Femur: A Flexible Framework for Fast and Secure Querying from Public Key-Value Store

📅 2025-03-07
🤖 AI Summary
Privacy-preserving query processing over public key-value databases requires a controllable trade-off between security and performance. To address this, we propose Distance-based Indistinguishability—a novel privacy model grounded in metric-space semantics—and design the first Private Information Retrieval (PIR) scheme supporting variable-range queries. Our system integrates learned indexes, distance-driven noise injection, and adaptive server-side retrieval. Theoretically guaranteed under rigorous cryptographic assumptions, our approach outperforms state-of-the-art (SOTA) methods under strong privacy constraints. When modestly relaxing privacy requirements, it achieves up to 163.9× higher throughput and substantially reduced bandwidth overhead—enabling deployment in resource-constrained environments.

📝 Abstract
With increasing demands for privacy, it becomes necessary to protect sensitive user query data when accessing public key-value databases. Existing Private Information Retrieval (PIR) schemes provide full security but suffer from poor scalability, limiting their applicability in large-scale deployment. We argue that in many real-world scenarios, a more practical solution should allow users to flexibly determine the privacy levels of their queries in a theoretically guided way, balancing security and performance based on specific needs. To formally provide provable guarantees, we introduce a novel concept of distance-based indistinguishability, which can help users comfortably relax their security requirements. We then design Femur, an efficient framework to securely query public key-value stores with flexible security and performance trade-offs. It uses a space-efficient learned index to convert query keys into storage locations, obfuscates these locations with extra noise provably derived by the distance-based indistinguishability theory, and sends the expanded range to the server. The server then adaptively utilizes the best scheme to retrieve data. We also propose a novel variable-range PIR scheme optimized for bandwidth-constrained environments. Experiments show that Femur outperforms the state-of-the-art designs even when ensuring the same full security level. When users are willing to relax their privacy requirements, Femur can further improve the performance gains to up to 163.9X, demonstrating an effective trade-off between security and performance.

Problem

Research questions and friction points this paper is trying to address.

Protecting sensitive user query data in public key-value stores.
Balancing security and performance with flexible privacy levels.
Improving scalability and efficiency in private information retrieval.

Innovation

Methods, ideas, or system contributions that make the work stand out.

Distance-based indistinguishability for flexible security
Space-efficient learned index for query conversion
Variable-range PIR optimized for bandwidth constraints