Relinearization is a noise management and size-reduction operation in lattice-based homomorphic encryption. When two ciphertexts—each represented by two polynomials—are multiplied, the result is a ciphertext with three ring elements. Without intervention, subsequent multiplications would cause exponential growth, making computation and storage impractical. Relinearization applies a key-switching procedure using a public evaluation key to collapse the three-element product back into a standard two-element ciphertext, maintaining a constant size for further operations.
Glossary
Relinearization

What is Relinearization?
Relinearization is a key-switching procedure that reduces the size of a ciphertext after multiplication back to two ring elements, preventing quadratic growth in ciphertext dimension.
The procedure relies on a relinearization key, a public key derived from the secret key that enables the transformation without decryption. During the operation, the quadratic term of the multiplied ciphertext is decomposed and re-encrypted under the original secret key, effectively eliminating the extra polynomial. This introduces a small additive noise growth penalty, which must be tracked against the ciphertext's noise budget. In schemes like CKKS and BFV, relinearization is essential after every multiplication to enable deep circuit evaluation without ciphertext dimension explosion.
Key Characteristics of Relinearization
Relinearization is a critical key-switching procedure that prevents the exponential growth of ciphertext dimension following homomorphic multiplication, constraining the result back to two ring elements for practical storage and continued computation.
The Quadratic Growth Problem
Homomorphic multiplication of two ciphertexts (each with 2 polynomials) naturally produces a result with 3 polynomials. Without intervention, subsequent multiplications cause the ciphertext size to grow to 4, then 5, then more polynomials, making storage and further computation exponentially more expensive. Relinearization eliminates this quadratic growth in ciphertext dimension by reducing the product back to a standard 2-element ciphertext.
Key-Switching Mechanism
Relinearization is a specific application of the key-switching primitive. It transforms a degree-2 ciphertext (encrypted under a 'squared' secret key s²) back into a degree-1 ciphertext (encrypted under the original secret key s). This is achieved using a public relinearization key (relin key), which is a masked version of s² encrypted under s, allowing the evaluator to homomorphically convert the ciphertext without accessing the secret key.
Noise Budget Cost
Relinearization is not free. The key-switching operation introduces additional noise into the ciphertext, consuming a portion of the finite noise budget. The magnitude of this added noise is proportional to the decomposition base used in the key-switching algorithm. A larger decomposition base reduces computational cost but adds more noise, creating a direct security-efficiency trade-off that must be managed for deep circuits.
Role in Packed Computation
In schemes like CKKS and BFV that support ciphertext packing, relinearization is essential for maintaining SIMD parallelism. After multiplying two packed ciphertexts, the 3-element result cannot be used for further packed operations until it is relinearized. Without it, the slot structure becomes corrupted, and subsequent rotations or multiplications would produce meaningless results.
Relinearization vs. Rescaling
These are distinct but complementary operations in CKKS:
- Relinearization: Reduces ciphertext size (number of polynomials) after multiplication
- Rescaling: Reduces ciphertext scale and modulus to manage precision and noise Both are typically applied after each multiplication: first relinearization to restore size, then rescaling to manage the scale factor. Skipping relinearization while rescaling is possible but leaves a larger ciphertext that costs more to store and operate on.
Computational Overhead
Relinearization is one of the most expensive operations in HE, often dominating multiplication latency. It requires:
- NTT (Number Theoretic Transform) conversions on the extended ciphertext
- Modular polynomial multiplications with the relin key components
- Digit decomposition of the ciphertext polynomials Hardware acceleration via GPU or FPGA implementations often focuses on optimizing this specific operation to reduce end-to-end encrypted inference time.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to common questions about the key-switching procedure that prevents ciphertext size explosion in homomorphic encryption schemes.
Relinearization is a key-switching procedure that reduces a ciphertext's size back to two ring elements after a homomorphic multiplication. Without relinearization, each multiplication would increase the ciphertext dimension—multiplying two ciphertexts of size 2 produces a ciphertext of size 3, and subsequent multiplications cause quadratic growth. This dimensional explosion renders computation impractical, as both storage and subsequent operation costs scale with ciphertext size. Relinearization applies a public evaluation key to transform the extended ciphertext into a canonical two-element form encrypting the same plaintext, enabling an unbounded chain of multiplications without dimensional blowup. The operation is essential in all major lattice-based schemes including BFV, BGV, and CKKS.
Related Terms
Master the core cryptographic operations that enable practical homomorphic computation. These techniques manage noise, reduce ciphertext size, and enable complex encrypted operations.
Key Switching
A fundamental cryptographic operation that transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext under a different secret key. Relinearization is a specific application of key switching that reduces ciphertext size after multiplication.
- Uses public switching keys generated from the original and target secret keys
- Enables rotation of packed ciphertext slots when combined with Galois keys
- Adds a small additive noise term during transformation
- Essential for multi-key HE schemes and threshold decryption
Noise Budget
The finite capacity for error accumulation within a lattice-based ciphertext. Each homomorphic operation—especially multiplication—consumes this budget by increasing the embedded noise. Once the noise exceeds a critical threshold, decryption returns corrupted plaintext.
- Fresh ciphertexts start with a noise budget determined by encryption parameters
- Addition consumes negligible noise; multiplication causes quadratic growth
- Bootstrapping refreshes the budget to enable unlimited computation depth
- Monitoring noise budget is critical for circuit design in leveled FHE
Modulus Switching
A noise management technique that scales down a ciphertext to a smaller modulus, proportionally reducing the absolute noise magnitude. This operation is performed without access to the secret key, making it a lightweight alternative to bootstrapping.
- Reduces both the ciphertext modulus and embedded noise by a scaling factor
- Preserves the encrypted message with some precision loss in approximate schemes
- Used iteratively in leveled FHE to manage noise after each multiplication
- In CKKS, the analogous operation is called rescaling
Ciphertext Packing
A technique that encodes multiple plaintext values into a single ciphertext using SIMD (Single Instruction Multiple Data) parallelism. A single homomorphic operation on the packed ciphertext simultaneously applies to all encoded slots.
- Dramatically improves amortized throughput for vector and matrix operations
- Requires Galois keys to rotate slots for cross-slot interactions
- Packing density depends on the ring dimension of the RLWE instance
- Critical for efficient encrypted neural network inference where layers operate on vectors
Bootstrapping
A cryptographic technique that refreshes a ciphertext by homomorphically evaluating its own decryption circuit. This resets the noise budget to near-fresh levels, enabling unlimited computation depth in fully homomorphic encryption.
- The most computationally expensive operation in FHE
- Programmable bootstrapping (TFHE) also evaluates a lookup table simultaneously
- Eliminates the need to pre-determine circuit depth in leveled FHE
- Modern implementations achieve sub-second latency for single-bit bootstrapping
Galois Keys
Public evaluation keys that enable homomorphic rotation of the slots within a packed ciphertext. These keys are essential for implementing operations that require data movement between slots, such as convolution and matrix multiplication.
- Generated from the secret key for specific rotation amounts
- Enable cyclic shifts of the SIMD-packed plaintext vector
- Required for summing across slots or broadcasting values
- A form of key switching specialized for automorphism operations

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us