CAPRISE: Conditional Distance Encryption

• The paper introduces CAPRISE, a symmetric encryption scheme that preserves conditional distance ordering for secure, efficient top‑k retrieval in outsourced settings.
• CAPRISE uses separate encryption methods for queries and database embeddings with controlled randomization to protect sensitive geometric information.
• Experimental evaluations show CAPRISE achieves up to 9× throughput improvements and strong differential privacy guarantees compared to partially homomorphic encryption approaches.

Conditional Approximate Distance-Comparison-Preserving Symmetric Encryption (CAPRISE) is a symmetric cryptographic scheme designed to allow efficient and privacy-preserving similarity search over embedding vectors, particularly in outsourced retrieval-augmented generation (RAG) frameworks. CAPRISE enables cloud providers to determine the relative similarity between an encrypted query and encrypted database embeddings—revealing only the required comparison ordering for top-k retrieval—while concealing all other geometric or pairwise information. It achieves this using two distinct encryption algorithms for queries and database items, employing controlled randomization to protect both content and structural relationships. CAPRISE can be composed with differentially private query perturbation, enabling strong theoretical confidentiality guarantees, high retrieval accuracy, and significantly reduced computational overhead compared to partially homomorphic encryption approaches (Ye et al., 18 Jan 2026).

1. Formal Construction of CAPRISE

CAPRISE operates over an embedding space $\mathcal{M} \subseteq \mathbb{R}^d$, parameterized by a distance-gap $\beta > 0$ and key space $\mathcal{S}$ for the scalar multiplier $s$. It utilizes a pseudorandom function (PRF) $F_K$ and randomness sources for vector-valued and scalar sampling. The encryption involves a separate procedure for database embedding vectors ($\mathrm{Enc}_{\mathrm{DB}}$) and for query embeddings ($\mathrm{Enc}_{\mathrm{Q}}$).

• Key Generation:

$\mathrm{KeyGen}()$: Sample $s \leftarrow \mathcal{S}$, $K \leftarrow \{0,1\}^k$. Return secret key $\beta > 0$0.

• Database Embedding Encryption:

$\beta > 0$1 1. $\beta > 0$2 (random nonce). 2. $\beta > 0$3. 3. $\beta > 0$4 (d-dimensional standard Gaussian). 4. $\beta > 0$5 (seed=$\beta > 0$6). 5. $\beta > 0$7. 6. $\beta > 0$8. 7. Return $\beta > 0$9.

• Query Embedding Encryption:

$\mathcal{S}$0 Identical steps, except the offset is $\mathcal{S}$1, and $\mathcal{S}$2.

• Database Decryption:

For completeness, decryption reconstructs $\mathcal{S}$3 via $\mathcal{S}$4 determinism from $\mathcal{S}$5:

$\mathcal{S}$6

This system ensures non-determinism (due to $\mathcal{S}$7 and the randomized offsets), and separate randomization scales between database and query ciphertexts.

2. Conditional Distance-Comparison-Preserving Guarantees

CAPRISE preserves only the conditional ordering for query-to-database distances, crucial for top-$\mathcal{S}$8 nearest neighbor retrieval. Let $\mathcal{S}$9 be a query, $s$0 be database vectors, and corresponding ciphertexts as previously defined.

• If $s$1, then the encrypted comparison $s$2 will also hold.
• However, for database–database distances, $s$3 is not guaranteed to imply $s$4.

Mathematically, the core property is:

$s$5

but

$s$6

This separation is enforced by bounding the noise terms $s$7, with query offsets strictly smaller than database offsets. The design makes only the required query-to-database distance orderings accessible to the server, obfuscating all other spatial relationships.

3. Operation, Conditional Logic, and Server Behavior

The distinct noise scales in $s$8 and $s$9 render all inter-database distances unusable, while maintaining order reliability for sufficiently separated query-to-database distances (gap at least $F_K$0) amplified by the scaling parameter $F_K$1.

For top-$F_K$2 retrieval, the cloud server, given the encrypted query $F_K$3 and stored encrypted database $F_K$4, performs:

• For each $F_K$5, compute $F_K$6.
• Return indices corresponding to the $F_K$7 smallest $F_K$8.

The server never learns plaintext distances or the order among the encrypted database vectors themselves. This approach supports secure non-interactive ranking, with privacy bound tightly to the inability to relate database embeddings to one another.

4. Security and Privacy Analysis

The security analysis considers an honest-but-curious adversarial cloud. Embedding encryption security rests on the PRF; given $F_K$9, the noise is computationally indistinguishable from random, and reconstructing $\mathrm{Enc}_{\mathrm{DB}}$0 is as hard as the underlying PRF. CAPRISE's leakage function $\mathrm{Enc}_{\mathrm{DB}}$1 exposes only the top-$\mathrm{Enc}_{\mathrm{DB}}$2 comparison outcome:

• Given $\mathrm{Enc}_{\mathrm{DB}}$3, the server learns only the outcome “is $\mathrm{Enc}_{\mathrm{DB}}$4 among the smallest $\mathrm{Enc}_{\mathrm{DB}}$5?”

Privacy Theorem (as stated):

Under standard PRF assumptions, CAPRISE is $\mathrm{Enc}_{\mathrm{DB}}$6-indistinguishable: only the relative order of encrypted query–database distances is exposed; absolute distances and all inter-database relations remain hidden.

To mitigate query analysis, CAPRISE composes with Differential Privacy via the DistanceDP mechanism: before query encryption, $\mathrm{Enc}_{\mathrm{DB}}$7 is perturbed by Gaussian noise calibrated for $\mathrm{Enc}_{\mathrm{DB}}$8-DP guarantees. The resultant query $\mathrm{Enc}_{\mathrm{DB}}$9, $\mathrm{Enc}_{\mathrm{Q}}$0, is then encrypted as above. As a result, even repeated queries do not expose sensitive user information.

This privacy composition extends to theoretical proofs showing (Theorem, as claimed) that the mechanism satisfies $\mathrm{Enc}_{\mathrm{Q}}$1-differential privacy over the embedding space.

5. Computational and Communication Characteristics

CAPRISE is designed for practical throughput and low resource requirements. For each vector, encryption involves $\mathrm{Enc}_{\mathrm{Q}}$2 cost for sampling $\mathrm{Enc}_{\mathrm{Q}}$3 and for linear transform and offset addition.

Empirical performance on an NVIDIA A100 GPU is:

• CAPRISE: $\mathrm{Enc}_{\mathrm{Q}}$4 embeddings/sec (for $\mathrm{Enc}_{\mathrm{Q}}$5)
• PHE-based RemoteRAG: $\mathrm{Enc}_{\mathrm{Q}}$6–$\mathrm{Enc}_{\mathrm{Q}}$7 embeddings/sec

This constitutes approximately a $\mathrm{Enc}_{\mathrm{Q}}$8 improvement in throughput relative to partially homomorphic encryption, with encryption overhead remaining below 19% of the underlying embedding computation.

Ciphertext size is near-minimal: each entry is the embedding plus a small random string ($\mathrm{Enc}_{\mathrm{Q}}$9, $\mathrm{KeyGen}()$0).

embedding size	CAPRISE embeddings/sec
768	$\mathrm{KeyGen}()$12,339
1536	$\mathrm{KeyGen}()$21,800
3072	$\mathrm{KeyGen}()$31,200

Each database query and retrieval round thus scales efficiently for practical RAG deployments.

6. Differential Privacy Integration and Retrieval Adjustments

To enforce differential privacy for query protection—especially to defend against inference from repeated or correlated searches—DistanceDP perturbation is applied to each query embedding before encryption. The noise is Gaussian or von Mises–Fisher ($\mathrm{KeyGen}()$4), with $\mathrm{KeyGen}()$5 set according to the desired $\mathrm{KeyGen}()$6 guarantee.

There exists an explicit relationship between distortion and candidate expansion: to recover the actual top-$\mathrm{KeyGen}()$7 neighbors under angle distortion $\mathrm{KeyGen}()$8, the top-$\mathrm{KeyGen}()$9 search at the cloud must be expanded to top-$s \leftarrow \mathcal{S}$0, as formalized by:

$s \leftarrow \mathcal{S}$1

with $s \leftarrow \mathcal{S}$2 database size, $s \leftarrow \mathcal{S}$3 surface area on $s \leftarrow \mathcal{S}$4-sphere. Thus, increasing privacy via larger $s \leftarrow \mathcal{S}$5 entails a modest computational expansion.

Empirical results found that, despite adding DP noise, local re-ranking after top-$s \leftarrow \mathcal{S}$6 retrieval over the encrypted database ensures that the true top-$s \leftarrow \mathcal{S}$7 is recovered with high recall ($s \leftarrow \mathcal{S}$895%), and RAG quality is nearly indistinguishable from the plaintext baseline.

7. Experimental Evaluation and Application to Secure RAG

A detailed case study was performed using the MS MARCO passage-retrieval dataset, with gtr-t5-base embeddings ($s \leftarrow \mathcal{S}$9). Privacy resistance to vector inversion was measured by Vec2Text BLEU and F1 scores: plaintext BLEU $K \leftarrow \{0,1\}^k$0, F1 $K \leftarrow \{0,1\}^k$1; CAPRISE-encrypted BLEU $K \leftarrow \{0,1\}^k$2, F1 $K \leftarrow \{0,1\}^k$3. This indicates strong resistance to plaintext recovery.

Against database vector-analysis (attacker success rate, ASR), CAPRISE outperformed ADCPE for all embedding sizes tested, indicating superior robustness.

Query DP trade-offs were quantified, showing the proportional growth in $K \leftarrow \{0,1\}^k$4 as a function of the noise setting and database size. Example table:

top-$K \leftarrow \{0,1\}^k$5	$K \leftarrow \{0,1\}^k$6 ($K \leftarrow \{0,1\}^k$7)	$K \leftarrow \{0,1\}^k$8	$K \leftarrow \{0,1\}^k$9 ($\beta > 0$00)	$\beta > 0$01
5	258	52	58	12
10	571	57	108	11
20	928	46	203	10

End-to-end retrieval with CAPRISE and DP-perturbed queries reliably recovers the plaintext top-$\beta > 0$02 with recall $\beta > 0$03, combining strong privacy with practical RAG deployment (Ye et al., 18 Jan 2026).

In summary, CAPRISE provides a symmetric-key embedding encryption scheme for secure, efficient, and privacy-preserving retrieval in cloud-based settings, ensuring that only query-to-database ordinal information is ever revealed, and together with DistanceDP, supports provable privacy guarantees without significant computational or communication penalty.