Post-Quantum Homomorphic Encryption: A Case for Code-Based Alternatives

Abstract

Homomorphic Encryption (HE) allows secure and privacy-protected computation on encrypted data without the need to decrypt it. Since Shor’s algorithm rendered prime factorisation and discrete logarithm-based ciphers insecure with quantum computations, researchers have been working on building post-quantum homomorphic encryption (PQHE) algorithms. Most of the current PQHE algorithms are secured by Lattice-based problems and there have been limited attempts to build ciphers based on error-correcting code-based problems. This review presents an overview of the current approaches to building PQHE schemes and justifies code-based encryption as a novel way to diversify post-quantum algorithms. We present the mathematical underpinnings of existing code-based cryptographic frameworks and their security and efficiency guarantees. We compare lattice-based and code-based homomorphic encryption solutions identifying challenges that have inhibited the progress of code-based schemes. We finally propose five new research directions to advance post-quantum code-based homomorphic encryption.

1. Introduction

Homomorphic encryption (HE) allows computations to be performed directly on encrypted data without decryption, enabling privacy-preserving computation in applications such as secure cloud computing, medical data analysis, and federated learning [1]. HE ensures the confidentiality of sensitive data while still being usable for computation, making it a critical tool in modern cryptography. Homomorphic properties were first observed in classical public-key cryptosystems by Rivest et al. [2] where certain operations like multiplication could be performed homomorphically on the ciphertexts. Although the scheme was broken a decade later by Brickell and Yacobi [3], it initiated the research on homomorphic encryption (HE) schemes in the cryptography community.

Many early homomorphic encryption schemes were based on number-theoretic assumptions of NP-hardness. However, with the advent of quantum computing, classical cryptographic systems face significant threats. Quantum algorithms, such as Shor’s and Grover’s algorithms, can efficiently solve problems such as integer factorization and discrete logarithms, thus undermining the security foundations of widely used public-key schemes such as RSA and ECC [4]. As many early homomorphic encryption (HE) constructions rely on these same number-theoretic assumptions, the potential for quantum adversaries to break the underlying hard problems necessitated a comprehensive re-examination of HE for a post-quantum era. In response, research has increasingly focused on developing post-quantum homomorphic encryption (PQHE) schemes built on hard mathematical problems believed to be resistant to quantum attacks. According to NIST PQC project [5] CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+ are the selected quantum safe cryptographic algorithms and HQC was selected as an alternative PQC KEM scheme. For this survey article, we will consider all fourth-round applicants, including those not selected due to practicality reasons.

In 2009, Gentry [6] proposed the first FHE scheme, which allowed both addition and multiplication operations to be performed on ciphertexts without observation of the plaintexts. The scheme used NP-hard problems based on lattice-theory. Subsequently, lattice-based cryptography emerged as a leading candidate to construct PQHE schemes. Cryptographic primitives based on the Learning With Errors (LWE) problem and its ring variant (RLWE) also offer robust security guarantees as no efficient quantum algorithm is currently known for solving these problems—even approximately [7]. These lattice-based approaches underpin modern schemes such as the Brakerski–Fan–Vercauteren (BFV) and Cheon–Kim–Kim–Song (CKKS) constructions, which have been reevaluated and adapted to meet post-quantum security requirements [8]. Parallel to these theoretical advancements, practical frameworks such as PALISADE [9] and its successor OpenFHE [10] have integrated lattice-based HE schemes optimized for post-quantum security. These efforts underscore the practical drive to transition existing systems to quantum-resistant alternatives while addressing efficiency challenges, such as managing noise growth during computations and optimizing bootstrapping procedures, to maintain the homomorphic properties essential for real-world applications [11]. Although most of the focus of HE schemes is still based on lattice-theory, in 2024 Chen [12] proposed new techniques involving Quantum Fourier Transforms that claimed to solve LWE problems and their reductions to other lattice-based hard problems in polynomial time. While the validity of the claim is questionable [13], it raised concerns about relying completely on the security of lattice-based cryptographic algorithms in the post-quantum era.

A complementary, though less explored, approach to developing post-quantum homomorphic encryption (PQHE) schemes involves NP-hard problems related to error-correcting codes. Code-based cryptography has emerged as a promising option for post-quantum homomorphic encryption due to its inherent resistance to quantum attacks and potential efficiency advantages. Here, security assumptions are based on NP-hard problems, such as the Syndrome Decoding Problem (SDP) and the Binary Goppa Code Distinguishing Problem [14], both of which are resilient to known quantum algorithms. Unlike lattice-based schemes, which depend on complex algebraic structures and intricate noise management techniques, code-based homomorphic encryption utilizes well-established error-correcting codes. This makes implementation simpler and allows for alternative security assumptions. The specific trade-offs between security, efficiency, and implementation complexity highlight the importance of exploring code-based methods for future cryptographic systems, particularly in a post-quantum landscape.

This review aims to be a resource for researchers wanting to advance PQHE using the less-studied code-based cryptography. It brings together the mathematical underpinnings of code-based HE schemes with the intention of deepening understanding of the NP-hard problems in this domain as well as presenting avenues to kickstart new research in the development of code-based PQFHE. The key contributions of this work are:

• Insights from reviews of existing Homomorphic Encryption Schemes: Identifies the lop-sided focus of current FHE schemes on lattice-based NP-hard problems. This demonstrates a clear weakness in PQFHE schemes if quantum lattice reduction algorithms are found.
• Systematic Review of Code-based Homomorphic Encryption Schemes: Provides a detailed analysis of code-based Homomorphic encryption schemes and their security guarantees.
• Comparative Analysis of Code-Based with Lattice-based Homomorphic Encryption schemes: Presents a detailed comparison of code-based HE with lattice-based HE and identifies the reasons code-based HE is not well studied.
• New directions for Code-based Homomorphic Encryption in the Post-Quantum Era: Outlines five clear research directions to advance the development of code-based PQ-FHE.

We will first analyse the existing reviews of homomorphic encryption schemes, and illustrate the difference of this review. In Section 3 we provide a background on homomorphic encryption schemes categorising them into partially homomorphic, somewhat homomorphic and fully homomorphic. Then in Section 4 we present the details of code-based cryptography, while in Section 5 we detail code-based homomorphic schemes, giving a comprehensive analysis of the strengths and weaknesses of each scheme and comparing them to lattice-based schemes. Finally, we present the conclusion along with the challenges in implementing code-based PQHE and a list of future research opportunities.

2. Existing Reviews of Homomorphic Encryption Schemes

To maximise the relevance of the current review, we analysed existing reviews on HE schemes. Scopus and IEEE databases were chosen as the source of our search process. On both databases we used the search terms “Homomorphic Encryption” and “Privacy-Preserving Encryption”, limited our results to only review articles and did not put limits on the year of publication. We found 108 articles, with the first review published in 2010. We found two duplicates across the database and they were removed. We screened the title and abstracts for relevance and excluded one article as it did not focus on HE or its applications. We then filtered out all articles published in the year 2020 and prior. This gave us 78 review articles on HE published in the last 5 years. Figure 1 illustrates the distribution of published articles over the last 5 years. The trend indicates a surge of research since 2023 driven by advancements in HE applications. Figure 2 presents the quality ratings of the journals where the review articles were published. It can be seen that only $33\%$ (26 articles) of the published reviews are in high quality Q1 journals. Most of the Q1 articles focussed on applications of HE in various fields rather than on the HE schemes and their theory. There were only four theoretical, non-application-based review articles and these were selected for further analysis.

Alaya et al. [15] provide an overview of homomorphic encryption (HE) systems, highlighting trends in efficiency, security, and usability, while addressing challenges such as computational overhead and scalability. Aloufi et al. [1] investigate multi-party computations and secure collaborative analytics, discussing various schemes, security guarantees, and practical applications. Gorantala et al. [16] explore advancements in fully homomorphic encryption (FHE) and its real-world feasibility, focusing on performance improvements and necessary breakthroughs for secure cloud computing. Dhiman et al. [17] evaluate software libraries and tools for homomorphic encryption, comparing their performance and usability to assist researchers in tool selection.

Figure 2. Scimago [18] journal quartile distribution of review papers on Homomorphic Encryption in 5 years.

Figure 2. Scimago [18] journal quartile distribution of review papers on Homomorphic Encryption in 5 years.

Table 1. Coverage of Homomorphic Encryption Topics in Previous Reviews. A ✓ indicates the review covers the topic, while a × indicates it does not.

Aspect	Alaya et al. [15]	Aloufi et al. [1]	Gorantala et al. [16]	Dhiman et al. [17]
Overview of HE systems	✓	✓	✓	✓
Multi-key HE	×	✓	×	×
Fully Homomorphic Encryption (FHE)	✓	✓	✓	✓
HE Libraries/Frameworks	×	×	×	✓
HE Toolkits	×	×	×	✓
HE Accelerators	×	×	×	✓
Challenges in HE	✓	×	✓	×
Future Trends	✓	×	✓	×
Code-based HE	×	×	×	×

compares the range of topics covered by these four articles. We assessed whether the reviews provided an overview of HE systems, discussed multi-key HE, included research on Fully Homomorphic Encryption (FHE), presented libraries or frameworks to practically apply HE, provided description of HE toolkits, indicated techniques to speed up HE algorithms including refresh key generation, identified existing and foreseeable challenges in the domain of HE and presented future trends in HE. We also investigated if any of these reviews included HE schemes that used code-based cryptography. As shown in the last row of Table 1, none of the review articles mention code-based HE or discussed the advantages of using such approaches in the post-quantum era. The current review starts to address this deficiency in the existing literature by providing a first step towards developing an alternative code-based approach for HE in the post-quantum era.

3. Background on Homomorphic Encryption

This section provides an overview of homomorphic encryption (HE), explaining its basic principles and levels of capability. Homomorphic encryption allows computations on encrypted data without decryption. Each of the different types: partially homomorphic encryption (PHE), somewhat homomorphic encryption (SWHE), and fully homomorphic encryption (FHE), offers varying degrees of flexibility and efficiency. This background helps in understanding the advancements and challenges in HE research.

3.1. Homomorphic Encryption: Definitions

Homomorphic encryption (HE) is a cryptographic technique that allows computations to be performed on encrypted data without the need for decryption. This property enables the processing and analysis of sensitive information while preserving its confidentiality and integrity.

3.1.1. Formal Definition of Homomorphic Encryption

Formally, a homomorphic encryption scheme can be defined as a tuple of probabilistic polynomial-time (PPT) algorithms, denoted as $\mathrm{HE}=(\mathrm{KeyGen},\mathrm{Enc},\mathrm{Eval},\mathrm{Dec})$ [1]. Each algorithm is described in detail below:

• Key Generation (KeyGen): $\mathrm{HE}.\mathrm{KeyGen}(1^{\lambda })\to (pk,sk,ek)$: Given a security parameter $\lambda$ that determines the level of security, the key generation algorithm outputs a public key $pk$, a secret key $sk$, and an evaluation key $ek$. The public key is used for encryption, the secret key for decryption, and the evaluation key for performing homomorphic operations.
• Encryption (Enc): $\mathrm{HE}.\mathrm{Enc}(pk,m)\to c$: Given a message m and the public key $pk$, the encryption algorithm outputs a ciphertext c. The ciphertext c is an encrypted version of the message m, which can be processed homomorphically without revealing the underlying plaintext.
• Evaluation (Eval): $\mathrm{HE}.\mathrm{Eval}(ek,f,c,c^{\prime })\to c_{\mathrm{eval}}$: Given two ciphertexts c and $c^{\prime }$, an evaluation key $ek$, and a homomorphic function f, the evaluation algorithm outputs an evaluated ciphertext $c_{\mathrm{eval}}=f(c,c^{\prime })$. The evaluation key $ek$ is used to enable homomorphic operations, and it plays a crucial role in the bootstrapping process, which refreshes the ciphertext to allow for further computations.
• Decryption (Dec): $\mathrm{HE}.\mathrm{Dec}(sk,c)\to m$: Given a ciphertext c encrypted under the public key $pk$, the decryption algorithm outputs the original message m using the corresponding secret key $sk$. This ensures that only the holder of the secret key can access the decrypted data.

Figure 3 provides a conceptual overview of how homomorphic encryption allows computations to be performed directly on encrypted data. The process happens in four main stages:

• Plaintext Inputs($X,Y$): Two plaintext values, labeled X (green) and Y (red), are shown in Figure 3. In this example, the goal is to compute the sum $Z=X+Y$ securely.
• Encryption ($A,B$): Each plaintext is independently encrypted, producing ciphertexts A (encrypted form of X) and B (encrypted form of Y). These ciphertexts are represented by the green and red circles, respectively.
• Homomorphic Evaluation(C): The ciphertexts A and B are processed by a homomorphic evaluation function (indicated by the arrow labeled “Eval”). Because the scheme is homomorphic, the evaluation computes the sum of the underlying plaintexts—i.e., it effectively adds X and Y—without ever decrypting them. This step yields a new ciphertext C.
• Decryption (Z): Finally, decrypting C recovers the result Z, which matches the sum $X+Y$. In other words, $\mathrm{Dec}\left(C\right)=Z=X+Y$.

3.1.2. Mathematical Definition of Homomorphic Encryption

Mathematically, a homomorphic encryption (HE) scheme is defined as follows:

Definition 1. 

A homomorphic encryption (HE) scheme is an encryption scheme that satisfies the following property: For all ciphertexts $C_1,C_2\in \mathcal{C}$, all plaintexts $M_1,M_2\in \mathcal{P}$, and for any key K, if

$$C_1=\mathrm{Enc}\left(M_1\right)\mathit{and}{C}_2=\mathrm{Enc}\left(M_2\right),$$

then

$$\mathrm{Dec}\left(C_1\circ C_2\right)=M_1\odot M_2.$$

Here, ∘ and ⊙ denote the group operations in the ciphertext space $\mathcal{C}$ and the plaintext space $\mathcal{P}$, respectively.

3.2. Levels of Homomorphism

HE schemes are often classified into three levels based on the types and number of homomorphic operations that can be supported. These are:

• Partially Homomorphic Encryption (PHE): Supports only one operation (e.g., addition or multiplication).
• Somewhat Homomorphic Encryption (SHE): Supports all operations, but has limitations on the number of operations of a certain type.
• Fully Homomorphic Encryption (FHE): Enables unlimited arbitrary computations on encrypted data.

Table 2. Features of Partial HE, Somewhat HE, and Fully HE.

Feature	Partial Homomorphic Encryption (PHE)	Somewhat Homomorphic Encryption (SWHE)	Fully Homomorphic Encryption (FHE)
Supported Operations	One type of operation (either addition or multiplication).	Both addition and multiplication but only for a limited number of operations (shallow circuit depth).	Arbitrary computations (both addition and multiplication without a fixed limit).
Noise Growth	Minimal noise accumulation, computationally efficient.	Noise accumulates with each operation (linear for additions; quadratic or even exponential for multiplications), limiting computation depth.	Requires advanced noise management techniques (bootstrapping, modulus switching, relinearization) to control error growth over arbitrary computations.
Complexity & Efficiency	Generally the most efficient and simplest in design (e.g., RSA, Paillier, ElGamal).	More complex than PHE; efficiency is affected by the need to manage noise, often limiting practical depth without additional techniques.	Most complex and computationally intensive due to elaborate noise control and the necessity for periodic refreshment of ciphertexts.
Common Examples	RSA (multiplicative), Paillier (additive), and ElGamal (multiplicative or adapted to additive in variants).	Early schemes such as Gentry’s original SWHE, later improved in the Brakerski–Gentry–Vaikuntanathan (BGV) and Fan–Vercauteren (FV) schemes.	Advanced lattice-based schemes including Gentry’s FHE, GSW, CKKS.
Security Assumptions	Relies on hardness problems such as the Integer Factorization Problem (IFP), Decisional Composite Residuosity (DCR), or the Discrete Logarithm Problem (DLP).	Based on lattice problems such as Learning With Errors (LWE) or Ring-LWE, with security intricately linked to noise management.	Built on advanced lattice assumptions (Ideal Lattice, LWE, RLWE, and variants) and often require additional measures to maintain security under extensive operations.

compares the salient features of the different levels of homomorphic encryption.

3.2.1. Partial Homomorphic Encryption (PHE)

Partial Homomorphic Encryption (PHE) schemes support either additive or multiplicative homomorphism, allowing a single type of operation to be performed on ciphertexts. These schemes are computationally efficient but limited in functionality, as they cannot support both operations simultaneously. One of the most well-known PHE schemes is the RSA cryptosystem, which exhibits multiplicative homomorphism. In RSA, the product of two ciphertexts corresponds to the encryption of the product of their plaintexts, i.e., $Enc\left(m_1\right)·Enc\left(m_2\right)=Enc(m_1·m_2)$. However, RSA in its textbook form is deterministic, making it semantically insecure. RSA’s security relies on the Integer Factorization Problem (IFP), where the public key consists of a modulus $N=pq$, where $p,q$ are prime numbers, and an exponent e coprime to $\varphi \left(N\right)$. This simple version of RSA is vulnerable to chosen-ciphertext attacks if used without proper padding [2].

Another widely used PHE scheme is the Paillier cryptosystem [19], which supports additive homomorphism. In Paillier, the sum of two ciphertexts corresponds to the encryption of the sum of their plaintexts, i.e., $Enc\left(m_1\right)+Enc\left(m_2\right)=Enc(m_1+m_2)\mathrm{mod}{n}^2$. Paillier is probabilistic, ensuring semantic security, and its hardness is based on the Decisional Composite Residuosity (DCR) assumption [19]. The public key in the Paillier cryptosystem consists of a modulus $n=pq$. Encryption is performed by computing $c=g^m·r^n\mathrm{mod}{n}^2$, where $g\in {\mathbb{Z}}_{n^2}^{\ast }$ and $0\le r\le n$ is a randomly chosen value such that $gcd(r,n)=1$. Paillier is particularly useful in applications such as electronic voting and privacy-preserving aggregation due to its additive properties.

The ElGamal cryptosystem and its variants, including EC-ElGamal, are also partially homomorphic encryption (PHE) schemes that exhibit multiplicative homomorphism. In ElGamal, the component-wise product of two ciphertexts corresponds to the encryption of the product of their plaintexts. Its security is based on the Discrete Logarithm Problem (DLP). The encryption process for plaintext m involves computing the ciphertext $c=(g^r,m·h^r)$ using a randomly selected number r where $1\le r\le n$. Here g is the generator of a cyclic group G of order n, x is the private key and is a random element of the group and $h=g^x$ is the public key [20]. Variants like EC-ElGamal extend this framework to support additive homomorphism over elliptic curves, making them suitable for specific cryptographic applications.

Other noteworthy PHE schemes include the Modified RSA Encryption Algorithm (MREA) [21], which extends RSA to support additive homomorphism, and the Chen-ElGamal (CEG) scheme [22], which combines features of Paillier and ElGamal for hybrid operations. However, these schemes often face challenges related to inefficiency or ciphertext expansion, which can limit their practicality for large-scale applications.

3.2.2. Somewhat Homomorphic Encryption (SWHE)

Somewhat Homomorphic Encryption (SWHE) schemes enable additive and multiplicative operations on encrypted data; however, their computational utility is inherently limited by the growth of noise in the ciphertext. Each homomorphic operation introduces a small error term, and while additions increase noise linearly, multiplications typically cause quadratic (or even exponential) noise growth. Once the accumulated noise exceeds a certain threshold, correct decryption becomes impossible.

The concept of SWHE was first introduced by Gentry in 2009 with a scheme based on ideal lattices [6]. In Gentry’s construction, the noise grows so rapidly with each multiplication that only circuits of very shallow depth can be evaluated reliably. To mitigate this, Gentry proposed the technique of bootstrapping — homomorphically evaluating the decryption function to refresh ciphertexts by reducing their noise. Despite its theoretical significance, the high computational cost of bootstrapping rendered early SWHE schemes impractical for many applications.

Subsequent research has focused on optimizing noise management to extend the viable depth of homomorphic computations without the need for frequent bootstrapping. The Brakerski–Gentry–Vaikuntanathan (BGV) scheme [8] introduced modulus switching, a technique that reduces the ciphertext modulus and thereby decreases noise in a linear manner. This innovation enabled leveled homomorphic encryption, where the maximum allowable circuit depth is determined by the chosen parameters.

Similarly, the Fan–Vercauteren (FV) scheme [23], which is based on the Ring Learning With Errors (RLWE) problem, employs efficient modulus reduction along with relinearization techniques to control noise growth. The FV scheme has proven particularly effective for applications such as encrypted database queries and privacy-preserving analytics [24].

Further advancements were made by Brakerski’s 2012 work [25], which introduced scale-invariant techniques. These schemes decouple noise accumulation from the magnitude of the plaintext, allowing the error to grow independently of the scale of the input data, thus enabling more efficient homomorphic computations.

More recently, alternative algebraic approaches have been explored to enhance both efficiency and security. For instance, a 2023 scheme based on random rank metric ideal codes [26] leverages the randomness inherent in code-based constructions to achieve competitive key and ciphertext sizes while supporting unlimited homomorphic additions and a fixed number of multiplications. In parallel, a scheme based on multivariate polynomial evaluation [27] utilizes the algebraic properties of multivariate polynomials to perform limited-depth homomorphic operations with controlled noise growth. A recent scheme [28] leverages the hardness of the sparse LPN (Learning Parities with Noise) problem combined with linear homomorphic properties. This construction supports the evaluation of bounded-degree polynomials on encrypted data while maintaining compact ciphertext sizes. It represents a departure from traditional lattice-based assumptions, thereby broadening the theoretical foundations for SWHE schemes.

Recent research has focused on refining noise management in SWHE schemes through optimized modulus switching and relinearization operations implemented in the Residue Number System (RNS) [29]. By mapping computations into smaller rings and managing the scale more precisely, these techniques allow for tighter control over noise growth—thus supporting deeper circuit evaluations before bootstrapping becomes necessary. Such advancements have also influenced approximate schemes like CKKS [30], which share similar noise management challenges to SWHE systems.

Although these advances have significantly improved the practicality of SWHE, noise management remains a central challenge. The trade-offs between computational depth, performance overhead, and security parameters continue to guide the design of modern SWHE systems, ensuring that even as new techniques are developed, careful attention must be paid to balancing noise accumulation against the desired homomorphic functionality.

3.2.3. Fully Homomorphic Encryption (FHE)

Gentry’s model [6] of homomorphic encryption relies on lattice-based cryptography. Over the past 15 years, there has been a significant surge in research and development focused on creating and enhancing homomorphic encryption schemes, resulting in a multitude of public key encryption methods capable of supporting homomorphic operations. Since the design of the first fully homomorphic encryption scheme, there have been nearly 40 public key schemes proposed, of which only one is based on coding theory, 10 are based on number theory, and the rest are based on lattices. Current research focusses not only on the construction of homomorphic encryption but also on its application and implementation to various technologies.

A Fully Homomorphic Encryption (FHE) scheme is a type of encryption scheme that permits direct operations on ciphertexts, eliminating the need for decryption to perform operations. Homomorphic addition and multiplication operations are crucial to this functionality, since they constitute a functionally complete set within the realm of finite rings. Put differently, an FHE scheme enables the execution of computations on encrypted data without the need for prior decryption. We can call any encryption scheme E homomorphic with respect to any function f if and only if the following statement is satisfied

$$Dec\left(Eval\right(f,Enc\left(x\right),Enc\left(y\right)\left)\right)=f(x,y),$$

where $x\mathrm{and}y$ are plain text.

Homomorphic encryption schemes possess two fundamental attributes: their ability to support a maximum degree of functions and the degree to which ciphertext length expands after each homomorphic operation. The first characteristic determines the types of functions the scheme can accurately evaluate. The second characteristic relates to the increase in ciphertext length, indicating how much the bit length of the ciphertext expands following each evaluation. When the limit on bit-length expansion remains consistent regardless of the complexity of the function, it is referred to as being compact.

3.3. The Evolution of FHE Schemes

In 2017 the Homomorphic Encryption Standard [31] classified FHE schemes into generations based on the efficiency of computation and the techniques used to manage noise in evaluating the ciphertext. This section describes the four generations of FHE schemes, the algorithms, their security assumptions, benefits and limitations.

Table 3. Comparison of Fully Homomorphic Encryption (FHE) Models with respect to the underlying hard problem, the key techniques, advantages, disadvantages and whether bootstrapping is necessary.

	FHE Model	Underlying Assumption/Hard Problem	Key Techniques	Advantages	Disadvantages	Bootstrapping Requirements
First Generation	Ideal Lattice FHE (Gentry’s Scheme)	Ideal lattice problems (e.g., SVP, SSSP, BDD)	Squashing to reduce decryption circuit complexity; Bootstrapping	Foundational breakthrough; supports arbitrary computations	High circuit complexity; challenging noise management; computationally expensive	Bootstrapping enabled via squashing (adds overhead)
	First Generation: AGCD-Based FHE (DGHV Scheme)	Approximate GCD, combined with SSSP	Integer arithmetic with modular noise reduction	Conceptually simple; non-lattice alternative	Large public key size; high computational cost; less efficient in practice	Bootstrapping is required to control noise accumulation
Second Generation	LWE/RLWE-Based FHE (BV, BGV, FV Schemes)	Learning With Errors (LWE) and its ring variant (RLWE)	Modulus switching, relinearization, batching, scale invariance	More practical and efficient; implemented in libraries such as Microsoft SEAL	Noise growth limits circuit depth without bootstrapping; parameter tuning can be complex	Leveled FHE variants may avoid bootstrapping for fixed-depth circuits; bootstrapping still used for deeper evaluations
	NTRU-Based FHE	NTRU assumption and circular security	Bootstrapping and modulus switching adapted to NTRU structure	Initially faster encryption operations	Vulnerabilities discovered; requires larger parameters for security; largely deprecated	Bootstrapping is incorporated, but overall robustness is lower
Third Generation	GSW-Based FHE (Approximate Eigenvector Method)	LWE/RLWE with an approximate eigenvector approach	Bit decomposition; optimized bootstrapping with reduced error growth	Improved noise management; supports deeper circuits with less noise amplification	Increased communication cost due to larger ciphertext sizes; higher computational overhead	Bootstrapping is more efficient, reducing overall complexity
Fourth Generation	Fourth Generation: CKKS Scheme	RLWE tailored for approximate arithmetic	Leveled encryption; plaintext embedding into complex number vectors; modulus scaling	Efficient for real-valued and approximate computations (e.g., ML applications)	Inherent approximation errors; requires careful precision management	Designed primarily as a leveled scheme (bootstrapping is optional)

summarises the comparison of the four generations of fully homomorphic encryption schemes. Note that code-based techniques have not been used in any of the four generations.

3.3.1. First Generation: FHE Based on Ideal Lattice

The Gentry model [6] represents the foundational framework for Fully Homomorphic Encryption (FHE), leveraging the hardness of problems in ideal lattices.

• Key Generation:

  -

  An ideal lattice is generated along with two bases: a secret basis ($B_{sk}$) and a public basis ($B_{pk}$).

  -

  Parameters such as the modulus and an error distribution are selected.

• Encryption:

  -

  A binary message is encoded into a real-valued vector by adding a small error vector, whose entries are randomly chosen from $\{0,\pm 1\}$ with equal probabilities for $+1$ and $-1$.

  -

  The resulting vector is then translated into a specific region (a parallelepiped) defined by the public basis $B_{pk}$.

• Decryption:

  -

  The ciphertext is translated back into a parallelepiped defined by the secret basis $B_{sk}$.

  -

  The original message is recovered by reducing the decoded vector modulo 2.

The public key is based on skewed vectors, making it unsuitable for decoding, and the secret key consists of nearly orthogonal vectors, enabling efficient decryption.

Bootstrapping: The scheme is not inherently bootstrappable due to the high complexity of the decryption circuit. To address this, Gentry introduced the squashing technique, which reduces the decryption complexity by embedding additional information about the secret key into the evaluation key.

The security of the scheme relies on three core mathematical problems:

• Sparse Subset Sum Problem (SSSP): Given a set of integers $S=\{a_1,\dots ,a_n\}\subseteq \mathbb{Z}$, determine whether there exists a sparse subset $I\subseteq \{1,\dots ,n\}$ such that ${\sum }_{i\in I}{a}_i=0$.
• Bounded Distance Decoding Problem (BDD): Given a lattice and a target vector that is close to the lattice, find the closest lattice vector.
• Ideal Shortest Vector Problem (Ideal SVP): Find the shortest non-zero vector in an ideal lattice.

Additionally, the scheme assumes circular security, which means that the encryption of the secret key does not compromise the overall security of the scheme.

Limitations and Vulnerabilities:

• Efficiency Challenges: Ideal lattice-based fully homomorphic encryption (FHE) schemes are computationally intensive due to the complex algebraic structures involved. Both the reliance on ideal lattices and the need for bootstrapping introduces significant overhead, limiting practical efficiency.
• Principal Ideal Vulnerability: Cramer et al. [32] identified a critical vulnerability in schemes based on principal ideal lattices. They demonstrated that key-recovery attacks are feasible if there exists a quantum polynomial-time or classical $2^{n^{\frac{2}{3}-ϵ}}$-time algorithm for solving the Principal Ideal Problem (PIP). This vulnerability undermines the security of schemes relying on principal ideal lattices, as an adversary could exploit the structure of the lattice to recover the secret key.

3.3.2. First Generation: FHE Based on AGCD Problem

In 2010, van Dijk et al. [33] introduced the DGHV Fully Homomorphic Encryption (FHE) scheme, which is built on number-theoretic assumptions. The DGHV scheme marks a significant milestone in the advancement of FHE, as it was the first construction to achieve fully homomorphic encryption using basic arithmetic operations over integers.

The DGHV scheme operates over the integers and relies on the hardness of the Approximate Greatest Common Divisor (AGCD) problem. The construction consists of three main algorithms: key generation, encryption, and decryption.

• Key Generation:

  -

  The secret key is an odd random integer chosen uniformly from a predefined range.

  -

  The public key consists of several integers. Each public key element is computed by multiplying the secret key with a large random integer and then adding a small random noise. One of the public key elements is chosen to be the largest odd integer in the set.

• Encryption:

  -

  To encrypt a bit:

  ∗

  A random subset of the public key elements is selected.

  ∗

  A small random noise is sampled.

  ∗

  The ciphertext is computed by combining the message, the sampled noise, and a sum over the selected public key elements. The result is reduced modulo the largest public key element.

  -

  The resulting ciphertext contains the message hidden among noise terms, which ensures security.

• Decryption:

  -

  The ciphertext is first reduced modulo the secret key, and then the result is further reduced modulo 2 to recover the original message.

  -

  The correctness of decryption depends on the small size of the noise relative to the secret key.

Security Assumptions

The security of the DGHV scheme is based on the following computational problems and assumptions:

• Approximate Greatest Common Divisor (AGCD) Problem: Given a set of integers $x_i=p·q_i+r_i$, where p is a secret odd integer and $r_i$ are small noise terms, the AGCD problem requires recovering p. This problem is believed to be computationally hard, even for quantum computers.
• Sparse Subset Sum Problem (SSSP): The scheme also relies on the hardness of the SSSP, which involves finding a sparse subset of integers that sums to a specific value.
• Circular Security: The DGHV scheme assumes circular security, meaning that the encryption of the secret key p does not compromise the overall security of the scheme.

Limitations and Drawbacks

Despite its theoretical significance, the DGHV scheme has several practical limitations:

• Large Public Key Size: The public key consists of $n+1$ integers, each of which is significantly larger than the secret key p. This results in large public key size, which can be impractical for real-world applications.
• High Computational Complexity: The encryption and decryption processes involve arithmetic operations on large integers, leading to high computational overheads.
• Noise Growth: While the scheme supports homomorphic operations, the noise in the ciphertext grows with each operation, eventually requiring bootstrapping to maintain correctness. However, bootstrapping in the DGHV scheme is computationally expensive.

3.3.3. Second Generation: FHE Based on LWE and RLWE

Brakerski and Vaikuntanathan introduced two Fully Homomorphic Encryption (FHE) schemes, marking the beginning of the second generation of FHE. These schemes are based on the Learning With Errors (LWE) problem [34] and the Ring Learning With Errors (RLWE) problem [8]. The symmetric scheme based on LWE, referred to as the BV scheme, and its RLWE-based counterpart, the BGV scheme, are foundational to modern FHE. Below, we provide a detailed description of these schemes, their algorithms, and their key innovations.

BV Scheme: LWE-Based FHE

The BV scheme is based on the LWE problem, which involves solving linear equations perturbed by small noise. The scheme consists of the following algorithms:

• Encryption:

  -

  To encrypt a bit:

  ∗

  A random vector is generated.

  ∗

  The ciphertext is formed as a pair consisting of this random vector and a computed value that includes the inner product with the secret key, a small noise term, and the message.

  ∗

  The noise term is sampled from a predefined error distribution.

• Decryption:

  -

  To decrypt:

  ∗

  The inner product of the random vector and the secret key is subtracted from the second component of the ciphertext.

  ∗

  The result is reduced modulo the underlying modulus, and then modulo 2 to recover the message.

  -

  Decryption works correctly as long as the error introduced during encryption remains below a specified threshold.

The BV scheme introduced two critical techniques to enable fully homomorphic encryption:

• Relinearization (Key-Switching): This technique reduces the size of ciphertexts after homomorphic multiplication. Specifically, it reduces the ciphertext size from $\mathcal{O}\left(n^2\right)$ to $\mathcal{O}\left(n\right)$, where n is the dimension of the LWE problem.
• Dimension-Modulus Reduction (Modulus Switching): This technique transforms a ciphertext $c^{\prime } \mathrm{mod}q$ into a ciphertext $c \mathrm{mod}p$, where $p\ll q$. Modulus switching reduces the noise growth during homomorphic operations, enabling deeper computations without bootstrapping.

By eliminating the need for Gentry’s squashing technique as well as the reliance on the Sparse Subset Sum Problem (SSSP), the BV scheme becomes more efficient and practical.

BGV Scheme: RLWE-Based FHE

The BGV scheme extends the BV framework to the Ring Learning With Errors (RLWE) setting, offering improved efficiency and scalability. The scheme operates over the ring $R=\mathbb{Z}\left[x\right]/\langle x^d+1\rangle$, where $d=2^M$ for some integer M. The BGV scheme is defined as follows:

• Key Generation:

  -

  The secret key is a vector consisting of the constant 1 and a small random element sampled from an error distribution.

  -

  The public key is a pair of ring elements. One element is chosen at random, and the other is computed by multiplying the choosen element with the secret part of the key and adding a small error, then reducing modulo a fixed modulus.

• Encryption:

  -

  The message is encoded as a two-component vector, placing the bit to be encrypted in the first component.

  -

  The ciphertext is computed by adding the encoded message, a small random error vector, and a product involving the public key and a random ring element.

• Decryption:

  -

  Decryption involves computing the inner product between the ciphertext and the secret key.

  -

  The message is recovered by reducing the result modulo 2.

Brakerski introduced a scale-invariant variant of the BGV scheme [25], achieved by scaling down both the ciphertext and the error by a factor of q, where q is the ciphertext modulus, thus reducing the noise growth during homomorphic multiplications from exponential to linear. This innovation replaces the traditional modulus switching technique, further improving the scheme’s efficiency.

FV Scheme: Optimized RLWE-Based FHE

The FV scheme, an optimized version of the BGV scheme, was introduced by Fan and Vercauteren [23]. It is designed for efficient modular arithmetic on encrypted integers and is implemented in Microsoft’s SEAL library [35]. The FV scheme operates as follows:

• Key Generation:

  -

  The secret key is a small random element sampled from a noise distribution.

  -

  The public key consists of two ring elements:

  ∗

  One is computed using the secret key and an additional small noise term.

  ∗

  The other is a random ring element.

• Encryption:

  -

  To encrypt a message, several small random elements are sampled.

  -

  The ciphertext is a pair of ring elements:

  ∗

  One includes the message scaled by a modulus ratio, combined with a noisy term and one part of the public key.

  ∗

  The other is formed similarly using the second part of the public key and additional noise.

• Decryption:

  -

  Decryption computes a linear combination of the ciphertext components using the secret key.

  -

  The result is scaled down and reduced to recover the original message.

The BGV and FV schemes have been further enhanced through techniques such as batching, modulus switching, and improved bootstrapping. These optimizations enable their integration into practical cryptographic libraries like HElib [36] and SEAL [35], making them suitable for applications such as privacy-preserving machine learning and secure computation.

3.3.4. Second Generation: FHE Based on NTRU

The NTRU encryption scheme, introduced by Hoffstein et al. in 1998 [37], is a lattice-based cryptosystem that has played a significant role in the development of post-quantum cryptography. The scheme was initially proposed with a provisional patent, which was later granted in 2000 [38]. NTRU is often referred to as the LTV scheme in the literature [39], and it incorporates techniques such as bootstrapping and modulus switching to achieve its functionality.

The NTRU scheme operates over the ring $R=\mathbb{Z}\left[x\right]/\langle x^d+1\rangle$, where $d=2^m$ for some integer m. The scheme consists of three main algorithms: key generation, encryption, and decryption.

• Key Generation:

  -

  Sample two small polynomials from a bounded distribution over the ring.

  -

  Construct the secret key by doubling one of the polynomials and adding one, ensuring it is invertible modulo a specified integer.

  -

  Compute the public key by multiplying the second sampled polynomial with the inverse of the secret key and scaling appropriately.

  -

  The public and secret keys form the key pair.

• Encryption:

  -

  For a binary message, sample two small polynomials from the error distribution.

  -

  The ciphertext is computed by combining the public key with the sampled polynomials and adding the message.

  -

  All operations are performed modulo a specified integer.

• Decryption:

  -

  Multiply the ciphertext by the secret key and reduce modulo the ring and modulo 2.

  -

  Correct decryption is ensured as long as the noise remains within acceptable bounds.

Security Assumptions

The security of the NTRU scheme is based on the following computational problems and assumptions:

• Circular Security: The scheme assumes that the encryption of the secret key does not compromise the overall security of the system.
• Ring Learning With Errors (RLWE) Problem: The hardness of solving the RLWE problem over the ring R is a fundamental assumption for the security of NTRU.
• Decisional Small Polynomial Ratio (DSPR) Problem: This problem involves distinguishing between a random polynomial and a ratio of two small polynomials in the ring R. The DSPR problem is believed to be computationally hard, even for quantum computers.

Limitations and Vulnerabilities

Despite its initial promise, the NTRU scheme has several limitations and vulnerabilities that have impacted its practical adoption:

• Parameter Sizing: To achieve security against known attacks, the parameters of NTRU-based schemes must be significantly larger than those initially proposed. This results in larger key sizes and reduced efficiency.
• Error Rates: Research by Lepoint and Naehrig [40] has shown that RLWE-based schemes exhibit lower error rates compared to NTRU-based schemes. This makes RLWE-based schemes more robust for practical applications.
• Attacks: Numerous attacks have been documented against NTRU-based schemes, including lattice reduction attacks and subfield attacks. While parameters have been improved to mitigate these attacks, the resulting schemes are less efficient than their RLWE counterparts.

Due to the aforementioned limitations, NTRU-based schemes are no longer widely used or supported by cryptographic libraries. The efficiency and security advantages of RLWE-based schemes have made them the preferred choice for lattice-based cryptography in both academic research and practical implementations.

3.3.5. Third Generation: FHE Based on LWE and RLWE

The third generation of homomorphic encryption introduced a novel approach known as the approximate eigenvector method [41]. This method significantly advances the field by eliminating the need for key and modulus switching techniques, which were critical in earlier schemes such as BGV and FV. A key advantage of this approach is its ability to control error growth during homomorphic multiplications, limiting it to a small polynomial factor. Specifically, when multiplying l ciphertexts with the same error level, the final error increases by a factor of $l·\mathrm{poly}\left(n\right)$, where n represents the dimension of the encryption scheme or lattice. This is a substantial improvement over previous schemes, where error growth was quasi-polynomial. This third-generation scheme is commonly referred to as the GSW scheme, named after its inventors Gentry, Sahai, and Waters. Below, we provide a detailed description of the GSW scheme, its algorithms, and its optimizations.

GSW Scheme: Approximate Eigenvector Method

The GSW scheme is based on the Learning With Errors (LWE) problem and employs an approximate eigenvector approach to achieve fully homomorphic encryption. The scheme consists of the following algorithms:

• Key Generation:

  -

  Generate a secret key as a vector starting with 1 followed by randomly chosen integers.

  -

  Construct a public matrix such that its product with the secret key yields a small error vector.

• Encryption:

  -

  Represent the message as a scalar multiple of the identity matrix.

  -

  Generate a random binary matrix and compute the ciphertext as the sum of the message matrix and the product of this random matrix with the public key.

  -

  The randomness in the binary matrix introduces encryption noise.

• Decryption:

  -

  Multiply the ciphertext with the secret key to retrieve the message component, while the noise term remains small.

  -

  Use the first coordinate of the resulting vector to approximate and recover the original message.

Homomorphic Multiplication and Bootstrapping

The GSW scheme employs bit decomposition for homomorphic multiplication allowing for efficient computation of products of ciphertexts. However, the scheme has some limitations:

• High Communication Costs: The ciphertext size in the GSW scheme is relatively large compared to the plaintext, leading to increased communication overhead.
• Computational Complexity: The scheme involves complex matrix operations, which can be computationally intensive.

To address these limitations, several optimizations have been proposed:

• Arithmetic Bootstrapping: Alperin-Sheriff and Peikert (AP) [42] introduced a bootstrapping algorithm that treats decryption as an arithmetic function rather than a Boolean circuit, significantly reducing computational complexity.
• Homomorphic Matrix Operations: Hiromasa et al. [43] extended the GSW scheme to support homomorphic matrix operations, further enhancing its applicability.
• Programmable Bootstrapping (PBS): Ducas and Micciancio [44] introduced the FHEW scheme, which incorporates the AP bootstrapping technique and enables programmable bootstrapping. This allows for the homomorphic evaluation of arbitrary functions, including the NAND operation, using lookup tables.

In addition to the GSW scheme, the third generation of homomorphic encryption includes three distinct schemes based on the torus:

• TLWE (Torus Learning With Errors): Generalizes the LWE problem to the torus $\mathbb{T}=\mathbb{R}/\mathbb{Z}$.
• TRLWE (Torus Ring Learning With Errors): Extends the RLWE problem to the torus, enabling encryption of plaintexts in the ring of integer polynomials R.
• TRGSW (Torus Ring GSW): A ring variant of the GSW scheme on the torus, which supports homomorphic operations on encrypted data.

The TRLWE scheme operates over the ring $R=\mathbb{Z}\left[x\right]/\langle x^d+1\rangle$, where $d=2^M$. The message space is defined as $T=R\left[x\right]/\langle x^d+1\rangle \mathrm{mod}1$, and the scheme is constructed as follows:

• Key Generation:

  -

  Choose a small secret key from a ring of polynomials modulo 2, where coefficients are in ${\mathbb{F}}_2$ and polynomials are reduced modulo a cyclotomic polynomial.

• Encryption:

  -

  Select a message from the torus $\mathbb{T}$, representing real numbers modulo 1.

  -

  Sample a random masking vector uniformly and add a small error drawn from a bounded distribution.

  -

  Construct the ciphertext as a pair, consisting of the mask and a linear combination of the secret key with the mask, added to the message and the error.

• Decryption:

  -

  Use the secret key to compute a linear combination that cancels the mask.

  -

  Subtract this value from the second component of the ciphertext to extract a noisy version of the message.

  -

  Round the result to the nearest valid message point in the torus.

Chillotti et al. [45] introduced several optimizations for torus-based FHE schemes, including the ability to generate fresh ciphertexts by linearly combining existing ones. However, non-linear operations remain challenging due to the limitations of TLWE. To address this, the TRGSW scheme was developed, which supports generalized scale-invariant operations and enables efficient switching between TRLWE and TLWE.

3.3.6. Fourth Generation: FHE Based on LWE and RLWE

In 2017, Cheon et al. introduced a groundbreaking collection of Fully Homomorphic Encryption (FHE) schemes [30], which are specifically designed for approximate arithmetic on real and complex numbers. This scheme, originally named HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers), is now commonly referred to as the CKKS scheme, named after its authors. The CKKS scheme provides a leveled homomorphic encryption framework, enabling efficient computations on encrypted data while maintaining approximate correctness. Additionally, the authors released an open-source library to facilitate the implementation and deployment of this scheme.

The CKKS scheme operates over the ring $R=\mathbb{Z}\left[x\right]/\langle x^d+1\rangle$, where $d=2^M$ for some integer M. The scheme is designed to handle approximate arithmetic, making it particularly suitable for applications involving real or complex numbers, such as machine learning and scientific computing. The CKKS scheme consists of the following algorithms:

• Key Generation:

  -

  Choose a base value, an initial modulus, and a level parameter.

  -

  Define appropriate distributions for noise and randomness.

  -

  Generate a secret key consisting of a fixed value and a random component.

  -

  Create a public key using a randomly chosen polynomial and an error term.

  -

  Construct an evaluation key using additional randomness and a scaled secret.

  -

  Output the secret key, public key, and evaluation key.

• Encryption:

  -

  To encrypt a message, choose random values for masking and noise.

  -

  Use the public key to compute a ciphertext as a pair of noisy polynomials encoding the message.

• Decryption:

  -

  Use the secret key to combine the ciphertext components and recover an approximation of the original message.

  -

  The correctness depends on the noise being sufficiently small.

A notable feature of the CKKS scheme is its ability to encode messages as elements in the extension field $\mathbb{C}$, which corresponds to the complex numbers. Specifically:

• The message space is defined as $S=R\left[x\right]/\langle x^d+1\rangle$, where the roots of the polynomial $x^d+1$ are the complex primitive roots of unity in $\mathbb{C}$.
• A message $m\in S$ can be embedded into a vector of complex numbers by evaluating it at these roots. This allows for efficient encoding and decoding of real and complex numbers, making the CKKS scheme particularly suitable for applications involving approximate arithmetic.

The CKKS scheme offers several advantages over previous FHE schemes:

• Approximate Arithmetic: The scheme is specifically designed for approximate computations, making it ideal for applications such as machine learning, where exact precision is not required.
• Efficient Encoding: The ability to encode messages as complex numbers allows for efficient representation of real and complex data, reducing the computational overhead associated with homomorphic operations.
• Leveled Homomorphism: The CKKS scheme supports leveled homomorphic encryption, enabling a predetermined number of homomorphic operations without the need for bootstrapping. This makes it more efficient for practical applications.

3.4. Security Assumptions of Current FHE Schemes

The security of lattice-based Fully Homomorphic Encryption (FHE) schemes relies on the hardness of several well-studied computational problems in lattice theory. These problems form the foundation of the cryptographic assumptions underlying the security of LWE (Learning With Errors) and RLWE (Ring Learning With Errors)-based schemes. Below, we provide a brief analysis of the various problems and their relevance to FHE. The reader can find more details about the NP-Hard problems in [7].

3.4.1. Shortest Vector Problem (SVP)

The Shortest Vector Problem (SVP) is a fundamental problem in lattice theory and serves as the basis for many lattice-based cryptographic schemes. Given a lattice L, the SVP involves finding the shortest non-zero vector in L. Several variants of the SVP are used in cryptographic constructions [7]:

• Approximate Shortest Vector Problem ($SV{P}_{\gamma }$):

  -

  Given a lattice and an approximation factor greater than or equal to 1, the goal is to find a short non-zero vector in the lattice.

  -

  The vector should be at most a factor $\gamma$ longer than the actual shortest non-zero vector in the lattice.

• Gap Shortest Vector Problem ($GapSV{P}_{\gamma ,r}$):

  -

  Given a lattice, a distance bound, and an approximation factor, the task is to decide whether the shortest non-zero vector is shorter than the bound or significantly longer than it.

  -

  Specifically, determine if the shortest vector is less than the given bound or at least $\gamma$ times larger.

• Unique Shortest Vector Problem ($uSV{P}_{\gamma }$):

  -

  Given a lattice and an approximation factor, the goal is to find the shortest non-zero vector assuming it is significantly shorter than all other non-parallel vectors.

  -

  That is, the first shortest vector is unique in that it is strictly shorter than the next shortest one by a factor of $\gamma$.

The hardness of these problems is crucial for the security of lattice-based FHE schemes. If the SVP is solvable, then the decisional variant $GapSV{P}_{\gamma ,r}$ is also solvable.

3.4.2. Closest Vector Problem (CVP)

The Closest Vector Problem (CVP) is a generalization of the SVP, where the goal is to find the lattice vector closest to a given target vector $t\in {\mathbb{R}}^n$. The CVP and its variants are defined as follows [7]:

• Approximate Closest Vector Problem ($CV{P}_{\gamma }$):

  -

  Given a lattice and a target point in space, the goal is to find a lattice vector that is close to the target.

  -

  The vector found should be no more than a factor $\gamma$ farther from the target than the actual closest lattice point.

• Gap Closest Vector Problem ($DCV{P}_{\gamma ,r}$):

  -

  Given a lattice, a target point, a distance bound, and an approximation factor, the task is to decide whether the target is very close to the lattice or significantly farther away.

  -

  Specifically, determine whether the distance is less than the given bound or at least $\gamma$ times larger.

• Bounded Distance Decoding Problem ($BD{D}_{\alpha }$):

  -

  Given a lattice and a target point that is guaranteed to be close to it, the goal is to find the closest lattice vector.

  -

  The guarantee is that the target lies within a certain fraction $\alpha$ of the shortest non-zero distance between lattice points.

The CVP and its variants are closely related to the SVP and are used in the security analysis of lattice-based cryptographic schemes.

3.4.3. Shortest Integer Solution (SIS) Problem

The Shortest Integer Solution (SIS) problem is another fundamental problem in lattice-based cryptography. It is defined as follows [7]:

• Short Integer Solution Problem ($SI{S}_{q,m,\beta }$):

  -

  Given a matrix with entries modulo q, the task is to find a short, non-zero integer vector.

  -

  This vector should make the matrix-vector product equal to zero modulo q.

  -

  Additionally, the vector must have a length (or norm) smaller than a specified bound $\beta$.

The SIS problem is equivalent to finding a short vector in the scaled dual lattice $L_q^{\perp }\left(A\right)$. It is used in the construction of cryptographic primitives such as digital signatures and hash functions.

3.4.4. Learning with Errors (LWE) and Ring-LWE

The Learning With Errors (LWE) problem and its ring variant (Ring-LWE) are central to the security of many lattice-based FHE schemes. These problems are defined as follows:

• Learning With Errors (LWE) Problem:

  -

  One is given a matrix and a corresponding noisy output vector.

  -

  This output is generated by multiplying a secret vector with the matrix and adding some small random noise.

  -

  The objective is to recover the secret vector from this noisy data.

• Ring Learning With Errors (Ring-LWE) Problem:

  -

  This is a structured variant of LWE that operates over polynomial rings.

  -

  Given a ring, a noisy polynomial is generated using a secret polynomial, a public random polynomial, and a small error.

  -

  The goal is to recover the hidden secret polynomial using the available public polynomials.

The security of LWE and Ring-LWE-based schemes relies on the hardness of solving these problems using lattice reduction algorithms. However, as demonstrated by Albrecht et al. [46], there is no universal attack that can efficiently solve all instances of these problems. The effectiveness of lattice reduction attacks depends on the choice of parameters, such as the modulus q, the dimension n, and the error distribution.

For Ring-LWE, the security analysis is similar to that of LWE, but with additional considerations due to the ring structure. According to the Homomorphic Encryption Security Standard, selecting an appropriate error distribution ensures that there are no superior attacks on Ring-LWE compared to LWE. However, the error distribution must be sufficiently spread to maintain security.

The security of lattice-based FHE schemes is grounded in the hardness of problems such as SVP, CVP, SIS, LWE, and Ring-LWE. These problems are believed to be resistant to quantum attacks, making lattice-based cryptography a promising candidate for post-quantum security. While lattice reduction algorithms pose a potential threat, careful parameter selection and error distribution management can mitigate these risks, ensuring the robustness of lattice-based cryptographic schemes.

Lattice-based homomorphic encryption (HE) schemes, like those based on Learning With Errors (RLWE) and NTRU, have made notable strides in efficiency and security. However, they still face challenges such as large ciphertext expansion, high computational overhead, and susceptibility to quantum attacks. Concerns about their long-term security arise from their reliance on lattice problems. To address these limitations, researchers are turning to alternative hardness assumptions. Code-based cryptography, known for its strength in post-quantum encryption, offers potential benefits for HE, including robust security and efficiency. Exploring code-based HE schemes may help overcome the shortcomings of lattice approaches while maintaining resistance to quantum threats.

4. Code-Based Cryptography

Code-based cryptography relies on the NP-hard problem of indistigushabilty and decoding a random linear code and is a promising option for post-quantum cryptography. Code-based cryptosystems work by choosing the private key as a linear code C, which can efficiently correct a predetermined number of errors. The public key, denoted as $C^{\prime }$, is a disguised version of the linear code and is designed so that it will appear random and not reveal the private key to an observer who doesn’t have access to C. With access to the public key $C^{\prime }$, a sender can encrypt their message and potentially add errors. An attacker who sees the ciphertext, will need to decode it to recover the message. As the ciphertext is a random codeword, there is no polynomial-time algorithm to do this. The receiver who has the private key C can transform the ciphertext into a codeword of C, which can be efficiently decoded to retrieve the message.

In this section we first introduce the NP-hard problems on which code-based cryptography is based. We will then introduce existing code-based ciphers.

4.1. NP-Hard Problems in Coding Theory

There are two categories of NP-hard problems in this area. The first is around the difficulty of decoding a random linear code and the second is around the difficulty of proving equivalence of codes. While the NP-hard problems in both categories are defined over the Hamming metric, we also present the analogous problems in the rank metric.

4.1.1. The Decoding Problems in Coding Theory

There are three variations of decoding problems, each of which is described below:

Decoding Problem (DP):

Let ${\mathbb{F}}_q$ be a finite field and consider a code defined by a generator matrix

$$G\in {\mathbb{F}}_q^{k\times n}.$$

Given a received vector $r\in {\mathbb{F}}_q^n$ and an integer t (representing an error weight threshold), the task is to decide whether there exists a message $m\in {\mathbb{F}}_q^k$ and an error vector $e\in {\mathbb{F}}_q^n$ with

$$\mathrm{wt}\left(e\right)\le t,\mathrm{such}\mathrm{that},r=mG+e.$$

This problem is fundamental in algebraic coding theory.

Syndrome Decoding Problem (SDP):

In the syndrome formulation, one is given a parity-check matrix

$$H\in {\mathbb{F}}_q^{(n-k)\times n},$$

a syndrome $s\in {\mathbb{F}}_q^{n-k}$, and an integer t. The goal is to find an error vector $e\in {\mathbb{F}}_q^n$ satisfying

$$e{H}^{\top }=s\mathrm{and}\mathrm{wt}\left(e\right)\le t.$$

By converting G into systematic form and obtaining the corresponding H, the DP can be recast as an SDP, and conversely, one can recover a DP instance from an SDP instance.

Given Weight Codeword Problem (GWCP):

Given a parity-check matrix H and an integer w, the problem asks whether there exists a codeword

$$c\in {\mathbb{F}}_q^n,$$

such that

$$c{H}^{\top }=0\mathrm{and}\mathrm{wt}\left(c\right)=w.$$

By augmenting the generator matrix with the received vector, one shows that GWCP is equivalent to the DP (and hence to the SDP).

4.1.2. Code Equivalence Problems

Code equivalence problem is known as the indistinguishability of a random linear code. Similar to decoding problems, there are three varieties of code equivalence problems.

Permutation Equivalence Problem (PEP):

Given two generator matrices

$$G,G^{\prime }\in {\mathbb{F}}_q^{k\times n},$$

find a permutation $\varphi \in S_n$ (the symmetric group on n elements) such that

$$\varphi \left(\langle G\rangle \right)=\langle G^{\prime }\rangle .$$

This problem is a special case of the broader linear equivalence issues.

Linear Equivalence Problem (LEP):

For $G,G^{\prime }\in {\mathbb{F}}_q^{k\times n}$, the goal is to find a mapping

$$\varphi \in {\left({\mathbb{F}}_q^{\ast }\right)}^n⋊S_n,$$

that sends the code generated by G to that generated by $G^{\prime }$.

Subcode Equivalence and the Permuted Kernel Problem (PKP/SEP):

• PKP: Given $G\in {\mathbb{F}}_q^{k\times n}$ and another matrix $H^{\prime }$ (typically related to a subcode), find a permutation matrix P such that

  $$H^{\prime }{\left(GP\right)}^{\top }=0.$$
• SEP: Reformulated as the subcode equivalence problem, one seeks a permutation matrix P such that

  $$\langle G^{\prime }\rangle \subset \langle GP\rangle .$$

A relaxed version of PKP requires only finding a non-zero codeword (i.e., a subcode of dimension 1) that meets the equivalence condition.

4.1.3. Rank-Metric Analogues and the MinRank Problem

There are analogues to the problems above with respect to the rank metric.

Rank Syndrome Decoding Problem (Rank SDP):

In the rank metric, where matrices are considered over ${\mathbb{F}}_{q^m}$, the problem is analogous to the classical SDP. Given a parity-check matrix

$$H\in {\mathbb{F}}_{q^m}^{(n-k)\times n},$$

a syndrome

$$s\in {\mathbb{F}}_{q^m}^{n-k},$$

and an integer t, the task is to find an error vector

$$e\in {\mathbb{F}}_{q^m}^n,$$

with rank weight

$${\mathrm{wt}}_R\left(e\right)\le t,$$

satisfying

$$e{H}^{\top }=s.$$

While reductions from the classical SDP suggest its hardness, the NP-completeness of the Rank SDP remains an open question.

MinRank Problem:

For ${\mathbb{F}}_q$-linear (matrix) codes, the MinRank problem is stated as follows. Given matrices

$$G_1,\dots ,G_k\in {\mathbb{F}}_q^{m\times n},$$

an integer t, and a matrix $R\in {\mathbb{F}}_q^{m\times n}$, the goal is to find a matrix

$$E\in {\mathbb{F}}_q^{m\times n}$$

of rank at most t, and scalars ${\lambda }_1,\dots ,{\lambda }_k\in {\mathbb{F}}_q$, such that

$$R={\lambda }_1{G}_1+\cdots +{\lambda }_k{G}_k+E.$$

This problem, which is equivalent to the decoding problem in the rank metric for matrix codes, is known to be NP-complete.

In summary, the Decoding Problem (DP), the Syndrome Decoding Problem (SDP), and the Given Weight Codeword Problem (GWCP) are shown to be equivalent formulations central to algebraic coding theory. These problems underpin many cryptographic constructions based on error-correcting codes. Additionally, several code equivalence problems (including PEP, LEP, and SEP/PKP) extend these ideas, while the rank-metric analogues such as the Rank SDP and the NP-complete MinRank problem further illustrate the complexity landscape in coding theory.

4.2. Frameworks in Code-Based Cryptography

This section describes the three existing cryptosystems built on NP-hard problems in coding theory. We will discuss the McEleice framework, the Niederiter Framework and two variants of the Alekhnovich Framework here. In addition to these, there are the Quasi-cyclic framework [47], Augot-Finiasz (AF) cryptosystem [48] and the GPT cryptosystem [49] which are widely in use and are derivative variations of the above three frameworks. Details of all the code-based frameworks can be found in [50].

4.2.1. McEliece Framework

McEliece [51] proposed a public key cryptosystem using a linear code, for example, a binary Goppa code. The secret key is chosen as one of the many possible generators of a chosen linear code. The public key is a new matrix created by adding randomness and permuting the generator. The new matrix looks like a random matrix and will not leak information about the actual generator. A sender will multiply this random matrix with the plaintext and the product will be added to a random binary error vector whose weight will be less than the error-correcting bound of the chosen linear code. The resulting ciphertext is sent back to the owner of the secret key. To decode the ciphertext, the receiver first performs the decoding algorithm to remove the error vector added in the encoding, then performs the inverse of the operations done to generate the random matrix and retrieve the original message. Without knowledge of the generator and the random transformation, an attacker observing the ciphertext will find it computationally hard to find the message.

The McEliece framework is described in

Table 4. The McEliece Cryptosystem Framework, giving the processes of key generation, encryption and decryption.

Transmitter (Key Owner)	Communication	Sender (Plaintext Owner)
Key Generation
1. Select linear code $C\subseteq {\mathbb{F}}_q^n$ with parameters $[n,k,t]$
2. Choose $k\times n$ generator matrix $\mathbf{G}$ for C
3. Generate a random $k\times k$ invertible matrix $\mathbf{S}\in {\mathrm{GL}}_k\left({\mathbb{F}}_q\right)$
4. Generate a random $n\times n$ permutation matrix $\mathbf{P}$
5. Compute the Public Key: ${\mathbf{G}}^{\prime }=\mathbf{SGP}$
Private Key: $(\mathbf{G},\mathbf{S},\mathbf{P})$	$\stackrel{\mathrm{Public}\mathrm{Key}(t,{\mathbf{G}}^{\prime })}{\to }$	Store public key $(t,{\mathbf{G}}^{\prime })$
Encryption
		1. Encode message $\mathbf{m}\in {\mathbb{F}}_q^k$
		2. Generate error vector $\mathbf{e}\in {\mathbb{F}}_q^n$ with $\mathrm{wt}\left(\mathbf{e}\right)\le t$
		3. Compute ciphertext: $\mathbf{c}={\mathbf{mG}}^{\prime }+\mathbf{e}$
	$\stackrel{\mathrm{Ciphertext}\mathbf{c}}{\leftarrow }$
Decryption
1. Compute ${\mathbf{cP}}^{-1}=\mathbf{mSG}+{\mathbf{eP}}^{-1}$
2. Decode using the Private Key C to recover $\mathbf{mS}$
3. Compute $\mathbf{m}=\mathbf{mS}·{\mathbf{S}}^{-1}$

. The parameters of the framework are $(q,n,k,t)$ where q is a prime or prime power, n the length of the codeword, k the length of the plaintext and t the error correcting capacity of the code. $G{L}_k$ is the general linear group of order k.

4.2.2. Niederreiter Framework

The Niederreiter framework [52] uses the parity-check matrix instead of the generator matrix, resulting in an equivalently secure system. Niederreiter originally proposed using GRS codes as secret codes. In this scheme the plaintext is encoded as a vector of length n and weight less than or equal to the error correcting capacity of the code. The general Niederreiter framework with a linear code is presented in

Table 5. The Niederreiter Cryptosystem Framework giving the processes of key generation, encryption and decryption.

Transmitter (Key Owner)	Communication	Sender (Plaintext Owner)
Key Generation
1. Select a linear code $C\subseteq {\mathbb{F}}_q^n$ with parameters $[n,k,t]$
2. Choose an $(n-k)\times n$ parity-check matrix $\mathbf{H}$ for C
3. Generate a random invertible matrix $\mathbf{S}\in {\mathrm{GL}}_{n-k}\left({\mathbb{F}}_q\right)$
4. Generate a random $n\times n$ permutation matrix $\mathbf{P}$
5. Compute the Public Key: ${\mathbf{H}}^{\prime }=\mathbf{SHP}$
Private Key: $(\mathbf{H},\mathbf{S},\mathbf{P})$	$\stackrel{\mathrm{Public}\mathrm{Key}(t,{\mathbf{H}}^{\prime })}{\to }$	Store public key $(t,{\mathbf{H}}^{\prime })$
Encryption
		1. Encode message $\mathbf{m}\in {\mathbb{F}}_q^n$ with $\mathrm{wt}\left(\mathbf{m}\right)\le t$
		2. Compute ciphertext: ${\mathbf{c}}^T={\mathbf{H}}^{\prime }{\mathbf{m}}^T$
	$\stackrel{\mathrm{Ciphertext}\mathbf{c}}{\leftarrow }$
Decryption
1. Compute ${\mathbf{S}}^{-1}{\mathbf{c}}^T=\mathbf{HP}{\mathbf{m}}^T$
2. Use the decoding algorithm of C to recover $\mathbf{P}{\mathbf{m}}^T$
3. Compute ${\mathbf{m}}^T={\mathbf{P}}^{-1}\left(\mathbf{P}{\mathbf{m}}^T\right)$

.

4.2.3. Alekhnovich’s Cryptosystem

Alekhnovich’s cryptosystem [53] is the first code-based cryptosystem with provable security proof. It relies solely on the decoding problem and lays the foundations for modern code-based cryptography, where researchers attempt to construct code-based cryptosystems with a provable reduction to the problem of distinguishing a random codeword from a uniform string. There are two variants of this cryptosystem, both relying on the hard problem of distinguishing a random vector from an erroneous codeword of the code C. We present the first (encrypts one bit at a time) and second (encrypts a vector of bits at a time) variants of the Alkehnovich cryptosystem in

Table 6. The Alekhnovich First Variant Framework, giving the processes of key generation, encryption and decryption.

Transmitter (Key Owner)	Communication	Sender (Plaintext Owner)
Key Generation
1. Select parameters: $t\in o\left(\sqrt{n}\right)$
2. Choose random matrix $\mathbf{A}\in {\mathbb{F}}_2^{k\times n}$
3. Generate random vector $\mathbf{e}\in {\mathbb{F}}_2^n$ with $\mathrm{wt}\left(\mathbf{e}\right)=t$
4. Generate random vector $\mathbf{x}\in {\mathbb{F}}_2^k$
5. Compute $\mathbf{y}=\mathbf{xA}+\mathbf{e}$
6. Construct ${\mathbf{H}}^T=({\mathbf{A}}^T,{\mathbf{y}}^T)$
7. Define code $C=\ker \left(\mathbf{H}\right)$
8. Choose generator matrix $\mathbf{G}\in {\mathbb{F}}_2^{(n-k)\times n}$ for C
Public Key: $(\mathbf{G},t)$
Private Key: $\mathbf{e}$	$\stackrel{\mathrm{Public}\mathrm{Key}(\mathbf{G},t)}{\to }$	Store public key $(\mathbf{G},t)$
Encryption
		1. Encode message $\mathbf{m}\in {\mathbb{F}}_2$
		2. If $\mathbf{m}=0$:
		- Choose $\mathbf{a}\in {\mathbb{F}}_2^{n-k}$
		- Choose ${\mathbf{e}}^{\prime }\in {\mathbb{F}}_2^n$ with $\mathrm{wt}\left({\mathbf{e}}^{\prime }\right)=t$
		- Compute ciphertext: $\mathbf{c}=\mathbf{aG}+{\mathbf{e}}^{\prime }$
		3. If $\mathbf{m}=1$:
		- Choose random $\mathbf{c}\in {\mathbb{F}}_2^n$
	$\stackrel{\mathrm{Ciphertext}\mathbf{c}}{\leftarrow }$
Decryption
1. Compute $\mathbf{b}=\langle \mathbf{e},\mathbf{c}\rangle$
2. If $\mathbf{b}=0$: Decrypt $\mathbf{m}=0$ (high probability)
3. If $\mathbf{b}=1$: Decrypt $\mathbf{m}=1$ (probability $1/2$)

and

Table 7. The Alekhnovich Second Variant Framework, giving the processes of key generation, encryption and decryption.

Transmitter (Key Owner)	Communication	Sender (Plaintext Owner)
Key Generation
1. Choose random matrices:
- $\mathbf{A}\in {\mathbb{F}}_2^{n/2\times n}$
- $\mathbf{X}\in {\mathbb{F}}_2^{n\times n/2}$
- $\mathbf{E}\in {\mathbb{F}}_2^{n\times n}$ with row weight t
2. Compute $\mathbf{M}=\mathbf{XA}+\mathbf{E}\in {\mathrm{GL}}_n\left({\mathbb{F}}_2\right)$
3. Define binary code $C_0$ capable of correcting errors from a BSC with transition probability $t^2/n$
4. Define map $\varphi :\mathbf{x}\mapsto \mathbf{Mx}$
5. Construct code $C={\varphi }^{-1}\left(C_0\right)\cap \ker \left(\mathbf{A}\right)$
6. Choose generator matrix $\mathbf{G}\in {\mathbb{F}}_2^{k\times n}$ for C
Public Key: $(\mathbf{G},t)$
Private Key: $\mathbf{E}$	$\stackrel{\mathrm{Public}\mathrm{Key}(\mathbf{G},t)}{\to }$	Store public key $(\mathbf{G},t)$
Encryption
		1. Encode message $\mathbf{m}\in {\mathbb{F}}_2^{k/2}$
		2. Choose random $\mathbf{r}\in {\mathbb{F}}_2^{k/2}$
		3. Choose random $\mathbf{e}\in {\mathbb{F}}_2^n$ with $\mathrm{wt}\left(\mathbf{e}\right)=t$
		4. Compute $\mathbf{x}=(\mathbf{m},\mathbf{r})\in {\mathbb{F}}_2^k$
		5. Compute ciphertext: $\mathbf{c}=\mathbf{xG}+\mathbf{e}$
	$\stackrel{\mathrm{Ciphertext}\mathbf{c}}{\leftarrow }$
Decryption
1. Compute ${\mathbf{y}}^T=\mathbf{E}{\mathbf{c}}^T={\mathbf{z}}^T+\mathbf{E}{\mathbf{e}}^T$
2. Decode $\mathbf{y}$ using $C_0$ to recover $\mathbf{z}$
3. Solve $\mathbf{xG}={\varphi }^{-1}\left(\mathbf{z}\right)$ to recover $\mathbf{x}$
4. Extract message $\mathbf{m}$ from $\mathbf{x}$

. In both variants n is the length of the ciphertext, t the error-correcting bound of C and k the number of rows in the generator matrix of C.

Despite the security advantages of code-based ciphers the challenges that have impeded its practical application are the large size of the keys and ciphertext expansion, making it costly and inefficient to communicate.

4.3. Advantages in the Post-Quantum Era

Code-based cryptosystems are known for their strong resistance to quantum attacks as no known quantum algorithms efficiently solve SDP or distinguish Goppa codes. Additionally, they involve simpler arithmetic operations compared to lattice-based schemes and avoid complex noise management techniques. Their relative simplicity and efficiency in implementation compared to lattice-based schemes make them attractive candidates for post-quantum cryptographic applications.

• Quantum Resistance: Code-based cryptography derives its security from the Syndrome Decoding Problem (SDP), which has been proven NP-hard [14], and the Goppa Code Distinguishing Problem. Unlike the Shor-vulnerable RSA/ECC systems, no known quantum algorithm solves SDP sub-exponentially [54]. The Classic McEliece cryptosystem, a NIST Post-Quantum Standardization finalist [55], exemplifies this resilience. While lattice-based schemes rely on LWE/Ring-LWE assumptions vulnerable to future quantum advances [56], code-based systems maintain security through decades-old coding theory foundations [57].
• Efficiency: Code-based HE replaces lattice-based polynomial ring arithmetic with finite field matrix operations. For example, encryption in McEliece variants requires only $\mathcal{O}(n^2)$ matrix-vector multiplications, compared to $\mathcal{O}(n^3)$ FFT-accelerated polynomial multiplications in Ring-LWE schemes. Maringer et al. [58] demonstrated 1.8× faster encryption in code-based RLWE hybrids compared to pure lattice implementations. The absence of probabilistic decryption failures further reduces redundant computations [59].
• Implementation Simplicity: Code-based schemes inherently manage noise through error-correcting codes rather than artificial noise sampling. Armknecht et al. [60] showed this eliminates lattice-style noise flooding and modulus switching. For example, McEliece-based HE uses predetermined error vectors from code distance properties, avoiding Gentry’s [6] complex bootstrapping framework. The implementations of [11] required 40% fewer code lines compared to lattice-based libraries. This simplicity extends to hardware acceleration - FPGA implementations show better area-time product than lattice analogs [61].

5. Code-Based Homomorphic Encryption Schemes

This section presents code-based HE constructions, along with their functionality and comparative analysis.

5.1. Bogdanov and Lee Homomorphic Encryption

This scheme [62] was constructed by combining the encryption structure of the local cryptosystem of Applebaum, Barak, and Wigderson [63] with a key scrambling of the McEliece cryptosystem [51].

The ABW PKE scheme is based on hardness-on-average assumptions for natural combinatorial NP-hard optimization problems with the following assumptions:

• It is infeasible to solve a random set of sparse linear equations mod 2, of which a small fraction is noisy.
• It is infeasible to distinguish between a random unbalanced bipartite graph and a graph in which a set S with only $\left|S\right|/3$ neighbors is planted at random on the large side.
• There is a pseudo-random generator, where every output depends on a random subset of the constant size of the input.

The basic idea here is to construct a generator matrix for the McEliece cryptosystem with the above assumptions. The encryption scheme can be described below:

• KeyGen
  Choose a uniformly random subset $S^{\prime }\subseteq \{1,\cdots ,n\}$ of size s and an $n\times r$ matrix M from the following distribution. First, choose a set of uniformly random but distinct values $a_1,\cdots ,a_n$ from $F_q$. Set the $i^{th}$ row $M_i$ to

  $$M_i=\left\{\begin{array}{cc}(a_i{a}_i^2\cdots a_i^{s/3}0\cdots 0),\hfill & \hfill \mathrm{if}i\in S^{\prime }\\ (a_i{a}_i^2\dots a_i^{s/3}{a}_i^{s/3+1}\dots a_i^r),\hfill & \hfill \mathrm{if}i\notin S^{\prime }\end{array}\right\}$$
  The secret key is the pair $(S^{\prime },M)$ and the public key is the matrix $P=MR$, where R is a random $r\times r$ matrix over $F_q$ with determinant 1.
• Encryption
  Given a public key P, to encrypt a message $m\in F_q$, choose a uniformly random $x\in F_q^r$ and an error vector $e\in F_q^n$ by choosing each of its entries independently at random from a random distribution $\chi$. Output the ciphertext $c=Px+m1+e$, where $1\in F_q^n$ is the all ones vector.
• Decryption
  Given a secret key $(S^{\prime },M)$, to decrypt a ciphertext $c\in F_q^n$, first find a solution to the following system of $(s/3)+1$ linear equations over variables $y_i\in F_q,i\in S^{\prime }$

  $$\sum _{i\in S^{\prime }}{y}_i{M}_i=0,$$

  $$\sum _{i\in S^{\prime }}{y}_i=1,$$

  with $y_i=0$ when $i\notin S^{\prime }$. Output the value ${\sum }_{i\in \left[n\right]}{y}_i{c}_i$.

5.2. Armknecht Scheme

Armknecht [60] provided a generic construction of a symmetric key homomorphic encryption scheme that can evaluate multivariate polynomials up to a fixed degree $\mu$.

• Key Generation (s, $\mu$, L)
  The input s represents the security parameter, L is the expected total number of encryptions, and $\mu$ is the maximum degree of supported polynomials. The setup algorithm will then select a codeword support x, a message support y, and two special evaluation codes C and $C^{\prime }$ in such a way that $C^{\mu }\subseteq C^{\prime }$, and the length of codewords is at least L. The choice of appropriate codes and parameters will vary depending on the coding scheme. Keygen will generate a set, I, of size T and a subset of $\left[n\right]$, where $\left[n\right]$ is the set $\{1,2\cdots n\}$. T depends on the above parameter and the deployed code. I represents the good locations for the generated encryptions and serves as the secret key of the scheme. The final output will be the secret key $k=(x,y,I)$.
• Encryption (m,k)
  The inputs are a plaintext message $m\in \mathbb{F}$, and a secret key $k=(x,y,I)$. Encrypt first chooses a random encoding $w\in C$ of m, using the Encode algorithm and the knowledge of the supports x and y. Then, it samples a uniformly random error vector $e\in {\mathbb{F}}^n$, such that $supp\left(e\right)\subseteq \left[n\right]I$ and computes $c=w+e$. Finally, the ciphertext is defined as the pair $(c,1)$ where the first entry is an erroneous codeword in $C\left(I\right)$ that encodes the plaintext m while the second entry, the integer, is a counter to keep track of the number of multiplications.
• Decryption ($(c,\gamma ),k$)
  Decrypt gets as input the secret key $k=(x,y,I)$ and a pair $(c,\gamma )$ with $c\in C\left(I\right)$ and $\gamma \le \mu$. It outputs $m=Decode(c,I)$ where Decode is used with respect to x and y.
• Add ($(c_1,{\gamma }_1),(c_2,{\gamma }_2)$), outputs $(c_1+c_2,\max ({\gamma }_1,{\gamma }_2))$.
• Mult ($(c_1,{\gamma }_1),(c_2,{\gamma }_2)$), outputs $(c_1·c_2,{\gamma }_1+{\gamma }_2)$.

Next, we will discuss Algebraic Geometry (AG) codes and types in detail for the applications of this scheme. We will also compare the variations of the codes to be used in this scheme.

Comparison and Security Implications from an AG Code Perspective

AG codes are codes constructed from algebraic curves over finite fields, providing a flexible framework for designing codes with various parameters and properties. From the perspective of AG codes, we can compare Reed-Muller (RM) codes, Reed-Solomon (RS) codes, and Goppa codes as follows:

Reed-Muller Codes: RM codes can be regarded as a special case of AG codes, specifically constructed from the projective line. They have a relatively simple structure, making them easier to analyze.

Reed-Solomon Codes: RS codes are also a special case of AG codes, but they are constructed from the projective line in a different manner. They exhibit a more complex structure compared to RM codes and offer enhanced error-correcting capabilities.

Goppa Codes: Goppa codes are more general than both RM and RS codes, as they can be constructed from a wider array of algebraic curves. This flexibility allows for the design of codes with improved security properties and higher error-correcting capabilities.

Goppa codes are generally considered to be more secure than RM and RS codes due to their less understood structure, along with the ability to choose parameters that enhance resistance to known attacks. However, it is essential to note that the security of any code-based cryptosystem relies on the specific choice of parameters and the use of appropriate decoding algorithms. A comparison of RM, RS and Goppa Codes can be found in

Table 8. Comparison of the three different Alegbraic Geometry Codes detailed above.

—	Reed-Muller (RM) Codes	Reed-Solomon (RS) Codes	Goppa Codes
Definition	Linear code defined by parity check matrix of monomials	Linear code defined by parity check matrix of polynomials	Linear code defined by a Goppa polynomial and a set of elements
Encoding	Multiplication by generator matrix	Multiplication by generator matrix	Multiplication by generator matrix
Decoding	Majority-logic decoding, Berlekamp’s algorithm	Berlekamp-Massey decoding, Euclidean algorithm	Sudan-Guruswami algorithm, McEliece cryptosystem
Efficiency	Generally less efficient than RS and Goppa codes	Efficient encoding and decoding	Efficient decoding for certain parameters
Security	Less secure than Goppa codes due to well-understood structure	Moderate security	Generally considered more secure than RM and RS codes
Key Size	Larger than RS codes for the same level of security	Smaller than RM and Goppa codes	Can be larger than RS codes depending on parameters

.

5.3. Rank Metric Based Homomorphic Encryption

The rank-metric-based homomorphic encryption scheme, introduced by Aguilar et al. [26], marks a significant advancement in the field of homomorphic encryption. The authors initially developed an additively homomorphic encryption (AHE) scheme and later extended it to support multiplicative homomorphism. By incorporating bootstrapping techniques and various optimizations, they transformed the scheme into a somewhat homomorphic encryption (SWHE) system capable of performing both addition and multiplication on encrypted data.

The AHE scheme is parameterized by the following values:

• q: The cardinality of the base field.
• m: The dimension of the field extension.
• n: The length of the vectors.
• w: The rank weight of the error, where $w<m$.

Key Generation (KeyGenAHE)

The key generation algorithm proceeds as follows:

• Sample $f=(f_1,\dots ,f_w)\stackrel{\$}{\leftarrow }{S}_w\left({\mathbb{F}}_{q^m}\right)$, where $S_w\left({\mathbb{F}}_{q^m}\right)$ denotes the set of w-dimensional subspaces over ${\mathbb{F}}_{q^m}$.
• Extend f into a basis $b=(f_1,\dots ,f_w,g_1,\dots ,g_{m-w})\in S_m\left({\mathbb{F}}_{q^m}\right)$.
• Define $g=(g_1,\dots ,g_{m-w})$.
• Compute the matrix $B=\mathrm{Mat}\left(b\right)$, by extending each element of b from ${\mathbb{F}}_{q^m}$ to ${\mathbb{F}}_q$.
• Define D as the last $m-w$ columns of ${\left(B^{-1}\right)}^T$.
• Sample $s\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^n$ with $F=\mathrm{supp}\left(f\right)$.
• Return the secret key $sk=(f,g,D,s)$.

Encryption (EncryptAHE)

The encryption algorithm is defined as follows:

• Sample $r=(r_1,R_2)\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n\times M_{w,n}\left({\mathbb{F}}_q\right)$, where $M_{w,n}\left({\mathbb{F}}_q\right)$ denotes the set of $w\times n$ matrices over ${\mathbb{F}}_q$.
• Compute $u=r_1$ and $e=f{R}_2$.
• Compute $v=s·u+e+\widehat{m}$, where $\widehat{m}=g\left(1\right)\ast m\in {\mathbb{F}}_{q^m}^n$, and $g\left(1\right)$ is the first row of g.
• Return the ciphertext $ct=(u,v)$.

Decryption (DecryptAHE)

The decryption algorithm proceeds as follows:

• Compute $d^T\mathrm{Mat}(v-s·u)$, where $d=D\left(1\right)$.

The EncryptAHE and DecryptAHE algorithms are deterministic functions, meaning their outputs are solely determined by their inputs. The randomness in the encryption process is incorporated within the EncryptAHE function itself, ensuring that the function remains deterministic given the input message and the randomly sampled values. This property is crucial for the correctness and security of the AHE scheme.

In the EncryptAHE algorithm, the error term e is sampled as $e=f{R}_2$, where $R_2$ is randomly sampled from the matrix space $M_{w,n}\left({\mathbb{F}}_q\right)$. This is mathematically equivalent to directly sampling e from the vector space ${\mathbb{F}}_q^n$. Additionally, the term $\widehat{m}$, derived from the message m using the basis vector $g\left(1\right)$, is restricted to the subspace ${\langle g\left(1\right)\rangle }_{{\mathbb{F}}_q}^n$. This restriction plays a crucial role in ensuring the correctness and security of the AHE scheme.

To extend the AHE scheme to support multiplicative homomorphism, the following algorithms are introduced:

Given two ciphertexts $ct=(u,v)$ and $c{t}^{\prime }=(u^{\prime },v^{\prime })$, the multiplication algorithm computes:

$$\mathrm{Mul}(ct,c{t}^{\prime })=(v·v^{\prime },-(u·v^{\prime }+u^{\prime }·v),u·u^{\prime })\in {\mathbb{F}}_{q^m}^n\times {\mathbb{F}}_{q^m}^n\times {\mathbb{F}}_{q^m}^n.$$

Given the secret key $sk=(f,g,D,s)$ and the resulting ciphertext $(a,b,c)$ from the multiplication operation, the decryption algorithm computes:

$$\mathrm{DecryptMul}(sk,(a,b,c))=d^T\mathrm{Mat}(a+s·b+s·s·c),$$

where $d=D\left(2\right)$, the second column of D.

Key switching is a technique used to change the encryption key while preserving the ciphertext. This is essential for refreshing the key to improve security or to enable more efficient operations.

The key generation algorithm for key switching proceeds as follows:

• Generate a new basis $b_2$ of ${\mathbb{F}}_{q^m}$ and a new secret key $s{k}_2=(f_2,g_2,D_2,s_2)$ as in KeyGenSHE.
• For $1\le i\le m$, define $s_{1,i}=d^T\mathrm{Mat}({\gamma }_i\ast s_1)$, where $d=D\left(1\right)$, the first column of D.
• Define $ksk=(ks{k}_1,\dots ,ks{k}_m)$, where $ks{k}_i\stackrel{\$}{\leftarrow }\mathrm{EncryptSHE}(s{k}_2,s_{1,i})$.
• For $1\le i\le m$, define $p_i=d\left(i\right)\ast (1,0,\dots ,0)\in {\mathbb{F}}_{q^m}^n$, where $d\left(i\right)$ is the $i^{th}$ column of D.
• Define $projk=(proj{k}_1,\dots ,proj{k}_m)$, where $proj{k}_i\stackrel{\$}{\leftarrow }\mathrm{EncryptSHE}(s{k}_2,p_i)$.
• Return $(s{k}_2,ksk,projk)$.

The homomorphic decryption algorithm with key switching proceeds as follows:

• Define $u_i\in {\mathbb{F}}_q^n$ such that $u={\sum }_{i=1}^m{\gamma }_i\ast u_i$.
• Define $v_i\in {\mathbb{F}}_q^n$ such that $v={\sum }_{i=1}^m{\gamma }_i\ast v_i$.
• Compute $c{t}_1={\sum }_{i=1}^m{v}_i·proj{k}_i$.
• Compute $c{t}_2={\sum }_{i=1}^m{u}_i·ks{k}_i$.
• Return $c{t}_1-c{t}_2$.

The rank-metric-based homomorphic encryption scheme extends the capabilities of additively homomorphic encryption to support multiplicative homomorphism through the introduction of multiplication and key-switching algorithms. These enhancements enable the scheme to perform basic computations on encrypted data, making it suitable for applications requiring privacy-preserving computations. The deterministic nature of the encryption and decryption processes, combined with careful error sampling and message encoding, ensures the correctness and security of the scheme. Key switching further enhances the flexibility and security of the system, allowing for efficient key management and homomorphic operations.

5.4. Comparison of Code-Based HE with Lattice-Based HE

As illustrated in

Table 9. Efficiency Comparison of code-based vs lattice-based Homomorphic encryption.

Metric	Code-Based HE	Lattice-Based HE
Key Sizes	Large (e.g., McEliece keys: ≈1 MB–1 GB due to matrix-based structures). Recent code-based FHE schemes still struggle with key size reduction.	Smaller (e.g., Ring-LWE keys: ≈1–10 KB). Optimizations like NTT (Number Theoretic Transform) enable compact representations.
Computation Speed	Matrix/vector operations are parallelizable but computationally heavy. Simpler arithmetic (e.g., XOR-based operations in some schemes).	Faster due to polynomial ring optimizations (e.g., NTT accelerates multiplication in CKKS/BGV [30]).
Ciphertext Expansion	High (e.g., ciphertexts are large matrices or vectors).	Moderate (e.g., CKKS ciphertexts expand  8x plaintext size).

, code-based HE schemes typically suffer from significantly larger key sizes—often in the order of megabytes or even gigabytes—due to their reliance on matrix-based structures such as those in the McEliece cryptosystem. While their operations (often based on simple XOR and matrix-vector multiplications) can be parallelized, the computational overhead remains high. In contrast, lattice-based HE schemes, particularly those built on Ring-LWE, benefit from optimizations like the Number Theoretic Transform (NTT) that allow for much more compact key representations (usually in the range of 1–10 KB) and faster arithmetic operations. Ciphertext expansion in code-based schemes tends to be high. In contrast, lattice-based schemes offer more moderate expansion—for example, schemes like CKKS typically expand ciphertexts by about $8\times$ relative to the plaintext.

Noise management is a critical aspect of HE schemes.

Table 10. Noise Management Comparison of code-based vs lattice-based homomorphic encryption.

Aspect	Code-Based HE	Lattice-Based HE
Noise Growth	Inherits error-correction properties: errors are intentionally added but bounded by code distance. Noise grows linearly in some additive schemes (e.g., [60]).	Noise grows polynomially with multiplicative operations. Requires frequent management (e.g., modulus switching).
Bootstrapping	Limited progress, with high overhead.	Mature techniques (e.g., Gentry’s bootstrapping in BGV [25]). Optimized via sparse embeddings or hybrid key-switching.
Error Correction	Built-in error correction can mitigate noise.	Relies on probabilistic decryption; no inherent error correction.

summarizes that code-based HE inherits inherent error correction from the underlying codes (such as Goppa codes), which helps to keep noise growth bounded in additive settings. However, noise growth in these schemes is generally linear, as seen in some additive constructions [60]. In lattice-based HE, the noise grows polynomially with each multiplicative operation, necessitating frequent noise management strategies modulus switching and bootstrapping. Mature bootstrapping techniques, as pioneered by Gentry and further optimized in schemes such as BGV [25], mitigate the effects of noise accumulation, albeit at an additional computational cost.

The security foundations of code-based HE rest on NP-hard problems like the Syndrome Decoding Problem (SDP) and the Linear Code Distinguishing Problem. These problems have withstood quantum attacks, as there is no known quantum speedup for solving them. However, the large key sizes and relatively immature FHE implementations have limited their widespread adoption (

Table 11. Security Assumptions and Trade-offs between code-based vs lattice-based homomorphic encryption.

Criterion	Code-Based HE	Lattice-Based HE
Core Hard Problems	Syndrome Decoding Problem (SDP), Linear Code Distinguishing Problem (NP-hard).	Learning With Errors (LWE), Ring-LWE (reductions to worst-case lattice problems).
Quantum Resistance	SDP has no known quantum speedup; robust against Shor’s/Grover’s algorithms.	LWE/Ring-LWE are quantum-resistant but rely on newer assumptions.
Standardization	Limited adoption (e.g., Classic McEliece is a NIST PQC finalist but not HE-focused).	Dominates NIST PQC standards (e.g., Kyber, Dilithium). HE schemes (CKKS/BGV) are industry-tested.
Attack Surface	Structural attacks (e.g., weak code choice) and ISD attacks (exponential time).	Side-channel attacks, decryption failures, and novel lattice reductions (e.g., BKZ).

). On the other hand, Lattice-based HE relies on newer assumptions such as Learning With Errors (LWE) and its ring variant (RLWE), which provide strong security guarantees via worst-case hardness reductions. While these schemes have been integrated into many NIST-backed PQC standards and benefit from extensive industrial testing, their security also depends on emerging lattice reduction techniques and careful management of side-channel vulnerabilities.

Table 12. Summary of Trade-offs between code-based vs lattice-based homomorphic encryption.

Category	Code-Based HE	Lattice-Based HE
Strengths	- Provable NP-hard security. - Built-in error correction. - Simpler operations.	- Efficient bootstrapping. - Optimized libraries (e.g., Microsoft SEAL). - NIST-backed.
Weaknesses	- Large keys/ciphertexts. - Immature FHE implementations.	- Complex noise management. - Relies on newer security assumptions.

provides a concise summary of the strengths and weaknesses of both approaches. Code-based HE offers provable NP-hard security and built-in error correction along with simpler operational models. However, these advantages are offset by practical challenges such as large key and ciphertext sizes and less mature implementations. Lattice-based HE schemes, conversely, enjoy efficient bootstrapping, a host of optimized libraries (e.g., Microsoft SEAL), and robust backing from NIST initiatives. Their primary challenges lie in complex noise management and the reliance on relatively newer security assumptions that continue to be scrutinized by the research community.

The security of homomorphic encryption (HE) schemes, especially those based on lattice and code structures, is an area of ongoing research and evaluation. Lattice-based HE schemes, such as those relying on the Learning With Errors (LWE) problem, have played a crucial role in the development of fully homomorphic encryption systems. However, recent advancements in quantum algorithms have raised concerns about their long-term security. A recent study [12] proposed a polynomial-time quantum algorithm for solving the LWE problem under certain polynomial modulus-noise ratios; if this finding is correct, it could undermine the security assumptions of lattice-based HE schemes. Although a flaw was identified in this algorithm, the search for quantum solutions highlights potential vulnerabilities in lattice-based cryptosystems. On the other hand, code-based HE schemes, while less common, provide alternative security bases rooted in different hard problems, such as the Ideal Rank Syndrome Decoding (IRSD) problem. The security of these schemes is often associated with the difficulty of decoding random linear codes, a challenge that remains difficult even for quantum computers. A code-based somewhat homomorphic encryption scheme [26] has demonstrated security based on the IRSD problem, indicating resilience against certain quantum attacks.

5.5. Challenges in Code-Based HE

Code-based homomorphic encryption faces several technical challenges that must be addressed to fully harness its potential. Key issues include improving computational efficiency, reducing the overheads associated with large key and ciphertext sizes, and managing noise accumulation. While the inherent error-correcting properties of certain code families provide an advantage in controlling noise, significant work is still needed to refine these schemes for practical, high-performance deployment.

Brakerski [64] demonstrated that LPN (Learning Parity with Noise)-based schemes face fundamental limitations when adapted for homomorphic encryption, primarily due to their linear algebraic structure. These limitations directly parallel challenges in code-based HE. LPN-based HE relies on linear operations over finite fields (e.g., XORs). Braverski shows that repeated homomorphic operations expose linear relationships between ciphertexts, enabling adversaries to recover secret keys via linear algebra attacks. Braverski highlights that enforcing homomorphism in LPN requires relaxing noise distributions or code parameters, inadvertently reducing security margins. Code-based HE (McEliece variants) also depends on linear codes, where ciphertexts are generated via matrix-vector multiplications. Homomorphic operations (e.g., additions) preserve this linearity, creating similar attack surfaces. An adversary could exploit homomorphic additions to derive the structure of the generator matrix, weakening code secrecy [60]. So to enforce Homomorphic Encryption, a novel framework has to be constructed, which does not rely on algebraic structure.

6. Conclusions and Future Work

Code-based homomorphic encryption offers promise in the realm of post-quantum cryptography. Its strong security foundation is based on NP-hard problems, such as the syndrome decoding problem, and includes built-in error-correction capabilities, which provide robust protection against both classical and quantum threats. Although there are current challenges related to efficiency and noise management, ongoing research and efforts toward standardization are enhancing its practical implementation. As the cryptographic community continues to explore and improve these schemes, code-based homomorphic encryption is set to play a crucial role in securing sensitive computations in a future where quantum computing becomes a reality.

Research Opportunities

Code-based cryptography offers a promising avenue for post-quantum HE, but several challenges remain before it can be considered a practical standard. Addressing the efficiency of bootstrapping, key size reduction, error management, and security proofs are critical areas of future research. Advancements in these domains will be essential to establish code-based HE as a viable alternative to lattice-based schemes in the post-quantum era. Below we have provided these research opportunities in the order of priority.

• Limited Fully Homomorphic Encryption (FHE) Constructions
  Most research on post-quantum HE focuses on lattice-based schemes, leaving code-based HE relatively underdeveloped. The main challenge with the latter lies in designing efficient bootstrapping techniques for fully homomorphic encryption (FHE) based on coding theory. Existing proposals, such as those built on the McEliece cryptosystem, do not inherently support homomorphic operations efficiently. Developing bootstrapping methods that enable arbitrary-depth computation while maintaining practical key sizes and computational efficiency remains an open problem [59,65].
• Key Size and Efficiency Constraints
  One of the primary barriers to widespread adoption of code-based cryptographic schemes, including HE, is the relatively large key sizes. Traditional code-based encryption, such as the McEliece and Niederreiter cryptosystems, requires public keys that can be several megabytes in size. While variants using Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes and Rank-Metric codes have been proposed to mitigate this issue, further research is needed to develop compression techniques and structured code families that reduce key sizes without compromising security [26,59].
  An alternative approach to tackling this problem can be found in the algebraic structure of the Torus. Chilloti et al. [66] constructed a third-generation homomorphic encryption scheme on a Torus that proved to be efficient in encrypting the data homomorphically and demonstrated scalablity in operations through modular arithmetic. If the computations on a code-based cryptosystem can be translated from a Field to a Torus, we have an opportunity to achieve efficiency along with the code-based guarantees of security against chosen plaintext attacks and ciphertext-only attacks.
• Efficient Error-Correction Mechanisms for HE Operations
  Homomorphic operations in code-based cryptography require mechanisms for handling accumulated noise, similar to error growth in lattice-based schemes. However, unlike LWE-based HE, where noise growth is well-studied, error propagation in code-based HE remains an open area. Designing efficient error-correction techniques that maintain the correctness of homomorphic computations while minimizing decryption failures is a crucial research direction [65]
• Security Assumptions and Standardization
  While code-based cryptosystems have withstood decades of cryptanalysis, their homomorphic counterparts lack comprehensive security analyses. The hardness of decoding random linear codes remains a strong assumption, but ensuring that code-based HE schemes are resilient against quantum attacks requires further investigation. Standardizing security reductions and proofs for homomorphic operations is essential for integrating code-based HE into post-quantum cryptographic standards [26].
• Integration with Secure Computation and Applications
  HE is often used in conjunction with other cryptographic protocols, such as secure multi-party computation (MPC) and zero-knowledge proofs (ZKP). Research into how code-based HE can efficiently integrate with these techniques is still in its early stages. Potential applications include privacy-preserving blockchain technologies, federated learning, and secure genomic data processing.