A survey on implementations of homomorphic encryption schemes

With the increased need for data confidentiality in various applications of our daily life, homomorphic encryption (HE) has emerged as a promising cryptographic topic. HE enables to perform computations directly on encrypted data (ciphertexts) without decryption in advance. Since the results of calculations remain encrypted and can only be decrypted by the data owner, confidentiality is guaranteed and any third party can operate on ciphertexts without access to decrypted data (plaintexts). Applying a homomorphic cryptosystem in a real-world application depends on its resource efficiency. Several works compared different HE schemes and gave the stakes of this research field. However, the existing works either do not deal with recently proposed HE schemes (such as CKKS) or focus only on one type of HE. In this paper, we conduct an extensive comparison and evaluation of homomorphic cryptosystems’ performance based on their experimental results. The study covers all three families of HE, including several notable schemes such as BFV, BGV, FHEW, TFHE, CKKS, RSA, El-Gamal, and Paillier, as well as their implementation specification in widely used HE libraries, namely Microsoft SEAL, PALISADE, and HElib. In addition, we also discuss the resilience of HE schemes to different kind of attacks such as indistinguishability under chosen plaintext attack and integer factorization attacks on classical and quantum computers.


Introduction
For a long time, information security has always been a controversial topic due to its importance in technology particularly and in society generally. When implementing a technological tool or service, the first and foremost concern of researchers is about the applicable security that it can provide.
By the unavoidable data growth in nearly all organizations, the demand for data storage and computation has been increasing significantly over the past few decades. A traditional infrastructure for data management, such as in-house or local services, can only offer a limited storage and access controls. In the Internet-based world, this method is no longer applicable since a huge amount of sensitive data is produced every second from business transactions. One potential solution for this problem is to seek a third-party expert, i.e., cloud computing providers, outside of the company to place its trust. However, to put this paradigm into practice, we need to deal with one of its biggest challenges: data confidentiality.
In this situation, cryptography has come to the forefront to provide both data confidentiality and data operations for this outsourcing problem. As the foundation of modern security systems, cryptography helps to ease the concern of data leakage to an untrusted third party or server side. Data must now be encrypted by the user before being sent to the server. Later, after retrieving the encrypted result from the server, only the user can decrypt it using his secret key and get its value. Although this technique would preserve the data privacy, the encrypted data are not meaningful to the server, so it is not able to maintain its computation efficiency. That was why for that moment, a new cryptographic topic, called homomorphic encryption, got a major attention when it allows to perform certain computable functions on the encrypted data while keeping the characteristics of the function and format of the ciphertexts. In [1], A. Acar et al. present this process on Fig. 1, where C is a client and S is a server. Following this survey, in terms of the number of allowed operations on encrypted data, HE can be classified into three types: (1) partially homomorphic encryption (PHE) allows only one type of operation to be performed an unlimited number of times; (2) somewhat homomorphic encryption (SWHE) allows some types of operations with a limited number of times; (3) fully homomorphic encryption (FHE) allows an unlimited number of operations for an unlimited number of times. Figure 2 presents the most known HE-based systems and their timeline, while their application scenarios are demonstrated in Table 1. Fig. 1 A simple client-server HE scenario [1] So far, there are many HE schemes that have been introduced. Within the scope of the paper, we concentrate on the ones which are the most widely used in cryptography applications and serve as the basis for other schemes. Being proposed in 1978, RSA is one of the first public key encryption methods for securing communication on the Internet, inspired by Diffie-Hellman's research ( [2], 1976). Little while later, El-Gamal ( [3], 1985) and Paillier cryptosystems ( [4], 1999) were introduced, respectively, marking an important milestone for PHE. The calculation on ciphertexts remained limited until C. Gentry presented the first FHE scheme ( [5], 2009), using bootstrapping technique. Technically, the bootstrapping method is an intermediate procedure to refresh a ciphertext with large error to be a new one with smaller error, so that it allows more computations. This is also how the SWHE scheme is converted into a fully homomorphic one. Three years later, based on the Gentry's work, two main FHE schemes to perform exact computations over finite fields and integers were born: Brakerski-Gentry-Vaikuntanathan (BGV) [6] and Brakerski/Fan-Vercauteren (BFV) [7]. The latest newcomer to join SWHE is CKKS ( [8], 2016), which allows to perform computations over approximated numbers. CKKS is an essential element of the HE family, where it complements previous schemes by natively dealing with real and complex numbers.   [15] Banking and credit card transaction (Parmar et al., [16]) ElGamal, 1985 [3] In Hybrid Systems (Parmar et al., [16]) Paillier, 1999 [4] E-Voting (Parmar et al., [16]) BGN, 2005 [17] A Novel IoT Data Protection Scheme Based on BGN Cryptosystem (S. Halder et al., [18]) BGV, 2011 [6] For the security of integer polynomials (Parmar et al., [16]) BFV, 2012 [7] A fast oblivious linear evaluation (OLE) protocol (Leo de Castro [19]) CKKS, 2016 [8] Homomorphic Machine Learning Big Data Pipeline for the Financial Services Sector (Masters et al., [20]) FHEW, 2014 [9] TFHE: Fast Fully Homomorphic Encryption over the Torus (Chillotti et al., [10]) TFHE, 2020 [10] An homomorphic LWE based E-voting Scheme (Chillotti et al., [21])

3
A survey on implementations of homomorphic encryption schemes Although FHE schemes are efficient and secure, they are not very practical in real-life contexts since Gentry's bootstrapping procedure requires heavy computations to refresh noisy ciphertexts and keep computing on encrypted data. In 2014, Ducas and Micciancio [9] introduced a new method to homomorphically compute simple bit operations, and refresh (bootstrap) the resulting output, called "fastest homomorphic encryption in the west" (FHEW). According to the authors, FHEW can improve the time required to bootstrap the ciphertext, which is homomorphic evaluation of a NAND gate "in less than a second". In 2020, an improvement of FHEW was initially proposed by I. Chillotti et al. [10], which described a fast fully homomorphic encryption scheme over the torus (TFHE) and revisited FHE based on GSW ( [11], 2013). Following Ducas et al. [12], the most important difference between TFHE and FHEW is that TFHE uses (an optimized version of) the FHEW accumulators to implement a ring variant of the bootstrapping procedure described in [13], rather than [14]. Thanks to this difference and other optimizations, the bootstrapping runtime is reduced to less than 0.1 s. All of these improvements marked a milestone in the FHE implementation, as well as contributed greatly to bridging the gap between FHE security and its efficiency in practice.
The rest of the paper is structured as follows. Section 2 reviews some of the related works in the similar field, regarding the performance evaluation of different HE schemes. The most important properties of HE schemes and their libraries are discussed in Sect. 3. Then, Sects. 4 and 5, respectively, elaborate the implementation method and results of evaluation analysis. In Sect. 6, a discussion on the security of HE under notable security notions and Shor's quantum algorithm is given. Finally, Sect. 7 presents conclusions and indicates directions of future work.

Related work
As previously mentioned, one of the related works is a survey conducted by A. Acar et al. in 2018 [1] that covers important PHE, SWHE, and all the major FHE schemes. Similarly, the survey of P. Martins et al. (2017) [22] presents fundamental concepts of FHE schemes and their performance, mainly from an engineering perspective, refraining from introducing complex mathematical definitions. These works, however, do not mention CKKS encryption [8], an usefully practical HE proposed recently in 2016 for computing real and complex input numbers. Lately, a study of Kim et al. [23], published in 2021, implements their improved variants of BFV and BGV in PALISADE and evaluates their experimental performance for several benchmark computations. From a same point of view, Lepoint and Naehrig in [24] offer theoretical and practical comparisons of different HE schemes, as well as explain how to choose parameters to ensure algorithms' correctness and security. Even so, the papers delve deeply into the mathematics, making them more suitable for expert readers and mathematicians. In contrast, the survey conducted by Alaya et al. [25] makes a easy-to-understand comparison of advantages and limitations of different HE algorithms. Unfortunately, it only presents the theoretical information of the schemes, while implementation aspects have not been brought up. Most recently, Sidorov et al. [26] published a paper on performance analysis of HE in 1 3 several libraries, but the paper does not specify which homomorphic schemes were used in each library, either the input parameters. In opposition to [26], Migliore et al. [27] proposes a study of the current best solutions for setting up parameters of HE schemes, but only approaches of SWHE schemes.
Considering the related works in the field and their scopes summarized in Table 2, it is obvious that among existing HE surveys, they either do not study newborn schemes (such as CKKS, FHEW, TFHE) or do not cover all three HE families. As a result, there is still a need in this field for a comprehensively up-to-date survey that provides key concepts of the main encryption schemes in all three HE categories, together with their experimental performance comparisons. The survey needs to be practical and show newly interested users how to build their own HE-based projects in popular HE libraries.
Our contribution: Our work aims to provide readers with fundamental principles of HE schemes without delving too deep into the mathematics. Furthermore, the paper conducts a comprehensively theoretical and practical comparison of important HE schemes, covering all three HE categories: FHE, SWHE, and PHE. For different HE schemes in each family, we analyze their input parameters, together with their constraints, and then compare them together. This hands-on experience helps unprofessional practitioners distinguish libraries' properties and makes them easy to apply in building their own HE-based projects. In addition, we provide experimental results on performance evaluation of each HE scheme in most-used libraries such as SEAL [28], PALISADE [29], HELib [30], and HEAAN [31]. Although PHE schemes are now not available in mentioned open-source libraries, our own implementations of Paillier, El-Gamal, and RSA are used as partially homomorphic cryptosystems in the experimental study. For each execution case, we also come up with assessments and results' explanations. Furthermore, in the last part, we deliver a concrete discussion on the security of aforementioned schemes against IND-CPA (indistinguishability under chosen plaintext attack), IND-CCA (indistinguishability under chosen ciphertext attack), as well as integer factorization attacks on classical and quantum computers.

Libraries
HElib (Homomorphic-Encryption Library) [30] is the first open-source library implementing HE. Being published in 2013, it focuses on effective use of BGV and CKKS schemes, together with ciphertext packing techniques and the Gentry-Halevi-Smart optimizations. HElib is still under development by Shai Halevi (IBM), Victor Shoup (NYU, IBM) and available on github [35]. In 2018, the authors implemented several algorithmic improvements, including faster homomorphic linear transformations [36], that made HElib 30-75 times faster than those previously built for typical parameters.

3
A survey on implementations of homomorphic encryption schemes  [29] is an open-source C++ project that provides efficient implementations of lattice cryptography building blocks. The library supports varied HE schemes, such as: BGV, BFV, CKKS, FHEW, and TFHE. In addition, it also supports multi-party extensions of certain schemes and related cryptography primitives, namely digital signature schemes, proxy re-encryption, and program obfuscation. PALISADE can be found on github [37]. According to the newest PALISADE's announcement, the PALISADE community has merged the PALISADE project into the next-gen OpenFHE open-source FHE software library. OpenFHE ( [38], 2022) has all of the features of PALISADE, merged with selected capabilities of HElib and HEAAN.
SEAL (Simple Encrypted Arithmetic Library) [28] is another HE library, developed by the Cryptography and Privacy Research Group at Microsoft. According to his author, Kim Laine, the first version of SEAL was released in 2015 with the specific goal of providing a well-engineered and documented HE library. SEAL was designed to use both by experts and by non-experts with little or no cryptographic background. The updated version of Microsoft SEAL, which is available on github [39], has implemented various forms of HE schemes, including BGV, BFV, and CKKS. Besides, there is a SEAL version in Python, called SEAL-Python [40]. This is a Python wrapper implementation of the SEAL library, using pybind11 [41].
To have an extensive comparison for CKKS encryption, apart from these three mentioned libraries, we also measure its running time in HEAAN library [31], developed in 2016 by its own authors. HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) is an open-source cross-platform software library which implements the approximate HE scheme proposed by Cheon, Kim, Kim, and Song (CKKS). HEAAN executes only CKKS schemes with its complete properties. Following its owners, the library allows additions and multiplications to be performed by fixed point arithmetics and approximate operations between rational numbers. Table 3 illustrates the distribution of several encryption schemes in each library.
To study the advantages and drawbacks of aforementioned libraries, we define a set of criteria. The first criterion is whether the library is open source. It is important for the transparency reason and could be a drawback for not opensource libraries. Ease of use criterion of the library means that it is easy to integrate with existing systems and have clear documentation and examples. The library should also have a well-designed API and be easy to use for developers.
The compatibility criterion explains the dependence of the library for a specific platform and/or hardware. For example, if the system is based on a particular operating system or hardware platform, the library should be compatible with that platform. The reliability criterion indicates that the library implementation is stable with minimal bugs. Based on these criteria, Table 4 presents the comparison study while the more + sign means that the library meets more of the criterion. All four libraries are open source and freely available under permissive licenses. This means that they can be used, modified, and distributed by developers without restriction. For ease of use purpose, the four libraries offer abstractions of the details of the HE schemes. HElib is known for its ease of use because it is currently well documented. HElib and PALISADE are primarily designed for x86-based CPUs compatibility, while SEAL and HEAAN can be used on a wider range of platforms, including ARM-based CPUs. For reliability, the four discussed libraries are reliable and well tested. However, HElib and SEAL are more mature and have been used in production systems for several years, while PALISADE and HEAAN are newer and still be undergoing active development. For the compatibility feature, Microsoft SEAL has been built on various platforms (Windows, Linux, macOS/iOS, Android, and FreeBSD), while HEAAN is checked working well on Ubuntu. In addition, PALISADE and HElib are adaptable with Linux, MacOS, and Windows. The previous versions of HElib have also included Fedora, CentOS, and macOS Mojave. Although all four libraries are compatible with various operating systems, they differ in their performance. The performance of implemented HE schemes in these libraries is discussed in Sect. 5.

Homomorphic encryption schemes
In this part, we explain basic properties of HE, followed by a brief description of some notable PHE, SWHE, and FHE schemes. An HE scheme is based on five main homomorphic operations: key generation (KeyGen), encryption (Enc), decryption (Dec), homomorphic addition (Add), and homomorphic multiplication (Mult).
The fundamentals of homomorphic cryptography is presented in [1]. An encryption scheme is called homomorphic over an operation " ⋆ " (e.g., Add, Mult) if it supports the following equation (high-level concept): where E is the encryption algorithm and M is the set of all possible messages.

RSA
This HE was first introduced by Rivest et al. [15]. The security of the cryptosystem relies on the practical hardness of factoring the product of two large prime numbers [42], called the factoring problem. Given a security parameter , RSA is defined as follows:

El-Gamal
The encryption system is a widely used HE in public key cryptography, proposed by T. ElGamal in 1985 [3]. The advent of El-Gamal algorithm is based on the Diffie-Hellman key exchange, while its security strength is relied on the hardness of solving discrete logarithms.
-KeyGen( ): Firstly a cyclic group G of order N and its generator g ∈ ℤ * N are generated. After randomly drawing an integer x from {1, … , N − 1} , h = g x is computed. The public key pk consists of (G, N, g, h), while sk = x is kept secret.

Paillier
The encryption of Paillier (1999) [4] is an additively homomorphic cryptosystem, which is based on the composite residuosity problem and gathers many good properties.

BFV
In 2012, J. Fan and F. Vercauteren [7] modified the scheme proposed by Brakerski [43] from the learning-with-errors (LWE) setting to the Ring-LWE setting. By using a simple modulus switching trick, BFV (so-called FV) provides a more efficient approach and also simplifies the analysis of the bootstrapping step. The security of BFV-type cryptosystems is based on the LWE over rings (or RLWE) assumption [44]. The RLWE( , q, ) assumption states that it is very hard to distinguish two distributions ( a, b = a ⋅ s + e ) and (a, u), where a, s, and u are randomly selected from R q and e is selected from an error distribution , referencing security parameter . This assumption has been proved hard over ideal lattices [45].
Let R = ℤ[x]∕f (x) be a ring of polynomials in which the operations of BFV will be performed, where f (x) = x N + 1 is a cyclotomic polynomial with N being a power of 2. The ring is used to define the RLWE problem with coefficients in ℤ q , denoted by R q = ℤ q [x]∕f (x) . Additionally, the message space is defined as R t for an integer t > 1.
where e ← and a ← R q . -Enc(pk, m ∈ R t ): Given a plain message m, let p 0 = pk[0] , p 1 = pk [1] , and draw u, e 1 , e 2 ← , the ciphertext is: -Mult(c 1 , c 2 ): By multiplying two ciphertexts c 1 (s) and c 2 (s) , the result is One encountered problem is that resulting ciphertext has size 3 (degree 2) and must be reduced to a size 2 (degree 1) [7]. This process is called relinearization. To start, a relinearization key rlk is generated by choosing an integer p and sampling a new a ← R pq and e ← � ( � ≠ )

BGV
BGV encryption was invented in 2011 by Brakerski, Gentry, and Vaikuntanathan [6]. BGV is a leveled FHE that works for both an LWE and an RLWE. A leveled FHE means that the parameters of the scheme depend (polynomially) on the maximum number of multiplications that can be executed (called level L). The hardness of the scheme is also based on RLWE problem [45]. To keep the ciphertext error within a given bound, they used the technique of modulus switching as introduced in [46]. This modulo reduction maps a ciphertext c defined in a ring R q , to a ring R q ′ while preserving correctness, where q ′ < q [47]. By combining the modulus switching method with the bootstrapping procedure after performing desired operations on the ciphertext, BGV scheme can be turned into FHE [48].
In original BGV, public key and switch keys are matrices. A detailed explanation of the scheme can be found in [49]. Given a security parameter , level L, and plaintext modulus p, the first step is to generate L large primes q 0 , … q L−1 satisfying q 0 < ⋯ < q L−1 .
-KeyGen( , , L ): A vector s is selected randomly as a sk.
and t i is an integer.
A survey on implementations of homomorphic encryption schemes -Enc(pk, m ∈ ℤ p ): A plaintext m can be encrypted by The addition of two ciphertexts of a same level c 1 = (c 10 , c 11 , i) and The relinearization procedure results a compressed ciphertext with degree 1: . The ciphertext c * will be mapped to c ∈ R q i−1 as the output by SwitchModulus method.
-SwitchModulus(c = (c 0 , c 1 , i) ): Supposing to have two modulus q i and q j where i > j , and a ciphertext c in ring R q i , we calculate modulo inverse element

CKKS
As mentioned in the previous section, CKKS, a HE for approximate arithmetic, was introduced in 2016 in [8]. What makes CKKS draw attention to many researchers is that it allows to perform approximate additions and multiplications of ciphertexts, where its plaintexts can be vectors of real and complex values. This has been done by encoding and decoding method, where the inputs are converted from C N∕2 × ℝ to R = ℤ[x]∕(x N + 1) and vice versa [8]. In this step, we need to use a rounding technique, which might destroy some significant numbers. Thus, if we had an initial vector of real or complex values z, roughly speaking it will be multiplied by a scale Δ > 0 during encoding and then divided by Δ during decoding to keep a precision of 1 Δ . Figure 3 describes all algorithms in CKKS scheme [50].
As well as many other HE schemes, the foundation of CKKS is also the RLWE problem. Similarly to previously presented schemes, in this part, we simply describe  [50] the five main algorithms of CKKS. To start, it begins with a integer p > 0 , number of multiplication L, and modulus q 0 . For 0 < l ≤ L , we define q l = p l q 0 .
• KeyGen( , q L ): First, a vector s is sampled from a set of signed binary vectors in {0, 1, −1} N whose Hamming weight is exactly an integer h. Next, a ← R q L , and e ← . We set the secret key sk Similarly to introduced HE scheme, the multiplication of CKKS also accompanies a relinearlization step. For One problem produced is that underlying value contained in the plaintext and ciphertext is Δ ⋅ z as mentioned above. So after multiplying two ciphertexts c 1 , c 2 , the result holds z 1 ⋅ z 2 ⋅ Δ 2 . By doing many multiplications, the resulting ciphertext will have grown exponentially. To reduce its size, Rescale RS l→l ′ is introduced with its goal being to actually keep the scale constant, and also reduce the noise present in the ciphertext. .

TFHE/FHEW
FHEW [9] and TFHE [10] have joined FHE family since 2014. Both of them are based on a variant of the GSW cryptosystem [11] to build a homomorphic accumulator (ACC ), which is needed for refreshing procedure. As per [51], there are two efficient bootstrapping methods to FHEW-like schemes using the GSW cryptosystem on the polynomial hardness of LWE, called AP and GINX. The former is proposed by Alperin-Sheriff and Peikert [14], which is the basis of the original FHEW scheme, and the GINX is introduced by Gama, Izabachene, Nguyen and Xie [13], adopted by TFHE. In particular, FHEW introduced a ring version of the GSW (based on the Ring-LWE problem) and applied AP method to efficiently implement an ACC , using a single (Ring) LWE ciphertext. Later on, TFHE improved FHEW by replacing integer arithmetic modulo q with real arithmetic over the unit interval [0,1) and use GINX bootstrapping procedure rather than AP for building the homomorphic ACC . This is also the main difference that makes the performance improvement of TFHE over FHEW substantial [12]. Like other FHE schemes, FHEW/TFHE's hardness is based on RLWE assumption. Using the similar mentioned notation, a ciphertext in FHEW/ TFHE cryptosystem encrypting a message m ∈ R t under the key s ∈ R n q is c = (a, b) = (a, a ⋅ s + e + m) , with a ← R n q and e ← chosen from a discrete Gaussian distribution. The decryption is done by computing b − a ⋅ s = e + m and evaluating an appropriate decoding function to correct the error e and recover the message m. One example of the decoding function is scaling m by a factor Δ = ⌊q∕t⌋ as BFV scheme, which is described in 3.2.4. Being inherited the properties of RLWE, TFHE/FHEW is also homomorphically additive and multiplicative. The development that makes TFHE/FHEW a breakthrough in FHE timeline is bootstrapping technique. In FHEW setting, given an LWE ciphertext (a, b) ) an encryption E(m) of the same message under a different encryption scheme E is computed by homomorphically evaluating the LWE decryption procedure on the encrypted key E(m) to yield: The encryption E is an intermediate scheme that allows to encrypt the secret key s Following FHEW authors, once this computation is done, it remains to homomorphically extract the most significant bit of b − a ⋅ s as an LWE ciphertext. In other words, the result of the computation is also an encryption E(m) of the message, but with smaller noise. D. Micciancio et al. [12] showed that the noise of the output ciphertext E(m) only depends on the noise of E(s), but not on the noise of the ciphertext (a, b).
To accelerate bootstraping procedure, the ACC described in [9] holds values from ℤ q and supports a quadruple of algorithms (E, Initialize, Update, Extract) together with moduli t, q, where E and Extract may require key material related to an LWE key s as follows: Rewrite ek = E(s) = (E(s 1 ), … , E(s n )) and a = (a 1 , … , a n ) , the bootstrapping procedure is presented in algorithm 1.
The aforementioned difference between AP and GINX can be clearly explained by the method how to implement the accumulator operations. Here, the former supports the basic update procedure ACC + ← E(s) for arbitrary s ∈ R q , whereas the latter supports basic updates ACC The detailed explanation of bootstrapping technique is complex and requires much mathematical background. As presented at the beginning, within the scope of our work, we aim to provide readers and newly interested users with fundamental principles of HE schemes without delving too deep into the mathematics. Thus, for expert readers and mathematicians, a complete description of the bootstrapping method can be found in their original papers in [9] and [10].

Experimental implementation
The main focus of our work is to compare the performance of each available scheme in different libraries. For this reason, in each library, we build our own "simple" project as a regular end-user. Each project is corresponding to one scheme, which includes five main homomorphic operations: KeyGen, Enc, Dec, Add, and Mult. The execution time needed to perform each operation will be recorded and then compared to each other. Every program collecting the performance metrics is carried out on an average commodity computer equipped with an Intel(R) Core(TM) i7-10700 CPU running at 2.90GHz under Ubuntu 20.04. In the results presented in the next section, Table 5 lists some useful notations.
To ensure the consistency in test results, every experiment is executed according to the strategy below: Depending on different HE schemes' properties, chosen plaintext will be differed. BFV and BGV schemes allow modular arithmetic on encrypted integers, while CKKS supports homomorphic operations on real or complex ones. Within the scope of the paper, plaintext batching technique is applied for all evaluated FHE and SWHE schemes. The main idea behind batching concept is to pack n plaintexts/ messages into one ciphertext for parallel processing. Here the first element of the batch is drawn randomly from a uniform distribution over the same range p, and the remaining elements are set to be 0. The diversity in input setting for each scheme will be explained with greater detail in Sect. 5.

BFV
Although BFV scheme is available in both SEAL and PALISADE as mentioned in Table 3, they also have their differences in the implementation, indicated in Table 6. PALISADE allows users to change the parameters p, N, L as inputs, whereas SEAL-Python keeps L unchangeable from the user side. To accelerate the batching technique, the two libraries require that the chosen plaintext modulus p needs to be a prime number and congruent to 1 (mod 2n) . This is the condition to operate on n packed integers in a SIMD (Single Instruction, Multiple Data) manner [28]. In order to assess the relative practical efficiency of two libraries for BFV encryption, different implementations are done with the same input parameters and working environment given in Table 7.  Unlike SEAL, PALISADE can calculate required N and Q based on chosen L and p to ensure a security level of 128 bits. In contrast, SEAL sets 128-bit encryption security level as default and allows users to enter N. SEAL then displays satisfied Q and p with the entered inputs. Table 7 contains many options for PALISADE's inputs with the same p and N in order to have 128-bit security. However, to have fair comparison between these two, the value of Q in PALISADE is chosen to be close to the one in SEAL. In Table 8, we provide timings for five main cryptographic functions, using the parameters recommended in Table 7.
After examining these tables, it is clear that the ciphertext dimension N has a significant effect on BFV's performance. In most cases, the running times of decryption and addition are less than the others. In general, when N increases, the execution times of all operations are increased, especially multiplication, which approximately grows up 4 times compared to the previous N in both two libraries. However, in particular, the mean multiplication execution time of SEAL is less than that of PALISADE. One explanation for this is that the latter always counts the relinearization procedure whenever doing multiplication (EvalMult function), while in the former, it is separately computed. Within the scope of our experiments, the decryption is executed only on a fresh ciphertext without doing multiplication before. Therefore, it is not necessary to do relinearization step. That is why the timing in SEAL does not involve relinearization. In Fig. 4, we depict experimental results in vertical comparison, where timings are illustrated based on each operation. It is obvious that the mean execution times of all cryptographic functions in two libraries are close to each other, but SEAL is still performing better. While the rest are almost similar, the biggest variance is displayed in multiplication time, where N = 32768 , and SEAL is approximately 2 times faster than PALISADE.

BGV
Unlike BFV, all three libraries SEAL, PALISADE, and HElib have implemented BGV. Generally, in doing the experiments, the encryption parameters of BGV, namely p, Q, N, and security level, are kept unchanged, compared to BFV. The number of slots in one batch is n = N = (m) , except for the last case of Helib where N = 32768 and n = 8192 as indicated in Table 9. This number is impacted by several parameters, including the maximum supported computation depth of the circuit (L) [30]. As L is varied to allow more computation, it also affects the cost of the computation. Additionally, in practical implementation, some technical definitions have been introduced in HE libraries, noise budget is one of them. According to A. Kim [28], noise budget (invariant) is defined as the total amount of noise we have left until decryption will fail. To be more precise, the BGV implementation for each library is specified as follows.

PALISADE:
In the library, noise budget is managed by a method called ModReduceInPlace, a method for reducing modulus of ciphertext and the private key used for encryption [29]. As explained above, in our scope of evaluation, this function will not be included. For BGV multiplication, the BFV operation of EvalMult is reused, so key-switching or relinearlization is already added. Besides, other properties of BGV implementation are remained the same as BFV's, such as the solution to calculate required N, Q, as well as the condition of inputs as mentioned in Table 6. BFV key generation

Fig. 4 Vertical comparison of BFV's execution time
HElib: Helib allows to calculate its security level based on p, m, and bits (the number of bits of the modulus chain). When bits increase, its execution time is also raised up. Thus, in comparison with other libraries as given in Table 9, we choose these variables such that the security level is close to or at least 128 bits. Table 9 shows that the performance of HElib can be considered as good as the other two libraries if the timings of key generation and decryption were not such slow. To explain this, we need to examine the execution of key-switching matrices addSome1DMatrices in KeyGen process. Table 10 displays the differentiation in running time of computing or not the addSome1DMatrices function. Without adding this procedure, key generation has been much less timeconsuming. For instance, in case N = 32768 , it took almost 2 s to generate its key pair with addSome1DMatrices, whereas this process costed only 40 milliseconds approximately without it.
In contrast, key-switching matrices have not been mentioned in SEAL and PALI-SADE. Instead, PALISADE calculates required N and Q as illustrated in Table 11.
The different pairs of L and Q in each line have the same level of security. Hence, in the horizontal comparison of Table 9, we selected PALISADE results with lower (L, Q) to compare with others. On the other hand, Table 12 contains the timing results when implementing the lowest and highest pairs of (L, Q) in each particular case of N value. Based on its behaviors, (L, Q) shows an impressing effect on PALISADE's execution time, especially on KeyGen procedure. For instance, at the same level N = 32768 , L = 17 took more than 1 s to generate key pair, whereas 0.3 s is its cost when L = 9 . Last but not least, Fig. 5 exposes the visibly vertical comparison of the two based on timings of each operation. A deep analysis of the Fig. 5 and Table 9 shows that the SEAL and PALISADE are performing much better than the HElib for KeyGen and Dec operations. In contrast, Helib running time is the best in multiplication and encryption. On the other hand, PALISADE and SEAL have equally good performance in all operations.

A survey on implementations of homomorphic encryption schemes
Although there is dissimilarity between them in multiplication and addition, since the actual time counted in s, it is not really a great distance.

TFHE/FHEW
The FHEW fully homomorphic encryption [9] and its TFHE variant [10] are the well-known methods to compute simple bit operations on encrypted data. TFHE and FHEW are both Ring-LWE encryption, followed by a bootstrapping n, lattice parameter for the LWE scheme; -N, ring dimension for RLWE; q, LWE modulus; -Q, RLWE modulus used in the core bootstrapping procedure based on an accumulator.
Both AP/FHEW and GINX/TFHE are implemented in PALISADE (now OpenFHE). Based on proposed parameter sets by D. Micciancio et al. [12] and PALISADE configuration, we conduct the experiments with different values as shown on Table 13. PALISADE provides several parameter sets corresponding to various levels of security: STD128, STD192, STD256, STD128_AP, STD128Q, STD192Q, and STD256Q, where "STD" means HE security standard in [52], and "Q" stands for the quantum attack estimates. For example, STD128 is HE standard set with more than 128 bits of security with reference to classical computer attacks, while STD128Q is the same as STD128 security but with reference to quantum computer attacks. For the 128-bit security, STD128_AP is added, which supports a more efficient option with d g = 3 , while STD128 is with d g = 4 , where d g is the number of digits that integers (mod Q) are broken into.
The method to conduct experiments for TFHE/FHEW is similar to previous experimental implementations in PALISADE as presented in Sect. 4. In particular, for each scheme we build a project as a regular end-user. Since FHEW and TFHE can evaluate arbitrary Boolean circuits on encrypted data by bootstrapping after each gate evaluation [12], we focus on performing and comparing two main operations: key generation (KeyGen) and NAND gate evaluation (NAND). The former includes generating refresh and switching keys, while the latter is evaluating a NAND gate. A NAND gate is functionally complete. Hence, every possible Boolean circuit can be realized with combinational logic made entirely of NAND gates. Every experiment collecting the performance metrics is carried out on an average computer equipped with an 12th Gen Intel(R) Core(TM) i5-1245U CPU  Table 14 counted by milliseconds (ms). The number of security bits has a great impact on the running time of both two cryptosystems. It is understandable that the increase in security level leads to the increase in KeyGen and gate evaluation timings in both two schemes. This is most clearly shown in the fact that the system was not able to compute any results for FHEW/AP when STD256Q is reached. In general, GINX bootstrapping method provides better performance when it always produces bootstrapping keys and evaluates the NAND gate much faster than AP. Talking about this, TFHE authors [10] explained that they used a smaller bootstrapping key than the one in AP. In their experiment, using 16MB bootstrapping key instead of 1GB, the running time of FHEW bootstrapping is decreased from 690ms to 13ms single core, but still preserving the security parameter. Comparing the two, Y. Lee et al. [51] stated that GINX/TFHE bootstrapping uses much smaller evaluation keys, but it restricts the scheme's applicability because it is directly applicable only to binary secret keys. On the other hand, AP/FHEW supports arbitrary secret key distributions, which is critical for a number of important applications, such as threshold and some multi-key HE schemes.

Somewhat homomorphic encryption
The CKKS scheme is called leveled homomorphic encryption, an "extended" form of SWHE. In contrast to BFV and BGV encryption, where exact values are necessary, CKKS allows both additions and multiplications on encrypted complex numbers, but yields only approximate results [28]. According to A. Kim [39], one should take advantage of CKKS encryption in applications such as summing up encrypted real numbers, evaluating machine learning models on encrypted data, or computing distances of encrypted locations. As a result, CKKS scheme has been implemented in four HE libraries as communicated in Table 3. To perform experiments with CKKS, in addition to the default setting mentioned above, the input parameters are the same for all libraries, where:  In this encryption, there is no condition of plaintexts. Based on its properties, we chose inputs as real numbers. The method to draw packed messages keeps unchanged as discussed in section 4.

PALISADE:
The ring dimension of the HE scheme is chosen following the security standards. Hence, to meet a requirement of 128-bit security level, the minimum value of N is 8192. In Table 15, we presents the detail of input parameters. SEAL: Like other CKKS implementation, SEAL does not use the plaintext modulus parameter p. Moreover, instead of providing a ciphertext modulus Q, users working with CKKS must provide a modulus chain of prime sizes (e.g., q = [60,40,40,60] ) [39]. The number of moduli is equal to the number of iterations/multiplications. Additionally, the log 2 Q bit as shown in Table 7 is kept unchanged, but now it is corresponding to the maximal sum of these primes, called CoeffModulus.
Before going to the evaluation part of different libraries' performance, Table 16 illustrates how SEAL behaves sensitively with ciphertext modulus and its modulus composition for each value of N. Although addition and decryption time are not changed significantly, the calculation time is climbed up more than 2 times in the three remaining operations.
HElib: One of the most advantages of working with HElib is its transformation of complex mathematical calculations in order to be easier and more understandable for non-expert practitioners. For example, to add two ciphertexts cipher_a and cipher_b, HElib supports to simply declare a new one as a sum of the two: Ctxt cipher_add_ab = cipher_a; cipher_add_ab += cipher_b. There is no need to specify technical steps such as relinearization or rescaling. Being  different from other libraries, HElib allows users to calculate encryption security level based on input parameters. Table 17 contains the experimental results with the encryption security sec_level being the closest to 128-bit level, while still preserving HElib's usage recommendation. HEAAN: The last library was developed by its own authors. HEAAN takes advantage of fully built-in algorithms, where it is able to deal with complex numbers. An input message in HEAAN can consist of n complex numbers, where n ≤ N∕2.
By analyzing different results displayed in Fig. 6, one can see that overall performance of HEAAN and Helib are quite slower than SEAL and PALISADE. In overall, SEAL owns the best performance, while HEAAN is much more timeconsuming compared to the others. Considering PALISADE's presentation in both Table 17 and Fig. 6, it is obvious that its most time-consuming procedure is decryption and multiplication. One reason needed to bring up is that, the relinearization step is always included in multiplication function EvalMult. Moreover, for the decryption process (cc->Decrypt(keys.secretKey, cMul, &result)), calculated time of rescaling algorithm is also taken into account. In contrast, SEAL does not include relinearization and rescaling schemes in multiplication and decryption, respectively. Instead, it can be done by coding separately with two functions: evaluator.relinearize_inplace and evaluator. rescale_to_next_inplace.

Partially homomorphic encryption
This part presents our own implementations of partially homomorphic cryptosystems, including Paillier (additive), El-Gamal (multiplicative), and RSA (multiplicative). The source code is available at github [53]. Table 18 and Fig. 7 illustrate horizontal and vertical comparison results, respectively. According to PHE's properties as introduced in section 1, one PHE scheme can possess four following operations: Key generation, encryption, decryption, and addition/multiplication. Unlike FHE and SWHE, here the inputs are identified as p (plaintext modulus) and log 2 N (the number of bits of N), where N is one factor in public (encryption) keys. For each cryptosystem, we measure the execution time when selecting pairs of ( log 2 N, p ) in the similar manner of selecting ( log 2 Q, p ) in FHE. In addition, we execute the second situation where p is in ℤ N and the bits of N are so large such that they can reach 128-bit security level as stated in [54]. As same as the previous implementations, the time unit is microseconds; each operation was executed in 1000 iterations and the timings presented are its average. The implementations are set up following their original papers: Paillier [4], El-Gamal [3], and RSA [15]. Table 18 and Fig. 7 demonstrate the experimental results.

Paillier encryption
In Paillier cryptosystem, although the input is N, the cipher space or ciphertext modulus is N 2 (see Sect. 3). In spite of that, generally the algorithm performs all four operations very well as shown in Table 18. In the second situation, when both p and N increase, there is no much difference in time execution of Add. However, for three others, they are both climbed up. Particularly, when N is 4096 bits, the average time for one KeyGen is almost 4.3 s. Table 18 indicates that all three operations of encryption, decryption, and multiplication in El-Gamal method have a better performance compared to Paillier. Apart from that, KeyGen appears to be a very time-consuming procedure. The cryptosystem needs more than 5 s to generate key pairs if log 2 N = 881 , not mention to say that it needs more than 15 min when log 2 N = 3072 or more. Regarding to this problem, its author Taher ElGamal explained that in any of the cryptographic systems based on discrete logarithms like El-Gamal, N must be chosen such that N − 1 has at least one large prime factor [3]. If N − 1 has only small prime factors, computing discrete logarithms would be easy [55]. Hence, our implementation is set up such that this condition is satisfied. N is considered as a safe prime if (N − 1)∕2 is also a prime. Figure 7 shows that RSA has represented the best performance among the three PHE schemes, even in case of very large ciphertext space. As its authors stated in [15], the secret key d in RSA is very easy to choose, which is relatively prime to (N) , where N = pq . To be more specific, any prime number greater than max(p , q ) will do. This is one of the reasons why RSA does not take much time to generate keys like El-Gamal encryption and why it is commonly used in practice.

RSA encryption
In Fig. 7, the first graph on the top left side displays the running time of Addition (Add) in Paillier and Multiplication (Mult) for the remaining two cryptosystems. Although the difference among them is demonstrated visibly, it is still considered as marginally small for the time unit is in s.

HE under security notions
All four general-purpose libraries presented in the paper were based on RLWEbased systems. The most interesting advantage of LWE or RLWE is that it is considered as one of the hardest problems to solve in practical time for even postquantum algorithms [45]. However, this does not mean that RLWE-based HE schemes are totally secure. In fact, to prove security of encryption algorithms, two security models commonly referred are IND-CPA is modeled by a game between an adversary (A) and a verifier (V) as illustrated in Fig. 8. In general, after generating pk, sk, and other security parameters of an encryption system, V sends pk to A. From this point, A is free to perform any computations using pk. A then chooses two different plaintexts a, b and send them to V. V computes encryption of a or b uniformly at random and sends A the result, called challenge. Finally, A needs to conclude the received value is the encryption of a or b. The cryptosystem is said to be secure in terms of IND-CPA if no adversary can output the correct value with probability significantly better than 1 2 . Likewise, the definition of IND-CCA is similar to IND-CPA, but here in both IND-CCA1 and IND-CCA2, the attacker can ask for the decryption of any ciphertexts, except the challenge that the verifier sent. In particular, IND-CCA1 and IND-CCA2 all allow the attacker to make queries to the decryption oracle to decrypt any arbitrary ciphertexts before the step 3 in Fig. 8

RLWE-based FHE and SWHE schemes
In 1999, Bellare et al. [56] proved that all homomorphic encryption schemes are not secure against IND-CCA2 attacks. Subsequently, although IND-CCA2 is the strongest of the three security definitions, it is universally acknowledged that IND-CCA1 is the strongest security notion for HE. Apart from these three, Chenal and Tang [57] mentioned one variation of these security notions, called key recovery attacks. Following the authors, the key recovery attack is stronger than a typical IND-CCA1 and allows an adversary to recover the private keys through a number of decryption oracle queries. Table 19 lists several FHE and SWHE schemes presented in our work and corresponding attacks, together with their related papers. It is obvious that three schemes are secure against IND-CPA attacks [58]; however, they all suffers from IND-CCA1 and key recover attacks. According to Fauzi et al., the key recovering attack as presented by Chenal and Tang also works on a on several schemes based on (R)LWE, and FHEW/TFHE is one of them. When the decryption is computed as a rounding function that maps elements from ℝ q into the plaintext space, it is vulnerable to an attacker who asks for decryptions of c = (e i , b) , where e i ∈ ℝ n is the unit vector with 1 at position i and 0 everywhere else. As a consequence, this leaks information on secret s i .

PHE schemes
In contrast to FHE and SWHE, one of PHE schemes, namely RSA, is weak even under IND-CPA norm. The reason is that Schoolbook RSA is deterministic. Therefore, comparing to IND-CPA model in Fig. 8 [4]. Similar to Paillier system, El-Gamal encryption scheme is also known as being IND-CPA secure under the decisional Diffie-Hellman assumption [63]. However, when discussing the security of El-Gamal under IND-CCA1, Wu and Stinson [64] supposed that it is conjectured, but there has been no formal proof. Integer factorization problem (IFP). Apart from attacks on security notions, IFP is also worth discussing in our context when we have the security of both RSA and Paillier cryptosystems depending on factoring problem. Given a composite number N, The IFP is defined as finding two integers p and q such that pq = N . Once p and q are discovered, it can be shown that RSA and Paillier encryption are insecure (see section 3). Two of widely used algorithms to factor an integer, as well as to be the basis of other factorization methods, are Pollard's rho and Pollard's p − 1 , invented by John Pollard in 1974Pollard in -1975. Our implementation and experimental results of each method are presented in detail at [66].
With complexity of time and space O( √ N) by the birthday paradox, Pollard's rho relies on several important mathematical concepts, one of them is cycle-finding algorithm.
It can be seen that Pollard's rho takes a lot of time to find a factor of medium size. The second method to factor N is Pollard's p − 1 algorithm, which is based on Fermat's little theorem [65]. Unlike the previous method, the possibility of finding a factor p of given size is not determined solely by its size, but rather by the smoothness of p − 1 (see algorithm 3). There are two cases of failure: d = 1 or d = N . In the first case, a M − 1 is co-prime with N, which implies that the search bound B is too small, and thus, one should rerun the algorithm with a larger B. In the second case, d = N implies that N has a B-smooth prime factor p, but the randomized base a has order less than p − 1 (a 128-bit RSA modulus) (a 128-bit RSA modulus) modulo p (hence omitted for gcd computation in the loop from line 8 to 11). In this case we choose another base a and restart the whole process. Here, to improve the algorithm's performance, we implement the two-stage variant of Pollard's p − 1 (the detail is presented in [66]). The second-stage is performed by choosing a second bound B 2 > B , normally B 2 = 100B . While Pollard's rho takes much time to find a factor of medium size, our implementation of the two-stage Pollard's p − 1 is able to find larger factors of some record numbers listed in [67]. The running time for each is displayed in Table 22, where: We found the factor of each number as below: It is obvious that Pollard's p − 1 is capable to find large factors of a composite N; however, in practice, when the system applies N from 2048 bits, it is not sufficient to find its large-size factors using Pollard's rho and Pollard's p − 1 methods on a classical machine. Therefore, the invention of Shor's algorithm by Peter Shor, a quantum computer algorithm to solve IFP, marks an important milestone for the security of public key cryptography systems.

3
A survey on implementations of homomorphic encryption schemes

Shor's quantum algorithm
Being developed in 1994, Shor's algorithm [68] is one of the first quantum algorithms that demonstrated the advantage of quantum computers over classical ones. In general, the method allows to find prime decomposition of big integers in polynomial time, namely O((log N) 3 ) time and O(log N) space, given a sufficiently large quantum computer. The basic idea of Shor's algorithm relies on period-finding problem. Given integers a and N, r is called the period of a modulo N if r is the smallest positive integer such that a r − 1 is a multiple of N, or a r − 1 is divisible by N. For example, given a = 7 and N = 15 , its period is found as r = 4 , we have 7 4 = 1 (mod 15) . The name "period" comes from the fact that a i+r (mod N) = a i a r (mod N) = a i (mod N) (because a r = 1 (mod N) ) for any integer i. Based on the period's property, we have N|(a r − 1) . If r is even, then N|[(a r∕2 − 1)(a r∕2 + 1)] . By computing gcd((a r∕2 − 1), N)) and gcd((a r∕2 + 1), N) , we can find the factors of N. In the whole process, a quantum algorithm is applied to compute the period r of a modulo N by using quantum Fourier transforms [69], where a is a randomly chosen element.
So far, the largest numbers factored by Shor's algorithm are 51 and 85 by Geller and Zhou in 2013 using eight qubits [70]. Before that, Vandersypen et al. [71] in 2001 and Martín-López et al. [72] in 2012 also implemented Shor's algorithm to factor 15 and 21, respectively. The most recent paper was of Gidney et al. [73], published in 2021, which presented how to factor 2048-bit RSA integers using 20 million noisy qubits in 8 h.
With the efficiency of quantum computers, the security provided by cryptosystems, which are based on IFP and discrete logarithmic problems (DLP), seems to be short-lived. Speaking of IFP, RSA and Paillier encryption are vulnerable against Shor's algorithm. In [80], Suo et al. indicate some implementations of Shor's algorithm over different quantum prototype computers, together with their number of qubits and quantum gate complexities, as given in Table 23 (for IFP) and Table 24 (for DLP).
Similarly, El-Gamal with its hardness of computing discrete logarithms is also a victim of quantum algorithms [68]. In 2010, Wang [83] defined a circuit for quantum computers to solve DLP as shown on Fig. 9, where F p−1 is the Fourier transform over Z p−1 , and U f being a quantum circuit.
Some argue that although quantum encryption breaking is a potential possibility, it is not a peril as there are still solutions for it. One is to increase the bit lengths, so that attackers need a larger and larger quantum computer to be able to

Conclusion and future work
Nowadays, in the vibrant and active world, when data privacy plays a more significant role, HE is a new promising domain that allows external third parties to perform computations on the encrypted data without decrypting it in advance. However, one big challenge is to build a HE scheme that provides simultaneously both the required security and the performance efficiency. In this paper, we contributed an in-depth study of the different uses and implementations of HE schemes in most-used HE libraries, including SEAL, PALISADE, HElib, and HEAAN. First, we highlighted the principles and mathematical models of adopted schemes, followed by a brief description of linked libraries. By comparing execution time of five main homomorphic operations (KeyGen, Enc, Dec, Add, and Mult).
We present a computational overview of performance evaluation of different HE cryptosystems in different libraries. Through experimental results, it is easier for Veldral et al. [75] 1996 O(n 3 ) 4n+3 Beauregard [76] 2003 O(n 3 log n log 1 ) 2n+3 Takahashi et al. [77] 2006 O(n 3 log n log 1 ) 2n+2 Haner et al. [78] 2016 O(n 3 log n) 2n+2 Gidney [79] 2017 O(n 3 log n) 2n+1  Fig. 9 A circuit of DLP [83] non-experienced practitioners to set input parameters for encryption schemes, as well as to choose an appropriate library for building their own HE-based projects. We also discussed an overview of the security of six aforementioned HE schemes under notable security notions such as IND-CPA, IND-CCA1, and IND-CCA2. Two classical attacks of Prof. John Pollard on Integer factorization problem are presented before introducing Shor's quantum algorithm for the same problem. The performance comparison in this work covers several notable HE schemes in the three homomorphic encryption categories: Partially HE, Somewhat HE, and Fully HE. The results clearly suggest that partially homomorphic cryptosystems are significantly faster than the others at addition and multiplication operations. RSA possesses the fastest key generation procedure, whereas El-Gamal is quite slow when ciphertext modulus increases. On the other hand, the presentation between evaluated FHE schemes and CKKS is inconsistent, especially for multiplication timings. For both BFV and BGV, SEAL and PALISADE demonstrate a slower multiplication compared to CKKS. In contrast, HElib makes that of CKKS be a time-consuming process in comparison with the other two. Besides, between BFV and BGV, performance analysis has shown that the former is performing better than the latter in terms of execution time for key generation in both SEAL and PALISADE, mostly when the ciphertext dimension is climbed up. It is also clear that the efficiency of the PHE schemes becomes crucial in the overall performance. Due to the fact that PHE schemes are not implemented in mentioned libraries, we used our own implementations of Paillier, El-Gamal, and RSA as partially homomorphic cryptosystems in the emulation. For that reason, we plan to continue our work on optimizing PHE schemes in their implementation and performance. Besides, working with different HE libraries, we have seen that a part from doing encryption between a typical two parties, some libraries also support threshold encryption. Using threshold decryption in a public key cryptosystem allows n parties to communicate in which a minimal number of parties-a "threshold" number-need to cooperate in order to decrypt a ciphertext. This prevents the situation where an individual keyholder is able to decrypt all sensitive information on his own. This aspect will certainly be addressed by future work.

Funding Information
The research depicted in this paper is funded by the French National Research Agency (ANR), project ANR-19-CE23-0005 BI4people (Business Intelligence for the people).
Data Availability All of the material is owned by the authors and/or no permissions are required.

Declarations
Conflict of interest I declare that the authors have no competing interests as defined by Springer, or other interests that might be perceived to influence the results and/or discussion reported in this paper.