PRAG: End-to-End Privacy-Preserving Retrieval-Augmented Generation

TL;DR

PRAG is a novel system enabling privacy-preserving retrieval-augmented generation that maintains high retrieval quality and scalability while ensuring end-to-end confidentiality of data.

Contribution

PRAG introduces a dual-mode architecture with innovative techniques like OEE to achieve secure, scalable, and accurate RAG without compromising privacy.

Findings

PRAG achieves 72.45%-74.45% recall on large datasets.

PRAG maintains practical retrieval latency.

PRAG demonstrates resilience against graph reconstruction attacks.

Abstract

Retrieval-Augmented Generation (RAG) is essential for enhancing Large Language Models (LLMs) with external knowledge, but its reliance on cloud environments exposes sensitive data to privacy risks. Existing privacy-preserving solutions often sacrifice retrieval quality due to noise injection or only provide partial encryption. We propose PRAG, an end-to-end privacy-preserving RAG system that achieves end-to-end confidentiality for both documents and queries without sacrificing the scalability of cloud-hosted RAG. PRAG features a dual-mode architecture: a non-interactive PRAG-I utilizes homomorphic-friendly approximations for low-latency retrieval, while an interactive PRAG-II leverages client assistance to match the accuracy of non-private RAG. To ensure robust semantic ordering, we introduce Operation-Error Estimation (OEE), a mechanism that stabilizes ranking against homomorphic noise. Experiments on large-scale datasets demonstrate that PRAG achieves competitive recall (72.45%-74.45%), practical retrieval latency, and strong resilience against graph reconstruction attacks while maintaining end-to-end confidentiality. This work confirms the feasibility of secure, high-performance RAG at scale.