AgentCrypt: Advancing Privacy and (Secure) Computation in AI Agent Collaboration

As AI agents increasingly operate in complex environments, ensuring reliable, context-aware privacy is critical for regulatory compliance. Traditional access controls are insufficient because privacy risks often arise after access is granted; agents may inadvertently compromise privacy during reasoning by messaging humans, leaking context to peers, or executing unsafe tool calls. Existing approaches typically treat privacy as a binary constraint, overlooking nuanced, computation-dependent requirements. Furthermore, Large Language Model (LLM) agents are inherently probabilistic, lacking formal guarantees for security-critical operations. To address this, we introduce AgentCrypt, a three-tiered framework for secure agent communication that adds a deterministic protection layer atop any AI platform. AgentCrypt spans the full spectrum of privacy needs: from unrestricted data exchange (Level 1), to context-aware masking (Level 2), up to fully encrypted computation using Homomorphic Encryption (Level 3). Unlike prompt-based defenses, our approach guarantees that tagged data privacy is strictly preserved even when the underlying model errs. Security is decoupled from the agent’s probabilistic reasoning, ensuring sensitive data remains protected throughout the computational lifecycle. AgentCrypt enables collaborative computation on otherwise inaccessible data, overcoming barriers like data silos. We implemented and validated it using LangGraph and Google ADK, demonstrating versatility across architectures. Finally, we introduce a benchmark dataset simulating privacy-critical tasks to enable systematic evaluation and foster the development of trustworthy, regulatable machine learning systems.

💡 Research Summary

AgentCrypt addresses a critical gap in the security of AI‑driven multi‑agent systems: the inability of traditional access‑control mechanisms to protect privacy after data has been accessed. Modern agents, especially those powered by large language models (LLMs), can unintentionally leak sensitive information through downstream actions such as tool calls, memory writes, or the generation of derived functions. Because LLM reasoning is probabilistic, there is no guarantee that an agent will behave correctly for every query, making it unsuitable for high‑stakes security‑critical operations.

The paper proposes a three‑tiered framework that sits on top of any existing agent platform and deterministically enforces privacy regardless of the underlying model’s correctness. The tiers are:

• Level 1 – No Privacy: Plain‑text data exchange with no encryption or policy enforcement. This is only appropriate for public, non‑sensitive interactions.
• Level 2 – Policy‑Based Retrieval Privacy: Each data cell is tagged with a policy and an encryption key. When an agent retrieves data, a “Fetch & Encrypt” tool automatically encrypts the result under the cell’s policy. The receiving agent can decrypt only if it holds a matching decryption key, which is granted based on its role. The encryption step is independent of the agent’s reasoning, so even if the agent selects the wrong cell or behaves maliciously, the data remains encrypted and unreadable to unauthorized parties. The implementation uses Identity‑Based Encryption (IBE) following the Boneh‑Franklin construction.
• Level 3 – Policy‑Based Computation Privacy: Extends Level 2 by allowing agents to compute arbitrary functions over encrypted inputs using Fully Homomorphic Encryption (FHE). A deterministic “security wrapper” intercepts every function call, attaches an output policy derived as the intersection of all input policies, and enforces encryption of the result. Consequently, only principals authorized for all inputs can decrypt the output, preventing inference attacks that exploit conditional queries. The authors employ the OpenFHE library for FHE operations.

Key technical contributions include:

1. Deterministic Security Wrapper – A policy‑enforcement layer that operates independently of the LLM’s stochastic output. It guarantees that any function result is encrypted according to a formally defined policy, providing worst‑case privacy guarantees even when the agent’s logic is incorrect or adversarial.
2. Policy‑Intersection Output Rule – By default, the wrapper assigns the output the intersection of the input policies, ensuring that no party can infer information about a data item they are not authorized to see. The paper demonstrates how this rule thwarts classic conditional‑leak attacks (e.g., “return Alice’s salary if Charlie’s salary > 100 k, else return Bob’s salary”).
3. Platform‑Agnostic Implementation – AgentCrypt is realized on top of LangGraph and Google’s Agent Development Kit (ADK) using an Agent‑to‑Agent (A2A) protocol. The framework does not require changes to the underlying LLM or tool‑calling mechanisms; it merely wraps them with cryptographic primitives.
4. Benchmark Dataset – The authors construct a privacy‑annotated benchmark covering regulatory contexts such as GDPR, HIPAA, FCRA, FDIC, and sector‑specific rules (e.g., FERPA). Each scenario specifies required computations (sum, min, max, percentile, selection) over encrypted tables, enabling systematic evaluation of privacy preservation, task performance, and computational overhead across the three levels.
5. Empirical Evaluation – In Level 3 experiments, agents correctly selected the appropriate database rows and computation tools in > 85 % of the 200 synthetic scenarios. Crucially, privacy was preserved in 100 % of cases: no sensitive value was ever exposed in plaintext, even when the agent made a wrong selection. The paper also reports the runtime overhead of IBE (negligible) and FHE (significant, on the order of seconds to minutes per query), highlighting the trade‑off between strong privacy and performance.

The authors acknowledge limitations. Fully homomorphic encryption remains computationally intensive, which may hinder real‑time deployment in latency‑sensitive domains. Managing per‑cell policies and distributing corresponding decryption keys at scale introduces operational complexity. Nonetheless, the deterministic separation of privacy enforcement from probabilistic reasoning constitutes a novel security paradigm for AI agents.

In conclusion, AgentCrypt offers a rigorous, worst‑case privacy guarantee for multi‑agent AI systems by layering deterministic cryptographic controls over heuristic LLM reasoning. It enables agents to collaborate on sensitive data—such as payroll, medical records, or financial performance metrics—without violating regulatory constraints. Future work is suggested in optimizing FHE performance, automating policy generation and verification, and extending the framework to larger, real‑world multi‑agent deployments.