Noise growth is the accumulation of a random error component within a lattice-based ciphertext with each successive homomorphic operation. This error, intentionally injected during encryption to ensure security under the Ring Learning With Errors (RLWE) assumption, expands additively during addition but multiplies during multiplication, rapidly consuming the ciphertext's finite noise budget.
Glossary
Noise Growth

What is Noise Growth?
The progressive accumulation of error inherent in lattice-based ciphertexts during homomorphic computation, which must be strictly managed to prevent decryption failure.
If noise exceeds a critical threshold relative to the ciphertext modulus, the original message becomes irrecoverable upon decryption. Management techniques such as bootstrapping, modulus switching, and rescaling in the CKKS scheme are employed to reset or reduce this error, enabling deeper circuits without compromising the integrity of the encrypted computation.
Key Characteristics of Noise Growth
Noise growth is the central engineering constraint in lattice-based homomorphic encryption, dictating the depth and complexity of computable circuits. Understanding its mechanics is essential for designing viable encrypted inference pipelines.
Additive vs. Multiplicative Noise
Homomorphic operations impact the noise budget asymmetrically. Addition introduces a small, linear increase in noise, typically negligible for circuit depth planning. Multiplication, however, causes the internal noise terms to multiply together, resulting in quadratic noise growth. This disparity means that the multiplicative depth of a circuit—the longest chain of sequential multiplications—is the primary determinant of whether a ciphertext will decrypt correctly. Managing this requires careful circuit design, minimizing multiplication depth where possible.
The Noise Budget Ceiling
Every ciphertext is initialized with a finite noise budget, determined by the encryption parameters (modulus size and error distribution). This budget represents the maximum error the ciphertext can accumulate before the plaintext message is corrupted beyond recovery. Key aspects include:
- Initial Budget: Set during encryption; larger moduli provide deeper computation capacity but increase ciphertext size.
- Budget Consumption: Each multiplication consumes a significant fraction of the remaining budget.
- Decryption Failure: Occurs when the accumulated noise exceeds the threshold, causing the plaintext to be lost in the statistical error.
Noise Management Techniques
To prevent decryption failure, modern FHE schemes employ active noise management:
- Bootstrapping: Homomorphically evaluates the decryption circuit on a noisy ciphertext, producing a new ciphertext encrypting the same message with a refreshed noise budget. This enables unlimited computation depth but is computationally expensive.
- Modulus Switching: Scales down the ciphertext modulus, which proportionally reduces the absolute noise magnitude without decryption. This is a lightweight, leveled technique used in schemes like BGV and BFV.
- Rescaling (CKKS): After a multiplication, the ciphertext is divided by a scale factor to maintain a stable scale and truncate noise, analogous to managing floating-point precision.
Impact on Encrypted Inference
Noise growth directly constrains the architecture of models used for encrypted inference. Deep neural networks with many sequential layers (high multiplicative depth) are challenging to evaluate directly. Mitigation strategies include:
- Polynomial Approximation: Replacing non-linear activation functions (ReLU, sigmoid) with low-degree polynomial approximations to reduce multiplicative depth.
- Circuit Bootstrapping: Using programmable bootstrapping in TFHE to evaluate non-linear functions as lookup tables while simultaneously refreshing noise.
- Hybrid Protocols: Offloading non-linear operations to a Multi-Party Computation (MPC) protocol, which does not suffer from noise growth, while using HE for linear layers.
Ciphertext Dimension Expansion
Beyond noise magnitude, multiplication causes the ciphertext dimension to grow. In RLWE-based schemes, multiplying two ciphertexts of dimension 2 produces a ciphertext of dimension 3. Without correction, subsequent multiplications would cause exponential dimension growth, making storage and computation impractical. Relinearization is a key-switching operation that reduces the product ciphertext back to dimension 2, enabling a chain of multiplications without dimensional explosion. This requires specific evaluation keys (relinearization keys) to be generated by the secret key holder.
Parameter Selection Trade-offs
Selecting encryption parameters is a direct negotiation with noise growth. Larger parameters increase the initial noise budget and computational capacity but degrade performance:
- Polynomial Modulus Degree (N): Higher N increases security and budget but slows operations.
- Coefficient Modulus (Q): A larger Q provides a deeper budget but must be carefully chosen to avoid security vulnerabilities.
- Error Distribution: A smaller standard deviation reduces initial noise but can weaken security if too aggressive. The goal is to select the minimal parameters that satisfy both the security level (e.g., 128-bit) and the circuit's multiplicative depth requirement.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Noise Management Techniques Compared
A comparison of the primary cryptographic techniques used to control noise growth in lattice-based homomorphic encryption schemes, preventing decryption failure.
| Feature | Modulus Switching | Relinearization | Bootstrapping |
|---|---|---|---|
Primary Function | Reduces absolute noise magnitude by scaling down the ciphertext modulus. | Reduces ciphertext size after multiplication to prevent quadratic dimension growth. | Homomorphically evaluates the decryption circuit to reset the noise budget to a fixed level. |
Operates On | Ciphertext modulus and noise | Ciphertext dimension (ring elements) | Entire ciphertext (noise budget) |
Requires Secret Key | |||
Computational Cost | Low (simple scaling operation) | Medium (key-switching operation) | Extremely High (evaluates AES-like circuit) |
Impact on Noise Budget | Proportionally reduces absolute noise, maintaining budget ratio. | No direct noise reduction; prevents noise from growing faster due to size. | Resets noise budget to a fixed, low level, enabling unlimited depth. |
Typical Usage Frequency | After every multiplication | After every multiplication | Periodically, when the noise budget is nearly exhausted |
Scheme Compatibility | BGV, BFV, CKKS (as Rescaling) | BGV, BFV, CKKS | FHEW, TFHE, CKKS (with approximation) |
Enables Unlimited Computation |
Frequently Asked Questions
Core questions about the accumulation of error in lattice-based ciphertexts during homomorphic computation, and the techniques used to manage it before decryption failure occurs.
Noise growth is the progressive accumulation of error inherent in lattice-based ciphertexts with each successive homomorphic operation. In schemes built on the Ring Learning With Errors (RLWE) hardness assumption, a small random error is deliberately injected into ciphertexts during encryption to ensure security. Each homomorphic addition adds the errors of the two input ciphertexts linearly, while each homomorphic multiplication causes the errors to multiply together, resulting in exponential growth relative to the multiplicative depth of the circuit. If the total accumulated noise exceeds the modulus of the ciphertext space, the signal becomes indistinguishable from the error, and decryption returns a corrupted plaintext. Managing this noise budget is the central engineering constraint in designing practical Fully Homomorphic Encryption (FHE) applications.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us