PrivISAC: Privacy-Preserving ISAC Paradigm

• PrivISAC is a privacy-preserving paradigm for ISAC systems that leverages RIS and cell-free MIMO to degrade eavesdropper signal clarity while maintaining legitimate sensing and communication.
• It employs randomized RIS configurations and physical-layer perturbations to reduce attacker gesture detection accuracy from about 93% to near 30%, showcasing effective privacy gains.
• Joint optimization using block coordinate descent and concave–convex procedures ensures robust communication (>80% success) and improved sensing accuracy with scalable performance.

PrivISAC is a privacy-preserving paradigm for integrated sensing and communication (ISAC) systems that addresses privacy leakage caused by the inherent environmental and target-related information embedded in wireless signals such as channel state information (CSI). Through joint design and dynamic control of physical-layer assets—including reconfigurable intelligent surfaces (RIS) and cell-free multiple-input multiple-output (MIMO) architectures—PrivISAC introduces artificial perturbations and resource allocation strategies that degrade eavesdropper signal interpretability. The approach guarantees robust legitimate communication and sensing functionalities while substantially reducing an attacker’s ability to infer sensitive user information or environmental behaviors (He et al., 8 Jan 2026, Åkesson et al., 2024).

1. Threat Models and System Architecture

In the RIS-enabled ISAC scenario, the actors comprise: a transmitter (Tx); a multi-antenna communication receiver (Rx) capable of CSI feedback; a multi-antenna sensing receiver (legitimate Rx); and a passive, flexible-location eavesdropper with up to three antennas and full access to public pilots and pretrained sensing models (He et al., 8 Jan 2026). Channels in the absence of RIS are modeled as:

• Communication link: $$h^{\text{Com}} = \sum_{k=1}^{K} G_k^c \Phi_k h_k^T \in \mathbb{C}^{M^c}$$
• Sensing link: $$h^{\text{Sen}} = \sum_{k=1}^{K} [G_k^{s,s} + G_k^{s,o}] \Phi_k h_k^T \in \mathbb{C}^{M^s}$$

Privacy leakage arises via attacker inference from $h^{\text{Sen}}$, extracting private gestures, keystrokes, or location features.

In cell-free MIMO ISAC systems, $N_{\rm Tx}$ access points (APs) jointly transmit to $N_{\rm UE}$ users and sense targets via $N_{\rm Rx}$ receiver APs. The adversary, assumed to be an internal user, reconstructs AP beampattern peak directions ($\widehat\theta_j$) and estimates the target position using gradient-descent minimization over geometric constraints. Detection probability $P_D$ quantifies privacy loss (Åkesson et al., 2024).

2. RIS Configuration Mechanism and Perturbation Modeling

PrivISAC leverages a $K \times N$ RIS, where each row $k$ implements two distinct unit-modulus beamforming vectors $\phi_{k,1}$ and $\phi_{k,2}$. Configurations are formed by selecting one vector per row, yielding $N^r = 2^K$ total states. At every RIS-update interval $T_{\text{RIS}}$ (e.g., $2\,\text{ms}$), a random configuration is activated, triggered synchronously with the Tx to avoid mid-packet switching.

Random switching introduces perturbations $\Delta h_{\text{conf}}(t)$ into the eavesdropper’s observation:

$$h^e(t) = h_{\text{true}}(t) + \Delta h_{\text{conf}}(t), \quad \Delta h_{\text{conf}}(t) = \sum_k (G_k^{s,s}\phi_k[x_k(t)] - \text{baseline})h_k^T + \text{noise}$$

These perturbations destroy the temporal structure exploited by eavesdroppers for advanced inference, while legitimate receivers recover clean CSI via time-domain demasking (He et al., 8 Jan 2026).

3. Joint Optimization of Privacy and Communication

The RIS beamforming vectors are optimized to maximize privacy-inducing perturbations in the sensing direction and maintain nearly identical responses for high-throughput communication in the direction $\theta^c$. This is formalized as a single-stage weighted sum optimization:

$$\max_{\phi_{k,i}, \varphi} F = \sum_{k=1}^K \left[ \omega_1 \left( |h_k^{sT} \phi_{k,1}|^2 + |h_k^{sT} \phi_{k,2}|^2 \right) - \omega_2 \| h_k^{sT} (\phi_{k,1} + \phi_{k,2}) \|^2 + \omega_3 \min_{i \in \{1,2\}} \Re\{ h_k^{cT} \phi_{k,i} e^{-j\varphi} \} \right]$$

subject to $|\phi_{k,i}[n]| = 1$ for all rows $k$, vectors $i$, and elements $n$. Weights $\omega$ control the privacy–communication tradeoff.

The solution employs block coordinate descent (BCD), iteratively updating $\phi_{k,i}$ and global phase $\varphi$, guaranteeing convergence to a KKT point. For hardware-limited 1-bit RIS, constraints $|\phi| = 1$ are relaxed with a penalty to support quantized phase operation (He et al., 8 Jan 2026).

In cell-free MIMO settings, optimization involves a CCP (concave–convex procedure) for precoder design under quadratic-over-quadratic forms, ensuring maximized sensing SINR $\gamma_s(\mathbf{W})$ and guaranteed communication SINR for users ($\geq 3\,\text{dB}$) (Åkesson et al., 2024). AP selection for sensing further minimizes mutual information leakage, implemented via greedy sorting.

4. Legitimate Sensing: Masking and Demasking Algorithms

To ensure authorized sensing under randomized RIS states, PrivISAC instantiates a time-domain masking and demasking approach. A shared secret key determines static “sync” configurations for coarse time alignment between RIS and legitimate Rx. Legitimate receivers compute subcarrier and antenna CSI ratios, then detect global minima in coefficient of variation to achieve alignment.

Demasking reconstructs valid CSI for downstream tasks:

1. Zero-mean static paths for each configuration: $\bar{h}_n(t) = h_n(t) - \text{Mean}_t h_n(t)$
2. Estimate relative configuration gains $\{g_n\}$ via minimization over mean ratios $W_{ij}$
3. Demask: $\hat{h}_n(t) = \bar{h}_n(t) / g_n$
4. Sequence legitimate, demasked samples and apply filtering

This methodology allows the legitimate Rx to recover high-fidelity environmental/gesture signals, whereas configurations remain unpredictable to attackers (He et al., 8 Jan 2026).

5. Implementation and Complexity Considerations

PrivISAC prototypes utilize two 8×8 RIS panels (total 8×16), 1-bit PIN-diode phase shifters, and FPGA control for real-time configuration management at $5.22\,\text{GHz}$. The Tx and legitimate/sensing Rxs are ordinary mini-PCs with Intel 5300 NICs and up to three antennas each. Wired triggers (RJ45) ensure packet-aligned RIS switching.

Computation for RIS updates is distributed: configuration optimization on FPGA (Verilog), masking/demasking in MATLAB/Python. Complexity for RIS optimization is $O(I_{\max}(2N^2K+K^2))$ per BCD, and CCP-based cell-free MIMO optimization scales as $O((MN_{\rm Tx})^3)$ per QCQP step (He et al., 8 Jan 2026, Åkesson et al., 2024).

Scalability is feasible for large AP or RIS configurations, with warm-starts and distributed solvers mitigating overhead. Sorting APs for cell-free selection is computationally light at $O(N_{\rm AP}\log N_{\rm AP})$.

6. Performance Evaluation and Privacy Gains

PrivISAC is evaluated via metrics including attacker gesture-classification accuracy, CSI estimation RMSE, mutual information reduction, packet success ratio, RSSI stability, and confusion matrices.

• RIS-enabled PrivISAC reduces attacker classification accuracy from baseline ($\sim$93%) to $\sim$30%, invariant under eavesdropper location and antenna count; multi-view attacks yield similar protection.
• Legitimate sensing accuracy is preserved or slightly improved (from 93.3% to 94.2%) due to RIS gain, contingent on correct demasking.
• Communication integrity is maintained ($>80\%$ success ratio at MCS 7), with stabilized RSSI, outperforming standard configurations.
• Parameter sweeps reveal: increasing active RIS rows benefits legitimate sensing while degrading attacker accuracy; legitimate accuracy remains robust under angular estimation errors; higher antenna count increases attacker baseline accuracy, but PrivISAC holds attacker rate constant near 30%.
• Cell-free MIMO PrivISAC demonstrates 20–30 % privacy improvement in detection probability $P_D$, particularly for moderate power or larger receiver AP sets (Åkesson et al., 2024). A privacy–sensing tradeoff is evident as degrees of freedom rise.

PrivISAC blocks adversarial retraining, with attackers unable to fit models even on self-collected data; test accuracy falls below 20% and loss remains high. Extended tasks—such as respiration monitoring—show legitimate Rx waveform recovery while blinding attackers to useful signal structure (He et al., 8 Jan 2026).

7. Significance and Limitations

PrivISAC advances privacy assurance in ISAC by using randomized spatial perturbations and coordinated resource selection, achieved via lightweight hardware and scalable optimization. The approach maintains communication quality and supports authorized sensing functionality, validated via extensive prototyping and experimentation (He et al., 8 Jan 2026, Åkesson et al., 2024).

Tradeoffs exist: higher power budgets can reduce privacy efficacy in cell-free MIMO; increasing receiver resources supports privacy without meaningful sensing degradation; dynamic resource (AP/RIS) reconfiguration may add coordination overhead but yields sustained privacy benefits across time-coherent intervals.

A plausible implication is that PrivISAC principles may extend to future ISAC systems with higher-dimensional RIS, 1-bit phase quantization, or even distributed MIMO architectures, provided core masking and optimization concepts are adapted for corresponding hardware constraints and adversarial models. Limitations remain under exceedingly high power or hardware-imposed phase granularity, where privacy-sensing separation is less tractable.

Researchers deploying ISAC architectures should consider PrivISAC-compatible strategies as robust countermeasures against passive and active privacy threats, with empirical and theoretical privacy guarantees under realistic deployment conditions.