The Paillier Cryptosystem is an asymmetric, additive homomorphic encryption scheme that allows the sum of encrypted values to be computed directly on ciphertexts, producing an encrypted result that, when decrypted, equals the sum of the original plaintexts. Invented by Pascal Paillier in 1999, its security relies on the decisional composite residuosity assumption, a computational problem related to factoring. This property makes it a cornerstone for secure aggregation in federated learning, where a server can combine client model updates without decrypting any individual contribution.
Glossary
Paillier Cryptosystem

What is the Paillier Cryptosystem?
A public-key cryptosystem enabling additive homomorphic operations, fundamental for privacy-preserving federated learning.
In practice, the scheme uses a public key for encryption and a private key for decryption. Its homomorphic property is expressed as E(m1) * E(m2) = E(m1 + m2), where E denotes encryption. This enables privacy-preserving computations like federated averaging. While highly efficient for addition and scalar multiplication, it does not natively support multiplication between ciphertexts, distinguishing it from Fully Homomorphic Encryption (FHE). It is often paired with techniques like secret sharing to provide robustness against client dropouts in production systems.
Key Features of the Paillier Cryptosystem
The Paillier cryptosystem is a probabilistic asymmetric encryption scheme that enables specific computations on encrypted data, making it a cornerstone of privacy-preserving machine learning.
Additive Homomorphism
The Paillier cryptosystem's defining property is its additive homomorphism. This allows the encrypted sum of two plaintexts to be computed directly from their ciphertexts, without decryption. Formally, given two ciphertexts Enc(m1) and Enc(m2), the product Enc(m1) * Enc(m2) mod n² decrypts to (m1 + m2) mod n. This enables secure aggregation of values, such as summing client model updates in federated learning, where only the combined total is revealed.
Semantic Security
Paillier encryption is semantically secure under the Decisional Composite Residuosity Assumption (DCRA). This means an adversary cannot learn any partial information about a plaintext from its ciphertext, even when given the public key. Security is achieved through probabilistic encryption: encrypting the same message multiple times yields different, computationally indistinguishable ciphertexts due to the use of a random blinding factor r. This prevents frequency analysis and chosen-plaintext attacks.
Scalar Multiplication Homomorphism
Beyond simple addition, Paillier supports scalar multiplication on ciphertexts. Given a ciphertext Enc(m) and a known integer k, raising the ciphertext to the power of k (Enc(m)^k mod n²) decrypts to the product k * m mod n. This allows a central server to perform weighted averaging in federated learning by multiplying encrypted client updates by a known scalar (e.g., based on dataset size) before secure summation, all while the data remains encrypted.
Self-Blinding Property
A unique feature is the self-blinding property. Any valid ciphertext can be transformed into another, different ciphertext that decrypts to the same plaintext. This is done by multiplying the ciphertext by an encryption of zero (Enc(0)). This property is crucial for ciphertext refreshment in multi-round protocols, allowing ciphertexts to be re-randomized to prevent linkage attacks across protocol rounds without changing the underlying plaintext value.
Threshold Decryption Variant
Standard Paillier uses a single private key for decryption. A threshold variant distributes the decryption capability among multiple parties. The private key is secret-shared among n parties, and a predefined threshold t of them must collaborate to decrypt a ciphertext. No single party holds the full key. This enhances security in distributed systems like secure aggregation, preventing any single aggregator from unilaterally decrypting individual client contributions.
Computational Overhead & Practical Use
Paillier operations are computationally intensive compared to symmetric encryption. Key characteristics:
- Ciphertext Expansion: Plaintexts are modulo
n, while ciphertexts are modulon², leading to a 2x expansion in size. - Performance: Encryption and decryption involve modular exponentiation with large numbers (typically 2048-bit or larger
n). - Application: Its primary use is in secure multi-party computation (MPC) and federated learning for secure summation, where the computational cost is justified by the strong privacy guarantee. It is often combined with differential privacy for layered protection.
Paillier vs. Other Privacy Technologies
A feature comparison of the Paillier cryptosystem against other cryptographic primitives commonly used for privacy-preserving machine learning and secure aggregation.
| Cryptographic Feature / Property | Paillier Cryptosystem | Secure Multi-Party Computation (MPC) | Differential Privacy (DP) | Trusted Execution Environment (TEE) |
|---|---|---|---|---|
Core Privacy Mechanism | Additive Homomorphic Encryption | Cryptographic secret sharing & garbled circuits | Mathematical noise injection | Hardware-enforced isolation (enclaves) |
Data Exposure During Computation | None (operations on ciphertext) | None (only final output revealed) | Bounded information leakage (ε) | None (data decrypted only inside secure enclave) |
Supported Operations | Unbounded additions; single multiplication by plaintext constant | Arbitrary functions (addition, multiplication, comparisons) | Aggregation & statistical queries | Arbitrary computations (full program execution) |
Communication Rounds for Secure Sum | 1 (non-interactive) | ≥ 2 (interactive protocol required) | 1 (non-interactive, after local perturbation) | 1 (non-interactive, after data enters enclave) |
Formal Privacy Guarantee | Semantic security (IND-CPA) | Information-theoretic or computational security | Rigorous (ε, δ)-differential privacy | Hardware/trust model security |
Resilience to Client Dropout in Aggregation | ||||
Post-Quantum Security | Varies (some lattice-based MPC is PQ) | Depends on enclave attestation crypto | ||
Primary Threat Model Mitigated | Honest-but-curious server | Malicious participants (up to threshold) | Inference from aggregated outputs | Malicious host OS & software |
Computational Overhead | High (public-key operations per value) | Very High (interactive protocols, network latency) | Low (local noise addition) | Moderate (enclave context switches, memory encryption) |
Bandwidth Overhead | High (ciphertext expansion ~2-4x plaintext) | Extremely High (constant communication rounds) | Low (perturbed data same size as original) | Low (encrypted data transmission to enclave) |
Hardware/Trust Requirements | None (pure cryptography) | None (pure cryptography) | None (pure mathematics) | Required (specific CPU features e.g., Intel SGX, AMD SEV) |
Ideal Use Case in Federated Learning | Non-interactive secure summation of model updates | Complex joint computations (e.g., secure comparisons, model evaluation) | Limiting memorization of training data in final model | Protecting aggregation logic and model weights from cloud provider |
Frequently Asked Questions
The Paillier cryptosystem is a foundational public-key encryption scheme enabling secure, privacy-preserving computations, particularly for federated learning and secure aggregation. These FAQs address its core mechanisms, security, and practical applications.
The Paillier cryptosystem is an additive homomorphic encryption scheme that allows computations to be performed on encrypted data. It is a public-key cryptosystem where anyone can encrypt data using a public key, but only the holder of the corresponding private key can decrypt it. Its core homomorphic property is that the product of two ciphertexts decrypts to the sum of their corresponding plaintexts: Decrypt(Encrypt(m1) * Encrypt(m2)) = m1 + m2. This enables a server to aggregate encrypted client updates in federated learning without ever decrypting individual contributions.
Key Generation:
- Choose two large primes,
pandq. - Compute
n = p * qandλ = lcm(p-1, q-1). - Select a generator
g(typicallyg = n + 1). - The public key is
(n, g). - The private key is
(λ, μ)whereμis the modular multiplicative inverse of a function ofgandλ.
Encryption:
For a message m (an integer modulo n), select a random r.
The ciphertext is computed as: c = g^m * r^n mod n^2.
Decryption:
Given ciphertext c, the plaintext is recovered using the private key: m = L(c^λ mod n^2) * μ mod n, where L(u) = (u-1)/n.
This structure directly enables the additive homomorphism, making it a cornerstone for secure multi-party computation and privacy-preserving machine learning.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The Paillier Cryptosystem is a foundational component within a broader ecosystem of cryptographic primitives and protocols designed for privacy-preserving computation. These related concepts are essential for designing and implementing secure federated learning systems.
Homomorphic Encryption
Homomorphic Encryption is a cryptographic paradigm that allows computations to be performed directly on encrypted data. The Paillier scheme is a specific type known as additive homomorphic encryption, where the product of two ciphertexts decrypts to the sum of their corresponding plaintexts. This property is the core enabler for secure aggregation in federated learning, as the server can sum encrypted model updates without decrypting them first. Other forms include:
- Somewhat Homomorphic Encryption (SHE): Supports a limited number of operations.
- Fully Homomorphic Encryption (FHE): Supports an unlimited number of arbitrary computations (addition and multiplication) but with significantly higher computational overhead than Paillier.
Secure Multi-Party Computation (MPC)
Secure Multi-Party Computation is a broader cryptographic subfield that enables multiple parties to jointly compute a function over their private inputs while revealing only the final output. Secure aggregation in federated learning is a specific instance of an MPC problem. While Paillier provides a solution using public-key cryptography, MPC often employs different techniques like secret sharing and garbled circuits. Key distinctions include:
- Trust Model: MPC protocols often assume no single trusted party, whereas Paillier-based aggregation typically involves a central (but untrusted) server.
- Interaction: MPC protocols can be highly interactive, requiring multiple communication rounds between parties.
- Flexibility: MPC can compute arbitrary functions, while Paillier natively supports only addition.
Differential Privacy
Differential Privacy is a rigorous mathematical framework for quantifying and limiting the privacy loss incurred by an individual when their data is included in an analysis. It is often used in conjunction with cryptographic techniques like Paillier. In a federated learning pipeline:
- Paillier provides input privacy, ensuring the server never sees a client's raw model update.
- Differential Privacy (often via the Gaussian Mechanism) provides output privacy, adding calibrated noise to the aggregated model update before it is released, bounding the influence of any single client's data. This combination defends against privacy attacks that might leverage the final model parameters.
Learning With Errors (LWE)
Learning With Errors is a foundational computational problem in lattice-based cryptography. Its conjectured hardness forms the security basis for many post-quantum cryptographic schemes, including modern Fully Homomorphic Encryption systems like CKKS and BFV. While the original Paillier cryptosystem is based on the composite residuosity assumption and is vulnerable to quantum attacks via Shor's algorithm, LWE-based constructions are believed to be quantum-resistant. For long-term security in federated learning systems, LWE-based homomorphic encryption is a leading candidate to eventually replace or complement classical schemes like Paillier.
Additive Secret Sharing
Additive Secret Sharing is a lightweight cryptographic technique where a secret value (e.g., a model update) is split into multiple shares that sum to the original secret. No subset of shares reveals any information about the secret unless all are combined. This is a core mechanism in many Secure Multi-Party Computation-based secure aggregation protocols (like the Bonawitz Protocol), as an alternative to Paillier. Advantages include:
- Information-theoretic security: Security based on randomness, not computational assumptions.
- Efficiency: Often faster than public-key operations.
- Dropout Resilience: Protocols can be designed so that shares from dropped clients can be canceled out.
Trusted Execution Environment (TEE)
A Trusted Execution Environment is a secure, isolated area within a main processor (e.g., Intel SGX, AMD SEV) that guarantees the confidentiality and integrity of code and data loaded inside it. TEEs offer a hardware-based alternative to cryptographic protocols for secure aggregation. In this paradigm, client updates are sent encrypted to the server and are only decrypted and aggregated inside the secure enclave, invisible to the host operating system. Compared to Paillier:
- Performance: Can be faster for complex aggregation functions.
- Functionality: Supports arbitrary computations, not just addition.
- Trust Model: Shifts trust from cryptographic hardness to the hardware manufacturer and the enclave's attestation mechanism.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us