Table of Contents
Fetching ...

Efficient Privacy-Preserving Retrieval Augmented Generation with Distance-Preserving Encryption

Huanyi Ye, Jiale Guo, Ziyao Liu, Kwok-Yan Lam

TL;DR

This paper tackles privacy risks in retrieval-augmented generation when data and embeddings are outsourced to untrusted clouds. It introduces ppRAG, a framework that encrypts embeddings using CAPRISE to preserve only query-to-database distances, thereby enabling efficient similarity search while obscuring internal database relations. To guard against repeated-query inference, it adds DistanceDP to perturb the query embedding before encryption. The authors provide theoretical privacy guarantees, prove CAPRISE's properties, and demonstrate through experiments on MS MARCO that ppRAG achieves strong privacy with high retrieval accuracy and substantial throughput, making secure cloud-augmented LLMs practical for resource-constrained users.

Abstract

RAG has emerged as a key technique for enhancing response quality of LLMs without high computational cost. In traditional architectures, RAG services are provided by a single entity that hosts the dataset within a trusted local environment. However, individuals or small organizations often lack the resources to maintain data storage servers, leading them to rely on outsourced cloud storage. This dependence on untrusted third-party services introduces privacy risks. Embedding-based retrieval mechanisms, commonly used in RAG systems, are vulnerable to privacy leakage such as vector-to-text reconstruction attacks and structural leakage via vector analysis. Several privacy-preserving RAG techniques have been proposed but most existing approaches rely on partially homomorphic encryption, which incurs substantial computational overhead. To address these challenges, we propose an efficient privacy-preserving RAG framework (ppRAG) tailored for untrusted cloud environments that defends against vector-to-text attack, vector analysis, and query analysis. We propose Conditional Approximate Distance-Comparison-Preserving Symmetric Encryption (CAPRISE) that encrypts embeddings while still allowing the cloud to compute similarity between an encrypted query and the encrypted database embeddings. CAPRISE preserves only the relative distance ordering between the encrypted query and each encrypted database embedding, without exposing inter-database distances, thereby enhancing both privacy and efficiency. To mitigate query analysis, we introduce DP by perturbing the query embedding prior to encryption, preventing the cloud from inferring sensitive patterns. Experimental results show that ppRAG achieves efficient processing throughput, high retrieval accuracy, strong privacy guarantees, making it a practical solution for resource-constrained users seeking secure cloud-augmented LLMs.

Efficient Privacy-Preserving Retrieval Augmented Generation with Distance-Preserving Encryption

TL;DR

This paper tackles privacy risks in retrieval-augmented generation when data and embeddings are outsourced to untrusted clouds. It introduces ppRAG, a framework that encrypts embeddings using CAPRISE to preserve only query-to-database distances, thereby enabling efficient similarity search while obscuring internal database relations. To guard against repeated-query inference, it adds DistanceDP to perturb the query embedding before encryption. The authors provide theoretical privacy guarantees, prove CAPRISE's properties, and demonstrate through experiments on MS MARCO that ppRAG achieves strong privacy with high retrieval accuracy and substantial throughput, making secure cloud-augmented LLMs practical for resource-constrained users.

Abstract

RAG has emerged as a key technique for enhancing response quality of LLMs without high computational cost. In traditional architectures, RAG services are provided by a single entity that hosts the dataset within a trusted local environment. However, individuals or small organizations often lack the resources to maintain data storage servers, leading them to rely on outsourced cloud storage. This dependence on untrusted third-party services introduces privacy risks. Embedding-based retrieval mechanisms, commonly used in RAG systems, are vulnerable to privacy leakage such as vector-to-text reconstruction attacks and structural leakage via vector analysis. Several privacy-preserving RAG techniques have been proposed but most existing approaches rely on partially homomorphic encryption, which incurs substantial computational overhead. To address these challenges, we propose an efficient privacy-preserving RAG framework (ppRAG) tailored for untrusted cloud environments that defends against vector-to-text attack, vector analysis, and query analysis. We propose Conditional Approximate Distance-Comparison-Preserving Symmetric Encryption (CAPRISE) that encrypts embeddings while still allowing the cloud to compute similarity between an encrypted query and the encrypted database embeddings. CAPRISE preserves only the relative distance ordering between the encrypted query and each encrypted database embedding, without exposing inter-database distances, thereby enhancing both privacy and efficiency. To mitigate query analysis, we introduce DP by perturbing the query embedding prior to encryption, preventing the cloud from inferring sensitive patterns. Experimental results show that ppRAG achieves efficient processing throughput, high retrieval accuracy, strong privacy guarantees, making it a practical solution for resource-constrained users seeking secure cloud-augmented LLMs.
Paper Structure (17 sections, 12 equations, 5 figures, 3 tables, 2 algorithms)

This paper contains 17 sections, 12 equations, 5 figures, 3 tables, 2 algorithms.

Figures (5)

  • Figure 1: Overview of ppRAG. In Phase 1 (Upload), the user embeds and encrypts local files, sending both AES-encrypted content and CAPRISE-encrypted embeddings to the untrusted cloud. In Phase 2 (Retrieve), the user encrypts the query embedding and retrieves Top-K similar encrypted vectors from the server, which are then decrypted locally. In Phase 3 (Augment & Generate), the retrieved content is combined with the original query to enhance LLM-based response generation.
  • Figure 2: Illustration of ADCPE and CAPRISE. While the original embedding vectors $\{e_1, e_2, e_3, e_4\}$ and query embedding $e_q$ are encrypted into $\{e'_1, e'_2, e'_3, e'_4\}$ and $e'_q$, the ranking of distances is preserved under ADCPE. As illustrated, solid edges represent distances between the query and database embeddings, and dashed edges represent distances among database embeddings. ADCPE maintains both, potentially leaking global relational structure. CAPRISE mitigates this by preserving only the query-to-database (solid) distances while perturbing inter-database (dashed) distances, thereby protecting internal relationships in the encrypted space.
  • Figure 3: Illustration of query embedding perturbation by differential privacy. To protect user privacy from distance-based inference attacks across repeated queries, controlled noise is added to the query embedding, expanding the search region and preventing precise query analysis by the server.
  • Figure 4: Efficiency of $\mathsf{CAPRISE}$
  • Figure 5: Attack with vectors analysis.