Impact on Search Accuracy
Cloaked AI by design has an impact on the relevance of results returned in response to nearest neighbor searches on vectors that have been encrypted. The algorithm used by Cloaked AI to encrypt the vectors has a configurable approximation factor that adjusts how much each vector is modified by the encryption process. Higher approximation factors will reduce the relevance of some vectors returned by a search, but will make it more difficult to attempt to correlate encrypted vectors with unencrypted values.
We have run a number of benchmark tests to gauge the effect of encryption on search result relevance, using different datasets, different embedding models, and a range of approximation factors to measure the impact on searches. We used the BEIR benchmark framework to do the evaluation.
The test datasets included nfccorpus, scifact, scidocs, and quora. The embedding models included paraphrase-MiniLM-L3-v2, gte-base, msmarco-distilbert-base-tas-b, all-MiniLM-L6-v2, and all-mpnet-base-v1. All searches were done using the HNSWFaissSearch algorithm.
Several different runs were done, randomly selecting elements of the test dataset and retrieving the top 1, 3, 5, 10, 100, and 1000 nearest neighbors, measuring the percent performance decrease for four different relevance metrics, and averaging the results.
The relevance measures we computed were NDCG (Normalized Discounted Cumulative Gain), MAP (Mean Average Precision), Recall, and Precision. We ran experiments with approximation factors of 1, 1.5, and 2. Example precision loss values for different models and datasets when an approximation factor of 1.5 is used can be seen in the table below.
In general, the larger the approximation factor, the larger the loss in precision, but actual values depend a lot on the specific model in use. For example, the
gte-base embedding model proved to have high precision loss of -19% with the nfcorpus and an approximation factor of 1.5, but this model is an outlier. Precision loss at this approximation factor across our runs averaged to -4.9%.
In summary, using Cloaked AI will have some impact on the relevancy of results, even though it is often minor and generally not noticeable by users. Exact results vary based on the embedding model, dataset, approximation factor, and use cases.
The tradeoffs between accuracy and security can be balanced using different values for the approximation factor. The higher the factor, the harder it is for an inversion attack to succeed even if an attack model can be trained on known associations between source text and encrypted vectors.
If you would like to reproduce these experiments, expand on them, or evaluate your own embedding model and data, contact us and we can help.
Was this page helpful?