Key switching is a cryptographic operation that transforms a ciphertext encrypted under a source secret key s1 into a ciphertext encrypting the same message under a target secret key s2, without decrypting the underlying plaintext. This procedure is essential for controlling ciphertext dimension growth after homomorphic multiplication and for enabling ciphertext rotation in packed SIMD schemes. The operation relies on a public switching key, which is essentially an encryption of s1 under s2, allowing the evaluator to homomorphically re-encrypt the data.
Glossary
Key Switching

What is Key Switching?
A fundamental noise management and access-control mechanism in lattice-based homomorphic encryption that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the identical plaintext under a different secret key.
In practice, key switching is the core mechanism behind relinearization, which reduces a product ciphertext from three ring elements back to two to maintain compact representation, and behind Galois automorphisms, which cyclically shift the slots within a packed ciphertext. Because the switching key is a public evaluation key, the operation can be performed by an untrusted server, but the computational overhead is significant, often dominating the latency of encrypted neural network inference in schemes like CKKS and BFV.
Key Properties of Key Switching
Key switching is a fundamental operation in lattice-based cryptography that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext under a different secret key, without decrypting the underlying data.
Core Mechanism: Key-Switching Key Generation
Key switching relies on a public evaluation key (also called a switching key) that encodes the relationship between two secret keys. This key is generated by encrypting fragments of the source secret key under the target secret key, typically using a gadget decomposition technique to control noise growth. The operation is unidirectional: a switching key from key A to key B cannot be used to switch from B to A. Security is preserved because the evaluation key is a public parameter that does not reveal either secret key, relying on the hardness of the Ring Learning With Errors (RLWE) problem.
Relinearization: Controlling Ciphertext Size
The primary application of key switching is relinearization, which reduces ciphertext dimension after homomorphic multiplication. When two ciphertexts are multiplied, the result grows from 2 ring elements to 3 ring elements, and the secret key becomes the quadratic product of the original key. Relinearization applies key switching to transform this expanded ciphertext back to 2 elements under the original linear secret key. Without this step, successive multiplications would cause exponential growth in ciphertext size, making computation impractical after only a few operations.
Galois Keys and Slot Rotation
Key switching enables homomorphic rotation of packed ciphertext slots through Galois keys. In schemes like CKKS and BFV, plaintext vectors are encoded into ciphertext slots for SIMD parallelism. Rotating these slots requires applying an automorphism that changes the underlying secret key. A Galois key is a specialized key-switching key that transforms the ciphertext back to the original secret key after the rotation. Common Galois keys include left/right rotation by 1, and rotation by powers of 2 for efficient arbitrary shifts.
Noise Management and Decomposition
Key switching introduces additional noise into the ciphertext, which must be carefully managed. The operation uses gadget decomposition to break the input ciphertext into smaller components before applying the switching key, reducing the noise added per operation. The decomposition base and digit count are tunable parameters: a smaller base reduces noise but increases computational cost. In practice, key switching noise is additive and predictable, allowing cryptographers to budget it alongside multiplication noise within the overall noise budget of the scheme.
Proxy Re-Encryption via Key Switching
Key switching generalizes to proxy re-encryption, where a semi-trusted proxy transforms ciphertexts between different parties' public keys without accessing the plaintext. This enables secure data sharing scenarios: a data owner can delegate access by generating a re-encryption key from their key to a recipient's key. The proxy applies this key to convert stored ciphertexts, but never learns the underlying data. This primitive is foundational for secure cloud storage, encrypted email forwarding, and access control in privacy-preserving systems.
Bootstrapping and Key Switching Interaction
In Fully Homomorphic Encryption (FHE), bootstrapping homomorphically evaluates the decryption circuit to refresh ciphertext noise. This process internally uses key switching to transform the encrypted secret key bits into a form compatible with the refreshed ciphertext. Specifically, bootstrapping requires switching from a high-noise ciphertext under a complex key representation back to a clean ciphertext under the original secret key. The efficiency of this key-switching step directly impacts bootstrapping latency, making it a critical optimization target in schemes like TFHE and CKKS.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to the most common technical questions about key switching, its role in homomorphic encryption, and how it enables efficient encrypted computation.
Key switching is a cryptographic operation that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext message under a different secret key, without ever decrypting the underlying data. This operation is fundamental to managing ciphertext size and enabling complex homomorphic operations. In practice, key switching is used extensively for relinearization after multiplication and for rotation of packed ciphertext slots. The process relies on a public evaluation key—often called a switching key—that encodes the relationship between the source and target secret keys in an encrypted form. During execution, the operation decomposes the input ciphertext into smaller components, multiplies them against the switching key, and reassembles the result under the new key, all while adding a controlled amount of noise to the ciphertext's noise budget.
Related Terms
Key switching is a fundamental building block in lattice-based cryptography. The following concepts are essential for understanding how ciphertexts are managed, transformed, and kept computationally viable during homomorphic operations.
Relinearization
A specific application of key switching that reduces a ciphertext's size back to two ring elements after a homomorphic multiplication. Without relinearization, each multiplication would increase the ciphertext dimension quadratically, making further computation impractical. The operation transforms a degree-2 ciphertext (encrypted under s⊗s) back to a degree-1 ciphertext (encrypted under s) using a relinearization key, which is a public evaluation key generated from the secret key.
Galois Keys
Public evaluation keys that enable homomorphic rotation of the slots within a packed ciphertext. These keys are generated via key switching and allow the evaluator to cyclically shift the plaintext vector encoded in a ciphertext without decrypting it. Essential for implementing matrix transposition, convolution, and summation operations in the encrypted domain. Each distinct rotation step requires its own Galois key, creating a storage trade-off between key material size and computational flexibility.
Bootstrapping
A noise-management technique that homomorphically evaluates the decryption circuit on a ciphertext, producing a fresh encryption of the same plaintext with a reset noise budget. Bootstrapping itself relies heavily on key switching to transform ciphertexts between different key representations during the recursive evaluation. In the TFHE scheme, bootstrapping is performed after every gate operation; in CKKS, it enables arbitrary-depth computation by periodically refreshing the ciphertext.
Modulus Switching
A noise management technique that scales a ciphertext down to a smaller modulus, proportionally reducing the absolute noise magnitude. Unlike key switching, modulus switching does not require an evaluation key and operates without knowledge of the secret key. It is a lightweight alternative for noise control in the BGV scheme, often used in conjunction with key switching to maintain ciphertext integrity across a chain of decreasing moduli.
Proxy Re-Encryption
A cryptographic primitive allowing a semi-trusted proxy to transform a ciphertext encrypted under Alice's public key into a ciphertext encrypted under Bob's public key without ever decrypting the underlying plaintext. While conceptually similar to key switching, proxy re-encryption operates at the application layer for access delegation rather than at the circuit layer for noise management. The proxy uses a re-encryption key generated by Alice from her secret key and Bob's public key.
Noise Budget
The finite capacity for error accumulation within a lattice-based ciphertext. Each homomorphic operation—especially multiplication—consumes a portion of this budget. Key switching itself introduces a small additive noise term, contributing to budget depletion. Once the noise exceeds a critical threshold relative to the ciphertext modulus, decryption becomes unreliable or impossible. Managing this budget through key switching, modulus switching, and bootstrapping is the central engineering challenge in FHE.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us