Inferensys

Glossary

Key Switching

A cryptographic operation that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same message under a different secret key, used for relinearization and rotation.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CRYPTOGRAPHIC OPERATION

What is Key Switching?

A fundamental noise management and access-control mechanism in lattice-based homomorphic encryption that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the identical plaintext under a different secret key.

Key switching is a cryptographic operation that transforms a ciphertext encrypted under a source secret key s1 into a ciphertext encrypting the same message under a target secret key s2, without decrypting the underlying plaintext. This procedure is essential for controlling ciphertext dimension growth after homomorphic multiplication and for enabling ciphertext rotation in packed SIMD schemes. The operation relies on a public switching key, which is essentially an encryption of s1 under s2, allowing the evaluator to homomorphically re-encrypt the data.

In practice, key switching is the core mechanism behind relinearization, which reduces a product ciphertext from three ring elements back to two to maintain compact representation, and behind Galois automorphisms, which cyclically shift the slots within a packed ciphertext. Because the switching key is a public evaluation key, the operation can be performed by an untrusted server, but the computational overhead is significant, often dominating the latency of encrypted neural network inference in schemes like CKKS and BFV.

CRYPTOGRAPHIC PRIMITIVE

Key Properties of Key Switching

Key switching is a fundamental operation in lattice-based cryptography that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext under a different secret key, without decrypting the underlying data.

01

Core Mechanism: Key-Switching Key Generation

Key switching relies on a public evaluation key (also called a switching key) that encodes the relationship between two secret keys. This key is generated by encrypting fragments of the source secret key under the target secret key, typically using a gadget decomposition technique to control noise growth. The operation is unidirectional: a switching key from key A to key B cannot be used to switch from B to A. Security is preserved because the evaluation key is a public parameter that does not reveal either secret key, relying on the hardness of the Ring Learning With Errors (RLWE) problem.

O(n log n)
Computational Complexity
Unidirectional
Directionality
02

Relinearization: Controlling Ciphertext Size

The primary application of key switching is relinearization, which reduces ciphertext dimension after homomorphic multiplication. When two ciphertexts are multiplied, the result grows from 2 ring elements to 3 ring elements, and the secret key becomes the quadratic product of the original key. Relinearization applies key switching to transform this expanded ciphertext back to 2 elements under the original linear secret key. Without this step, successive multiplications would cause exponential growth in ciphertext size, making computation impractical after only a few operations.

3 → 2
Ring Element Reduction
Per Multiplication
Application Frequency
03

Galois Keys and Slot Rotation

Key switching enables homomorphic rotation of packed ciphertext slots through Galois keys. In schemes like CKKS and BFV, plaintext vectors are encoded into ciphertext slots for SIMD parallelism. Rotating these slots requires applying an automorphism that changes the underlying secret key. A Galois key is a specialized key-switching key that transforms the ciphertext back to the original secret key after the rotation. Common Galois keys include left/right rotation by 1, and rotation by powers of 2 for efficient arbitrary shifts.

SIMD
Parallelism Model
Powers of 2
Common Rotation Steps
04

Noise Management and Decomposition

Key switching introduces additional noise into the ciphertext, which must be carefully managed. The operation uses gadget decomposition to break the input ciphertext into smaller components before applying the switching key, reducing the noise added per operation. The decomposition base and digit count are tunable parameters: a smaller base reduces noise but increases computational cost. In practice, key switching noise is additive and predictable, allowing cryptographers to budget it alongside multiplication noise within the overall noise budget of the scheme.

Additive
Noise Type
Tunable
Decomposition Parameters
05

Proxy Re-Encryption via Key Switching

Key switching generalizes to proxy re-encryption, where a semi-trusted proxy transforms ciphertexts between different parties' public keys without accessing the plaintext. This enables secure data sharing scenarios: a data owner can delegate access by generating a re-encryption key from their key to a recipient's key. The proxy applies this key to convert stored ciphertexts, but never learns the underlying data. This primitive is foundational for secure cloud storage, encrypted email forwarding, and access control in privacy-preserving systems.

Semi-Trusted
Proxy Trust Model
No Decryption
Privacy Guarantee
06

Bootstrapping and Key Switching Interaction

In Fully Homomorphic Encryption (FHE), bootstrapping homomorphically evaluates the decryption circuit to refresh ciphertext noise. This process internally uses key switching to transform the encrypted secret key bits into a form compatible with the refreshed ciphertext. Specifically, bootstrapping requires switching from a high-noise ciphertext under a complex key representation back to a clean ciphertext under the original secret key. The efficiency of this key-switching step directly impacts bootstrapping latency, making it a critical optimization target in schemes like TFHE and CKKS.

Critical Path
Bootstrapping Role
Latency Bottleneck
Performance Impact
KEY SWITCHING EXPLAINED

Frequently Asked Questions

Clear answers to the most common technical questions about key switching, its role in homomorphic encryption, and how it enables efficient encrypted computation.

Key switching is a cryptographic operation that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext message under a different secret key, without ever decrypting the underlying data. This operation is fundamental to managing ciphertext size and enabling complex homomorphic operations. In practice, key switching is used extensively for relinearization after multiplication and for rotation of packed ciphertext slots. The process relies on a public evaluation key—often called a switching key—that encodes the relationship between the source and target secret keys in an encrypted form. During execution, the operation decomposes the input ciphertext into smaller components, multiplies them against the switching key, and reassembles the result under the new key, all while adding a controlled amount of noise to the ciphertext's noise budget.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.