Homomorphic Encryption (Query)

Homomorphic encryption (HE) schemes are built on complex mathematical problems like Learning With Errors (LWE) or Ring-LWE. These schemes allow specific algebraic operations (addition, multiplication) to be performed directly on ciphertexts (encrypted data). For query encryption, a query embedding vector is encrypted element-wise. The core property is that performing a dot product between an encrypted query vector and a plaintext document vector in the encrypted domain yields a result that, when decrypted, matches the dot product of the original vectors. This enables semantic similarity search (e.g., cosine similarity) without decrypting the sensitive query.

In an edge RAG context, HE for queries provides a strong client-side privacy guarantee. The user's query is encrypted on their device before being sent to an untrusted edge server or device hosting the retrieval index. The server performs the similarity search over its knowledge base without ever seeing the plaintext query. This protects against:

• Query interception revealing intellectual property or personal intent.
• Inference attacks where a malicious server could profile users based on their search patterns.
• Data leakage from the query to other processes on the shared edge hardware. Only the final, encrypted similarity scores or a small set of encrypted result identifiers are returned to the client for decryption.

HE introduces significant performance costs, which is a critical constraint for edge deployment:

• Computational Overhead: Operations on ciphertexts are orders of magnitude slower than on plaintext. A single homomorphic multiplication can be 10,000x to 1,000,000x slower than its plaintext equivalent.
• Ciphertext Expansion: Encrypted data is vastly larger than plaintext. A 768-dimensional float32 query embedding (3 KB) can balloon to megabytes when encrypted, increasing network bandwidth needs between client and edge server.
• Specialized Operations: Efficient implementation often requires number-theoretic transform (NTT) accelerators or GPU support, which may not be available on all edge devices. This makes algorithmic choices (e.g., using additive-only HE like Paillier for simpler scoring) crucial for feasibility.

Consider a smart hospital where bedside IoT devices need to query a private medical guideline database hosted on a local edge server. A nurse asks a device, "What is the protocol for a patient presenting with chest pain and history of diabetes?"

1. The device's local SLM converts the query to an embedding.
2. The embedding is encrypted using an HE scheme on the device.
3. The encrypted embedding is sent to the hospital's edge server, which holds an encrypted index of medical guidelines.
4. The server performs a homomorphic similarity search, comparing the encrypted query to document vectors, without decrypting the sensitive patient context.
5. The server returns the IDs of the top-k most relevant, encrypted guideline snippets.
6. The device decrypts the IDs and retrieves the corresponding plaintext guidelines from a local, trusted cache. This ensures patient data never leaves the device in plaintext and the edge server cannot learn the clinical query.

HE for queries is one tool in the privacy-preserving ML toolkit, each with different trade-offs:

• vs. Differential Privacy (DP): DP adds statistical noise to query results to prevent inferring individual data points. HE provides stronger cryptographic privacy (no information leakage) but with higher computational cost. DP is often applied to the retrieved results, while HE protects the query itself.
• vs. Secure Multi-Party Computation (SMPC): SMPC allows multiple parties to jointly compute a function over their private inputs. It can be more flexible but typically involves more rounds of communication. HE is often simpler for client-server retrieval models.
• vs. Trusted Execution Environments (TEEs): TEEs (e.g., Intel SGX) rely on hardware isolation to protect data during computation. HE provides a software-only, cryptographic guarantee that does not trust the hardware manufacturer or require specialized CPU features, making it more portable across heterogeneous edge devices.

Enables healthcare providers to search patient records for similar symptoms or conditions without exposing sensitive Protected Health Information (PHI). A homomorphically encrypted query embedding can be compared against an encrypted vector database of medical notes on a hospital's edge server. This allows for diagnostic support and cohort finding while maintaining strict HIPAA/GDPR compliance, as the data never exists in plaintext during processing.

Allows financial analysts at a bank to perform semantic search across encrypted internal reports, transaction summaries, and client communications to detect fraud patterns or market opportunities. The encrypted query process ensures that even system administrators or cloud providers hosting the edge analytics platform cannot access the raw financial data or the intent of the searches, protecting against insider threats and meeting SEC/FCA regulatory requirements for data handling.

Deploys a Retrieval-Augmented Generation assistant on corporate laptops or phones that can answer questions from a private knowledge base (e.g., engineering docs, HR policies). The user's query is encrypted on-device, and similarity search is performed homomorphically on a company server. The server returns the most relevant encrypted document chunks to the device for local decryption and LLM context building. This prevents the server from learning employee queries or accessing the knowledge base contents.

Enhances federated learning systems where edge devices (e.g., smartphones) collaboratively train a model. Homomorphic encryption allows a central coordinator to privately retrieve aggregated model updates or specific gradient information from encrypted indices contributed by devices. This enables more sophisticated, retrieval-augmented model averaging strategies without compromising the privacy of any individual device's update, strengthening defenses against reconstruction attacks.

Supports operatives in the field using ruggedized edge devices to query encrypted intelligence databases. A soldier could submit a homomorphically encrypted query about a location or object, and the system retrieves relevant, encrypted mission briefs or sensor histories from an on-vehicle server. The data is decrypted only on the secure, authenticated edge device, ensuring mission-critical data is never exposed, even if the hardware is captured or compromised.

Facilitates collaborative drug discovery between pharmaceutical companies or research institutes without sharing proprietary molecular data. Partners can each encrypt their proprietary compound or genomic sequence embeddings into a shared, encrypted index. Researchers can then submit homomorphically encrypted queries to find similar structures or patterns across the entire pool of encrypted intellectual property. This enables discovery while cryptographically enforcing data sovereignty agreements.

Binary embeddings are dense vector representations where each dimension is quantized to a binary value, typically -1/+1 or 0/1. This extreme form of quantization enables similarity search using ultra-fast bitwise operations like the Hamming distance (a popcount of XOR). For homomorphic encryption, operating on binary data can significantly reduce the computational complexity of encrypted arithmetic, as operations simplify to XOR and AND gates. Therefore, combining binary embeddings with HE schemes tailored for binary circuits (like TFHE) is a promising research direction for making private retrieval on edge devices more practical.

• Key Advantage: Drastically reduces storage footprint and accelerates plaintext or encrypted similarity search.
• Trade-off: Some loss in representational fidelity compared to full-precision floating-point embeddings.
• Synergy with HE: Simplifies the encrypted computation graph, potentially reducing latency and power consumption.