
Opal: Private Memory for Personal AI

Darya Kaviani, Alp Eren Ozdarendeli, Jinhao Zhu, Yu Ding, Raluca Ada Popa

Abstract

Personal AI systems increasingly retain long-term memory of user activity, including documents, emails, messages, meetings, and ambient recordings. Trusted hardware can keep this data private, but struggles to scale with a growing datastore. This pushes the data to external storage, which exposes retrieval access patterns that leak private information to the application provider. Oblivious RAM (ORAM) is a cryptographic primitive that can hide these patterns, but it requires a fixed access budget, precluding the query-dependent traversals that agentic memory systems rely on for accuracy. We present Opal, a private memory system for personal AI. Our key insight is to decouple all data-dependent reasoning from the bulk of personal data, confining it to the trusted enclave. Untrusted disk then sees only fixed, oblivious memory accesses. This enclave-resident component uses a lightweight knowledge graph to capture personal context that semantic search alone misses and handles continuous ingestion by piggybacking reindexing and capacity management on every ORAM access. Evaluated on a comprehensive synthetic personal-data pipeline driven by stochastic communication models, Opal improves retrieval accuracy by 13 percentage points over semantic search and achieves 29x higher throughput with 15x lower infrastructure cost than a secure baseline. Opal is under consideration for deployment to millions of users at a major AI provider.
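The fixed access budget described in the abstract can be illustrated with a toy Path ORAM. This is an added example, not code from the paper or from Opal, and the page does not say which ORAM construction Opal uses. The class and function names, the bucket size `Z`, the seed and the sample chunk strings are all assumptions constructed for illustration.

```python
import random

class PathORAM:
    """Toy Path ORAM; `trace` records the leaf of every path the untrusted disk sees."""
    Z = 4  # blocks per bucket (assumed value)

    def __init__(self, height, seed=0):
        self.leaves = 1 << height
        self.tree = [[] for _ in range(2 * self.leaves - 1)]  # untrusted buckets, heap layout
        self.pos, self.stash = {}, {}   # enclave-resident position map and stash
        self.rng = random.Random(seed)  # demo only; a real system needs a CSPRNG
        self.trace = []

    def _path(self, leaf):
        node = leaf + self.leaves - 1
        path = [node]
        while node:
            node = (node - 1) // 2
            path.append(node)
        return path  # ordered leaf -> root

    def access(self, bid=None, write=None):
        """Read or write block `bid`; bid=None is a dummy access to a random path."""
        leaf = self.pos.get(bid, self.rng.randrange(self.leaves))
        if bid is not None:
            self.pos[bid] = self.rng.randrange(self.leaves)  # remap before write-back
        self.trace.append(leaf)
        path = self._path(leaf)
        for n in path:                      # pull the whole path into the stash
            self.stash.update(self.tree[n])
            self.tree[n] = []
        value = self.stash.get(bid)
        if write is not None:
            self.stash[bid] = write
        for n in path:                      # evict greedily, deepest bucket first
            fit = [b for b in self.stash if n in self._path(self.pos[b])][:self.Z]
            self.tree[n] = [(b, self.stash.pop(b)) for b in fit]
        return value

def fixed_budget_query(oram, wanted, budget):
    """Serve a query with exactly `budget` ORAM accesses, whatever it matched."""
    # Truncating to the budget is why query-dependent traversals do not fit.
    hits = [oram.access(b) for b in wanted[:budget]]
    for _ in range(budget - len(hits)):     # pad with dummy accesses
        oram.access()
    return hits
```

Whether a query matches one chunk or many, the disk-side trace grows by the same number of uniformly chosen paths, so the trace length and the paths touched reveal nothing about the result set.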

Paper Structure

This paper contains 57 sections, 5 theorems, 4 equations, 10 figures, 2 tables.

Key Result

theorem 1

As defined by the security game in Figure 3, for any PPT stateful adversary $\mathcal{A}$, the Opal protocol defined in §sec:opal-system-design and Algorithm alg:opal satisfies condition 1) with probability at most $\frac{1}{2} + \mathsf{negl}(\lambda)$ and condition 2) with probab

Figures (10)

  • Figure 1: System model. The client sends queries and ingestion data to TEEs that run search and model serving while storing encrypted state on untrusted disk.
  • Figure 2: Opal system architecture. The Opal Controller orchestrates query and ingestion operations across three enclaves, routing data through oblivious storage (ORAM) on untrusted disk. Blue numbers trace the query flow; red numbers trace ingestion. Numbered steps correspond to Algorithm \ref{alg:opal}.
  • Figure 3: Security game for Opal
  • Figure 4: Sample Opal knowledge graph for user Alice. Artifact nodes link to modality, person, and project nodes; chunk nodes are labeled $c_1$-$c_8$.
  • Figure 5: Oblivious dreaming lifecycle. (1) Initial IVF state. (2) Writes grow a cluster; expired items (red) pass TTL. (3) Overgrown cluster splits, vectors marked pending, expired items deleted. (4) Pending corrections resolved on ordinary ORAM accesses.
  • ...and 5 more figures

Theorems & Definitions (6)

  • theorem 1
  • definition 1: Structural equivalence
  • lemma 1: Dreaming preserves the enclosing trace
  • lemma 2: Request trace structure
  • lemma 3: Integrity
  • lemma 4: Checkpoint-relative freshness