Partially Homomorphic Encryption (PHE) is a form of encryption that allows a specific mathematical operation to be performed on ciphertexts, generating an encrypted result that, when decrypted, matches the outcome of that operation on the original plaintexts. Unlike Fully Homomorphic Encryption (FHE), a PHE scheme is restricted to a single algebraic function, such as only addition in the Paillier cryptosystem or only multiplication in the RSA cryptosystem. This limitation makes PHE schemes computationally lightweight and practical for targeted applications like encrypted aggregation and private voting.
Glossary
Partially Homomorphic Encryption (PHE)

What is Partially Homomorphic Encryption (PHE)?
Partially Homomorphic Encryption (PHE) is a cryptographic scheme that permits unbounded computation of a single operation type—either addition or multiplication—directly on ciphertexts, enabling specific privacy-preserving computations without exposing raw data.
The primary utility of PHE lies in its efficiency for specialized privacy-preserving protocols. An additively homomorphic scheme enables a server to sum encrypted financial values or aggregate model updates in federated learning without accessing individual contributions. Conversely, a multiplicatively homomorphic scheme allows for blinded multiplication. Because these schemes do not require the complex noise management of bootstrapping or modulus switching, they offer low ciphertext expansion and high throughput, making them a pragmatic choice for production systems requiring only unidirectional computation on encrypted data.
Key Characteristics of PHE
Partially Homomorphic Encryption (PHE) is defined by its operational constraint: it supports unbounded computation for a single arithmetic operation. This specialization yields high efficiency and simple security proofs, making it ideal for specific privacy-preserving aggregation and multiplication tasks.
Single-Operation Constraint
PHE schemes are cryptographically restricted to evaluating either addition or multiplication on ciphertexts, but not both. This fundamental limitation distinguishes them from Fully Homomorphic Encryption (FHE).
- Additive PHE (e.g., Paillier): Allows
Enc(a) + Enc(b) = Enc(a+b). - Multiplicative PHE (e.g., ElGamal): Allows
Enc(a) * Enc(b) = Enc(a*b). - Attempting the unsupported operation results in a non-decryptable ciphertext or a random value.
Unbounded Homomorphic Depth
Unlike Somewhat Homomorphic Encryption (SWHE), PHE schemes do not suffer from a strict noise budget that limits the number of sequential operations. You can perform an arbitrary number of the supported operation without corrupting the ciphertext.
- An additive PHE scheme can sum millions of encrypted values without decryption failure.
- This property is critical for encrypted aggregation in federated learning and secure voting.
High Computational Efficiency
Because PHE avoids the costly noise management techniques required by FHE—such as bootstrapping and relinearization—it is orders of magnitude faster. Ciphertext sizes are also significantly smaller.
- Paillier addition is a modular multiplication, making it practical for real-time systems.
- ElGamal multiplication is a group exponentiation, far lighter than lattice-based FHE operations.
- This efficiency makes PHE deployable on standard hardware without specialized accelerators.
Classic Security Foundations
Most PHE schemes rely on well-understood, hard mathematical problems that predate the lattice-based cryptography dominating modern FHE. This provides a long track record of cryptanalysis.
- Paillier is based on the Decisional Composite Residuosity Assumption (DCRA).
- ElGamal is based on the Decisional Diffie-Hellman (DDH) assumption.
- RSA (multiplicative PHE) is based on the integer factorization problem.
- These schemes are not inherently post-quantum secure, unlike lattice-based FHE.
Practical Encrypted Aggregation
The primary real-world application of additive PHE is securely computing the sum of encrypted values without revealing individual contributions. This is the backbone of privacy-preserving analytics.
- Federated Learning: A server aggregates encrypted model updates from clients using Secure Aggregation protocols built on Paillier.
- Private Billing: Smart meters can sum encrypted consumption data without exposing granular usage patterns.
- E-Voting: Ballots are encrypted additively to tally results while preserving voter anonymity.
IND-CPA Semantic Security
Standard PHE schemes provide Indistinguishability under Chosen-Plaintext Attack (IND-CPA). This guarantees that an adversary cannot distinguish between the encryptions of two different messages, even if they can choose the plaintexts.
- This is achieved through probabilistic encryption, where the same plaintext encrypts to different ciphertexts each time.
- Paillier uses a random nonce
rduring encryption:c = g^m * r^n mod n^2. - IND-CPA ensures that ciphertexts reveal zero information about the underlying data.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about partially homomorphic encryption (PHE) schemes, their operational constraints, and their role in privacy-preserving machine learning.
Partially homomorphic encryption (PHE) is a cryptographic scheme that permits unlimited computation of a single type of operation—either addition or multiplication—directly on ciphertexts without requiring decryption. Unlike fully homomorphic encryption (FHE), which supports arbitrary circuits, a PHE scheme is algebraically homomorphic with respect to only one operation. For example, the Paillier cryptosystem supports additive homomorphism, meaning Enc(a) ⊗ Enc(b) = Enc(a + b), while the ElGamal and RSA schemes support multiplicative homomorphism, where Enc(a) ⊗ Enc(b) = Enc(a × b). This structural limitation makes PHE schemes significantly more computationally efficient than FHE, as they avoid the complex noise management and bootstrapping procedures required for universal computation. In privacy-preserving machine learning, additive PHE is frequently used for secure aggregation of model updates in federated learning, where a central server needs to sum encrypted gradient vectors from multiple clients without inspecting individual contributions.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Partially Homomorphic Encryption (PHE) is a foundational primitive. Understanding its relationship to more advanced schemes and the core components of the cryptosystem is essential for selecting the right privacy tool.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us