RemoteRAG: A Privacy-Preserving LLM Cloud RAG Service

TL;DR

RemoteRAG introduces a privacy-preserving cloud RAG service that protects user queries using $(n,\, ext{ extepsilon})$-DistanceDP, ensuring privacy, efficiency, and accuracy in large-scale document retrieval.

Contribution

It is the first to formally define privacy-preserving cloud RAG and proposes RemoteRAG, combining differential privacy with efficient retrieval and theoretical guarantees.

Findings

Resists embedding inversion attacks effectively.

Achieves fast retrieval with minimal data transmission.

Maintains retrieval accuracy under privacy constraints.

Abstract

Retrieval-augmented generation (RAG) improves the service quality of large language models by retrieving relevant documents from credible literature and integrating them into the context of the user query. Recently, the rise of the cloud RAG service has made it possible for users to query relevant documents conveniently. However, directly sending queries to the cloud brings potential privacy leakage. In this paper, we are the first to formally define the privacy-preserving cloud RAG service to protect the user query and propose RemoteRAG as a solution regarding privacy, efficiency, and accuracy. For privacy, we introduce $(n,\epsilon)$-DistanceDP to characterize privacy leakage of the user query and the leakage inferred from relevant documents. For efficiency, we limit the search range from the total documents to a small number of selected documents related to a perturbed embedding generated from $(n,\epsilon)$-DistanceDP, so that computation and communication costs required for privacy protection significantly decrease. For accuracy, we ensure that the small range includes target documents related to the user query with detailed theoretical analysis. Experimental results also demonstrate that RemoteRAG can resist existing embedding inversion attack methods while achieving no loss in retrieval under various settings. Moreover, RemoteRAG is efficient, incurring only $0.67$ seconds and $46.66$KB of data transmission ($2.72$ hours and $1.43$ GB with the non-optimized privacy-preserving scheme) when retrieving from a total of $10^6$ documents.