Additive Homomorphic Encryption (AHE) is a cryptographic scheme where an operation on ciphertexts corresponds to the addition of the underlying plaintexts. Formally, given ciphertexts c1 = Enc(m1) and c2 = Enc(m2), there exists an operation ⊕ such that Dec(c1 ⊕ c2) = m1 + m2. This property allows a central server to compute the sum of client-submitted model updates while the individual contributions remain encrypted and inaccessible.
Glossary
Additive Homomorphic Encryption (AHE)

What is Additive Homomorphic Encryption (AHE)?
Additive Homomorphic Encryption (AHE) is a form of encryption that allows the direct computation of the sum of plaintexts by performing an operation on their corresponding ciphertexts, enabling a server to aggregate encrypted updates without decrypting them.
In the context of secure aggregation protocols, AHE provides an alternative to pairwise masking by shifting the cryptographic burden to the client. Each client encrypts its gradient update with a public key, and the server homomorphically sums all ciphertexts before requesting a threshold decryption. The Paillier cryptosystem is the most common instantiation, offering semantic security based on the decisional composite residuosity assumption. Unlike secret-sharing approaches, AHE simplifies dropout resilience since the server only needs the aggregate ciphertext, but it introduces higher computational overhead per client.
Key Properties of AHE
Additive Homomorphic Encryption (AHE) is defined by a set of mathematical properties that enable computation on ciphertexts. These properties make it a fundamental building block for privacy-preserving protocols like secure aggregation.
The Additive Homomorphism
The core property: Dec(Enc(m₁) ⊗ Enc(m₂)) = m₁ + m₂. There exists an operation ⊗ on ciphertexts that, when applied, produces a new ciphertext decrypting to the sum of the original plaintexts. The server never sees m₁ or m₂, only their encrypted forms and the encrypted sum.
- Example: A server holding
Enc(5)andEnc(3)can computeEnc(8)without ever decrypting. - Mechanism: Typically based on the Decisional Diffie-Hellman assumption in groups where the discrete log is hard.
Scalar Multiplication
AHE schemes inherently support scalar multiplication: multiplying a ciphertext by a known plaintext constant k yields an encryption of k * m. This is derived from repeated application of the additive homomorphism.
- Formula: Dec(Enc(m)ᵏ) = k * m
- Use Case: Computing weighted averages in federated learning, where each client's update is scaled by its dataset size before aggregation.
- Limitation: This is multiplication by a known constant, not multiplication of two encrypted values.
Semantic Security (IND-CPA)
AHE schemes must be semantically secure (IND-CPA): an adversary cannot distinguish between encryptions of two chosen plaintexts. This implies probabilistic encryption—encrypting the same message twice produces different ciphertexts.
- Mechanism: Achieved by injecting a random nonce or blinding factor during encryption.
- Critical Implication: Prevents dictionary attacks. An eavesdropper seeing
Enc(0)andEnc(1)cannot tell them apart, protecting model update values in transit.
Malleability by Design
AHE is malleable—a feature, not a bug. An adversary can transform Enc(m) into Enc(m + x) without decryption. This is the intended functionality for secure aggregation.
- Risk: In isolation, malleability enables chosen-ciphertext attacks.
- Mitigation: Secure aggregation protocols combine AHE with zero-knowledge proofs or authenticated encryption on the communication channel to ensure ciphertexts are only manipulated by the legitimate aggregator according to protocol rules.
Partial Homomorphism vs. Fully Homomorphic
AHE is a partially homomorphic encryption (PHE) scheme. It supports only one operation (addition) an unlimited number of times.
- AHE (Additive): Unlimited additions. Examples: Paillier, Exponential ElGamal.
- MHE (Multiplicative): Unlimited multiplications. Example: RSA (unpadded).
- FHE (Fully Homomorphic): Supports both additions and multiplications, enabling arbitrary circuits. Examples: CKKS, TFHE. FHE is far more computationally expensive than AHE.
- Trade-off: AHE is lightweight and practical for aggregation; FHE is heavy but enables private inference.
Common AHE Schemes
Two primary constructions dominate practical use:
- Paillier Cryptosystem: Based on the Composite Residuosity Class Problem. Provides additive homomorphism over integers modulo
n. Ciphertext expansion is 2x the plaintext size. - Exponential ElGamal: A variant of standard ElGamal where encryption encodes
gᵐinstead ofm. Homomorphic addition computesg^(m₁+m₂). Decryption requires solving a discrete logarithm, limiting it to small message spaces (e.g., 32-bit values).
Both are quantum-vulnerable; post-quantum AHE based on Learning With Errors (LWE) is an active research area.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about how additive homomorphic encryption enables private computation on encrypted data.
Additive homomorphic encryption (AHE) is a cryptographic scheme that allows the direct computation of the sum of plaintexts by performing an operation on their corresponding ciphertexts, without ever decrypting the individual values. The core mechanism relies on a mathematical property where Enc(m1) ⊗ Enc(m2) = Enc(m1 + m2), with ⊗ representing a specific algebraic operation on ciphertexts. The most well-known example is the Paillier cryptosystem, where multiplying two ciphertexts modulo n² yields a ciphertext encrypting the sum of the plaintexts. This property enables a server to aggregate encrypted model updates from multiple clients in a federated learning setting, computing the global sum while remaining completely blind to individual contributions. Unlike fully homomorphic encryption, AHE supports only addition operations, making it computationally efficient and practical for secure aggregation protocols.
Applications of AHE in Machine Learning
Additive Homomorphic Encryption (AHE) enables computation directly on encrypted data, unlocking privacy-preserving workflows where a server can aggregate sensitive values without ever seeing the raw inputs.
Federated Learning Gradient Aggregation
The primary use case for AHE in ML. Each client encrypts their local model update (gradient vector) using the server's public key. The server performs homomorphic addition on all ciphertexts to compute the encrypted global sum, then decrypts only the final aggregate. This ensures the server never inspects any individual client's contribution, defending against gradient leakage attacks that can reconstruct private training data from raw updates.
Private Set Intersection Cardinality
AHE allows two organizations to compute the size of the overlap between their datasets without revealing the actual intersecting elements or any non-matching records. Each party encrypts their set elements, the other party homomorphically computes a polynomial evaluation, and the result reveals only the intersection count. This is critical for healthcare informatics and fraud detection consortia where revealing raw identifiers is prohibited by regulation.
Encrypted Statistical Aggregation
Beyond ML training, AHE enables privacy-safe computation of basic statistics on distributed sensitive data:
- Encrypted Sum: Total revenue across competing business units without exposing individual unit performance.
- Encrypted Average: Compute the mean of patient vitals across hospitals by homomorphically summing encrypted values and dividing the decrypted total by the known count.
- Encrypted Variance: Two-pass protocols using AHE for sums of squares enable private standard deviation calculations.
Secure Electronic Voting
AHE forms the cryptographic backbone of privacy-preserving voting systems. Each vote is encrypted as a 0 or 1 (or a more complex preference vector) using an additively homomorphic scheme. The tallying authority sums all ciphertexts homomorphically and decrypts only the final total. This guarantees ballot secrecy while enabling public verifiability of the count. Threshold decryption ensures no single authority can decrypt individual votes.
Privacy-Preserving Recommendation Systems
AHE enables a recommendation server to compute user-item preference scores without learning the user's rating history. The user encrypts their rating vector, the server holds the item matrix in plaintext, and performs homomorphic dot products to generate encrypted recommendation scores. Only the user can decrypt the final result. This prevents the service provider from building shadow profiles on user behavior.
Confidential Cloud Inference
AHE can be combined with other techniques for private neural network inference. While fully homomorphic encryption (FHE) is often too slow for entire networks, AHE is efficient for the linear layers (fully connected and convolutional layers where operations are additions and scalar multiplications). The client encrypts their input, the cloud computes the linear transformations homomorphically, and the client decrypts the output. Non-linear activations are handled client-side or via secure multi-party computation.
AHE vs. Other Homomorphic Encryption Schemes
Comparison of additive homomorphic encryption with other homomorphic encryption schemes across key cryptographic and operational dimensions.
| Feature | Additive HE (AHE) | Partially HE (PHE) | Fully HE (FHE) |
|---|---|---|---|
Supported operations | Addition only | Addition or multiplication (not both) | Addition and multiplication (unlimited) |
Computational depth | Unlimited additions | Unlimited for single operation | Unlimited for both operations |
Ciphertext size overhead | 2-4x plaintext | 2-8x plaintext | 10,000-1,000,000x plaintext |
Encryption time | < 1 ms | < 5 ms | 100 ms - 10 sec |
Homomorphic addition time | < 1 µs | < 10 µs | 1-100 ms |
Homomorphic multiplication time | < 10 µs | 100 ms - 10 sec | |
Post-quantum security | |||
Production maturity |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Additive Homomorphic Encryption (AHE) is a foundational building block for privacy-preserving computation. The following concepts form the ecosystem of cryptographic tools and protocols that leverage, extend, or complement AHE in secure aggregation workflows.
Paillier Cryptosystem
The most widely implemented partially homomorphic encryption scheme for additive operations. Paillier provides semantic security based on the decisional composite residuosity assumption. Its key property is the homomorphic addition of plaintexts through multiplication of ciphertexts: E(m1) * E(m2) = E(m1 + m2).
- Key sizes: Typically 2048-4096 bits for production security
- Expansion factor: Ciphertext is 2x the modulus size
- Performance: Encryption requires modular exponentiation; decryption uses the Carmichael function
- Common use: Federated learning aggregation where a server sums encrypted model weight updates without decryption
Secret Sharing
A cryptographic method that splits a secret value into shares distributed among participants. The secret can only be reconstructed when a threshold of shares is combined. In secure aggregation, secret sharing provides dropout resilience—the sum can still be computed even if some clients disconnect.
- Additive secret sharing: Splits a value
xinto random sharesx1 + x2 = x - Threshold schemes: Require
tofnshares for reconstruction - Information-theoretic security: No computational assumptions required
- Integration with AHE: Shares can be encrypted under AHE for layered protection against collusion
Secure Aggregation (SecAgg)
A protocol enabling a central server to compute the sum of model updates from multiple clients without inspecting any individual contribution. SecAgg combines pairwise masking, secret sharing, and key agreement to ensure that individual updates remain hidden while the aggregate is revealed.
- Threat model: Semi-honest server that follows protocol but attempts to learn individual updates
- Dropout handling: Survives up to a configurable fraction of client dropouts per round
- Communication complexity: O(n²) in naive implementations; optimized to O(n log n) with sparse random graphs
- Relationship to AHE: AHE provides an alternative cryptographic path to the same goal—summing without revealing—but with different trust assumptions and computational trade-offs
Pairwise Masking
A technique where each pair of clients agrees on a shared secret mask using Diffie-Hellman key agreement. Client i adds masks for all pairs where i < j and subtracts masks where i > j. When all updates are summed, the masks cancel out exactly, revealing only the aggregate.
- Key exchange: Each pair performs an ephemeral Diffie-Hellman handshake
- Mask generation: Shared secrets are expanded using a Pseudorandom Generator (PRG)
- Dropout recovery: If a client drops, its pairwise masks would corrupt the sum—secret sharing of seeds enables reconstruction
- Synergy with AHE: Pairwise masking provides information-theoretic hiding; AHE provides cryptographic hiding. They can be composed for defense-in-depth
Threshold Encryption
A public-key encryption scheme where the private decryption key is split among multiple parties. A ciphertext can only be decrypted when a threshold number of parties cooperate. This prevents any single entity—including the server—from decrypting individual contributions.
- Key generation: Distributed protocol produces shares of the secret key; no single party ever holds the full key
- Decryption: Each party produces a decryption share; combining
tshares reconstructs the plaintext - Use with AHE: Clients encrypt updates under a threshold public key; the server aggregates ciphertexts homomorphically; a quorum of trustees decrypts only the final sum
- Lattice-based constructions: Threshold variants of Learning With Errors (LWE) schemes provide post-quantum security
Gradient Leakage Prevention
The primary threat that AHE and secure aggregation defend against. Gradient leakage attacks analyze shared model updates to reconstruct private training data. An adversary with access to individual gradients can recover pixel-accurate images or verbatim text from training batches.
- Deep Leakage from Gradients (DLG): Iteratively optimizes dummy inputs to match observed gradients
- Inverting Gradients: Recovers high-fidelity images from ResNet and Vision Transformer gradients
- Defense stacking: AHE prevents the server from seeing individual gradients; gradient clipping and differential privacy bound what can leak even if encryption fails
- Provable guarantee: AHE provides cryptographic (not statistical) privacy—the server learns nothing about individual updates beyond what the aggregate reveals

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us