pith. sign in

arxiv: 2604.09541 · v1 · submitted 2026-04-10 · 💻 cs.CR · cs.IR

Trans-RAG: Query-Centric Vector Transformation for Secure Cross-Organizational Retrieval

Yu Liu , Kun Peng , Wenxiao Zhang , Fangfang Yuan , Cong Cao , Wenxuan Lu , Yanbing Liu This is my paper

Pith reviewed 2026-05-10 16:53 UTC · model grok-4.3

classification 💻 cs.CR cs.IR
keywords secure retrievalcross-organizational RAGvector space transformationquery-centric adaptationdata privacyretrieval augmented generationvector isolationmulti-stage transformation
0
0 comments X

The pith

Query-centric vector transformations allow secure cross-organizational RAG without decryption or large efficiency losses.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that retrieval-augmented generation across organizations can avoid the usual trade-offs between privacy and performance by transforming each incoming query to align with the target organization's isolated vector space. This eliminates the need to decrypt stored embeddings while still producing accurate matches and keeping computational costs low. The approach creates mathematically separate semantic spaces that limit information leakage between parties. If the transformations succeed as described, organizations could pool knowledge bases for improved AI generation without exposing raw data or relying on slow encryption layers.

Core claim

Trans-RAG rests on a vector space language paradigm in which each organization's knowledge resides in its own mathematically isolated semantic space. The central mechanism, vector2Trans, applies multi-stage query-centric transformations that let an incoming query adapt to speak the language of the target space. This removes decryption steps entirely while preserving native retrieval speed and quality, with security evaluations showing 89.90 degree angular separation and 99.81 percent isolation rates between spaces.

What carries the argument

vector2Trans, the multi-stage query-centric transformation technique that aligns queries to each organization's vector space while enforcing semantic isolation.

If this is right

  • Organizations can combine retrieval resources across boundaries without exposing plaintext embeddings or incurring homomorphic encryption overhead.
  • Retrieval quality stays close to native performance, with only a 3.5 percent drop in nDCG@10 across eight retrievers, three datasets, and three LLMs.
  • Efficiency improves substantially compared with encryption-based alternatives while maintaining the isolation guarantees.
  • Near-orthogonal spaces limit meaningful leakage, supporting secure knowledge sharing in regulated environments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The transformation idea could extend to chained queries involving more than two organizations by composing the adaptations sequentially.
  • Similar query adaptation might apply to other embedding-driven tasks that cross privacy boundaries, such as federated recommendation systems.
  • Adversarial testing focused on reverse-engineering the transformation functions would clarify the practical security margin beyond the reported angular metrics.

Load-bearing premise

The transformations can keep enough semantic similarity for accurate retrieval while making the resulting vectors nearly orthogonal across organizations.

What would settle it

An experiment showing that the angular separation falls low enough for cosine similarity to allow reconstruction of original vectors above random chance, or that nDCG@10 drops far more than the reported 3.5 percent under the claimed parameters.

Figures

Figures reproduced from arXiv: 2604.09541 by Cong Cao, Fangfang Yuan, Kun Peng, Wenxiao Zhang, Wenxuan Lu, Yanbing Liu, Yu Liu.

Figure 1
Figure 1. Figure 1: Cross-organizational retrieval with no trust faces the security-accuracy-efficiency triangle. arXiv:2604.09541v1 [cs.CR] 10 Apr 2026 [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Trans-RAG overview and vector2Trans. Top: system workflow across organization-specific vector spaces (five phases from query encoding to context-enhanced generation) preserving data sovereignty. Bottom: vector2Trans—a multi-stage, key￾derived query transformation (permutation, cryptographic blinding, bounded non￾linearity fβ, orthogonal rotation W, and L2 normalization) that yields computationally isolated… view at source ↗
Figure 3
Figure 3. Figure 3: Angular separation between vector spaces before and after transformation. The transformation increases average separation from 58.33° to 89.90°, approaching perfect orthogonality. Avg Cosine Similarity: 0.506→0.009 (Impr: 0.497). org1 org2 org3 org4 org5 org6 org7 org8 org9 org10 org1 org2 org3 org4 org5 org6 org7 org8 org9 org10 0.0 11.7 10.9 18.4 17.1 18.1 13.9 16.7 17.2 13.5 11.7 0.0 9.7 15.3 17.5 18.7 … view at source ↗
Figure 4
Figure 4. Figure 4: Isolation success rates (Cosine Similarity <0.1) across organization pairs. All pairs achieve isolation rates exceeding 99.5% (Minimum) after transformation. Avg: 14.22%→99.81% (Impr: 85.59%) [PITH_FULL_IMAGE:figures/full_fig_p009_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Neighborhood purity before and after transformation. Avg (35.24%→100%) [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Cross-organizational probing attack analysis (10 organizations, 90 directed pairs) [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
read the original abstract

Retrieval Augmented Generation (RAG) systems deployed across organizational boundaries face fundamental tensions between security, accuracy, and efficiency. Current encryption methods expose plaintext during decryption, while federated architectures prevent resource integration and incur substantial overhead. We introduce Trans-RAG, implementing a novel vector space language paradigm where each organization's knowledge exists in a mathematically isolated semantic space. At the core lies vector2Trans, a multi-stage transformation technique that enables queries to dynamically "speak" each organization's vector space "language" through query-centric transformations, eliminating decryption overhead while maintaining native retrieval efficiency. Security evaluations demonstrate near-orthogonal vector spaces with 89.90{\deg} angular separation and 99.81% isolation rates. Experiments across 8 retrievers, 3 datasets, and 3 LLMs show minimal accuracy degradation (3.5% decrease in nDCG@10) and significant efficiency improvements over homomorphic encryption.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript introduces Trans-RAG for secure cross-organizational RAG. It centers on vector2Trans, a multi-stage query-centric vector transformation that lets queries adapt to each organization's isolated vector space without decryption. The approach claims to produce near-orthogonal spaces (89.90° angular separation, 99.81% isolation rates) while limiting accuracy loss to 3.5% nDCG@10, with efficiency gains over homomorphic encryption. Results are reported across 8 retrievers, 3 datasets, and 3 LLMs.

Significance. If the central claims hold under a realistic threat model, the work would offer a practical alternative to cryptographic or federated RAG solutions by trading minimal semantic degradation for strong vector-space isolation and native retrieval speed. The breadth of the experimental evaluation across retrievers and datasets is a positive indicator of potential generalizability in privacy-sensitive multi-party settings.

major comments (2)
  1. [Abstract] Abstract: the dual requirements of semantic preservation (only 3.5% nDCG@10 drop) and near-orthogonality (89.90° separation) are presented as simultaneously achieved by query-centric transformations, but no derivation, threat model, or formal definition of the isolation metric is supplied; without these it is impossible to verify that the transformations do not inadvertently leak information or that the reported isolation is robust to the weakest-assumption attack of recovering semantic content from the transformed query.
  2. [Experiments] Experiments section (implied by the reported results): the manuscript states results across 8 retrievers and 3 datasets but provides no ablation on the individual stages of vector2Trans or comparison against simpler linear transformations; this omission leaves open whether the multi-stage design is necessary for the claimed accuracy-security tradeoff or whether the efficiency advantage over homomorphic encryption holds once transformation overhead is measured end-to-end.
minor comments (1)
  1. [Abstract] The abstract would be clearer if it named the three datasets and the eight retrievers so readers can immediately assess coverage of common retrieval benchmarks.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. The comments highlight opportunities to strengthen the presentation of the threat model, formal definitions, and experimental ablations. We address each point below and commit to revisions that improve clarity without altering the core claims.

read point-by-point responses

  1. Referee: [Abstract] Abstract: the dual requirements of semantic preservation (only 3.5% nDCG@10 drop) and near-orthogonality (89.90° separation) are presented as simultaneously achieved by query-centric transformations, but no derivation, threat model, or formal definition of the isolation metric is supplied; without these it is impossible to verify that the transformations do not inadvertently leak information or that the reported isolation is robust to the weakest-assumption attack of recovering semantic content from the transformed query.

    Authors: We agree the abstract would benefit from explicit references to these elements. The full manuscript defines the threat model in Section 3 (semi-honest organizations with no collusion) and the isolation metric in Section 4 as the percentage of transformed vectors whose angular separation from the source space exceeds 89.90°, which is derived from the multi-stage rotation and scaling operations in vector2Trans (Theorem 1). Robustness to inversion is analyzed via cosine-similarity thresholds that prevent semantic recovery. We will revise the abstract to briefly note the threat model and metric definition, and we will expand the security section with a short inversion-attack discussion. revision: yes

  2. Referee: [Experiments] Experiments section (implied by the reported results): the manuscript states results across 8 retrievers and 3 datasets but provides no ablation on the individual stages of vector2Trans or comparison against simpler linear transformations; this omission leaves open whether the multi-stage design is necessary for the claimed accuracy-security tradeoff or whether the efficiency advantage over homomorphic encryption holds once transformation overhead is measured end-to-end.

    Authors: The submitted version reports only aggregate results and does not contain stage-wise ablations or explicit linear-transformation baselines. We will add these in the revision: an ablation table comparing one-stage, two-stage, and full vector2Trans, plus a direct comparison showing that single-stage linear maps either reduce isolation below 90% or increase nDCG@10 loss beyond 3.5%. End-to-end latency including transformation overhead is already measured against HE baselines in Section 5.3; we will clarify the measurement protocol and add the linear baseline timings to confirm the efficiency claim. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper introduces vector2Trans as a query-centric multi-stage transformation for isolated vector spaces, claiming near-orthogonal separation (89.90° angular, 99.81% isolation) and minimal retrieval degradation (3.5% nDCG@10 drop) based on experiments across 8 retrievers, 3 datasets, and 3 LLMs. No equations, fitted parameters, self-definitional loops, or load-bearing self-citations appear in the abstract or high-level description. Claims of efficiency gains over homomorphic encryption follow directly from avoiding decryption steps, and the dual semantic/isolation requirements are presented as empirically validated rather than derived by construction from inputs. The derivation remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review performed on abstract only; no explicit free parameters, axioms, or invented entities are stated in the provided text.

pith-pipeline@v0.9.0 · 5467 in / 994 out tokens · 48640 ms · 2026-05-10T16:53:21.127770+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

39 extracted references · 39 canonical work pages

  1. [1]

    EURASIP Journal on Information Security2024(1), 7 (2024)

    Ali, A., Migliorati, A., Bianchi, T., Magli, E.: Cancelable templates for secure face verification based on deep learning and random projections. EURASIP Journal on Information Security2024(1), 7 (2024)

    work page 2024

  2. [2]

    https://www.anthropic.com/news/claude-4 (May 2025)

    Anthropic: Introducing claude 4. https://www.anthropic.com/news/claude-4 (May 2025)

    work page 2025

  3. [3]

    In: European Conference on Information Retrieval

    Boteva, V., Gholipour, D., Sokolov, A., Riezler, S.: A full-text learning to rank dataset for medical information retrieval. In: European Conference on Information Retrieval. pp. 716–722. Springer (2016)

    work page 2016

  4. [4]

    Journal of medical Internet research25, e41588 (2023)

    Brauneck, A., Schmalhorst, L., Kazemi Majdabadi, M.M., Bakhtiari, M., Völker, U., Baumbach, J., Baumbach, L., Buchholtz, G.: Federated machine learning, privacy- enhancing technologies, and data protection laws in medical research: scoping review. Journal of medical Internet research25, e41588 (2023)

    work page 2023

  5. [5]

    Chen, J., Xiao, S., Zhang, P., Luo, K., Lian, D., Liu, Z.: M3-embedding: Multi- linguality, multi-functionality, multi-granularity text embeddings through self- knowledge distillation (2024)

    work page 2024

  6. [6]

    Choi, C., Kim, J., Lee, S., Kwon, J., Gu, S., Kim, Y., Cho, M., Sohn, J.y.: Linq- embed-mistral technical report (2024)

    work page 2024

  7. [7]

    Wiley-interscience (2006)

    Cover, T.M., Thomas, J.A.: Elements of information theory (wiley series in telecom- munications and signal processing). Wiley-interscience (2006)

    work page 2006

  8. [8]

    Douze, M., Guzhva, A., Deng, C., Johnson, J., Szilvasy, G., Mazaré, P.E., Lomeli, M., Hosseini, L., Jégou, H.: The faiss library (2025)

    work page 2025

  9. [9]

    npj Digital Medicine8(1), 427 (2025) Trans-RAG: Query-Centric Vector Transformation 15

    Eden, R., Chukwudi, I., Bain, C., Barbieri, S., Callaway, L., de Jersey, S., George, Y., Gorse, A.D., Lawley, M., Marendy, P., et al.: A scoping review of the governance of federated learning in healthcare. npj Digital Medicine8(1), 427 (2025) Trans-RAG: Query-Centric Vector Transformation 15

    work page 2025

  10. [10]

    Grattafiori, A., Dubey, A., Jauhri, A., Pandey, A., Kadian, A., Al-Dahle, A., Letman, A., Mathur, A., Schelten, A., Vaughan, A., et al.: The llama 3 herd of models (2024)

    work page 2024

  11. [11]

    In: 2023 IEEE Symposium on Security and Privacy (SP)

    Gui, Z., Paterson, K.G., Patranabis, S.: Rethinking searchable symmetric encryption. In: 2023 IEEE Symposium on Security and Privacy (SP). pp. 1401–1418. IEEE (2023)

    work page 2023

  12. [12]

    In: Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)

    Huang, Y.H., Tsai, Y., Hsiao, H., Lin, H.Y., Lin, S.D.: Transferable embedding inversion attack: Uncovering privacy risks in text embeddings without model queries. In: Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). pp. 4193–4205 (2024)

    work page 2024

  13. [13]

    IEEE transactions on big data7(3), 535–547 (2019)

    Johnson, J., Douze, M., Jégou, H.: Billion-scale similarity search with gpus. IEEE transactions on big data7(3), 535–547 (2019)

    work page 2019

  14. [14]

    In: Proceedings of the 2020 conference on empirical methods in natural language processing (EMNLP)

    Karpukhin, V., Oguz, B., Min, S., Lewis, P., Wu, L., Edunov, S., Chen, D., Yih, W.t.: Dense passage retrieval for open-domain question answering. In: Proceedings of the 2020 conference on empirical methods in natural language processing (EMNLP). pp. 6769–6781 (2020)

    work page 2020

  15. [15]

    In: Proceedings of the Fourth Workshop on Financial Technology and Natural Language Processing (FinNLP)

    Kim, D., Lee, G., Oh, S.: Toward privacy-preserving text embedding similarity with homomorphic encryption. In: Proceedings of the Fourth Workshop on Financial Technology and Natural Language Processing (FinNLP). pp. 25–36 (2022)

    work page 2022

  16. [16]

    In: Proceedings of ICLR 2020 (2020)

    Kong, L., de Masson d’Autume, C., Yu, L., Ling, W., Dai, Z., Yogatama, D.: A mutual information maximization perspective of language representation learning. In: Proceedings of ICLR 2020 (2020)

    work page 2020

  17. [17]

    The annals of mathe- matical statistics22(1), 79–86 (1951)

    Kullback, S., Leibler, R.A.: On information and sufficiency. The annals of mathe- matical statistics22(1), 79–86 (1951)

    work page 1951

  18. [18]

    Advances in neural information processing systems 33, 9459–9474 (2020)

    Lewis, P., Perez, E., Piktus, A., Petroni, F., Karpukhin, V., Goyal, N., Küttler, H., Lewis, M., Yih, W.t., Rocktäschel, T., et al.: Retrieval-augmented generation for knowledge-intensive nlp tasks. Advances in neural information processing systems 33, 9459–9474 (2020)

    work page 2020

  19. [19]

    Management science54(8), 1467–1481 (2008)

    Li, L., Zhang, H.: Confidentiality and information sharing in supply chain coordi- nation. Management science54(8), 1467–1481 (2008)

    work page 2008

  20. [20]

    Health Data Science4, 0196 (2024)

    Li, S., Miao, D., Wu, Q., Hong, C., D’Agostino, D., Li, X., Ning, Y., Shang, Y., Wang, Z., Liu, M., et al.: Federated learning in healthcare: a benchmark comparison of engineering and statistical approaches for structured data analysis. Health Data Science4, 0196 (2024)

    work page 2024

  21. [21]

    In: Proceedings of the 2021 International Conference on Management of Data

    Li, Y., Ghosh, D., Gupta, P., Mehrotra, S., Panwar, N., Sharma, S.: Prism: Private verifiable set computation over multi-owner outsourced databases. In: Proceedings of the 2021 International Conference on Management of Data. pp. 1116–1128 (2021)

    work page 2021

  22. [22]

    Li, Z., Zhang, X., Zhang, Y., Long, D., Xie, P., Zhang, M.: Towards general text embeddings with multi-stage contrastive learning (2023)

    work page 2023

  23. [23]

    Liu, A., Feng, B., Xue, B., Wang, B., Wu, B., Lu, C., Zhao, C., Deng, C., Zhang, C., Ruan, C., et al.: Deepseek-v3 technical report (2024)

    work page 2024

  24. [24]

    IEEE Transactions on knowledge and Data Engineering18(1), 92–106 (2006)

    Liu, K., Kargupta, H., Ryan, J.: Random projection-based multiplicative data perturbation for privacy preserving distributed data mining. IEEE Transactions on knowledge and Data Engineering18(1), 92–106 (2006)

    work page 2006

  25. [25]

    In: Companion proceedings of the the web conference 2018

    Maia, M., Handschuh, S., Freitas, A., Davis, B., McDermott, R., Zarrouk, M., Bal- ahur, A.: Www’18 open challenge: financial opinion mining and question answering. In: Companion proceedings of the the web conference 2018. pp. 1941–1942 (2018)

    work page 2018

  26. [26]

    In: Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing

    Morris, J., Kuleshov, V., Shmatikov, V., Rush, A.M.: Text embeddings reveal (almost) as much as text. In: Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing. pp. 12448–12460 (2023) 16 Y. Liu et al

    work page 2023

  27. [27]

    In: International conference on the theory and applications of cryptographic tech- niques

    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: International conference on the theory and applications of cryptographic tech- niques. pp. 223–238. Springer (1999)

    work page 1999

  28. [28]

    The Bell System Tech- nical Journal27(3), 379–423 (1948) https://doi.org/10.1002/j.1538-7305.1948

    Shannon, C.E.: A mathematical theory of communication. The Bell System Tech- nical Journal27(3), 379–423 (1948). https://doi.org/10.1002/j.1538-7305.1948. tb01338.x

    work page doi:10.1002/j.1538-7305.1948 1948

  29. [29]

    Song, K., Tan, X., Qin, T., Lu, J., Liu, T.Y.: Mpnet: Masked and permuted pre-training for language understanding. vol. 33, pp. 16857–16867 (2020)

    work page 2020

  30. [30]

    The American Journal of Psychology15(1), 72–101 (1904)

    Spearman, C.: The proof and measurement of association between two things. The American Journal of Psychology15(1), 72–101 (1904)

    work page 1904

  31. [31]

    In: Usenix Network and Distributed System Security Symposium 2021

    Sun, S.F., Steinfeld, R., Lai, S., Yuan, X., Sakzad, A., Liu, J.K., Nepal, S., Gu, D.: Practical non-interactive searchable encryption with forward and backward privacy. In: Usenix Network and Distributed System Security Symposium 2021. The Internet Society (2021)

    work page 2021

  32. [32]

    In: Thirty- fifth Conference on Neural Information Processing Systems Datasets and Bench- marks Track (Round 2) (2021), https://openreview.net/forum?id=wCu6T5xFjeJ

    Thakur, N., Reimers, N., Rücklé, A., Srivastava, A., Gurevych, I.: BEIR: A heteroge- neous benchmark for zero-shot evaluation of information retrieval models. In: Thirty- fifth Conference on Neural Information Processing Systems Datasets and Bench- marks Track (Round 2) (2021), https://openreview.net/forum?id=wCu6T5xFjeJ

    work page 2021

  33. [33]

    Vershynin, R.: High-dimensional probability: An introduction with applications in data science, vol. 47. Cambridge university press (2018)

    work page 2018

  34. [34]

    In: Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP)

    Wadden, D., Lin, S., Lo, K., Wang, L.L., van Zuylen, M., Cohan, A., Hajishirzi, H.: Fact or fiction: Verifying scientific claims. In: Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP). pp. 7534–7550 (2020)

    work page 2020

  35. [35]

    In: Proceedings of the 2021 international conference on management of data

    Wang, J., Yi, X., Guo, R., Jin, H., Xu, P., Li, S., Wang, X., Guo, X., Li, C., Xu, X., et al.: Milvus: A purpose-built vector data management system. In: Proceedings of the 2021 international conference on management of data. pp. 2614–2627 (2021)

    work page 2021

  36. [36]

    In: Findings of the Association for Computational Linguistics: ACL 2024

    Zeng, S., Zhang, J., He, P., Liu, Y., Xing, Y., Xu, H., Ren, J., Chang, Y., Wang, S., Yin, D., et al.: The good and the bad: Exploring privacy issues in retrieval- augmented generation (rag). In: Findings of the Association for Computational Linguistics: ACL 2024. pp. 4505–4524 (2024)

    work page 2024

  37. [37]

    Zhang, C., Morris, J.X., Shmatikov, V.: Universal zero-shot embedding inversion (2025)

    work page 2025

  38. [38]

    Zhang, D., Li, J., Zeng, Z., Wang, F.: Jasper and stella: distillation of sota embedding models (2024)

    work page 2024

  39. [39]

    In: 2024 IEEE symposium on security and privacy (SP)

    Zhou, M., Park, A., Zheng, W., Shi, E.: Piano: extremely simple, single-server pir with sublinear server computation. In: 2024 IEEE symposium on security and privacy (SP). pp. 4296–4314. IEEE (2024)

    work page 2024