What happens when you hide embeddings but keep search working?
I spent the last few months building a system that does something counterintuitive: it takes semantic search embeddings, makes them completely unreadable, and somehow search still works at 98% quality.
Here’s what that looks like.
Every company using semantic search has a dirty secret: their vector database is a map of their entire document collection’s meaning.
Embeddings cluster by topic. If someone gets access to your vector database — a breach, an insider, a subpoena — they don’t need to read a single document. They can cluster the embeddings and immediately see: these 500 documents are about cancer patients, these 200 are about ongoing litigation, these 100 are salary records.
No decryption needed. The structure IS the leak.
Look at the left side. Same-color dots represent same-topic documents. They cluster together — an attacker immediately sees the structure. The right side is the same 50 documents after ZATRON processing. Random noise. No clusters. No structure.
But here’s the thing: search returns the exact same results on both sides.
ZATRON (Zero-Access Transformed Retrieval Over Noise) transforms embeddings into modular barcodes. The process:
The key insight: modular arithmetic preserves distance relationships but destroys the original values. Two similar documents produce similar modular distances. But the individual barcodes look like random numbers.
Without the key, you can’t unmask them. With the key, you can compare them. You never reconstruct the original embedding.
I tested on real data, not toy examples.
MSMARCO passage retrieval — 626,906 real documents:
The system preserves 98.2% of cosine search quality. Out of 500 queries, the encrypted system returns nearly identical rankings to unencrypted cosine search.
Three different embedding models:
MiniLM: 98.2%. MPNet: 99.2%. BGE: 86.6% (this model’s embedding distribution is less quantization-friendly — I report this honestly). Five languages:
Arabic, Spanish, Korean, Chinese, English — all above 88%.
Comparison with existing methods:
| Method | Quality | Encrypted? |
|---|---|---|
| Binary quantization | 96.9% | No |
| Scalar int8 | 98.8% | No |
| Product quantization | 97.9% | No |
| ZATRON | 99.6% | Yes |
Higher quality than every quantization method — and the only one that’s encrypted.
I ran eight independent attack vectors. All passed.
But the most convincing evidence is visual:
Left: raw embedding distances perfectly predict true document similarity (ρ = 1.00). An attacker with database access knows exactly which documents are related.
Right: ZATRON barcode distances show zero correlation with true similarity (ρ = 0.09). The attacker gets nothing.
Fully homomorphic encryption (CKKS) can do encrypted search too. But on the same hardware (Google Colab, T4 GPU), CKKS takes 38.9ms per comparison. ZATRON takes 5ms. That’s 8x faster, using only integer arithmetic, no GPU needed.
Both are computationally secure — CKKS under Ring-LWE, ZATRON under PRF (HMAC-SHA256). Different assumptions, both standard.
I want to be precise about what ZATRON is and isn’t:
I state these limitations explicitly because overselling helps nobody.
Any organization that searches sensitive documents: hospitals (patient records), law firms (case files), financial institutions (client data), defense (classified documents). The EU AI Act and GDPR are making embedding privacy a compliance issue, not just a nice-to-have.
The system works. The patent is filed. I’m looking for technical feedback, especially from people building vector search infrastructure.
If you work on vector databases, privacy-preserving ML, or searchable encryption — I’d genuinely appreciate your thoughts. What did I miss? What would break it? What would make it useful?