Homomorphic Cryptographic Scheme Based on Nilpotent Lie Algebras for Post-Quantum Security

Abstract

In this paper, the use of nilpotent Lie algebras as the basis for homomorphic encryption based on additive operations is explored. The $g$-setting is set up over $g{l}_n\left({\mathbb{Z}}_q\right)$) and the group $G=exp\left(g\right)$, and it is noted that the exponential and logarithm series are truncated by nilpotency in a natural way. From this, an additive symmetric conjugation scheme is constructed: given a message element $M$ and a central randomizer $U\in z\left(g\right),$ we encrypt $=Kexp\left(M+U\right)K^{-1}$ and decrypt to $M=log\left(K^{-1}CK\right)-U$. The scheme is additive in nature, with the security defined in the IND-CPA model. Integrity is ensured using an encrypt-then-MAC construction. These properties together provide both confidentiality and robustness while preserving the homomorphic functionality. The scheme realizes additive homomorphism through a truncated BCH-sum, so it is suitable for ciphertext summations. We implemented a prototype and took reproducible measurements (Python 3.11/NumPy) of the series $\{{10,10}^2,{10}^3,{10}^4,{10}^5\}$ over 10 iterations, reporting the medians and 95% confidence intervals. The graphs exhibit that the latency per operation remains constant at fixed values, and the total time scales approximately linearly with the batch size; we also report the throughput, peak memory usage, $\mid C\mid /\mid M\mid$ expansion rate, and achievable aggregation depth. The applications are federated reporting, IoT telemetry, and privacy-preserving aggregations in DBMS; the limitations include its additive nature (lacking general multiplicative homomorphism), IND-CPA (but not CCA), and side-channel resistance requirements. We place our approach in contrast to the standard FHE building blocks BFV/BGV/CKKS nd the emerging NIST PQC standards (FIPS 203/204/205), as a well-established security model with future engineering optimizations.

1. Introduction

Information security is a universal problem confronting information systems in various industries, ranging from day-to-day communication to industrial and military technology, in the computerization era. Cryptography, as a scientific basis for protecting information through mathematical methods, aims at ensuring data confidentiality, integrity, authentication, and non-repudiation [1,2,3]. Classical cryptographic algorithms such as RSA and Diffie–Hellman rely on the computational difficulty of problems like factorization and discrete logarithms in cyclic groups [4,5,6]. The rapid progress in quantum computing, especially Shor’s algorithm, which can quickly solve factorization and discrete logarithm problems, has raised serious questions about the long-term security of traditional cryptosystems [5,7]. In response, researchers have turned to post-quantum cryptography, which is based on mathematical structures for which no efficient quantum algorithms are currently known [6,8,9].

Lie groups and their associated Lie algebras have emerged as promising candidates within this search for alternatives. They provide a rich algebraic and geometric foundation for designing cryptographic methods [10,11,12,13]. As smooth manifolds, Lie groups have group operations connected naturally with differential geometry and linear algebra, allowing for complex operations using exponential and logarithmic maps [14,15,16]. Their companion structures, Lie algebras, represent the tangent space at the identity element of the group and, thanks to their linear nature, are particularly well suited to efficient computation in encryption [11,17].

Lie structures are already applied in group theory, geometry, and physics, and more recently, they have increasingly been used in cryptography [10,12,18]. Their application, however, requires a careful definition of the conditions under which exponential and logarithmic mappings remain valid in modular arithmetic. In particular, for a nilpotent Lie algebra of class c, both the series of exponentials and of logarithms terminate naturally, being exact without approximation. This boundedness provides a mathematically rigorous foundation for the encoding and decoding of messages in the algebra.

In the cryptographic literature, related principles have been successfully applied in the canonical fully homomorphic encryption schemes BFV, BGV, and CKKS [19,20,21,22]. Applications cover both the construction of public-key systems and homomorphic schemes that can process data directly in its encrypted version [19,20]. Our work builds upon this tradition and extends it to the post-quantum regime, in conformity with recent NIST PQC standards like ML-KEM, ML-DSA, and SLH-DSA [23,24,25]. These standards are a benchmark of modern cryptography, and the appearance of Lie-theoretic primitives in this arena offers promise for secure computation. This paradigm has become an essential tool in distributed and cloud computing. It allows computations to be performed directly on encrypted data. This removes the need for decryption during processing and ensures privacy and security throughout [26]. Also, concepts such as algebraic commutators and nilpotent matrices naturally occurring in Lie theory have additional layers of security that are promising in the face of quantum attacks [17,27,28].

Together, these advancements reflect the importance of Lie algebras in constructing post-quantum cryptography. Drawing from these observations, this paper researches the application of nilpotent Lie algebras in constructing efficient and secure homomorphic cryptosystems. These algebraic structures are particularly attractive since they provide computational efficiency with enhanced immunity against quantum attacks. Through their study using matrix representations and truncated BCH (Baker–Campbell–Hausdorff) expansions, we develop a homomorphic scheme with mathematical rigor, accompanied by the practical requirements of modern cryptography.

Within this setting, this paper emphasizes the role of nilpotent Lie algebras in enabling homomorphic encryption, focusing in particular on achieving exact addition through truncated BCH operations. The overarching aim is to narrow the divide between elegant algebraic theory and real-world cryptographic system implementations that are reproducible, measurable, and supported by a clearly defined security model. This research contributes to the integration of a theoretical security paradigm with a reproducible approach to implementation so that theoretical advancements are vindicated and proven by concrete, verifiable outcomes. The main contributions of this research can be summarized as follows:

(i)

The formalization of the conjugation scheme $C = K exp\left(M+U\right)K^{-1}$ with an explicit CPA (chosen-plaintext attack) security model NCIP (Nilpotent Conjugacy/Log-Inversion Problem) and a scope of validity;

(ii)

A fully parameterized and publicly reproducible implementation with quantitative measurements (latency, throughput, memory, expansion, depth);

(iii)

A path to integration into a DBMS with integrity verification and key rotation.

The manuscript is organized as follows: Introduction; Objective and Research Methodology; Related Works; Theoretical Basis: Lie Groups and Lie Algebras in Cryptography; Design of a Homomorphic Encryption Scheme Based on Lie Groups and Algebras; and Conclusion.

2. Objective and Research Methodology

2.1. Goal

The aim of this paper is to design and present a cryptographic scheme based on nilpotent Lie algebras and groups that enables additive homomorphic encryption (summation in the cipher domain) with a clearly defined security model. Unlike traditional approaches (factorization, discrete logarithm), we rely on structured matrices and their commutators; security is considered in the context of the assumption of the difficulty of conjugation/logarithm inversion in the nilpotent environment (NCIP). We note that the scheme is not presented as formally post-quantum-standardized; it is positioned as a research candidate with clear assumptions and measurable performance.

2.2. Specific Objectives

• We wish to

• Formalize the mathematical basis of Lie algebras and corresponding Lie groups relevant to cryptography (nilpotency, BCH truncation);
• Define message encoding in the algebra g (not in a group) and encryption/decryption via $exp/log$ and conjugation in the group G;
• Construct a scheme with homomorphic addition in the cipher domain (cipher multiplication ↔ BCH-sum in g);
• Specify the security model (IND-CPA in symmetric key), constraints (malleability, no CCA), and integrity mechanisms (encrypt-then-MAC);
• Implement a prototype in Python and conduct reproducible measurements (latency/throughput, memory, cipher extension, achievable depth).

2.3. Methodology

The research design combines a formal theoretical framework with a reproducible implementation. We work in the field ${\mathbb{Z}}_q$ where q is a large prime, $M_n\left({\mathbb{Z}}_q\right)$ denotes the algebra of $n\times n$ matrices, and g is a nilpotent Lie algebra of class c. The associated group is $G=exp\left(g\right)$. By construction, the series for both$exp$ and $log$ terminate after a finite number of steps, and the BCH expansion truncates at depth c.

To guarantee correctness, the parameters $(n,c,q,s,\beta )$ are explicitly bounded as follows: the norm of the encoded messages is constrained to avoid overflow, the nilpotency class c defines the maximum additive depth, and the modulus q is chosen to be large enough to prevent wrap-around. This formal specification ensures that encryption, homomorphic addition, and decryption remain both efficient and mathematically consistent.

Encryption is carried out by conjugating the exponential form of the encoded message with a secret key $K\in G$, while decryption simply reverses this process and applies the logarithm.

A central component of the scheme is the randomizer $U\in z\left(g\right),$ which lies in the center of the Lie algebra and therefore commutes with all other elements. During encryption, $U$ is added to the encoded message to ensure probabilistic security so that multiple encryptions of the same plaintext yield different ciphertexts.

In decryption, $U$ is recovered implicitly because $log\left(K^{-1}CK\right)=M+U$, and subtracting this randomizer yields the original message element M. For homomorphic addition, randomizers combine additively: combining two ciphertexts results in $U_1+U_2$. To maintain correctness and reproducibility, U can be generated either from a public seed using a pseudorandom function (PRF) or stored as associated metadata $(\nu , ver, ctx).$ This mechanism ensures that the randomization remains transparent for the evaluator while still guaranteeing semantic security in the IND-CPA model.

On the practical side, the work includes an implementation in Python 3.11 with NumPy, along with parameter selection and a measurement protocol. All experiments are supported by publicly available scripts and fixed seeds, ensuring full reproducibility.

For clarity, the encryption scheme operates in the following steps:

• Encoding: $M=Encod{e}_s\left(m\right)\in g$ with the norm constraint;
• Encryption: $C = K exp\left(M+U\right)K^{-1}$, where $U\in z\left(g\right)$ is the central randomizer.
• Addition homomorphism: $C_1{C}_2=Kexp\left(M_1\oplus M_2\right)K^{-1}$ (BCH terminates at depth c).
• Decryption: $M = log\left(K^{-1} C K\right)-U$, and then $m=Decod{e}_s\left(M\right).$

We report measurements as the median ms/op and 95% confidence intervals. For a complete and formal specification of the scheme (M+U, MAC, IND-CPA), see Section 5.1 and Section 5.2, where Equations (1)–(4) and pseudocode with the metadata $\nu /ver/ctx$ are given.

The notation has been unified with the definitions introduced in Section 2.3 (parameters $n,c,q,s,\beta$) and Section 5.1 (the security model). In the performance tables, the ciphertext size $(\mid C\mid )$, expansion rate $(\mid C\mid /\mid M\mid )$, throughput measured in operations per second (ops/s), and achievable homomorphic depth are included, alongside latency and memory usage. Figures are presented with axis labels and more precise legends to make them easier to interpret and to avoid any ambiguity.

3. Related Works

The use of algebraic structures, particularly Lie groups and Lie algebras, has increasingly attracted the attention of researchers in the field of cryptography, especially in the context of developing post-quantum security systems. The work by Abdollahi et al. [29] is one of the pioneering studies on non-commutative structures, investigating the non-commuting graphs of groups, which has inspired subsequent studies where non-commutativity serves as the foundation for security protocols.

Khamseh [30] presented the potential of bilinear cryptography using Lie algebras derived from p-groups, highlighting their structural suitability for cryptosystem development. Similarly, Roman’kov [31] analyzed the discrete logarithm problem in nilpotent groups and laid the foundation for the cryptanalysis of polylinear systems, which directly supports the use of nilpotent Lie algebras in this work.

Post-quantum security is a highly relevant topic, as confirmed by the work of Samiullah et al. [32], and Duong et al. [33] who developed signature schemes and key management protocols based on unconventional algebraic structures with a specific focus on quantum resistance. A similar objective, but with a different mathematical foundation, is observed in the study by Hong et al. [34], who employed finite groups of the Lie type to construct CCA-secure public key encryption schemes. The BFV [19], BGV [21], and CKKS [22] schemes form the canonical triad; our comparison and terminology draw on these works. In the domain of standardization, the NIST PQC (FIPS 203/204/205) provides compatible primitives [23,24,25].

The broad application of Lie groups extends beyond cryptography and finds relevance in many modern data processing techniques. Wang and Liu [35] applied Lie group theory in adaptive filters for inertial navigation systems, while Zeng et al. [36] proposed a model for remote sensing scene classification based on Lie group feature extraction. These examples demonstrate the applicability of Lie theory in the fields of artificial intelligence and computer vision.

Sophocleous and Tracinà [37] employed Lie group classification for reduced Burgers systems, while Xu et al. [38] investigated real-time industrial defect detection using intrinsic mean features derived from Lie groups. Such applications underscore the capability of Lie theory to model complex real-world systems.

The mathematical foundation of Lie groups has been expanded further in works such as that by Li, Cherif, and Xie [39], which explores Ricci solitons and harmonic vector fields on the Lie group Nil⁴, and Fiori [40], who introduced discrete-time dynamical systems on structured state spaces based on Lie algebras. Bildirici et al. [41] also developed stochastic methods based on $SO\left(2\right)$ Lie groups to approximate correlation matrices.

From the perspective of automation and control applications, Ayala et al. [42] examined the stability of linear control systems on Lie groups—an aspect also relevant to real-time cryptographic protocols.

As another important aspect of technical contributions, the broader implications of post-quantum security are discussed in works such as those by Bauspieß [43] and Emerencia [44], which include secure biometric systems. Finally, the work by Hasić et al. [45] provides a direct examination of the role of nilpotent and solvable Lie algebras in cryptography and steganography, which is directly relevant to the proposed homomorphic cryptographic scheme in this paper that utilizes nilpotent structures.

Recent studies further contextualize the interdisciplinary relevance of cybersecurity research. Akmese and Erdogan [46] conducted a bibliometric analysis of the cybercrime literature (2000–2023), identifying evolving threats that align with the need for advanced cryptographic solutions like those based on Lie algebras. Alaca et al. [47] contributed to anomaly detection through graph-based LSTM models, showcasing the synergy between machine learning and algebraic methods for security applications. Meanwhile, Seyyarer et al. [48] highlighted technological safeguards for autonomous vehicles, reinforcing the demand for robust cryptographic frameworks in emerging domains. These works collectively emphasize the critical role of innovative mathematical structures, such as Lie-theoretic approaches, in addressing contemporary cybersecurity challenges.

4. Theoretical Basis: Lie Groups and Lie Algebras in Cryptography

Lie groups are sets of elements that are both groups in the algebraic sense and smooth differentiable manifolds in the analytical sense. In other words, they combine the structure of a group with the properties of a differentiable space, which allows for the use of methods from differential geometry and linear algebra in their analysis.

Formally, a Lie group is a smooth manifold G equipped with a group structure where the multiplication map $m: G \times G \to G \left(\right(x, y) \mapsto xy)$ and the inversion map $i: G \to G (x \mapsto x^{-1})$ are both smooth (infinitely differentiable).

Key Examples of Lie Groups:

1.

General Linear Group $\mathit{G}\mathit{L}(\mathit{n},\mathbb{R}):$

The set of all invertible $n\times n$ real matrices under matrix multiplication. It forms

i.

An open submanifold of ${\mathbb{R}}^{n^2}$;

ii.

Dimension: $n^2$.

Properties:

i.

Closure: $A,B\in GL(n,\mathbb{R})\Rightarrow AB\in GL(n,\mathbb{R})$;

ii.

Associativity: $A\left(BC\right)=\left(AB\right)C$;

iii.

Identity: $I\mathrm{ₙ}=diag(1,1,\dots ,1)$;

iv.

Inverses: $\forall A,\exists A^{-1} with A{A}^{-1}=A^{-1}A=I\mathrm{ₙ}.$

2.

Special Linear Group $\mathit{S}\mathit{L}(\mathit{n},\mathit{R}):$

The set of $n\times n$ real matrices with determinant 1 under matrix multiplication. It is

i.

A smooth submanifold of GL(n, ℝ);

ii.

Dimension: $n^2 - 1$.

Properties:

i.

Closure: $det\left(AB\right)=det\left(A\right)·det\left(B\right)=1·1=1$;

ii.

Associativity: Inherited from $GL(n,\mathbb{R})$;

iii.

Identity: $det\left(I\mathrm{ₙ}\right)=1$;

iv.

Inverses: $det\left(A^{-1}\right)=1.$

For each Lie group $G$, there is an associated Lie algebra $g$, defined as the tangent space at the group’s identity element, equipped with a bilinear operation called the commutator (Lie bracket). Formally, a Lie algebra is a vector space g over a field $F$ with a bracket $[·,·]:\mathfrak{g}\times \mathfrak{g}\to \mathfrak{g}$ satisfying

1.

Antisymmetry: $[x,y]=-[y,x]$;

2.

Jacobi Identity: $[x,[y,z\left]\right]+[y,[z,x\left]\right]+[z,[x,y\left]\right]=0.$

Examples of Lie algebras:

1.

Endomorphism Lie Algebra: For a vector space $V$, $End\left(V\right)$ (linear maps $V \to V$) is a Lie algebra under the commutator bracket $[A, B]=A\circ B-B\circ A$;

2.

General Linear Lie Algebra$\mathfrak{g}\mathfrak{l}(\mathit{n},\mathit{F})$: The general linear Lie algebra consists of all n × n matrices over F with the bracket $[A, B]=AB-BA$;

3.

${\mathbb{R}}^3$with Cross Product: ${\mathbb{R}}^3$ is a Lie algebra under the cross product $[u, v] = u \times v$ (antisymmetric and satisfied Jacobi identity);

4.

Heisenberg Algebra: Basic matrices:

$$X=\left(\begin{array}{ccc}0& 1& 0\\ 0& 0& 0\\ 0& 0& 0\end{array}\right),\hspace{1em}Y=\left(\begin{array}{ccc}0& 0& 0\\ 0& 0& 1\\ 0& 0& 0\end{array}\right),\hspace{1em}Z=\left(\begin{array}{ccc}0& 0& 1\\ 0& 0& 0\\ 0& 0& 0\end{array}\right)$$

with brackets $[X,Y]=Z,[X,Z]=0,[Y,Z]=0.$

Nilpotent Algebras

A Lie algebra $g$ is nilpotent if its lower central series terminates:

$$g^{\left(0\right)}=g, g^{(k+1)}=[g^{\left(k\right)},g],\hspace{1em}\hspace{1em}\exists n:g^{\left(n\right)}=\left\{0\right\}$$

Here, $[\cdot ,\cdot ]$denotes the Lie bracket (commutator).

Properties:

i.

All iterated commutators vanish beyond step n, enabling finite computations.

Example (Heisenberg Algebra): Lower central series

$${\mathfrak{g}}^1=span\left\{X,Y,Z\right\}, {\mathfrak{g}}^2=span\left\{Z\right\}, {\mathfrak{g}}^3=\left\{0\right\} (\mathrm{nilpotency} \mathrm{index} 2)$$

Connecting Lie Groups and Algebras

The exponential map $exp:g\to G$ associates a Lie group element with each Lie algebra element:

$$\exp \left(A\right)=\sum _{k=0}^{\mathrm{\infty }}{\displaystyle \frac{A^k}{k!}}.$$

For nilpotent $g$ (where $A^m=0$ for some $m$), the series terminates.

Properties:

ii.

Converts algebraic operations into group actions;

iii.

Computable in polynomial time for nilpotent algebras.

Example:

For $A=\left(\begin{array}{ccc}0& 3& 0\\ 0& 0& 4\\ 0& 0& 0\end{array}\right)$ (nilpotent, $A^3=0$),

$$\exp \left(A\right)=I+A+{\displaystyle \frac{A^2}{2}}=\left(\begin{array}{ccc}1& 3& 6\\ 0& 1& 4\\ 0& 0& 1\end{array}\right).$$

The logarithmic map log: G→g inverses this process.

Nilpotency and Baker–Campbell–Hausdorff truncation.

Lower central series

$g=g_1\supseteq g_2=[g,g]\supseteq \dots$ terminates in $g_{c+1}=0$. Therefore, the BCH-sum

$$M_1⨁M_2=M_1+M_2+{\displaystyle \frac{1}{2}}\left[M_1,M_2\right]+{\displaystyle \frac{1}{12}}\left[M_1,\left[M_1,M_2\right]\right]-{\displaystyle \frac{1}{12}}\left[M_2,\left[M_1,M_2\right]\right]+\dots$$

has finitely many members (truncation on class c).

Exponential and logarithmic mapping.

For nilpotent matrices, the series are finite:

$$exp\left(M\right)= \sum _{i=0}^c{\displaystyle \frac{M^i}{i!}}, \mathit{log}\left(I+Y\right)=\sum _{i=0}^c{\displaystyle \frac{{\left(-1\right)}^{i+1}}{i}} Y^i$$

Implications for cryptography.

Our design follows the principles from the FHE literature [42,43,44,45], with nilpotency allowing for exp/log termination and BCH truncation.

• Correctness: Series completion guarantees the return of the encoding/decoding without approximations;
• Homomorphism: The product $exp\left(M_1\right)exp\left(M_2\right)=exp(M_1\oplus M_2)$ induces addition into the algebra;
• Computability: The operations are polynomial in n for a fixed c.

Why Are Lie Groups Useful in Cryptography?

• Complexity of operations: Matrix operations within Lie groups are mathematically complex, which provides high security;
• Replacement of classical problems: Problems of inversion of exponential and commutator operations can replace classical problems such as the discrete logarithm;
• Potential resistance to quantum attacks: Quantum algorithms currently lack efficient solutions to problems based on Lie algebras and commutators in nilpotent structures.
• Homomorphism: Operations in algebras can be directly transferred to group operations, which allows for the processing of encrypted data.

5. Design of a Homomorphic Encryption Scheme Based on Lie Groups and Algebras

5.1. Threat Model and Security Goal

Goal

The main security objective is confidentiality under the IND-CPA (indistinguishability under chosen-plaintext attack) model; integrity is provided via an HMAC (Hash-Based Message Authentication Code) in an encrypt-then-MAC composition for a symmetric key $K\in G$. The construction is randomized since each message is randomized with a fresh $U\in z\left(g\right).$ Encryption for a plaintext $M\in g$gives

$$C=Kexp(M+U)K^{-1}$$

We formalize confidentiality with the standard indistinguishability under a chosen-plaintext attack (IND-CPA) experiment. Let $\mathcal{A}$ denote a probabilistic polynomial-time adversary and ${\epsilon }_K(·)$ the encryption oracle under the secret key $K \in G$. The game proceeds as follows:

• Setup: A random key $K \in G$ is sampled, and $\mathcal{A}$ is given public parameters $(n,c,q,s,\beta ).$
• Query phase: $\mathcal{A}$ adaptively submits messages $M \in g$ and receives ciphertexts $C = K exp\left(M+U\right)K^{-1}$, with a fresh $U \in z\left(g\right)$ per query.
• Challenge: $\mathcal{A}$ outputs two challenge messages $M_0, M_1$. A random bit $b \in \left\{\mathrm{0,1}\right\}$ is chosen, and $\mathcal{A}$ receives $C^{*} = K exp\left(M_b+U^{*}\right)K^{-1}$, with fresh $U^{*}$.
• Guess: $\mathcal{A}$ outputs $b’$. It wins if $b’=b$.

The advantage of $\mathcal{A}$ is defined as

$$Ad{v}_{\mathcal{A}}^{IND-CPA}=\left|Pr\right[b\mathrm{’}=b]-1/2|.$$

Our construction achieves IND-CPA security under the assumption that the Nilpotent Conjugacy/Log-Inversion Problem (NCIP) is hard in $g \subseteq M_n\left({\mathbb{Z}}_q\right).$ Intuitively, if an adversary can distinguish encryptions of $M_0$ and $M_1$ with a non-negligible advantage, then it can also distinguish conjugates of structured elements $exp(M+U)$ from random elements in the conjugacy orbit, thus solving the NCIP. This provides a reduction from IND-CPA adversaries into NCIP solvers, reinforcing the security claim.

We consider the post-quantum context in accordance with the NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA) [46,47,48]; our layer can be combined with KEM for key exchange.

Decrypting gives $M + U$; subtracting $U$ gives $M$. Formally,

$$M=\log \left(K^{-1}CK\right)-U$$

Adversary

We assume an active network attacker who

Observes an unlimited number of ciphertexts and metadata (e.g., nonce $\nu$, key version $ver$) and has the chosen-plaintext ability to call $Encryp{t}_K(·)$ on messages of their choice, including messages associated with challenges;

Can modify/order ciphertexts in transit (malleability is expected due to homomorphism) and does not have access to a decrypting oracle (no CCA).

Security goals

• IND-CPA confidentiality: For challenge messages of the same format/length, the attacker does not distinguish which ciphertext was obtained, except to a negligible extent;
• Key protection: Recovering $K$ or $K^{-1}$ from pairs $(M_i, C_i)$ is infeasible under the NCIP (Nilpotent Conjugacy/Log Inversion Problem) assumption;
• Randomization robustness: U has high min-entropy, is chosen independently of $M$, and belongs to the center $z\left(g\right)$, so it does not violate the addition homomorphism.

Outline of arguments (high level)

Suppose the attacker achieves a non-negligible advantage in the IND-CPA game. In that case, they effectively distinguish the distribution $exp(M+U)$ (after conjugation with the secret $K$) from the reference distribution that the randomization of $U$ makes uniform/averages. This induces a distinguisher against the NCIP (i.e., distinguishing the structured $exp(·)$ in the conjugation orbit from the reference distribution), contrary to the weight assumption. This sketch does not target CCA; see Out of scope.

Out of scope

• CCA security: We do not claim resistance to chosen-ciphertext attacks;
• Non-malleability: Malleability is intentional for the sake of homomorphism (e.g., the product of ciphertexts corresponds to the addition of codes);
• Side channels (timing/cache/power) are handled implementation-wise (constant-time arithmetic, avoiding branching on secret bits, affinity pinning).

Integrity and authentication

To protect against modification and replay attacks, we apply encrypt-then-MAC over serialization $(C, \nu , ver, ctx),$ where ν (nonce) is unique per encryption, ver denotes the key version (for rotation), and $ctx$serves as domain separation. On failed verification leads to abort (no feedback).

Operational requirements

• Randomization $U$: Sampled from the center $z\left(g\right)$ with sufficient entropy (CSPRNG) and independent of $M$; distribution and support are chosen so as not to compromise correctness and minimize cipher extension.
• Nonce ν: Unique per encryption (e.g., monotonic counter or 96-bit random), stored publicly and fed into MAC.
• Key rotation: Periodic rotation $K_i \to K_{i+1}$ with versioning; compromise of $K_i$ does not compromise the sessions under $K_{i+1}$.
• Multi-tenant: Independent keys per tenant; avoids cross-tenant domain mixing via $ctx$.
• Correctness: Parameters $(n, c, q, s, \beta )$constrain the norms and BCH members so that the log is well-defined; on exiting the allowed region, abort and re-encode/parameter correction (see Section 2.3 Methodology for formal parameter specification).

Although encrypt-then-MAC guarantees that each ciphertext is verified before decryption, the evaluator who carries out homomorphic additions does not have access to the secret key and therefore cannot generate fresh authentication tags. To address this, integrity verification is deferred until after decryption: all intermediate ciphertexts are considered tentative, and only the final ciphertext is checked with its corresponding MAC. In practice, this means that a set of ciphertexts with valid tags can be aggregated, but the authenticity of the aggregate result is validated only once, when decryption is performed. This approach is in line with the usual practice of pairing homomorphic encryption with symmetric authentication, making sure that any tampering during evaluation is only exposed once the final ciphertext is decrypted.

Security features:

The security of this system is based on several factors. One is that Lie group operations such as commutation and exponential mappings are computationally involved mathematically, thus making the system immune to current quantum algorithms such as Shor’s algorithm. The other key property is homomorphism, computation on encrypted data without decryption, thus allowing computation on private data in distributed systems securely.

Theorem 1.

(IND-CPA Security Under the NCIP Assumption).  Let $\mathcal{A}$ be a probabilistic polynomial-time adversary participating in the IND-CPA experiment against our encryption scheme. The key $K\in G$ and the MAC key $k_{mac}$ are sampled uniformly at random during setup. For each encryption query, fresh randomness is generated: a nonce $\nu$, a central randomizer $U\in z\left(g\right)$ (either stored as metadata or deterministically derived from a PRF), and corresponding metadata $(\nu ,ver,ctx)$. The encryption oracle then returns $(C,meta,T$), where 

$$C=K\cdot exp(M+U)\cdot K^{-1}, T={HMAC}_{k_{mac}}(C,meta).$$

Suppose that $\mathcal{A}$ distinguishes encryptions of chosen challenge messages $(M_0,M_1)$ with a non-negligible advantage $\epsilon$. Then, a polynomial-time algorithm $B$ exists that solves the Nilpotent Conjugacy/Log-Inversion Problem (NCIP) in $g\subseteq g{l}_n({\mathbb{Z}}_q$) with an advantage at least $\epsilon$.

Proof. 

If A can distinguish between ciphertexts of $M_0$ and $M_1$, then it can also distinguish structured conjugates $exp(M+U)$ from random elements in the conjugacy orbit. This contradicts the assumed hardness of the NCIP. Therefore, the scheme achieves IND-CPA security under the NCIP assumption. □

5.2. Definition of Scheme

KeyGen. Sample a small $S\in g$; set $K=exp\left(S\right)\in G$ and $K^{-1}=exp(-S)$. Publish the parameters $(n,c,q,s)$ and implementation domain tags; keep K and the MAC key $k_{mac}$ secret.

Encode/Decode.

Map a plaintext m to an algebra element $M=Encod{e}_s\left(m\right)\in g$ with the bounded norm; $Decod{e}_s$ is the inverse map back to $m$.

Encrypt.

For each message, sample fresh $U\in z\left(g\right)$(central randomness) and set the metadata $(\nu ,ver,ctx).$ Compute

$$C=Kexp\left(M+U\right)K^{-1}$$

(1)

Then, compute the tag

$$T=HMAC(k_{mac},serialize(C,\nu ,ver,ctx\left)\right)$$

(2)

and return $(C,\nu ,ver,ctx,T)$.

Decrypt.

Verify the MAC; if verification fails, abort. Otherwise, compute

$$M=log\left(K^{-1}CK\right)-U$$

(3)

and output $m=Decod{e}_s\left(M\right).$

Evaluate (homomorphic addition).

Given $C_1,C_2$ produced under the same key and metadata domain, set $C_{\oplus }:=C_1{C}_2$. Since BCH truncates in a nilpotent algebra,

$$exp\left(M_1\right)exp\left(M_2\right)=exp(M_1\oplus M_2)$$

(4)

Decrypting $C_{\oplus }$ yields $M_1\oplus M_2$, which $Decod{e}_s$ maps to the component-wise sum.

Correctness.

Because U is central, $exp(M+U)=exp\left(M\right)exp\left(U\right)$; conjugation by K preserves the central factor, and subtracting U after taking log recovers M. The truncated BCH identity guarantees an exact evaluation of $\oplus$ up to the algebra’s class c.

Figure 1 shows the basic principles of homomorphic encryption and decryption based on Lie algebras.

5.3. Homomorphic Properties (Addition)

Where $C_i=Kexp\left(M_i+U_i\right)K^{-1}$ is valid,

$$C_1{C}_2=Kexp\left(M_1⨁M_2+(U_1+U_2)\right)K^{-1},$$

$$\log \left(K^{-1}\left(C_1{C}_2\right)K\right)-\left(U_1+U_2\right)=M_1⨁M_2+(U_1+U_2)-(U_1+U_2)=M_1⨁M_2$$

which implements an additive homomorphism (BCH truncated on the class c).

5.4. Integrity and Key Rotation

We apply encrypt-then-MAC over serialization $(C,\nu ,ver,ctx)$. On verification failure, decryption is aborted. Key rotation $K_i\to K_{i+1}$ with meta-data versioning.

Pseudocode

Inputs: Secret K ∈ G (KinV = K^{-1}), MAC key kmac;

  params (n, c, q, s); metadata (C, ν, ver, ctx)

  Encrypt(m):

  U    ← SampleFromCenter()       # U ∈ z(g), fresh per message

  M    = Encode_s(m)           # M ∈ g

    E    = exp(M + U)             # in G

    C    = K · E · KinV          # conjugation

    T    = HMAC(kmac, serialize(C, ν, ver, ctx))

return (C, ν, ver, ctx, T)

 

Decrypt(C, ν, ver, ctx, T):

  assert T == HMAC(kmac, serialize(C, ν, ver, ctx))  # abort on failure

    X   = KinV · C · K

    M   = log(X) − U

    m   = Decode_s(M)

    return m

    EvalAdd(C1, C2):

      return C1 · C2              # additive homomorphism via truncated BCH

To guarantee reproducibility, the reconstruction of the central randomizer $U$ is made explicit. During encryption, $U$ is either stored as lightweight metadata attached to the ciphertext or deterministically derived from a public seed using a pseudorandom function (PRF). In the decryption phase, the evaluator retrieves U accordingly: if metadata is present, the stored value is subtracted directly after the logarithm step; if a PRF is used, $U$ is recomputed from the seed, ensuring consistency across encryption/decryption cycles.

We performed the evaluation on an extended set of messages: we generated a symmetric secret key $K\in G$, optimized the encryption for serial inputs, and performed homomorphic operations on the ciphertexts. For fixed parameters $(n,c,q,s)$, the expected dynamics were observed: the per-operation decryption latency remained approximately constant, while the total time grew approximately linearly with the batch size, thus correcting an earlier error in which the time for a single message was unintentionally replicated to larger batches and created the illusion of constant time. The measurement environment was as follows: Python 3.11/NumPy 1.26, Windows 10 (64-bit), 12-core CPU, 32 GB of RAM; arithmetic modulo $q=2^{31} -1$; $n\in \{\mathrm{3,6},9\}$, $c\in \left\{\mathrm{2,3}\right\}.$ Protocol: series $\{{10, 10}^2,{10}^3,{10}^4,{10}^5\}$, 10 replicates per point; we report the medians and 95% confidence intervals, with warm-up rejection. The metrics include latency (ms/op), throughput (op/s), peak memory usage (MB), expansion ratio $\mid C\mid /\mid M\mid$, and achievable summation depth. The performance is stable and scales as theoretically expected, and we target further improvements through optimizations of large matrix operations and faster exp/log calculations; an overview of the results is given in

Table 1. Encryption and decryption analysis.

Number of Messages	Encryption Time (s)	Homomorphic Addition Time (s)	Decryption Time (s)
10	0.000334	0.000013	0.000286
100	0.003111	0.000133	0.002848
1000	0.036144	0.001258	0.031633
10,000	0.361436	0.012579	0.316331
100,000	3.614358	0.125793	3.163310
1,000,000	36.143582	1.257931	31.633097

(and Figure 2). Scripts and seeds are provided for full reproducibility.

Table 2. Resource metrics and achievable additive depth.

n	c	Ciphertext Size (|C|)	Expansion Ratio (|C|/|M|)	Depth (Median)	Depth CI95 Low	Depth CI95 High
3	2	3.4 × 10−5	3.0	1.0	1.0	3.0
6	2	0.000137	2.4	0.0	0.0	1.0
9	3	0.000309	2.25	0.0	0.0	0.0

summarizes the resource metrics and achievable additive depth, complementing the latency and throughput results in Table 1. The results in Table 2 show that certain parameter sets yield very limited or even zero additive depth. This phenomenon is explained by the algebraic structure of nilpotent Lie algebras. Specifically, when the nilpotency class $c$ is small relative to the chosen matrix dimension $n$, the truncated BCH expansion terminates prematurely. As a consequence, the space of valid additive operations collapses after only one or two levels, resulting in a negligible effective depth. This outcome is not due to implementation limitations but rather reflects an inherent structural constraint of the underlying algebra. Understanding this interaction between $n$ and $c$is essential for parameter selection, as only configurations where the nilpotency class allows sufficient room for higher commutators will enable practically useful homomorphic depth in encrypted aggregation tasks.

Figure 2 shows the encryption and decryption median latency (ms/op) across batch sizes, shown on a log–log scale. The batch-size ranges are harmonized with the experimental methodology. Values represent medians across 10 replicates, and error bars denote 95% confidence intervals, while the total time increases approximately linearly with batch size.

In Figure 3, the ciphertext payload (MB) and the expansion ratio $\left(\right|C|/|M\left|\right)$ are a function of the matrix dimension n. Values represent medians across 10 replicates. Error bars denote 95% confidence intervals.

5.5. Integrating the Model with a Data Management System

To integrate encryption into a data management system, we are going to use a database; see Figure 4. We are going to examine the basic conversation between the database and the encryption scheme.

Steps:

• Building the database: First, let us create a simple database to store the encrypted data;
• Developing a model for data storage: The model will contain the encrypted values and their metadata;
• Implementing encryption functionality when entering the database: When entering data, the data will be encrypted before being stored in the database;
• Implementing decryption functionality when reading from the database: When the user accesses the data, it will be decrypted.

Our authentication model uses additional data protection options such as using an HMAC (Hash-based Message Authentication Code) based on a homomorphic encryption scheme that uses Lie groups and algebras for data integrity. This approach provides specific advantages in certain applications because homomorphic schemes allow operations to be performed on encrypted data without the need to decrypt it. To protect data with an HMAC for data integrity verification, we use the following:

• Flask Back-End: We add HMAC generation logic and data integrity checks;
• Front-End React: We add the support to take the input of the secret key, calculate the HMAC, and post data to the server for verification.

5.6. Flask Back-End—Implementing HMAC

First, we will implement the functionality for generating the HMAC and verifying data integrity in our Flask server.

• HMAC: The HMAC is used for data integrity verification. First, we generate an HMAC for the encrypted data (using the secret key) and send it along with the encrypted data. Further optimization strategies and performance results are discussed in Appendix A.
• Encryption and Decryption: We use Lie group mode to encrypt and decrypt the data.
• HMAC Verification: Before decrypting the data, we check whether the HMAC we received matches the one we generated on the server. If it does not match, we return an error.

6. Conclusions

In this paper, a symmetric encryption scheme founded on nilpotent Lie algebras and the corresponding group $G=exp\left(g\right)$ is detailed, with conjugation as the encryption operation at the center and employing a truncated BCH expansion to meet an additive homomorphism. The design was informed by a theoretical analysis as well as by reproducible implementation, and the performance metrics were the median latency, throughput, memory usage, ciphertext growth, and attainable aggregation depth. Our results show that the scheme offers low-cost stability in operations and essentially linear scalability with batch size, making it a strong candidate for applications such as federated reporting, IoT telemetry, and database system privacy-preserving data aggregation. It is especially useful in aggregation-heavy applications, such as secure DBMS queries (e.g., SUM/AVG on sensitive columns), IoT edge processing, federated statistics within organizations without disclosing raw data, and audit controls like running totals or event counters in high-security environments.

The scheme provides additive functionality, without supporting general multiplicative operations. Its security is framed within the IND-CPA model, not the stronger CCA setting. Malleability is intentionally included to allow for homomorphic addition, though it requires careful integrity management. The achievable aggregation depth and cipher extension depend on the parameters $(n,c,q,s)$. The performance over very large matrices requires further optimization, and side channels (time measurements, cache) must be mitigated implementation-wise (constant-time arithmetic, no branching on secret bits, key rotation, audit).

Though these are the advantages, the scheme also has its own drawbacks. The scheme offers additive functionality and not extension of generality of the multiplicative operations. It is shown to be secure in the IND-CPA model and not extended to chosen-ciphertext resistance (CCA). Malleability is added only to enable homomorphic addition, but integrity management with care will be needed in the feature. Further, huge matrix sizes must have an efficiency-strengthened and robust defense at the implementation level against side-channel leakage (power, cache, timing).

These results agree with and suggest strong directions for further research. Future research will explore the matrix exponential and chains of commutator optimizations (such as parallelization or GPU acceleration), methods to increase the factor of ciphertext expansion, and constructing CCA-secure variants for scenarios in which homomorphism is undesirable. Further works will study controlled multiplicative gates of a bounded depth and construct formal reductions for the NCIP conjecture. Through the clear articulation of strengths and limitations, this paper lays a sound foundation for further development of Lie-theoretic homomorphic encryption to even more secure guarantees and further applicability.