Survey on Fully Homomorphic Encryption, Theory, and Applications

Data privacy concerns are increasing significantly in the context of the Internet of Things, cloud services, edge computing, artificial intelligence applications, and other applications enabled by next-generation networks. Homomorphic encryption addresses privacy challenges by enabling multiple operations to be performed on encrypted messages without decryption. This article comprehensively addresses homomorphic encryption from both theoretical and practical perspectives. This article delves into the mathematical foundations required to understand fully homomorphic encryption (FHE). It consequently covers design fundamentals and security properties of FHE and describes the main FHE schemes based on various mathematical problems. On a more practical level, this article presents a view on privacy-preserving machine learning using homomorphic encryption and then surveys FHE at length from an engineering angle, covering the potential application of FHE in fog computing and cloud computing services. It also provides a comprehensive analysis of existing state-of-the-art FHE libraries and tools, implemented in software and hardware, and the performance thereof.


I. INTRODUCTION
The notion of fully homomorphic encryption (FHE), originally called privacy homomorphism, was introduced by Rivest et al. [1] in 1978. For more than 30 years, this concept was considered to be the holy grail of cryptography, until 2009, when Gentry [2] proposed the first FHE scheme in his Ph.D. thesis. Homomorphic encryption enables operations on plaintexts without decryption. Namely, a set of operations can be performed over ciphertexts such that these operations are reflected as additions and multiplications on the corresponding plaintexts. Thus, homomorphic encryption allows data manipulation in the encrypted domain. This has tremendous application potential since it allows privacy-preserving data processing, which can be adopted in new emerging fields, such as machine learning (ML), cloud computing, or in the different data processing layers of new generation networks.
Homomorphic encryption schemes that allow one type of operation or a limited number of operations have existed for a long time. Some examples are the RSA cryptosystem by Rivest et al. [3], the encryption scheme of Goldwasser and Micali [4], and the schemes of ElGamal [5], Benaloh [6], Naccache and Stern [7], Paillier [8], and Boneh et al. [9]. In particular, Boneh et al. [9] proposed the first scheme capable of performing two operations: an arbitrary number of additions, just one multiplication, and then again an arbitrary number of additions. Later, Melchor et al. [10] proposed a theoretical approach that permits chaining several homomorphic schemes in order to allow a fixed number of multiplications, i.e., more than one, for a given public key.
However, it was not until 2009 that Gentry [2], [11] proposed the first FHE scheme, which supports the evaluation of arbitrary circuits. In his thesis, Gentry not only proposed an FHE scheme but also provided a method for constructing a general FHE scheme from a scheme with limited but sufficient homomorphic evaluation capacity. Since then, homomorphic encryption has triggered significant interest, and novel constructions on FHE have been proposed following Gentry's idea, with BGV [12], FV [13], TFHE [14], and CKKS [15] being the most representative.
The majority of research efforts for FHE schemes focused on public key encryption (PKE) schemes. Symmetric FHE schemes have gained less popularity among the scientific community due to their more limited applicability to cloud computing. Also, some proposed symmetric key schemes still suffer from security vulnerabilities, as pointed out in [16]. Nevertheless, there are some papers that proposed symmetric key FHE schemes, which can be divided into two categories: 1) schemes with both symmetric key and public key versions [2], [17], [18], [19] and 2) purely symmetric key FHE schemes [20], [21]. It is also worth commenting that, in 2011, Rothblum [22] published a method to convert a symmetric key homomorphic encryption scheme with sufficient homomorphic evaluation capacity into an asymmetric one. This survey only covers public key FHE schemes, but more information on symmetric key schemes can be found in [16].
This survey provides a comprehensive vision of homomorphic encryption since its genesis. We extend previous surveys on the topic [16], [23], [24], [25], [26] to cover the most relevant advances on FHE and its applications. Specifically, the survey is structured as follows: 1) Section II provides the preliminaries, containing the required definitions on number theory and probability theory to understand the constructions of FHE schemes; 2) Section III introduces the mathematical definition of lattices and the main mathematical problems used in lattice-based cryptography; 3) Section IV defines the concept and the construction of FHE; 4) Section V caters to an extensive description of FHE schemes in the state of the art, classified according to their generation; and 5) Section VI discusses the security of FHE schemes by presenting the different mathematical problems on which they are based. Following a more practical perspective, the survey also describes: 1) the application of homomorphic encryption in ML in Section VII; 2) the potential adoption of homomorphic encryption for data aggregation in fog computing in Section VIII; 3) previously proposed techniques for the application of homomorphic encryption in cloud computing in Section IX; and 4) homomorphic encryption in practice, describing the current frameworks and libraries in Section X. Finally, Section XI discusses open challenges in the field and concludes this survey.

II. PRELIMINARIES
This section presents the mathematical foundations and the notation required to understand the developments of homomorphic encryption covered in Sections III-VI.

1) Groups:
A group G is a set with an associative operation such that there exists an identity element of G and every element of G has an inverse. If the group operation is commutative, the group is abelian (also called commutative). For t ∈ N, the finite group Z_t is the additive group of integers modulo t. This group is also referred to as Z/tZ in number theory, and its elements can be represented by the integers in (−t/2, t/2]. The multiplicative group Z_t^×, for some t ∈ N, is the set of integers modulo t that are coprime to t. Note that, if t is prime, then Z_t is the (finite) field F_t.
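As a small illustration (not taken from the survey), the multiplicative group Z_t^× can be enumerated directly; the helper name `units_mod` below is hypothetical:

```python
from math import gcd

def units_mod(t):
    """Elements of the multiplicative group Z_t^x: integers in [1, t) coprime to t."""
    return [a for a in range(1, t) if gcd(a, t) == 1]

# For prime t, every nonzero residue is coprime to t, so Z_t is the field F_t.
print(units_mod(7))   # [1, 2, 3, 4, 5, 6]
print(units_mod(8))   # [1, 3, 5, 7]
```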
2) Fields: A field is a set with two operations: addition and multiplication. The set is an abelian group under addition with 0 as identity, and its nonzero elements are an abelian group under multiplication with 1 as identity. The multiplication is distributive over addition. A finite field Fq is a field with q elements, and it exists if and only if q is a prime or prime power. Finally, a number field is a vector space with a finite dimension over rational numbers Q, and a cyclotomic field is a number field obtained by adjoining a complex root of unity to Q.

3) Rings:
A ring generalizes a field: multiplication does not need to be commutative, and some elements may lack a multiplicative inverse. A quotient ring R = Z[x]/f(x) is the ring of polynomials with integer coefficients reduced modulo the (monic) polynomial f(x). Note that the multiplication between two polynomials in R is a modular multiplication. If the coefficients of the polynomials are in Z_q (integers modulo q), then we denote the ring by R_q; specifically, R_q = Z_q[x]/f(x). It is worth pointing out that the ring R_q is a field if and only if q is prime and f(x) is irreducible over Z_q.
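Multiplication in a quotient ring of the form R_q = Z_q[x]/(x^n + 1), commonly used by the FHE schemes surveyed later, can be sketched as follows (a naive O(n²) illustration; `polymul_mod` is a hypothetical helper, and real libraries use NTT-based multiplication instead):

```python
def polymul_mod(a, b, q, n):
    """Multiply a and b in R_q = Z_q[x]/(x^n + 1); inputs are coefficient
    lists of length n, lowest degree first."""
    res = [0] * (2 * n)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    # Reduce modulo x^n + 1: since x^n = -1, coefficient n + k folds back, negated, onto k.
    return [(res[k] - res[k + n]) % q for k in range(n)]

# x^3 * x = x^4 = -1 = 16 in Z_17[x]/(x^4 + 1)
print(polymul_mod([0, 0, 0, 1], [0, 1, 0, 0], 17, 4))   # [16, 0, 0, 0]
```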

4) Sets:
Given a set E, we denote by E^n the set of vectors E^n = {e = (e_1, . . . , e_n) : e_i ∈ E}. Let E be a commutative ring; then, the dot product of two vectors u, v ∈ E^n is defined as ⟨u, v⟩ = ∑_{i=1}^{n} u_i · v_i. Similarly, M_{h,w}(E) denotes the set of matrices of size h × w with entries in E. Specifically, the term (Z_q)^h denotes a vector of size h with elements in Z_q, and (Z_q)^{h×w} a matrix of size h × w, also with elements in Z_q.

5) Ideal:
An ideal I is a subset of a ring R containing 0 (the identity element of addition) such that the addition of two elements in I is also in I, and the multiplication of an element in I by an element in R is also in I. A principal ideal is an ideal generated by one element.
In other words, a principal ideal generated by a is the set of multiples of a.

6) Real Torus:
The real torus T is the set R/Z of real numbers modulo 1. Note that T is a group under addition.

7) Norms:
Let x be a vector in E^n; then, we define ||x||_p := (∑_i |x_i|^p)^{1/p} as the p-norm and ||x||_∞ := max_i |x_i| as the infinity-norm of x, where the x_i are the elements of x. We denote by ||x|| the Euclidean norm of the vector x, which is equivalent to the two-norm. The Euclidean norm can also be referred to as the length of a vector. The norms ||g(x)||_p and ||g(x)||_∞ of a real or integer polynomial g(x) are the norms of its coefficient vector. If g(x) is a polynomial mod x^n + 1, we take the norm of its unique representative of degree less than or equal to n − 1. Moreover, when E is the real torus T, the p-norm of x ∈ T^k is the p-norm of the representative of x with all coefficients in (−1/2, 1/2]. With abuse of notation, we denote it by ||x||_p.
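A small sketch (illustrative only; the function names are hypothetical) of the p-norm, the infinity-norm, and the (−1/2, 1/2] torus representative described above:

```python
def lp_norm(x, p):
    """p-norm of a vector (or of a polynomial's coefficient vector)."""
    return sum(abs(xi) ** p for xi in x) ** (1 / p)

def inf_norm(x):
    """Infinity-norm: the largest coefficient in absolute value."""
    return max(abs(xi) for xi in x)

def torus_rep(x):
    """Representative of x in the real torus T = R/Z, taken in (-1/2, 1/2]."""
    r = x % 1.0
    return r - 1.0 if r > 0.5 else r

print(lp_norm([3, 4], 2))   # 5.0
print(torus_rep(0.75))      # -0.25
```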

1) Negligible and Overwhelming Probability: Let f(κ) : N → R be a function such that, for every positive integer c, there exists a value N such that, for all κ > N, it holds that |f(κ)| < 1/κ^c. Such a function is said to be negligible. If the output of a negligible function is a probability, then the probability is negligible. In cryptography, κ is frequently referred to as a security parameter, and it represents the length of the secret values. Normally, provably secure schemes are defined by presenting an attack whose probability of success is negligible with respect to the security parameter, i.e., it can be made arbitrarily small by increasing κ. Analogously, an overwhelming probability is the output of a function g(κ) = 1 − f(κ) such that f is a negligible function. Hence, an overwhelming probability can become arbitrarily close to 1 by increasing κ.
2) Gaussian Distribution: The general form of a normal (or Gaussian) distribution χ for a random variable x ∈ R is

χ(x) = (1/(σ√(2π))) exp(−(x − μ)²/(2σ²))

where μ is the center or mean of the distribution and σ is its standard deviation. Note that, in the majority of the FHE literature, χ is defined as a discrete Gaussian distribution on Z with center zero and width parameter αq, denoted by D_{Z,αq}. The discrete Gaussian distribution D_{Z,αq} over the integers is defined by assigning a weight proportional to exp(−πx²/(αq)²) to all x ∈ Z, namely, [27]

D_{Z,αq}(x) = exp(−πx²/(αq)²) / ∑_{y∈Z} exp(−πy²/(αq)²) for any x ∈ Z.

Moreover, the standard deviation of D_{Z,αq} is σ ≈ αq/√(2π), provided that σ is bigger than the smoothing parameter η(Z) of Z [28].
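The distribution D_{Z,αq} can be sampled, for instance, by rejection sampling over a truncated support, as in this illustrative sketch (the helper names are hypothetical; production FHE libraries use more careful, constant-time samplers):

```python
import math
import random

def dgauss_weight(x, alpha_q):
    """Unnormalized weight exp(-pi * x^2 / (alpha*q)^2) of D_{Z, alpha*q}."""
    return math.exp(-math.pi * x * x / (alpha_q ** 2))

def sample_dgauss(alpha_q, rng=random):
    """Rejection sampling for D_{Z, alpha*q}: propose uniformly on a truncated
    support and accept with probability equal to the Gaussian weight (<= 1)."""
    tail = int(10 * alpha_q) + 1   # mass beyond ~10 standard deviations is negligible
    while True:
        x = rng.randint(-tail, tail)
        if rng.random() < dgauss_weight(x, alpha_q):
            return x
```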
Let R = Z[x]/f(x) be a polynomial ring. Informally, we say that a distribution χ over R is B-bounded if the norm of the coefficients of a polynomial sampled from χ is less than B with overwhelming probability. In general, B is set to be as small as possible while maintaining security (e.g., if χ is over R_q, then B ≪ q). In the rest of this work, we denote by small element any sample from a B-bounded distribution χ.

III. LATTICES
This section introduces the mathematical definition of lattices, and it also describes the main mathematical problems on which the security of lattice-based homomorphic encryption schemes relies. The section intends to be self-contained, but it also provides references for interested readers to find full mathematical descriptions and proofs.

A. Definitions
A k-dimensional lattice is a discrete additive subgroup of R^n. Let B = (b_1, . . . , b_k) be linearly independent vectors in R^n; then, we can define the lattice L(B) generated by B as the set of all integer linear combinations of elements of B

L(B) = {∑_{i=1}^{k} z_i b_i : z_i ∈ Z}.

The term B is called a base of the lattice, and the parallelepiped associated with the basis B is defined as

P(B) = {∑_{i=1}^{k} x_i b_i : x_i ∈ [0, 1)}.

The rank k of a lattice L ⊂ R^n is the dimension of its linear span, that is, k = dim(span(L)). When k = n, the lattice is said to be full rank. The volume of L (also called determinant) is defined as Vol(L) = (det(BᵀB))^{1/2}. In the special case that L is a full-rank lattice, we have that Vol(L) = |det(B)|.
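The volume formula Vol(L) = (det(BᵀB))^{1/2} can be checked numerically on a toy basis; the helpers below are hypothetical and use naive cofactor expansion, which is adequate only for tiny matrices:

```python
import math

def det(M):
    """Determinant by cofactor expansion (fine for the tiny matrices used here)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def gram_volume(B):
    """Vol(L(B)) = sqrt(det(B^T B)) for a basis B given as a list of k vectors in R^n."""
    k = len(B)
    gram = [[sum(x * y for x, y in zip(B[i], B[j])) for j in range(k)] for i in range(k)]
    return math.sqrt(det(gram))

# Full-rank case: the volume equals |det(B)|.
print(gram_volume([[2, 0], [1, 3]]))          # 6.0
# Rank-2 lattice embedded in R^3.
print(gram_volume([[1, 0, 0], [0, 2, 0]]))    # 2.0
```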
The dual of a lattice L is the set

L* = {x ∈ span(L) : ⟨x, v⟩ ∈ Z for all v ∈ L}.

Note that, for any B ∈ R^{n×n}, L(B)* = L((B^{−1})ᵀ). From this, it follows that det(L*) = 1/det(L). Moreover, given a matrix A ∈ (Z_q)^{m×n} for some integers q, m, and n, we can define two integer q-ary lattices [29]

L_q(A) := {x ∈ Z^m : x = As mod q for some s ∈ Z^n}
L_q^⊥(A) := {x ∈ Z^m : xA ≡ 0 mod q}.
It is also worth defining the ideal lattice L(I), which is the lattice corresponding to an ideal I ⊆ Z[x]/f, where f is a monic polynomial of degree n.
The Hermite factor δ_0^n is defined as

δ_0^n = ||b_1|| / Vol(L)^{1/n}

where b_1 is the first basis vector, i.e., a shortest vector, in the basis B of the full-rank lattice L. The factor δ_0 is called the root Hermite factor. It is worth highlighting that the root Hermite factor is an important indicator of the quality of some lattice attacks, as shown in Section VI.

B. Lattice Distance
Most of the known attacks on FHE schemes are based on the notion of distance, which arises in a natural way. Specifically, for any vector t in R^n and any element v of a lattice L, the distance between these two vectors is defined as dist(t, v) = ||t − v||. Consequently, the minimum distance between t and any element in L is

dist(t, L) = min_{v∈L} dist(t, v).

Let us define the minimum distance of a lattice L as λ_1(L), which is the length of a shortest nonzero vector in L, i.e.,

λ_1(L) = min_{v∈L, v≠0} ||v||.

We can generalize the notion of minimum distance by defining the ith successive minimum λ_i(L) as the smallest radius r of a zero-centered ball that contains i (or more) linearly independent lattice points.
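For intuition, λ_1(L) can be found by brute force on a small, well-reduced basis by enumerating integer combinations in a bounded box (an illustrative sketch with a hypothetical helper; the approach is exponential and hopeless for bases of cryptographic size):

```python
import itertools
import math

def lambda1(B, box=5):
    """Brute-force lambda_1(L(B)): the shortest nonzero vector among the integer
    combinations sum z_i * b_i with |z_i| <= box (valid only for small bases)."""
    dim = len(B[0])
    best = None
    for zs in itertools.product(range(-box, box + 1), repeat=len(B)):
        if all(z == 0 for z in zs):
            continue   # skip the zero vector
        v = [sum(z * b[i] for z, b in zip(zs, B)) for i in range(dim)]
        length = math.sqrt(sum(x * x for x in v))
        if best is None or length < best:
            best = length
    return best

print(lambda1([[1, 0], [0.5, 10]]))   # 1.0 -- the shortest vector is (1, 0)
```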

C. Shortest Vector Problem
The security of many lattice-based FHE schemes relies on the intractability of the shortest vector problem and its variants. The shortest vector problem (SVP) consists of finding the shortest nonzero vector in a given lattice. If we restrict the set of input lattices to ideal lattices, then we obtain the ideal-SVP [32]. The relevant variants of the SVP problem are defined in the following.
Note that, if the shortest vector problem is solvable, then the decisional shortest vector problem is also solvable, namely, GapSVP_{γ,r} ≤ SVP. Interested readers can find concrete instantiations of the SVP problem in [33].

D. Closest Vector Problem
A generalization of the shortest vector problem is the closest vector problem (CVP). In this generalization, a target vector t ∈ R n is given instead of using the zero vector, and the problem consists of finding a vector in the lattice v ∈ L that is the closest to t, i.e., dist(t, v) = dist(t, L). This problem also has some variants.
1) The γ-approximate closest vector problem (CVP_γ) consists of finding a vector in the lattice that is almost a closest vector to the target vector. Formally, given γ ≥ 1 and t ∈ R^n, it consists of finding v ∈ L such that dist(t, v) ≤ γ · dist(t, L).
2) The α-bounded distance decoding problem consists of, given a target vector t such that dist(t, L) < αλ_1(L), finding a lattice vector v ∈ L closest to t.

F. Short Integer Solution Problem
The short integer solution (SIS) problem was introduced in 1996 by Ajtai [40]. The goal of the SIS problem is to find an integer vector with a small norm that is a solution to a given system of integer equations. More specifically, let q ∈ Z, and let A ∈ (Z_q)^{m×n} be a matrix. Then, given β < q, the SIS_{q,m,β} problem consists of finding a nonzero vector x ∈ Z^m with ||x|| ≤ β such that xA ≡ 0 mod q. It is worth noting that solving the SIS_{q,m,β} problem is equivalent to finding a vector v with norm ||v|| ≤ β in the scaled dual L_q^⊥(A) of the lattice L_q(A). Thus, this problem can be seen as a kind of SVP_γ for this particular family of lattices. Moreover, it is important to highlight that the solution to the SIS problem needs to be bounded in length, i.e., ||x|| ≤ β; without this restriction, it would be easy to find x with the Gaussian elimination technique.
The ring version of this problem was given by Micciancio [41] in 2002 (extended version in 2007 [42]). Informally, let q ∈ Z and R_q = Z_q[x]/f(x), where f is a monic polynomial of degree d, and let a ∈ (R_q)^m be a vector of m polynomials. Then, given β < q, the ring-SIS_{q,m,β} problem [43] consists of finding a nonzero vector of small polynomials x ∈ R^m with ||x|| ≤ β such that aᵀx ≡ 0 mod q.

G. Learning With Errors Problem
The key role that lattice-based problems play in cryptography nowadays is especially due to the learning with errors (LWE) problem and its decisional version, which were introduced by Regev [44] in 2005 (full version [45] in 2009) as an extension of the "learning from parity with error" problem of Blum et al. [46]. Their definitions are provided in the following.
1) Given a vector b ∈ Z_q^m and a matrix A ∈ (Z_q)^{m×n}, the LWE problem consists of finding an unknown vector s ∈ Z_q^n such that

b = As + e mod q

where e ∈ Z_q^m is sampled coordinatewise from an error distribution χ. In other words, the goal is to find a vector s ∈ Z_q^n given a list of m noisy equations sampled from the distribution

A_{s,χ} = {(a, ⟨a, s⟩ + e mod q) : a ← U(Z_q^n), e ← χ}.

2) The decision learning with errors (DLWE) problem consists of distinguishing (with nonnegligible advantage) m samples chosen according to A_{s,χ} (for uniformly random s ∈ Z_q^n) from m samples chosen according to the uniform distribution over Z_q^n × Z_q.
Regev [44] reduced the worst case decisional shortest vector problem GapSVP in a lattice to the LWE problem via a quantum reduction. Namely, his article shows that, if it is possible to find an algorithm that solves the LWE problem in polynomial time, then it is also possible to solve the GapSVP problem quantumly in polynomial time. Because of that, the security of LWE-based homomorphic encryption schemes is intimately related to lattice problems, such as SVP and its variants. In the same paper, Regev proved that the LWE problem and its decisional version are computationally equivalent for any prime q that is polynomially bounded, i.e., q ≤ poly(n). Subsequently, this result was extended to any modulus q in [47], [48], [49], [50], and [51]. In 2009, Peikert [47] (and successively Lyubashevsky and Micciancio [36]) provided a classical reduction from the GapSVP problem to LWE with exponential modulus. Brakerski et al. [51] proved that LWE with polynomial modulus is at least as hard as worst case lattice problems via a classical reduction.
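The LWE sample distribution described above can be sketched in a few lines (a toy illustration with hypothetical names, using a bounded-uniform stand-in for the Gaussian error distribution χ):

```python
import random

def lwe_samples(s, m, q, chi, rng=random):
    """Draw m LWE samples (a, <a, s> + e mod q) for a secret s in Z_q^n."""
    n = len(s)
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = chi(rng)
        b = (sum(ai * si for ai, si in zip(a, s)) + e) % q
        out.append((a, b))
    return out

# Bounded-uniform stand-in for the discrete Gaussian error distribution chi.
chi = lambda rng: rng.randint(-2, 2)

q, n = 97, 4
s = [random.randrange(q) for _ in range(n)]
samples = lwe_samples(s, 6, q, chi)
# Without the error terms e, Gaussian elimination on the pairs (a, b) would recover s.
```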

H. Ring Learning With Errors Problem
The ring learning with errors (RLWE) problem, introduced by Stehlé et al. [32], is the "ring version" of LWE. Let R_q = Z_q[x]/f(x), where f(x) is a monic, irreducible polynomial of degree d and q is a prime.
1) The RLWE problem is to discover s ∈ Rq given access to arbitrarily many independent samples (a, b = s · a + e) ∈ Rq × Rq, where a is chosen uniformly at random in Rq, and e ∈ Rq is sampled from an error distribution χ.
2) The decision ring learning with errors (DRLWE) problem consists of distinguishing with nonnegligible advantage between independent and uniformly random samples in Rq × Rq and the same number of independent RLWE instances (where s ∈ Rq is uniformly random).
It is worth highlighting that the secret s can be chosen from the error distribution since, as Applebaum et al. [52] proved, it does not affect the hardness of the LWE problem.
Initially, the RLWE problem was called the ideal-LWE problem in [32], and later, its decision version was called polynomial learning with errors (PLWE) by Brakerski and Vaikuntanathan [18]. Also, Lyubashevsky et al. [53] slightly modified the initial definition of RLWE proposed in [32]. Namely, the secret s and the noisy polynomial b are in R_q^∨, where R^∨ is a particular ideal that is dual to R. One of the main contributions of that article is a search-to-decision reduction.

I. Relations Between LWE, RLWE, and Hard Lattice Problems
As explained in Sections III-G and III-H, the hardness of the LWE and RLWE problems is related to various well-known hard lattice problems [28], [29], [45], [51], [53]. Specifically, the hardness of the RLWE problem is described in [32], where the search variant was proven hard under the ideal-SVP, and in [53], where Lyubashevsky et al. provide a quantum reduction from the γ-approximate SVP to the RLWE problem and a classical reduction from the search to the decisional RLWE assumption. Unlike the quantum reduction, which works for any number field and (almost) any modulus, the classical reduction works only for a particular modulus q and defining polynomial f(x). Ducas and Durmus [54] partially improved [53] by generalizing over f(x). The restriction on q was lifted by Langlois and Stehlé [55]. Finally, in 2017, Peikert et al. [56] presented a polynomial-time quantum reduction from worst case (ideal) lattice problems to decision RLWE, which works in any number field and for any modulus.
For completeness, we also mention the general learning with errors (GLWE) problem introduced by Brakerski et al. [12]. The GLWE problem is the interpolation between the RLWE and LWE problems. Specifically, it consists of finding s ∈ R_q^k given a list of noisy equations sampled from

A_{s,χ} = {(a, ⟨a, s⟩ + e mod q) : a ← U(R_q^k), e ← χ}.

For R = Z, we have LWE, and for k = 1, we have RLWE. The GLWE problem was proven to be hard by Langlois and Stehlé [55], hence generalizing the results of [53]. From a cryptographic point of view, schemes based on the RLWE problem are more computationally efficient and more compact (in terms of ciphertext size) than the ones based on LWE [31]. We refer readers to [31] by Peikert for a comprehensive and more detailed explanation of LWE, RLWE, and the hardness of these problems.

IV. FULLY HOMOMORPHIC ENCRYPTION
An FHE scheme can be defined as an encryption scheme where, given some ciphertexts, any operation over the plaintexts can be performed without decryption by manipulating the ciphertexts directly. Such functionality is achievable if and only if the addition and multiplication operations can be performed homomorphically since these two operations constitute a functionally complete set over finite rings. Specifically, any Boolean (arithmetic) circuit can be represented using only XOR (addition) and AND (multiplication) gates. In other words, given two ciphertexts Enc(x) and Enc(y), where x and y are plaintexts and Enc is the encryption operation, we can obtain the encryption of x + y (or x · y) without decrypting Enc(x) and Enc(y) by simply adding (or multiplying) these two ciphertexts, and this is sufficient to evaluate any function over encrypted data such that

Dec(Enc(x) ⋄ Enc(y)) = x ⋄ y

where ⋄ denotes either addition or multiplication and Dec is the decryption operation.
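The additive half of this homomorphic property can be illustrated with a toy symmetric scheme in the spirit of Regev-style LWE encryption (a pedagogical sketch with hypothetical names, not any scheme from the survey): adding ciphertexts adds the plaintext bits mod 2, while the noise terms also add.

```python
import random

q, n = 2 ** 15, 8
rng = random.Random(1)
s = [rng.randrange(q) for _ in range(n)]   # toy symmetric secret key

def enc(m, noise=4):
    """Encrypt a bit m as c = (a, <a, s> + e + m*(q//2) mod q)."""
    a = [rng.randrange(q) for _ in range(n)]
    e = rng.randint(-noise, noise)
    b = (sum(ai * si for ai, si in zip(a, s)) + e + m * (q // 2)) % q
    return (a, b)

def dec(c):
    """Recover the bit: the phase is near 0 for m = 0 and near q/2 for m = 1."""
    a, b = c
    phase = (b - sum(ai * si for ai, si in zip(a, s))) % q
    return 1 if q // 4 <= phase < 3 * q // 4 else 0

def add(c1, c2):
    """Homomorphic addition: plaintext bits add mod 2; the noise terms add as well."""
    (a1, b1), (a2, b2) = c1, c2
    return ([(x + y) % q for x, y in zip(a1, a2)], (b1 + b2) % q)

assert dec(add(enc(1), enc(1))) == 0   # 1 + 1 = 0 mod 2
assert dec(add(enc(0), enc(1))) == 1
```

Decryption stays correct only while the accumulated noise remains below q/4, which is precisely the noise-growth limitation discussed below.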
As shown in Section IV-A, homomorphic encryption is based on probabilistic algorithms. Generally, the encryption procedure adds a random element r, which is called noise or error.² The intrinsic feature of FHE is that the error increases any time a homomorphic operation is carried out. Thus, after a certain number of multiplications (or additions), the ciphertext cannot be decrypted correctly due to the error growth. This limitation prevents encryption schemes with homomorphic properties from being fully homomorphic: only a bounded number of operations can be performed homomorphically before the plaintext can no longer be decrypted correctly; hence, these schemes are referred to as somewhat homomorphic. To overcome this limitation, Gentry [2], [11] introduced a new technique, bootstrapping, which is detailed in Section IV-B. This procedure can be used to convert a scheme that is not fully homomorphic into one that is. The method proposed by Gentry can be divided into two steps: 1) creating a somewhat homomorphic encryption scheme, that is, a scheme that supports a limited number of homomorphic operations, and 2) using bootstrapping to reduce the error added during encryption and make the ciphertext compact.
² The noise can be added directly as input in the encryption algorithm or included indirectly, e.g., in the public key [57].
It is worth commenting that Gentry proposes an additional step, before bootstrapping, to reduce the decryption complexity. This technique is called squashing, and it is used to express the decryption function as a function with a lower degree. Squashing the decryption circuit is necessary in order to have a bootstrappable decryption circuit in Gentry's scheme. However, unlike bootstrapping, the squashing technique was not generally adopted in subsequent schemes.
We refer the reader to the following interesting overviews on FHE [23], [24] and to the Homomorphic Encryption Security Standard white paper [58], where the authors provide tables of recommended parameters used for specific FHE schemes at various security levels, considering particular attacks.

A. Definitions and Basic Notions
A public key homomorphic encryption scheme E [2] is composed of a set of probabilistic polynomial-time (PPT) algorithms (KeyGen, Enc, Dec, Eval) such that the following holds.
1) The public key-generation algorithm KeyGen takes as input the security parameter λ and outputs the secret key sk, the public key pk, and the (public) evaluation key evk, which is needed to perform homomorphic operations over ciphertexts.
2) The public encryption algorithm Enc takes as input the public key pk and a message m from the message space and outputs a ciphertext c ← Enc_pk(m).
3) The decryption algorithm Dec takes as input the secret key sk and a ciphertext c and outputs the message m that c encrypts.
4) The evaluation algorithm Eval takes as input the evaluation key evk, a function f, and a tuple of ciphertexts (c_1, . . . , c_t) and outputs a ciphertext c_f that decrypts to the result of evaluating f over (m_1, . . . , m_t), i.e., c_f = Eval_evk(f, (c_1, . . . , c_t)) and Dec_sk(c_f) = f(m_1, . . . , m_t). Note that the ciphertexts c_f and c ← Enc_pk(f(m_1, . . . , m_t)) are equivalent in the sense that they decrypt to the same plaintext but differ in their construction (e.g., they may have different noise levels).
There are two essential characteristics of a homomorphic encryption scheme E: 1) the maximum degree of the functions that the scheme supports and 2) the length increase of the ciphertext after each homomorphic operation. The first property defines which functions E is able to evaluate correctly. Specifically, the scheme E is F-homomorphic if it can correctly evaluate any function f in F, that is, if there exists an evaluation algorithm Eval such that

Dec_sk(Eval_evk(f, (c_1, . . . , c_t))) = f(m_1, . . . , m_t)

where c_i ← Enc_pk(m_i) for any i ∈ {1, . . . , t}. This property also defines whether an evaluated ciphertext c_f, namely, an output of Eval, can be used as an input of the evaluation algorithm. Specifically, in a multihop homomorphic scheme [59], a sequence of any (polynomial number of) functions can be homomorphically evaluated one by one on a ciphertext c produced by encrypting a message m. The second property refers to the ciphertext expansion, i.e., how much the ciphertext bit length grows after each evaluation. In this sense, if the bound on the bit-length growth is independent of the complexity of f, the scheme is called compact [59].
Depending on the previous notions, we have different definitions of homomorphic encryption schemes.
1) The FHE scheme E is an encryption scheme where the ciphertexts are compact, and the scheme is F-homomorphic, where F is the set of all the (efficiently computable) functions [60]. 2) The leveled fully homomorphic scheme is a scheme that supports the evaluation of specific depth circuits. More formally, it is F-homomorphic, where F is the set of all functions of some specific degree and the bound over the length of the ciphertext is independent of such degree (i.e., it is compact) [12]. In this type of scheme, the depth is treated as a setup parameter of the scheme and can adopt any value. It is worth commenting that, if the degree is bounded to a maximum value L, then the scheme is called L-leveled fully homomorphic scheme. Note that L-leveled schemes may not be compact.
3) The somewhat homomorphic encryption (SHE) scheme is a scheme that is F-homomorphic for a limited class F, e.g., capable of evaluating "low-degree" multivariate polynomials homomorphically [12]. Similar to L-leveled schemes, in an SHE scheme, the compactness of ciphertexts could be violated. It is worth highlighting that, as mentioned in Section IV, an SHE scheme (and a leveled fully homomorphic scheme), with sufficient homomorphic evaluation capacity, can be transformed into an FHE scheme by using the bootstrapping technique.

B. Bootstrapping
Bootstrapping is a technique to decrease the error of the ciphertext, proposed by Gentry [2], [11]. Essentially, it consists of a reencryption procedure of a ciphertext c to refresh it, i.e., encrypt it again under another key obtaining a new ciphertext (for the same plaintext) but with a smaller error.
Let us consider a somewhat homomorphic encryption scheme E, two pairs of keys (sk_1, pk_1) and (sk_2, pk_2), the encryption algorithm Enc, and the ciphertext c = Enc_pk1(m) that encrypts m under pk_1. The procedure to refresh c is conducted in three steps as follows.
1) Encrypt the secret key sk_1 under the public key pk_2, obtaining Enc_pk2(sk_1) (this encrypted secret key can be published as part of the evaluation key).
2) Encrypt the ciphertext c under pk_2, obtaining Enc_pk2(c).
3) Homomorphically evaluate the decryption circuit Dec on the inputs Enc_pk2(sk_1) and Enc_pk2(c), which removes the inner encryption and yields a new ciphertext c′ that encrypts m under pk_2 with an error that no longer depends on the error of c.
The objective of bootstrapping is to reduce the error of the ciphertext. Conceptually, bootstrapping applies the decryption function and simultaneously performs a second encryption. These operations produce a new ciphertext. This new ciphertext contains the error of the new encryption plus the error increase resulting from the homomorphic evaluation of the decryption circuit. Hence, the error of the obtained ciphertext is higher than that of a fresh ciphertext (obtained with the encryption algorithm) but lower than that of a ciphertext obtained after homomorphically evaluating functions of greater depth than the decryption circuit. The idea of bootstrapping is illustrated in Fig. 1. Bootstrapping can be applied to any ciphertext; hence, it can be used after several homomorphic evaluations to reduce the error level. This enables the homomorphic evaluation of functions with arbitrarily large depth but requires the decryption circuit to be bootstrappable.
The cornerstone result obtained by Gentry is the proof that, to construct an FHE scheme, it suffices to construct a scheme capable of evaluating only a particular set of small-degree functions, i.e., an SHE scheme, whose security holds when the encryption of the secret key is published. If that is the case, then bootstrapping can be applied (and squashing, if necessary) to obtain an FHE scheme. It is worth highlighting that bootstrapping is the only known way to obtain FHE schemes. Unfortunately, bootstrapping is computationally complex and requires a large memory space.

C. Security Properties
A homomorphic encryption scheme must be semantically secure; optionally, it can also be function or circuit private. The scheme is secure if and only if it is semantically secure. Semantic security is formally captured by the concept of indistinguishability under chosen-plaintext attack (IND-CPA security), where an attacker can obtain encryptions of arbitrary plaintexts but cannot decrypt arbitrary ciphertexts (note that the encryption algorithm and the encryption key pk are public, whereas the decryption key sk is not). If we limit the message space to {0, 1}, then: let E = (KeyGen, Enc, Dec, Eval) be a public key homomorphic scheme with message space {0, 1}. Let us define an adversary A that knows the evaluation key evk and the public key pk and is given an encryption Enc_pk(m) for m ∈ {0, 1}. A can make queries to the encryption oracle. After a polynomial number of queries, A tries to guess whether m = 0 or m = 1. Then, the scheme is IND-CPA secure if, for any efficient adversary A, it holds that

|Pr[A(pk, evk, Enc_pk(0)) = 1] − Pr[A(pk, evk, Enc_pk(1)) = 1]| ≤ negl(λ)

where (sk, pk, evk) ← KeyGen(λ) and negl(λ) is a negligible function.
The definition above expresses the fact that the adversary cannot tell apart encryptions of 0 from encryptions of 1 with nonnegligible advantage. It is worth noting that IND-CPA security is only achievable if the encryption scheme randomizes the ciphertexts. If there is no randomization, the adversary can simply encrypt candidate messages and compare them with the received ciphertext Enc_pk(m).
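To make the need for randomization concrete, the following toy Python sketch (a hypothetical hash-based cipher, not a real or secure construction) shows how the trivial compare-with-a-fresh-encryption adversary wins against a deterministic cipher but learns nothing from a randomized one.

```python
# Toy illustration (not a real scheme): why IND-CPA requires randomized
# encryption. `det_enc` is a hypothetical deterministic cipher; `rnd_enc`
# adds a fresh random nonce. The adversary simply re-encrypts 0 and compares.

import hashlib, secrets

KEY = b"toy-public-parameters"   # stands in for pk: the adversary knows it

def det_enc(m: int) -> bytes:
    """Deterministic: the same plaintext always yields the same ciphertext."""
    return hashlib.sha256(KEY + bytes([m])).digest()

def rnd_enc(m: int) -> bytes:
    """Randomized: a fresh nonce makes every encryption of m look different."""
    nonce = secrets.token_bytes(16)
    return nonce + hashlib.sha256(KEY + nonce + bytes([m])).digest()

def adversary(challenge: bytes, enc) -> int:
    """Guess the encrypted bit by comparing with a fresh encryption of 0."""
    return 0 if challenge == enc(0) else 1

# Against the deterministic cipher the adversary always guesses correctly.
assert all(adversary(det_enc(b), det_enc) == b for b in (0, 1))

# Against the randomized cipher, naive comparison answers "1" for both bits,
# so it conveys no information about the encrypted bit.
assert adversary(rnd_enc(0), rnd_enc) == adversary(rnd_enc(1), rnd_enc) == 1
```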
Finally, an encryption scheme that remains secure against adversaries who observe an encryption of the scheme's secret key under its public key is called circular secure. Current constructions of FHE schemes publish an encryption of the secret key to enable bootstrapping; hence, all known FHE constructions require circular security. This implies that IND-CPA security has to hold under circular security. Most FHE schemes are not proven IND-CPA secure under circular security, and circular security is, in general, adopted as an additional assumption on top of the scheme's underlying security assumptions. Optionally, a homomorphic encryption scheme can be function private, that is, a ciphertext that has been homomorphically evaluated with a function f does not reveal any information about f beyond the outputs for the queried inputs. Function privacy is a relaxed version of the original circuit privacy [2], which requires that the evaluated ciphertext is statistically indistinguishable from a fresh ciphertext [61]. Note that, for a scheme to be circuit or function private, the property has to hold even against an adversary that knows the secret key and can decrypt any ciphertext.

V. F U L L Y H O M O M O R P H I C E N C R Y P T I O N S C H E M E S
Gentry's seminal works [2], [11] paved the way for novel FHE schemes in four main research branches: 1) schemes based on ideal lattices (see Section V-A); 2) schemes over the integers based on the approximate greatest common divisor (AGCD) problem (see Section V-B); 3) schemes based on the LWE problem and its ring version (see Sections V-C, V-E, and V-F); and 4) schemes based on NTRU (see Section V-D). In addition, other research works have proposed schemes based on other mathematical problems (see Section V-H). Fig. 2 describes the timeline of the main FHE schemes.

A. First Generation: FHE Based on Ideal Lattices
The first FHE scheme presented by Gentry [2], [11] is based on ideal lattices. Fig. 3 describes the main schemes based on ideal lattices.
Following the notation of Silverberg [62], we describe one of the constructions presented by Gentry. This scheme uses the integer sublattice L(I) ⊆ Z m defined by the ideal I. The encryption and decryption algorithms work as follows.
1) Encryption: It computes a = m + 2e, where m is the plaintext bit and e is a small error, namely, a random vector with coefficients in {0, ±1}, where the values ±1 are taken with equal probability. The ciphertext c is the translation of a into the parallelepiped P(B_pk), where B_pk is the public key. Namely, c = a − ⌊a B_pk^{−1}⌉ B_pk, where ⌊·⌉ denotes rounding to the nearest integer.
2) Decryption: It computes a = c − ⌊c B_sk^{−1}⌉ B_sk, where B_sk is the secret key, and then outputs a mod 2 as the decrypted plaintext.
Both the public and secret keys, B_pk and B_sk, are bases of the ideal lattice L(I). However, the public key is a bad basis for I, in the sense that it is formed by skewed vectors, whereas the secret key is a good basis because it is formed by nearly orthogonal vectors (see Fig. 4).
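The role of the basis quality can be checked numerically. The following sketch (with a hypothetical 2-D lattice and error values, not Gentry's actual parameters) applies the round-off reduction c − ⌊c B^{−1}⌉ B with a near-orthogonal basis and with a skewed basis of the same lattice: only the good basis recovers the small error-carrying offset.

```python
# Toy 2-D illustration (hypothetical numbers) of why decryption needs a
# "good" (near-orthogonal) basis: Babai's round-off c - round(c B^{-1}) B
# recovers the small error vector with the good basis but not the bad one.
from fractions import Fraction

B_GOOD = [[8, 1], [1, 8]]     # near-orthogonal basis of the lattice
B_BAD = [[8, 1], [25, 11]]    # skewed basis of the SAME lattice:
                              # second row = 3*[8,1] + [1,8] (unimodular change)

def inv2(B):
    """Exact inverse of a 2x2 integer matrix, using fractions."""
    det = B[0][0] * B[1][1] - B[0][1] * B[1][0]
    return [[Fraction(B[1][1], det), Fraction(-B[0][1], det)],
            [Fraction(-B[1][0], det), Fraction(B[0][0], det)]]

def round_off(c, B):
    """Babai round-off: reduce c into the parallelepiped P(B)."""
    Binv = inv2(B)
    coeff = [round(c[0] * Binv[0][j] + c[1] * Binv[1][j]) for j in range(2)]
    return [c[j] - (coeff[0] * B[0][j] + coeff[1] * B[1][j]) for j in range(2)]

lattice_point = [-26, -19]    # = -3*[8,1] - 2*[1,8], so it lies in the lattice
error = [1, -3]               # small "plaintext-carrying" offset
c = [lattice_point[0] + error[0], lattice_point[1] + error[1]]

assert round_off(c, B_GOOD) == [1, -3]   # good basis: error recovered
assert round_off(c, B_BAD) != [1, -3]    # bad basis: reduction lands elsewhere
```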
Unfortunately, the scheme that we just described is not bootstrappable due to the complexity of its decryption algorithm (i.e., the decryption circuit cannot be evaluated homomorphically). To solve this problem, Gentry proposed a method to squash the decryption function of an SHE scheme. This method consists of transforming the original SHE scheme E into another scheme E* with the same homomorphic capacity but with a simpler decryption function that allows bootstrapping. To reduce the decryption algorithm's complexity, Gentry [2], [11] proved that it is enough to add to the evaluation key some "extra information" about the secret key. Such extra information consists of a set of vectors S = {s_i | i = 1, . . . , |S|} from which a subset T is derived. The secret key sk is the sum of the elements of T, and the public information included in the evaluation key is the set S. The security of this new scheme E* relies on the fact that the set T is sparse and secret, so that the sparse subset sum problem (SSSP) applies. SSSP consists of deciding, given a set of n integers S = {a_1, . . . , a_n} ⊆ Z, whether

Fig. 4. Good and bad bases for an ideal lattice.
a sparse subset I ⊆ {1, . . . , n} exists such that Σ_{i∈I} a_i = 0. The security of E* is based on three mathematical problems: 1) the sparse subset sum problem; 2) the bounded distance decoding problem (see Section III-D); and 3) the ideal shortest vector problem (see Section III-C). Circular security is also required, but no proof is given; hence, it is an additional security assumption for this scheme.
Gentry's scheme was initially implemented by Smart and Vercauteren [63], who used principal ideal lattices and introduced the batching technique. The batched version of a scheme enables a vector of plaintexts to be packed and encrypted in a single ciphertext using the Chinese remainder theorem (CRT). This technique permits processing several messages simultaneously. The Smart-Vercauteren implementation was improved in 2011 by Gentry and Halevi [64], who also simplified the squashing procedure. Successively, Scholl and Smart [65] improved the Gentry-Halevi technique, providing a generalization over any cyclotomic field. Stehlé and Steinfeld [66] reduced the bit complexity (i.e., the number of operations per bit) for refreshing the ciphertext. Their technique can be applied to different FHE schemes, such as those of Gentry [2] and Smart and Vercauteren [63].
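The idea behind CRT batching can be shown with plain integers (the moduli 3 and 5 are illustrative; real schemes pack polynomial slots rather than integer residues):

```python
# Toy sketch of CRT batching: two plaintext "slots" (mod 3 and mod 5) are
# packed into a single residue mod 15, and ONE arithmetic operation mod 15
# acts on both slots at once.

M1, M2 = 3, 5
M = M1 * M2  # 15

def pack(x1, x2):
    """CRT: find the unique c mod 15 with c = x1 mod 3 and c = x2 mod 5."""
    return next(c for c in range(M) if c % M1 == x1 and c % M2 == x2)

def unpack(c):
    return c % M1, c % M2

a = pack(2, 4)           # slots (2, 4)
b = pack(1, 3)           # slots (1, 3)

s = (a + b) % M          # one addition mod 15 ...
p = (a * b) % M          # ... and one multiplication mod 15

assert unpack(s) == ((2 + 1) % M1, (4 + 3) % M2)   # slotwise addition
assert unpack(p) == ((2 * 1) % M1, (4 * 3) % M2)   # slotwise multiplication
```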
A drawback of ideal lattice-based FHE schemes is that they rely on mathematical constructions that are difficult to implement efficiently. Also, a vulnerability in schemes using principal ideals was found by Cramer et al. [67] in 2016. Specifically, a key-recovery attack on cryptographic constructions based on principal ideal lattices is possible, given a quantum polynomial-time, or classical 2^{n^{2/3+ε}}-time, algorithm for finding a short generator of a principal ideal.

B. First Generation: FHE Based on the AGCD Problem
A new family of FHE schemes (simpler than the ideal lattice-based ones) dawned in 2010 thanks to van Dijk et al. [19], who introduced an FHE scheme over the integers. The basic construction of the DGHV scheme is given in the following. 1) Key generation: It outputs the secret key p, i.e., an odd random integer, and the public key (x_0, . . . , x_n), where x_0 is odd and x_0 > x_i ∀i, with x_i = p·q_i + r_i for random integers q_i, r_i. 2) Encryption: The message m ∈ F_2 is encoded into the ciphertext c = (m + 2r + 2 Σ_{i∈S} x_i) mod x_0, where r is a small random integer and S is a random subset of {1, . . . , n}. 3) Decryption: It outputs m = (c mod p) mod 2. The security of this scheme is based on SSSP and the AGCD problem, which consists of finding the "common near divisor" p, given a set of integers {x_0, . . . , x_n} ⊆ Z, all randomly chosen and close to multiples of a large integer p. The scheme also assumes circular security.
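The DGHV construction over the integers is simple enough to sketch directly. The following toy (symmetric-key only, with tiny, insecure, made-up parameters, and without the public-key sum) shows ciphertext addition and multiplication acting as XOR and AND on the underlying bits:

```python
# Toy sketch of the DGHV idea over the integers (symmetric, tiny insecure
# parameters, no public key): c = m + 2r + p*q, decryption (c mod p) mod 2.
# Addition/multiplication of ciphertexts act as XOR/AND on the bits as long
# as the accumulated noise stays below p/2.

import random
random.seed(1)

p = 100003                      # odd secret key (toy size, insecure)

def enc(m):                     # m in {0, 1}
    r = random.randint(-7, 7)   # small noise
    q = random.randint(1, 10**6)
    return m + 2 * r + p * q

def dec(c):
    r = c % p
    if r > p // 2:              # centered reduction mod p
        r -= p
    return r % 2

for m1 in (0, 1):
    for m2 in (0, 1):
        c1, c2 = enc(m1), enc(m2)
        assert dec(c1) == m1 and dec(c2) == m2
        assert dec(c1 + c2) == m1 ^ m2      # addition -> XOR
        assert dec(c1 * c2) == m1 & m2      # multiplication -> AND
```

After a multiplication, the noise term grows to (m1 + 2r1)(m2 + 2r2), which is why the noise budget, and hence the multiplicative depth, is limited without bootstrapping.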
The main drawbacks of the DGHV scheme are its high computational complexity and large public key size. Several optimizations and implementations have been proposed, as depicted in Fig. 5. Specifically, Coron et al. [68] reduced the number of public key elements that have to be stored (2·n^{1/2} instead of n elements) since the rest of the key elements can be recovered. This optimization only requires a slight modification of the encryption procedure. Chen and Nguyen [69] presented new algorithms to solve the AGCD problem, which are exponentially faster than the previous ones. As a consequence, they proved that the scheme in [68] achieves a lower security level than initially claimed. Later, Coron et al. [70] further reduced the size of the public key using the modulus switching technique. The security of both these schemes is based on the error-free variant of the AGCD problem. Informally, this problem is similar to the AGCD problem but with the stronger assumption that x_0 does not carry the error r_0 present in the conventional AGCD assumption. It is worth commenting that this error-free variant is quantumly broken by Shor's algorithm [71].
A batch version of the DGHV scheme was independently proposed in 2013 by Kim et al. [72] and Coron et al. [73] (the merged version is in [74]). Moreover, Nuida and Kurosawa [75] proposed the batching technique for nonbinary message spaces. In 2014, Coron et al. [76] improved the DGHV scheme using the scale-invariance property given by Brakerski [50]. In 2015, Cheon and Stehlé [77], inspired by Brakerski [50], introduced a reduction from LWE to AGCD and then presented a new AGCD-based FHE scheme based on the hardness of this new variant. It is worth highlighting that this construction is the first DGHV variant that does not require the SSSP hardness assumption.

C. Second Generation

In 2011, Brakerski and Vaikuntanathan [78] introduced FHE schemes based on the LWE problem that avoid Gentry's squashing step, although they still require the circular security assumption. These works, as described in Fig. 6, initiated the second generation of FHE schemes. The LWE-based symmetric scheme described in [78], known as BV, works as follows.

1) Encryption: It computes the ciphertext c = (a, b) ∈ Z_q^n × Z_q, where a is chosen uniformly at random and b = ⟨a, s⟩ + 2e + m, where e is an error randomly chosen from an error distribution χ and s ∈ Z_q^n is the secret key composed of random elements in Z_q.

2) Decryption: It outputs the plaintext m = ((b − ⟨a, s⟩) mod q) mod 2.

The decryption works properly if e is small enough, specifically |2e + m| < q/2.
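The BV-style symmetric encryption of a bit can be sketched with toy parameters (n and q far too small to be secure; all values illustrative), including the additive homomorphism that maps ciphertext addition to XOR of the plaintext bits:

```python
# Toy sketch of a Regev/BV-style symmetric LWE encryption of a bit (insecure
# toy parameters): c = (a, <a, s> + 2e + m) mod q. Adding ciphertexts
# componentwise decrypts to the XOR of the bits while the error stays small.

import random
random.seed(2)

n, q = 16, 1 << 16

s = [random.randrange(q) for _ in range(n)]          # secret key

def enc(m):                                          # m in {0, 1}
    a = [random.randrange(q) for _ in range(n)]
    e = random.randint(-10, 10)                      # small error
    b = (sum(ai * si for ai, si in zip(a, s)) + 2 * e + m) % q
    return a, b

def dec(c):
    a, b = c
    r = (b - sum(ai * si for ai, si in zip(a, s))) % q
    if r > q // 2:                                   # center: r = 2e + m
        r -= q
    return r % 2

a1, b1 = enc(1)
a2, b2 = enc(1)
c_sum = ([(x + y) % q for x, y in zip(a1, a2)], (b1 + b2) % q)

assert dec((a1, b1)) == 1
assert dec(c_sum) == 0        # 1 XOR 1; errors add: |2(e1 + e2)| << q
```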
In this article, the authors also introduced two novel techniques called relinearization and dimension-modulus reduction. Relinearization is needed to reduce the size of a ciphertext after multiplication from almost n^2/2 back to the regular size, i.e., n + 1. To obtain this reduction, the authors transform the quadratic expression of c_1 · c_2 into a linear one by means of "encrypting" all the terms of the symmetric key under a new key. Later on, Brakerski et al. [12] called this technique key switching. The dimension-modulus reduction technique (also called modulus switching [12] in subsequent works) converts an SHE scheme into an FHE scheme by transforming a ciphertext c modulo q into another ciphertext c' modulo p, where p is sufficiently smaller than q. Specifically, each element in Z_q is converted into an element in Z_p by first multiplying it by p/q and then taking the closest integer. An interesting side effect of this operation is that the error in the ciphertext decreases. The lower noise growth due to the adoption of modulus switching allows the homomorphic evaluation of the decryption circuit without the squashing method proposed by Gentry. Thus, the SSSP assumption is no longer required (see Section IV-B).
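Modulus switching can be demonstrated on a scalar toy (the secret key is collapsed away and the moduli are made up), showing that the value mod 2 survives the change of modulus while the error shrinks by roughly the factor p/q:

```python
# Scalar toy of BGV-style modulus switching (secret key dimension collapsed
# away): a "ciphertext" c = m + 2e mod q is mapped to c' = round((p/q)*c),
# adjusted so that c' = c (mod 2). The plaintext bit is preserved while the
# error shrinks by roughly p/q. Both moduli are odd and purely illustrative.

q = 1048577          # large odd modulus
p = 1025             # small odd modulus

def mod_switch(c, q, p):
    """Map c mod q to c' ~ (p/q)*c mod p, keeping c' = c (mod 2)."""
    c2 = round(p * c / q)
    if c2 % 2 != c % 2:          # parity fix so the plaintext bit survives
        c2 += 1
    return c2 % p

def dec(c, mod):
    """Centered reduction mod `mod`; returns (plaintext bit, error)."""
    r = c % mod
    if r > mod // 2:
        r -= mod
    return r % 2, (r - r % 2) // 2

m, e = 1, 4000
c = (m + 2 * e) % q

bit_before, err_before = dec(c, q)            # error 4000 under modulus q
c_small = mod_switch(c, q, p)
bit_after, err_after = dec(c_small, p)        # error now ~ (p/q)*4000 ~ 4

assert bit_before == bit_after == m           # plaintext bit preserved
assert abs(err_after) < abs(err_before) // 100
```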
Brakerski and Vaikuntanathan [18] proposed a new version of the BV scheme, where the scheme security is based on the polynomial LWE (PLWE) problem. Note that the PLWE problem is equivalent to the RLWE problem [32] (see Section III-H). The main difference between the LWE version of the BV scheme and the RLWE version is that, in the latter, the message, the ciphertext, and the keys are represented as polynomials of degree less than d, and q is a prime.
Brakerski et al. [12] proposed a method for defining a leveled fully homomorphic scheme (see Section IV-A), which avoids the computationally expensive bootstrapping technique. Based on this method, they defined the BGV scheme, and provided batching and modulus switching techniques. In addition, the authors also gave a bootstrapping technique to transform the leveled version into an FHE version.
This new method made the scheme applicable to practical scenarios, thus fostering increasing interest from the research community. The authors introduced two variants of the BGV scheme (one based on LWE and another on the RLWE assumption). The RLWE-based version of the BGV scheme, as described in Scheme 1, is more efficient than the LWE counterpart, and it is implemented in the widely used FHE library HElib [79] (from IBM). The library, implemented by Shai Halevi and Victor Shoup, is open source, and it enables the construction of a Boolean circuit of any depth (more information about libraries can be found in Section V-G). It is worth commenting that the architecture of the library is based on a variant of the BGV scheme that introduces some optimizations, proposed by Gentry et al. [80], for the specific implementation of the AES circuit [81]. Also, Gentry et al. [82], using the batch techniques of Smart and Vercauteren [63] and Brakerski et al. [17], provided the asymptotically fastest scheme, with significant impact toward fast bootstrapping.
Scheme 1 (BGV RLWE-Based Scheme [12]): Let d be a power of 2, q be an odd positive integer modulus, and χ be an error distribution over R, where R = Z[x]/(x^d + 1). Let B be a bound (with overwhelming probability) on the length of the elements output by χ; B is set as small as possible while maintaining security. For any natural number p, we write R_p = Z_p[x]/(x^d + 1). The scheme works as follows. 1) Key generation: It takes as input the security parameter λ, randomly chooses a small secret element s ∈ χ, and sets the secret key sk = s = (1, s) ∈ R_q^2. It generates a' ∈ R_q uniformly at random and computes b = a'·s + 2e, where e is a random error in χ. It outputs sk and pk = a = (b, −a'). Note that ⟨a, s⟩ = 2e. 2) Encryption: It takes as input the public key pk ∈ R_q^2 and the message m ∈ R_2. It converts m into the vector m = (m, 0) ∈ R_q^2 and chooses random r, e_0, e_1 ∈ χ. It outputs the ciphertext c = m + 2(e_0, e_1) + a·r. Namely, c = (c_0, c_1) = (m + 2e_0 + b·r, 2e_1 − a'·r) ∈ R_q^2. 3) Decryption: It takes as input the secret key s ∈ R_q^2 and the ciphertext c ∈ R_q^2. It computes ⟨c, s⟩ = c_0 + c_1·s = m + 2e_0 + 2e_1·s + 2e·r and outputs ((m + 2(e_0 + e_1·s + e·r)) mod q) mod 2 = m. Note that the decryption works properly because e, e_0, e_1, and s are small enough (since they are elements of χ).

4) (Homomorphic) properties:
a) The addition is a componentwise addition. The decryption works as long as the resulting error does not overlap the modulus q. b) The multiplication is slightly more complicated.
Note that (c_0 + c_1·s)·(c_0' + c_1'·s) = d_0 + d_1·s + d_2·s^2, where d_0 = c_0·c_0', d_1 = c_0·c_1' + c_1·c_0', and d_2 = c_1·c_1'. Thus, the extended ciphertext (d_0, d_1, d_2) can be decrypted using an extended secret key (1, s, s^2). The inconvenience is that every multiplication expands the decryption key. Thus, to reduce the decryption key, the authors use the key switching technique. Roughly speaking, the basic idea of this method is to convert the ciphertext term d_2·s^2 into c̃_0 + c̃_1·s using the encryption of s^2 under s (this is possible under a circular security assumption). Indeed, Enc_s(s^2) = (β, −α), where (β, −α) = (s^2 + 2e_0 + b·r, 2e_1 − a'·r); hence, β − α·s = s^2 + 2(e_0 + e_1·s + e·r). Thus, s^2 ≈ β − α·s, and the extended ciphertext d_0 + d_1·s + d_2·s^2 becomes a normal ciphertext c̃_0 + c̃_1·s encrypting the same plaintext.
The leveled version of the schemes can be found in [12, sec. 4.4].
Brakerski [50] provided another variant of the BGV scheme based on the so-called scale-invariant technique. This technique reduces the error increase produced by homomorphic multiplications from exponential to linear. Intuitively, the idea behind the scale-invariant technique is to scale down the ciphertext and the error by a factor of q, where q is the ciphertext modulus. This method replaces the modulus switching technique.
Another relevant contribution of [50] is a classical reduction proving that the security of the scheme is based on the hardness of the GapSVP problem (see Section III-C). Previous schemes were initially proven secure only via quantum reductions (although classical reductions for them now exist as well).
The RLWE version of the Brakerski scheme was implemented and optimized by Fan and Vercauteren [13] and named the FV scheme (see Scheme 2). In the following sections, we refer to these two schemes as the B/FV scheme, namely, for the LWE/RLWE variants. The FV scheme is one of the three schemes implemented in Microsoft's Simple Encrypted Arithmetic Library (SEAL) [83], and it allows modular arithmetic to be performed on encrypted integers. Other libraries implementing the B/FV scheme can be found in Section V-G.
Following this research line, Bajard et al. [84] proposed an optimization, called RNS FV (BEHZ variant), when the ciphertext has large coefficients. It is based on the residue number system (RNS) since it uses CRT representation. This variant is improved in a subsequent work by Halevi et al. [85] (HPS variant). Both approaches were evaluated by Al Badawi et al. [86], where the authors show that the HPS variant [85] has better decryption and homomorphic multiplication runtimes with respect to [84]. However, a subsequent note on this work by Bajard et al. [87] shows that the noise growth for the BEHZ and HPS variants is actually very close, and HPS provides only a slightly better runtime with respect to BEHZ.
Chen and Han [88] improved the bootstrapping technique of both the BGV and FV schemes for a large plaintext modulus (i.e., a large prime power). Based on this work, Halevi and Shoup [89] proposed an improved variant for BGV, which was implemented by the same authors in HElib [90]. Another modification of the FV scheme was proposed by Chen et al. [91]: the plaintext space is switched from R_t to Z_{b^n+1} by means of the Hoffstein and Silverman trick [92], where the plaintext modulus t is substituted by the polynomial x − b. A recent generalization of this work is given in [93], where Bootland et al. proposed a more general polynomial plaintext modulus. Both works, [91] and [93], follow a strand of articles [94], [95], [96] studying encoding methods for transforming real input data (namely, integer, rational, or complex numbers) into a polynomial, which is an element of the message space (i.e., a plaintext) of an RLWE scheme. It is worth highlighting that both Chen et al. [91] and Bootland et al. [93] achieve a reduction of the error growth compared with the original version of the FV scheme and, as a consequence, both of them enable the evaluation of circuits with higher multiplicative depth. The main difference between these two approaches is that, while Chen et al. [91] encode fractional numbers, Bootland et al. [93] encode complex numbers.
In the BGV and B/FV schemes (and similarly in other FHE schemes), each ciphertext includes an error that grows with each homomorphic operation. To avoid decryption failure, the error must stay below a certain threshold. This implies a tradeoff between the security level and the error margin that influences the parameter selection and that is specific to each use case. Such a parameter choice requires a complex study of the error growth, which has motivated several research works. Namely, Costache et al. [97], extending a previous performance evaluation by Costache and Smart [98], compared the error growth of the BGV and FV schemes. Specifically, Costache et al. [97] proved that, for a particular small plaintext modulus and circuit depth, BGV requires a larger parameter set than FV. On the other hand, BGV outperforms FV when the plaintext modulus is medium or large. However, the analysis performed in [97] does not consider some of the available optimizations for BGV and FV. Mono et al. [99] provided a dynamic (i.e., level-dependent) noise estimation following previous works [80], [97], [98] but also considering the new features of BGV. Moreover, they provided an easy-to-use interactive parameter generator tool. Kim et al. [100] proposed several optimizations to the FV and BGV schemes and suggested a different approach to compute the ciphertext modulus of the BGV scheme, which does not require dynamic noise estimation, but at the cost of increasing the ciphertext modulus. With these optimizations, their FV variant has better noise growth than BGV for all plaintext moduli. However, their FV variant is faster than BGV only for small plaintexts, while BGV is still faster for intermediate and large plaintexts. The differences regarding the error growth between [97] and [100] can be explained by two factors: 1) Kim et al. [100] performed a static noise estimation, whereas, in [97], it is dynamic and 2) the analysis of Costache et al. [97] has some inaccuracies when computing the noise growth for FV, as pointed out in [100].
Scheme 2 (FV Scheme [13]): Let R = Z[x]/(x^d + 1), where d is a power of 2. Let q and p be positive integers; let Δ = ⌊q/p⌋ and r_p(q) = q mod p. For any natural number t, we write R_t = Z_t[x]/(x^d + 1). Let χ be a B-bounded probability distribution over R_q. Then, the FV scheme is constructed as follows.
1) Key generation: It takes as input the security parameter λ and outputs the small secret key sk = s ∈ χ. It generates a ∈ R_q uniformly at random and computes −(a·s + e) mod q, where e ∈ χ is a small random error. It outputs sk and pk = (p_0, p_1) = (−(a·s + e) mod q, a). 2) Encryption: It takes as input the message m ∈ R_p and the public key pk ∈ R_q^2. It chooses at random the values u, e_1, e_2 ∈ χ and outputs the ciphertext c = (c_0, c_1), where c_0 = (p_0·u + e_1 + Δ·m) mod q and c_1 = (p_1·u + e_2) mod q. 3) Decryption: It takes as input the secret key s ∈ R_q and the ciphertext c = (c_0, c_1) ∈ R_q^2, and it outputs m = ⌊(p/q)·[c_0 + c_1·s]_q⌉ mod p. 4) (Homomorphic) properties: a) The addition is trivial: it is performed componentwise. b) The multiplication of two ciphertexts gives as a result a quadratic polynomial, which can be transformed into a decryptable ciphertext by means of a relinearization process that reduces the degree of the ciphertext by one.
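The high-bit Δ-encoding used by FV (in contrast to BGV's least-significant-bit encoding) can be sketched on bare integers, with keys and masking omitted and purely illustrative parameters:

```python
# Scalar toy of the FV plaintext encoding (keys and masking omitted): the
# message sits in the HIGH bits, c = Delta*m + e mod q with Delta = q // p,
# and decryption rescales: m = round((p/q) * c) mod p.

q, p = 1 << 20, 16
Delta = q // p                 # 65536

def enc(m, e):
    """Place m in the high bits; e is the (small) noise."""
    return (Delta * m + e) % q

def dec(c):
    """Rescale back: correct as long as |noise| < Delta/2."""
    return round(p * c / q) % p

c1 = enc(3, 40)                # noise well below Delta/2
c2 = enc(5, -25)

assert dec(c1) == 3
assert dec(c2) == 5
assert dec((c1 + c2) % q) == (3 + 5) % p    # additive homomorphism
```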

D. Second Generation: FHE Based on NTRU
NTRU [101] is a lattice-based encryption scheme introduced by Hoffstein et al. in 1996, for which a provisional patent was filed and then granted in 2000 [102]. Since its inception, the security of this scheme was under discussion by the research community, until 2011, when Stehlé and Steinfeld [103] slightly modified the scheme to obtain a variant whose security is based on the RLWE assumption. One year later, López-Alt et al. [104] introduced the first FHE scheme inspired by the Stehlé-Steinfeld NTRU variant. It is considered part of the second generation of FHE schemes. Specifically, the authors proposed a new notion of homomorphic encryption called multikey FHE (MKFHE), which supports computation on ciphertexts encrypted under different keys (for more details on MKFHE, see [25]). This scheme, called LTV, uses the bootstrapping and modulus switching techniques, and it is constructed as follows.
1) Key generation: It chooses two small random polynomials f' and g from χ. It outputs the secret key f = 2f' + 1 ∈ R, where f ≡ 1 mod 2 and f is invertible in R_q, and the public key h = 2g·f^{−1} mod q ∈ R_q. 2) Encryption: It computes the ciphertext as c = h·s + 2e + m ∈ R_q, where m ∈ F_2 is the message, and s and e are random small elements in χ. The ciphertext is an element of R_q = Z_q[x]/(x^d + 1). 3) Decryption: It computes m = (f·c mod q) mod 2.
The security of this scheme is based on circular security, the RLWE problem, and the decisional small polynomial ratio (DSPR) problem. The DSPR problem states that it is hard to distinguish between h (as defined in the scheme construction) and uniformly random polynomials in R_q. One year later, Bos et al. [105] modified the LTV scheme [104], proposing two schemes: 1) the Yet Another Somewhat Homomorphic Encryption (YASHE) scheme, for which they removed the DSPR assumption using the scale-invariant technique at the cost of a large evaluation key and a complex key switching method and 2) a YASHE version that reintroduces the DSPR assumption to achieve a more practical construction. In 2016, Albrecht et al. [106] and, in an independent work, Cheon et al. [107] provided a subfield lattice attack that renders any NTRU-like scheme based on the DSPR problem insecure for certain parameter choices. Finally, Doröz and Sunar [108] adapted the GSW scheme [57] (see Section V-E) to the NTRU setting by removing the DSPR assumption.
Although NTRU-like schemes are, in general, faster than RLWE schemes, the work by Lepoint and Naehrig [109] showed that the FV scheme [13] has lower error than the YASHE scheme [105]. Also, Kim and Lauter [110] proved that YASHE performs better than BGV for low-degree computations, but BGV is more efficient than YASHE for high circuit depths. Moreover, Costache and Smart [98] demonstrated that YASHE is more efficient than BGV for a small plaintext modulus, but BGV is more efficient for large plaintexts. Fig. 7 shows the diagram of second-generation schemes based on NTRU, including the most relevant papers providing performance comparisons. To conclude this section, it is worth commenting that the parameter choices for NTRU-based schemes are affected by the attacks proposed in [106] and [107]. Namely, to obtain a secure NTRU-based scheme, the parameters should be significantly increased with respect to the sizes proposed before these attacks were published. This rendered NTRU-based schemes significantly less efficient than their counterparts; thus, they are no longer used nor supported by any library.

E. Third Generation: FHE Based on LWE and RLWE
A second family of (R)LWE schemes (also called the third generation of FHE, as Peikert notes in [31]) started with the Gentry et al. [57] (GSW) scheme. The GSW scheme proposes a different approach to perform homomorphic operations, introducing the approximate eigenvector method, which removes the need for the key and modulus switching techniques. This new technique reduces the error growth introduced by homomorphic multiplications to a small polynomial factor. As shown in [111], when multiplying ciphertexts that all start with the same error level, the final error grows by a poly(n) factor, where n is the dimension of the scheme (i.e., the dimension of the lattice). This is a distinctive aspect with respect to previous schemes, such as BGV or FV, for which the final error grows by a quasi-polynomial factor. The RLWE version of this scheme was given by Khedr et al. [112]. Fig. 8 describes this second family of (R)LWE schemes.
Adopting the notations used in [60] and [113], the (simplified) GSW scheme construction 5 is given as follows.
1) Key generation: It outputs the secret key s = (1, s_2, . . . , s_n) ∈ Z_q^n, where the s_i's are chosen at random, and a public key A ∈ Z_q^{n×n}, i.e., an n × n matrix such that A·s = e ≈ 0. 2) Encryption: It computes the ciphertext C = m·I_n + R·A, where m ∈ Z_q is the message, I_n is the identity matrix, and R is a random n × n matrix with coefficients in F_2; this means that the entries of R are small. 3) Decryption: It first computes C·s = m·I_n·s + R·A·s = m·s + R·e ≈ m·s. Note that, because R is small, if A·s ≈ 0, then R·A·s ≈ 0. Finally, it outputs the first element of the vector x ≈ m·s = (m·s_1, . . . , m·s_n), which is m, since s_1 = 1.
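The approximate eigenvector relation C·s = m·s + R·e can be checked numerically with toy parameters (tiny, insecure, and entirely made up), including the fact that ciphertext addition adds the eigenvalues:

```python
# Toy check of the GSW "approximate eigenvector" idea (tiny insecure
# parameters): C = m*I + R*A with A*s = e ~ 0 and R small, so s is an
# approximate eigenvector of C with eigenvalue m.

import random
random.seed(3)

n, q = 4, 1 << 16
s = [1] + [random.randrange(q) for _ in range(n - 1)]   # secret key, s_1 = 1

# Build A with A*s = e small: choose each row freely except its first entry,
# which is fixed so that the row's inner product with s equals a small e_i
# (possible because s_1 = 1).
A = []
for _ in range(n):
    row = [0] + [random.randrange(q) for _ in range(n - 1)]
    e_i = random.randint(-2, 2)
    row[0] = (e_i - sum(r * si for r, si in zip(row[1:], s[1:]))) % q
    A.append(row)

def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(n)) % q for i in range(n)]

def center(x):                       # representative in (-q/2, q/2]
    return x - q if x > q // 2 else x

def enc(m):
    """C = m*I + R*A with a small random 0/1 matrix R."""
    R = [[random.randint(0, 1) for _ in range(n)] for _ in range(n)]
    RA = [[sum(R[i][k] * A[k][j] for k in range(n)) % q for j in range(n)]
          for i in range(n)]
    return [[(RA[i][j] + (m if i == j else 0)) % q for j in range(n)]
            for i in range(n)]

# First coordinate of C*s is m*s_1 + (R*e)_1 = m + small error (s_1 = 1).
Cs = matvec(enc(42), s)
assert abs(center(Cs[0]) - 42) <= 8       # |(R*e)_1| <= n * max|e_i| = 8

# Homomorphic addition: (C1 + C2)*s ~ (m1 + m2)*s (errors add up).
C1, C2 = enc(10), enc(20)
Csum = [[(C1[i][j] + C2[i][j]) % q for j in range(n)] for i in range(n)]
assert abs(center(matvec(Csum, s)[0]) - 30) <= 16
```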
The main drawbacks of the GSW scheme are the high communication cost (the ciphertext is large with respect to the corresponding plaintext) and the computational complexity. To reduce the computational overhead, various optimizations have been proposed to improve the bootstrapping procedure (see Fig. 8). Specifically, Alperin-Sheriff and Peikert (AP) [113], [114] suggested a new bootstrapping algorithm that treats decryption as an arithmetic function instead of a Boolean circuit. Hiromasa et al. [115] optimized the AP procedure [113], constructing an FHE scheme (based on the GSW scheme) that supports homomorphic matrix operations. Moreover, Brakerski and Vaikuntanathan [111], starting from GSW, proposed the first work that managed to obtain an FHE scheme based on GapSVP with polynomial approximation factors (and circular security). Ducas and Micciancio [116] proposed a ring variant, the FHEW scheme, of the AP bootstrapping technique [113]. They introduced a new method to homomorphically compute the NAND of two standard LWE ciphertexts (by standard, we refer to the ciphertexts of Regev's scheme [44]) by evaluating a lookup table during bootstrapping. This technique was later called programmable bootstrapping (PBS) [117].
In this work, they also adopted the complex FFT, which enables the implementation of the scheme with the Fastest Fourier Transform in the West [118] library (the "W" in the scheme's name FHEW comes from this). This set of optimizations renders the bootstrapping procedure of the GSW scheme faster than that of the BGV scheme.
In a subsequent paper, Chillotti et al. [14] improved the Ducas-Micciancio result and used a different bootstrapping technique, namely, the one proposed by Gama, Izabachène, Nguyen, and Xie (GINX) [119]. The authors proposed three different FHE schemes over the torus, generally called TFHE: 1) TLWE, which is a generalized version of the LWE problem for the torus; 2) TRLWE, which is its ring variant; and 3) TRGSW, which improves the ring version of the GSW scheme. The messages of the TLWE scheme are in the torus T and the ciphertexts in T^{n+1}, whereas the ring version TRLWE of this scheme works with plaintexts in an R-module, where R is the ring of integer polynomials; namely, the message space is T_d = R[x]/(x^d + 1) mod 1. The TRGSW scheme encrypts elements of the ring of integer polynomials into a vector of TRLWE ciphertexts. It is worth commenting that [14] is an extended and improved version of previous articles presented at Asiacrypt 2016 [120], where the authors sped up the bootstrapping procedure and reduced the bootstrapping key size compared with FHEW, and Asiacrypt 2017 [121], where they improved the leveled version of TFHE.
A detailed description of the TRLWE scheme is provided in Scheme 3.
Scheme 3 (TRLWE Scheme [14]): Let T = R/Z be the real torus, R = Z[x]/(x^d + 1), and R_2 = R/2R; that is, any element in R_2 is a polynomial in R with binary coefficients (in a recent work [117], the authors used Z_q instead of the torus). Then, the TRLWE scheme is constructed as follows.
1) Key generation: It takes as input the security parameter λ and outputs the small secret key s ∈ R_2^n. 2) Encryption: It takes as input the secret key s ∈ R_2^n, the error parameter α, and the message m ∈ T. Then, it chooses a uniformly random mask a ∈ T^n and a small error e ∈ χ, where χ is a B-bounded distribution. Then, it outputs the ciphertext c := (a, s·a + m + e) ∈ T^n × T.
3) Decryption: It takes as input the secret key s ∈ R_2^n and the ciphertext c ∈ T^{n+1}. Then, it computes the secret linear κ-Lipschitz function ϕ_s (called the phase) of the ciphertext c, defined as ϕ_s(a, b) = b − s·a. Note that this function is parametrized by the secret key s ∈ R_2^n. The phase ϕ_s(c) = m + e is close to the actual message m. Ciphertexts can also be combined linearly: consider c = Σ_{i=1}^p f_i·c_i such that the error amplitude remains smaller than 1/4, that is, ||e||_∞ ≤ 1/4. Then, by [14, Fact 3.5], c is a valid ciphertext and Dec_s(c) = Σ_{i=1}^p f_i·Dec_s(c_i).
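The phase-based decryption can be sketched over the torus with floats standing in for torus elements (a scalar toy with hypothetical parameters, not the actual TFHE implementation); messages are restricted to multiples of 1/4 so that rounding the phase recovers them exactly:

```python
# Toy sketch of (scalar) TLWE over the real torus T = R/Z, using floats as
# an approximation of torus elements (illustrative, insecure parameters).
# The phase b - <s, a> equals m + e mod 1, and decoding rounds the phase to
# the nearest multiple of 1/4.

import random
random.seed(4)

n = 8
s = [random.randint(0, 1) for _ in range(n)]     # binary secret key

def enc(m):                                      # m in {0, 1/4, 1/2, 3/4}
    a = [random.random() for _ in range(n)]      # uniform mask in T^n
    e = random.uniform(-0.01, 0.01)              # small error
    b = (sum(si * ai for si, ai in zip(s, a)) + m + e) % 1.0
    return a, b

def phase(c):                                    # phi_s(a, b) = b - s.a
    a, b = c
    return (b - sum(si * ai for si, ai in zip(s, a))) % 1.0

def dec(c):
    return (round(phase(c) * 4) % 4) / 4         # nearest multiple of 1/4

for m in (0.0, 0.25, 0.5, 0.75):
    assert dec(enc(m)) == m
```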
Chillotti et al. [14] pointed out that ciphertexts can be linearly combined to obtain a new ciphertext, which encrypts the corresponding linear combination of the messages. However, when the ciphertext has to be manipulated nonlinearly, TLWE seems to miss some properties. To avoid this problem, Chillotti et al. [14] proposed the generalized scale-invariant version of GSW, called TRGSW. Note that, to "switch" from TRLWE to TLWE (and vice versa), we only have to consider the real torus T instead of the polynomial torus, {0, 1} instead of R_2, and Z instead of R.
Micciancio and Polyakov [122] compared the FHEW and TFHE schemes and showed that the performance difference is determined by the different bootstrapping algorithms adopted by the two schemes: AP [113] for FHEW and GINX [119] for TFHE. Specifically, TFHE is faster than FHEW for binary secrets, whereas, for larger secret key distributions (beyond ternary), FHEW outperforms TFHE in running time. In terms of memory, TFHE has a smaller bootstrapping key than FHEW. However, it is worth commenting that, in a very recent paper [123], Lee et al. introduced a new bootstrapping procedure that achieves the advantages of both algorithms, AP and GINX: the new method supports arbitrary secret key distributions without increasing the running time (like AP/FHEW), and it also achieves a considerably small bootstrapping key size (like GINX/TFHE).
A relevant feature of the TFHE scheme is that its bootstrapping technique enables a univariate function to be evaluated simultaneously with the noise reduction operation [117] (i.e., PBS). Several optimizations have been proposed to improve the TFHE scheme and, in particular, its PBS procedure. Namely, Carpov et al. [124] proposed a multioutput version of the PBS, that is, a new technique to perform several homomorphic operations over different variables with a single bootstrapping execution. This construction can also be used to homomorphically evaluate several functions over the same encrypted message simultaneously. In a recent work, Guimarães et al. [125] optimized the bootstrapping procedure to evaluate multiple functions on large ciphertexts, and Chillotti et al. [117] proposed several enhancements, including a generalized method to evaluate several functions at once without adding additional error. Finally, Chen et al. [126] proposed a multikey homomorphic encryption scheme from TFHE; they provide two methods to multiply a ciphertext encrypted with a single key by a ciphertext encrypted with multiple keys. To conclude this section, we would like to refer interested readers and TFHE practitioners to the recently published guide of Joye [127], which presents

F. Fourth Generation: FHE Based on LWE and RLWE
In 2017, a new generation of FHE schemes (see Fig. 9) was introduced by Cheon et al. [15]. The authors proposed a method to construct a leveled homomorphic encryption scheme for approximate arithmetic and released an open-source library implementing the scheme. This scheme was initially called HEAAN, but, nowadays, the research community refers to the scheme as CKKS (from the authors' names), while HEAAN denotes the library. The scheme construction is described in Scheme 4. The scheme was extended one year later to an FHE scheme by Cheon et al. [128], and subsequently, Cheon et al. [129] presented a variant of the CKKS scheme by including a ciphertext packing technique based on the CRT. Boemer et al. [130] introduced several optimizations, based on complex packing, to improve the runtime of scalar encoding and of ciphertext-plaintext addition and multiplication operations. Moreover, a different kind of complex packing was introduced by Kim and Song [131]. Kim et al. [132] improved the usability of CKKS and its RNS variant by proposing a new technique that minimizes the error during computation. Specifically, the idea is to rescale the ciphertext before multiplication instead of after, thus obtaining a smaller error before the multiplication is performed. Also, the bootstrapping version [128] of CKKS was enhanced by Chen et al. [133], whereas Han and Ki [134] discussed and improved the bootstrapping version of [129]. The bootstrapping version of [128] includes a homomorphic modular reduction, which is approximated by a trigonometric function to improve efficiency. Parallel works improved this approximation, such as Lee et al. [135], who improved the bootstrapping of RNS-CKKS by leveraging the technique proposed in [132]. Also, Jutla and Manohar [136] proposed a sine series to approximate the modular reduction and achieved significantly higher precision than previous works.
It is also worth mentioning other works that approximate the modular reduction without relying on trigonometric functions, such as Jutla and Manohar [137] and Lee et al. [138]. Bossuat et al. [139] proposed the most efficient RNS-CKKS bootstrapping implementation and the first practical instance of a bootstrapping algorithm with a dense secret. The problem with performing bootstrapping with a dense secret is that both the bootstrapping circuit depth and the bootstrapping failure probability increase. On the other hand, adopting a sparse secret makes bootstrapping more efficient but renders the scheme less secure due to some recent attacks (see the Li-Micciancio attack in the next paragraph and Section VI). Motivated by this tradeoff, Bossuat et al. [140] proposed a sparse-secret encapsulation technique, which overcomes the security vulnerability of sparse secrets while preserving a negligible bootstrapping failure probability. However, the bootstrapping technique in [139] is still faster than that in [140], at the cost of a higher failure probability and slightly lower precision.
In a recent work, Li and Micciancio [141] presented an attack against CKKS that works in a specific application scenario. The authors proved that the CKKS scheme (as well as all improvements and implementations of approximate encryption schemes) is vulnerable to an attack by an adversary that has access to the decryption results. Namely, the adversary can extract the secret key using only linear algebra or lattice reduction techniques. Specifically, the secret key can be obtained if the decrypted element and the corresponding ciphertext are both known because the error is a linear combination of the secret key's elements (see Scheme 4). However, as Cheon et al. pointed out in [142], this attack can be prevented if the owner of the secret key does not share the results of decrypted messages. Unfortunately, some applications, such as secure multiparty computation (MPC) or differential privacy techniques, require sharing some plaintexts. In such cases, Li and Micciancio [141] suggested that their attack could probably be avoided by modifying the decryption function to add an error at the end of the decryption process.
Scheme 4 (CKKS Scheme [15]): Let $R = \mathbb{Z}[x]/(x^d + 1)$ with $d = 2^M$. For a base $p$, a modulus $q_0$, and a natural integer $L$ (the chosen level), let $q_\ell = p^\ell \cdot q_0$ for $\ell = 1, \dots, L$. Note that a ciphertext of level $\ell$ is a vector in $R_{q_\ell}^2$. Let us consider the following relevant distributions. For a real number $\sigma$, $\mathcal{DG}(\sigma^2)$ is a vectorial discrete Gaussian distribution over $\mathbb{Z}^d$, which samples each of its components from independent discrete Gaussian distributions of variance $\sigma^2$. For a real number $0 < \rho < 1$, the distribution $\mathcal{ZO}(\rho)$ is the distribution over $\{-1, 0, 1\}^d$, which draws $0$ with probability $1 - \rho$ and $-1$ or $1$ each with probability $\rho/2$. Finally, let $\chi$ be a $B$-bounded distribution.
The leveled CKKS scheme is constructed as follows.
1) Key generation: It takes as input the security parameter $\lambda$ and chooses $M$, integers $h$ and $t$, and a real number $\sigma$ such that the best known attack against the associated RLWE instance has complexity $2^\lambda$.

Fig. 9. Main fourth-generation FHE schemes based on the LWE and RLWE problems.
It computes the secret key sk $= (1, s)$, where $s \leftarrow \chi$. It samples $a \in R_{q_L}$ uniformly at random and $e \leftarrow \mathcal{DG}(\sigma^2)$, and computes $b = -as + e \bmod q_L$. Finally, it samples $a' \in R_{t \cdot q_L}$ uniformly at random and $e' \leftarrow \mathcal{DG}(\sigma^2)$, and computes $b' = -a's + e' + t s^2 \bmod t \cdot q_L$. It outputs the secret key sk $= (1, s)$, the public key pk $= (b, a)$, and the evaluation key evk $= (b', a')$. 2) Encryption: It takes as input the message $m \in R$ and the public key pk $\in R_{q_L}^2$. It samples $v \leftarrow \mathcal{ZO}(1/2)$ and $e_0, e_1 \leftarrow \mathcal{DG}(\sigma^2)$, and outputs $c = (\beta, \alpha) = v \cdot \mathrm{pk} + (m + e_0, e_1) \bmod q_L$.

3) Decryption: It takes as input the secret key sk $= (1, s)$ and a ciphertext $c \in R_{q_\ell}^2$. It computes $m' = \langle c, \mathrm{sk} \rangle \bmod q_\ell = \beta + \alpha s \bmod q_\ell$.
It is worth clarifying that, when we have two ciphertexts $c$ and $c'$ of two different levels $\ell' < \ell$, we should reduce the level of the ciphertext with the higher level so that both levels match. This can be achieved with a rescaling procedure that takes a ciphertext $c \in R_{q_\ell}^2$ at level $\ell$ and outputs $c' = \lfloor (q_{\ell'}/q_\ell) \cdot c \rceil \bmod q_{\ell'}$.
An interesting feature of CKKS is that the message space can be represented as elements of the field of complex numbers $\mathbb{C}$. Informally, the message $m$ can be embedded in $S = \mathbb{R}[x]/(x^d + 1)$. Since the roots of $x^d + 1$ are complex primitive roots of unity in $\mathbb{C}$, to convert $m \in S$ into a vector of complex numbers, it suffices to evaluate it at these complex roots. For more details, see [15, sec. 3].
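As an illustration of the three algorithms above, the following toy sketch mirrors the structure of Scheme 4 (key generation, encryption, and decryption) at a single level, with deliberately tiny, insecure parameters. All names and values are illustrative; the evaluation key, rescaling, and encoding steps are omitted.

```python
import random

# Toy RLWE encryption mirroring Scheme 4's keygen/encrypt/decrypt.
# Parameters are illustrative and far too small to be secure.
d, q = 8, 1 << 20   # ring Z_q[x]/(x^d + 1), single modulus level

def polymul(a, b):
    """Negacyclic convolution: multiplication modulo x^d + 1 and q."""
    res = [0] * d
    for i in range(d):
        for j in range(d):
            k, v = i + j, a[i] * b[j]
            if k < d:
                res[k] = (res[k] + v) % q
            else:
                res[k - d] = (res[k - d] - v) % q   # x^d = -1
    return res

add = lambda a, b: [(x + y) % q for x, y in zip(a, b)]
small = lambda: [random.randint(-3, 3) for _ in range(d)]        # error terms
ternary = lambda: [random.choice((-1, 0, 1)) for _ in range(d)]  # secret / ZO

def keygen():
    s = ternary()
    a = [random.randrange(q) for _ in range(d)]
    b = add([-x % q for x in polymul(a, s)], small())    # b = -a*s + e
    return s, (b, a)

def encrypt(pk, m):
    b, a = pk
    v = ternary()
    beta = add(add(polymul(v, b), m), small())    # v*b + m + e0
    alpha = add(polymul(v, a), small())           # v*a + e1
    return beta, alpha

def decrypt(s, c):
    beta, alpha = c
    m = add(beta, polymul(alpha, s))              # <c, sk> = beta + alpha*s
    return [((x + q // 2) % q) - q // 2 for x in m]   # centred representative

s, pk = keygen()
m = [random.randrange(0, 1000) for _ in range(d)]
m2 = decrypt(s, encrypt(pk, m))
assert all(abs(x - y) < 100 for x, y in zip(m, m2))   # m recovered up to noise
```

Decryption yields $m + v e + e_0 + e_1 s$, so the message is recovered only up to a small additive error, which is exactly the approximate behavior that CKKS embraces by design.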
The fourth-generation schemes are similar to the second generation. The main difference is that the fourth-generation schemes are approximate, i.e., they use approximate computation, which is considerably faster. Specifically, the fourth generation embeds the message space into a complex hyperplane, and the encryption error is absorbed into the approximation error that is inherently introduced during computation over real-valued numbers. An interesting feature of CKKS is the capability to homomorphically operate over approximations of real numbers, which makes it a suitable scheme for floating-point arithmetic. Another similarity is that the schemes from both generations have efficient packing techniques, and they can compute only sums and products efficiently (any nonlinear operation becomes computationally expensive).
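The packing just mentioned can be made concrete in plain (unencrypted) arithmetic: evaluating a real polynomial at the complex roots of $x^d + 1$ yields $d/2$ independent complex "slots" (the other $d/2$ evaluations are forced to be conjugates), and one ring multiplication acts on all slots at once. The sketch below, with illustrative values, checks both properties.

```python
import cmath

# CKKS-style packing in the clear: a real polynomial evaluated at the
# complex roots of x^d + 1 gives d/2 independent slots, and multiplication
# modulo x^d + 1 acts slot-wise (SIMD). No encryption involved.

d = 8
# the roots of x^d + 1 are exp(i*pi*(2k+1)/d), k = 0..d-1
roots = [cmath.exp(1j * cmath.pi * (2 * k + 1) / d) for k in range(d)]

def evaluate(p, x):
    return sum(c * x**i for i, c in enumerate(p))

def polymul(a, b):
    """Multiplication modulo x^d + 1 (negacyclic convolution)."""
    res = [0.0] * d
    for i in range(d):
        for j in range(d):
            if i + j < d:
                res[i + j] += a[i] * b[j]
            else:
                res[i + j - d] -= a[i] * b[j]
    return res

p1 = [1.0, 2.0, 0.0, -1.0, 0.5, 0.0, 3.0, 1.0]
p2 = [0.5, 0.0, 1.0, 2.0, -1.0, 1.0, 0.0, 0.25]

slots1 = [evaluate(p1, r) for r in roots]
slots2 = [evaluate(p2, r) for r in roots]
slots12 = [evaluate(polymul(p1, p2), r) for r in roots]

# one ring product = d slot-wise complex multiplications at once
for k in range(d):
    assert abs(slots12[k] - slots1[k] * slots2[k]) < 1e-6

# conjugate symmetry: for real coefficients, only d/2 slots are free
for k in range(d // 2):
    assert abs(slots1[k].conjugate() - slots1[d - 1 - k]) < 1e-9
```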
It is important to highlight the work proposed by Boura et al. [143], the CHIMERA scheme, which is a hybrid solution combining three RLWE-based FHE schemes: TFHE [14], B/FV [13], [50], and CKKS [128]. CHIMERA has the special property that it enables switching between the three schemes. The authors start by defining a common plaintext space between the three schemes by constructing an embedding of the different message spaces. By leveraging the bootstrapping technique, CHIMERA enables switching ciphertexts from TFHE to FV (and vice versa) and from CKKS to FV (and vice versa). FV must be used as an intermediate step for transformations between TFHE and CKKS. CHIMERA was first presented as a solution to the Idash'18 Track 2 competition [124], [144], and it was later improved upon in PEGASUS by Lu et al. [145].

G. Final Considerations
To the best of our knowledge, BGV [12], B/FV [13], TFHE [14], and CKKS [128] are the most practical and widely adopted schemes. The second-generation schemes, BGV and B/FV, are suitable to work with finite fields in modular exact arithmetic. They are equipped with efficient packing, which enables the use of SIMD (namely, single instruction multiple data) instructions to perform computations over vectors of integers (i.e., batching). Thus, these schemes are excellent candidates when large arrays of numbers are to be processed simultaneously.
Second-generation schemes are not good candidates for circuits where bootstrapping is required (i.e., circuits with large multiplicative depth) or where nonlinear functions are to be implemented. Third-generation schemes should be adopted instead, namely, TFHE, which can outperform previous schemes for bitwise operations, i.e., when computations are expressed as Boolean circuits [58]. The main limitation of TFHE is the lack of support for CRT packing (i.e., batching); hence, the scheme can be outperformed by previous approaches when processing large amounts of data simultaneously. The fourth generation, i.e., CKKS, is the best option for arithmetic over real numbers. Table 1 provides a comparison among the schemes' families, and Fig. 10 depicts the main applications for each generation of schemes. It is worth clarifying that, although TFHE provides the fastest bootstrapping procedure, the batching feature of second- and fourth-generation schemes allows for the parallel bootstrapping of several plaintexts. For the specific case of CKKS, it is possible to obtain a more efficient amortized bootstrapping than for TFHE (this special case is reflected in Table 1 with the • symbol). This is, however, not true for second-generation schemes because their number of slots is significantly lower than for CKKS. For example, in BGV, the number of slots is only about 1000, compared to roughly $2^{15}$ for CKKS. This renders CKKS bootstrapping more than one order of magnitude (often two) faster than BGV bootstrapping.

H. Other Works
In a recent work by Doröz et al. [146], an FHE scheme based on a new hard problem, the finite field isomorphism problem, was introduced; it relies on the difficulty of recovering a secret isomorphism between two finite fields. Moreover, in 2019, Joux [147] proposed a scheme whose techniques are similar to those of (R)LWE but with arithmetic modulo large Fermat numbers, namely, numbers of the form $F_f = 2^{2^f} + 1$, where $f \in \mathbb{N}$.

VI. S E C U R I T Y O F S C H E M E S B A S E D O N (R)LWE P R O B L E M S
As described in Section III-G, the LWE problem consists of finding the secret vector $s \in \mathbb{Z}_q^n$, given $b \in \mathbb{Z}_q^m$ and $A \in \mathbb{Z}_q^{m \times n}$ such that $As + e = b \bmod q$, where $e \in \mathbb{Z}_q^m$ is sampled from the error distribution $\chi$. The security of LWE-based schemes depends on the intractability of this problem, and attacks on these schemes are based on finding efficient algorithms to solve it. In this framework, Albrecht et al. [148] presented three different methodologies to solve the LWE problem (see Fig. 11): 1) based on the BDD problem (see Section VI-B); 2) based on the SIS problem (see Section VI-C); and 3) a direct search for the secret $s$ (see Section VI-D). Conceptually, the central part of the first and the second methodology is a lattice reduction: starting from a bad (i.e., long) lattice basis, find a better (i.e., reduced and more orthogonal) basis. Note that Albrecht et al. [148] showed that there is no single best attack against all possible parameters. Regarding the schemes based on the RLWE problem, the same considerations apply. According to the Homomorphic Encryption Security Standard [58], if the error distribution is chosen correctly, then there are no better attacks on RLWE than on LWE. This is because the best known attacks do not leverage any property of the ring structure. In this claim, the correct choice of the error distribution only refers to a sufficiently well spread distribution [149], [150], [151] (see Section VI-E).
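For concreteness, the following toy sketch builds an LWE instance with illustrative (and insecure) parameters and checks the defining relation: once the secret is known, each sample leaves only a small centred residue, and it is precisely this small error that blocks plain Gaussian elimination.

```python
import random

# A toy LWE instance (A, b = A*s + e mod q). Without the error term, s is
# recoverable by Gaussian elimination; the small error e is what makes the
# problem hard. Parameters are illustrative and far too small to be secure.

n, m, q = 4, 8, 97
random.seed(0)

s = [random.randrange(q) for _ in range(n)]                   # secret
A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
e = [random.randint(-2, 2) for _ in range(m)]                 # small error
b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]

# each sample satisfies b_i - <a_i, s> = e_i mod q, a *small* residue
for i in range(m):
    r = (b[i] - sum(A[i][j] * s[j] for j in range(n))) % q
    r = r - q if r > q // 2 else r      # centred representative in (-q/2, q/2]
    assert abs(r) <= 2
```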
A comprehensive explanation of lattice attacks can be found in [148], [152], [153], and [154]. Moreover, the work of Bindel et al. [155] extends previous studies with an analysis of how the number of samples affects the hardness of LWE. It is worth highlighting the work of Albrecht et al. [148], which not only describes LWE attacks in detail but also provides a software tool to determine the security level of LWE instances. The first version of this tool is referred to as the LWE estimator and has been adopted in the Homomorphic Encryption Security Standard [58] to provide specific parameters for FHE schemes. The new version, denoted the lattice estimator, "was born out of frustration with the limitations of the old codebase," as Albrecht [156] mentioned in his blog. Fig. 12 shows the timeline and fundamentals of the main lattice attacks proposed to date.

A. Lattice Reduction Algorithms
The most well-known lattice reduction algorithm used in practice is BKZ (block Korkin-Zolotarev reduction), due to Schnorr and Euchner [157]. This is a blockwise iterative algorithm for basis reduction that can be seen as a generalization of the LLL algorithm introduced in 1982 by Lenstra et al. [158]. Recently, several variants of the BKZ algorithm have been proposed [159], [160], [161], [162], [163]. In these algorithms, the time complexity and the output quality (i.e., the orthogonality of the reduced basis) are characterized by the Hermite factor [164] and are given as a tradeoff. Specifically, the run time of the BKZ algorithm is higher when the root Hermite factor $\delta_0$ is smaller [157]. This is also shown in Lindner and Peikert's estimation [165] (see Fig. 12) and is supported by a more realistic estimation provided in [148]. Starting from the data provided by Liu and Nguyen [166], a similar relation between $\delta_0$ and the run time of the BKZ 2.0 algorithm [159] was found by Albrecht et al. [167] (see Fig. 12). It is also worth commenting that the quality of the output decreases with higher values of $\delta_0$. The formula linking the root Hermite factor attainable by BKZ and the block size $b$ of this algorithm was heuristically established (and well verified experimentally) by Chen [168] in his Ph.D. thesis. For more details about lattice reduction algorithms, we refer the readers to [148] by Albrecht et al. and the survey on algorithms for the SVP and CVP by Hanrot et al. [169].
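Although BKZ and LLL are out of scope here, the two-dimensional case (the Lagrange-Gauss algorithm) conveys the basis-reduction idea in a few lines: repeatedly subtract the closest integer multiple of the shorter basis vector from the longer one. The basis below is an illustrative choice.

```python
# The Lagrange-Gauss algorithm: basis reduction in dimension 2, the
# simplest instance of the idea behind LLL and BKZ. In dimension 2 the
# output basis contains a shortest nonzero lattice vector.

def norm2(v):
    return v[0] * v[0] + v[1] * v[1]

def lagrange_gauss(u, v):
    if norm2(u) > norm2(v):
        u, v = v, u
    while True:
        # integer closest to the projection coefficient of v on u
        mu = round((u[0] * v[0] + u[1] * v[1]) / norm2(u))
        v = (v[0] - mu * u[0], v[1] - mu * u[1])
        if norm2(v) >= norm2(u):
            return u, v        # no further improvement: basis is reduced
        u, v = v, u

# (7, 11) and (10, 15) generate the same lattice as (2, 1) and (-1, 2),
# whose shortest nonzero vectors have squared norm 5
u, v = lagrange_gauss((7, 11), (10, 15))
assert norm2(u) == 5 and norm2(v) == 5
```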

B. Attacks Based on Bounded Distance Decoding Problem
These attacks are based on solving LWE via the BDD problem (see Section III-D). Specifically, the main strategy of this kind of attack consists of finding $v$, the closest lattice vector to $As + e$, in the lattice $L = L(A)$. Note that, knowing $v$, which equals $As$, we can obtain $s$ and, thus, solve the LWE problem. The following strategies have been proposed.

1) BDD Enumeration (Decoding):
This attack was proposed by Lindner and Peikert [165], who modified the nearest plane algorithm analyzed by Babai [170] using multiple planes to decrease the probability of failing to find the vector $A^t s$. The Lindner-Peikert algorithm has two main steps. First, it applies lattice reduction (using BKZ) to obtain a new basis $\{\beta_1, \dots, \beta_n\}$. Second, it performs a recursive search for an integer combination of the basis vectors $\beta_i$ that is close to the target vector $v$. In 2013, Liu and Nguyen [166], starting from the paper by Gama et al. [171], improved both the Lindner-Peikert algorithm and Babai's.
Subsequently, Buchmann et al. [172] provided a hybrid attack for the LWE setting, following the approach of Howgrave-Graham [173], who combined lattice reduction and meet-in-the-middle (MITM) attacks. The authors showed that, for specific parameters and in the binary error setting (i.e., the errors are random vectors in $\{0, 1\}^m$), their attack surpasses previous attacks on LWE. We refer to Wunderer's Ph.D. thesis for an analysis of the hybrid decoding attack [174].
2) Reduction of BDD Problem to uSVP: The attacks based on uSVP try to solve the LWE problem by constructing an integer embedding lattice using either the Bai-Galbraith [175] or the Kannan [176] technique. The main idea is to embed the lattice $L(A) = \{Ay : y \in \mathbb{Z}_q^n\}$ into a higher dimensional lattice $L(A')$, where $A' = (A \mid I_m \mid -b)$. This new lattice $L(A')$ has dimension $d = n + m + 1$ (note that the dimension of $L(A)$ is $n$) and a unique shortest vector $v = (s, e, 1)$, where $e$ is the error and $s$ is the secret of the LWE instance $(A, As + e)$. Thus, finding the shortest vector $v$ in $L(A')$ is equivalent to solving the LWE problem. There are two methods to estimate the cost of solving LWE using the uSVP strategy. The first one was proposed by Gama and Nguyen [164] (called the 2008 estimate) and later updated by Albrecht et al. [177]. The second method (called the 2016 estimate) is due to Alkim et al. [178], who predicted that $e$ can be found if $\sqrt{b}\,\sigma \leq \delta_0^{2b - d - 1} \cdot q^{m/d}$, where $\sigma$ is the standard deviation of the error distribution, $b$ is the block size of the underlying lattice reduction algorithm, and $\delta_0$ is the root Hermite factor (see Section III-A). After that, Albrecht et al. [179] compared these two estimates and verified experimentally the prediction of [178] when the error vector was sampled coefficientwise from a discrete Gaussian distribution. In 2019, Bai et al. [180] revisited the previous analysis of Alkim et al. [178] and Albrecht et al. [179] and provided experiments on estimating the cost of solving LWE via uSVP, suggesting that the 2016 estimate is more accurate than the 2008 estimate. In a recent work, Dachman-Soled et al. [181] generalized the uSVP attack and proved that the predictions of Alkim et al. [178] and Albrecht et al. [179] are not accurate for small block sizes (i.e., $b \leq 30$). In a parallel work, Chen et al. [182] showed similar results.
Namely, they found that, for settings with small error and secret values, i.e., sampled from binary and ternary distributions, the 2008 and 2016 estimates [178] are optimistic for small block sizes (i.e., $b \leq 45$). These studies show that the security levels for small block sizes are lower than initially described by the online LWE estimator [148]. However, it is important to mention that, as Dachman-Soled et al. [181] confirm, small block sizes are not relevant in practice. In 2021, Postlethwaite and Virdia [183] improved the result of Dachman-Soled et al. [181] and provided a simulator that predicts the block sizes needed to solve uSVP instances via lattice reduction.
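The embedding described above can be checked mechanically on a toy instance: building $A' = (A \mid I_m \mid -b)$ from an LWE sample, the planted vector $v = (s, e, 1)$ lies in the associated $q$-ary lattice and is unusually short. The parameters below are illustrative only; an actual attack would then run lattice reduction to find $v$.

```python
import random

# Kannan-style embedding sketch: turn an LWE instance (A, b = A*s + e mod q)
# into A' = (A | I_m | -b). The vector v = (s, e, 1) satisfies A'*v = 0 mod q
# and is far shorter than a random lattice vector, so solving uSVP in the
# associated lattice recovers s. Toy parameters only.

n, m, q = 3, 6, 97
random.seed(1)

s = [random.randint(-1, 1) for _ in range(n)]    # short secret
e = [random.randint(-2, 2) for _ in range(m)]    # short error
A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]

# A' = (A | I_m | -b), an m x (n + m + 1) matrix
Ap = [A[i] + [1 if i == k else 0 for k in range(m)] + [(-b[i]) % q]
      for i in range(m)]
v = s + e + [1]                                   # the planted short vector

# A'*v = A*s + e - b = 0 (mod q), and v is tiny compared with q
assert all(sum(Ap[i][j] * v[j] for j in range(n + m + 1)) % q == 0
           for i in range(m))
assert sum(x * x for x in v) < q
```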

C. Attacks Based on the Short Integer Solution Problem
The attacks based on the dual strategy (also called dual attacks) consist of solving the LWE problem via the SIS strategy (see Section III-F), namely, of finding a short vector in the scaled dual lattice $L_q^\perp = \{x \in \mathbb{Z}_q^m : xA \equiv 0 \bmod q\}$. Note that this problem is equivalent to solving the Decision-LWE problem. Indeed, given LWE samples $(A, b)$, we can decide whether $b = As + e$ or $b$ is uniformly random by computing $\langle v, b \rangle$ for a short $v \in L_q^\perp$: if $b = As + e$, then $\langle v, b \rangle = \langle v, e \rangle \bmod q$. Since $\langle v, e \rangle$ is short (i.e., $v$ and $e$ are sufficiently short), the adversary has to check whether $\langle v, b \rangle$ is close to zero modulo $q$.
The advantage of distinguishing $\langle v, e \rangle$ from random, computed by Lindner and Peikert [165], is close to $e^{-\pi(\|v\|\alpha)^2}$, where $\alpha$ is given by the Gaussian distribution $\chi$, namely, $\alpha q$ is the width parameter of $\chi$ (see Section II-B). To produce such a short $v$, we require a lattice reduction algorithm. Note that the outcome of the lattice reduction is a vector of norm $\|v\| \approx \delta_0^m q^{n/m}$, where $\delta_0$ depends on the algorithm used, and Micciancio and Regev [29] showed that the minimum of $f(m) = \delta_0^m q^{n/m}$ is obtained when $m = \sqrt{n \log q / \log \delta_0}$. Albrecht [152] presented a variant of the dual attack taking into consideration small and sparse secrets. Also, Cheon et al. [184] proposed a new hybrid attack combining the dual attack of Albrecht [152] and the MITM attack on NTRU by Howgrave-Graham et al. [185]. This hybrid attack outperforms the dual attack for some specific parameter sets of homomorphic encryption schemes, namely, for sparse ternary secrets, and it was extended by Espitau et al. [186] to binary secrets as well.
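A toy version of the dual distinguisher can be run with the short dual vector planted by construction instead of being found through lattice reduction; all parameters are illustrative.

```python
import random

# Dual (SIS-based) distinguisher sketch: given a short x in the scaled dual
# lattice (x*A = 0 mod q), the product <x, b> is small modulo q when
# b = A*s + e, but uniform when b is random. Here the short dual vector is
# planted rather than found by lattice reduction.

n, m, q = 4, 8, 257
random.seed(2)

# plant a short x with x_{m-1} = 1, then force the last row of A so x*A = 0
x = [random.randint(-1, 1) for _ in range(m - 1)] + [1]
A = [[random.randrange(q) for _ in range(n)] for _ in range(m - 1)]
last = [(-sum(x[i] * A[i][j] for i in range(m - 1))) % q for j in range(n)]
A.append(last)
assert all(sum(x[i] * A[i][j] for i in range(m)) % q == 0 for j in range(n))

def centred(v):
    v %= q
    return v - q if v > q // 2 else v

s = [random.randrange(q) for _ in range(n)]
e = [random.randint(-2, 2) for _ in range(m)]
b_lwe = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]

# <x, b_lwe> = <x, A*s> + <x, e> = <x, e> mod q: bounded by m*|x|*|e| = 16,
# far from the typical magnitude ~q/4 of a uniformly random inner product
stat = centred(sum(x[i] * b_lwe[i] for i in range(m)))
assert abs(stat) <= 16
```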

D. Exhaustive Search on Secret Key s
This strategy consists of directly finding $s$ such that $\|As - b\|$ is small. This can be achieved with the Arora-Ge algorithm [187]. This algorithm uses a linearization technique, which mainly consists of adding new variables to the system to transform nonlinear equations into linear ones. It also relies on the assumption that the error lies in a fixed range. The Arora-Ge algorithm solves LWE in time $2^{O(n^{2\varepsilon})}$, where $\varepsilon$ is such that $\alpha q = n^\varepsilon$ and $\alpha q$ is the width parameter of the Gaussian distribution $\chi$ (see Section II-B).
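A minimal sketch of the linearization step, under the simplifying assumption that every error lies in $\{0, 1\}$: each sample then satisfies a quadratic equation in $s$, and introducing one variable per monomial $s_i s_j$ yields a linear system over $\mathbb{Z}_q$. All parameter choices below are illustrative.

```python
import random

# Arora-Ge linearization sketch. With error in {0, 1}, every sample obeys
# (b - <a, s>)(b - <a, s> - 1) = 0 mod q, i.e., a quadratic equation in s.
# With t = <a, s> this expands to  t^2 + (1 - 2b) t = b - b^2 (mod q).
# Treating each monomial s_i * s_j as a fresh unknown makes the system
# linear; n = 2, so n(n + 3)/2 = 5 monomials suffice.

n, q, samples = 2, 97, 20
random.seed(3)

s = [random.randrange(q) for _ in range(n)]

rows, rhs = [], []
for _ in range(samples):
    a = [random.randrange(q) for _ in range(n)]
    e = random.randint(0, 1)
    b = (sum(a[i] * s[i] for i in range(n)) + e) % q
    # unknowns: [s0, s1, s0*s0, s0*s1, s1*s1]
    rows.append([((1 - 2 * b) * a[0]) % q, ((1 - 2 * b) * a[1]) % q,
                 (a[0] * a[0]) % q, (2 * a[0] * a[1]) % q, (a[1] * a[1]) % q])
    rhs.append((b - b * b) % q)

def solve_mod(M, y, q):
    """Gauss-Jordan elimination over Z_q (q prime), assuming full column rank."""
    aug = [r[:] + [y[i]] for i, r in enumerate(M)]
    ncol = len(M[0])
    piv = 0
    for col in range(ncol):
        r = next(i for i in range(piv, len(aug)) if aug[i][col] % q)
        aug[piv], aug[r] = aug[r], aug[piv]
        inv = pow(aug[piv][col], -1, q)
        aug[piv] = [(v * inv) % q for v in aug[piv]]
        for i in range(len(aug)):
            if i != piv and aug[i][col] % q:
                f = aug[i][col]
                aug[i] = [(v - f * w) % q for v, w in zip(aug[i], aug[piv])]
        piv += 1
    return [aug[i][-1] for i in range(ncol)]

sol = solve_mod(rows, rhs, q)
assert sol[:n] == s    # the linear part of the solution is the secret itself
```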

E. Attacks on the RLWE Problem
As previously mentioned, RLWE-based schemes are, with respect to known attacks, as secure as their LWE counterparts when the error distribution is correctly chosen. However, there are known examples of error distributions that are insecure for certain rings. In 2015, Elias et al. [188] provided an attack on the decision version of the RLWE problem for two specific families of polynomials (namely, families whose defining polynomial depends on the ciphertext modulus of the scheme). Chen et al. [189] generalized this attack to certain Galois number fields and defined a new solution for the RLWE problem. These results were later improved by Chen et al. [190] and Castryck et al. [149], [150].
Note that, in the Homomorphic Encryption Security Standard paper [58], the authors provide secure parameters for RLWE schemes over power-of-two cyclotomic rings. On the other hand, for generic cyclotomic rings, Ducas and Durmus [54], Lyubashevsky et al. [53], [191], and Crockett and Peikert [192] investigated the types of the error distribution and proposed different ways of choosing a safe error polynomial.

F. Concrete Parameters
Finding an optimal set of parameters for a specific FHE scheme is challenging since it is function-dependent. For example, for the second-generation schemes, the complexity (i.e., depth) of the function to be homomorphically evaluated impacts the error growth. Higher depths require a higher ciphertext modulus $q$, and the adoption of a higher modulus decreases the security level. The security level can be increased by adopting a higher polynomial degree, but this impacts efficiency. Some works [97], [98], [99] have proposed theoretical bounds for error growth estimation, which can be used to obtain the parameters heuristically. However, these works are too conservative with respect to the parameters used in practice. The reason is that these theoretical bounds aim for a very low failure probability (e.g., less than $2^{-55}$), whereas, in practical scenarios, higher failure probabilities are still acceptable. The main open problem in the field of parameter selection is that there is a significant gap between the parameters obtained theoretically using the previously proposed heuristics and the parameters used in practice, obtained in a trial-and-error fashion [97].
The Homomorphic Encryption Security Standard [58] presents some recommended (and conservative) parameters for FHE schemes, following the LWE estimator [148]. Specifically, starting from the dimension $n = 2^k$ (with $k \in \{10, \dots, 15\}$), Albrecht et al. [58] provide recommended values of $q$ for a given security level $\lambda \in \{128, 192, 256\}$. In this standard, the error follows a discrete Gaussian distribution with standard deviation $\sigma \approx 3.2$, whereas the distribution for the secret key can be one of the following: 1) uniform ternary, i.e., the secret $s$ is chosen uniformly at random from $\{-1, 0, 1\}^n$; 2) uniform, i.e., the secret $s$ is chosen uniformly at random from $\mathbb{Z}_q^n$; and 3) Gaussian with $\sigma \approx 3.2$, the same as the error distribution.
It is worth commenting that, despite the valuable contribution and the impact of the Homomorphic Encryption Security Standard [58], there are some limitations that have been pointed out by Curtis and Player [193].
1) The standard does not consider a sparse ternary secret of Hamming weight $h$ (i.e., a distribution where the elements are sampled uniformly at random from $\{-1, 0, 1\}^n$ with exactly $h$ components different from zero). Note that many implementations use exactly this secret distribution (e.g., CKKS uses a sparse ternary secret with $h = 64$).
2) Sparse secrets are not covered by the standard because a wider range of attacks can be applied to them [193].
3) The standard and the LWE estimator do not consider hybrid attacks. In particular, when the secret vector follows a sparse distribution with Hamming weight $h = 128$, hybrid attacks are very powerful and, as a result, cause a noticeable security loss [193]. The new version of the estimator, i.e., the lattice estimator, does consider this kind of attack. It is also worth mentioning that the lattice estimator has been updated with state-of-the-art attacks, hence covering not only hybrid but also exhaustive search and MITM attacks (see the blog [194] of Curtis and Walter).
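For reference, the secret distributions discussed above, including the sparse ternary distribution with Hamming weight $h$ that the standard omits, can be sampled as follows. This is an illustrative sketch, not a constant-time or cryptographic-quality sampler.

```python
import random

# Samplers for the secret-key distributions discussed in this section:
# the three covered by the Homomorphic Encryption Security Standard, plus
# sparse ternary with Hamming weight h. Illustrative code only; sigma = 3.2
# matches the standard's error parameter.

def uniform_ternary(n):
    return [random.choice((-1, 0, 1)) for _ in range(n)]

def uniform(n, q):
    return [random.randrange(q) for _ in range(n)]

def discrete_gaussian(n, sigma=3.2):
    # simple rounded continuous Gaussian; real implementations use
    # dedicated constant-time discrete Gaussian samplers
    return [round(random.gauss(0, sigma)) for _ in range(n)]

def sparse_ternary(n, h):
    s = [0] * n
    for i in random.sample(range(n), h):   # exactly h nonzero positions
        s[i] = random.choice((-1, 1))
    return s

s = sparse_ternary(1 << 10, 128)
assert sum(1 for v in s if v != 0) == 128   # Hamming weight is exactly h
assert set(s) <= {-1, 0, 1}
```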
To conclude this section, we highlight the weakness of adopting secrets from a sparse distribution and the deleterious effect of hybrid attacks with one example, reported by [193, Table 2], in Table 2. Specifically, in Table 2, $\lambda_{\text{target}}$ is the currently standardized LWE security level for specific $n = 2^{10}$ and $q$ with a uniform ternary secret [88]. The last four columns represent the security of each parameter set against uSVP attacks (see Section VI-B2), dual attacks (see Section VI-C), hybrid decoding attacks [172] (see Section VI-B1), and hybrid dual attacks [184] (see Section VI-C) for a sparse secret with Hamming weight $h = 128$, using the BKZ algorithm. Note that Curtis and Player [193] used a conservative analysis for both hybrid attacks.

VII. FHE F O R M A C H I N E L E A R N I N G
This section provides a comprehensive view of privacy-preserving ML, a topic that, though fairly new, has been the subject of multiple research efforts. ML refers to a set of algorithms and computing systems used to build models that incorporate or learn structural knowledge of input datasets. A limitation to its wide adoption is the fact that ML mandates access to a large amount of data to achieve high accuracy rates, thus introducing data privacy and security concerns. FHE enables arithmetic evaluation over encrypted real-valued data, which, in turn, enables the development of privacy-preserving ML (PPML) training algorithms and potentially provides a way to overcome the aforementioned privacy and security concerns. FHE plays a critical role in distributed ML, as it has the ability to support confidential secure computing scenarios. An example of a potential PPML model is shown in Fig. 13.

A. Support Vector Machines
Support vector machines (SVMs) are widely used for their performance in classification tasks, and multiple privacy-preserving SVM computing schemes have been proposed. Laur et al. [195] proposed a privacy-preserving scheme for both SVM training and classification using additively homomorphic encryption and secret sharing or secure MPC protocols. Park et al. [196] present an algorithm based on homomorphic encryption for the SVM training phase, which avoids inefficient operations within the encrypted domain. Rahulamathavan et al. [197] proposed a two-class and multiclass classification protocol based on SVMs, which exploits Paillier's cryptosystem [8] and secure two-party computation (the client and server parties each hold a share of the secret). In a more practical implementation, Makri et al. [198] present EPIC, an image classification system trained with an SVM computing scheme, whose input features are extracted with transfer learning techniques. EPIC uses MPC tools to achieve privacy-preserving classification and can be applied to the homomorphic encryption domain.

B. Neural Networks and Other Machine Learning Models
Neural networks can be thought of as a generalization of regression to represent elaborate relationships between high-dimensional input data and output data. PPML with neural networks has been addressed by multiple research efforts, even though computational complexity remains a challenge, especially when neural networks are used for training over encrypted data.
Graepel et al. [199] use training algorithms that can be expressed as low-degree polynomials in order to train over encrypted data leveraging SHE. While this works well in very limited applications, the accuracy of the proposed system is relatively low and cannot compete with neural networks. It also cannot be scaled to more complex operations, such as division or exponentiation. Nikolaenko et al. [200] created a high-performance ridge regression system using additively homomorphic encryption and garbled circuits, and evaluated it on very-large-scale datasets. Bost et al. [201] propose a scheme that uses three homomorphic systems (i.e., the Paillier cryptosystem, quadratic residuosity, and the BGV scheme) and garbled circuits to provide privacy-preserving classification for three different ML algorithms: hyperplane decision, naïve Bayes, and decision trees (DTs), where the feature descriptions are assumed to be public. Mohassel and Zhang [202] present protocols for PPML for linear regression, logistic regression, and neural network training using the stochastic gradient descent method. Aslett et al. [203] present methodologies to train ML models, such as random forests (using a stochastic fraction estimator) and naïve Bayes (using a semiparametric model for the class decision boundary), and demonstrate their accuracy when applied to data encrypted with homomorphic encryption. Khedr et al. [204] present a hardware architecture that implements Bayesian filters and DTs for homomorphically encrypted data. Li et al. [205] investigate MKFHE using collaborative learning over input datasets encrypted with different encryption schemes and keys. The approach, however, suffers from scalability issues and high computational complexity. Dowlin et al. [206] present CryptoNets, which apply a neural network (an artificial feed-forward neural network, known to a specific party and trained on plaintext data) to make predictions with high accuracy on homomorphically encrypted data.
The performance of CryptoNets is rather limited due to the replacement of the sigmoidal activation function and the computational overhead. Zhang et al. [207] propose a privacy-preserving deep learning model (a double-projection deep computation model, in which learning is outsourced to a cloud layer to improve learning efficiency) trained with a back-propagation algorithm that uses the BGV scheme. Improving on CryptoNets, Brutzkus et al. [208] present a version thereof with better latency and memory usage. Lee et al. [209] show the possibility of applying FHE (with bootstrapping) to a deep neural network model by implementing ResNet-20 over the RNS-CKKS scheme.
The viability of FHE's usage on large-scale data and sharing frameworks has been demonstrated in multiple works. Hesamifard et al. [210] present a methodology to train a convolutional neural network (CNN) model using homomorphically encrypted data, albeit with high performance overheads. Al Badawi et al. [211] present a CNN used for image classification with FHE properties on graphics processing units (GPUs) to accelerate classification while maintaining a high accuracy rate. Blatt et al. [212] propose a toolbox of optimized statistical techniques that leverage FHE to perform studies on reformulated genomic data and prove the viability of using homomorphic encryption on large-scale data. Zhang and Zhu [213] propose the usage of homomorphic encryption to preserve privacy in sharing frameworks. The authors present a novel privacy-preserving architecture that collaboratively trains a deep neural network while preserving the privacy of the sharing parties' data via homomorphic encryption.

C. Industry Role
In addition to research efforts, multiple commercial products are being proposed to solve real-world problems across industry verticals. Zama's open-source technology [214] enables trained ML models, regardless of the underlying architecture or training method, to run inference on encrypted user data using homomorphic encryption. The application of this technology could be extended to the medical field, image classification, autonomous environments, and smart-city data processing. Ant Group [216] has announced a joint effort [217] to build PPML on top of Intel's Software Guard Extensions (SGX) and Occlum, Ant Group's memory-safe, multiprocess library operating system for Intel SGX, using cryptographic technologies, such as homomorphic encryption and differential privacy. Duality Technologies [218] is a company providing privacy-preserving data collaboration platforms using homomorphic encryption. It has been chosen by DARPA, along with other top research institutes, to accelerate the use of FHE as part of DARPA's Data Protection in Virtual Environments (DPRIVE) program, which seeks to develop a hardware accelerator for FHE computations [219].

D. Research Directions
While considerable advances have been achieved, privacy-preserving neural networks using homomorphic encryption still suffer from high computational complexity, low efficiency, and inadequacy for deployment in real-world scenarios. Further research is required to develop efficient frameworks enabling the training and evaluation of complex neural networks over encrypted data or of encrypted neural networks trained over plaintext data. Research directions could include the following.

1) Algorithmic improvements: This includes the usage of pretrained models to reduce computational complexity during the training phase, the approximation of activation functions using polynomials, and so on.
2) Hardware acceleration: This includes parallelization and partitioning of the implementation of privacy-preserving models using homomorphic encryption and inherent operations on GPU cores (including hybrid CPU-GPU architectures), FPGAs, ASICs, and reconfigurable processors.
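The activation-function approximation mentioned in item 1 can be illustrated with the degree-3 Taylor expansion of the sigmoid, σ(x) ≈ 1/2 + x/4 − x³/48, which replaces a nonpolynomial function by the additions and multiplications an FHE scheme can evaluate. The cutoff degree and the interval below are illustrative choices for this sketch, not parameters taken from the surveyed works.

```python
import math

def sigmoid(x: float) -> float:
    """Exact logistic function (not directly evaluable under FHE)."""
    return 1.0 / (1.0 + math.exp(-x))

def sigmoid_poly(x: float) -> float:
    """Degree-3 Taylor approximation around 0: only + and *, hence FHE-friendly."""
    return 0.5 + x / 4.0 - x ** 3 / 48.0

# The approximation is only accurate near 0; inputs must be normalized
# into a small interval before homomorphic evaluation.
max_err = max(abs(sigmoid(t / 50.0) - sigmoid_poly(t / 50.0))
              for t in range(-100, 101))      # grid over [-2, 2]
print(f"max error on [-2, 2]: {max_err:.4f}")
```

The error grows quickly outside the chosen interval, which is why works such as CryptoNets trade accuracy for evaluability when substituting activations.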

VIII. HE IN FOG COMPUTING FOR IoT
Fog computing was initially proposed by CISCO to support scalable massive Internet-of-Things (IoT) deployments [220], [221], but a similar concept has been adopted in 5G/6G cellular networks and is referred to as edge computing [222]. It defines a layer between the IoT device and the cloud service, as close as possible to the device, where data are preprocessed. Pushing preprocessing operations close to the device is paramount to reducing both the bandwidth consumption and the latency of IoT applications. In this scenario, HE can provide the missing privacy feature since preprocessing tasks can be done over encrypted data. However, fog computing also presents intrinsic characteristics that must be taken into account when applying HE. Unlike cloud computing, fog computing considers data in motion, i.e., moving through the network at the generation rate of each specific device. Data processing is event-driven (triggered by the device) and performed packet-by-packet. Thus, data processing is delay-intolerant, and the scope of the processing tasks is limited to the information contained in a single data packet: relevance/category evaluation; formatting; encoding; expanding/compressing; filtering; or assessing thresholds and real-time alerts. The smart city scenario provides an example of the applicability of fog computing and of how HE can become relevant. Smart cities cover a wide set of applications [223], such as intelligent transportation, efficient resource distribution (lighting, water, and waste management), safety and security, or environmental monitoring. These applications have a common requirement: they are supported by massive IoT deployments composed of small sensors constantly feeding data to smart city data collectors. The fog layer is in charge of preprocessing the data in intermediate gateways, which is fundamental to maintaining scalability [224]. HE can be adopted to provide privacy preservation for citizens.
Specifically, sensors can encrypt the data with the data collector's public key, and the fog layer processing operations can be performed over encrypted data. Only the data collector can decrypt the data with its secret key. This approach not only prevents data disclosure in fog nodes but also provides privacy for IoT nodes with respect to the data collector since data samples are aggregated [225], [226].
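The encrypt-aggregate-decrypt flow just described can be sketched with a toy Paillier cryptosystem, which is additively homomorphic: a fog node multiplies ciphertexts, which sums the underlying readings, and only the data collector (who holds the factorization) can decrypt. The primes below are illustrative toy values, orders of magnitude below secure sizes.

```python
import math
import random

# Toy Paillier parameters: the data collector's public key is n = p*q.
# Real deployments use primes of at least 1024 bits each.
p, q = 104729, 1299709
n = p * q
n2 = n * n
lam = math.lcm(p - 1, q - 1)
mu = pow(lam, -1, n)          # valid because we fix g = n + 1

def encrypt(m: int) -> int:
    """Sensor-side encryption under the collector's public key n."""
    r = random.randrange(1, n)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(c: int) -> int:
    """Only the data collector, holding (p, q), can run this."""
    u = pow(c, lam, n2)
    return ((u - 1) // n) * mu % n

# Fog-layer aggregation: sum the sensors' readings without decrypting them.
readings = [17, 4, 23, 9]                  # per-sensor plaintexts
ciphertexts = [encrypt(m) for m in readings]
aggregate = math.prod(ciphertexts) % n2    # ciphertext product = plaintext sum
assert decrypt(aggregate) == sum(readings)
```

Note that the fog node in this sketch never sees a plaintext: it only multiplies ciphertexts, which is exactly the privacy-preserving aggregation described above.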
Despite its potential, HE presents a difficult fit in IoT due to its computational complexity and ciphertext expansion. The latter refers to the fact that a ciphertext is far larger than the corresponding plaintext and, hence, adds considerable communication overhead. The former incurs a computational delay at the time of acquiring and transmitting data samples. This is aggravated by the limited hardware capabilities and computational constraints of IoT devices and the bandwidth constraints of current IoT communication standards. The aforementioned constraints have fostered research on hybrid protocols combining HE and symmetric key encryption (SKE). In hybrid homomorphic encryption (HHE), the IoT device encrypts data using an SKE scheme with a randomly generated key and then encrypts this key with an HE scheme using the data collector's public key. An SKE scheme is less complex and is not affected by ciphertext expansion. The intermediate fog nodes can homomorphically evaluate the decryption circuit of the SKE scheme and convert SK-encrypted data into HE-encrypted data. Then, the data can be processed homomorphically and sent to the data collector (see Fig. 14).
The advantage is that the ciphertext expansion and the complexity are moved from the IoT devices to the fog nodes. The IoT device is only required to homomorphically encrypt a short key. Several works have proposed AES as the SKE scheme [76], [80] since hardware acceleration for AES is a common feature in modern chips integrated into IoT devices. However, the AES decryption circuit requires a multiplicative depth of at least 40, which increases the complexity of the fog nodes. Some other approaches suggest PKE instead of SKE [227] since the multiplicative depth is lower. However, PKE has higher ciphertext expansion and complexity than SKE. In this framework, low-depth symmetric key ciphers, such as [228], [229], and [230], can provide noticeable gains.
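A back-of-the-envelope calculation shows why HHE pays off on the device's uplink. The sizes below are illustrative assumptions (a 2048-bit Paillier-style modulus yielding 512-byte ciphertexts and 16-byte samples), not figures from the cited works; lattice-based schemes have different but similarly large expansion factors.

```python
# Illustrative sizes: a 2048-bit modulus gives ~512-byte HE ciphertexts,
# while a stream cipher produces ciphertexts the size of the plaintext.
HE_CT_BYTES = 512     # one HE ciphertext
SKE_CT_BYTES = 16     # SKE ciphertext, no expansion
SAMPLE_BYTES = 16     # one sensor reading

def plain_he_traffic(samples: int) -> int:
    """Uplink bytes when every reading is HE-encrypted on the device."""
    return samples * HE_CT_BYTES

def hhe_traffic(samples: int) -> int:
    """Uplink bytes under HHE: readings are SKE-encrypted; only the
    symmetric key is HE-encrypted, once per session."""
    return HE_CT_BYTES + samples * SKE_CT_BYTES

for k in (1, 100, 10000):
    print(k, plain_he_traffic(k), hhe_traffic(k))
```

With these numbers, the 32x per-sample expansion of plain HE is replaced by a one-time 512-byte cost, so HHE wins as soon as the device sends more than a handful of samples.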
Fog computing is not limited to the smart city scenario. New emerging concepts, such as Industry 4.0 or eHealth, which have coined the terms Industrial IoT (IIoT) and Internet of Medical Things (IoMT), will also depend on the feasibility of deploying scalable microsensor systems. These scenarios will impose even more strict privacy requirements that could be potentially solved with HE. In general, hybrid HE should be envisioned as a solution for privacy-preserving data aggregation. However, it is worth commenting that hybrid protocols are effective when data are encrypted with the receiver's public key (the data collector in the smart city scenario). In a scenario where the IoT device encrypts with its own public key and the communication is bidirectional (the IoT device receives the encrypted processed data), the ciphertext expansion problem is unavoidable.

IX. HE IN CLOUD COMPUTING
Homomorphic encryption can become a cornerstone component for technologies within the 5G/6G realm, namely, for fog computing, but also for overarching technologies, such as cloud computing. While fog computing is a distributed and decentralized infrastructure, cloud computing is a centralized system where data processing is query-based and can be performed over large datasets from multiple application sessions. At first glance, it seems that HE provides a perfect solution to achieve privacy for cloud services. However, some cloud service scenarios impose requirements that make plain HE schemes unsuitable.

A. Homomorphic Proxy Reencryption
One such scenario occurs when a cloud service processes data from multiple users. The majority of HE schemes only support homomorphic operations over ciphertexts encrypted with the same public key. Hence, ciphertexts from different users must be converted into ciphertexts encrypted under the same key. This is called homomorphic proxy reencryption (HPRE).
Proxy reencryption (PRE) is a widely adopted technique in cloud computing for conventional (nonhomomorphic) encryption. PRE is used to transform a ciphertext from one user (the delegator) into a ciphertext of a different user (the delegatee) through a proxy. As a result, the delegatee can decrypt the delegator's ciphertext without learning the delegator's secret key. The proxy can convert ciphertexts without learning the plaintext or the users' keys. In HPRE, this process has additional value since it allows the cloud service to perform homomorphic operations over converted ciphertexts. Fortunately, in his thesis, Gentry proposes a simple construction to achieve HPRE. The delegator generates two ciphertexts: 1) it homomorphically encrypts its secret key with the delegatee's public key and 2) it encrypts the data with its own public key. Then, the proxy can evaluate the decryption circuit of the homomorphic scheme to reencrypt the ciphertext under the delegatee's public key (this technique is identical to bootstrapping). Fig. 15 shows how this process can be used to evaluate data from different users. Unfortunately, Gentry's approach is not resilient to weak collusion attacks. Specifically, the delegatee and the proxy can collude to obtain the delegator's secret key. New works based on key-switching techniques propose HPRE schemes that are resilient to collusion. Specifically, Derler et al. [231] and Kawai et al. [232] propose single-hop (only one reencryption is allowed) HPRE schemes that are partially homomorphic (only some homomorphic operations are possible after ciphertext conversion). Other works provide fully homomorphic single-hop PRE schemes, such as Ma et al. [233] and Yasuda et al. [234]. Polyakov et al. [235] provided two IND-CPA-secure constructions for multihop HPRE for the BV and NTRU schemes, which outperform previous lattice-based PRE schemes [236], [237] based on NTRU and BV, respectively. In addition, Li et al. [238] and Zengpeng et al. [239] provided multihop HPRE schemes that are fully homomorphic via branching programs.
All these works solve the collusion attack present in Gentry's approach; however, they are not resilient to strong collusion attacks. Namely, the proxy and the delegatee cannot obtain the delegator's secret key, but they can still obtain some information about it [240]. Moreover, as stated in [241], known HPRE schemes are only CPA-secure, which is not adequate in some scenarios [242]. Although it is well known that HE schemes cannot achieve CCA2 security (according to its standard definition), some can be CCA1-secure [243]. This is not true for HPRE; all known CCA1-secure HPRE schemes are only partially homomorphic.
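The delegator/delegatee/proxy roles can be made concrete with the classic ElGamal-based PRE construction in the style of Blaze, Bleumer, and Strauss. This is a conventional (at most multiplicatively homomorphic) scheme shown only to illustrate the mechanics, not one of the lattice-based HPRE schemes surveyed above, and the group size is a toy value.

```python
import random

# Toy group: p = 2q + 1 with q prime; g generates the order-q subgroup.
# A real deployment would use a ~2048-bit group or an elliptic curve.
p, q, g = 1019, 509, 4

def keygen():
    sk = random.randrange(1, q)
    return sk, pow(g, sk, p)

sk_a, pk_a = keygen()          # delegator (data owner)
sk_b, pk_b = keygen()          # delegatee

def encrypt(pk, m):
    """m must be an element of the order-q subgroup."""
    k = random.randrange(1, q)
    return (m * pow(g, k, p) % p, pow(pk, k, p))   # (m * g^k, pk^k)

# Reencryption key rk = sk_b / sk_a mod q. Deriving it involves both
# parties, but the proxy alone learns neither secret key from rk.
rk = sk_b * pow(sk_a, -1, q) % q

def reencrypt(ct):
    c1, c2 = ct
    return (c1, pow(c2, rk, p))   # turns g^(a*k) into g^(b*k)

def decrypt(sk, ct):
    c1, c2 = ct
    blind = pow(c2, pow(sk, -1, q), p)             # recovers g^k
    return c1 * pow(blind, -1, p) % p

m = pow(g, 42, p)                      # message encoded as a group element
ct_b = reencrypt(encrypt(pk_a, m))     # proxy converts without decrypting
assert decrypt(sk_b, ct_b) == m        # delegatee decrypts with its own key
```

The HPRE schemes discussed above provide the same role separation while additionally preserving the ability to compute homomorphically on the converted ciphertexts.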

B. Homomorphic Authenticated Encryption
In some scenarios, privacy is not sufficient. The user may pay for a specific service [244] or use remote data processing for safety-critical applications [245]. Thus, a guarantee that the data have been processed correctly by the cloud service may be required. Note that, even if the cloud service is not malicious, it may be willing to return wrong data to avoid the heavy computational load of processing homomorphically encrypted data. In this scenario, the user should be able to verify that the decrypted data are the result of a specific arithmetic circuit applied to the transmitted encrypted data. Fortunately, this feature can be achieved with homomorphic authenticated encryption (HAE). HAE can be obtained by composing HE and homomorphic authentication (HA) [246], [247]. Specifically, the user sends the ciphertexts and attaches homomorphic authenticators in the form of homomorphic signatures (HSs). These signatures can be evaluated homomorphically, similar to ciphertexts, to produce a valid signature for the processed data (see Fig. 16). In fact, composing HE and HA yields the interesting property that, if both the HE and HA schemes are CPA-secure, then the resulting HAE scheme is CCA1-secure [246].
HS was initially proposed for linear arithmetic circuits [248], [249], [250], [251]. Scenarios such as secure random linear network coding (RLNC) adopted HS [252] to counteract tag pollution attacks, although a symmetric-key-based solution, such as homomorphic MACs [253], can also fit in RLNC. Subsequent works provided HS schemes that accept polynomial homomorphic operations [254], [255], [256]. Gorbunov et al. [257] and Gennaro and Wichs [258] provided constructions with the desirable feature of being fully homomorphic (although the former is only leveled fully homomorphic), hence enabling fully HAE (FHAE). However, previous HS schemes (except for [257]) are only selectively secure (i.e., the attacker is only provided with signatures of messages chosen before the challenge is available). Adaptive security was first achieved by Boyen et al. [259] and subsequent works, such as [257] and [260]. Unfortunately, previous HS constructions have a limitation in terms of efficiency for circuits of polynomial depth [259]. Another, potentially more efficient, solution is the adoption of verifiable computation (VC) schemes that work over encrypted data [261], [262], [263]. A VC scheme provides a proof that each gate of the arithmetic circuit has been evaluated correctly. Moreover, it is even possible to provide such a proof of computation over a partially private circuit (known only to the cloud service) since the cloud service can prove that part in zero knowledge.
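The homomorphic-authenticator idea can be sketched with a compact symmetric-key variant in the spirit of the homomorphic MACs mentioned above (following the Catalano-Fiore construction): a tag is a degree-1 polynomial y with y(0) equal to the message and y(x) equal to a pseudorandom value, and tags are added and multiplied exactly like the authenticated data. The field size and labels below are illustrative choices for this sketch.

```python
import hashlib
import random

P = 2**61 - 1                       # prime field for messages and tags

def prf(key: bytes, label: str) -> int:
    """Toy PRF over labels (SHA-256 truncated into the field)."""
    return int.from_bytes(hashlib.sha256(key + label.encode()).digest(), "big") % P

def auth(x: int, key: bytes, m: int, label: str):
    """Tag = coefficients of a degree-1 polynomial y with y(0)=m, y(x)=PRF(label)."""
    r = prf(key, label)
    return [m % P, (r - m) * pow(x, -1, P) % P]

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(u + v) % P for u, v in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return out

def poly_eval(a, x):
    acc = 0
    for c in reversed(a):
        acc = (acc * x + c) % P
    return acc

def verify(x, key, result, tag, program, labels) -> bool:
    """Re-run the program on the PRF values; the tag must match at the secret x."""
    rho = program(*[prf(key, l) for l in labels])
    return tag[0] == result % P and poly_eval(tag, x) == rho % P

# Authenticate two inputs, then homomorphically evaluate f(m1, m2) = m1*m2 + m1.
x, key = random.randrange(1, P), b"mac-key"
m1, m2 = 1234, 5678
t1, t2 = auth(x, key, m1, "in1"), auth(x, key, m2, "in2")
t_out = poly_add(poly_mul(t1, t2), t1)     # evaluator works on tags only
f = lambda a, b: (a * b + a) % P
assert verify(x, key, f(m1, m2), t_out, f, ["in1", "in2"])
```

As in HAE, the evaluator manipulates only tags; tampering with the claimed result or the tag makes verification fail because the polynomial no longer passes through the secret point x.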

C. Homomorphic Encryption in Multiparty Computation
HE provides a solution for the centralization of private computations. However, in a scenario where several parties aim to interact, the direct application of HE is not so intuitive. Specifically, several cloud services may want to evaluate a function combining their private datasets without leaking any information about the inputs (except for what can be inferred from the output). Such a scenario can be addressed with secure MPC [264], [265], [266]. There are different kinds of MPC protocols optimized for arithmetic and Boolean circuits based on secret sharing techniques [267], [268] and garbled circuits [269], [270], respectively. Interestingly, some of these protocols follow a preprocessing model where the computation is divided into two phases. The first phase happens before the parties' inputs are defined and consists of the generation of cryptographic material (secret-shared elements or garbled circuits) that is later consumed to speed up the second phase. In the second phase, parties define their inputs and evaluate the circuit privately. The concept of consuming elements refers to the fact that this material cannot be used twice; hence, it must be generated for each execution. It is precisely in the generation of the preprocessing material where HE still plays a fundamental role in MPC. Protocols like SHE-BMR [270], Overdrive [268], and the matrix multiplication protocol in [271] use leveled HE. It is worth commenting that, in this context, HE could be replaced by oblivious transfer (OT). In some protocols, OT is more efficient than HE, but this must be evaluated on a case-by-case basis. Specifically, Overdrive [268] adopts an HE-based approach that improves on the OT-based version of the same protocol, i.e., MASCOT [272]. However, HSS17 [273] adopts OT and is more efficient than SHE-BMR [270], which uses SHE.
The key piece that makes HE faster than OT in Overdrive is the existence of an efficient zero-knowledge proof to prove knowledge of plaintext in an HE-encrypted ciphertext, which is required to provide active security. On the other hand, HSS17 adopts OT because the OT protocol is compatible with an optimization generally adopted in garbled circuits (the FreeXOR technique).
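The preprocessing model can be made concrete with Beaver's multiplication-triple trick, the standard technique behind the secret-sharing protocols above: a triple c = a*b generated in the offline phase (by a dealer, or via HE or OT as in Overdrive and MASCOT) is consumed to multiply two secret-shared values online. This single-process sketch simulates both parties and a trusted dealer.

```python
import random

P = 2**31 - 1   # prime modulus for additive secret sharing

def share(v):
    """Split v into two additive shares mod P."""
    s0 = random.randrange(P)
    return s0, (v - s0) % P

def reconstruct(s0, s1):
    return (s0 + s1) % P

# Offline phase: a dealer (or an HE/OT subprotocol) generates a triple c = a*b
# and distributes shares of a, b, and c. Each triple can be used only once.
a, b = random.randrange(P), random.randrange(P)
c = a * b % P
a_sh, b_sh, c_sh = share(a), share(b), share(c)

# Online phase: parties hold shares of their secret inputs x and y.
x, y = 123456, 654321
x_sh, y_sh = share(x), share(y)

# Parties open d = x - a and e = y - b; since a and b are uniform one-time
# masks, d and e leak nothing about x and y. (Opening from shares is
# simulated here with reconstruct.)
d = (reconstruct(*x_sh) - a) % P
e = (reconstruct(*y_sh) - b) % P

# Local share computation: [xy] = [c] + d*[b] + e*[a] + d*e
# (exactly one party adds the public d*e term).
z0 = (c_sh[0] + d * b_sh[0] + e * a_sh[0] + d * e) % P
z1 = (c_sh[1] + d * b_sh[1] + e * a_sh[1]) % P
assert reconstruct(z0, z1) == x * y % P
```

The identity behind the last step is xy = (a + d)(b + e) = c + d*b + e*a + d*e; producing the triples is the expensive part, which is where HE or OT enters.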
Although less efficient than the previous approaches, MPC can also be constructed directly with MKFHE. The work in [274] proposes a construction that requires only two communication rounds (see Fig. 17). In the first round, each party encrypts its inputs under multiple keys and broadcasts the ciphertexts to all parties. Then, each party evaluates the circuit homomorphically. Finally, in the second round, each party partially decrypts the result and broadcasts its share of the output. All shares can be combined locally by each party to obtain the output.
In MKFHE, a ciphertext cannot be decrypted without all partial decryptions from the secret key holders. Hence, input privacy is guaranteed. However, this also means that, if only one party fails to deliver its share of the output, the MPC protocol fails. This was addressed in [275] with a three-round MPC protocol that adopts threshold MKFHE (TMFHE). TMFHE enables a smaller subset of parties to decrypt a ciphertext. Hence, after an initial round of input sharing, any subset of sufficient size can reconstruct the output. This makes the protocol resilient to failures, but it also requires trust since smaller subsets can decrypt the parties' private inputs. It is worth commenting that MKFHE is sufficient to provide MPC with passive security, i.e., malicious parties follow the protocol specification and only try to extract information from the transmitted messages. However, in a setting where parties can deviate from the protocol specification (e.g., transmit wrong shares of the output), active security is needed; it can be achieved by integrating zero-knowledge proofs.
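The share-combination step (no single party can decrypt; partial decryptions are combined locally) can be illustrated with distributed ElGamal decryption under an additively shared key. This mirrors the final round of the MKFHE protocol above but uses plain ElGamal with toy parameters, not an actual MKFHE scheme.

```python
import random

# Toy group: p = 2q + 1 with q prime; g generates the order-q subgroup.
p, q, g = 1019, 509, 4

# Each party holds a share of the secret key; the joint public key is
# g^(s1 + s2), so neither party can decrypt alone.
s1, s2 = random.randrange(1, q), random.randrange(1, q)
pk = pow(g, (s1 + s2) % q, p)

def encrypt(m):
    """m must be an element of the order-q subgroup."""
    k = random.randrange(1, q)
    return (pow(g, k, p), m * pow(pk, k, p) % p)

def partial_decrypt(share, ct):
    """Each party broadcasts c1^share as its decryption share."""
    return pow(ct[0], share, p)

m = pow(g, 7, p)                     # message encoded as a group element
ct = encrypt(m)
d1 = partial_decrypt(s1, ct)         # party 1's share of the output
d2 = partial_decrypt(s2, ct)         # party 2's share of the output
recovered = ct[1] * pow(d1 * d2 % p, -1, p) % p   # local combination
assert recovered == m
```

As in the two-round MKFHE protocol, withholding either d1 or d2 blocks decryption entirely, which is exactly the robustness problem that threshold MKFHE addresses.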

X. TOWARD PRACTICAL FHE-BASED APPLICATIONS
The first FHE schemes were about 10^9 times slower than plaintext computations [2] and were, hence, considered far from practical. Optimizations achieved over the past decade have tremendously improved the performance of FHE schemes [31].
From a software perspective, FHE libraries have been pivotal in helping researchers and practitioners write the first FHE-based applications, and their evolution and optimization have significantly increased the efficiency of such applications over the past years. However, utilizing such APIs requires deep knowledge of FHE schemes. Recently, higher level tools have evolved, attempting to bridge the gap between engineers developing privacy-preserving applications and the technical FHE libraries at hand. Along the same lines, a number of FHE compilers have become available with the objective of converting high-level programs to FHE-based implementations. These compilers are a key step toward making FHE available to nonexperts that require such foundational blocks to design privacy-preserving applications, hence contributing to broad FHE adoption.

Table 3: Open-Source Libraries for FHE Schemes
From a hardware point of view, considerable efforts leveraging specific hardware architectures (e.g., FPGA- and ASIC-based) have been made. Such designs are referred to as FHE accelerators and provide substantial performance improvements over software implementations of FHE schemes.
The rest of this section presents an overview of the most relevant software and hardware works proposed in the literature, discusses tradeoffs observed in terms of performance and other metrics, and describes a few real-world applications currently leveraging FHE in production systems.

A. FHE Libraries
The principal objective of FHE libraries is to make FHE scheme operations available via an API. Besides the core functionality provided by KeyGen, Enc, Dec, and Eval, most of the widely used libraries incorporate additional features that allow ciphertext maintenance (i.e., noise growth management during computations) and manipulation, as well as homomorphic addition and multiplication methods. However, the correct utilization is left to the developers, who must have an in-depth knowledge of what each API call entails in a given privacy-preserving solution. Table 3 lists the available open-source FHE libraries, the language in which they are written, the supported FHE schemes, and the date of the last released update. The first library ever published is the Homomorphic Encryption Library (HElib) by Halevi and Shoup [79], [287], which is implemented in C++ and built on top of the NTL library [288]. SEAL, which is developed by Microsoft [83], is implemented in C++ and C# (to support .NET). It utilizes Intel's HEXL [289], a library providing efficient implementations of homomorphic encryption operations, specifically targeting AVX512-enabled processors. PALISADE is developed by a DARPA consortium including Duality Technologies, the New Jersey Institute of Technology, Raytheon BBN Technologies, the Massachusetts Institute of Technology (MIT), the University of California at San Diego, and others [276]. It is written in C++ and can be configured to use the NTL library.
Lattigo [277] was proposed by Mouchet et al. [290] and is the first library written in Go. The FHEW library [278] by Ducas and Micciancio is written in C++ but has not been updated since 2017. The TFHE library [279] was provided by the authors of the TFHE paper [14], is written in C++ and C, and requires at least one fast Fourier transform (FFT) processor to run. TFHE is considered to be the successor of the FHEW library. Concrete [280], [291] is Zama's variant of TFHE implemented in Rust. The HEAAN library [281] is implemented in C++ and is built on top of the NTL library. The RNS-HEAAN library [282] by Han and Kim is implemented in C++; it has not been updated since 2018. FV-NFLlib [283] is written in C++ and is based on the NFLlib C++ library [292]. NFLlib is a library dedicated to ideal lattice-based cryptography, and it is based on the number theoretic transform (NTT). It is important to note that FV-NFLlib has not been updated in the last five years.
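The NTT at the heart of NFLlib and most lattice-based FHE implementations is simply a discrete Fourier transform over a finite field: polynomial multiplication becomes pointwise multiplication in the transform domain. The sketch below uses toy parameters (N = 8, modulus 17) and a naive O(N^2) transform; production libraries use O(N log N) butterfly networks and word-sized primes.

```python
# Minimal number theoretic transform (NTT) sketch over Z_17.
P = 17          # prime with 8 | P - 1
N = 8
W = 2           # primitive 8th root of unity mod 17 (2^8 = 256 = 1 mod 17)

def ntt(a, w=W):
    """Naive O(N^2) forward transform; libraries use butterfly networks."""
    return [sum(a[j] * pow(w, i * j, P) for j in range(N)) % P
            for i in range(N)]

def intt(a):
    """Inverse transform: use w^-1 and scale by N^-1 mod P."""
    w_inv = pow(W, -1, P)
    n_inv = pow(N, -1, P)
    return [x * n_inv % P for x in ntt(a, w_inv)]

# Pointwise multiplication in the NTT domain = cyclic convolution of
# the coefficient vectors (i.e., polynomial product mod X^N - 1).
a = [1, 2, 3, 4, 0, 0, 0, 0]
b = [5, 6, 7, 0, 0, 0, 0, 0]
prod = intt([x * y % P for x, y in zip(ntt(a), ntt(b))])

# Check against the schoolbook cyclic convolution.
ref = [0] * N
for i in range(N):
    for j in range(N):
        ref[(i + j) % N] = (ref[(i + j) % N] + a[i] * b[j]) % P
assert prod == ref
```

This transform is precisely the operation that the FPGA and ASIC accelerators discussed in Section X-C optimize most aggressively.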

B. FHE Compilers
FHE compilers are high-level tools that aim at abstracting the technical APIs exposed by FHE libraries so that a wider range of developers is able to implement privacy-preserving mechanisms securely. As noted by Viand et al. [294], FHE compilers tackle some of the most common engineering challenges that exist nowadays when designing FHE-based applications.
1) Parameter selection: Choosing parameter values for FHE schemes resulting in secure and efficient instances is not a simple task. Some FHE compilers allow for some sort of automatic parameter generation according to predefined requirements.
2) Plaintext encoding: In FHE, the semantics of the plaintext message are strictly related to the type of homomorphic computations that can be conducted. Some context-specific FHE compilers can already be used to aid in this particular item (e.g., nGraph-HE).
3) Data-independent execution: Given that FHE operations are data-independent by nature, it is not trivial to conduct data-dependent branching steps using FHE because they can break privacy properties. In this case, it is possible to have branching operations by means of evaluating both branches and selecting the result at the end.
4) Packing or batching: FHE schemes allowing for message packing or batching into a single ciphertext can directly leverage SIMD instruction sets. Some FHE compilers already actively optimize for vectorized operations.
5) Ciphertext maintenance: Optimally managing how noise grows during FHE operations is not straightforward, and FHE compilers are starting to use advanced strategies to assist in this traditionally complicated part.
Table 4 presents a list of FHE compilers showing the programming language in which they are written, which FHE libraries (from the ones previously highlighted in this work) they utilize, and the date of their latest released update. ALCHEMY is a compiler written in Haskell by Crockett, Peikert, and Sharp [295], [306], [307].
It implements BGV utilizing Λ∘λ [308] (pronounced "L O L"), a library for ring-based lattice cryptography that also supports FHE. Cingulata (previously called Armadillo) is a compiler written in C++ by Carpov, Dubrulle, and Sirdey [296], [309]. It is built on top of the FLINT [310] and Sage [311] libraries. Encrypt-everything-everywhere (E3) is a framework presented by Chielle, Mazonka, Tsoutsos, and Maniatakos [297], [312]. It is mainly written in C++ and supports a variety of FHE libraries. SHEEP [298], a recursive acronym for "SHEEP is a homomorphic encryption evaluation platform," is a framework developed by the Turing Institute; it is written in C++ and comes with several off-the-shelf Jupyter notebooks containing examples of how to use SHEEP. The Encrypted Vector Arithmetic Language and Compiler (EVA) was presented by Dathathri et al. [299], [313], is written in C++, and incorporates CHET [303] to support tensor circuits. Marble [300], [314] is a C++ compiler written by Viand and Shafagh, and RAMPARTS [301] is a compiler written in Julia by Archer et al. The transpiler [302], [315] is a C++ tool developed by Gorantala et al., which currently leverages one FHE library. The nGraph-HE compiler by Boemer, Lao, Cammarota, and Wierzynski [304], [316] is based on Intel's nGraph ML compiler [317]. Support for nonpolynomial activation functions was added subsequently [318]. Finally, SEALion was presented by van Elsloo, Patrini, and Ivey-Law [305]. It is important to highlight that CHET, nGraph-HE, and SEALion are domain-specific FHE compilers designed particularly for ML applications. To the best of our knowledge, the compilers without a date for their last committed update have not been found publicly. For more details about the FHE libraries and compilers, we refer the readers to [294] by Viand et al.
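The branch-elimination strategy among the compiler challenges above (evaluate both branches, then select the result) reduces to pure arithmetic, which is the form FHE compilers must emit. The sketch below runs on plaintext integers; under FHE, the condition bit would itself be an encrypted comparison result, and every operation would be homomorphic.

```python
# Data-independent selection: both branches are computed and blended
# using only additions and multiplications.
def select(cond_bit: int, if_true: int, if_false: int) -> int:
    """cond_bit must be 0 or 1; returns if_true when 1, if_false when 0."""
    return cond_bit * if_true + (1 - cond_bit) * if_false

# Data-dependent code:      y = a if a > b else b
# Data-independent version: the comparison yields a bit, never a branch.
a, b = 10, 25
gt = int(a > b)              # under FHE: a homomorphic comparison circuit
y = select(gt, a, b)
assert y == max(a, b)
```

The cost is that both branches are always evaluated, which is why compilers also work hard to minimize the multiplicative depth of each branch.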

C. FHE Accelerators
Previous sections presented state-of-the-art software tools that are proving crucial in the wider adoption of FHE for developing privacy-preserving solutions. Although such tools have enabled a significant acceleration of FHE schemes, the corresponding performance still falls short with respect to plaintext computations. Therefore, FHE hardware accelerators have emerged as a practical alternative to highly optimized software implementations, thus enabling a wider range of use cases where FHE can be utilized.
Doröz et al. [319] designed an accelerator for the Gentry and Halevi scheme [64] and were able to significantly improve the run times of FHE operations. Later on, Cousins et al. [320] designed an FPGA-based accelerator focusing on the second-generation NTRU-based scheme LTV. They targeted a Xilinx Virtex-7 FPGA and benchmarked the performance of the CRT (and its inverse). Their results showed an improvement of two orders of magnitude compared to the available reference software, CPU-based version. Roy et al. [321] presented an RLWE-based coprocessor targeting NTT optimizations and achieved considerable speedups on a Virtex-6 FPGA. Moreover, Roy et al. [322] proposed an architecture that offloads operations of the FV FHE scheme to an FPGA-based accelerator. They validated their design on a Xilinx Zynq UltraScale+ FPGA and obtained an improvement of over 13 times with respect to a reference optimized software implementation of the FV scheme. Riazi et al. [323] provided a new hardware design that heavily improved the NTT operation, implemented the CKKS scheme, and can be used with a wide range of parameter sets. They compared their proposal on two FPGA devices from Intel, namely, Arria 10 and Stratix 10, with an optimized version of the SEAL library and demonstrated an improvement of more than two orders of magnitude. Finally, Turan et al. [324] proposed the first accelerator to leverage FPGAs available in the Amazon AWS cloud and achieved a 20 times improvement with respect to the software implementation of the smart meter application considered in their case study.
Even though FPGA-based designs deliver considerable improvements and can be run on accessible FPGA platforms, they miss an important element of FHE computations, namely, data movement, which, in extremely optimized designs, becomes a nonnegligible bottleneck. ASIC-based designs make it possible to tackle potential issues caused by data movement congestion. Following this approach, Juvekar et al. [325] designed Gazelle, which combines two conventional techniques, namely, homomorphic encryption and garbled circuits. A low-latency ASIC targeting secure neural network inference running on Gazelle achieved two to three orders of magnitude speedups. Subsequently, Gazelle was improved (i.e., made 79 times faster) by Reagen et al. [326]. Recently, Feldmann et al. [327] presented F1, a programmable FHE accelerator that employs a wide-vector processor, is based on a static scheduling strategy, and minimizes data movement. F1 is capable of producing speedups of three to four orders of magnitude with respect to state-of-the-art software implementations and supports BGV, HEAAN, and GSW. Moreover, F1 demonstrates that ASIC-based accelerators can also be programmable, given that the same resulting hardware can accelerate a variety of programs, including multiple FHE schemes.

D. Standardization and Broad Adoption
Sections X-A-X-C provide a comprehensive list of the most relevant works in software and hardware that have contributed toward making FHE more practical, hence broadening its adoption.
However, other types of initiatives play an equally key role in enabling large-scale FHE deployments. For instance, the homomorphic encryption open industry/government/academic consortium [58] is working on a standard for homomorphic encryption. The consortium was created in 2017 by Microsoft, IBM, and Duality Technologies and, at the time of writing, has more than 40 participants from industry, government, and academia. Moreover, industrial players aiming at deploying FHE-based solutions, such as Zama AI [214], Duality Technologies [218], or CryptoLab [328], are greatly contributing to the overall ecosystem. Finally, large tech companies, such as Intel and Google, are starting to leverage homomorphic encryption in privacy-preserving solutions, such as building PPML on top of Intel's SGX [217] and Google's Password Checkup [329], which employs private set intersection.

XI. CONCLUSION
Homomorphic encryption has been a prolific research field over the past decade. Since Gentry's first proposed scheme in 2009, several generations of schemes have emerged, fostered by the evolution of privacy-preserving technologies. Moreover, synergies with other research fields (such as ML) and with other cryptographic protocols (such as secure MPC) have increased its relevance.
Nevertheless, despite the tremendous potential of the field, current FHE schemes still present limitations that hinder their applicability in real environments. Computational complexity and ciphertext expansion render FHE unsuitable for delay-intolerant or bandwidth-limited applications; these are the main impediments to FHE's widespread adoption in new generation networks.
In addition, there are no known common schemes that simultaneously encompass the features offered by second-, third-, and fourth-generation schemes, which would otherwise be convenient in some scenarios, such as PPML. More specifically, second- and fourth-generation schemes are equipped with packing techniques, which make them efficient for matrix multiplication, while third-generation schemes are the only ones to enable efficient evaluation of nonlinear functions. Moreover, second- and fourth-generation schemes are not equipped with fast bootstrapping techniques; this limits their application to their leveled versions rather than their fully homomorphic versions. Another limitation is the absence of thorough efforts related to noise analysis, mainly for second-generation schemes. There is still a gap between theoretical bounds and real noise growth, which increases the complexity of parameter selection. These limitations have triggered numerous research proposals, not only on new schemes and analytical studies of parameters but also on hardware accelerators. New technologies, such as memory-based computation, have also been proposed for memory-hungry applications, such as private deep neural networks. It is precisely the advancement in hardware acceleration that can make FHE a reality by reducing its time complexity by several orders of magnitude: cloud computing will require more efficient implementations that cannot be achieved with software-based optimizations alone. The potential integration of FHE in massive IoT deployments will also depend on the ongoing hardware research efforts. These new scenarios will define strict specifications in terms of latency, bandwidth, and energy efficiency, and the FHE layers will have to meet these requirements.
Acknowledgment
The authors would like to thank Prof. Damien Stehlé for the technical discussions and his feedback on this article. They would also like to thank the anonymous reviewers for their thorough reading of the manuscript and the very detailed comments provided.