Inferensys

Glossary

Partially Homomorphic Encryption (PHE)

Partially Homomorphic Encryption (PHE) is a cryptographic scheme that allows computation of only one operation type—addition or multiplication—directly on encrypted data without decryption.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PRIMITIVE

What is Partially Homomorphic Encryption (PHE)?

Partially Homomorphic Encryption (PHE) is a cryptographic scheme that permits unbounded computation of a single operation type—either addition or multiplication—directly on ciphertexts, enabling specific privacy-preserving computations without exposing raw data.

Partially Homomorphic Encryption (PHE) is a form of encryption that allows a specific mathematical operation to be performed on ciphertexts, generating an encrypted result that, when decrypted, matches the outcome of that operation on the original plaintexts. Unlike Fully Homomorphic Encryption (FHE), a PHE scheme is restricted to a single algebraic function, such as only addition in the Paillier cryptosystem or only multiplication in the RSA cryptosystem. This limitation makes PHE schemes computationally lightweight and practical for targeted applications like encrypted aggregation and private voting.

The primary utility of PHE lies in its efficiency for specialized privacy-preserving protocols. An additively homomorphic scheme enables a server to sum encrypted financial values or aggregate model updates in federated learning without accessing individual contributions. Conversely, a multiplicatively homomorphic scheme allows for blinded multiplication. Because these schemes do not require the complex noise management of bootstrapping or modulus switching, they offer low ciphertext expansion and high throughput, making them a pragmatic choice for production systems requiring only unidirectional computation on encrypted data.

FOUNDATIONAL PROPERTIES

Key Characteristics of PHE

Partially Homomorphic Encryption (PHE) is defined by its operational constraint: it supports unbounded computation for a single arithmetic operation. This specialization yields high efficiency and simple security proofs, making it ideal for specific privacy-preserving aggregation and multiplication tasks.

01

Single-Operation Constraint

PHE schemes are cryptographically restricted to evaluating either addition or multiplication on ciphertexts, but not both. This fundamental limitation distinguishes them from Fully Homomorphic Encryption (FHE).

  • Additive PHE (e.g., Paillier): Allows Enc(a) + Enc(b) = Enc(a+b).
  • Multiplicative PHE (e.g., ElGamal): Allows Enc(a) * Enc(b) = Enc(a*b).
  • Attempting the unsupported operation results in a non-decryptable ciphertext or a random value.
1
Supported Operation
02

Unbounded Homomorphic Depth

Unlike Somewhat Homomorphic Encryption (SWHE), PHE schemes do not suffer from a strict noise budget that limits the number of sequential operations. You can perform an arbitrary number of the supported operation without corrupting the ciphertext.

  • An additive PHE scheme can sum millions of encrypted values without decryption failure.
  • This property is critical for encrypted aggregation in federated learning and secure voting.
03

High Computational Efficiency

Because PHE avoids the costly noise management techniques required by FHE—such as bootstrapping and relinearization—it is orders of magnitude faster. Ciphertext sizes are also significantly smaller.

  • Paillier addition is a modular multiplication, making it practical for real-time systems.
  • ElGamal multiplication is a group exponentiation, far lighter than lattice-based FHE operations.
  • This efficiency makes PHE deployable on standard hardware without specialized accelerators.
ms
Typical Operation Latency
04

Classic Security Foundations

Most PHE schemes rely on well-understood, hard mathematical problems that predate the lattice-based cryptography dominating modern FHE. This provides a long track record of cryptanalysis.

  • Paillier is based on the Decisional Composite Residuosity Assumption (DCRA).
  • ElGamal is based on the Decisional Diffie-Hellman (DDH) assumption.
  • RSA (multiplicative PHE) is based on the integer factorization problem.
  • These schemes are not inherently post-quantum secure, unlike lattice-based FHE.
05

Practical Encrypted Aggregation

The primary real-world application of additive PHE is securely computing the sum of encrypted values without revealing individual contributions. This is the backbone of privacy-preserving analytics.

  • Federated Learning: A server aggregates encrypted model updates from clients using Secure Aggregation protocols built on Paillier.
  • Private Billing: Smart meters can sum encrypted consumption data without exposing granular usage patterns.
  • E-Voting: Ballots are encrypted additively to tally results while preserving voter anonymity.
06

IND-CPA Semantic Security

Standard PHE schemes provide Indistinguishability under Chosen-Plaintext Attack (IND-CPA). This guarantees that an adversary cannot distinguish between the encryptions of two different messages, even if they can choose the plaintexts.

  • This is achieved through probabilistic encryption, where the same plaintext encrypts to different ciphertexts each time.
  • Paillier uses a random nonce r during encryption: c = g^m * r^n mod n^2.
  • IND-CPA ensures that ciphertexts reveal zero information about the underlying data.
PARTIALLY HOMOMORPHIC ENCRYPTION

Frequently Asked Questions

Clear, technically precise answers to the most common questions about partially homomorphic encryption (PHE) schemes, their operational constraints, and their role in privacy-preserving machine learning.

Partially homomorphic encryption (PHE) is a cryptographic scheme that permits unlimited computation of a single type of operation—either addition or multiplication—directly on ciphertexts without requiring decryption. Unlike fully homomorphic encryption (FHE), which supports arbitrary circuits, a PHE scheme is algebraically homomorphic with respect to only one operation. For example, the Paillier cryptosystem supports additive homomorphism, meaning Enc(a) ⊗ Enc(b) = Enc(a + b), while the ElGamal and RSA schemes support multiplicative homomorphism, where Enc(a) ⊗ Enc(b) = Enc(a × b). This structural limitation makes PHE schemes significantly more computationally efficient than FHE, as they avoid the complex noise management and bootstrapping procedures required for universal computation. In privacy-preserving machine learning, additive PHE is frequently used for secure aggregation of model updates in federated learning, where a central server needs to sum encrypted gradient vectors from multiple clients without inspecting individual contributions.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.