Papers
Topics
Authors
Recent
Search
2000 character limit reached

Privacy-Preserving Similarity Search

Updated 8 July 2026
  • Privacy-Preserving Similarity Search is a field that computes similarity scores while keeping queries, database entries, and features confidential using cryptographic and privacy-preserving mechanisms.
  • Techniques include secure protocols for private set intersection, homomorphic encryption for inner products, and approximate indexing such as secure LSH and bucketization to balance efficiency and accuracy.
  • The field addresses challenges like information leakage, computational overhead, and adapting methods to diverse data types including sets, graphs, strings, and biometric templates.

Privacy-preserving similarity search is the problem of computing similarity, retrieving near neighbors, or performing thresholded matching when the compared objects, the query, the database, or the search infrastructure are privacy-sensitive. In the literature, the protected objects include sets, strings, graphs, biometric templates, genomic profiles, voice features, and dense vector embeddings; the similarity operators include Jaccard similarity, inner products, cosine similarity, Hamming distance, longest common substring similarity, and thresholded distance tests. The field therefore spans private pairwise similarity computation, secure or leakage-aware indexing for sub-linear search, differentially private similarity release, and hybrid systems that combine cryptography with trusted execution or controlled disclosure (Blundo et al., 2011, Riazi et al., 2016, Zhao, 20 Feb 2025, Saeki et al., 20 Apr 2026).

1. Problem formulations and similarity models

The basic formulations differ in whether the goal is pairwise similarity evaluation or database search. In pairwise protocols, two parties learn a similarity value or threshold decision for private inputs. In search systems, a server or cloud evaluates one query against many stored items, often under a top-kk, rr-neighbor, or thresholded retrieval rule. Some works target exact metrics under restricted operators, while others accept approximate retrieval to obtain scalability (Blundo et al., 2011, Riazi et al., 2016, Hua et al., 2021).

Several similarity measures recur across the literature. For set data, the canonical definition is the Jaccard index

J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.

For vector retrieval with one encrypted side, the central score is the inner product

q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.

For binary biometric templates, the dominant metric is Hamming distance. For privacy-preserving string matching, the normalized longest-common-substring score is

simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.

Graph similarity learning uses either binary graph-graph classification labels y{0,1}y\in\{0,1\} or regression labels y[0,1]y\in[0,1], while some mHealth voice systems use a squared Euclidean-distance-like score over fixed-length voice features (Zhao, 20 Feb 2025, Vaiwsri et al., 2021, Hou et al., 2022, Hadian et al., 2018).

Representation Similarity notion Representative approach
Sets Jaccard index PSI-CA and MinHash protocols
Dense vectors Inner product; cosine via preprocessing AHE/PHE encrypted-plaintext scoring
Binary templates Hamming distance Secure LSH; obfuscated-distance inference
Strings Longest common substring Encoded suffix trees
Graphs Graph-graph classification/regression Privacy-preserved neural graph matching
Genomic SNP sets Thresholded cosine over customized Bloom filters Hierarchical encrypted search index

This diversity of similarity notions is not incidental. The operator usually determines the feasible privacy mechanism. Inner products align with additive homomorphism when exactly one operand is encrypted; Jaccard aligns with PSI-CA and MinHash; Hamming distance aligns with binary embeddings, substring indexes, or obfuscated interval tests; and modality-specific systems often redesign the representation so that a restricted private computation becomes possible (Zhao, 20 Feb 2025, Blundo et al., 2011, Wang et al., 2017).

2. Exact and approximate private similarity computation

A foundational line of work reduces private similarity computation to private set intersection cardinality. In "EsPRESSo" (Blundo et al., 2011), exact private Jaccard is obtained by securely learning c=ABc=|A\cap B|, then computing J(A,B)=c/(A+Bc)J(A,B)=c/(|A|+|B|-c). The same paper gives an approximate protocol based on MinHash signatures

sim(A,B)={ai,i}i=1k{bi,i}i=1kk,sim(A,B)=\frac{\left|\{\langle a_i,i\rangle\}_{i=1}^k \cap \{\langle b_i,i\rangle\}_{i=1}^k\right|}{k},

with expected error rr0. The contribution is a private similarity primitive rather than a full search engine: repeated pairwise comparisons are still needed in database settings (Blundo et al., 2011).

For encrypted vectors, recent work sharpens the distinction between what requires fully homomorphic encryption and what does not. "A Note on Efficient Privacy-Preserving Similarity Search for Encrypted Vectors" (Zhao, 20 Feb 2025) studies the case where only one side is encrypted and the target similarity is the inner product. With a plaintext vector rr1 and encrypted vector rr2, the protocol computes

rr3

and proves

rr4

Its complexity estimate for one encrypted inner product is

rr5

with the simplified total rr6 for additive HE schemes. The same note is explicit that encrypted top-rr7 selection is not provided, and that AHE alone is insufficient when both operands are encrypted (Zhao, 20 Feb 2025).

A closely related 2025 study extends this restricted design to cosine-style embedding search by moving normalization outside the encrypted domain. "Encrypted Vector Similarity Computations Using Partially Homomorphic Encryption" (Serengil et al., 7 Mar 2025) pre-normalizes vectors so that cosine similarity reduces to a dot product, then evaluates encrypted-plaintext dot products with additively homomorphic schemes such as Paillier, Damgård-Jurik, and Okamoto-Uchiyama. In that design, the stored vector is encrypted, the query remains plaintext, and the server computes an encrypted score that only the secret-key holder can decrypt. The paper emphasizes tiny score loss for PHE and much smaller keys and similarity ciphertexts than its TenSEAL baseline, while also making clear that query privacy is not protected in the depicted architecture (Serengil et al., 7 Mar 2025).

Another branch replaces cryptographic secrecy with differential privacy for similarity release. "PrivMin" (Yan et al., 2017) studies MinHash-based Jaccard similarity under neighboring-set semantics and argues that ordinary MinHash satisfies only Conditional rr8-DPSO. Its PrivMin algorithm privatizes MinHash signature generation using the Exponential mechanism and Randomized Response, with overall privacy budget

rr9

and reports substantially better utility than direct Laplace perturbation of the final similarity score on the evaluated text datasets. This is a private similarity estimation mechanism, not a complete nearest-neighbor system (Yan et al., 2017).

3. Search indexes and scalable retrieval architectures

The central scalability problem is that strong cryptographic similarity evaluation is often linear in database size. One response is to redesign the searchable representation rather than encrypt every arithmetic operation. "Sub-Linear Privacy-Preserving Near-Neighbor Search" (Riazi et al., 2016) proposes Secure Locality Sensitive Indexing (SLSI), described as the first PP-NNS scheme with sub-linear query time in the honest-but-curious, two-non-colluding-server setting. If the base LSH collision probability is J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.0, its secure transformation yields

J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.1

so non-neighbor collisions are forced toward J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.2 while near-neighbor discrimination is retained. The resulting query complexity remains of LSH form, roughly J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.3, with J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.4 determined by the secure collision probabilities (Riazi et al., 2016).

A different route is controlled prefiltering before a heavy private test. "Increasing Adversarial Uncertainty to Scale Private Similarity Testing" (Hua et al., 2021) introduces similarity-based bucketization (SBB): the client reveals a noisy, coarse embedding, the server constructs a candidate bucket J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.5, and a downstream private similarity protocol runs only on J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.6. On the evaluated social-media image setting, the paper reports average bucket sizes of J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.7 of the database, retained correctness above J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.8, and speedups of at least J(A,B)=ABAB=ABA+BAB.J(A,B)=\frac{|A\cap B|}{|A\cup B|}=\frac{|A\cap B|}{|A|+|B|-|A\cap B|}.9 compared to using the downstream protocol without SBB (Hua et al., 2021).

Large-scale vector retrieval has also motivated hybrid ANN systems. "Privacy-Preserving Product-Quantized Approximate Nearest Neighbor Search Framework for Large-scale Datasets via A Hybrid of Fully Homomorphic Encryption and Trusted Execution Environment" (Saeki et al., 20 Apr 2026) proposes PPPQ-ANN, which combines product quantization, CKKS-based FHE, and TEE. The framework covers codebook generation, database encoding, database indexing, and search. Its packing strategy reduces many encrypted computations to q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.0 ciphertext work per query, and the paper reports database generation in less than 2 hours and more than 50 QPS in a sequential search on million-scale datasets while preserving privacy (Saeki et al., 20 Apr 2026).

Other systems use modality-specific compressed indexes. "Privacy-Preserving Search for a Similar Genomic Makeup in the Cloud" (Zhu et al., 2019) builds a hierarchical search structure over hospital-randomized customized Bloom filters, supports merged multi-hospital search, and reports that under its experimental settings the scheme is more than q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.1 times faster than Wang et al.'s protocol and q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.2 times faster than Asharov et al.'s solution. "Privacy-Preserving Identification via Layered Sparse Code Design" (Razeghi et al., 2018) instead uses ambiguized sparse ternary codebooks: a public untrusted server performs fast coarse search on privacy-protected codes, and a private trusted server or local client performs refined search with clean layered reconstructions and authorization-dependent fidelity (Zhu et al., 2019, Razeghi et al., 2018).

Privacy-preserving search in Hamming space can also be based on obfuscated evidence rather than exact distance. "Inference-Based Similarity Search in Randomized Montgomery Domains for Privacy-Preserving Biometric Identification" (Wang et al., 2017) partitions a binary template into substrings, computes an obfuscated collision count q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.3, and derives the distance interval

q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.4

It then uses statistical inference for q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.5-neighbor testing and top-q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.6 retrieval, while randomized Montgomery-domain signatures protect the indexing structures themselves (Wang et al., 2017).

4. Leakage, attacks, and security models

The security models in this area are heterogeneous. Some works adopt standard IND-CPA style ciphertext privacy; some permit searchable-encryption leakage such as size, search, and access patterns; some operate in the semi-honest model; some quantify privacy by adversarial posterior confidence; and some provide differential privacy for score release rather than cryptographic confidentiality (Zhao, 20 Feb 2025, Zhu et al., 2019, Hua et al., 2021, Yan et al., 2017).

A recurring theme is that similarity structure itself can be the disclosure channel. "Vulnerabilities in the use of similarity tables in combination with pseudonymisation" (Culnane et al., 2017) is a security critique of an ONS privacy-preserving record-linkage design using HMACs plus similarity tables for names. The paper models the released similarity table as a directed weighted graph over pseudonyms and shows that the graph is highly identifying. On approximately 351,070 Australian surnames, it reports that over q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.7 of the sets of similarity scores are unique; with the full graph, the recovery rate is q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.8; and with one seeded common name such as “Smith,” many neighbors become identifiable through propagation (Culnane et al., 2017).

This critique generalizes beyond record linkage. Searchable representations that reveal stable neighborhoods, exact pairwise distances, or reusable distance profiles may remain vulnerable even when the labels are keyed or encrypted. That lesson reappears in work on modern learned models. "Privacy-Preserved Neural Graph Similarity Learning" (Hou et al., 2022) introduces the notion of an attackable representation: the representation directly involved in cross-graph computation and therefore communicated off device. PPGM is designed so that attackable representations are graph-level messages and obfuscated features rather than node embeddings, with the explicit goal of avoiding reconstruction attacks and reducing graph-property inference leakage (Hou et al., 2022).

Several systems therefore make leakage explicit rather than pretending it is absent. The genomic similar-patient-search system defines a leakage function

q,x=iqixi.\langle q,x\rangle=\sum_i q_i x_i.9

where simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.0 is a size pattern, simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.1 a search-pattern matrix, and simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.2 an access pattern (Zhu et al., 2019). The AHE inner-product note is explicit that it does not formalize leakage after score decryption, access patterns, ranking results, repeated queries, or auxiliary information (Zhao, 20 Feb 2025). PPPQ-ANN explicitly states that it does not address attacks based on access patterns in the search process (Saeki et al., 20 Apr 2026).

Privacy can also fail under repeated interaction even when single-query leakage looks mild. In SBB, the single-query privacy target is adversarial uncertainty about a predicate such as exact perceptual-hash matching, but the paper shows that repeated randomized embeddings of the same image rapidly destroy that protection: by simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.3, the conditioned precision of the matching attacker is almost simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.4, and by simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.5 it is essentially perfect (Hua et al., 2021). This suggests that composition, statefulness, and system-level query control are central issues, not implementation details.

5. Modality-specific systems

The field is strongly shaped by representation. For strings, "Accurate and Efficient Suffix Tree Based Privacy-Preserving String Matching" (Vaiwsri et al., 2021) replaces q-gram-set similarity with encoded suffix trees and chained hashing. It supports longest common substring length, longest common prefix, longest common suffix, longest common middle, and the normalized score

simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.6

Its main point is that set-based encodings lose positional structure, whereas suffix-tree matching preserves contiguous-substring semantics for strings such as account numbers, IBANs, and telephone numbers (Vaiwsri et al., 2021).

For voice search, "Efficient and Privacy-preserving Voice-based Search over mHealth Data" (Hadian et al., 2018) keeps raw voice files under AES and feature vectors under homomorphic encryption. Each clip is reduced to a 36-dimensional averaged feature vector, and the server computes

simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.7

The system is threshold-based rather than top-simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.8 ranked, using thresholds simlcs(s1,s2)=lcs(s1,s2)max(l1,l2).sim_{lcs}(s_1,s_2)=\frac{lcs(s_1,s_2)}{\max(l_1,l_2)}.9 and y{0,1}y\in\{0,1\}0, and the reported average accuracy across its three matching tasks is y{0,1}y\in\{0,1\}1 (Hadian et al., 2018).

For graph similarity, the challenge is that strong neural graph matching often relies on communicated node-level representations. PPGM keeps node-level GNN states local, exchanges graph-level messages via attention,

y{0,1}y\in\{0,1\}2

forms pair-conditioned obfuscated features, and predicts similarity from those obfuscated representations. On the reported binary-code graph benchmarks, it achieves the lowest property-inference attack AUCs among the tested methods while retaining competitive graph-similarity AUC (Hou et al., 2022).

For biometrics and other binary-template systems, the literature includes both secure embeddings and inference-based search. SLSI focuses on secure binary embeddings for sub-linear search (Riazi et al., 2016), whereas the Montgomery-domain biometric framework deliberately conceals exact Hamming distance in a dynamic interval and then retrieves likely candidates statistically (Wang et al., 2017). In document, multimedia, and biometric set representations, EsPRESSo shows that secure Jaccard evaluation can act as a building block for threshold matching and shortlist generation, even though it does not itself provide a private search index (Blundo et al., 2011).

Dense-vector applications now range well beyond classical multimedia. The AHE/PHE vector papers explicitly cite confidential recommender systems, secure federated learning, reverse image search, recommendation engines, and LLM embeddings as motivating workloads (Zhao, 20 Feb 2025, Serengil et al., 7 Mar 2025). PPPQ-ANN makes the same shift explicit by targeting LLMs, VLMs, semantic search, and vector databases at million scale (Saeki et al., 20 Apr 2026). This suggests that modern privacy-preserving similarity search is increasingly an embedding-systems problem rather than only a record-linkage or biometric one.

6. Limitations and research directions

Several limitations recur across otherwise different designs. One-encrypted-side inner-product methods do not solve the both-sides-encrypted case, and they typically leave ranking and top-y{0,1}y\in\{0,1\}3 selection to a decrypting party (Zhao, 20 Feb 2025, Serengil et al., 7 Mar 2025). Set-based protocols such as EsPRESSo provide private pairwise similarity primitives but no private indexing or sublinear retrieval structure (Blundo et al., 2011). ANN-oriented systems such as PPPQ-ANN and SBB scale far better, but they do so by accepting approximation, hybrid trust assumptions, or controlled leakage (Saeki et al., 20 Apr 2026, Hua et al., 2021).

Representation issues remain equally important. Real-valued embeddings often require quantization, fixed-point encoding, or normalization pipelines that are left implicit or only partially analyzed (Zhao, 20 Feb 2025, Serengil et al., 7 Mar 2025). String systems with richer substring semantics incur higher matching cost than bit-array baselines (Vaiwsri et al., 2021). Voice systems compress variable-length feature matrices to 36-dimensional averages, which makes encrypted matching feasible but also discards temporal structure (Hadian et al., 2018). Hybrid PQ systems omit residual re-encoding to keep private indexing practical, trading accuracy for cost (Saeki et al., 20 Apr 2026).

Threat models are still narrower than deployment reality. Multiple papers assume semi-honest or honest-but-curious parties, non-collusion, trusted hardware, or trusted cloud components (Riazi et al., 2016, Wang et al., 2017, Saeki et al., 20 Apr 2026, Yan et al., 2017). Several papers explicitly do not cover access-pattern leakage, richer output leakage, repeated-query attacks, or malicious robustness (Zhao, 20 Feb 2025, Zhu et al., 2019, Hua et al., 2021, Saeki et al., 20 Apr 2026). The ONS critique shows why these omissions matter: even when cryptographic labels are sound, a reusable similarity graph may suffice for large-scale deanonymisation (Culnane et al., 2017).

Three research directions recur across the literature. First, scalable systems increasingly separate coarse candidate generation from stronger private scoring, whether by secure LSH, SBB, hierarchical Bloom-filter trees, or public/private layered search (Riazi et al., 2016, Hua et al., 2021, Zhu et al., 2019, Razeghi et al., 2018). Second, many methods privatize only the most revealing computation or representation rather than the entire pipeline, as in one-sided homomorphic scoring, attackable-representation minimization, and hybrid FHE+TEE ANN (Zhao, 20 Feb 2025, Hou et al., 2022, Saeki et al., 20 Apr 2026). Third, modality-aware design remains decisive: privacy-preserving similarity search succeeds when the similarity operator, encoding, and leakage model are chosen together rather than independently. A plausible implication is that future systems will continue to combine restricted cryptographic computation, approximate indexing, and explicit leakage accounting instead of pursuing a single universal primitive for all data types and all threat models.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (14)

Topic to Video (Beta)

Whiteboard

Follow Topic

Get notified by email when new papers are published related to Privacy-Preserving Similarity Search.