arxiv: 2604.02522 · v1 · submitted 2026-04-02 · 💻 cs.CR · cs.AI

Recognition: no theorem link

Opal: Private Memory for Personal AI

Darya Kaviani , Alp Eren Ozdarendeli , Jinhao Zhu , Yu Ding , Raluca Ada Popa

Authors on Pith no claims yet

Pith reviewed 2026-05-13 21:05 UTC · model grok-4.3

classification 💻 cs.CR cs.AI

keywords personal AIprivate memorytrusted enclaveORAMknowledge graphaccess pattern privacysecure retrievalpersonal data

0 comments

The pith

Opal confines data-dependent reasoning to a trusted enclave with a lightweight knowledge graph to enable private and efficient personal AI memory retrieval.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Opal as a system that solves the privacy-performance tradeoff in personal AI memory by keeping all reasoning inside trusted hardware. Personal data lives on untrusted storage but is accessed only through fixed oblivious patterns via ORAM, while the enclave uses a knowledge graph to add context that semantic search misses. This design supports continuous data ingestion by handling reindexing during normal accesses. A sympathetic reader would care because it promises accurate retrieval for growing personal datasets without exposing access patterns to providers, at lower cost than full cryptographic baselines.

Core claim

Opal claims that decoupling all data-dependent reasoning from bulk personal data and confining it to the trusted enclave allows untrusted disk to see only fixed oblivious memory accesses. The enclave uses a lightweight knowledge graph to capture personal context missed by semantic search alone and manages continuous ingestion by piggybacking reindexing and capacity management on every ORAM access. On a synthetic personal-data pipeline, this yields 13 percentage points higher retrieval accuracy than semantic search and 29 times higher throughput at 15 times lower infrastructure cost than a secure baseline.

What carries the argument

Enclave-resident lightweight knowledge graph that performs query-dependent traversals and context capture while all external accesses remain fixed and oblivious via ORAM.

If this is right

Retrieval accuracy improves by 13 percentage points compared to semantic search.
Throughput is 29 times higher with 15 times lower infrastructure cost than secure baselines.
Continuous ingestion is handled without extra overhead by piggybacking operations on ORAM accesses.
Personal AI can scale memory to large datastores while preserving privacy from access pattern leaks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Similar decoupling could apply to other privacy-sensitive systems that require dynamic data access.
Validation on real user data would be needed to confirm the synthetic model results hold.
The lower cost could make private memory feasible for consumer-grade personal AI applications.

Load-bearing premise

The lightweight knowledge graph in the enclave sufficiently captures the personal context that semantic search misses, and the synthetic stochastic communication model represents real user data and query patterns accurately.

What would settle it

Running the system on actual user personal data and query logs from a deployed AI and observing whether accuracy gains disappear or performance drops below the reported levels would falsify the central performance claims.

Figures

Figures reproduced from arXiv: 2604.02522 by Alp Eren Ozdarendeli, Darya Kaviani, Jinhao Zhu, Raluca Ada Popa, Yu Ding.

**Figure 1.** Figure 1: System model. The client sends queries and ingestion data to TEEs that run search and model serving while storing encrypted state on untrusted disk. messaging app [60, 100, 133, 183, 187], offer no comparable guarantee. Indeed, outsourced workers were recently found reviewing sensitive videos captured by Meta’s Ray-Ban smart glasses [30]. Worse, compromising the application provider’s infrastructure could… view at source ↗

**Figure 2.** Figure 2: Opal system architecture. The Opal Controller orchestrates query and ingestion operations across three enclaves, routing data through oblivious storage (ORAM) on untrusted disk. Blue numbers trace the query flow; red numbers trace ingestion. Numbered steps correspond to Algorithm 1. Limitations remain: recent work studies host-induced channels on TDX including interrupt and exception attacks [177, 1… view at source ↗

**Figure 3.** Figure 3: Security game for Opal exogenous public schedule fixed across the two worlds. The game is played in the Gatt-hybrid model. The adversary controls all computation, storage, and message delivery outside enclave boundaries. It wins if it learns information beyond L about the user’s queries or data, or causes an undetected incorrect execution of Opal. The adversary A wins the game if the challenger C does not… view at source ↗

**Figure 4.** Figure 4: Sample Opal knowledge graph for user Alice. artifact nodes link to modality, person, and project nodes; chunk nodes are labeled 𝑐1-𝑐8. 3.2.2 Filtration Types. Semantic similarity is necessary but insufficient for personal memory retrieval. Personal information management (PIM) studies confirm that users naturally scope queries by time, people, source type, and project context [54, 118, 235]. We identify f… view at source ↗

**Figure 5.** Figure 5: Oblivious dreaming lifecycle. (1) Initial IVF state. (2) Writes grow a cluster; expired items (red) pass TTL. (3) Overgrown cluster splits, vectors marked pending, expired items deleted. (4) Pending corrections resolved on ordinary ORAM accesses. makes them more relevant per item, earning a disproportionate share of top-𝐾 slots (§6). Recursive summarization, compressing old summaries into progressivel… view at source ↗

**Figure 6.** Figure 6 [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗

**Figure 7.** Figure 7: Accuracy comparison for ANN-only and Opal. Left: aggregate GTretrieval rate and judged accuracy across Vertex and open-weight stacks. Right: judged accuracy by question type (Vertex). 6.2 Experiment Setup Baselines. We evaluate Opal against five baselines. ANNonly performs ANN retrieval without KG filtering, isolating the accuracy gain of structured search. Graphiti [166] is a state-of-the-art graph-m… view at source ↗

**Figure 8.** Figure 8: Online bandwidth per query and ingestion operation for Opal, In-Memory Opal, and Plaintext Opal across database sizes. Left: linear scale; right: log-2 scale. respectively. Across the 1K-to-524K sweep, Opal uses 12- 2,700× less query bandwidth than the In-Memory baseline. 6.5 Throughput and Cost §6.3 shows that semantic search alone does not meet our accuracy objectives. We therefore apply the same KG-fil… view at source ↗

**Figure 9.** Figure 9: Single-client latency for query (Q) and ingestion (I). ANN denotes embeddings, Data raw encrypted chunks, and Client sealed per-user state; each split shows disk I/O versus in-memory compute. 6.7 Oblivious Dreaming Oblivious dreaming (§3.3) piggybacks all maintenance on ordinary ORAM accesses, operating only on blocks incidentally brought into the stash, so the storage trace reveals nothing about when … view at source ↗

**Figure 10.** Figure 10: Three-year replay of oblivious dreaming. (A) Active entries rise to capacity and then remain stable. (B) ORAM stash size stays bounded. (C) Opal tracks LIRE closely on judged accuracy over time. deployed products [2, 3, 5–7, 123, 151, 181, 240], confirming demand. Opal brings security to this space. Synthetic personal data and memory benchmarks. [33, 44, 45, 48, 50, 65, 82, 91, 98, 106, 131, 134, 197, 19… view at source ↗

read the original abstract

Personal AI systems increasingly retain long-term memory of user activity, including documents, emails, messages, meetings, and ambient recordings. Trusted hardware can keep this data private, but struggles to scale with a growing datastore. This pushes the data to external storage, which exposes retrieval access patterns that leak private information to the application provider. Oblivious RAM (ORAM) is a cryptographic primitive that can hide these patterns, but it requires a fixed access budget, precluding the query-dependent traversals that agentic memory systems rely on for accuracy. We present Opal, a private memory system for personal AI. Our key insight is to decouple all data-dependent reasoning from the bulk of personal data, confining it to the trusted enclave. Untrusted disk then sees only fixed, oblivious memory accesses. This enclave-resident component uses a lightweight knowledge graph to capture personal context that semantic search alone misses and handles continuous ingestion by piggybacking reindexing and capacity management on every ORAM access. Evaluated on a comprehensive synthetic personal-data pipeline driven by stochastic communication models, Opal improves retrieval accuracy by 13 percentage points over semantic search and achieves 29x higher throughput with 15x lower infrastructure cost than a secure baseline. Opal is under consideration for deployment to millions of users at a major AI provider.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Opal's enclave-plus-ORAM design with piggybacked reindexing is a concrete step toward scalable private memory, but the accuracy and throughput numbers rest on unvalidated synthetic workloads.

read the letter

The main thing to know is that Opal keeps data-dependent reasoning inside the enclave using a lightweight knowledge graph while forcing all bulk accesses through fixed ORAM patterns. This sidesteps the usual ORAM limit on variable traversals and lets them piggyback reindexing and capacity management onto every access. The result is a system that claims to deliver 13 percentage points better retrieval accuracy than semantic search plus 29x throughput and 15x lower cost than a secure baseline, all on a synthetic personal-data pipeline driven by stochastic communication models. The paper is under consideration for millions of users at a major provider, which suggests the authors have at least an internal implementation that runs at some scale. The architecture itself is the clearest part: by confining the context graph to the enclave they avoid leaking query-dependent patterns on disk, and the piggybacking trick is a practical way to keep the index fresh without extra oblivious accesses. That combination is not just a routine extension of prior enclave or ORAM work. The soft spot is the evaluation. Everything rests on synthetic stochastic models with no reported validation against real user traces, query logs, or ingestion patterns. Without that check, the accuracy lift and the throughput numbers could shrink or disappear once the data has the structure and access skew that actual personal histories produce. The abstract also gives no error bars or ablation details, so it is hard to tell how much of the gain comes from the graph versus other tuning choices. This paper is for people working on private personal AI or trusted-execution systems who need to handle growing long-term memory without leaking access patterns. A reader who cares about enclave-ORAM hybrids will find the design worth examining even if the numbers need more grounding. It deserves peer review because the problem is real and the proposed decoupling is specific enough to test and improve, though any referee will want real-workload validation before the claims can be taken as settled.

Referee Report

2 major / 1 minor

Summary. The paper presents Opal, a private memory system for personal AI. It decouples data-dependent reasoning to a trusted enclave containing a lightweight knowledge graph that captures personal context missed by semantic search alone, while using ORAM to ensure only fixed oblivious accesses are visible to untrusted storage. Continuous ingestion is handled by piggybacking reindexing on ORAM operations. On a synthetic personal-data pipeline driven by stochastic communication models, Opal reports a 13 percentage point retrieval accuracy improvement over semantic search, 29x higher throughput, and 15x lower infrastructure cost than a secure baseline.

Significance. If the synthetic evaluation holds under real workloads, the design offers a practical path to scalable, pattern-hiding personal memory for AI agents, addressing a key tension between privacy and the dynamic, context-rich retrieval needed for long-term user modeling. The enclave-resident KG plus piggybacked reindexing is a concrete mechanism that could generalize to other agentic systems constrained by oblivious primitives.

major comments (2)

[Abstract] Abstract: The 13pp accuracy gain, 29x throughput, and 15x cost claims are derived exclusively from a synthetic pipeline driven by stochastic communication models. No validation of these models against real user traces or query workloads is provided, which directly affects whether the enclave KG actually captures the personal context gaps that semantic search misses in practice.
[§4] Evaluation (abstract and §4): Concrete accuracy, throughput, and cost numbers are stated without visible error bars, ablation studies on the KG component, or a full description of the experimental methodology and parameter settings. This makes it impossible to assess the robustness or sensitivity of the reported improvements.

minor comments (1)

[Abstract] Abstract: The phrase 'comprehensive synthetic personal-data pipeline' should be expanded with a brief description of the stochastic model parameters and data-generation process to allow readers to judge its fidelity.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive feedback on the evaluation. We address each major comment below and have revised the manuscript to improve clarity and completeness where feasible.

read point-by-point responses

Referee: [Abstract] Abstract: The 13pp accuracy gain, 29x throughput, and 15x cost claims are derived exclusively from a synthetic pipeline driven by stochastic communication models. No validation of these models against real user traces or query workloads is provided, which directly affects whether the enclave KG actually captures the personal context gaps that semantic search misses in practice.

Authors: We acknowledge that the reported gains rely on synthetic workloads generated from stochastic communication models. These models were parameterized using statistical properties drawn from prior studies of personal messaging and document access patterns to capture variability in query-dependent context. We agree that empirical validation against real traces would strengthen the claims. In the revised manuscript we have expanded §4 with additional justification for the model parameters and added an explicit Limitations paragraph discussing the synthetic evaluation and the inherent difficulty of releasing or accessing privacy-sensitive real user traces. revision: partial
Referee: [§4] Evaluation (abstract and §4): Concrete accuracy, throughput, and cost numbers are stated without visible error bars, ablation studies on the KG component, or a full description of the experimental methodology and parameter settings. This makes it impossible to assess the robustness or sensitivity of the reported improvements.

Authors: We have revised §4 to include: (i) error bars on all accuracy, throughput, and cost figures computed across ten independent simulation runs with distinct random seeds; (ii) a new ablation that isolates the enclave knowledge-graph component by comparing full Opal against a semantic-search-only variant; and (iii) a dedicated Experimental Setup subsection that enumerates every parameter (stochastic rates, ORAM block size, enclave memory budget, query distribution, etc.). These additions allow direct assessment of robustness. revision: yes

standing simulated objections not resolved

Validation of the stochastic communication models against real user traces or query workloads

Circularity Check

0 steps flagged

No circularity: empirical claims rest on independent synthetic evaluation pipeline

full rationale

The paper describes a system architecture using enclave-resident lightweight knowledge graphs and ORAM for oblivious access, with performance and accuracy claims derived from direct measurement on a separately defined synthetic personal-data pipeline driven by stochastic communication models. No equations, derivations, or fitted parameters are shown that reduce the reported 13pp accuracy gain or 29x throughput numbers to the results themselves by construction. The evaluation inputs (synthetic models and workloads) are external to the output metrics, and no self-citation chains or uniqueness theorems are invoked to force the design. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The design rests on the established security properties of ORAM and the assumption that a lightweight enclave-resident knowledge graph can capture sufficient personal context; no free parameters are explicitly fitted in the abstract.

axioms (2)

standard math ORAM hides access patterns from untrusted storage
Invoked as the mechanism that makes disk accesses oblivious.
domain assumption Enclave provides trusted execution for reasoning and graph maintenance
Assumed to scale with the knowledge graph component while bulk data remains external.

invented entities (1)

Lightweight knowledge graph resident in enclave no independent evidence
purpose: Capture personal context missed by semantic search alone
Introduced as the component that enables accurate retrieval while keeping reasoning inside the trusted boundary.

pith-pipeline@v0.9.0 · 5538 in / 1259 out tokens · 41227 ms · 2026-05-13T21:05:08.683233+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

An AI Agent Execution Environment to Safeguard User Data
cs.CR 2026-04 unverdicted novelty 6.0

GAAP guarantees confidentiality of private user data for AI agents by enforcing user-specified permissions deterministically through persistent information flow tracking, without trusting the agent or requiring attack...

Reference graph

Works this paper leans on

293 extracted references · 293 canonical work pages · cited by 1 Pith paper · 9 internal anchors

[1]

[n. d.]. 1x.https://www.1x.tech/

work page
[2]

[n. d.]. ChatGPT.https://chatgpt.com/

work page
[3]

[n. d.]. Google Project Astra.https://deepmind.google/models/ project-astra/

work page
[4]

[n. d.]. How Do People Re-find Files, Emails and Web Pages?iCon- ference 2014 Proceedings([n. d.]). doi:10.9776/14136

work page doi:10.9776/14136 2014
[5]

[n. d.]. Mem.ai.https://get.mem.ai/

work page
[6]

[n. d.]. NotebookLM.https://notebooklm.google/

work page
[7]

[n. d.]. Personal.ai.https://www.personal.ai/

work page
[8]

[n. d.]. Pinecone.https://www.pinecone.io/

work page
[9]

[n. d.]. Signal.https://signal.org/

work page
[10]

[n. d.]. Sunday Robotics.https://www.sunday.ai/

work page
[11]

[n. d.]. Weaviate.https://weaviate.io/

work page
[12]

[n. d.]. WhatsApp.https://www.whatsapp.com/

work page
[13]

[n. d.]. Windows Copilot "Recall".https://learn.microsoft.com/en- us/windows/ai/recall/

work page
[14]

End-to-end encryption on Messenger explained

2024. End-to-end encryption on Messenger explained. https://about.fb.com/news/2024/03/end-to-end-encryption- on-messenger-explained/

work page 2024
[15]

Gulavani, Alexey Tumanov, and Ramachandran Ramjee

Amey Agrawal, Nitin Kedia, Ashish Panwar, Jayashree Mohan, Nipun Kwatra, Bhargav S. Gulavani, Alexey Tumanov, and Ramachandran Ramjee. 2024. Taming Throughput-Latency Tradeoff in LLM Infer- ence with Sarathi-Serve. InOSDI. USENIX Association, 117–134

work page 2024
[16]

Adil Ahmad, Kyungtae Kim, Muhammad Ihsanulhaq Sarfaraz, and Byoungyoung Lee. 2018. OBLIVIATE: A Data Oblivious Filesystem for Intel SGX. InNDSS. The Internet Society

work page 2018
[17]

Dumais, Nick Craswell, and Daniel J

Qingyao Ai, Susan T. Dumais, Nick Craswell, and Daniel J. Liebling

work page
[18]

Characterizing Email Search using Large-scale Behavioral Logs and Surveys. InWWW. ACM, 1511–1520

work page
[19]

Tarfah Alrashed, Ahmed Hassan Awadallah, and Susan T. Dumais

work page
[20]

The Lifetime of Email Messages: A Large-Scale Analysis of Email Revisitation. InCHIIR. ACM, 120–129

work page
[21]

Amazon Web Services. 2024. The Security Design of the AWS Nitro System.https://docs.aws.amazon.com/whitepapers/latest/security- design-of-aws-nitro-system/security-design-of-aws-nitro- system.html

work page 2024
[22]

Amazon Web Services. 2026. Amazon EC2 M6i Instances.https: //aws.amazon.com/ec2/instance-types/m6i/

work page 2026
[23]

Amazon Web Services. 2026. Amazon EC2 M7i Instances.https: //aws.amazon.com/ec2/instance-types/m7i/

work page 2026
[24]

Anderson and Lael J

John R. Anderson and Lael J. Schooler. 1991. Reflections of the En- vironment in Memory.Psychological Science2, 6 (1991), 396–408. doi:10.1111/j.1467-9280.1991.tb00174.x

work page doi:10.1111/j.1467-9280.1991.tb00174.x 1991
[25]

Sebastian Angel, Aditya Basu, Weidong Cui, Trent Jaeger, Stella Lau, Srinath T. V. Setty, and Sudheesh Singanamalla. 2023. Nimble: Roll- back Protection for Confidential Cloud Services. InOSDI. USENIX Association, 193–208

work page 2023
[26]

Sorokin, Dmitry Evseev, Andrey Kravchenko, Mikhail Burtsev, and Evgeny Burnaev

Petr Anokhin, Nikita Semenov, Artyom Y. Sorokin, Dmitry Evseev, Andrey Kravchenko, Mikhail Burtsev, and Evgeny Burnaev. 2025. AriGraph: Learning Knowledge Graph World Models with Episodic Memory for LLM Agents. InIJCAI. ijcai.org, 12–20

work page 2025
[27]

Anthropic. 2025. Confidential Inference via Trusted Virtual Ma- chines.https://www.anthropic.com/research/confidential-inference- trusted-vms

work page 2025
[28]

Guido Appenzeller. 2024. Welcome to LLMflation: LLM Inference Cost Is Going Down Fast.https://a16z.com/llmflation-llm-inference-cost/

work page 2024
[29]

Apple. 2024. Private Cloud Compute.https://security.apple.com/ blog/private-cloud-compute/.Apple Security Blog(2024)

work page 2024
[30]

Argilla. 2024. FinePersonas: Synthetic Email Conversations. https://huggingface.co/datasets/argilla/FinePersonas-Synthetic- Email-Conversations

work page 2024
[31]

Denis Baylor, Eric Breck, Heng-Tze Cheng, Noah Fiedel, Chuan Yu Foo, Zakaria Haque, Salem Haykal, Mustafa Ispir, Vihan Jain, Levent Koc, Chiu Yuen Koo, Lukasz Lew, Clemens Mewald, Akshay Naresh Modi, Neoklis Polyzotis, Sukriti Ramesh, Sudip Roy, Steven Euijong Whang, Martin Wicke, Jarek Wilkiewicz, Xin Zhang, and Martin Zinkevich. 2017. TFX: A TensorFlow-...

work page 2017
[32]

BBC News. 2026. Meta smart glasses: Workers reviewing intimate content.https://www.bbc.com/news/articles/c0q33nvj0qpo

work page 2026
[33]

Bernstein, Sergey Bykov, Alan Geller, Gabriel Kliot, and Jorgen Thelin

Philip A. Bernstein, Sergey Bykov, Alan Geller, Gabriel Kliot, and Jorgen Thelin. 2014.Orleans: Distributed Virtual Actors for Programma- bility and Scalability. Technical Report MSR-TR-2014-41. Microsoft Research

work page 2014
[34]

Sinchana Ramakanth Bhat, Max Rudat, Jannis Spiekermann, and Nico- las Flores-Herr. 2025. Rethinking Chunk Size For Long-Document Retrieval: A Multi-Dataset Analysis.arXiv preprint arXiv:2505.21700 (2025)

work page arXiv 2025
[35]

Haonan Bian, Zhiyuan Yao, Sen Hu, Zishan Xu, Shaolei Zhang, Yifu Guo, Ziliang Yang, Xueran Han, Huacan Wang, and Ronghao Chen

work page
[36]

RealMem: Benchmarking LLMs in Real-World Memory-Driven Interaction.arXiv preprint arXiv:2601.06966(2026)

work page arXiv 2026
[37]

Andrea Bittau, Úlfar Erlingsson, Petros Maniatis, Ilya Mironov, Ananth Raghunathan, David Lie, Mitch Rudominer, Ushasree Kode, Julien Tinnés, and Bernhard Seefeld. 2017. Prochlo: Strong Privacy for Analytics in the Crowd. InSOSP. ACM, 441–459. 13

work page 2017
[38]

Teofil Bodea, Masanori Misono, Julian Pritzi, Patrick Sabanic, Thore Sommer, Harshavardhan Unnibhavi, David Schall, Nuno Santos, Dim- itrios Stavrakakis, and Pramod Bhatotia. 2025. Trusted AI Agents in the Cloud.arXiv preprint arXiv:2512.05951(2025)

work page arXiv 2025
[39]

Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, and Michael Schwarz. 2022. ÆPIC Leak: Architecturally Leak- ing Uninitialized Data from the Microarchitecture. InUSENIX Security Symposium. USENIX Association, 3917–3934

work page 2022
[40]

Wenisch, Yuval Yarom, and Raoul Strackx

Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In USENIX Security Symposium. USENIX Association, 991–1008

work page 2018
[41]

Jo Van Bulck, Nico Weichbrodt, Rüdiger Kapitza, Frank Piessens, and Raoul Strackx. 2017. Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution. InUSENIX Security Symposium. USENIX Association, 1041–1056

work page 2017
[42]

Yuzheng Cai, Jiayang Shi, Yizhuo Chen, and Weiguo Zheng. 2024. Navigating Labels and Vectors: A Unified Approach to Filtered Ap- proximate Nearest Neighbor Search.Proc. ACM Manag. Data2, 6 (2024), 246:1–246:27

work page 2024
[43]

Iqbal, Mary Czerwinski, Priscilla N

Hancheng Cao, Chia-Jung Lee, Shamsi T. Iqbal, Mary Czerwinski, Priscilla N. Y. Wong, Sean Rintel, Brent J. Hecht, Jaime Teevan, and Longqi Yang. 2021. Large Scale Analysis of Multitasking Behavior During Remote Meetings. InCHI. ACM, 448:1–448:13

work page 2021
[44]

Pádraig Mac Carron, Kimmo Kaski, and Robin Dunbar. 2016. Calling Dunbar’s numbers.Soc. Networks47 (2016), 151–155

work page 2016
[45]

David Cash, Paul Grubbs, Jason Perry, and Thomas Ristenpart. 2016. Leakage-Abuse Attacks Against Searchable Encryption.IACR Cryptol. ePrint Arch.2016 (2016), 718

work page 2016
[46]

CERT Coordination Center. 2025. Vulnerability Note VU#404544: Vulnerabilities identified in PCIe Integrity and Data Encryption (IDE) protocol specification.https://kb.cert.org/vuls/id/404544

work page 2025
[47]

Ding Chen, Simin Niu, Kehang Li, Peng Liu, Xiangping Zheng, Bo Tang, Xinchi Li, Feiyu Xiong, and Zhiyu Li. 2025. HaluMem: Evalu- ating Hallucinations in Memory Systems of Agents.arXiv preprint arXiv:2511.03506(2025)

work page arXiv 2025
[48]

Guo Chen, Lidong Lu, Yicheng Liu, Liangrui Dong, Lidong Zou, Jixin Lv, Zhenquan Li, Xinyi Mao, Baoqi Pei, Shihao Wang, et al . 2026. Towards Multimodal Lifelong Understanding: A Dataset and Agentic Baseline.arXiv preprint arXiv:2603.05484(2026)

work page arXiv 2026
[49]

Wiener, Shridhar Iyer, Anshul Jaiswal, Ran Lei, Nikhil Simha, Wei Wang, Kevin Wilfong, Tim Williamson, and Serhat Yilmaz

Guoqiang Jerry Chen, Janet L. Wiener, Shridhar Iyer, Anshul Jaiswal, Ran Lei, Nikhil Simha, Wei Wang, Kevin Wilfong, Tim Williamson, and Serhat Yilmaz. 2016. Realtime Data Processing at Facebook. In SIGMOD Conference. ACM, 1087–1098

work page 2016
[50]

Qi Chen, Bing Zhao, Haidong Wang, Mingqin Li, Chuanjie Liu, Zengzhong Li, Mao Yang, and Jingdong Wang. 2021. SPANN: Highly- efficient Billion-scale Approximate Nearest Neighborhood Search. In NeurIPS. 5199–5212

work page 2021
[51]

Tiantian Chen, Jiaqi Lu, Ying Shen, and Lin Zhang. 2026. ES-MemEval: Benchmarking Conversational Agents on Personalized Long-Term Emotional Support.arXiv preprint arXiv:2602.01885(2026)

work page arXiv 2026
[52]

Yihang Cheng, Lan Zhang, Junyang Wang, Mu Yuan, and Yunhao Yao

work page
[53]

InACL (Findings) (Findings of ACL)

RemoteRAG: A Privacy-Preserving LLM Cloud RAG Service. InACL (Findings) (Findings of ACL). Association for Computational Linguistics, 3820–3837

work page
[54]

Zihao Cheng, Weixin Wang, Yu Zhao, Ziyang Ren, Jiaxuan Chen, Ruiyang Xu, Shuai Huang, Yang Chen, Guowei Li, Mengshi Wang, Yi Xie, Ren Zhu, Zeren Jiang, Keda Lu, Yihong Li, Xiaoliang Wang, Liwei Liu, and Cam-Tu Nguyen. 2026. LifeBench: A Benchmark for Long-Horizon Multi-Source Memory.arXiv preprint arXiv:2603.03781 (2026)

work page arXiv 2026
[55]

Prateek Chhikara, Dev Khant, Saket Aryan, Taranjeet Singh, and Deshraj Yadav. 2025. Mem0: Building Production-Ready AI Agents with Scalable Long-Term Memory. InECAI (Frontiers in Artificial Intelligence and Applications). IOS Press, 2993–3000

work page 2025
[56]

Gérard Chollet, Hugues Sansen, Yannis Tevissen, Jérôme Boudy, Mossaab Hariz, Christophe Lohr, and Fathy Yassa. 2024. Privacy preserving personal assistant with on-device diarization and spoken dialogue system for home and beyond.arXiv preprint arXiv:2401.01146 (2024)

work page arXiv 2024
[57]

Jalen Chuang, Alex Seto, Nicolas Berrios, Stephan van Schaik, Christina Garman, and Daniel Genkin. 2026. TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interpo- sition.https://tee.fail/

work page 2026
[58]

Klasnja, and Harry Bruce

Andrea Civan, William Jones, Predrag V. Klasnja, and Harry Bruce

work page
[59]

InASIST (Proc

Better to organize personal information by folders or by tags?: The devil is in the details. InASIST (Proc. Assoc. Inf. Sci. Technol., 1). Wiley, 1–13

work page
[60]

Confidential Containers. 2024. Trust Model for Confidential Con- tainers.https://confidentialcontainers.org/docs/architecture/trust- model/trust-model/

work page 2024
[61]

Graeme Connell, Vivian Fang, Rolfe Schmidt, Emma Dauterman, and Raluca Ada Popa. 2024. Secret Key Recovery in a Global-Scale End- to-End Encryption System. InOSDI. USENIX Association, 703–719

work page 2024
[62]

Scott Constable, Jo Van Bulck, Xiang Cheng, Yuan Xiao, Cedric Xing, Ilya Alexandrovich, Taesoo Kim, Frank Piessens, Mona Vij, and Mark Silberstein. 2023. AEX-Notify: Thwarting Precise Single-Stepping At- tacks through Interrupt Awareness for Intel SGX Enclaves. InUSENIX Security Symposium. USENIX Association, 4051–4068

work page 2023
[63]

Lebedev, and Srinivas Devadas

Victor Costan, Ilia A. Lebedev, and Srinivas Devadas. 2016. Sanc- tum: Minimal Hardware Extensions for Strong Software Isolation. In USENIX Security Symposium. USENIX Association, 857–874

work page 2016
[64]

Cas Cremers, Alexander Dax, and Aurora Naska. 2023. Formal Analy- sis of SPDM: Security Protocol and Data Model version 1.2. InUSENIX Security Symposium. USENIX Association, 6611–6628

work page 2023
[65]

Emmelyn A. J. Croes, Marjolijn L. Antheunis, Chris van der Lee, and Jan M. S. de Wit. 2024. Digital Confessions: The Willingness to Disclose Intimate Information to a Chatbot and its Impact on Emotional Well-Being.Interact. Comput.36, 5 (2024), 279–292

work page 2024
[66]

Emma Dauterman, Vivian Fang, Ioannis Demertzis, Natacha Crooks, and Raluca Ada Popa. 2021. Snoopy: Surpassing the Scalability Bot- tleneck of Oblivious Storage. InSOSP. ACM, 655–671

work page 2021
[67]

Vicente Bicudo de Castro. 2025. Quantifying the burden of organisa- tional bulk emails in a business school.Higher Education Research & Development44, 8 (2025), 1934–1948. doi:10.1080/07294360.2025. 2510662

work page doi:10.1080/07294360.2025 2025
[68]

David Dearman and Jeffrey S. Pierce. 2008. It’s on my other computer!: computing with multiple devices. InCHI. ACM, 767–776

work page 2008
[69]

DMTF. 2025. Security Protocol and Data Model (SPDM) Specification. https://www.dmtf.org/dsp/DSP0274

work page 2025
[70]

Yiming Du, Hongru Wang, Zhengyi Zhao, Bin Liang, Baojun Wang, Wanjun Zhong, Zezhong Wang, and Kam-Fai Wong. 2024. PerLTQA: A Personal Long-Term Memory Dataset for Memory Classification, Retrieval, and Fusion in Question Answering. InSIGHAN. Association for Computational Linguistics, 152–164

work page 2024
[71]

Dumais, Edward Cutrell, Jonathan J

Susan T. Dumais, Edward Cutrell, Jonathan J. Cadiz, Gavin Jancke, Raman Sarin, and Daniel C. Robbins. 2015. Stuff I’ve Seen: A System for Personal Information Retrieval and Re-Use.SIGIR Forum49, 2 (2015), 28–35. doi:10.1145/2888422.2888425

work page doi:10.1145/2888422.2888425 2015
[72]

Darren Edge, Ha Trinh, Newman Cheng, Joshua Bradley, Alex Chao, Apurva Mody, Steven Truitt, Dasha Metropolitansky, Robert Osazuwa Ness, and Jonathan Larson. 2024. From Local to Global: A Graph RAG Approach to Query-Focused Summarization.arXiv preprint arXiv:2404.16130(2024)

work page internal anchor Pith review Pith/arXiv arXiv 2024
[73]

Joshua Engels, Benjamin Landrum, Shangdi Yu, Laxman Dhulipala, and Julian Shun. 2024. Approximate Nearest Neighbor Search with Window Filters. InICML (Proceedings of Machine Learning Research). 14 PMLR / OpenReview.net, 12469–12490

work page 2024
[74]

Epoch AI. 2026. Trends in AI: The Inference Cost of Frontier Models is Halving Every Two Months.https://epoch.ai/trends

work page 2026
[75]

Saba Eskandarian and Matei Zaharia. 2019. ObliDB: Oblivious Query Processing for Secure Databases.Proc. VLDB Endow.13, 2 (2019), 169–183

work page 2019
[76]

2024.A Look Behind the Screens: Ex- amining the Data Practices of Social Media and Video Streaming Ser- vices

Federal Trade Commission. 2024.A Look Behind the Screens: Ex- amining the Data Practices of Social Media and Video Streaming Ser- vices. Technical Report.https://www.ftc.gov/system/files/ftc_gov/ pdf/Social-Media-6b-Report-9-11-2024.pdf

work page 2024
[77]

Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan Parno. 2017. Komodo: Using verification to disentangle secure- enclave hardware from software. InSOSP. ACM, 287–305

work page 2017
[78]

Fox, Martin B

Eric W. Fox, Martin B. Short, Frederic P. Schoenberg, Kathryn D. Coronges, and Andrea L. Bertozzi. 2016. Modeling E-mail Networks and Inferring Leadership Using Self-Exciting Point Processes.J. Amer. Statist. Assoc.111, 514 (2016), 564–584. doi:10.1080/01621459.2015. 1135802

work page doi:10.1080/01621459.2015 2016
[79]

Benny Fuhry, Raad Bahmani, Ferdinand Brasser, Florian Hahn, Flo- rian Kerschbaum, and Ahmad-Reza Sadeghi. 2017. HardIDX: Practical and Secure Index with SGX. InDBSec (Lecture Notes in Computer Sci- ence). Springer, 386–408

work page 2017
[80]

Stefan Gast, Hannes Weissteiner, Robin Leander Schröder, and Daniel Gruss. 2025. CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP. InNDSS. The Internet Society

work page 2025

Showing first 80 references.