Paillier homomorphic addition demo

A tiny, educational Paillier demo showing additively homomorphic encryption with toy parameters.

Educational only - not production crypto

This demo uses tiny numbers and a toy Paillier-like setup so you can see homomorphic addition in action. It is not secure and should never be used for real data.

What this is

A toy Paillier encryption demo that shows additively homomorphic computation: encrypted numbers can be combined without revealing plaintext. The math is intentionally tiny so you can inspect each step.

Who it's for

  • Engineers who want an intuition for encrypted computation.
  • Builders exploring privacy-preserving analytics ideas.
  • Students learning modern cryptography concepts.

Builder notes

This lab is intentionally practical: run one simple example, inspect the math, then change parameters and observe what moves.

  • Start with small values and confirm decrypted sums are correct.
  • Enable intermediate steps and map each line to the formulas below.
  • Randomize primes and compare how ciphertext values change.

Learning resources

These are background references; this lab stays toy-sized and browser-local.

Add two integers without revealing them

Your browser encrypts each value, a simulated server multiplies ciphertexts, and the browser decrypts the sum.

The demo displays four values:

  • Ciphertext A
  • Ciphertext B
  • Server sum (ciphertext)
  • Client decrypted sum

Homomorphic addition: the server multiplies ciphertext A and ciphertext B modulo n^2 to produce the ciphertext of (A + B). The browser then decrypts that sum.

How the math works

  • Encrypt: c = g^m * r^n mod n^2 (m is A or B, r is random so the same input encrypts differently each time).
  • Combine: c_sum = c_a * c_b mod n^2 (this corresponds to m_a + m_b).
  • Decrypt: m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n.
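The three formulas above as runnable JavaScript with BigInt, as an added example that is not the lab's own source. It assumes g = n + 1 and the constructed toy primes 11 and 13; all function names are illustrative, and the range checks on m and r go slightly beyond what the formulas state.

```javascript
// Added example: toy Paillier over BigInt. Tiny primes, not secure.
const gcd = (a, b) => { while (b) [a, b] = [b, a % b]; return a; };
const modpow = (base, exp, mod) => {
  let out = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n, base = (base * base) % mod)
    if (exp & 1n) out = (out * base) % mod;
  return out;
};
// Modular inverse by extended Euclid; throws when gcd(a, m) != 1.
const modinv = (a, m) => {
  let [r0, r1, s0, s1] = [a % m, m, 1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1, s0, s1] = [r1, r0 - q * r1, s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new Error("no modular inverse");
  return ((s0 % m) + m) % m;
};
const L = (u, n) => (u - 1n) / n;

// Assumption: g = n + 1, a common valid choice of generator.
function keygen(p, q) {
  const n = p * q, n2 = n * n, g = n + 1n;
  const lambda = ((p - 1n) * (q - 1n)) / gcd(p - 1n, q - 1n); // lcm
  const mu = modinv(L(modpow(g, lambda, n2), n), n);
  return { n, n2, g, lambda, mu };
}
// Toy-only randomness: Math.random is not a CSPRNG.
function randomUnit(n) {
  for (;;) {
    const r = BigInt(1 + Math.floor(Math.random() * (Number(n) - 1)));
    if (gcd(r, n) === 1n) return r;
  }
}
// c = g^m * r^n mod n^2; r must be coprime to n.
function encrypt(key, m, r = randomUnit(key.n)) {
  if (m < 0n || m >= key.n) throw new RangeError("m must be in [0, n)");
  if (gcd(r, key.n) !== 1n) throw new RangeError("r must be coprime to n");
  return (modpow(key.g, m, key.n2) * modpow(r, key.n, key.n2)) % key.n2;
}
// Server side: needs only n^2 (public), never lambda or mu.
const addCiphertexts = (n2, ca, cb) => (ca * cb) % n2;
// m = L(c^lambda mod n^2) * mu mod n
const decrypt = (key, c) =>
  (L(modpow(c, key.lambda, key.n2), key.n) * key.mu) % key.n;

const key = keygen(11n, 13n); // constructed toy primes, n = 143
const sum = addCiphertexts(key.n2, encrypt(key, 20n), encrypt(key, 22n));
console.log(decrypt(key, sum)); // 42n
```

Decryption reduces modulo n, so sums wrap: with n = 143, adding 100 and 50 decrypts to 7, not 150. Choose n larger than the largest sum you expect.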

Toy key parameters

Random tiny primes and derived values used for the demo. These are intentionally small and not secure.

  • Prime p
  • Prime q
  • n = p × q
  • n^2
  • g
  • Lambda (lcm)
  • Mu (mod inverse)

Key Concepts

What does "homomorphic" mean?

A homomorphism is a structure-preserving map between two algebraic systems. In this context, multiplying two ciphertexts (in the encrypted domain) produces the ciphertext of the sum of the plaintexts. The encryption "preserves" addition: you can compute on encrypted data without decrypting it.

Why it matters

Homomorphic encryption lets a server process data it cannot read. Use cases include private analytics (sum encrypted salaries without seeing them), secure voting, and confidential machine learning inference. The server never sees plaintext or the private key, so a breach of the server exposes only ciphertexts.

Paillier vs Fully Homomorphic

Paillier supports only addition (partially homomorphic). Fully homomorphic encryption (FHE) schemes like CKKS or BGV support both addition and multiplication, enabling arbitrary computation. FHE is much slower but far more powerful.

Semantic security

The random value r in each encryption ensures that the same plaintext encrypts to a different ciphertext every time. This property (semantic security) prevents an attacker from learning whether two ciphertexts encode the same value.

Limitations

  • Uses tiny primes and BigInt math for clarity, not security.
  • Ciphertexts are much larger than plaintext inputs.
  • Performance does not scale; production homomorphic encryption is far heavier.

Security model (30 seconds)

This is a toy Paillier-style construction with tiny primes. It demonstrates additively homomorphic encryption but provides no real security. No server-side secrets and no user tracking are used. Do not use it for production data.