An End-to-End Encrypted Control Pipeline for Multi-Agent Coordination via CKKS Homomorphic Encryption
Pith reviewed 2026-06-27 21:11 UTC · model grok-4.3
The pith
Multi-agent formation control runs entirely on encrypted data and stays stable with tracking error bounded by bootstrapping precision and spectral radius.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors present a pipeline that performs all stages of multi-agent coordination on CKKS-encrypted data and prove that the closed-loop system remains stable with a bounded steady-state tracking error. The error ball is obtained by decoupling controller and observer dynamics under the separation principle and modeling each bootstrapping step as an impulsive disturbance; the resulting expression depends only on the bootstrapping precision and the spectral radius of the closed-loop matrix, directly relating encryption parameters to achievable accuracy.
What carries the argument
The periodic bootstrapping bound, obtained by treating CKKS bootstrapping as impulsive disturbances and applying the separation principle to decouple error dynamics, which produces the explicit steady-state error ball.
If this is right
- The closed-loop system maintains stability and bounded tracking error under encryption in the formation control scenario.
- The steady-state error ball supplies a direct design equation that lets engineers set bootstrapping precision to meet a target accuracy.
- The diagonal Laplacian method unifies handling of ring, torus, and complete-graph communication topologies at cost linear in the number of nonzero diagonals.
- Steady-state Kalman gains allow the entire pipeline to avoid solving matrix equations online while operating on encrypted data.
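The diagonal method named in the bullets above, as an added plaintext sketch (not the paper's code): the Laplacian-vector product is written as a sum over nonzero cyclic diagonals, each multiplied slot-wise with a rotated copy of the state vector, so only addition, multiplication and cyclic rotation appear. The function names, the left-rotation convention and the sample state vector are assumptions made for this illustration.

```python
# Plain lists stand in for ciphertext slots; no encryption is performed here.
def rotate(v, k):
    """Cyclic left rotation by k slots (stand-in for the homomorphic rotation)."""
    k %= len(v)
    return v[k:] + v[:k]

def cyclic_diagonals(M, tol=1e-12):
    """Return {k: d_k} with d_k[i] = M[i][(i+k) % n], nonzero diagonals only."""
    n = len(M)
    diags = {}
    for k in range(n):
        d = [M[i][(i + k) % n] for i in range(n)]
        if any(abs(x) > tol for x in d):
            diags[k] = d
    return diags

def apply_diagonal(diags, x):
    """Compute M @ x as sum_k d_k * rot(x, k); returns (result, rotations used)."""
    y = [0.0] * len(x)
    rotations = 0
    for k, d in diags.items():
        xr = x
        if k:                      # diagonal 0 needs no rotation
            xr = rotate(x, k)
            rotations += 1
        y = [yi + di * xi for yi, di, xi in zip(y, d, xr)]
    return y, rotations

def ring_laplacian(n):
    """Laplacian of the n-cycle: degree 2, neighbours i-1 and i+1 (mod n)."""
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        L[i][i] = 2.0
        L[i][(i + 1) % n] -= 1.0
        L[i][(i - 1) % n] -= 1.0
    return L

def complete_laplacian(n):
    """Laplacian of the complete graph K_n: (n-1) on the diagonal, -1 elsewhere."""
    return [[(n - 1.0) if i == j else -1.0 for j in range(n)] for i in range(n)]

def matvec(M, x):
    """Dense reference product used to check the diagonal method."""
    return [sum(mij * xj for mij, xj in zip(row, x)) for row in M]

if __name__ == "__main__":
    x = [1.0, 4.0, -2.0, 0.5, 3.0, 7.0]   # constructed agent states
    for name, L in (("ring", ring_laplacian(6)), ("complete", complete_laplacian(6))):
        print(name, apply_diagonal(cyclic_diagonals(L), x))
```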
Where Pith is reading between the lines
- The same error-bound approach could be tested on other distributed tasks such as rendezvous or coverage control to check whether the spectral-radius dependence remains predictive.
- Reducing bootstrapping frequency in proportion to the spectral radius might lower total computation while preserving the error guarantee.
- The pipeline's reliance on fixed gains suggests it could be combined with event-triggered communication to further reduce encrypted arithmetic cost.
Load-bearing premise
The separation principle continues to decouple controller and observer dynamics when the system is driven by the impulsive disturbances introduced by periodic CKKS bootstrapping.
What would settle it
Run the reported multi-agent formation control experiment; if the observed tracking error grows without bound or exceeds the predicted steady-state ball for the chosen bootstrapping precision and spectral radius, the bound and stability claim are falsified.
Original abstract
Cloud-based coordination of multi-agent systems requires sharing state with a central server, creating a conflict between coordination and privacy. Fully homomorphic encryption (FHE) resolves this in principle, but its severe arithmetic constraints demand that every stage of the control loop be redesigned from first principles. We present an end-to-end encrypted control pipeline in which sensing, state estimation, state propagation, and consensus control all operate on CKKS-encrypted data using only addition, multiplication, and cyclic rotation. In order to overcome the computational challenges of FHE, we employ steady-state Kalman gains instead of solving for the matrices online and graph Laplacians are applied via the diagonal method at a cost proportional to the number of nonzero cyclic diagonals, accommodating ring, torus, and complete-graph topologies within a unified framework. To quantify the cumulative effect of encryption noise, we use the separation principle to decouple controller and observer error dynamics and derive a periodic bootstrapping bound in which CKKS bootstrapping acts as an impulsive disturbance; the resulting steady-state error ball depends on the bootstrapping precision and the closed-loop spectral radius, providing a direct design equation for the privacy-accuracy tradeoff. The pipeline is validated on a multi-agent formation control scenario, confirming stable closed-loop operation under encryption with bounded tracking error.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents an end-to-end encrypted control pipeline for multi-agent coordination using CKKS homomorphic encryption. Sensing, state estimation, propagation, and consensus control are redesigned to operate solely on encrypted data via addition, multiplication, and cyclic rotation. Steady-state Kalman gains replace online Riccati solutions, and graph Laplacians are implemented via the diagonal method at cost proportional to nonzero cyclic diagonals. The separation principle is invoked to decouple controller and observer dynamics under periodic CKKS bootstrapping (treated as impulsive disturbances), yielding a steady-state error ball that depends only on bootstrapping precision and closed-loop spectral radius. The pipeline is validated on a multi-agent formation-control scenario demonstrating stable closed-loop behavior with bounded tracking error.
Significance. If the central derivation holds, the work supplies a concrete, computable design equation linking encryption parameters to closed-loop accuracy for privacy-preserving multi-agent control. The choice of steady-state gains and the unified diagonal-Laplacian treatment for ring/torus/complete graphs are practical strengths that address FHE arithmetic constraints directly.
major comments (1)
- [Abstract] Abstract (and the derivation of the periodic bootstrapping bound): the claim that the separation principle continues to produce a block-diagonal error dynamics structure when CKKS bootstrapping injects periodic impulsive disturbances is load-bearing for the stated error-ball formula. The manuscript must exhibit the explicit augmented state-space model (or the corresponding Lyapunov or spectral-radius argument) showing that the impulses do not introduce cross terms between controller and observer errors; without this step the design equation for the privacy-accuracy tradeoff rests on an unverified assumption.
minor comments (2)
- The abstract refers to 'the diagonal method' for Laplacian application; the main text should supply the precise algorithmic definition and complexity count (number of nonzero cyclic diagonals) with a short pseudocode or matrix illustration.
- Clarify whether the steady-state Kalman gains are computed in the clear and then encrypted once, or whether any encrypted Riccati iteration is performed; the former is implied but should be stated explicitly.
Simulated Author's Rebuttal
We thank the referee for the careful reading and for identifying the need for an explicit verification of the separation principle under periodic bootstrapping. We address the concern below.
Referee: [Abstract] Abstract (and the derivation of the periodic bootstrapping bound): the claim that the separation principle continues to produce a block-diagonal error dynamics structure when CKKS bootstrapping injects periodic impulsive disturbances is load-bearing for the stated error-ball formula. The manuscript must exhibit the explicit augmented state-space model (or the corresponding Lyapunov or spectral-radius argument) showing that the impulses do not introduce cross terms between controller and observer errors; without this step the design equation for the privacy-accuracy tradeoff rests on an unverified assumption.
Authors: We agree that the manuscript would benefit from an explicit augmented state-space representation to confirm that the periodic bootstrapping impulses preserve the block-diagonal structure of the error dynamics. In the revised version we will add the augmented closed-loop model (observer error, controller error, and the periodic impulse terms) and show that the cross-coupling blocks remain zero because the bootstrapping operation is applied separately to the encrypted state estimate and the encrypted control input; the resulting Lyapunov or spectral-radius argument for the steady-state error ball will then follow directly from the decoupled subsystems.
revision: yes
Circularity Check
No circularity: derivation applies standard separation principle to independent quantities
The paper's central derivation applies the separation principle (a standard control-theoretic result) to decouple controller and observer dynamics when treating CKKS bootstrapping as an impulsive disturbance, yielding a steady-state error ball expressed in terms of bootstrapping precision and closed-loop spectral radius. These quantities are treated as external inputs rather than being defined in terms of the final bound itself. No self-definitional steps, fitted inputs renamed as predictions, or load-bearing self-citations appear in the provided derivation chain. The result is therefore self-contained against external benchmarks and does not reduce to its inputs by construction.
Axiom & Free-Parameter Ledger
free parameters (2)
- bootstrapping precision
- steady-state Kalman gains
axioms (2)
- domain assumption: Separation principle holds for error dynamics under CKKS bootstrapping noise
- domain assumption: Graph Laplacians admit a cyclic-diagonal representation for ring, torus, and complete graphs