Ciphertext expansion is the ratio of the size of an encrypted data element (ciphertext) to its original plaintext size. In homomorphic encryption schemes like BFV and CKKS, this expansion is substantial—often 10x to 100x or more—because ciphertexts must carry cryptographic noise and large modulus parameters to enable computation directly on encrypted data.
Glossary
Ciphertext Expansion

What is Ciphertext Expansion?
Ciphertext expansion quantifies the increase in data size resulting from encryption, a critical performance metric for homomorphic encryption that directly impacts storage and communication overhead.
This expansion directly impacts bandwidth consumption and storage costs in privacy-preserving machine learning. Techniques like SIMD packing amortize expansion by encoding thousands of plaintext values into a single ciphertext, while modulus switching and relinearization manage ciphertext growth during computation to prevent exponential blowup.
Ciphertext Expansion Across HE Schemes
Comparative analysis of ciphertext-to-plaintext size ratios across major homomorphic encryption schemes, illustrating the storage and communication overhead inherent to each cryptographic approach.
| Metric | BFV | CKKS | TFHE |
|---|---|---|---|
Typical Expansion Ratio | 10,000x - 100,000x | 10,000x - 100,000x | 1,000,000x+ |
Plaintext Encoding | Integer packing via CRT | Complex/real vector packing | Single bit per ciphertext |
Ciphertext Size (128-bit security) | ~50 KB - 500 KB | ~50 KB - 500 KB | ~10 KB - 50 KB per bit |
SIMD Amortization | |||
Post-Quantum Secure | |||
Noise Growth Rate | Linear (additive) | Linear (approximate) | Rapid (per gate) |
Bootstrapping Overhead | High latency | High latency | Low latency per bit |
Storage Efficiency | High (amortized) | High (amortized) | Low (per-bit cost) |
Key Factors Influencing Expansion
Ciphertext expansion is not a fixed constant; it is a dynamic property influenced by the choice of cryptographic scheme, security parameters, and encoding optimizations. Understanding these factors is critical for managing storage and bandwidth overhead in production systems.
Underlying Scheme Selection
The choice of homomorphic encryption scheme is the primary determinant of expansion magnitude.
- BFV/BGV: Typically exhibit expansion factors between 10x and 50x due to large ciphertext moduli required for exact integer arithmetic.
- CKKS: Often shows lower expansion, but the size fluctuates based on the scaling factor and polynomial modulus degree.
- TFHE: Operates on individual bits or small integers, leading to extreme expansion per bit (often >1000x), but this is mitigated by packing techniques.
Security Parameter (λ)
The bit-security level directly dictates the lattice dimension and modulus sizes.
- A jump from 128-bit to 256-bit post-quantum security often doubles the ciphertext size.
- The ring dimension (N)—typically 1024, 2048, 4096, or 8192—defines the polynomial degree and is the fundamental block of expansion.
- Higher security levels require larger parameters, creating a direct trade-off between quantum resistance and storage efficiency.
Encoding & Packing Density
How plaintext data is mapped into polynomial slots dramatically changes effective expansion.
- SIMD Packing: Using the Chinese Remainder Theorem, a single ciphertext can hold N values (e.g., 4096 floats). This amortizes the expansion overhead, making the effective per-element expansion very low.
- Sparse Encoding: Encoding a single scalar into a full polynomial slot wastes capacity, resulting in massive effective expansion.
- Complex Numbers: CKKS encodes complex vectors, doubling the data per slot compared to real-only schemes.
Noise Management Operations
Operations that manage the noise budget introduce temporary or permanent size changes.
- Relinearization: Reduces a ciphertext from 3 polynomials back to 2 after multiplication, preventing quadratic growth.
- Modulus Switching: Reduces the modulus chain, physically shrinking the ciphertext size after each operation.
- Bootstrapping: Refreshes the noise but often requires a large evaluation key and temporarily bloats memory during the procedure.
Key Material Overhead
Ciphertext expansion is only part of the storage story; auxiliary keys are often much larger.
- Public Keys: Typically 2 polynomials, similar in size to a fresh ciphertext.
- Evaluation Keys (Relinearization/Galois): Required for multiplication and rotations. These can be 10x to 100x larger than a standard ciphertext.
- Galois Keys: Enable slot rotations in SIMD packing but require storing a key for every rotation step, significantly increasing the total key material footprint.
Fresh vs. Evaluated Ciphertexts
Ciphertext size is not static throughout a computation.
- Fresh Ciphertexts: Encrypted by the client, typically consist of 2 polynomials.
- Evaluated Ciphertexts: After multiplication without relinearization, they grow to 3 polynomials, increasing size by 50%.
- Modulus Chain Depth: In leveled schemes, a fresh ciphertext contains the full modulus chain (largest size), while an exhausted ciphertext at the end of computation is physically smaller.
Frequently Asked Questions
Ciphertext expansion is a fundamental trade-off in homomorphic encryption that directly impacts storage costs, network bandwidth, and overall system performance. Below are the most common questions engineers ask when evaluating this critical metric.
Ciphertext expansion is the ratio of the size of an encrypted data element to its original plaintext size, calculated as ciphertext_size / plaintext_size. In modern lattice-based homomorphic encryption schemes like CKKS and BFV, this expansion factor typically ranges from 10,000x to 1,000,000x depending on the security parameters and the number of SIMD packing slots utilized. For example, encrypting a single 64-bit floating-point number under CKKS with a ring dimension of 2^15 can produce a ciphertext exceeding 1 megabyte. This dramatic expansion occurs because each ciphertext contains multiple polynomial ring elements—usually two for a fresh encryption—each composed of thousands of 64-bit coefficients representing the underlying Ring Learning With Errors (RLWE) structure. The expansion is not a bug but an inherent property of the cryptographic hardness assumptions that provide IND-CPA security and post-quantum resistance.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding ciphertext expansion requires familiarity with the cryptographic primitives and noise management techniques that directly influence the size of encrypted data.
Noise Budget
The finite amount of cryptographic noise a ciphertext can tolerate before decryption fails. Each homomorphic operation consumes this budget, and the initial noise level is directly correlated with ciphertext expansion. Larger ciphertexts often embed more noise capacity to enable deeper circuits, creating a direct trade-off between storage overhead and computational depth.
Relinearization
A key-switching technique that reduces ciphertext size after a homomorphic multiplication. Without relinearization, the number of ciphertext components grows quadratically with each multiplication, causing uncontrolled ciphertext expansion. This operation is essential for maintaining a compact, predictable data footprint during encrypted computation.
Modulus Switching
A noise management technique that scales down the ciphertext modulus to proportionally reduce absolute noise. While it does not directly compress the ciphertext, it extends the noise budget without bootstrapping. The choice of initial modulus directly dictates the expansion factor, as larger moduli require more bits per ciphertext element.
SIMD Packing
A technique that encodes multiple plaintext values into a single ciphertext using the Chinese Remainder Theorem. While the raw ciphertext remains large, SIMD packing dramatically improves the amortized expansion rate by dividing the storage cost across hundreds or thousands of logical data slots, effectively reducing the per-element overhead.
Ring Learning With Errors (RLWE)
The computational hardness assumption underpinning efficient lattice-based schemes. The ring dimension n and modulus q define the ciphertext size. A typical RLWE ciphertext is 2n log₂(q) bits, meaning the expansion factor is a direct function of the security parameters chosen to resist lattice reduction attacks.
CKKS Scheme
A homomorphic encryption scheme optimized for approximate arithmetic on real numbers. CKKS ciphertexts exhibit significant ciphertext expansion—often 10,000x or more—because they must preserve precision through a deep rescaling chain. The expansion is managed by carefully selecting the initial scale factor and modulus chain length.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us