The advancement of biometric technology has facilitated wide applications of biometrics in law enforcement, border control, healthcare and financial identification and verification. Given the peculiarity of biometric features (e.g., unchangeability, permanence and uniqueness), the security of biometric data is a key area of research. Security and privacy are vital to enacting integrity, reliability and availability in biometric-related applications. Homomorphic encryption (HE) is concerned with data manipulation in the cryptographic domain, thus addressing the security and privacy issues faced by biometrics.
Biometrics is the measurement of human physiological and behavioural characteristics with the purpose of recognising and describing individuals 
. Biometric traits include biological traits (e.g., fingerprint, face and iris) and behavioural traits (e.g., voice, signature and keystroke). Thanks to the desirable attributes of biometric traits 
, such as distinctiveness, invariance and robustness, biometric systems are now extensively used for identity verification in many applications (e.g., e-health, e-banking and border control). Biometric recognition overcomes the disadvantages of traditional password- or token-based authentication; for example, passwords can be forgotten or guessed and tokens can be stolen or lost.
A typical biometric system consists of two phases: the enrolment phase and the verification phase. In the enrolment phase, a user’s biometric data are extracted from his or her biometric sample (e.g., facial image or fingerprint scan) and stored in a database as a template. In the verification phase, the biometric data of a query, processed in the same way as in the enrolment phase, are compared or matched with the template to calculate a similarity score. If this score is greater than a pre-defined threshold, matching is successful; otherwise, matching is unsuccessful. Figure 1 shows a biometric system equipped with a privacy-preserving functionality (e.g., homomorphic encryption).
A privacy-preserving biometric system (adapted from 
), with the facial image sourced from the ORL face database 
and the fingerprint image from the FVC2002 fingerprint database 
Despite the benefits brought by biometrics, biometric systems have their own weaknesses. Biometric data are uniquely linked to a person’s identity, and no two individuals in the world own exactly the same biometrics. Biometric data leaked in one application mean that they would be compromised in all other applications that depend on the same biometrics, which could lead to a data breach and identity fraud. With biometric security being a growing concern 
, researchers have developed a variety of biometric template protection techniques. Biometric template protection aims to secure the privacy and confidentiality of biometric template data while providing satisfactory recognition performance. Biometric template protection can be broadly divided into three categories—cancelable biometrics, biometric cryptosystems and homomorphic encryption (HE). These categories differ in their protection techniques, such as non-invertible transformation used by cancelable biometrics, key binding/generation employed in biometric cryptosystems and operation on ciphertext conducted by HE. The selection of the protection technique depends on specific applications and the desired level of security, as each category has its own properties, advantages and disadvantages, which are described below:
Cancelable biometrics: For security reasons, cancelable biometric systems do not store the original biometric data as templates. Instead, raw biometric data are transformed by a non-invertible transformation function in the enrolment phase, and the transformed data are stored in the database. Such a transformation is intentional and reproducible 
. An essential property of cancelable biometrics is irreversibility, meaning that it should be computationally infeasible to retrieve the original biometric data from the transformed template 
. In the verification phase, the same transformation is applied to the query data. Matching is performed in the transformed domain so that no original biometric data are divulged. If the stored (transformed) template is compromised, a new version can be generated by altering the transformation parameters. Cancelable biometrics is considered relatively simple and easy to implement.
Biometric cryptosystems: Bio-cryptosystems combine the benefits of biometrics and cryptography. In bio-cryptosystems, secret keys are either technically tied to or directly produced from biometric data. The original biometric data are encrypted by a secure sketch (e.g., Fuzzy Commitment 
, Fuzzy Vault 
and PinSketch 
) with helper data as the output. The helper data are generated by an irreversible cryptographic process so that it is difficult for adversaries to acquire the original biometric features from the helper data 
Homomorphic encryption (HE): HE tackles the data privacy issues by performing multiple operations on the encrypted data without any decryption 
. Because the result of the HE computation remains encrypted and can only be decrypted by the data owners, confidentiality is kept and any third party can operate over the ciphertext without accessing the original plaintext 
HE is relatively new and promising compared to cancelable biometrics and bio-cryptosystems. It allows mathematical operations to be performed on encrypted biometric data without the need to decrypt them for authentication. In other words, biometric data can be encrypted and stored in databases without being decrypted during matching, thus preventing unauthorised access or privacy breaches. In addition, unlike cancelable biometrics, HE does not affect recognition accuracy. Overall, the application of HE in biometrics can protect the security and privacy of biometric data, while allowing for highly accurate identity verification.
2. Homomorphic Encryption
A notion originated by Rivest, Adleman, and Dertouzos in 1978, HE allows calculation over encrypted data. This feature of HE is reflected in some well-known public key cryptosystems, such as the classic RSA 
or El-Gamal 
, but it only works for one operation (addition or multiplication) and, sometimes, for a very limited number of two operations 
. Several decades later, Gentry 
in 2009 first proposed a public key encryption scheme capable of any kind of operation, namely fully homomorphic encryption (FHE).
HE allows for certain types of operations on ciphertexts without accessing the secret key. In addition, HE produces an encrypted result in which the decryption matches the computed result on the plaintext 
. HE is classified based on a list of mathematical operations on encrypted data. The effectiveness and flexibility of HE are closely related to the number of operations on the list. HE schemes with a higher number of operations are considered more flexible, but have lower efficiency. Conversely, schemes with a smaller number of operations are less flexible, but more efficient 
. Depending on the number of operations that are arbitrarily evaluated on the encrypted data, HE can be classified into different types, including FHE, partially homomorphic encryption (PHE) and somewhat homomorphic encryption (SHE).
2.1. The Basics of HE
Building an HE scheme requires four steps 
: key generation, encryption, decryption and homomorphic arithmetic operations (e.g., addition and multiplication). An encryption scheme is considered homomorphic 
if it supports homomorphic addition and/or homomorphic multiplication, expressed by:
where E represents an HE algorithm, M is the set of all possible messages, “+” denotes the addition operation and “*” the multiplication operation.
2.2. Partially Homomorphic Encryption
PHE allows an infinite number of operations of one type. For instance, additive HE allows an unlimited number of additions, but does not allow multiplication 
. Below is a selection of the main PHE schemes:
: Inspired by the Diffie–Hellmann key exchange problem 
, RSA was proposed in 1978. RSA is one of the first public key encryption methods for securing communication on the Internet. According to 
, RSA is considered the first multiplicative PHE.
: GM is the first probabilistic public key encryption scheme proposed by Goldwasser and Micali. The GM cryptosystem is based on the hardness of the quadratic residuosity problem.
: Being a multiplicative PHE scheme, the El-Gamal algorithm was derived from Diffie–Hellmann key exchange. Its security is based on the difficult mathematical problem known as the decisional discrete logarithm problem 
: Paillier is another probabilistic public key encryption scheme based on the composite residuosity problem 
, similar to the quadratic residuosity problem in GM. The Paillier scheme is homomorphic over addition and several extra basic operations on plaintexts.
2.3. Somewhat Homomorphic Encryption
SHE supports a predefined number of homomorphic operations, with the restriction on the number of permitted operations. Every operation adds to the underlying noise, so its proper evaluation relies only on performing a limited number of operations. When noise exceeds a certain threshold, the decryption of messages fails 
. The key features of two main SHE schemes are introduced below:
: Developed by Dan Boneh, Eu-Jin Goh and Kobbi Nissim, the BGN scheme was the first to support the addition and multiplication of ciphertexts with a constant size. It allows for any number of additions and a single multiplication operation on a ciphertext of a specified length. The homomorphic property of BGN allows users to evaluate multi-variate polynomials of a total degree of two given the encrypted inputs. The security of BGN is achieved under the assumption of the subgroup decision problem 
: Proposed by Jung Cheon, Andrey Kim, Miran Kim and Yongsoo Song, the CKKS scheme permits approximate addition and multiplication over ciphertexts whose plaintexts can be vectors of real or complex values. Since many HE schemes only work on binary or integer values, this feature of CKKS has attracted many researchers’ attention 
2.4. Fully Homomorphic Encryption
For FHE, there is no limit to the number of operations that can be undertaken 
. The inherent characteristic of HE is that, each time a homomorphic operation is performed, the errors increase 
. As a result, after a certain number of multiplications or additions, ciphertexts cannot be decrypted correctly because of the growth in the error. To address this issue, Gentry 
introduced a technique, known as bootstrapping, which converts a scheme that is not fully homomorphic (e.g., SHE) into one that is fully homomorphic. In other words, FHE is built on a bootstrappable SHE. Two main FHE schemes are described below:
: This scheme was a credit to Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan based on learning with error (LWE) or ring-LWE (RLWE) 
, without Gentry’s bootstrapping procedure 
. Considered one of the hardest problems, which can be addressed in polynomial time, LWE has been intensively studied to build postquantum cryptographic solutions. As an algebraic variant of LWE, RLWE was put forth to have more efficient real-world applications with stronger security.
: Considering the complexity and efficiency issues of FHE, Brakerski proposed several LWE-based FHE schemes, including Brakerski’s scale-invariant scheme 
. BFV is the Fan–Vercauteren variant of Brakerski’s scale-invariant scheme 
. It modifies the LWE setting in 
to be RLWE. Using a simple modulus switching trick, BFV is more efficient than Brakerski’s scale-invariant scheme 
according to 
. The security of BFV-type cryptosystems is based on the RLWE problem.
2.5. Possible Attacks on HE Systems
Although HE can provide robust security, it is not exempt from attacks. A number of attacks can be initiated against HE systems, the application of HE to biometrics are:
Side-channel attacks 
: Side-channel attacks assume that an adversary has access to some information about the secret key of the encryption algorithm. For example, the adversary launches timing attacks 
that take advantage of the time a system spends on calculations while the encryption/decryption algorithm is being executed. Side-channel attacks are especially troublesome for HE as the encryption/decryption process involves a complex computation, which may leave a trace of information that can be exploited. A desirable security requirement for HE schemes is to have resistance to such attacks, often called leakage resilience, meaning that semantic security should not be breached, even in the case of side-channel attacks.
Black box attacks 
: A black box attack on HE takes place when an adversary gains access to the encrypted data and manipulates them, but the adversary has no access to the secret key. The adversary’s objective is to obtain information about the plaintext data by examining the output of the homomorphic operation. Through randomised encoding, such as adding a random value to the plaintext before encryption, black box attacks can be tackled.
Lattice attacks 
: A lattice attack is a form of attack exploiting the vulnerabilities in lattice structures to restore the secret key in a lattice-based cryptosystem. This type of attack can be used to target some lattice-based HE schemes. For example, it was shown in 
that, under certain parameter settings, an attacker could directly derive the plaintext from the ciphertext and public key even without using the secret key of the lattice-based FHE.
Other attacks: Other attacks that target HE include attacks on broadcast encryption 
, chosen ciphertext key recovery attacks 
, chosen related plaintext attacks 
, decoding attacks on LWE 
and reaction attacks 
3. Potential HE Libraries for Biometric Security
HE libraries play a pivotal role in helping researchers and professionals implement HE in many applications including biometrics. The efficiency of these applications has been greatly improved by the evolution and optimisation of HE libraries over the past few years . HE libraries  that have been adopted or will potentially be implemented for biometric security are summarised in Table 1.
HE libraries for biometric security (adapted from 
||HE Schemes Supported
||BGV and CKKS
||BGV, BFV and CKKS
||Ring variant of GSW
||BGV, BFV and CKKS
||Python and Cython
||BGV, BFV and CKKS
||BGV, BFV and CKKS
||C++ or Python
||BGV, BFV and CKKS
4. HE-Based Approaches to Biometric Security
4.1. HE-Based Approaches to Face Security
Shahreza et al.  proposed a hybrid solution to securing face templates by combining the cancelable biometric (CB) technique and HE. Since the protected templates are irreversible even in the case of a compromised secret key (often referred to as the fully compromised case), using CB prior to HE strengthens the security and privacy of the whole system and reduces template dimensions, which accelerates the computation of ciphertexts. Román et al.  used public key encryption and HE to protect facial data. The experimental results showed that recognition performance is retained after protection. The proposed method also renders size-reduced protected templates and keys and a fast execution time compared to other lattice-based HE schemes. Bauspieß et al.  developed an improved coefficient-packing-based FHE method to secure face templates. Capable of feature dimensionality reduction, the proposed method streamlines computations. The experimental evaluation over a public face database showed that efficient face recognition in the cryptographic domain (up to a 1.6% reduction in computing time) can be achieved on off-the-shelf hardware with no loss in recognition accuracy.
4.2. HE-Based Approaches to Iris Security
In iris recognition, cameras are used to capture high-resolution images of the iris, from which unique features are extracted, such as the texture, shape and pattern of the iris. As one of the most-accurate biometric authentication modalities, there is ongoing research in protecting iris data .
Morampudi et al.  proposed a secure and verifiable classification-based iris authentication system, named SvaS, with FHE on a malicious cloud server. SvaS aims at privacy-preserving training and privacy-preserving classification of nearest-neighbour and multiclass perceptron models. The BFV scheme  provides security protection to iris templates. In this scheme, the ensemble verification vector is responsible for verifying the correctness of the computed classification results. Song et al.  introduced an iris-based ciphertext authentication system using FHE and the fuzzy vault. Authentication is performed with no decryption of iris templates whose homomorphic ciphertexts are stored in the database, so there is no disclosure about the iris templates. Furthermore, the proposed system eliminates the need for trust centre authentication as authentication is conducted directly on the server side using a one-time message authentication code.
4.3. HE-Based Approaches to Fingerprint Security
Fingerprints are one of the most-widely used biometric traits. Fingerprint recognition utilises the unique pattern of the ridges and valleys on a person’s fingerprints for identity authentication 
. HE-based methods for fingerprint security are discussed below.
Yang et al. 
proposed an HE-based fingerprint authentication system for access control and protecting sensitive fingerprint template data. Due to the use of HE, fingerprint matching takes place in the encrypted domain, making it difficult for adversaries to gain access to the original fingerprint template in the absence of the private key. The scholars also analysed the trade-off between computing time and recognition accuracy.
4.4. HE-Based Approaches to Gait Security
Each person has a distinctive gait, which can be used to distinguish them. Gait recognition utilises the way a person walks to recognise them. Lin et al. 
proposed HE-based gait recognition to protect sensitive gait feature data. Different from fingerprint or face data, which are time-independent, gait features are time-dependent and continuous. The scholars modified a convolutional neural network (CNN) and combined it with FHE to handle encrypted gait data.
4.5. HE-Based Approaches to Voice Security
Voice recognition 
, also referred to as speaker recognition, authenticates individuals according to the unique characteristics of a person’s voice, such as intonation, tone of voice and accent. Rahulamathavan 
redesigned the back-end of speaker verification systems to alleviate the privacy concerns of speech features. Based on the Newton–Raphson method, the scholars proposed a solution to addressing the limitation of CKKS (i.e., computing the inverse square root of encrypted numbers), yielding negligible loss in recognition accuracy with reduced multiplication depth.
4.6. HE-Based Approaches to Signature Security
Signature recognition makes use of the unique characteristics of a person’s signature to identify them 
. In signature recognition systems, a digital pen or touchpad is used to capture users’ signatures, which are processed to extract distinctive features, such as the order of strokes, stress and writing speed. Barrero et al. 
proposed HE-based biometric template protection, in which only encrypted data are processed and templates are of a fixed length. In a completely repeatable experimental framework, the scholars analysed different distance measures in the scenario of online signatures, showing that all requirements for biometric template protection (e.g., irreversibility, unlinkability and renewability) are met without compromising recognition performance and with a low computational cost.
5. Integrating HE with Other Technologies for Biometric Security
5.1. HE with Blockchain
Blockchain is an advanced technology that delivers the service of decentralised data storage and the capability to record and protect transactions using cryptography 
. All the nodes involved in the blockchain know every transaction that occurs in the blockchain 
. Integrating HE and blockchain technology provides a powerful combination for biometric security, allowing sensitive biometric data to be processed without compromising security.
5.2. HE with Machine/Deep Learning
With machine/deep learning technology entering many industries, as well as people’s lives, privacy and security concerns arise from system users, operators and administrators. Since CNNs are extensively employed to handle complicated visual tasks, integrating HE with machine/deep learning offers strong privacy protection for biometric systems. Wingarz et al. 
detailed the steps to create a privacy-preserving CNN and analysed its applicability and scalability in the real world. In this context, a homomorphically encrypted neural network was implemented for face recognition. The simulation results showed that running a CNN on homomorphically encrypted inputs achieved the same recognition accuracy as in a conventional CNN case.
5.3. HE with Differential Privacy
With applications in many fields (e.g., statistics and data analysis), differential privacy (DP) provides a robust protocol for privacy preservation. The basic idea of DP is to protect the privacy of individual data points by incorporating “noise” in the data so that nobody’s data can be distinguished from any other individual’s data 
. Combining HE and DP in biometric systems renders an effective tool for protecting the privacy of biometric data, while permitting sophisticated data manipulation and analysis.