Inferensys

Glossary

Ciphertext Expansion

The ratio of the size of an encrypted data element to its original plaintext size, a critical performance metric for homomorphic encryption that directly impacts storage and communication overhead.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
STORAGE OVERHEAD METRIC

What is Ciphertext Expansion?

Ciphertext expansion quantifies the increase in data size resulting from encryption, a critical performance metric for homomorphic encryption that directly impacts storage and communication overhead.

Ciphertext expansion is the ratio of the size of an encrypted data element (ciphertext) to its original plaintext size. In homomorphic encryption schemes like BFV and CKKS, this expansion is substantial—often 10x to 100x or more—because ciphertexts must carry cryptographic noise and large modulus parameters to enable computation directly on encrypted data.

This expansion directly impacts bandwidth consumption and storage costs in privacy-preserving machine learning. Techniques like SIMD packing amortize expansion by encoding thousands of plaintext values into a single ciphertext, while modulus switching and relinearization manage ciphertext growth during computation to prevent exponential blowup.

STORAGE OVERHEAD COMPARISON

Ciphertext Expansion Across HE Schemes

Comparative analysis of ciphertext-to-plaintext size ratios across major homomorphic encryption schemes, illustrating the storage and communication overhead inherent to each cryptographic approach.

MetricBFVCKKSTFHE

Typical Expansion Ratio

10,000x - 100,000x

10,000x - 100,000x

1,000,000x+

Plaintext Encoding

Integer packing via CRT

Complex/real vector packing

Single bit per ciphertext

Ciphertext Size (128-bit security)

~50 KB - 500 KB

~50 KB - 500 KB

~10 KB - 50 KB per bit

SIMD Amortization

Post-Quantum Secure

Noise Growth Rate

Linear (additive)

Linear (approximate)

Rapid (per gate)

Bootstrapping Overhead

High latency

High latency

Low latency per bit

Storage Efficiency

High (amortized)

High (amortized)

Low (per-bit cost)

PERFORMANCE METRICS

Key Factors Influencing Expansion

Ciphertext expansion is not a fixed constant; it is a dynamic property influenced by the choice of cryptographic scheme, security parameters, and encoding optimizations. Understanding these factors is critical for managing storage and bandwidth overhead in production systems.

01

Underlying Scheme Selection

The choice of homomorphic encryption scheme is the primary determinant of expansion magnitude.

  • BFV/BGV: Typically exhibit expansion factors between 10x and 50x due to large ciphertext moduli required for exact integer arithmetic.
  • CKKS: Often shows lower expansion, but the size fluctuates based on the scaling factor and polynomial modulus degree.
  • TFHE: Operates on individual bits or small integers, leading to extreme expansion per bit (often >1000x), but this is mitigated by packing techniques.
02

Security Parameter (λ)

The bit-security level directly dictates the lattice dimension and modulus sizes.

  • A jump from 128-bit to 256-bit post-quantum security often doubles the ciphertext size.
  • The ring dimension (N)—typically 1024, 2048, 4096, or 8192—defines the polynomial degree and is the fundamental block of expansion.
  • Higher security levels require larger parameters, creating a direct trade-off between quantum resistance and storage efficiency.
03

Encoding & Packing Density

How plaintext data is mapped into polynomial slots dramatically changes effective expansion.

  • SIMD Packing: Using the Chinese Remainder Theorem, a single ciphertext can hold N values (e.g., 4096 floats). This amortizes the expansion overhead, making the effective per-element expansion very low.
  • Sparse Encoding: Encoding a single scalar into a full polynomial slot wastes capacity, resulting in massive effective expansion.
  • Complex Numbers: CKKS encodes complex vectors, doubling the data per slot compared to real-only schemes.
04

Noise Management Operations

Operations that manage the noise budget introduce temporary or permanent size changes.

  • Relinearization: Reduces a ciphertext from 3 polynomials back to 2 after multiplication, preventing quadratic growth.
  • Modulus Switching: Reduces the modulus chain, physically shrinking the ciphertext size after each operation.
  • Bootstrapping: Refreshes the noise but often requires a large evaluation key and temporarily bloats memory during the procedure.
05

Key Material Overhead

Ciphertext expansion is only part of the storage story; auxiliary keys are often much larger.

  • Public Keys: Typically 2 polynomials, similar in size to a fresh ciphertext.
  • Evaluation Keys (Relinearization/Galois): Required for multiplication and rotations. These can be 10x to 100x larger than a standard ciphertext.
  • Galois Keys: Enable slot rotations in SIMD packing but require storing a key for every rotation step, significantly increasing the total key material footprint.
06

Fresh vs. Evaluated Ciphertexts

Ciphertext size is not static throughout a computation.

  • Fresh Ciphertexts: Encrypted by the client, typically consist of 2 polynomials.
  • Evaluated Ciphertexts: After multiplication without relinearization, they grow to 3 polynomials, increasing size by 50%.
  • Modulus Chain Depth: In leveled schemes, a fresh ciphertext contains the full modulus chain (largest size), while an exhausted ciphertext at the end of computation is physically smaller.
CIPHERTEXT EXPANSION

Frequently Asked Questions

Ciphertext expansion is a fundamental trade-off in homomorphic encryption that directly impacts storage costs, network bandwidth, and overall system performance. Below are the most common questions engineers ask when evaluating this critical metric.

Ciphertext expansion is the ratio of the size of an encrypted data element to its original plaintext size, calculated as ciphertext_size / plaintext_size. In modern lattice-based homomorphic encryption schemes like CKKS and BFV, this expansion factor typically ranges from 10,000x to 1,000,000x depending on the security parameters and the number of SIMD packing slots utilized. For example, encrypting a single 64-bit floating-point number under CKKS with a ring dimension of 2^15 can produce a ciphertext exceeding 1 megabyte. This dramatic expansion occurs because each ciphertext contains multiple polynomial ring elements—usually two for a fresh encryption—each composed of thousands of 64-bit coefficients representing the underlying Ring Learning With Errors (RLWE) structure. The expansion is not a bug but an inherent property of the cryptographic hardness assumptions that provide IND-CPA security and post-quantum resistance.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.