- Email: [email protected]
Cryptanalysis and security enhancement of optical cryptography based on computational ghost imaging
Optics Communications 365 (2016) 180–185
Contents lists available at ScienceDirect
Optics Communications journal homepage: www.elsevier.com/locate/optcom
Cryptanalysis and security enhancement of optical cryptography based on computational ghost imaging Sheng Yuan a,n, Jianbin Yao a, Xuemei Liu a, Xin Zhou b, Zhongyang Li a a b
Department of Information and Engineering, North China University of Water Resources and Electric Power, Zhengzhou 450011, China Department of Opto-electronics Science and Technology, Sichuan University, Chengdu 610065, China
art ic l e i nf o
a b s t r a c t
Article history: Received 29 October 2015 Received in revised form 1 December 2015 Accepted 11 December 2015
Optical cryptography based on computational ghost imaging (CGI) has attracted much attention of researchers because it encrypts plaintext into a random intensity vector rather than complexed-valued function. This promising feature of the CGI-based cryptography reduces the amount of data to be transmitted and stored and therefore brings convenience in practice. However, we find that this cryptography is vulnerable to chosen-plaintext attack because of the linear relationship between the input and output of the encryption system, and three feasible strategies are proposed to break it in this paper. Even though a large number of plaintexts need to be chosen in these attack methods, it means that this cryptography still exists security risks. To avoid these attacks, a security enhancement method utilizing an invertible matrix modulation is further discussed and the feasibility is verified by numerical simulations. & 2015 Elsevier B.V. All rights reserved.
Keywords: Optical cryptography Chosen-plaintext attack Computational ghost imaging
1. Introduction Optical processing techniques have been widely applied in the field of information security since the pioneering work reported by Refregier and Javidi on the double random-phase encoding (DRPE), owing to its inherent advantages such as high-speed parallel processing capability and muti-dimensional operation [1–14]. Furthermore, optical procedures are the natural medium to deal with images or holograms and benefit from continuous advantages in electro-optic devices. As the accompanying complementary opposites, the corresponding security analyses have also been carried out and promoted the further development of optical encryption techniques [15–20]. However, most of these existed optical cryptosystems based on the random-phase encoding encrypt the plaintext image into a complex-valued function, which will bring inconvenience in data transmission and storage. On the contrary, optical encryption scheme based on the computational ghost imaging (CGI) has noticeably reduced the number of bits required to transmit the image, because the encryption of the object image is not a complex-valued matrix but simply an intensity vector [21]. In the CGI-based encryption n
Corresponding author. E-mail address: [email protected] (S. Yuan).
http://dx.doi.org/10.1016/j.optcom.2015.12.013 0030-4018/& 2015 Elsevier B.V. All rights reserved.
scheme, a spatially coherent laser beam is modified by a set of random-phase masks and repeatedly illuminates on a secret image, then the transmitted lights are recorded by a bucket detector (a single-pixel sensor without spatial resolution) to obtain a ciphertext. A sequence of random seeds used to generate the random-phase masks are taken as the key. The secret image is retrieved by correlating the ciphertext with the intensity patterns computed by the key in the reference beam. In the past few years, the CGI-based security technique has achieved rapid development and some new schemes are also derived [22–26]. For examples recently, a higher security and better robustness optical encryption based on CGI with QR code has been proposed [23]. To improve the efficiency for data storage or transmission and enhance the security of the system, CGI-based encryption techniques using labyrinth-like phase modulation patterns and compressive sensing has also been investigated [24–26]. All these encryption techniques derived from Ref. [21] have effectively enlarged the application domain of CGI for optical security. However, we find that the CGI-based encryption scheme is vulnerable to chosen-plaintext attack because of the linear relationship between the input and output of the encryption system. As long as enough plaintexts are chosen, the key can be retrieved by solving a set of linear equations. In order to overcome this security risk, a security enhancement strategy utilizing an invertible matrix modulation is further investigated. The feasibility and security of the proposed scheme
S. Yuan et al. / Optics Communications 365 (2016) 180–185
181
are verified by numerical simulations.
2. CGI-based encryption scheme The schematic diagram of the CGI-based encryption scheme [21] is shown in Fig. 1. A collimated laser beam is generated for illumination. The light firstly passes through a spatial light modulator (SLM), which is controlled by computer to introduce a series of independent random-phase profiles as the secret keys of the encryption scheme. Then, the source is splitted into two beams, object and reference, which are measured by a bucket detector (without spatial resolution) and a charge coupled device (CCD), respectively. For one random-phase profile ϕk (x, y ) ( k = 1, 2, 3, ⋯, K ) generated by the SLM, the free-space propagation field at the distance z from the SLM can be described by
Ek (ξ , η) = exp ⎡⎣ jϕk (x, y) ⎤⎦ ⊗ h (x, y ; z )
(1)
where (ξ, η) denotes the coordinate on the CCD plane, j = −1 , ⊗ represents the convolution operation, and h (x, y; z ) is the point pulse function of the Fresnel transform which can be described by
h (x, y ; z ) =
⎡ jπ 2 ⎤ exp (j2πz/λ ) exp ⎢ x + y2 ⎥ ⎣ λz ⎦ jλz
(
)
(2)
where z is the Fresnel propagation distance between the SLM and the CCD plane (or the object plane), λ denotes wavelength of the laser. Thus, the intensity pattern detected by CCD can be calculated by
Ik (ξ , η) = Ek (ξ , η) 2
(3)
Actually as the CGI notes, the intensity patterns at the reference arm are unnecessary to be detected by CCD, which can be replaced with a “virtual detector” by calculating the propagation of the field of the reference beam (indicated by the dashed box in Fig. 1). In the object beam, the light illuminates the object with the transmission function T (ξ, η), and the collected intensities measured by the bucket detector can be described by
Bk =
∫ dξdηIk (ξ, η) T (ξ, η)
(4)
The operation is repeated K times for K different phase profiles ϕk (x, y ). Thus, the object information is encoded in a vector of K components {Bk }, i.e., ciphertext. In order to reconstruct the object, the computed intensity patterns at the object plane {Ik (ξ, η)} are cross-correlated with the intensities measured by the bucket detector {Bk }, i.e.,
1 T˜ (ξ , η) = K
Fig. 1. Schematic of the CGI-based encryption scheme. SLM: spatial light modulator, BS: beam splitter, CCD: charge coupled device (CCD).
can be seen from Eq. (5), the decryption key is the series of intensity patterns {Ik (ξ, η)} computed by the encryption key {ϕk (x, y )}. In other words, as long as attacker acquires the intensity patterns {Ik (ξ, η)} through a certain means, the CGI-based encryption scheme will be broken. According to the chosen-plaintext attack mode, there may be three strategies to break the encryption scheme. Strategy 1. In the CGI-based encryption scheme, the sequence {Bk } is the linear superposition of the product of {Ik (ξ, η)} and T (ξ, η) (known from Eq. (4)), which forms a set of linear equations. If a series of linearly independent matrices with real-valued elements are selected as the plaintexts to be encrypted, the relationship between the input and output of the encryption system will be described by a set of nonhomogeneous linear equations, which can be solved by conventional linear least-squares methods [27]. The solutions of the equations are indeed the intensity patterns {Ik (ξ, η)}. Thus, the encryption scheme will be broken. Strategy 2. As can be seen from Eqs. (4) and (5), Ik (ξ, η) and T (ξ, η) are symmetrical and they play the same role in ghost imaging. If one chooses a series of random real-valued masks {Tk (ξ, η)} to modulate the intensity pattern Ik (ξ, η), thus Eq. (4) becomes
K
∑ ( Bk −
B ) Ik (ξ , η)
k=1
(5)
where T˜ (ξ, η) is the reconstructed object image, and B is the average value for the measured intensity sequence {Bk }.
3. Vulnerability of the CGI-based encryption scheme Chosen-plaintext attack is an attack mode in cryptanalysis. In this method, the attacker can choose a certain number of plaintexts in advance, encode them by the encryption scheme, and get the corresponding ciphertexts. The purpose for the attacker is to obtain some information about the encryption scheme through this process, so that they can effectively decrypt the ciphertexts encoded by the same encryption scheme (as well as the related key) in the future. For the CGI-based encryption scheme proposed in Ref. [21], as
Bk′ =
∫ dξdηIk (ξ, η) Tk (ξ, η)
(6)
and Ik (ξ, η) can be ghostly imaged by
1 I˜k (ξ , η) = K
K
∑ ( Bk′ − k=1
B′ ) Tk (ξ , η)
(7)
where I˜k (ξ, η) is the reconstructed intensity pattern of Ik (ξ, η) , and B′ is the average value for the measured intensity sequence {Bk′ }. Then the encryption scheme can also be broken. Strategy 3. For a spatial case, if one chosen plaintext Tk only has a pixel valued 1 and other 0 (schematically shown in Fig. 2), Bk measured by the bucket detector is the intensity of {Ik (ξ, η)} in the position of the 1-valued pixel (known from Eq. (4)). All the values of the intensity pattern Ik (ξ, η) can be acquired by removing the 1-valued pixel in turns in the whole chosen plaintext, which is shown schematically in Fig. 2. Thus the decryption key {Ik (ξ, η)}
182
S. Yuan et al. / Optics Communications 365 (2016) 180–185
Fig. 2. Schematic diagram of the chosen plaintexts for Strategy 3.
can be retrieved as long as K plaintexts with only one 1-valued pixel are chosen, here K should be equal to the size of Ik (ξ, η) . It should be noted that only the intensity patterns {Ik (ξ, η)} in the reference beam rather than the random-phase masks {ϕk (x, y )} are directly extracted by the three strategies. However in the decryption process, the intensity patterns {Ik (ξ, η)} act as the decryption key (known from Eq. (5)), so the CGI-based encryption scheme [21] can still be broken even though the encryption key (i.e. the random-phase masks {ϕk (x, y )}) are not acquired. In addition, chosen-plaintext attack is effective on the unchanged encryption scheme as well as the encryption key, so the attack method proposed in this paper can be feasible only when the same series of phase masks is repeatedly applied as the keys for encoding different plaintexts. When different keys, such as different series of phase-only masks, are applied for encoding different plaintexts (i.e. one-time pad encryption scheme), the proposed method in this paper is not applicable. Therefore, when the encryption key can be easily updated for different plaintexts, the attack method proposed in this paper cannot be applicable on this kind of scheme, such as the CGI-based encryption technique proposed in Ref. [24], in which the encryption keys can be easily updated for encoding different plaintexts without occupying much space.
4. Numerical simulations 4.1. Simulation results of the CGI-based encryption scheme As shown in Fig. 1, a collimated laser beam with the wavelength of λ = 632.8 nm is generated for illumination. The distance from the SLM to the CCD plane (or the object plane) is taken as z = 50 cm. An image with the size of 1 × 1 cm2 and 128 × 128
pixels is chosen as the object to be encrypted and shown in Fig. 3 (a). In this computational experiment, K measurements are carried out for encryption and K = 128 × 128 = 16384 , i.e., 16384 randomphase masks are generated by the SLM to encrypt the secret image. The intensity vector measured by the bucket detector as the ciphertext is shown in Fig. 3(b). As can be seen that the values distribute in the interval [1200, 1500] without any order. To evaluate the similarity between the original and the decrypted image, the peak signal-to-noise ratio (PSNR) metric is used, which is defined as
⎧ ⎪ 1 PSNR = − 10* lg ⎨ l − 1 2X × Y ⎪ 2 ⎩
(
)
X
⎫ ⎪ ⎡⎣ g˜ (x, y) − g (x, y) ⎤⎦2⎬ ⎪ y=1 ⎭ Y
∑∑ x=1
(8)
where X × Y is the size of image, l represents the gray level number, g and g˜ represent the original image and the obtained image, respectively. The PSNR is an indicator of image quality. It is based on the sum of the squared differences between corresponding pixels of two images, and decreases as the difference between g and g˜ increases. The decrypted image is shown in Fig. 3 (c) with the PSNR ¼21.2 dB. 4.2. Feasibility of the three strategies In this section, three strategies for chosen-plaintext attack are verified. In Strategy 1, 16384 random real-valued matrices are taken as the plaintexts to be encrypted. The set of linear equations composed by the pairs of plaintext and ciphertext are solved by the conventional linear least-squares methods and the results are the decryption key (i.e. the intensity patterns {Ik (ξ, η)}). The secret image is decrypted by the retrieved key and shown in Fig. 4 (a) with the PSNR ¼19.2 dB. For Strategy 2, 16384 random realvalued matrices are also taken as the plaintexts to be encrypted. The decryption key {Ik (ξ, η)} is retrieved by Eq. (7), and the
Fig. 3. Simulation results of the CGI-based encryption scheme. (a) object image to be encrypted, (b) distribution of the ciphertext, and (c) decrypted image.
S. Yuan et al. / Optics Communications 365 (2016) 180–185
183
Fig. 4. Results of the chosen-plaintext attack. Retrieved images by strategy (a) 1, (b) 2, and (c) 3, and the PSNRs of them are 19.2, 15.2, 21.0 dB, respectively.
retrieved image is shown in Fig. 4(b) with the PSNR ¼15.2 dB. For the last strategy, we choose an image with only a pixel valued 1 and other 0 as the plaintext. The decryption key {Ik (ξ, η)} is obtained by removing the position of 1-valued pixel from left to right and top to bottom in the plaintext image, and the decrypted image is also shown in Fig. 4(c) with the PSNR ¼ 21.0 dB. Comparing the results, we can get some conclusions. Firstly, the quality of the retrieved image with Strategy 2 is worst, and that with Strategy 1 is clear but long time spent on solving the large number of the linear equations will be needed. In comparison, Strategy 3 may be a simple and effective method to break the CGI-based encryption scheme because not only the most clear image is retrieved with it but also no complicated operation is need. 4.3. Analysis In the three strategies of chosen-plaintext attack proposed in this paper, the number of plaintexts to be chosen must be large enough because it will influence the quality of the decrypted image. For Strategy 1, the decryption key {Ik (ξ, η)} is retrieved by least-square fitting and the linear regression coefficient will be decreased with the decrease of the number of plaintexts to be chosen, so more errors will be induced in the retrieved decryption key which will further influence the quality of the decrypted image. Similarly, Strategy 2 is based on the principle of CGI. Reducing the number of plaintexts to be chosen is equivalent to decreasing the number of measurements, which will also bring more errors in the retrieved decryption key, and then the quality of the decrypted image become worse. Fig. 5 shows curves of the PSNR with the number of chosen plaintexts for strategies 1 and 2. However for Strategy 3, one plaintext with a 1-valued pixel and other 0 is chosen to retrieve only one pixel value of each decryption key Ik (ξ, η). If the number of plaintexts to be chosen is less than the size of the decryption key, part of the decryption key will lose, so the corresponding part of the secret image will not be retrieved. Fig. 6 (a) and (b) respectively present the decrypted images when 12288 (75% of the size of the decryption key) and 8192 (50% of the size of the decryption key) plaintexts are chosen to retrieve the decryption key. As can be seen from the results that the retrieved images are incomplete. Therefore, we must choose enough number of plaintexts for Strategy 3 to avoid information loss of the retrieved image.
5. Security enhancement method To avoid these attacks, a simple security enhancement scheme based on an invertible matrix modulation is discussed and the
Fig. 5. The curves of the PSNR with the number of chosen plaintexts for strategies 1 and 2.
flow chart is shown in Fig. 7. In this scheme, an object image is firstly encoded by the CGI system (shown in Fig. 1) to obtain the intensity vector {Bk } by the bucket detector. And then the 1-dimensional (1-D) vector {Bk } is transformed into a 2-dimensional (2-D) matrix C with M × N elements, and modulated by a N × N invertible matrix Φ to obtain the ciphertext D , i. e.,
D = CΦ
(9)
where the invertible matrix Φ can be generated by randomly performing multiple elementary operations on the identity matrix according to the theory of linear algebra [27]. There are three elementary operations, i.e., (1) replace one row (or column) by the sum of itself and a multiple of another row (or column), (2) interchange two rows (or columns), and (3) multiply all entries in a row (or column) by a nonzero constant. Decryption is the inverse operation of encryption, so the 2-D matrix C is firstly computed by
C = DΦ − 1
(10)
where Φ−1 is the inverse matrix of Φ . Thus, the 1-D intensity vector {Bk } is obtained by the 2-D matrix of C . Then the object image is further retrieved by Eq. (5). Here, the 1-D intensity vector with 16384 elements (shown in Fig. 2(b)) are transformed into a 128 × 128 matrix shown in Fig. 8 (a), and an invertible matrix with 128 × 128 elements is adopted
184
S. Yuan et al. / Optics Communications 365 (2016) 180–185
Fig. 6. Decrypted images retrieved by choosing (a) 12288 (75% of the size of the decryption key) and (b) 8192 (50% of the size of the decryption key) plaintexts for Strategy 3.
Fig. 7. Flow chart of the security enhancement scheme.
as the additional key to modulate it, then the ciphertext D is obtained and presented in Fig. 8(b). The secret image is retrieved by carrying out the invert operation of encryption and shown in Fig. 8 (c) with the PSNR ¼21.2 dB. In this scheme except for the random-phase keys {ϕk (x, y )} generated by the SLM, the invertible matrix Φ is regarded as an additional key which is used to enhance the security of the CGIbased encryption scheme. If the matrix Φ is unknown, the intensity vector {Bk } can not be acquired. Thus the strategies 1 and 2 mentioned in Section 3 are invalid, and the retrieved images with the two strategies are respectively shown in Fig. 9(a) and (b). Here, an inertible matrix Φ′ is arbitrarily selected as the decryption key. For Strategy 3, we assume that an image with only a 1-valued pixel positioned in (s, t ) and other valued 0 is chosen as a plaintext to be encrypted. The matrix C is composed by the intensity of
{Ik (s, t )} and the ciphertext D is computed by N
D (m, n) =
∑ C (m, i) Φ (i, n) i=1
(11)
In other words, the ciphertext D is the sum of C (i. e., {Ik (s, t )}) after modulated by Φ . Thus the decryption key {Ik } can not be obtained in absence of Φ , so Strategy 3 is also incapable of breaking the encryption scheme. A wrong invertible matrix is adopted to retrieve the secret image, and the result is shown in Fig. 9(c). Therefore, this security enhancement method based on the invertible matrix modulation is effective to avoid the attacks mentioned in this paper. As mentioned in Section 3, the attack methods proposed in this paper are applicable to the condition that the encryption key (i.e. the phase-only masks) is unchanged for encoding different
Fig. 8. Simulation results of the security enhancement method. (a) 2-D matrix transformed by the 1-D intensity vector {Bk }, (b) ciphertext D , and (c) decrypted image.
S. Yuan et al. / Optics Communications 365 (2016) 180–185
185
Fig. 9. Results of the chosen-plaintext attack on the security enhancement CGI-based encryption scheme by strategies (a) 1, (b) 2 and (c) 3.
plaintexts. Therefore, besides the invertible matrix modulation method, there are some other potential strategies to enhance the security of the CGI-based cryptography. For instance, (1) simple modification of mask sequence for encoding different plaintexts, (2) using different transform domains for the encoding, or (3) simply scrambling phase-only mask to generate different phase masks for encoding different plaintexts. All of these strategies mentioned above will achieve a quasi one-time pad encryption scheme which is secure against chosen-plaintext attack.
6. Conclusions In this paper, we have analyzed the principle of the CGI-based encryption scheme and found that it is vulnerable to chosenplaintext attack, owing to the linear relationship between the input and the output of the encryption system. Three strategies have been proposed and discussed and the effectiveness of them has also been verified by numerical simulation. In these attack method, even though large number of plaintexts are required, the CGIbased encryption scheme exists the security risk. In addition, according to the three strategies of chosen-plaintext attack, a security enhancement method based on invertible matrix modulation has been investigated and analyzed theoretically. Computational results show that this method is simple but effective to avoid these attacks mentioned in this paper.
Acknowledgment This work was supported by the National Natural Science Foundation of China (Grant nos. 61205003, 61177009, 61475104 and 61201101), the Program for Innovative Research Team (in Science and Technology) in University of Henan Province
(IRTSTHN) (Grant no. 13IRTSTHN023), the Innovation Scientists and Technicians Troop Construction Projects of Henan Province and the Young Backbone Teachers in University of Henan Province (Grants no. 2014GGJS-068).
References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27]
P. Refregier, B. Javidi, Opt. Lett. 20 (1995) 767. W. Chen, B. Javidi, X. Chen, Adv. Opt. Photonics 6 (2014) 120. G. Unnikrishnan, J. Joseph, K. Singh, Opt. Lett. 25 (2000) 887. G. Situ, J. Zhang, Opt. Lett. 29 (2004) 1584. X.F. Meng, L.Z. Cai, X.F. Xu, X.L. Yang, X.X. Shen, G.Y. Dong, Y.R. Wang, Opt. Lett. 31 (2006) 1414. Y. Zhang, B. Wang, Opt. Lett. 33 (2008) 2443. A. Alfalou, C. Brosseau, Adv. Opt. Photonics 1 (2009) 589. W. Qin, X. Peng, Opt. Lett. 35 (2010) 118. W. Chen, X. Chen, C.J.R. Sheppard, Opt. Lett. 35 (2010) 3817. W. Liu, Z. Liu, S. Liu, Opt. Lett. 28 (2013) 1651. Y. Shi, T. Li, Y. Wang, Q. Gao, S. Zhang, H. Li, Opt. Lett. 38 (2013) 1425. S.K. Rajput, N.K. Nishchal, J. Opt. Soc. Am. A 31 (2014) 1233. J. Liu, X. Xu, Q. Wu, J.T. Sheridan, G. Situ, Opt. Lett. 40 (2015) 859. L. Sui, B. Liu, Q. Wang, Y. Li, J. Liang, Opt. Commun. 354 (2015) 184. A. Carnicer, M. Montes-Usategui, S. Arcos, I. Juvells, Opt. Lett. 30 (2005) 1644. X. Peng, P. Zhang, H. Wei, B. Yu, Opt. Lett. 31 (2006) 1044. J. Wu, W. Liu, Z. Liu, S. Liu, Opt. Commun. 338 (2015) 164. X. Liu, J. Wu, W. He, M. Liao, C. Zhang, X. Peng, Opt. Express 23 (2015) 18955. X.C. Cheng, L.Z. Cai, Y.R. Wang, X.F. Meng, H. Zhang, X.F. Xu, X.X. Shen, G. Y. Dong, Opt. Lett. 33 (2008) 1575. P. Kumar, A. Kumar, J. Joseph, K. Singh, Opt. Lett. 34 (2009) 331. P. Clemente, V. Duran, V. Torres-Company, E. Tajahuerce, J. Lancis, Opt. Lett. 35 (2010) 2391. M. Tanha, R. Kheradmand, S. Ahmadi-Kandjani, Appl. Phys. Lett. 101 (2012) 101108. S. Zhao, L. Wang, W. Liang, W. Cheng, L. Gong, Opt. Commun. 353 (2015) 90. W. Chen, X. Chen, Europhys. Lett. 109 (2015) 14001. J. Li, J.S. Li, Y.Y. Pan, R. Li, Sci. Rep. 5 (2015) 10374. J. Li, H. Li, J.S. Li, Y.Y. Pan, R. Li, Opt. Commun. 344 (2015) 166. D.C. Lay, Linear Algebra and its Applications, 3rd ed., Addison Wesley, Pearson Education Asia Limited (2011), pp. 7–8.
Contents lists available at ScienceDirect
Optics Communications journal homepage: www.elsevier.com/locate/optcom
Cryptanalysis and security enhancement of optical cryptography based on computational ghost imaging Sheng Yuan a,n, Jianbin Yao a, Xuemei Liu a, Xin Zhou b, Zhongyang Li a a b
Department of Information and Engineering, North China University of Water Resources and Electric Power, Zhengzhou 450011, China Department of Opto-electronics Science and Technology, Sichuan University, Chengdu 610065, China
art ic l e i nf o
a b s t r a c t
Article history: Received 29 October 2015 Received in revised form 1 December 2015 Accepted 11 December 2015
Optical cryptography based on computational ghost imaging (CGI) has attracted much attention of researchers because it encrypts plaintext into a random intensity vector rather than complexed-valued function. This promising feature of the CGI-based cryptography reduces the amount of data to be transmitted and stored and therefore brings convenience in practice. However, we find that this cryptography is vulnerable to chosen-plaintext attack because of the linear relationship between the input and output of the encryption system, and three feasible strategies are proposed to break it in this paper. Even though a large number of plaintexts need to be chosen in these attack methods, it means that this cryptography still exists security risks. To avoid these attacks, a security enhancement method utilizing an invertible matrix modulation is further discussed and the feasibility is verified by numerical simulations. & 2015 Elsevier B.V. All rights reserved.
Keywords: Optical cryptography Chosen-plaintext attack Computational ghost imaging
1. Introduction Optical processing techniques have been widely applied in the field of information security since the pioneering work reported by Refregier and Javidi on the double random-phase encoding (DRPE), owing to its inherent advantages such as high-speed parallel processing capability and muti-dimensional operation [1–14]. Furthermore, optical procedures are the natural medium to deal with images or holograms and benefit from continuous advantages in electro-optic devices. As the accompanying complementary opposites, the corresponding security analyses have also been carried out and promoted the further development of optical encryption techniques [15–20]. However, most of these existed optical cryptosystems based on the random-phase encoding encrypt the plaintext image into a complex-valued function, which will bring inconvenience in data transmission and storage. On the contrary, optical encryption scheme based on the computational ghost imaging (CGI) has noticeably reduced the number of bits required to transmit the image, because the encryption of the object image is not a complex-valued matrix but simply an intensity vector [21]. In the CGI-based encryption n
Corresponding author. E-mail address: [email protected] (S. Yuan).
http://dx.doi.org/10.1016/j.optcom.2015.12.013 0030-4018/& 2015 Elsevier B.V. All rights reserved.
scheme, a spatially coherent laser beam is modified by a set of random-phase masks and repeatedly illuminates on a secret image, then the transmitted lights are recorded by a bucket detector (a single-pixel sensor without spatial resolution) to obtain a ciphertext. A sequence of random seeds used to generate the random-phase masks are taken as the key. The secret image is retrieved by correlating the ciphertext with the intensity patterns computed by the key in the reference beam. In the past few years, the CGI-based security technique has achieved rapid development and some new schemes are also derived [22–26]. For examples recently, a higher security and better robustness optical encryption based on CGI with QR code has been proposed [23]. To improve the efficiency for data storage or transmission and enhance the security of the system, CGI-based encryption techniques using labyrinth-like phase modulation patterns and compressive sensing has also been investigated [24–26]. All these encryption techniques derived from Ref. [21] have effectively enlarged the application domain of CGI for optical security. However, we find that the CGI-based encryption scheme is vulnerable to chosen-plaintext attack because of the linear relationship between the input and output of the encryption system. As long as enough plaintexts are chosen, the key can be retrieved by solving a set of linear equations. In order to overcome this security risk, a security enhancement strategy utilizing an invertible matrix modulation is further investigated. The feasibility and security of the proposed scheme
S. Yuan et al. / Optics Communications 365 (2016) 180–185
181
are verified by numerical simulations.
2. CGI-based encryption scheme The schematic diagram of the CGI-based encryption scheme [21] is shown in Fig. 1. A collimated laser beam is generated for illumination. The light firstly passes through a spatial light modulator (SLM), which is controlled by computer to introduce a series of independent random-phase profiles as the secret keys of the encryption scheme. Then, the source is splitted into two beams, object and reference, which are measured by a bucket detector (without spatial resolution) and a charge coupled device (CCD), respectively. For one random-phase profile ϕk (x, y ) ( k = 1, 2, 3, ⋯, K ) generated by the SLM, the free-space propagation field at the distance z from the SLM can be described by
Ek (ξ , η) = exp ⎡⎣ jϕk (x, y) ⎤⎦ ⊗ h (x, y ; z )
(1)
where (ξ, η) denotes the coordinate on the CCD plane, j = −1 , ⊗ represents the convolution operation, and h (x, y; z ) is the point pulse function of the Fresnel transform which can be described by
h (x, y ; z ) =
⎡ jπ 2 ⎤ exp (j2πz/λ ) exp ⎢ x + y2 ⎥ ⎣ λz ⎦ jλz
(
)
(2)
where z is the Fresnel propagation distance between the SLM and the CCD plane (or the object plane), λ denotes wavelength of the laser. Thus, the intensity pattern detected by CCD can be calculated by
Ik (ξ , η) = Ek (ξ , η) 2
(3)
Actually as the CGI notes, the intensity patterns at the reference arm are unnecessary to be detected by CCD, which can be replaced with a “virtual detector” by calculating the propagation of the field of the reference beam (indicated by the dashed box in Fig. 1). In the object beam, the light illuminates the object with the transmission function T (ξ, η), and the collected intensities measured by the bucket detector can be described by
Bk =
∫ dξdηIk (ξ, η) T (ξ, η)
(4)
The operation is repeated K times for K different phase profiles ϕk (x, y ). Thus, the object information is encoded in a vector of K components {Bk }, i.e., ciphertext. In order to reconstruct the object, the computed intensity patterns at the object plane {Ik (ξ, η)} are cross-correlated with the intensities measured by the bucket detector {Bk }, i.e.,
1 T˜ (ξ , η) = K
Fig. 1. Schematic of the CGI-based encryption scheme. SLM: spatial light modulator, BS: beam splitter, CCD: charge coupled device (CCD).
can be seen from Eq. (5), the decryption key is the series of intensity patterns {Ik (ξ, η)} computed by the encryption key {ϕk (x, y )}. In other words, as long as attacker acquires the intensity patterns {Ik (ξ, η)} through a certain means, the CGI-based encryption scheme will be broken. According to the chosen-plaintext attack mode, there may be three strategies to break the encryption scheme. Strategy 1. In the CGI-based encryption scheme, the sequence {Bk } is the linear superposition of the product of {Ik (ξ, η)} and T (ξ, η) (known from Eq. (4)), which forms a set of linear equations. If a series of linearly independent matrices with real-valued elements are selected as the plaintexts to be encrypted, the relationship between the input and output of the encryption system will be described by a set of nonhomogeneous linear equations, which can be solved by conventional linear least-squares methods [27]. The solutions of the equations are indeed the intensity patterns {Ik (ξ, η)}. Thus, the encryption scheme will be broken. Strategy 2. As can be seen from Eqs. (4) and (5), Ik (ξ, η) and T (ξ, η) are symmetrical and they play the same role in ghost imaging. If one chooses a series of random real-valued masks {Tk (ξ, η)} to modulate the intensity pattern Ik (ξ, η), thus Eq. (4) becomes
K
∑ ( Bk −
B ) Ik (ξ , η)
k=1
(5)
where T˜ (ξ, η) is the reconstructed object image, and B is the average value for the measured intensity sequence {Bk }.
3. Vulnerability of the CGI-based encryption scheme Chosen-plaintext attack is an attack mode in cryptanalysis. In this method, the attacker can choose a certain number of plaintexts in advance, encode them by the encryption scheme, and get the corresponding ciphertexts. The purpose for the attacker is to obtain some information about the encryption scheme through this process, so that they can effectively decrypt the ciphertexts encoded by the same encryption scheme (as well as the related key) in the future. For the CGI-based encryption scheme proposed in Ref. [21], as
Bk′ =
∫ dξdηIk (ξ, η) Tk (ξ, η)
(6)
and Ik (ξ, η) can be ghostly imaged by
1 I˜k (ξ , η) = K
K
∑ ( Bk′ − k=1
B′ ) Tk (ξ , η)
(7)
where I˜k (ξ, η) is the reconstructed intensity pattern of Ik (ξ, η) , and B′ is the average value for the measured intensity sequence {Bk′ }. Then the encryption scheme can also be broken. Strategy 3. For a spatial case, if one chosen plaintext Tk only has a pixel valued 1 and other 0 (schematically shown in Fig. 2), Bk measured by the bucket detector is the intensity of {Ik (ξ, η)} in the position of the 1-valued pixel (known from Eq. (4)). All the values of the intensity pattern Ik (ξ, η) can be acquired by removing the 1-valued pixel in turns in the whole chosen plaintext, which is shown schematically in Fig. 2. Thus the decryption key {Ik (ξ, η)}
182
S. Yuan et al. / Optics Communications 365 (2016) 180–185
Fig. 2. Schematic diagram of the chosen plaintexts for Strategy 3.
can be retrieved as long as K plaintexts with only one 1-valued pixel are chosen, here K should be equal to the size of Ik (ξ, η) . It should be noted that only the intensity patterns {Ik (ξ, η)} in the reference beam rather than the random-phase masks {ϕk (x, y )} are directly extracted by the three strategies. However in the decryption process, the intensity patterns {Ik (ξ, η)} act as the decryption key (known from Eq. (5)), so the CGI-based encryption scheme [21] can still be broken even though the encryption key (i.e. the random-phase masks {ϕk (x, y )}) are not acquired. In addition, chosen-plaintext attack is effective on the unchanged encryption scheme as well as the encryption key, so the attack method proposed in this paper can be feasible only when the same series of phase masks is repeatedly applied as the keys for encoding different plaintexts. When different keys, such as different series of phase-only masks, are applied for encoding different plaintexts (i.e. one-time pad encryption scheme), the proposed method in this paper is not applicable. Therefore, when the encryption key can be easily updated for different plaintexts, the attack method proposed in this paper cannot be applicable on this kind of scheme, such as the CGI-based encryption technique proposed in Ref. [24], in which the encryption keys can be easily updated for encoding different plaintexts without occupying much space.
4. Numerical simulations 4.1. Simulation results of the CGI-based encryption scheme As shown in Fig. 1, a collimated laser beam with the wavelength of λ = 632.8 nm is generated for illumination. The distance from the SLM to the CCD plane (or the object plane) is taken as z = 50 cm. An image with the size of 1 × 1 cm2 and 128 × 128
pixels is chosen as the object to be encrypted and shown in Fig. 3 (a). In this computational experiment, K measurements are carried out for encryption and K = 128 × 128 = 16384 , i.e., 16384 randomphase masks are generated by the SLM to encrypt the secret image. The intensity vector measured by the bucket detector as the ciphertext is shown in Fig. 3(b). As can be seen that the values distribute in the interval [1200, 1500] without any order. To evaluate the similarity between the original and the decrypted image, the peak signal-to-noise ratio (PSNR) metric is used, which is defined as
⎧ ⎪ 1 PSNR = − 10* lg ⎨ l − 1 2X × Y ⎪ 2 ⎩
(
)
X
⎫ ⎪ ⎡⎣ g˜ (x, y) − g (x, y) ⎤⎦2⎬ ⎪ y=1 ⎭ Y
∑∑ x=1
(8)
where X × Y is the size of image, l represents the gray level number, g and g˜ represent the original image and the obtained image, respectively. The PSNR is an indicator of image quality. It is based on the sum of the squared differences between corresponding pixels of two images, and decreases as the difference between g and g˜ increases. The decrypted image is shown in Fig. 3 (c) with the PSNR ¼21.2 dB. 4.2. Feasibility of the three strategies In this section, three strategies for chosen-plaintext attack are verified. In Strategy 1, 16384 random real-valued matrices are taken as the plaintexts to be encrypted. The set of linear equations composed by the pairs of plaintext and ciphertext are solved by the conventional linear least-squares methods and the results are the decryption key (i.e. the intensity patterns {Ik (ξ, η)}). The secret image is decrypted by the retrieved key and shown in Fig. 4 (a) with the PSNR ¼19.2 dB. For Strategy 2, 16384 random realvalued matrices are also taken as the plaintexts to be encrypted. The decryption key {Ik (ξ, η)} is retrieved by Eq. (7), and the
Fig. 3. Simulation results of the CGI-based encryption scheme. (a) object image to be encrypted, (b) distribution of the ciphertext, and (c) decrypted image.
S. Yuan et al. / Optics Communications 365 (2016) 180–185
183
Fig. 4. Results of the chosen-plaintext attack. Retrieved images by strategy (a) 1, (b) 2, and (c) 3, and the PSNRs of them are 19.2, 15.2, 21.0 dB, respectively.
retrieved image is shown in Fig. 4(b) with the PSNR ¼15.2 dB. For the last strategy, we choose an image with only a pixel valued 1 and other 0 as the plaintext. The decryption key {Ik (ξ, η)} is obtained by removing the position of 1-valued pixel from left to right and top to bottom in the plaintext image, and the decrypted image is also shown in Fig. 4(c) with the PSNR ¼ 21.0 dB. Comparing the results, we can get some conclusions. Firstly, the quality of the retrieved image with Strategy 2 is worst, and that with Strategy 1 is clear but long time spent on solving the large number of the linear equations will be needed. In comparison, Strategy 3 may be a simple and effective method to break the CGI-based encryption scheme because not only the most clear image is retrieved with it but also no complicated operation is need. 4.3. Analysis In the three strategies of chosen-plaintext attack proposed in this paper, the number of plaintexts to be chosen must be large enough because it will influence the quality of the decrypted image. For Strategy 1, the decryption key {Ik (ξ, η)} is retrieved by least-square fitting and the linear regression coefficient will be decreased with the decrease of the number of plaintexts to be chosen, so more errors will be induced in the retrieved decryption key which will further influence the quality of the decrypted image. Similarly, Strategy 2 is based on the principle of CGI. Reducing the number of plaintexts to be chosen is equivalent to decreasing the number of measurements, which will also bring more errors in the retrieved decryption key, and then the quality of the decrypted image become worse. Fig. 5 shows curves of the PSNR with the number of chosen plaintexts for strategies 1 and 2. However for Strategy 3, one plaintext with a 1-valued pixel and other 0 is chosen to retrieve only one pixel value of each decryption key Ik (ξ, η). If the number of plaintexts to be chosen is less than the size of the decryption key, part of the decryption key will lose, so the corresponding part of the secret image will not be retrieved. Fig. 6 (a) and (b) respectively present the decrypted images when 12288 (75% of the size of the decryption key) and 8192 (50% of the size of the decryption key) plaintexts are chosen to retrieve the decryption key. As can be seen from the results that the retrieved images are incomplete. Therefore, we must choose enough number of plaintexts for Strategy 3 to avoid information loss of the retrieved image.
5. Security enhancement method To avoid these attacks, a simple security enhancement scheme based on an invertible matrix modulation is discussed and the
Fig. 5. The curves of the PSNR with the number of chosen plaintexts for strategies 1 and 2.
flow chart is shown in Fig. 7. In this scheme, an object image is firstly encoded by the CGI system (shown in Fig. 1) to obtain the intensity vector {Bk } by the bucket detector. And then the 1-dimensional (1-D) vector {Bk } is transformed into a 2-dimensional (2-D) matrix C with M × N elements, and modulated by a N × N invertible matrix Φ to obtain the ciphertext D , i. e.,
D = CΦ
(9)
where the invertible matrix Φ can be generated by randomly performing multiple elementary operations on the identity matrix according to the theory of linear algebra [27]. There are three elementary operations, i.e., (1) replace one row (or column) by the sum of itself and a multiple of another row (or column), (2) interchange two rows (or columns), and (3) multiply all entries in a row (or column) by a nonzero constant. Decryption is the inverse operation of encryption, so the 2-D matrix C is firstly computed by
C = DΦ − 1
(10)
where Φ−1 is the inverse matrix of Φ . Thus, the 1-D intensity vector {Bk } is obtained by the 2-D matrix of C . Then the object image is further retrieved by Eq. (5). Here, the 1-D intensity vector with 16384 elements (shown in Fig. 2(b)) are transformed into a 128 × 128 matrix shown in Fig. 8 (a), and an invertible matrix with 128 × 128 elements is adopted
184
S. Yuan et al. / Optics Communications 365 (2016) 180–185
Fig. 6. Decrypted images retrieved by choosing (a) 12288 (75% of the size of the decryption key) and (b) 8192 (50% of the size of the decryption key) plaintexts for Strategy 3.
Fig. 7. Flow chart of the security enhancement scheme.
as the additional key to modulate it, then the ciphertext D is obtained and presented in Fig. 8(b). The secret image is retrieved by carrying out the invert operation of encryption and shown in Fig. 8 (c) with the PSNR ¼21.2 dB. In this scheme except for the random-phase keys {ϕk (x, y )} generated by the SLM, the invertible matrix Φ is regarded as an additional key which is used to enhance the security of the CGIbased encryption scheme. If the matrix Φ is unknown, the intensity vector {Bk } can not be acquired. Thus the strategies 1 and 2 mentioned in Section 3 are invalid, and the retrieved images with the two strategies are respectively shown in Fig. 9(a) and (b). Here, an inertible matrix Φ′ is arbitrarily selected as the decryption key. For Strategy 3, we assume that an image with only a 1-valued pixel positioned in (s, t ) and other valued 0 is chosen as a plaintext to be encrypted. The matrix C is composed by the intensity of
{Ik (s, t )} and the ciphertext D is computed by N
D (m, n) =
∑ C (m, i) Φ (i, n) i=1
(11)
In other words, the ciphertext D is the sum of C (i. e., {Ik (s, t )}) after modulated by Φ . Thus the decryption key {Ik } can not be obtained in absence of Φ , so Strategy 3 is also incapable of breaking the encryption scheme. A wrong invertible matrix is adopted to retrieve the secret image, and the result is shown in Fig. 9(c). Therefore, this security enhancement method based on the invertible matrix modulation is effective to avoid the attacks mentioned in this paper. As mentioned in Section 3, the attack methods proposed in this paper are applicable to the condition that the encryption key (i.e. the phase-only masks) is unchanged for encoding different
Fig. 8. Simulation results of the security enhancement method. (a) 2-D matrix transformed by the 1-D intensity vector {Bk }, (b) ciphertext D , and (c) decrypted image.
S. Yuan et al. / Optics Communications 365 (2016) 180–185
185
Fig. 9. Results of the chosen-plaintext attack on the security enhancement CGI-based encryption scheme by strategies (a) 1, (b) 2 and (c) 3.
plaintexts. Therefore, besides the invertible matrix modulation method, there are some other potential strategies to enhance the security of the CGI-based cryptography. For instance, (1) simple modification of mask sequence for encoding different plaintexts, (2) using different transform domains for the encoding, or (3) simply scrambling phase-only mask to generate different phase masks for encoding different plaintexts. All of these strategies mentioned above will achieve a quasi one-time pad encryption scheme which is secure against chosen-plaintext attack.
6. Conclusions In this paper, we have analyzed the principle of the CGI-based encryption scheme and found that it is vulnerable to chosenplaintext attack, owing to the linear relationship between the input and the output of the encryption system. Three strategies have been proposed and discussed and the effectiveness of them has also been verified by numerical simulation. In these attack method, even though large number of plaintexts are required, the CGIbased encryption scheme exists the security risk. In addition, according to the three strategies of chosen-plaintext attack, a security enhancement method based on invertible matrix modulation has been investigated and analyzed theoretically. Computational results show that this method is simple but effective to avoid these attacks mentioned in this paper.
Acknowledgment This work was supported by the National Natural Science Foundation of China (Grant nos. 61205003, 61177009, 61475104 and 61201101), the Program for Innovative Research Team (in Science and Technology) in University of Henan Province
(IRTSTHN) (Grant no. 13IRTSTHN023), the Innovation Scientists and Technicians Troop Construction Projects of Henan Province and the Young Backbone Teachers in University of Henan Province (Grants no. 2014GGJS-068).
References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27]
P. Refregier, B. Javidi, Opt. Lett. 20 (1995) 767. W. Chen, B. Javidi, X. Chen, Adv. Opt. Photonics 6 (2014) 120. G. Unnikrishnan, J. Joseph, K. Singh, Opt. Lett. 25 (2000) 887. G. Situ, J. Zhang, Opt. Lett. 29 (2004) 1584. X.F. Meng, L.Z. Cai, X.F. Xu, X.L. Yang, X.X. Shen, G.Y. Dong, Y.R. Wang, Opt. Lett. 31 (2006) 1414. Y. Zhang, B. Wang, Opt. Lett. 33 (2008) 2443. A. Alfalou, C. Brosseau, Adv. Opt. Photonics 1 (2009) 589. W. Qin, X. Peng, Opt. Lett. 35 (2010) 118. W. Chen, X. Chen, C.J.R. Sheppard, Opt. Lett. 35 (2010) 3817. W. Liu, Z. Liu, S. Liu, Opt. Lett. 28 (2013) 1651. Y. Shi, T. Li, Y. Wang, Q. Gao, S. Zhang, H. Li, Opt. Lett. 38 (2013) 1425. S.K. Rajput, N.K. Nishchal, J. Opt. Soc. Am. A 31 (2014) 1233. J. Liu, X. Xu, Q. Wu, J.T. Sheridan, G. Situ, Opt. Lett. 40 (2015) 859. L. Sui, B. Liu, Q. Wang, Y. Li, J. Liang, Opt. Commun. 354 (2015) 184. A. Carnicer, M. Montes-Usategui, S. Arcos, I. Juvells, Opt. Lett. 30 (2005) 1644. X. Peng, P. Zhang, H. Wei, B. Yu, Opt. Lett. 31 (2006) 1044. J. Wu, W. Liu, Z. Liu, S. Liu, Opt. Commun. 338 (2015) 164. X. Liu, J. Wu, W. He, M. Liao, C. Zhang, X. Peng, Opt. Express 23 (2015) 18955. X.C. Cheng, L.Z. Cai, Y.R. Wang, X.F. Meng, H. Zhang, X.F. Xu, X.X. Shen, G. Y. Dong, Opt. Lett. 33 (2008) 1575. P. Kumar, A. Kumar, J. Joseph, K. Singh, Opt. Lett. 34 (2009) 331. P. Clemente, V. Duran, V. Torres-Company, E. Tajahuerce, J. Lancis, Opt. Lett. 35 (2010) 2391. M. Tanha, R. Kheradmand, S. Ahmadi-Kandjani, Appl. Phys. Lett. 101 (2012) 101108. S. Zhao, L. Wang, W. Liang, W. Cheng, L. Gong, Opt. Commun. 353 (2015) 90. W. Chen, X. Chen, Europhys. Lett. 109 (2015) 14001. J. Li, J.S. Li, Y.Y. Pan, R. Li, Sci. Rep. 5 (2015) 10374. J. Li, H. Li, J.S. Li, Y.Y. Pan, R. Li, Opt. Commun. 344 (2015) 166. D.C. Lay, Linear Algebra and its Applications, 3rd ed., Addison Wesley, Pearson Education Asia Limited (2011), pp. 7–8.