What happens when you hide embeddings but keep search working?

zahraarmantech — Tue, 26 May 2026 21:16:03 +0000

I spent the last few months building a system that does something counterintuitive: it takes semantic search embeddings, makes them completely unreadable, and somehow search still works at 98% quality.

Here’s what that looks like.

The problem nobody talks about

Every company using semantic search has a dirty secret: their vector database is a map of their entire document collection’s meaning.

Embeddings cluster by topic. If someone gets access to your vector database — a breach, an insider, a subpoena — they don’t need to read a single document. They can cluster the embeddings and immediately see: these 500 documents are about cancer patients, these 200 are about ongoing litigation, these 100 are salary records.

No decryption needed. The structure IS the leak.

Look at the left side. Same-color dots represent same-topic documents. They cluster together — an attacker immediately sees the structure. The right side is the same 50 documents after ZATRON processing. Random noise. No clusters. No structure.

But here’s the thing: search returns the exact same results on both sides.

What I built

ZATRON (Zero-Access Transformed Retrieval Over Noise) transforms embeddings into modular barcodes. The process:

Project the embedding onto 200 independent channels (PCA)
Quantize each channel to an integer (0–49)
Mask each value with a cryptographic salt unique to each document
Store only the modular residues (remainder after dividing by prime numbers)

The key insight: modular arithmetic preserves distance relationships but destroys the original values. Two similar documents produce similar modular distances. But the individual barcodes look like random numbers.

Without the key, you can’t unmask them. With the key, you can compare them. You never reconstruct the original embedding.

Does it actually work?

I tested on real data, not toy examples.

MSMARCO passage retrieval — 626,906 real documents:
The system preserves 98.2% of cosine search quality. Out of 500 queries, the encrypted system returns nearly identical rankings to unencrypted cosine search.

Three different embedding models:
MiniLM: 98.2%. MPNet: 99.2%. BGE: 86.6% (this model’s embedding distribution is less quantization-friendly — I report this honestly).

Five languages:
Arabic, Spanish, Korean, Chinese, English — all above 88%.

Comparison with existing methods:

Method	Quality	Encrypted?
Binary quantization	96.9%	No
Scalar int8	98.8%	No
Product quantization	97.9%	No
ZATRON	99.6%	Yes

Higher quality than every quantization method — and the only one that’s encrypted.

Can an attacker break it?

I ran eight independent attack vectors. All passed.

But the most convincing evidence is visual:

Left: raw embedding distances perfectly predict true document similarity (ρ = 1.00). An attacker with database access knows exactly which documents are related.

Right: ZATRON barcode distances show zero correlation with true similarity (ρ = 0.09). The attacker gets nothing.

What about FHE?

Fully homomorphic encryption (CKKS) can do encrypted search too. But on the same hardware (Google Colab, T4 GPU), CKKS takes 38.9ms per comparison. ZATRON takes 5ms. That’s 8x faster, using only integer arithmetic, no GPU needed.

Both are computationally secure — CKKS under Ring-LWE, ZATRON under PRF (HMAC-SHA256). Different assumptions, both standard.

What this is NOT

I want to be precise about what ZATRON is and isn’t:

It is NOT classical encryption like AES. You can’t “decrypt” a barcode back to an embedding.
It IS a randomized privacy-preserving encoding. Barcodes are computationally indistinguishable from random without the key.
A key holder who computes many pairwise distances CAN partially recover embedding geometry (ρ = 0.63, mitigated to 0.35 with log transform). This is inherent to any distance-preserving scheme, including FHE.

I state these limitations explicitly because overselling helps nobody.

Try it yourself

Live demo (no install needed):
https://huggingface.co/spaces/zahraarman/ZATRON

Code and paper:
https://github.com/zahraarmantech/ZATRON

Run locally:

pip install sentence-transformers scikit-learn matplotlib
python demo.py

Who needs this?

Any organization that searches sensitive documents: hospitals (patient records), law firms (case files), financial institutions (client data), defense (classified documents).

The EU AI Act and GDPR are making embedding privacy a compliance issue, not just a nice-to-have.

What’s next

The system works. The patent is filed. I’m looking for technical feedback, especially from people building vector search infrastructure.

If you work on vector databases, privacy-preserving ML, or searchable encryption — I’d genuinely appreciate your thoughts. What did I miss? What would break it? What would make it useful?

Zahra Arman — Independent Researcher, Plano TX
US Provisional Patent Pending

DEV Community: zahraarmantech

What happens when you hide embeddings but keep search working?

The problem nobody talks about

What I built

Does it actually work?

Can an attacker break it?

What about FHE?

What this is NOT

Try it yourself

Who needs this?

What’s next