pith. sign in

arxiv: 2606.26373 · v2 · pith:DWLZ6U2Jnew · submitted 2026-06-24 · 💻 cs.CR · cs.AI· cs.IR

Hybrid privacy-aware semantic search: SVD-truncated document geometry and CKKS-encrypted query reranking under a restricted threat model

Pith reviewed 2026-06-30 09:32 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.IR
keywords privacy-preserving semantic searchSVD truncationorthogonal rotationCKKS encryptionembedding inversiondata loss preventionhonest-but-curious serverreconstruction lower bound
0
0 comments X

The pith

SVD truncation to a protected subspace plus secret rotation bounds reconstruction error for document embeddings while CKKS encryption hides queries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a hybrid protection scheme in which static document vectors are projected onto a lower-dimensional subspace via SVD truncation and then rotated by a secret orthogonal transform known only to the data owner. Queries are handled separately under CKKS homomorphic encryption so the server never observes their values or the resulting similarity scores. A tight lower bound is proven on the error any decoder can achieve when restricted to the protected subspace. On a one-million-document corpus the method preserves or slightly improves retrieval quality across five encoders because of a linear denoising effect, runs at sub-second latency, and causes standard inversion attacks to fail. The same geometry is shown to support semantic data-loss prevention for LLM firewalls at near parity with unprotected detectors.

Core claim

Projecting document embeddings onto an SVD-truncated subspace and rotating them with a secret orthogonal transform confines every possible decoder to that subspace, establishing a strict lower bound on reconstruction error; when paired with CKKS-encrypted queries this yields cryptographic query confidentiality and empirical document obfuscation that maintains retrieval quality on million-document corpora and defeats off-the-shelf inversion.

What carries the argument

The SVD-truncated subspace under secret orthogonal rotation, which enforces a lower bound on any decoder's reconstruction error while still permitting similarity search.

If this is right

  • Retrieval quality is preserved or slightly improved on the strongest encoders because truncation acts as a linear denoiser.
  • Off-the-shelf inversion attacks collapse to the noise floor under the protected geometry.
  • Sub-second end-to-end latency is achieved on a one-million-document corpus.
  • A known-plaintext attacker needs roughly as many leaked pairs as the retained dimension to recover the rotation.
  • The same geometry functions as a privacy-preserving semantic data-loss-prevention detector for LLM firewalls.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The observed denoising effect might be isolated and tested on other embedding models or tasks to determine whether truncation alone improves ranking in some regimes.
  • The asymmetry between static protected documents and dynamic encrypted queries could be applied to other retrieval or classification settings where one side is fixed.
  • Adding modest differential privacy noise to the already-truncated vectors could be measured to see how much extra protection is gained before quality degrades.
  • The Procrustes recovery threshold suggests a practical rule of thumb for choosing retained dimension relative to expected leakage volume.

Load-bearing premise

The server is honest-but-curious and no attacker obtains enough known-plaintext pairs to recover the secret rotation via Procrustes analysis.

What would settle it

An inversion attack that recovers readable text from the protected vectors using fewer than the retained-dimension number of known-plaintext pairs, or a measurable drop in retrieval quality after protection on the million-document test set.

Figures

Figures reproduced from arXiv: 2606.26373 by Sergey Kurilenko.

Figure 1
Figure 1. Figure 1: Online query flow of the construction under study. Steps 1–7 realise the two-stage protocol: client transformation T(·) and local PQ filtering produce a short-list of Kcands candidate IDs; step 4 encrypts the rotated query under CKKS; step 5 runs ct-pt reranking on the server; steps 6–7 decrypt the scores and sort. The secret keys (µ, Vk, R, skCKKS) and the rotated database Erot are produced offline by the… view at source ↗
Figure 1
Figure 1. Figure 1: Online query flow of the construction under study. Steps 1–7 realise the two-stage protocol: client transformation T(·) and local PQ filtering produce a short-list of Kcands candidate IDs; step 4 encrypts the rotated query under CKKS; step 5 runs ct-pt reranking on the server; steps 6–7 decrypt the scores and sort. The secret keys (µ, Vk, R, skCKKS) and the rotated database Erot are produced offline by the… view at source ↗
Figure 2
Figure 2. Figure 2: ct-pt vs. ct-ct: distribution of per-batch latencies over 50 trials. Removing relinearisa￾tion moves the median by ∼ 6 s and tightens the upper tail. 7.1 Experiment 1: ciphertext-plaintext speed-up We benchmark a batched dot-product of an encrypted 192-dimensional query with N = 10 000 plaintext documents. The CKKS parameters are N = 8192, coeff_mod_bit_sizes = [60, 40, 40, 60], ∆ = 240 (security level ≥ 1… view at source ↗
Figure 2
Figure 2. Figure 2: ct-pt vs. ct-ct: distribution of per-batch latencies over 50 trials. Removing relinearisa￾tion moves the median by ∼ 6 s and tightens the upper tail. 7.2 Experiment 2: Vec2Text attack We instantiate Vec2Text on GTR-base embeddings (d = 768). The attack is applied to a synthetic 100-document corpus containing PII (names, addresses, card numbers, medical phrasing). Three threat models are compared at five va… view at source ↗
Figure 3
Figure 3. Figure 3: Vec2Text BLEU as a function of k/d under three threat models (left); zoom on k/d = 1.0 comparing no-rotation, known-R and unknown-R (right). Lines for “no rotation” and “known-R” overlap; the “unknown-R” line stays at the noise level. budget ( [PITH_FULL_IMAGE:figures/full_fig_p011_3.png] view at source ↗
Figure 3
Figure 3. Figure 3: Vec2Text BLEU as a function of k/d under three threat models (left); zoom on k/d = 1.0 comparing no-rotation, known-R and unknown-R (right). Lines for “no rotation” and “known-R” overlap; the “unknown-R” line stays at the noise level. noise floor (∼ 0.007) for all k/d values, including k/d = 1.0 (no truncation at all). The ratio BLEUoff/BLEUunknown is 22× at k/d = 1.0, 11× at 0.75, 8× at 0.50. This is an e… view at source ↗
Figure 4
Figure 4. Figure 4: Per-seed Acc@10 of the proposed pipeline relative to baseline_proj on five rotation seeds; the spread is below the 5-seed CI of the baseline [PITH_FULL_IMAGE:figures/full_fig_p014_4.png] view at source ↗
Figure 4
Figure 4. Figure 4: Per-seed Acc@10 of the proposed pipeline relative to baseline_proj on five rotation seeds; the spread is below the 5-seed CI of the baseline. truncation removes half the embedding volume) and −0.066 for paraphrase-mpnet (a paraphrase￾distilled model that does not concentrate retrieval signal in the top singular directions). The end-to-end accuracy budget is met for retrieval-trained d ≥ 768. The end-to-end… view at source ↗
Figure 5
Figure 5. Figure 5: Left: per-stage latency decomposition at k = 192 (the server-side ct-pt rerank dominates). Right: CDF of the server-side rerank latency over 500 queries × 5 seeds (p95 ≈ 283 ms); the full end-to-end p95 ≈ 370 ms ( [PITH_FULL_IMAGE:figures/full_fig_p015_5.png] view at source ↗
Figure 5
Figure 5. Figure 5: Left: per-stage latency decomposition at k = 192 (the server-side ct-pt rerank dominates). Right: CDF of the server-side rerank latency over 500 queries × 5 seeds (p95 ≈ 283 ms); the full end-to-end p95 ≈ 370 ms ( [PITH_FULL_IMAGE:figures/full_fig_p016_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Known-plaintext alignment destroys the unknown-rotation assumption: with about k leaked pairs the rotation is recovered. The x axis uses a symlog scale to include m = 0 [PITH_FULL_IMAGE:figures/full_fig_p016_6.png] view at source ↗
Figure 6
Figure 6. Figure 6: Known-plaintext alignment destroys the unknown-rotation assumption: with about k leaked pairs the rotation is recovered. The x axis uses a symlog scale to include m = 0 [PITH_FULL_IMAGE:figures/full_fig_p020_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Reference-corpus lookup after alignment. When the reference overlaps the protected collection, alignment turns the protected vector into an exact paragraph lookup; with a disjoint reference this token-overlap proxy stays low. 16 [PITH_FULL_IMAGE:figures/full_fig_p016_7.png] view at source ↗
Figure 7
Figure 7. Figure 7: Reference-corpus lookup after alignment. When the reference overlaps the protected collection, alignment turns the protected vector into an exact paragraph lookup; with a disjoint reference this token-overlap proxy stays low [PITH_FULL_IMAGE:figures/full_fig_p021_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Utility/leakage diagnostic for SVD truncation and calibrated Gaussian noise (dashed: matched-σrec noise baselines). 18 [PITH_FULL_IMAGE:figures/full_fig_p018_8.png] view at source ↗
Figure 8
Figure 8. Figure 8: Utility/leakage diagnostic for SVD truncation and calibrated Gaussian noise (dashed: matched-σrec noise baselines). 22 [PITH_FULL_IMAGE:figures/full_fig_p022_8.png] view at source ↗
read the original abstract

Dense embeddings power semantic search and retrieval-augmented generation, yet a leaked vector database also leaks the text behind it, because embeddings can be inverted with high fidelity. Fully homomorphic search is sound but far too slow at million-document scale, while privacy noise degrades ranking before it protects. We study a middle path built on an asymmetry: the static document collection is protected geometrically - each vector is SVD-truncated onto a lower-dimensional subspace and rotated by a secret orthogonal transform held only by the data owner - while the dynamic query is protected cryptographically under CKKS, so an honest-but-curious server never sees query values or similarity scores. We prove a tight lower bound on the reconstruction error of any decoder confined to the protected subspace. On a one-million-document corpus with five encoders the protection preserves - and on the strongest encoders slightly improves - retrieval quality, a linear-denoiser effect, at sub-second latency, while an off-the-shelf inversion attack collapses to the noise floor. We also quantify the boundary: a known-plaintext attacker recovers the secret rotation by orthogonal Procrustes from about as many leaked pairs as the retained dimension. The same asymmetric geometry doubles as a privacy-preserving semantic data-loss-prevention primitive for LLM firewalls: a server holding only the protected vectors detects whether a candidate matches a confidential reference corpus at near parity with a plaintext detector, degrading gracefully under text obfuscation. We state the limits plainly: query confidentiality is cryptographic, but document protection rests on SVD truncation and a secret rotation that form an empirical obfuscation layer, not a cryptographic primitive, under a clearly delimited threat model.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The paper proposes a hybrid privacy-aware semantic search method combining SVD-truncated and rotated document embeddings for geometric protection with CKKS-encrypted queries for cryptographic protection under an honest-but-curious server model. It proves a tight lower bound on reconstruction error for subspace-confined decoders and shows through experiments on a 1M-document corpus with five encoders that retrieval quality is preserved or improved with sub-second latency, while inversion attacks fail. The method is also applied to semantic data-loss prevention.

Significance. This approach addresses the practical need for scalable privacy in semantic search without the overhead of full homomorphic encryption. The mathematical lower bound and the clear delimitation of the threat model strengthen the contribution. The observed linear-denoiser effect and the boundary quantification for known-plaintext attacks are valuable. The work has potential significance for privacy-preserving RAG systems if the empirical results are robust.

minor comments (2)
  1. [Abstract] The abstract refers to 'five encoders' without naming them; including the specific models would improve clarity and reproducibility.
  2. [Empirical Evaluation] Details on the exact truncation dimensions used and any post-hoc experimental choices should be provided to allow full verification of the retrieval quality claims.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the constructive and positive review. The recommendation for minor revision is appreciated, and we note the absence of specific major comments requiring point-by-point rebuttal. We will incorporate minor clarifications and improvements in the revised version to enhance readability and address any implicit suggestions from the summary.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper's central claims consist of an explicitly stated proof of a lower bound on reconstruction error for decoders confined to the protected subspace, together with separate empirical measurements of retrieval quality on a one-million-document corpus. These elements are presented as distinct: the proof applies under the delimited honest-but-curious threat model with secret orthogonal transform, while the retrieval numbers are reported as experimental outcomes that do not reduce to any fitted parameter defined by the same experiment. The manuscript explicitly labels document-side protection as empirical obfuscation rather than a cryptographic primitive and states the Procrustes recovery boundary as a separate quantification. No equation, self-citation chain, or ansatz reduces the claimed results to their own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the domain assumptions that the server follows the honest-but-curious model, that the secret rotation remains confidential, and that the reconstruction lower bound holds inside the truncated subspace. No free parameters or new invented entities are introduced in the abstract; the retained dimension appears only as a parameter governing attacker success, not as a fitted constant in the main result.

axioms (2)
  • domain assumption The server is honest-but-curious and does not collude to obtain the secret rotation.
    Explicitly stated as part of the restricted threat model under which document protection is evaluated.
  • domain assumption The data owner alone controls and keeps secret the orthogonal transform applied after SVD truncation.
    Central premise of the geometric protection layer; recovery of this transform is shown to require roughly as many leaked pairs as the retained dimension.

pith-pipeline@v0.9.1-grok · 5828 in / 1759 out tokens · 66639 ms · 2026-06-30T09:32:11.976207+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. SHARD: cell-keyed residual splitting for alignment-resistant private dense retrieval

    cs.CR 2026-06 conditional novelty 7.0

    SHARD shards private embedding residuals into cell-local keyed groups to raise the anchor requirement for alignment attacks by a factor of C while preserving full-dimensional nDCG@10 via encrypted reranking.

  2. SHARD: cell-keyed residual splitting for alignment-resistant private dense retrieval

    cs.CR 2026-06 unverdicted novelty 6.0

    SHARD introduces cell-keyed residual splitting that turns dense retrieval embeddings into revocable, renewable, unlinkable templates resistant to alignment attacks while preserving exact utility under CKKS reranking.

Reference graph

Works this paper leans on

53 extracted references · 10 canonical work pages · cited by 1 Pith paper · 4 internal anchors

  1. [1]

    Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks,

    N. Reimers and I. Gurevych, “Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks,” inProc. EMNLP, 2019, pp. 3982–3992

  2. [2]

    Text Embeddings by Weakly-Supervised Contrastive Pre-training

    L. Wang, N. Yang, X. Huang, et al., “Text Embeddings by Weakly-Supervised Contrastive Pre- training,”arXiv:2212.03533, 2022

  3. [3]

    Large Dual Encoders Are Generalizable Retrievers,

    J. Ni et al., “Large Dual Encoders Are Generalizable Retrievers,” inProc. EMNLP, 2022, pp. 9844–9855

  4. [4]

    M3-Embedding: Multi-Linguality, Multi-Functionality, Multi-Granularity Text Embeddings Through Self-Knowledge Distillation

    J. Chen, S. Xiao, P. Zhang, K. Luo, D. Lian, and Z. Liu, “BGE M3-Embedding: Multi-Lingual, Multi-Functionality, Multi-Granularity Text Embeddings Through Self-Knowledge Distillation,” arXiv:2402.03216, 2024

  5. [5]

    Dense Passage Retrieval for Open-Domain Question Answering,

    V. Karpukhin et al., “Dense Passage Retrieval for Open-Domain Question Answering,” inProc. EMNLP, 2020, pp. 6769–6781

  6. [6]

    ColBERT: Efficient and Effective Passage Search via Contextualised Late Interaction over BERT,

    O. Khattab and M. Zaharia, “ColBERT: Efficient and Effective Passage Search via Contextualised Late Interaction over BERT,” inProc. ACM SIGIR, 2020, pp. 39–48

  7. [7]

    Text Embeddings Reveal (Almost) As Much As Text,

    J. X. Morris, V. Kuleshov, V. Shmatikov, and A. M. Rush, “Text Embeddings Reveal (Almost) As Much As Text,” inProc. EMNLP, 2023

  8. [8]

    Sentence Embedding Leaks More Information than You Expect: Generative Embedding Inversion Attack to Recover the Whole Sentence,

    H. Li, M. Xu, and Y. Song, “Sentence Embedding Leaks More Information than You Expect: Generative Embedding Inversion Attack to Recover the Whole Sentence,” inFindings of ACL, 2023, pp. 14022–14040

  9. [9]

    Transferable Embedding Inversion Attack: Uncovering Privacy Risks in Text Embeddings without Model Queries,

    Y.-H. Huang, Y. Tsai, H. Hsiao, H.-Y. Lin, and S.-D. Lin, “Transferable Embedding Inversion Attack: Uncovering Privacy Risks in Text Embeddings without Model Queries,” inProc. ACL (Long), 2024, pp. 4193–4205. 26

  10. [10]

    ALGEN: Few-shot Inversion Attacks on Textual Embeddings via Cross-Model Alignment and Generation,

    Y. Chen, Q. Xu, and J. Bjerva, “ALGEN: Few-shot Inversion Attacks on Textual Embeddings via Cross-Model Alignment and Generation,” inProc. ACL (Long), 2025, pp. 24330–24348. arXiv:2502.11308

  11. [11]

    Universal Zero-shot Embedding Inversion,

    C. Zhang, J. X. Morris, and V. Shmatikov, “Universal Zero-shot Embedding Inversion,” arXiv:2504.00147, 2025

  12. [12]

    Harnessing the Universal Geometry of Embed- dings,

    R. Jha, C. Zhang, V. Shmatikov, and J. X. Morris, “Harnessing the Universal Geometry of Embeddings (vec2vec),”arXiv:2505.12540, 2025

  13. [13]

    Zero2Text: Zero-Training Cross-Domain Inversion Attacks on Textual Embeddings,

    D. Kim, D. Kang, K. Lee, H. Baek, and B. B. Kang, “Zero2Text: Zero-Training Cross-Domain Inversion Attacks on Textual Embeddings,”arXiv:2602.01757, 2026

  14. [14]

    The Good and the Bad: Exploring Privacy Issues in Retrieval-Augmented Generation (RAG),

    S. Zeng et al., “The Good and the Bad: Exploring Privacy Issues in Retrieval-Augmented Generation (RAG),” inFindings of ACL, 2024, pp. 4505–4524

  15. [15]

    Information Leakage in Embedding Models,

    C. Song and A. Raghunathan, “Information Leakage in Embedding Models,” inProc. ACM CCS, 2020, pp. 377–390

  16. [16]

    Membership Inference Attacks Against Machine Learning Models,

    R. Shokri et al., “Membership Inference Attacks Against Machine Learning Models,” inProc. IEEE S&P, 2017, pp. 3–18

  17. [17]

    Extracting Training Data from Large Language Models,

    N. Carlini et al., “Extracting Training Data from Large Language Models,” inProc. USENIX Security, 2021, pp. 2633–2650

  18. [18]

    Differential Privacy,

    C. Dwork, “Differential Privacy,” inProc. ICALP, 2006, pp. 1–12

  19. [19]

    Deep Learning with Differential Privacy,

    M. Abadi et al., “Deep Learning with Differential Privacy,” inProc. ACM CCS, 2016, pp. 308–318

  20. [20]

    Differentially Private Representation for NLP,

    L. Lyu, X. He, and Y. Li, “Differentially Private Representation for NLP,” inFindings of EMNLP, 2020, pp. 2355–2365

  21. [21]

    Privacy via the Johnson-Lindenstrauss Transform,

    K. Kenthapadi, A. Korolova, I. Mironov, and N. Mishra, “Privacy via the Johnson-Lindenstrauss Transform,”J. Privacy and Confidentiality, vol. 5, no. 1, 2013

  22. [22]

    Random Projection-Based Multiplicative Data Perturbation for Privacy Preserving Distributed Data Mining,

    K. Liu, H. Kargupta, and J. Ryan, “Random Projection-Based Multiplicative Data Perturbation for Privacy Preserving Distributed Data Mining,”IEEE TKDE, vol. 18, no. 1, 2006, pp. 92–106

  23. [23]

    Homomorphic Encryption for Arithmetic of Approximate Numbers,

    J. H. Cheon, A. Kim, M. Kim, and Y. Song, “Homomorphic Encryption for Arithmetic of Approximate Numbers,” inAdvances in Cryptology—ASIACRYPT 2017, LNCS 10624, pp. 409–437

  24. [24]

    Bootstrapping for Approximate Homomorphic Encryption,

    J. H. Cheon, K. Han, A. Kim et al., “Bootstrapping for Approximate Homomorphic Encryption,” in Advances in Cryptology—EUROCRYPT 2018, LNCS 10820, pp. 360–384

  25. [25]

    Homomorphic Encryption Security Standard,

    M. Albrecht et al., “Homomorphic Encryption Security Standard,” HomomorphicEncryption.org, 2018

  26. [26]

    On the Concrete Hardness of Learning with Errors,

    M. R. Albrecht, R. Player, and S. Scott, “On the Concrete Hardness of Learning with Errors,”Journal of Mathematical Cryptology, vol. 9, no. 3, 2015, pp. 169–203 (lattice-estimator methodology)

  27. [27]

    A Generalized Solution of the Orthogonal Procrustes Problem,

    P. H. Schönemann, “A Generalized Solution of the Orthogonal Procrustes Problem,”Psychometrika, vol. 31, no. 1, 1966, pp. 1–10

  28. [28]

    OpenFHE: Open-Source Fully Homomorphic Encryption Library,

    A. Al Badawi et al., “OpenFHE: Open-Source Fully Homomorphic Encryption Library,” inProc. WAHC ’22, 2022, pp. 53–63

  29. [29]

    EVA: An Encrypted Vector Arithmetic Language and Compiler for Efficient Homomorphic Computation,

    R. Dathathri et al., “EVA: An Encrypted Vector Arithmetic Language and Compiler for Efficient Homomorphic Computation,” inProc. ACM PLDI, 2020, pp. 546–561

  30. [30]

    CHET: An Optimizing Compiler for Fully-Homomorphic Neural-Network Inferencing,

    R. Dathathri et al., “CHET: An Optimizing Compiler for Fully-Homomorphic Neural-Network Inferencing,” inProc. ACM PLDI, 2019, pp. 142–156

  31. [31]

    Over 100x Faster Bootstrapping in Fully Homomorphic Encryption through Memory-centric Optimisation with GPUs,

    W. Jung, S. Kim, J. H. Ahn et al., “Over 100x Faster Bootstrapping in Fully Homomorphic Encryption through Memory-centric Optimisation with GPUs,”IACR TCHES, vol. 2021, no. 4, pp. 114–148. 27

  32. [32]

    Intel HEXL: Accelerating Homomorphic Encryption with Intel AVX512-IFMA52,

    F. Boemer et al., “Intel HEXL: Accelerating Homomorphic Encryption with Intel AVX512-IFMA52,” inProc. WAHC ’21, 2021, pp. 57–62

  33. [33]

    CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy,

    R. Gilad-Bachrach et al., “CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy,” inProc. ICML, 2016, vol. 48, pp. 201–210

  34. [34]

    Private Web Search with Tiptoe,

    A. Henzinger, E. Dauterman, H. Corrigan-Gibbs, and N. Zeldovich, “Private Web Search with Tiptoe,” inProc. ACM SOSP, 2023

  35. [35]

    PIR with Compressed Queries and Amortised Query Processing,

    S. Angel, H. Chen, K. Laine, and S. Setty, “PIR with Compressed Queries and Amortised Query Processing,” inProc. IEEE S&P, 2018, pp. 962–979

  36. [36]

    One Server for the Price of Two: Simple and Fast Single-Server Private Information Retrieval (SimplePIR),

    A. Henzinger, M. M. Hong, H. Corrigan-Gibbs, S. Meiklejohn, and V. Vaikuntanathan, “One Server for the Price of Two: Simple and Fast Single-Server Private Information Retrieval (SimplePIR),” in Proc. USENIX Security, 2023

  37. [37]

    OnionPIR: Response Efficient Single-Server PIR,

    M. H. Mughees, H. Chen, and L. Ren, “OnionPIR: Response Efficient Single-Server PIR,” inProc. ACM CCS, 2021, pp. 2292–2306

  38. [38]

    Finding Structure with Randomness: Probabilistic Algorithms for Constructing Approximate Matrix Decompositions,

    N. Halko, P.-G. Martinsson, and J. A. Tropp, “Finding Structure with Randomness: Probabilistic Algorithms for Constructing Approximate Matrix Decompositions,”SIAM Review, vol. 53, no. 2, 2011, pp. 217–288

  39. [39]

    Product Quantisation for Nearest Neighbor Search,

    H. Jegou, M. Douze, and C. Schmid, “Product Quantisation for Nearest Neighbor Search,”IEEE TPAMI, vol. 33, no. 1, 2011, pp. 117–128

  40. [40]

    Efficient and Robust Approximate Nearest Neighbour Search Using Hierarchical Navigable Small World Graphs,

    Y. A. Malkov and D. A. Yashunin, “Efficient and Robust Approximate Nearest Neighbour Search Using Hierarchical Navigable Small World Graphs,”IEEE TPAMI, vol. 42, no. 4, 2020, pp. 824–836

  41. [41]

    Milvus: A Purpose-Built Vector Data Management System,

    J. Wang, X. Yi, R. Guo et al., “Milvus: A Purpose-Built Vector Data Management System,” inProc. ACM SIGMOD, 2021, pp. 2614–2627

  42. [42]

    The Approximation of One Matrix by Another of Lower Rank,

    C. Eckart and G. Young, “The Approximation of One Matrix by Another of Lower Rank,”Psychome- trika, vol. 1, no. 3, 1936, pp. 211–218

  43. [43]

    Extensions of Lipschitz Mappings into a Hilbert Space,

    W. B. Johnson and J. Lindenstrauss, “Extensions of Lipschitz Mappings into a Hilbert Space,” Contemporary Mathematics, vol. 26, 1984, pp. 189–206

  44. [44]

    BEIR: A Heterogeneous Benchmark for Zero-shot Evaluation of Information Retrieval Models,

    N. Thakur, N. Reimers, A. Rücklé, A. Srivastava, and I. Gurevych, “BEIR: A Heterogeneous Benchmark for Zero-shot Evaluation of Information Retrieval Models,” inProc. NeurIPS Datasets and Benchmarks Track, 2021

  45. [45]

    BLEU: a Method for Automatic Evaluation of Machine Translation,

    K. Papineni et al., “BLEU: a Method for Automatic Evaluation of Machine Translation,” inProc. ACL, 2002, pp. 311–318

  46. [46]

    Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,

    P. Lewis et al., “Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,” inProc. NeurIPS, 2020

  47. [47]

    Self-RAG: Learning to Retrieve, Generate, and Critique through Self-Reflection,

    A. Asai et al., “Self-RAG: Learning to Retrieve, Generate, and Critique through Self-Reflection,” in Proc. ICLR, 2024

  48. [48]

    Corrective Retrieval Augmented Generation

    S.-Q. Yan et al., “Corrective Retrieval Augmented Generation,”arXiv:2401.15884, 2024

  49. [49]

    Retrieval-Augmented Generation for Large Language Models: A Survey

    Y. Gao et al., “Retrieval-Augmented Generation for Large Language Models: A Survey,” arXiv:2312.10997, 2024

  50. [50]

    Hybrid Method for Privacy-Preserving Semantic Search Based on Homomorphic Encryption and Random Projections,

    S. M. Kurilenko, “Hybrid Method for Privacy-Preserving Semantic Search Based on Homomorphic Encryption and Random Projections,”Vestnik Komp’yuternykh i Informatsionnykh Tekhnologiy, no. 3, 2026, pp. 44–49. doi:10.14489/vkit.2026.03.pp.044-049

  51. [51]

    LlamaFirewall: An open source guardrail system for building secure AI agents

    Meta AI, “LlamaFirewall: An Open-Source Guardrail System for Building Secure AI Agents,” arXiv:2505.03574, 2025. 28

  52. [52]

    Presidio: Context-aware, pluggable and customizable data protection and de-identification SDK,

    Microsoft, “Presidio: Context-aware, pluggable and customizable data protection and de-identification SDK,”https://github.com/microsoft/presidio, 2024

  53. [53]

    AI Adoption and Risk Report,

    Cyberhaven, “AI Adoption and Risk Report,” industry report, 2025. 29