Papers
Topics
Authors
Recent
Search
2000 character limit reached

Semantic Encryption

Updated 7 July 2026
  • Semantic Encryption is a family of methods that protect meaning-bearing information rather than raw data bits, enabling secure semantic communication and specialized applications.
  • It underpins various areas including privacy-preserving cloud LLM interactions, searchable encryption with concept-based retrieval, and quantum cryptographic systems.
  • Techniques balance controlled semantic leakage and task performance using methods like semantic codecs, homomorphic encryption, and generative deception.

Searching arXiv for recent and foundational papers on “Semantic Encryption” across its main usages. Semantic Encryption (SE) denotes a family of non-equivalent security constructs centered on protecting meaning-bearing information rather than, or in addition to, conventional bitstrings. In semantic communication, SE targets latent semantic representations or generative carriers so that authorized receivers recover task-relevant meaning while adversaries cannot infer it; in searchable encryption, “semantic” refers to ontology- or concept-based retrieval over encrypted corpora; in privacy-preserving interaction with cloud-based LLMs, SE transforms prompts into an alternative semantic context that preserves logical structure while obscuring sensitive context; and in quantum cryptography, semantic security retains the Goldwasser–Micali meaning, adapted to quantum states and quantum adversaries (Meng et al., 23 Jan 2026, Boucenna, 2020, Chen et al., 3 Aug 2025, Xiang et al., 2015, Alagic et al., 2016). The shared theme is controlled utility under restricted semantic leakage, but the underlying objects, threat models, and guarantees differ substantially.

1. Terminological scope and conceptual distinctions

The most important fact about Semantic Encryption is terminological: the literature uses the term for several different targets of protection. In semantic communication, the protected object is a meaning-bearing latent, carrier, or task representation. A typical formulation lets an input modality XX with task semantics SS pass through a semantic encoder EE to a latent ZZ, from which a decoder DD recovers task outputs Y^\hat Y; SE then seeks to transform or transmit ZZ or a stego carrier so that authorized parties can reconstruct SS while eavesdroppers cannot infer SS or even detect that SS is embedded (Meng et al., 23 Jan 2026). In cloud-LLM interaction, the protected object is the logical content of the prompt, preserved through a transformed semantic context rather than through classical ciphertext formation (Chen et al., 3 Aug 2025).

In searchable encryption, the acronym “SE” often denotes searchable encryption itself, and “semantic” refers not to semantic security in the cryptographic sense but to concept-based retrieval under encryption. Queries and documents are mapped to concepts from an ontology, and the server searches over encrypted concept-weighted representations to preserve relevance and recall without revealing sensitive data (Boucenna, 2020). A related but distinct usage appears in quantum cryptography, where semantic security and indistinguishability are defined for quantum private-key and public-key encryption schemes whose ciphertexts are quantum states (Xiang et al., 2015, Alagic et al., 2016).

The literature also contains adjacent usages in which “semantic” comes from the protected task rather than from the security definition. A block-wise secret-key transform for semantic segmentation, for example, protects access to a trained model by binding it to a keyed encrypted image domain; the paper explicitly distinguishes this from cryptographic semantic security and presents it as keyed access control rather than IND-CPA-style encryption (Ito et al., 2021). This suggests that “Semantic Encryption” is best understood as an umbrella label whose precise meaning is fixed by the surrounding research program.

2. Meaning-layer protection in semantic communication

In semantic communication, SE is motivated by the observation that plaintext semantic features can be highly revealing even when conventional packet structures disappear. One recent formulation explicitly contrasts bit-level cryptographic semantic security with steganography-based semantic secrecy and defines the goal as making the stego distribution close to natural content, for example by minimizing SS0, while ensuring recoverability of private semantics for an authorized receiver (Meng et al., 23 Jan 2026). The paper “Secure Intellicise Wireless Network: Agentic AI for Coverless Semantic Steganography Communication” realizes this through AgentSemSteCom, which combines semantic extraction, digital token–controlled reference image generation, coverless steganography, a semantic codec, and optional task-oriented enhancement. The transmitter extracts a public semantic key SS1 as a sequence of natural-language prompts and an implicit feature SS2 encoding structural constraints, hashes a user-defined token SS3 into a seed SS4, generates a reference image with ControlNet-guided diffusion, uses EDICT for exact diffusion inversion, and transmits the resulting stego image through semantic JSCC with

SS5

At the security level it introduces a reconstruction-based adversarial advantage

SS6

and frames leakage through SS7 for an eavesdropper without the correct token. Experimentally, relative to SemSteDiff, AgentSemSteCom improves PSNR by 14.29%, SSIM by 8.88%, reduces MSE by 43.75%, and lowers LPIPS by 5.1%; the legitimate receiver with the correct token achieves PSNR 25.37 dB, whereas an eavesdropper with the wrong token achieves 18.91 dB (Meng et al., 23 Jan 2026).

Other semantic-communication realizations adopt different mechanisms. ESCS inserts symmetric encryption before semantic encoding and decryption before semantic decoding, then trains encryptor, decryptor, semantic codec, and attacker adversarially with

SS8

The system is trained on Europarl, uses AWGN, and is designed to retain accuracy in both encrypted and unencrypted modes; with adversarial training, Bob’s BLEU remains high while Eve’s BLEU stays below 0.2 across SNRs, whereas without adversarial training Eve’s BLEU tracks Bob’s closely (Luo et al., 2022). SREC instead encrypts semantic feature tensors by per-element modulo-256 addition and then applies super-resolution reconstruction; at SNR = 4 dB, its QPSK configuration yields PSNR equal to NTSCC + 3.0 dB and +4.6 dB versus encrypted NTSCC without super-resolution (Zhang et al., 5 Sep 2025). A homomorphic variant redesigns deep JSCC around square activations and average pooling so that inference can run directly on CKKS ciphertext; on MNIST, the homomorphic model attains essentially the same accuracy as its plaintext privacy-preserved counterpart while taking 73.84 s per inference rather than 0.000172 s (Meng et al., 17 Jan 2025).

Key generation can likewise be moved to the semantic layer. A physical-layer semantic encryption scheme for deep-learning semantic communication computes BLEU scores between source and transmitter-side decoded content, forms a weighted aggregate

SS9

and hashes it into a semantic key used for encryption and subcarrier obfuscation; with dynamic dummy insertion, legitimate BER matches the unencrypted case while eavesdropper BER remains approximately 0.5 (Qin et al., 2023). ESAE for intelligent connected vehicles replaces explicit key transmission with semantic reciprocity: both endpoints derive session keys from YOLO-v10 descriptors extracted from past semantically equivalent reconstructions, use PBKDF2/HMAC to derive keys, and report a highest Mean Consistency Rate of Semantic Key Generation of 86% at SNR = 25 dB and EE0 while maintaining a semantic search space above EE1 with suitable EE2 (Wang et al., 23 Feb 2025). VENENA pushes the idea further into physical-layer deception: a high-power decoy image and a low-power poison mask are non-orthogonally multiplexed so that Bob recovers the true semantic class while Eve typically recovers only a plausible false class. In the reported setting, “deception on” with EE3 yields Bob 93.43%, Eve(full) 51.12%, and Eve(partial) 5.18% message perception accuracy (Han et al., 18 Jan 2025).

Taken together, these works define SE in semantic communication as a shift from protecting packets to protecting inference. Some schemes encrypt features directly, some exploit semantic reciprocity for key derivation, and some use generative or deceptive carriers so that the intercepted object remains meaningful but semantically wrong.

3. Semantic transformation for privacy-preserving cloud LLM interaction

A distinct line of work defines Semantic Encryption as a local semantic transformation layer around cloud-based LLMs. Here the central claim is that masking personally identifiable information or injecting differential-privacy noise often damages logical structure, numerical dependencies, and task utility, especially for structured reasoning tasks such as math word problems (Chen et al., 3 Aug 2025). The proposed framework therefore preserves intent and logical structure while changing the semantic frame. Formally, a local semantic encoder maps original inputs to transformed inputs,

EE4

the cloud model processes the transformed prompt,

EE5

and a local semantic decoder reconstructs the response in the original context,

EE6

Privacy is posed as low leakage EE7, while structure preservation requires EE8. The paper also states a Shannon-style claim that under a uniformly random bijective semantic mapping, with original context descriptions EE9, numerical data ZZ0, ciphertext space ZZ1, and key space ZZ2, one has ZZ3 (Chen et al., 3 Aug 2025).

The system is trained by “Semantic Distillation,” in which a cloud LLM generates alternative semantic contexts and reconstruction pairs used to fine-tune lightweight local models. The reported implementation uses Qwen3-0.6B for both encoder and decoder, fine-tuned with LoRA rank 8, learning rate ZZ4, and batch size 2, with Qwen-Plus as the cloud API and a single NVIDIA RTX A6000 GPU (Chen et al., 3 Aug 2025). Evaluation spans GSM8K, OrcaMath, MetaMath, and ANLI. On encrypted inputs, the framework reports 83.02% accuracy on GSM8K versus a best baseline of 7.66%, 84.08% on MetaMath versus a best baseline of 23.64%, and 55.78% on ANLI versus a best baseline of 45.59%. On GSM8K user-experience metrics, it reports BLEU 0.2294 versus InferDPT 0.1947, METEOR 0.4368 versus 0.3687, ROUGE-1 0.5380 versus 0.4996, ROUGE-2 0.2524 versus 0.2139, ROUGE-L 0.3682 versus 0.3443, and BERTScore 0.7243 versus 0.7149 (Chen et al., 3 Aug 2025).

This formulation differs sharply from classical cryptography. There is no exchange of symmetric or asymmetric keys with the provider; the effective “key” is the learned pair of local models. It also differs from semantic communication SE because the protected object is not a wireless latent but a transformed prompt–response trajectory. A plausible implication is that this variant is best viewed as semantic-domain virtualization: the cloud model performs useful computation, but only inside an alternative context that is locally invertible for the client.

4. Semantic search over encrypted corpora

In encrypted search, “Semantic Encryption” refers to searchable encryption systems that aim to preserve semantic relevance under encryption rather than to encrypt semantics as such. The representative construction in “Semantic, Efficient, and Secure Search over Encrypted Cloud Data” builds concept-based SSE over a Wikipedia ontology, using TF–IDF term weights

ZZ5

and a Double Score Weighting (DSW) rule in which a concept receives a primary score ZZ6 equal to the number of distinct terms associated with it and a secondary score ZZ7 equal to a TF–IDF-weighted association sum (Boucenna, 2020). Concepts are sorted lexicographically by ZZ8, and the server searches over encrypted concept vectors rather than plaintext keywords. The system combines SKNN for encrypted inner-product evaluation, homomorphic encryption for encrypted scores, and CP-ABE for access control. Its threat model is an honest-but-curious cloud under known-ciphertext and known-background models, and its security framing adopts standard SSE notions such as IND-CKA2 and reviews PK-CKA2, with forward and backward privacy identified as future work rather than implemented features (Boucenna, 2020).

The paper complements semantic ranking with leakage-mitigation mechanisms. Search pattern linkability is reduced by randomized trapdoor construction and concept subsampling. Access-pattern hiding uses separating, splitting, scrambling, and grouping, while dummy documents in inverted lists obscure term distribution. On Yahoo! Answers, the semantic SSE and SIIS constructions are evaluated on 962,232 answers as documents and 142,627 questions as queries. SIIS reports 38.76% precision, close to 43.46% for semantic search on clear data and well above MRSE at approximately 23%. It completes 20 searches over approximately 962k documents in approximately 31 minutes, whereas MRSE extrapolates to approximately 21.5 hours. A cluster deployment reaches up to approximately 46× acceleration (Boucenna, 2020).

A separate engineering line emphasizes that searchable encryption, even when fast, remains operationally constrained by dynamic updates. An end-to-end tiered-index implementation derived from Demertzis–Papamanthou stores multiple encrypted indexes of distinct orders and evaluates daily, weekly, and monthly update batches over the Enron corpus. For one department, daily updates average 21.14 minutes with standard deviation 240.75 minutes, monthly updates average 322.31 minutes with standard deviation 855.13 minutes, and pathological merges can last as long as 4 days 15 hours (Willoughby, 2023). This dynamic-update work concerns searchable encryption in the strict SSE sense rather than semantic retrieval, but it underscores a broader point: once encrypted search acquires real retrieval semantics and update support, leakage, storage expansion, and rebuild costs become first-order design constraints.

The semantic-search literature therefore uses SE in a retrieval-centric sense. Its central challenge is not invisible transmission or semantic obfuscation, but preserving relevance and recall while confining leakage to controlled search and access patterns.

5. Quantum semantic security

In quantum cryptography, Semantic Encryption reverts to the classical Goldwasser–Micali vocabulary, but with plaintexts, ciphertexts, and adversaries generalized to the quantum setting. A quantum encryption scheme is modeled as a tuple ZZ9 in which DD0 is a quantum algorithm and ciphertexts are quantum states. The literature distinguishes private-key and public-key schemes and defines indistinguishability and semantic security in information-theoretic, computational, and physical regimes (Xiang et al., 2015). For quantum private-key encryption, information-theoretic indistinguishability requires that for every quantum circuit family DD1, every positive polynomial DD2, all sufficiently large DD3, and every plaintexts DD4, the distinguishing advantage be less than DD5. The paper then states a necessary and sufficient condition: if the average ciphertext density operators are DD6 and DD7, the scheme is information-theoretically indistinguishable whenever

DD8

It further proves that indistinguishability and semantic security are equivalent in the quantum setting (Xiang et al., 2015).

The later computational treatment formalizes semantic security for quantum data by having a message generator output a joint quantum state on message, side-information, and helper registers, thereby avoiding classical function notation that clashes with the no-cloning principle (Alagic et al., 2016). It proves a quantum analogue of the IND–SEM equivalence across private-key and public-key settings and gives concrete constructions: quantum-secure one-way functions imply IND-CCA1-secure symmetric-key quantum encryption, and quantum-secure trapdoor one-way permutations imply semantically secure public-key quantum encryption (Alagic et al., 2016). The same work notes that a robust IND-CCA2 notion for quantum encryption remains open because superposition decryption queries make it difficult to formulate and enforce the condition that the challenge ciphertext itself not be queried (Alagic et al., 2016).

This branch of the literature is conceptually distinct from semantic communication or semantic transformation. Here “semantic” does not refer to meaning-bearing features, ontology-based concepts, or transformed contexts. It refers to the formal cryptographic requirement that whatever can be efficiently inferred from the ciphertext can already be inferred from side information alone.

6. Common objectives, recurring trade-offs, and frequent misconceptions

Across these literatures, a recurring objective is asymmetric semantic usability: authorized parties retain task performance, while adversaries lose either reconstruction ability, retrieval quality, or contextual interpretability. The methods, however, realize that asymmetry in very different ways. AgentSemSteCom uses digital-token-controlled generative inversion and reports that increasing perturbation strength DD9 collapses Eve’s PSNR from approximately 23.94 dB to approximately 7.83 dB, but visible artifacts increase when Y^\hat Y0 becomes too large (Meng et al., 23 Jan 2026). Cloud-LLM semantic transformation preserves logical structure and utility, but its privacy guarantee depends on learned transformations and on the decoder’s ability to reconstruct from the transformed context and the locally stored input (Chen et al., 3 Aug 2025). Homomorphic semantic communication preserves computation on encrypted data, but the cost can rise from fractions of a millisecond to tens of seconds per inference (Meng et al., 17 Jan 2025). Semantic search improves relevance under encryption, yet still leaks some search and access patterns and can incur very large encrypted index sizes or expensive updates (Boucenna, 2020, Willoughby, 2023).

A frequent misconception is that all forms of Semantic Encryption are “keyless.” The record is narrower. AgentSemSteCom removes private semantic keys, but it still depends on a digital token Y^\hat Y1, shared public conditions, and deterministic latent perturbations; the paper explicitly describes cryptographic protection of residual bit-level payloads and metadata as a complementary defense (Meng et al., 23 Jan 2026). VENENA avoids persistent cryptographic keys for semantic reconstruction, yet its secrecy relies on the protected low-power mask and on Bob’s channel advantage (Han et al., 18 Jan 2025). ESAE removes steady-state key transport, but it still bootstraps with asymmetric cryptography for the initial session key and then derives later keys from reciprocal semantics (Wang et al., 23 Feb 2025). Searchable encryption and quantum semantic security remain fully key-based in the conventional cryptographic sense (Boucenna, 2020, Alagic et al., 2016).

Another misconception is that “semantic” automatically implies stronger privacy. Several papers instead emphasize controlled leakage and trade-offs. In semantic communication, higher perturbation or stronger deception can harm perceptual naturalness or legitimate accuracy (Meng et al., 23 Jan 2026, Han et al., 18 Jan 2025). In cloud-LLM SE, preserving numbers and logical relations is essential for utility, but those preserved structures are also the substrate on which the cloud model still reasons (Chen et al., 3 Aug 2025). In semantic search, richer relevance signals require more index structure, and that structure is itself a potential source of inference unless masked by dummy documents, HE-encrypted scores, and access-pattern hiding (Boucenna, 2020). A plausible synthesis is that SE rarely eliminates leakage outright; more often it moves leakage into a domain judged operationally acceptable for the intended task.

The broad literature therefore supports a narrow conclusion and a broad one. Narrowly, “Semantic Encryption” has no single technical definition. Broadly, it marks a shift in security engineering from protecting syntax alone to protecting meaning, inference, and semantic utility under adversarial observation.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Semantic Encryption (SE).