Inferensys

Glossary

Paillier Cryptosystem

The Paillier Cryptosystem is an additive homomorphic public-key encryption scheme that allows computations (specifically addition) to be performed directly on encrypted data.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
SECURE AGGREGATION PROTOCOLS

What is the Paillier Cryptosystem?

A public-key cryptosystem enabling additive homomorphic operations, fundamental for privacy-preserving federated learning.

The Paillier Cryptosystem is an asymmetric, additive homomorphic encryption scheme that allows the sum of encrypted values to be computed directly on ciphertexts, producing an encrypted result that, when decrypted, equals the sum of the original plaintexts. Invented by Pascal Paillier in 1999, its security relies on the decisional composite residuosity assumption, a computational problem related to factoring. This property makes it a cornerstone for secure aggregation in federated learning, where a server can combine client model updates without decrypting any individual contribution.

In practice, the scheme uses a public key for encryption and a private key for decryption. Its homomorphic property is expressed as E(m1) * E(m2) = E(m1 + m2), where E denotes encryption. This enables privacy-preserving computations like federated averaging. While highly efficient for addition and scalar multiplication, it does not natively support multiplication between ciphertexts, distinguishing it from Fully Homomorphic Encryption (FHE). It is often paired with techniques like secret sharing to provide robustness against client dropouts in production systems.

CRYPTOGRAPHIC PRIMITIVES

Key Features of the Paillier Cryptosystem

The Paillier cryptosystem is a probabilistic asymmetric encryption scheme that enables specific computations on encrypted data, making it a cornerstone of privacy-preserving machine learning.

01

Additive Homomorphism

The Paillier cryptosystem's defining property is its additive homomorphism. This allows the encrypted sum of two plaintexts to be computed directly from their ciphertexts, without decryption. Formally, given two ciphertexts Enc(m1) and Enc(m2), the product Enc(m1) * Enc(m2) mod n² decrypts to (m1 + m2) mod n. This enables secure aggregation of values, such as summing client model updates in federated learning, where only the combined total is revealed.

02

Semantic Security

Paillier encryption is semantically secure under the Decisional Composite Residuosity Assumption (DCRA). This means an adversary cannot learn any partial information about a plaintext from its ciphertext, even when given the public key. Security is achieved through probabilistic encryption: encrypting the same message multiple times yields different, computationally indistinguishable ciphertexts due to the use of a random blinding factor r. This prevents frequency analysis and chosen-plaintext attacks.

03

Scalar Multiplication Homomorphism

Beyond simple addition, Paillier supports scalar multiplication on ciphertexts. Given a ciphertext Enc(m) and a known integer k, raising the ciphertext to the power of k (Enc(m)^k mod n²) decrypts to the product k * m mod n. This allows a central server to perform weighted averaging in federated learning by multiplying encrypted client updates by a known scalar (e.g., based on dataset size) before secure summation, all while the data remains encrypted.

04

Self-Blinding Property

A unique feature is the self-blinding property. Any valid ciphertext can be transformed into another, different ciphertext that decrypts to the same plaintext. This is done by multiplying the ciphertext by an encryption of zero (Enc(0)). This property is crucial for ciphertext refreshment in multi-round protocols, allowing ciphertexts to be re-randomized to prevent linkage attacks across protocol rounds without changing the underlying plaintext value.

05

Threshold Decryption Variant

Standard Paillier uses a single private key for decryption. A threshold variant distributes the decryption capability among multiple parties. The private key is secret-shared among n parties, and a predefined threshold t of them must collaborate to decrypt a ciphertext. No single party holds the full key. This enhances security in distributed systems like secure aggregation, preventing any single aggregator from unilaterally decrypting individual client contributions.

06

Computational Overhead & Practical Use

Paillier operations are computationally intensive compared to symmetric encryption. Key characteristics:

  • Ciphertext Expansion: Plaintexts are modulo n, while ciphertexts are modulo , leading to a 2x expansion in size.
  • Performance: Encryption and decryption involve modular exponentiation with large numbers (typically 2048-bit or larger n).
  • Application: Its primary use is in secure multi-party computation (MPC) and federated learning for secure summation, where the computational cost is justified by the strong privacy guarantee. It is often combined with differential privacy for layered protection.
CRYPTOGRAPHIC PROTOCOL COMPARISON

Paillier vs. Other Privacy Technologies

A feature comparison of the Paillier cryptosystem against other cryptographic primitives commonly used for privacy-preserving machine learning and secure aggregation.

Cryptographic Feature / PropertyPaillier CryptosystemSecure Multi-Party Computation (MPC)Differential Privacy (DP)Trusted Execution Environment (TEE)

Core Privacy Mechanism

Additive Homomorphic Encryption

Cryptographic secret sharing & garbled circuits

Mathematical noise injection

Hardware-enforced isolation (enclaves)

Data Exposure During Computation

None (operations on ciphertext)

None (only final output revealed)

Bounded information leakage (ε)

None (data decrypted only inside secure enclave)

Supported Operations

Unbounded additions; single multiplication by plaintext constant

Arbitrary functions (addition, multiplication, comparisons)

Aggregation & statistical queries

Arbitrary computations (full program execution)

Communication Rounds for Secure Sum

1 (non-interactive)

≥ 2 (interactive protocol required)

1 (non-interactive, after local perturbation)

1 (non-interactive, after data enters enclave)

Formal Privacy Guarantee

Semantic security (IND-CPA)

Information-theoretic or computational security

Rigorous (ε, δ)-differential privacy

Hardware/trust model security

Resilience to Client Dropout in Aggregation

Post-Quantum Security

Varies (some lattice-based MPC is PQ)

Depends on enclave attestation crypto

Primary Threat Model Mitigated

Honest-but-curious server

Malicious participants (up to threshold)

Inference from aggregated outputs

Malicious host OS & software

Computational Overhead

High (public-key operations per value)

Very High (interactive protocols, network latency)

Low (local noise addition)

Moderate (enclave context switches, memory encryption)

Bandwidth Overhead

High (ciphertext expansion ~2-4x plaintext)

Extremely High (constant communication rounds)

Low (perturbed data same size as original)

Low (encrypted data transmission to enclave)

Hardware/Trust Requirements

None (pure cryptography)

None (pure cryptography)

None (pure mathematics)

Required (specific CPU features e.g., Intel SGX, AMD SEV)

Ideal Use Case in Federated Learning

Non-interactive secure summation of model updates

Complex joint computations (e.g., secure comparisons, model evaluation)

Limiting memorization of training data in final model

Protecting aggregation logic and model weights from cloud provider

PAILLIER CRYPTOSYSTEM

Frequently Asked Questions

The Paillier cryptosystem is a foundational public-key encryption scheme enabling secure, privacy-preserving computations, particularly for federated learning and secure aggregation. These FAQs address its core mechanisms, security, and practical applications.

The Paillier cryptosystem is an additive homomorphic encryption scheme that allows computations to be performed on encrypted data. It is a public-key cryptosystem where anyone can encrypt data using a public key, but only the holder of the corresponding private key can decrypt it. Its core homomorphic property is that the product of two ciphertexts decrypts to the sum of their corresponding plaintexts: Decrypt(Encrypt(m1) * Encrypt(m2)) = m1 + m2. This enables a server to aggregate encrypted client updates in federated learning without ever decrypting individual contributions.

Key Generation:

  • Choose two large primes, p and q.
  • Compute n = p * q and λ = lcm(p-1, q-1).
  • Select a generator g (typically g = n + 1).
  • The public key is (n, g).
  • The private key is (λ, μ) where μ is the modular multiplicative inverse of a function of g and λ.

Encryption: For a message m (an integer modulo n), select a random r. The ciphertext is computed as: c = g^m * r^n mod n^2.

Decryption: Given ciphertext c, the plaintext is recovered using the private key: m = L(c^λ mod n^2) * μ mod n, where L(u) = (u-1)/n.

This structure directly enables the additive homomorphism, making it a cornerstone for secure multi-party computation and privacy-preserving machine learning.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.