English

Zero2Text: Zero-Training Cross-Domain Inversion Attacks on Textual Embeddings

Computation and Language 2026-02-04 v2 Machine Learning

Abstract

The proliferation of retrieval-augmented generation (RAG) has established vector databases as critical infrastructure, yet they introduce severe privacy risks via embedding inversion attacks. Existing paradigms face a fundamental trade-off: optimization-based methods require computationally prohibitive queries, while alignment-based approaches hinge on the unrealistic assumption of accessible in-domain training data. These constraints render them ineffective in strict black-box and cross-domain settings. To dismantle these barriers, we introduce Zero2Text, a novel training-free framework based on recursive online alignment. Unlike methods relying on static datasets, Zero2Text synergizes LLM priors with a dynamic ridge regression mechanism to iteratively align generation to the target embedding on-the-fly. We further demonstrate that standard defenses, such as differential privacy, fail to effectively mitigate this adaptive threat. Extensive experiments across diverse benchmarks validate Zero2Text; notably, on MS MARCO against the OpenAI victim model, it achieves 1.8x higher ROUGE-L and 6.4x higher BLEU-2 scores compared to baselines, recovering sentences from unknown domains without a single leaked data pair.

Keywords

Cite

@article{arxiv.2602.01757,
  title  = {Zero2Text: Zero-Training Cross-Domain Inversion Attacks on Textual Embeddings},
  author = {Doohyun Kim and Donghwa Kang and Kyungjae Lee and Hyeongboo Baek and Brent Byunghoon Kang},
  journal= {arXiv preprint arXiv:2602.01757},
  year   = {2026}
}

Comments

10 pages

R2 v1 2026-07-01T09:31:10.471Z