
Paillier Homomorphic Encryption

Updated 28 January 2026
  • Paillier homomorphic encryption is a public-key cryptosystem based on composite residuosity that supports additive operations on ciphertexts.
  • It employs efficient modular arithmetic and exponentiation, facilitating applications like secure aggregation, biometric matching, and federated learning.
  • Current research focuses on efficiency improvements, key size reduction, and extending support for non-linear operations while preserving exact arithmetic.

Paillier homomorphic encryption is a seminal public-key cryptosystem based on composite residuosity and is notable for its additive homomorphic property. This allows for efficient arithmetic directly on ciphertexts, enabling privacy-preserving computations such as secure aggregation, biometric matching, and secret sharing. Designed in 1999, the Paillier scheme has become a foundational primitive for a range of cryptographic protocols and primitives, including secure multiparty computation, threshold cryptography, blind signatures, and homomorphic secret sharing.

1. Mathematical Construction and Cryptographic Primitives

The Paillier cryptosystem operates over the group of invertible elements modulo $n^2$, where $n = pq$ for large primes $p, q$ (Cao et al., 2015, Anselme, 2012, Acar et al., 2017, Nautsch et al., 2018, Serengil et al., 7 Mar 2025, Deng et al., 2024, Yang et al., 2020). Key generation, encryption, and decryption procedures are as follows:

  • Key Generation

    1. Select large primes $p, q$ (typically 1024–2048 bits for security).
    2. Compute the modulus $n = p \cdot q$ and $\lambda = \mathrm{lcm}(p-1, q-1)$.
    3. Choose a generator $g \in \mathbb{Z}_{n^2}^*$ such that $\gcd(L(g^\lambda \bmod n^2), n) = 1$, where $L(u) = (u-1)/n$.
    4. Compute $\mu = (L(g^\lambda \bmod n^2))^{-1} \bmod n$.
    5. Public key: $(n, g)$; private key: $(\lambda, \mu)$.
  • Encryption

    • Plaintext $m \in \mathbb{Z}_n$, random $r \in \mathbb{Z}_n^*$.
    • Ciphertext: $c = g^m \cdot r^n \bmod n^2$.
  • Decryption

    • Compute $u = c^\lambda \bmod n^2$.
    • Recover $m = L(u) \cdot \mu \bmod n$.

These steps are consistent across academic presentations, implementations, and engineering optimizations (Acar et al., 2017, Yang et al., 2020, Serengil et al., 7 Mar 2025).

2. Additive Homomorphism and Algebraic Laws

Paillier’s critical property is its support for homomorphic addition:

  • Additive Homomorphism: For ciphertexts $c_1 = E(m_1; r_1)$, $c_2 = E(m_2; r_2)$,

$$c_1 \cdot c_2 \bmod n^2 = E(m_1 + m_2;\, r_1 r_2)$$

This enables the sum of plaintexts to be evaluated by multiplying ciphertexts (Cao et al., 2015, Acar et al., 2017, Anselme, 2012).

  • Scalar Multiplication: Raising a ciphertext to an integer power $k$ yields

$$E(m; r)^k = E(k \cdot m;\, r^k)$$

This supports linear aggregate operations and enables implementations such as encrypted dot products, as used in privacy-preserving vector similarity computations (Serengil et al., 7 Mar 2025, Nautsch et al., 2018).

  • These properties require only group operations modulo $n^2$ and exponentiations, making the scheme attractive for secure arithmetic over encrypted data.
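The key generation, encryption and decryption steps of Section 1 and the two algebraic laws above, worked through in an added textbook implementation (not code from the page or any cited paper). It uses toy-sized primes, the common generator choice $g = n + 1$ (an assumption of this example; any $g$ satisfying the gcd condition works), and builds an encrypted dot product from the addition and scalar-multiplication laws; the re-randomisation helper shows why two encryptions of the same plaintext are unlinkable.

```python
# Added example (not from the page's sources): textbook Paillier over toy primes.
import math
import secrets

def L(u, n):
    """Paillier's L function, L(u) = (u - 1) / n; exact whenever u = 1 mod n."""
    return (u - 1) // n

def keygen(p, q):
    """Return ((n, g), (lam, mu)); g = n + 1 is the common generator choice (assumed here)."""
    if p == q or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes must be distinct and n coprime to phi(n)")
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1                                   # gives gcd(L(g^lam mod n^2), n) = 1
    mu = pow(L(pow(g, lam, n * n), n), -1, n)   # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)

def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 for m in Z_n; r is drawn from Z_n^* unless supplied."""
    n, g = pk
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    """m = L(c^lam mod n^2) * mu mod n."""
    (n, _), (lam, mu) = pk, sk
    return (L(pow(c, lam, n * n), n) * mu) % n

def add(pk, c1, c2):
    """E(m1; r1) * E(m2; r2) mod n^2 = E(m1 + m2; r1 r2)."""
    return (c1 * c2) % (pk[0] ** 2)

def scalar_mul(pk, c, k):
    """E(m; r)^k mod n^2 = E(k m; r^k)."""
    return pow(c, k, pk[0] ** 2)

def rerandomize(pk, c):
    """Self-blinding: multiplying by a fresh E(0) changes c but not the plaintext."""
    return add(pk, c, encrypt(pk, 0))

def encrypted_dot(pk, enc_vec, plain_vec):
    """Dot product on ciphertexts only: prod E(v_i)^{w_i} = E(sum v_i w_i mod n)."""
    n = pk[0]
    acc = encrypt(pk, 0)                        # fresh E(0) re-randomises the output
    for c, w in zip(enc_vec, plain_vec):
        acc = add(pk, acc, scalar_mul(pk, c, w % n))
    return acc
```

Note that addition and the dot product wrap around modulo $n$, so a deployment must choose $n$ large enough that the true sum never exceeds it.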

3. Security Foundations and Complexity Assumptions

The scheme’s security relies on the composite residuosity problems:

  • Decisional Composite Residuosity Assumption (DCR): Given $n$ and $z \in \mathbb{Z}_{n^2}^*$, it is hard to decide whether $z$ is an $n$-th residue, i.e., whether $z = y^n \bmod n^2$ for some $y$ (Cao et al., 2015, Acar et al., 2017, Anselme, 2012).
  • Computational Composite Residuosity Assumption (CCRA): It is hard to compute $m$ from $w \equiv g^m y^n \pmod{n^2}$ without the private key.

Semantic security (IND-CPA) is equivalent to the DCR assumption (Cao et al., 2015). The encryption randomness $r$ ensures that identical plaintexts yield independent ciphertexts (self-blinding), enforcing unlinkability (Nautsch et al., 2018).

4. Practical Applications and Performance Considerations

Paillier HE is used extensively in privacy-preserving computational settings, due to its balance of efficiency, small key sizes, and exact computation (Serengil et al., 7 Mar 2025, Yang et al., 2020, Nautsch et al., 2018, Deng et al., 2024). Empirical evidence indicates:

  • Vector Similarity Search: Used for facial recognition and recommendation over encrypted embeddings; achieves negligible accuracy loss ($\approx 10^{-14}$ to $10^{-7}$), moderate throughput (e.g., encryption at $\approx 0.4$–$1.7$ it/s for 80–112-bit security and 128–4096-dimensional embeddings) with sub-MB key/ciphertext sizes (Serengil et al., 7 Mar 2025).
  • Federated Learning: Hardware-accelerated Paillier can reduce encryption time per iteration by up to 71% and overall iteration time by 26% in federated learning systems, outperforming CPU-based software by an order of magnitude (Yang et al., 2020).
  • Biometric Template Protection: Encrypted cosine and Euclidean similarity with Paillier HE preserves classifier performance while offering unlinkability and irreversibility (meeting ISO/IEC 24745 for biometric security) (Nautsch et al., 2018).
  • Homomorphic Secret Sharing (HSS): FastPaillier-based HSS such as MORSE supports linear and nonlinear computation, reducing communication costs by 16.6% and offering up to 9.3× speedup in secure multiplication compared to prior Paillier-based HSS (Deng et al., 2024).

Reported figures for 128-dimensional embeddings (Serengil et al., 7 Mar 2025):

| Security Level | Key Size | Embedding Size (128D) | Enc. Throughput (128D) | Hom. Throughput (128D) | Loss |
|---|---|---|---|---|---|
| 80 bits (1024-bit modulus) | 0.0015 MB | 0.1308 MB | 1.66 it/s | 8.07 it/s | $10^{-14}$ |
| 112 bits (2048-bit modulus) | 0.003 MB | 0.2559 MB | 0.40 it/s | 2.41 it/s | $10^{-14}$ |

Paillier’s small key and ciphertext sizes make it preferable for memory-constrained environments such as mobile and edge computing.

5. Protocol Adaptations and Cryptographic Extensions

Paillier's structure supports several higher-level protocols and variants:

  • Blind Signatures: Paillier naturally yields a trapdoor permutation, enabling blind signatures and one-wayness (Cao et al., 2015, Anselme, 2012).
  • Three-Pass Protocol: The addition law enables a “no-key” three-pass protocol where only the sender requires the private key; operation is based on Paillier's homomorphism rather than commutativity (Anselme, 2012).
  • BCP Double Trapdoor Variant: The Bresson–Catalano–Pointcheval scheme introduces independent trapdoors for recovering the randomness and the message, enabling robust threshold decryption and key splitting for cloud applications (Cao et al., 2015). The decryption shares are mutually independent and facilitate distributed or verifiable computation.
  • Homomorphic Secret Sharing: Protocols such as MORSE leverage Paillier additive homomorphism and efficient share–ciphertext conversion to support a full suite of arithmetic, including non-linear functions, with concrete speedups and reduced bandwidth (Deng et al., 2024).
  • Extensions: Damgård–Jurik generalizes to an $n^{k+1}$ modulus, Okamoto–Uchiyama modifies the modulus for efficiency, and elliptic-curve variants move the construction to new algebraic domains while preserving additive homomorphism (Cao et al., 2015, Acar et al., 2017).

6. Implementation and Hardware Acceleration

Efficient implementation of Paillier encryption is possible using modular exponentiation strategies (e.g., square-and-multiply), and modular multiplication is often optimized via Montgomery or Karatsuba methods (Yang et al., 2020). FPGA workflows utilize pipelined, resource-optimized cores, achieving per-operation costs close to theoretical minimums and supporting parallelism for batch cryptographic workloads. Key practicalities include:

  • Flexible core and batch sizing via OpenCL and HLS paradigms,
  • Parallel encryption/decryption for federated learning,
  • Clock frequencies in excess of $500$ MHz on contemporary FPGAs,
  • BRAM partitioning to manage operand storage and in-flight data transfers.

7. Security Analysis, Trade-Offs, and Research Directions

Security of Paillier HE derives directly from the DCR and CCRA assumptions. Fresh ciphertexts for identical plaintexts, unlinkability, and exact algebraic computation are realizable under standard parameter choices. However, scalability challenges can arise: ciphertext and communication sizes grow linearly with vector dimension in ML applications, and decryption throughput may be a limiting factor in resource-limited scenarios (Serengil et al., 7 Mar 2025). FHE alternatives (e.g., CKKS via TenSEAL) enable multiplicative depth, but with multi-megabyte keys and non-negligible computation error; Paillier remains preferable when exact arithmetic and memory efficiency are critical (Serengil et al., 7 Mar 2025, Deng et al., 2024).

Emergent research directions include further key size reductions, efficiency improvements (via variants like FastPaillier (Deng et al., 2024)), lightweight alternatives (Pan et al., 2023), and improved support for non-linear operations through cryptographic protocol adaptations.


References:

(Anselme, 2012, Cao et al., 2015, Acar et al., 2017, Serengil et al., 7 Mar 2025, Deng et al., 2024, Yang et al., 2020, Nautsch et al., 2018, Pan et al., 2023)
