# I trained a neural network to break my own encrypted search. It learned nothing. > Source: > Published: 2026-06-11 23:27:29+00:00 A few months ago I built a way to search documents by meaning while keeping the embeddings hidden — even from the server doing the search. I called it ZATRON. The obvious question everyone (including me) kept asking was: *does it actually hide anything, or does it just look scrambled?* Scrambled-looking isn't the same as secure. So instead of trusting a correlation number, I did the thing that actually scares me: I trained a neural network to break it. This post is the honest write-up — including the part where I tried hard to make the attack win. Standard semantic search stores embeddings as plain vectors. Anyone with database access can cluster them by topic and infer content without reading a word. ZATRON transforms each embedding into a **modular barcode**: project onto PCA channels, quantize, add a per-document keyed mask, and keep only residues modulo a set of primes. You compare barcodes in modular space; the original embedding is never reconstructed. Retrieval still works — 98% of cosine quality on 626K MSMARCO passages. The question is whether the barcodes leak. My first security check was a Spearman correlation between barcode distance and true similarity. It came out near zero (ρ ≈ 0.05). Good — but a low *linear* correlation only rules out a *simple* attacker. A neural network doesn't need linearity. It can learn whatever structure is there. So the real test: give a neural network every advantage and see if it can recover similarity from the barcodes. I used a **known-plaintext** attacker — the strongest realistic setting: And the part that makes the result trustworthy: I ran the **identical attack on the unprotected quantized signals** as a control. If the attack can't break those, the attack is too weak and the test means nothing. On 50,000 MSMARCO passages, 100,000 labeled pairs: | Input the attacker sees | Linear probe | MLP (3-layer) | |---|---|---| | Unprotected signals (control) | ρ = 0.79, AUC = 0.985 | ρ = 0.90, AUC = 0.999 | | ZATRON barcodes | ρ = 0.00, AUC = 0.498 | ρ = 0.00, AUC = 0.505 | The same network that recovers similarity from unprotected signals *almost perfectly* (AUC 0.999) gets **exactly chance level** on the barcodes — with 80,000 labeled pairs to learn from. AUC 0.50 is a coin flip. It learned nothing. "8x faster than FHE" is a weak flex — everyone knows FHE is slow. The fairer comparison is **ASPE** (Wong et al., SIGMOD 2009), the classic encrypted-kNN scheme. ASPE preserves scalar products exactly, so retrieval is perfect — but that same property means any observer can read similarities straight off the ciphertexts. | ASPE (SIGMOD '09) | ZATRON | | |---|---|---| | Retrieval recall@10 (strict) | 100% | 81% | | Observer reads similarity directly | ρ = +0.87 | ρ = −0.06 | | Learned attack (MLP) | ρ = +0.91, AUC = 0.99 | ρ = +0.01, AUC = 0.52 | ASPE buys perfect recall with total leakage. ZATRON gives up a margin on the strictest retrieval metric and leaks nothing — to a direct observer *or* a trained network. Honesty is the whole point, so the limits: Everything is reproducible: ``` pip install zatron ``` The attack and the ASPE comparison are in the repo as runnable scripts (`benchmarks/` ). If you can make the neural attack win — train it longer, give it more pairs, better features — I genuinely want to see it. Finding the weakness is the point. I'd rather have someone break this now than after I've claimed too much.