Homomorphic Linear Transformation (HLT)

Updated 24 December 2025

Homomorphic Linear Transformation is a technique that applies explicit linear maps to encrypted or encoded data, preserving privacy even during computation.
It enables secure matrix multiplication, federated learning, and time-delayed computations by operating directly on encrypted or secret-shared data.
The method leverages encrypted rotations, masked matrix operations, and optimized pipelining to achieve high performance while maintaining rigorous security guarantees.

A Homomorphic Linear Transformation (HLT) is a cryptographic or computational primitive that realizes a linear map $U: R^n \rightarrow R^m$ on data which remains encoded, encrypted, or otherwise algebraically unavailable. Unlike mere linear homomorphism in group or ring theory, the defining property of HLT in cryptography and computation is the ability to apply an explicit linear transformation to protected data—be it fully homomorphic ciphertexts, time-lock puzzles, or secret-shared states—such that the final outcome, upon decryption or recovery, matches $U(x)$ for the underlying plaintext $x$ without ever exposing $x$ or intermediate results. HLT instantiates a central subroutine for secure matrix multiplication, private aggregation, time-locked computation, structured cryptosystems, and unlabeled or robust signal recovery. Its practical realizations extend from advanced homomorphic encryption schemes and verifiable time-lock frameworks to public-key cryptosystems that encode secrecy within underdetermined systems and secret matrix actions.

1. Algebraic and Cryptographic Definition

An HLT in the homomorphic encryption sense is any operation which, for an input encoding (or ciphertext) $[m]$ encrypting slot vector $m \in R^n$ , outputs another encoding $[m']$ such that, for a fixed publicly known $U: R^n \rightarrow R^m$ , $\mathrm{Dec}([m']) = U(\mathrm{Dec}([m]))$ and all intermediate states remain cryptographically indistinguishable to adversaries. The exact mechanism depends on the cryptosystem or protocol class:

In RLWE/CKKS and lattice FHE: $[m]$ is a ciphertext in (typically) residue-number-system (RNS) representation; HLT is implemented via slot rotations (automorphisms), coefficient-wise scalar products, and structured packing/unpacking to compose the overall linear map (Xu et al., 17 Dec 2025, Bae et al., 20 Mar 2025).
In additive schemes / federated learning: HLT is realized by exploiting the native additive and scalar-multiplicative homomorphism of schemes like BFV or DTAHE, with threshold decryption to aggregate inputs (Tian et al., 2021).
In time-lock puzzle constructions: HLT enables computing (and later revealing, after a cryptographic delay) arbitrary linear combinations of time-sealed secrets by puzzle-level homomorphic algebra realized through blinded polynomial representations and secure commodity like $\mathsf{OLE}^+$ (Abadi, 2024, Abadi, 2024).
In public-key primitives: HLT may take the form of secret matrix transformations as secret-shared substitutions in underdetermined linear systems, providing security by combinatorial explosion and one-way actions (Khalimov et al., 6 Jul 2025).

2. Mathematical Formulation and Algorithmic Realizations

Central to nearly all concrete HLTs is the reduction of $U$ into a minimal set of algebraically homomorphic primitives afforded by the system.

CKKS/FHE HLT: For sparse-diagnonal matrices $U$ , with $d$ nonzero diagonals at offsets $z_0,\ldots,z_{d-1}$ , the linear action is

$U m = \sum_{t=0}^{d-1} \mathrm{Diag}(u_{z_t})\, \mathrm{Rot}(m, z_t)$

Realized at the ciphertext level as:

$[m'] \gets \mathrm{Rescale} \left( \sum_{t=0}^{d-1} \mathrm{CMult} \big( \mathrm{Rot}([m]; z_t),\, u_{z_t} \big) \right)$

where $\mathrm{CMult}$ denotes ciphertext-plaintext multiplication, and $\mathrm{Rot}$ is a slot-automorphism realized via KeySwitch and Automorphisms (Xu et al., 17 Dec 2025).

Homomorphic Linear Aggregation: For additive schemes, suppose $[m_i]$ encodes individual user data, the server computes

$[c] = \sum_{i=1}^n \alpha_i [m_i] = [\sum_{i=1}^n \alpha_i m_i]$

which remains encrypted until threshold decryption, or in time-lock schemes, until a predetermined computational delay (Tian et al., 2021, Abadi, 2024).

Time-lock polynomial HLTs: Inputs $m_1,\dots,m_n$ represented as degree-1 polynomials over $\mathbb{F}_p$ are combined with public coefficients $q_1,\dots,q_n$ to form a linear-combination puzzle, which encodes $\sum_i q_i m_i$ , with correctness and verifiability ensured via committed roots and polynomial interpolation (Abadi, 2024, Abadi, 2024).
Systems based on secret matrix actions: The HLT is a blockwise application of a secret matrix $S$ (over $\mathbb{F}_2$ or other small fields), yielding

$T(x) = Sx$

and embedded as the “missing” element in an underdetermined linear system $A y = u$ , with the mapping masked by public one-way substitutions and additional affine pads (Khalimov et al., 6 Jul 2025).

3. Architectures and Implementation Strategies

HLTs form the computational bottleneck in large-scale privacy-preserving linear algebra, especially secure matrix multiplication.

FPGA-Optimized CKKS HLT (Xu et al., 17 Dec 2025):
- Datapath Fusion: Hoisting of base conversion and modulus up/down steps outside rotation loops.
- Limb-Pipelined Processing: Each limb of the ciphertext polynomial is streamed through a fused 5-stage pipeline (NTT, Automorph, KeySwitch, Diag Multiply, iNTT) to minimize on-chip footprint and maximize temporal data reuse.
- On-chip Memory Model: Memory cost maintained at $O(1)$ ciphertext + $O(4)$ limbs (e.g., 29MB for $N=2^{16}$ , $Q$ large), versus $>250$ MB in baseline (non-fused) architectures. Strictly limited off-chip movement per HLT step.
BLAS-Reduction HLT (CPU) (Bae et al., 20 Mar 2025):
- Reduces the HLT to a small fixed set of plaintext matrix-matrix (or matrix-vector) multiplications (GEMM/GEMV) over a large modulus, using standard libraries, with all expensive homomorphic reshuffling, rotations, and rescalings relegated to $O(d^2)$ postprocessing, closing the performance gap to cleartext operations (factor $4$-$12$ for matrix-matrix multiply).
- Key advantage is the tight coupling between large, dense numerical instructions (high cache efficiency, SIMD vectorization) and comparatively lightweight post-homomorphic crypto steps.
Secure Linear Aggregation (Tian et al., 2021):
- Lattice-based DTAHE aggregation is realized as polynomial ring encryption with secret shares and hybrid encryption for partial decryption, orchestrating linear forms across user data in federated learning and enabling resiliency to user drop-out or collusion.
- Blockchain-based verification minimizes required interactive rounds and hardens security via public auditing.
Time-Lock HLTs (Abadi, 2024, Abadi, 2024):
- Homomorphic linear aggregation achieved through OLE $^+$ protocols, secret polynomial roots, blinded PRFs, and non-interactive commitments, ensuring efficient, verifiable puzzle combination with minimal computational and communication cost.

4. Applications and Performance

Table: HLT Applications Across Domains

Domain	HLT Role / Realization	Paper(s)
Secure Matrix Multiplication	Fused CKKS/FPGA, fast DP HLT subsystems	(Xu et al., 17 Dec 2025)
Private Linear Algebra	BLAS-style PP-MM, PC/CC/CP-MM kernel reductions	(Bae et al., 20 Mar 2025)
Federated Learning	Decentralized, threshold DTAHE aggregation	(Tian et al., 2021)
Timed Aggregation/E-voting	Verifiable homomorphic TLPs via polynomial HLT	(Abadi, 2024, Abadi, 2024)
Public-key Primitives	Under-determined F₂-linear secret matrix actions	(Khalimov et al., 6 Jul 2025)

The HLT bottleneck dominates runtime (≥95%) in large HE matrix multiplication (Xu et al., 17 Dec 2025), motivating fine-grained datapath engineering. FAME-L achieves an end-to-end speedup of $1,337\times$ over a 32-core Xeon (matrix size $160\times 160$ ) for HE-MM, indicating the crucial role of HLT design.

In BLAS-reduced FHE linear algebra, the overhead over cleartext is reduced to practical levels (4–12×) for $4\,k\times 4\,k$ matrices, opening practical deployments for private inference and similar workloads (Bae et al., 20 Mar 2025).

In decentralized secure aggregation, HLT approaches yield scalable, fault-tolerant, and privacy-preserving aggregation resilient to up to $n-t$ user drop-out, with per-user cost $O(n)$ and per-server evaluation $O(n d)$ for $d$ -degree polynomial rings (Tian et al., 2021).

Homomorphic TLPs deliver linear scalability in both the number of time-locked secrets and clients, with verification cost $O(n^2 + z)$ (for $n$ clients, $z$ puzzles), independent of any trusted third party (Abadi, 2024, Abadi, 2024).

5. Uniqueness, Security, and Robustness

Algebraic Uniqueness (Homomorphic Sensing) (Tsakiris et al., 2019): When seen as an information recovery primitive, HLT asks under what conditions a collection of linear transforms (projections, permutations, affine maps) on a linear subspace allows unique recovery of the input. The Tsakiris–Peng theory characterizes rank, codimension, and variety-intersection constraints under which unique or generic point recovery is guaranteed, encompassing problems such as shuffled linear regression and affine registration.
Security for DTAHE/Time-lock HLTs: Correctness is ensured as long as noise remains within prescribed bounds and no subset below the threshold controls the key. Security relies on the decisional-RLWE or sequential squaring assumption, combined with cryptographic hiding of secret keys and randomness. Public verifiability (especially in time-lock TLPs) is guaranteed via non-interactive polynomial verification, with failure probability negligible (Abadi, 2024, Abadi, 2024).
Public-key F₂-linear HLT (LINE) (Khalimov et al., 6 Jul 2025): The underdetermined linear system embedded with secret matrix transforms provides $2^{(k-l)m}$ -fold ambiguity, with one-wayness compounded by the difficulty of inverting a secret random $m\times m$ matrix from observed masked outputs.

6. Best Practices and Implementation Guidelines

Fused, fine-grained pipelines (CKKS/FAME): Maximize sub-op fusion, stream-limb processing, allocate scratchpad BRAM/URAM for only immediate operands, use a streaming permutation network (SPN) over conventional crossbars, and limit off-chip data to strictly necessary inputs/outputs (Xu et al., 17 Dec 2025).
BLAS kernel reduction: Precompute static matrix encryptions, batch GEMM/GEMV calls, monitor HE noise growth, and exploit hardware vectorization and multi-threading for all plaintext operations (Bae et al., 20 Mar 2025).
Aggregation and time-lock protocols: Employ threshold key management, Shamir secret-sharing, and non-interactive commitments for verifiability; batch OLE $^+$ calls for linear combinations; design protocols to remain robust to client drop-out and server misbehavior via on-chain verification or protocol incentives (Tian et al., 2021, Abadi, 2024).
Parameter selection: Choose the polynomial degree, modulus chain depth, and matrix dimensions to meet security and performance targets, balancing memory cost and throughput. In public-key schemes, set $(k-l)m \geq 128$ for NIST-level security (Khalimov et al., 6 Jul 2025).

7. Extensions, Open Problems, and Research Directions

Notable open directions include algebraic-geometric analyses for family-sized HLTs (infinite transformation groups), extension to nonlinear homomorphic transformations (beyond linear subspace intersections), noise robust uniqueness theory in sensing, and explicit, symbolic codimension computation for general HLT uniqueness conditions (Tsakiris et al., 2019). Further optimization of memory and communication overhead for very large-scale HLT operations, along with hardware acceleration and quantum security, remain active nontrivial challenges.

In sum, Homomorphic Linear Transformation spans a spectrum of algorithmic and theoretical primitives that are foundational for secure, privacy-preserving computation on encoded data—enabling scalable private matrix computation, verifiable delayed-release aggregation, and robust signal recovery in adversarial settings. State-of-the-art realizations in both hardware and software now permit HLTs at scale and with provable correctness and security (Xu et al., 17 Dec 2025, Bae et al., 20 Mar 2025, Tian et al., 2021, Abadi, 2024, Abadi, 2024, Khalimov et al., 6 Jul 2025, Tsakiris et al., 2019).