CFRIT: Confidential Encrypted Iterative Tuning

Updated 10 December 2025

CFRIT is a secure methodology unifying homomorphic encryption, quantization, and data-driven control for encrypted tuning in linear and nonlinear systems.
It uses encrypted least-squares gain computation and iterative filter updates to achieve robust performance while ensuring overflow-free precision.
Its applications include adaptive filtering and state-feedback control for cyber-physical systems, balancing accuracy, computational cost, and security.

Confidential Fictitious Reference Iterative Tuning (CFRIT) is a systematic methodology enabling secure, encrypted, and accurate data-driven controller and filter tuning in linear and nonlinear dynamical systems. CFRIT unifies homomorphic encryption, quantization theory, and data-driven control/estimation, supporting both encrypted gain computation for state-feedback controllers and the iterative self-tuning of filter statistics. Its development targets the confidentiality constraints native to cyber-physical systems (CPS), outsourced control-as-a-service (CaaS), and adaptive filtering, and provides precise guarantees on accuracy, robustness, and security when implemented with modern homomorphic encryption schemes such as ElGamal and CKKS (Hoshino et al., 30 Oct 2025, Park et al., 9 Dec 2025, Ananthasayanam et al., 2015).

1. Theoretical Underpinnings and Motivation

CFRIT is motivated by the need for confidential data-driven control and estimation in scenarios where plant data and controller/filter designs must remain hidden from untrusted computation service providers. The classical Fictitious Reference Iterative Tuning (FRIT) paradigm solves state-feedback gain tuning for linear plants of the form $x(t\!+\!1) = Ax(t) + Bu(t)$ using input/output data under exogenous “pseudo-references,” extracting sample matrices $E$ and $W$ , and forming the least-squares update $F^* = -E^\top W (W^\top W)^{-1}$ (Park et al., 9 Dec 2025).

CFRIT generalizes this approach by systematically replacing all real-valued arithmetic with operations over encrypted and quantized data. The design goal is to ensure that gain updates $F^*$ or filter statistics can be obtained encrypted, with analytical conditions ensuring both accuracy (loss due to quantization) and security (no overflow and strong cryptographic guarantees) (Park et al., 9 Dec 2025), while also adapting to nonlinear models and recursive filter tuning contexts (Ananthasayanam et al., 2015).

2. CFRIT in Encrypted Controller Tuning

In the encrypted data-driven tuning setting, CFRIT proceeds by mapping all real operations onto homomorphic manipulations in the encrypted domain. The workflow, as detailed in (Park et al., 9 Dec 2025) and (Hoshino et al., 30 Oct 2025), can be formalized as follows:

Quantization and Encoding: Each real scalar $x$ is mapped to an integer $y = \lceil G |x| \rceil \in \mathbb{Z}_q^+$ using a quantization gain $G$ , with an auxiliary sign bit $\zeta$ . This pair $(\zeta, y)$ is encoded in the plaintext group and then encrypted (e.g., via ElGamal for multiplicative homomorphism).
Homomorphic Computation: All matrix operations—most critically, the least-squares gain solution—are recast to use only multiplications and (where supported) additions of encrypted quantities. A key insight is expanding matrix inverses via cofactor or sum-of-products expansion:

$F^* = -E^\top W (W^\top W)^{-1}$

is rewritten such that each scalar term involved is a low-depth product of quantized variables, suitable for evaluation under homomorphism.

Overflow-Free Guarantees: The risk of “modular wrap-around” (integer overflow in the encrypted domain) is analyzed and controlled with an explicit bound. If the modulus $q = 2^\lambda$ and quantization gain $G$ satisfy

$q - \lceil G^{n+5} \left( \|E\|_\mathrm{max} \|W\|_\mathrm{max} / \mu \right) \rceil > 1/2$

where $\mu = \lambda_\mathrm{min}(W^\top W)$ , then overflow is precluded (Park et al., 9 Dec 2025).

Error Analysis: The scalar quantization error is bounded: if $x\in\mathbb{R}$ is quantized as $\breve{x}$ , then $|\breve{x} - x| \leq 1/G$ . The total deviation between the encrypted/computed gain $K_\mathrm{CFRIT}$ and the true gain $K_\mathrm{FRIT}$ is bounded as $| K_\mathrm{CFRIT} - K_\mathrm{FRIT} | \leq M n / G$ , with $M=(n-1)! n^2 N$ (Park et al., 9 Dec 2025).
Decryption and Decoding: The client, holding the decryption key, decrypts the homomorphic sum/products, rescales, and reconstructs the final real-valued controller or gain.

3. Encryption Protocols, Complexity, and Security Model

CFRIT supports a range of encryption schemes:

ElGamal (discrete logarithm, multiplicative homomorphism): Offers IND-CPA security under DL, not quantum-safe. Quantization sensitivity (e.g., $\gamma_e \sim 2^{-40}$ ) controls error. Typical modulus: $p$ of $3072$ bits, $q$ of $1536$ bits for 128-bit security (Hoshino et al., 30 Oct 2025).
CKKS (Approximate FHE): Provides approximate IND-CPA under RLWE (post-quantum). Parameters (e.g., ring dimension $n = 32768$ , modulus length $\sim 880$ bits) and sensitivity control error and grant $128$-bit security (Hoshino et al., 30 Oct 2025).

Complexity is dominated by the number of principal expansion terms $M=(n-1)! n N n$ , with each requiring a homomorphic evaluation. ElGamal enables efficient scalar multiplies, while CKKS packs summands but incurs higher per-operation cost due to rescaling and relinearization. Communication costs and latency scale differently between schemes, and parameter region design must balance security margin and computational feasibility.

Security Model: The server is assumed semi-honest (honest-but-curious). Data confidentiality is protected throughout computation, and the client’s decoding additionally blinds sign information. Attacks via noise overflow (CKKS), side channels, or data poisoning are possible and must be mitigated outside the core protocol (Hoshino et al., 30 Oct 2025).

4. Accuracy, Quantization, and Parameter Selection

The CFRIT framework is rigorously parameterized to guarantee overflow-freeness and target accuracy. With data $(E,W)$ and desired error tolerance $\varepsilon$ , the quantization gain should satisfy $G \geq Mn/\varepsilon$ . Given plant order $n$ , sample count $N$ , and matrix norms $\|E\|_{\max}$ , $\|W\|_{\max}$ , and $\mu$ , one chooses:

$G$ for accuracy: $G \geq Mn/\varepsilon$
$\lambda$ (key size, $q \sim 2^\lambda$ ) to satisfy overflow condition

A visualization in $(\lambda, \log_{10} G)$ -space demonstrates the admissible “cone” where both criteria are satisfied (Park et al., 9 Dec 2025). Numerically, for $n=4, N=50, \varepsilon=10^{-5}$ , $G \gtrsim 1.9 \times 10^9$ , $\lambda=280$ bits suffices, and the resulting gain error is $\|F_E^* - F^*\|_2 = 3.12 \times 10^{-8} \ll \varepsilon$ (Park et al., 9 Dec 2025).

These guidelines support systematic tuning, enabling trade-offs between accuracy, computational cost, and security margin.

5. Applications to Adaptive Filtering and Reference-Recursive Tuning

CFRIT generalizes beyond linear controller design to adaptive estimation scenarios, notably the iterative tuning of Kalman filter (or extended Kalman filter—EKF) statistics. In such contexts, CFRIT refers to the use of “fictitious” statistical reference points (e.g., maximally-likelihood Newton–Raphson solutions, cost-function consistency checks) to anchor and stabilize recursive update recipes (Ananthasayanam et al., 2015). The principal features include:

Iterative passes of EKF+RTS with covariance, measurement, and process-noise updates
Multiple weighted cost terms $J_0 \ldots J_8$ evaluating filter consistency and performance
Parameter and covariance updates (including covariance upscaling and block trimming) targeting statistical equilibrium across all estimation statistics
Extension to EM and DSDT approaches for $Q$ , $R$ estimation, with cross-validation of cost function expectations and noise sample properties

This recursive scheme, when implemented under the CFRIT paradigm, yields rapid and consistent convergence to near-optimal filter statistics, avoiding the pitfalls of ad-hoc tuning and providing direct interpretability via reference criteria (Ananthasayanam et al., 2015).

6. Practical Guidelines, Trade-offs, and Limitations

Recommended Usage and Trade-offs:

CFRIT is most practical for small to moderate state dimensions ( $n \leq 3,4$ ); the $(n-1)!$ factorial growth in computational cost becomes prohibitive beyond this regime.
For minimal latency and traditional security, ElGamal is often preferred; CKKS enables post-quantum security at the expense of substantially higher computational load.
Quantization error and ciphertext noise must be balanced by tuning $G$ ; excess quantization increases decryption error, while insufficient $G$ increases overflow risk.
Precompute determinant/cofactor structures when possible, and consider approximate or iterative inverse techniques for scalability (Hoshino et al., 30 Oct 2025).

Known Limitations:

For cases with weakly observable parameters or insufficiently exciting data, CFRIT (like all data-driven approaches) may fail to deliver accurate results.
For high-order systems, performance is limited by the factorial term in the sum-of-products inverse expansion. Approximate or iterative schemes may help, but this introduces secondary complexity and accuracy analyses (Hoshino et al., 30 Oct 2025).
In recursive filtering, convergence is affected by heuristic choices (e.g., $P_0$ scaling) and assumptions on system smoothness.

7. Comparative Results and Domain Impact

Empirical studies confirm that CFRIT, whether used for encrypted controller gain calculation (Park et al., 9 Dec 2025, Hoshino et al., 30 Oct 2025) or adaptive filter tuning (Ananthasayanam et al., 2015), matches the performance of conventional, non-confidential methods to within analytically predictable tolerances. Typical gain or parameter deviations are $<10^{-5}$ for moderate system sizes and quantization parameters, and filtering examples demonstrate convergence of estimated statistics and sample properties to theoretical optima in 5–10 iterations.

CFRIT directly addresses contemporary demands for secure, outsourced computation in CPS and provides a rigorous, paradigm-unifying treatment of confidentiality, quantization, and iterative tuning. Its explicit and verifiable parameter conditions enable robust integration in sensitive industrial, scientific, and mission-critical applications.