Hybrid attack free optical cryptosystem based on two random masks and lower upper decomposition with partial pivoting


Optics and Laser Technology 109 (2019) 456–464

Contents lists available at ScienceDirect

Optics and Laser Technology journal homepage: www.elsevier.com/locate/optlastec

Full length article

Y. Xiong, C. Quan



Department of Mechanical Engineering, National University of Singapore, 9 Engineering Drive 1, Singapore 117576, Singapore

Highlights

• Validated LUDP with partial pivoting to decompose binary image with singular intensity matrix.
• Proposed nonlinear optical cryptosystem using LUDP and two random phase masks.
• Verified algorithm to noise, occlusion, known-plaintext, amplitude-phase retrieval attacks.

Keywords: Optical image encryption; Asymmetric cryptosystem; Lower upper decomposition with partial pivoting (LUDP)

Abstract

We propose a novel asymmetric optical image encryption scheme using two random phase masks (RPMs) and lower upper decomposition with partial pivoting (LUDP), in which the encryption process is different from the decryption process and encryption keys are also different from decryption keys. In the proposed algorithm, LUDP is a matrix decomposition operation, which is used to replace the phase-truncated (PT) operation in the encryption path of conventional optical image encryption schemes based on phase-truncated Fourier transform (PTFT). In the proposed decryption process, the original image is completely retrieved by an optical architecture based on the modified 4f system with two private keys generated in the encryption process. Compared to conventional PTFT-based cryptosystems which are vulnerable to special attacks based on the amplitude-phase retrieval technique, our proposed algorithm is immune to the iterative attack and has a higher security level. Numerical simulations are presented to demonstrate the feasibility and robustness of the proposed encryption scheme.

1. Introduction

Owing to their multi-dimensional operation and high-speed parallel processing abilities, optical techniques play an increasingly important role in information security systems and have drawn growing attention. Since Refregier and Javidi [1] proposed the pioneering scheme named double random phase encoding (DRPE), various schemes using the DRPE technique [2–8] have been widely employed in information security systems. Subsequently, formal optical cryptanalysis has also been carried out to evaluate the security level of optical cryptosystems. It has been found that DRPE-based cryptosystems are vulnerable to various attacks due to their inherent linearity [9–12]. To address the issue, various nonlinear optical schemes based on phase retrieval algorithms [13–17] have been proposed. However, these algorithms involve time-consuming iterative processes, which make the encryption and decryption processes more complex and difficult to achieve optically. Some other techniques, such as compressive sensing [18–20], interference [21], nonuniform beam [22,23], spherical wave illumination [24] and three-dimensional space [25,26], are also employed to build secure image encryption schemes.

Besides the aforementioned methods, the asymmetric cryptosystem based on PTFT proposed by Qin and Peng [27] is one of the most attractive schemes for removing the inherent linearity of DRPE. In a PTFT-based cryptosystem, PT and phase-reserved (PR) operations are used to remove the linearity to ensure the security of the cryptosystem. In addition, decryption keys are generated in the encryption process and each plaintext corresponds to unique decryption keys. Hence, the decryption keys cannot be reused, which guarantees a high level of security. Moreover, the two RPMs used as encryption keys are public keys, which can be used to encode different plaintexts. Since then, several optical image encryption techniques based on PTFT have been further developed [28–30]. However, in a PTFT-based cryptosystem, decryption keys are required to be transmitted to the authorized users in every communication, which causes the problem of key distribution.

Corresponding author: C. Quan.

https://doi.org/10.1016/j.optlastec.2018.08.033 Received 22 May 2018; Received in revised form 20 July 2018; Accepted 14 August 2018 0030-3992/ © 2018 Elsevier Ltd. All rights reserved.


Additionally, PTFT-based cryptosystems have been found vulnerable to various specific attacks based on the amplitude-phase retrieval technique [31–34]. Subsequently, some cryptosystems combining PTFT and other techniques have been proposed to resist the existing attacks. The motivation is to increase the number of private keys. For example, a position parameter set is used as an additional private key in the cryptosystem using PTFT and a joint transform correlator (JTC) [35]. However, our recent work found that the position parameter set has low key sensitivity and contributes less to security strength [36]. Since the encryption keys (the RPMs) are used as public keys, they provide enough constraints to crack the optical PTFT-based cryptosystem. Hence, some schemes that redesign the public and private key structures have been proposed. Wang and Zhao [37] proposed a cryptosystem using two PTFTs and a random amplitude mask (RAM), in which the plaintext is encrypted by the second PTFT using two encryption keys generated in the process in which the RAM is encrypted by the first PTFT. Sui et al. [38] proposed a cryptosystem using PTFT and interference, in which two RPMs are used as inputs of the interference technique to generate two encryption keys in PTFT. Compared with the classical PTFT scheme, the security level of these cryptosystems has been further improved. However, it has been found that these cryptosystems can still be cracked by our proposed attack [39,40].

He et al. [41] have made a comment on the concept of the optical asymmetric cryptosystem in [42]. They claimed that considering the PTFT-based cryptosystem and its derivatives as asymmetric cryptosystems is inappropriate and that the public and private keys should be independent of the plaintext in a true asymmetric cryptosystem. But in the reply to this comment [43], Liu et al. argued that novel schemes and algorithms according to the special features of the optical systems should be investigated and that it is not necessary for an optical cryptosystem to follow exactly the terminology, structures, and algorithms of general cryptography.

In this paper, we propose a novel cryptosystem based on the PTFT scheme in [27] using LUDP. In our proposed algorithm, LUDP is used to replace the PT operation in a PTFT-based scheme. The proposed scheme has some advantages. Firstly, two RPMs used as public keys can be used to encode different plaintexts. Secondly, the proposed encryption process can be easily achieved digitally while the decryption process can be easily implemented optically based on a modified 4f system. No iterative process is involved in the encryption and decryption processes. Thirdly, our proposed algorithm is immune to hybrid attacks, such as noise attack, occlusion attack, known-plaintext attack and the special attack based on the amplitude-phase retrieval technique.

2. Theoretical analyses

2.1. Principle of LUDP

LUDP [44] is an operation that decomposes a square matrix (dimension $N \times N$) into a permuted lower triangular matrix, an upper triangular matrix and a permutation matrix, which can be expressed as

$$P \times A = L \times U \tag{1}$$

where $L$ represents a lower triangular matrix having unit elements on the diagonal and the multipliers below the diagonal, $U$ represents an upper triangular matrix having some coefficients on the diagonal and the multipliers above the diagonal, and $P$ represents a permutation matrix of zeros and ones that, in pre-multiplying $A$, performs the necessary row exchange. $A$ is the matrix to be decomposed, which has the following structure,

$$A = \begin{pmatrix} a_{11} & a_{12} & \dots & a_{1n} \\ \vdots & \vdots & & \vdots \\ a_{p1} & a_{p2} & \dots & a_{pn} \\ \vdots & \vdots & & \vdots \\ a_{n1} & a_{n2} & \dots & a_{nn} \end{pmatrix}$$

If the first pivot $a_{11}$ is zero, the 1st row is permuted with the $p$th row such that $a_{p1} \neq 0$. If there is no row exchange in the matrix $A$, the permutation matrix $P$ is an identity matrix. From the generation process of the permutation matrix $P$, it can be seen that $P$ is a non-singular matrix and the corresponding inverse matrix exists. In addition, the products of LUDP have asymmetric forms and this property can be utilized for image encryption. From the viewpoint of linear algebra, an image can be regarded as a matrix with nonnegative scalar entries. LUDP is used to extract algebraic features from an image. Hence, an image $I$ can be expressed as:

$$I = P^{-1} \times L \times U \tag{2}$$

where $I$ represents the image to be decomposed and $P^{-1}$ represents the inverse matrix of the permutation matrix. Compared to the conventional lower upper decomposition without pivoting (LUD), LUDP has two major advantages [44]. Firstly, LUD cannot work on a matrix in which a diagonal coefficient is equal to 0, so it may fail to decompose the intensity matrices of binary images. In LUDP, row interchange is used to rearrange the equations during the reduction to upper triangular form to avoid a zero pivot. Hence, LUDP can be used to decompose a singular matrix. Secondly, partial pivoting can reduce rounding error and improve calculation accuracy. At each stage of Gaussian elimination in LUDP, the pivotal equation is chosen to maximize the absolute value of the pivot. Thus, the multipliers in the subsequent subtraction process are reduced so that they are all at most one in magnitude. Any rounding errors present are less likely to be magnified as they permeate the rest of the calculation.

A simulation is carried out to perform LUD and LUDP on the binary image “QR” and the results are shown in Fig. 1. The original image “QR” to be decomposed is shown in Fig. 1(a). The products of LUDP ($l_1$, $u_1$ and $p_1$) are respectively shown in Fig. 1(b)–(d), while the products of LUD ($l_2$ and $p_2$) are respectively shown in Fig. 1(e) and (f). The values of pixels on the 1st column and the diagonal in the intensity matrix $l_2$ are 1, while the pixel values of other columns cannot be obtained. The values of pixels on the 1st and 2nd rows in the intensity matrix $p_2$ are 1 and 0, respectively, while the values of pixels on other rows cannot be obtained. From Fig. 1(e) and (f), it can be seen that the products of LUD have incorrect structures, which means that LUD fails to decompose the target image. Taking the products of LUDP into Eq. (2), the retrieved image $I_1$ is shown in Fig. 1(g). The retrieved image $I_2$ using the products of LUD is shown in Fig. 1(h), in which none of the pixel values in the intensity matrix can be obtained. From the simulation results shown in Fig. 1, it can be seen that LUDP can be used to decompose a binary image which has a singular intensity matrix. Consequently, LUDP can be used in the image encryption system.

Fig. 1. Decomposition test on the binary image: (a) the original image “QR” to be decomposed, (b–d) products of LUDP ($l_1$, $u_1$ and $p_1$), (e–f) products of LUD ($l_2$ and $p_2$), (g) the synthesized matrix $I_1$ using the products of LUDP, (h) the synthesized matrix $I_2$ using the products of LUD.

2.2. Principle of proposed cryptosystem

The schematic diagram of the proposed cryptosystem is shown in Fig. 2. $R_1(x, y)$ and $R_2(u, v)$ are two random phase masks distributed uniformly in the interval $[0, 2\pi]$. $(x, y)$ and $(u, v)$ are indices of an image in the input and Fourier plane, respectively. The intensity distribution of the plaintext $f(x, y)$ is imported to the cryptosystem and the digital image encryption is carried out as follows:

Fig. 2. Schematic diagram of (a) encryption process, (b) decryption process.

1. A Fourier transform is performed on $f(x, y) R_1(x, y)$ and the Fourier spectrum is then decomposed by LUDP; the intermediate matrix $g(u, v)$ and a private key $\mathrm{Key}_1$ are given by

$$[L_1, U_1, P_1] = \mathrm{LUDP}\{\mathrm{FT}[f(x, y) R_1(x, y)]\}, \quad g(u, v) = P_1^{-1}(u, v), \quad \mathrm{Key}_1 = L_1 \times U_1 \tag{3}$$

where $\mathrm{LUDP}\{\cdot\}$ denotes a lower upper decomposition with partial pivoting, $\mathrm{FT}\{\cdot\}$ denotes a Fourier transform, $\{\cdot\}^{-1}$ is an operation to obtain the inverse matrix, the symbol ‘×’ denotes matrix multiplication, and $L_1$, $U_1$ and $P_1$ are the three products of the first LUDP.

2. An inverse Fourier transform is performed on $g(u, v) R_2(u, v)$, followed by a second LUDP. The final encrypted image $C(x, y)$ and another private key $\mathrm{Key}_2$ are given by

$$[L_2, U_2, P_2] = \mathrm{LUDP}\{\mathrm{IFT}[g(u, v) R_2(u, v)]\}, \quad C(x, y) = P_2^{-1}(x, y), \quad \mathrm{Key}_2 = L_2 \times U_2 \tag{4}$$

where $L_2$, $U_2$ and $P_2$ are the products of the second LUDP and $\mathrm{IFT}\{\cdot\}$ denotes an inverse Fourier transform. $\mathrm{Key}_1$ and $\mathrm{Key}_2$ generated in the encryption process are recorded and regarded as private keys.

In our proposed algorithm, the inverse matrix of the permutation matrix $P$ is recorded as an intermediate matrix or a final ciphertext, which has two advantages. Firstly, $P^{-1}$ is a real-valued matrix which can be recorded by a CCD directly. Hence, the ciphertext can be obtained without a hologram technique. Secondly, since $P^{-1}$ is a sparse matrix, the ciphertext cannot provide enough constraints in the iterative attack based on the amplitude-phase retrieval technique even though the real ciphertext is known by the attacker. Consequently, it will be difficult to retrieve the corresponding plaintext from the known ciphertext without any knowledge of the private keys, which will improve the security level of our proposed algorithm. With the knowledge of the two private keys, the decryption process can be described as:

1. The ciphertext $C$ is first multiplied with the private key $\mathrm{Key}_2$ to obtain a resultant function, followed by a Fourier transform on the function; the intermediate matrix $g(u, v)$ is given by

$$g(u, v) = \mathrm{abs}\{\mathrm{FT}[C \times \mathrm{Key}_2]\} \tag{5}$$

where $\mathrm{abs}\{\cdot\}$ denotes an operation to obtain the amplitude part of a complex function.

2. Multiplying the intermediate matrix $g(u, v)$ with the private key $\mathrm{Key}_1$ and then performing an inverse Fourier transform on the result, a decrypted image is given by

$$f(x, y) = \mathrm{abs}\{\mathrm{IFT}[g \times \mathrm{Key}_1]\} \tag{6}$$
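The following added example (not code from the paper) implements Eq. (1) and the encryption and decryption of Eqs. (3)–(6) with the Python standard library; it covers the LUD-versus-LUDP comparison of Section 2.1 and the setting of the known-plaintext test in Section 3.3.2. The function names, the 8 × 8 test images and the seeded masks are assumptions made for the illustration; masks are applied element-wise and ‘×’ is the matrix product.

```python
import cmath
import random

EPS = 1e-12  # magnitudes at or below this count as a zero pivot

def matmul(A, B):
    """Matrix product, the paper's 'x' operator, for n-by-n lists of lists."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mask(A, R):
    """Element-wise product such as f(x, y) R1(x, y)."""
    return [[a * r for a, r in zip(ra, rr)] for ra, rr in zip(A, R)]

def dft2(A, inverse=False):
    """2-D DFT computed as W A W (W is symmetric); the inverse applies 1/n^2."""
    n = len(A)
    s = 2j if inverse else -2j
    W = [[cmath.exp(s * cmath.pi * r * c / n) for c in range(n)] for r in range(n)]
    out = matmul(matmul(W, A), W)
    return [[v / (n * n) for v in row] for row in out] if inverse else out

def lu(A, pivot=True):
    """(L, U, P) with P x A = L x U, Eq. (1). pivot=True is LUDP, False is LUD."""
    n = len(A)
    U = [[complex(v) for v in row] for row in A]
    L = [[0j] * n for _ in range(n)]
    perm = list(range(n))
    for k in range(n):
        if pivot:  # bring the largest entry of column k onto the diagonal
            p = max(range(k, n), key=lambda r: abs(U[r][k]))
            U[k], U[p] = U[p], U[k]
            L[k], L[p] = L[p], L[k]
            perm[k], perm[p] = perm[p], perm[k]
        L[k][k] = 1 + 0j
        if abs(U[k][k]) <= EPS:
            if any(abs(U[r][k]) > EPS for r in range(k + 1, n)):
                raise ZeroDivisionError(f"zero pivot in column {k}")
            continue  # nothing left to eliminate in this column (singular A)
        for r in range(k + 1, n):
            m = U[r][k] / U[k][k]
            L[r][k] = m
            U[r] = [u - m * t for u, t in zip(U[r], U[k])]
    P = [[1.0 if perm[i] == j else 0.0 for j in range(n)] for i in range(n)]
    return L, U, P

def lud_fails(A):
    """True when decomposition without pivoting stops at a zero pivot."""
    try:
        lu(A, pivot=False)
    except ZeroDivisionError:
        return True
    return False

def encrypt(f, R1, R2):
    """Eqs. (3)-(4): return ciphertext C and private keys Key1, Key2."""
    L1, U1, P1 = lu(dft2(mask(f, R1)))
    g = transpose(P1)  # P1^-1: the inverse of a permutation is its transpose
    L2, U2, P2 = lu(dft2(mask(g, R2), inverse=True))
    # By Eq. (1) L x U = P x A, so each key is a row-permuted copy of the
    # transformed data; this is why every plaintext has its own key pair.
    return transpose(P2), matmul(L1, U1), matmul(L2, U2)

def decrypt(C, key1, key2):
    """Eqs. (5)-(6)."""
    g = [[abs(v) for v in row] for row in dft2(matmul(C, key2))]
    return [[abs(v) for v in row] for row in dft2(matmul(g, key1), inverse=True)]

def mse(a, b):
    """Eq. (7)."""
    total = sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return total / (len(a) * len(a[0]))

def is_permutation(M):
    one_hot = lambda row: sorted(row) == [0.0] * (len(row) - 1) + [1.0]
    return all(map(one_hot, M)) and all(map(one_hot, transpose(M)))

# Constructed sample data (not from the paper): 8x8 images, seeded masks.
N = 8
_rng = random.Random(2019)
R1, R2 = ([[cmath.exp(2j * cmath.pi * _rng.random()) for _ in range(N)]
           for _ in range(N)] for _ in range(2))
GRADIENT = [[(x + y) / (2 * (N - 1)) for y in range(N)] for x in range(N)]
BINARY = [[float((x // 2 + y // 2) % 2) for y in range(N)] for x in range(N)]

def demo():
    """Right-key MSE, and MSE with keys from another plaintext (Sec. 3.3.2)."""
    C, key1, key2 = encrypt(GRADIENT, R1, R2)
    C_bin, _, _ = encrypt(BINARY, R1, R2)
    right = mse(decrypt(C, key1, key2), GRADIENT)
    wrong = mse(decrypt(C_bin, key1, key2), BINARY)
    return right, wrong

if __name__ == "__main__":
    print(lud_fails(BINARY), is_permutation(encrypt(BINARY, R1, R2)[0]), demo())
```

The constructed binary image starts with a zero pixel and has repeated rows, so it reproduces the zero-pivot and singular-matrix cases discussed for the “QR” image.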

It should be noted that both private keys ($\mathrm{Key}_1$, $\mathrm{Key}_2$) required for decryption are different from the two encryption (public) keys and the decryption process is also different from the encryption process. Hence, we claim this system is an asymmetric cryptosystem. The optical implementation of our proposed decryption algorithm is shown in Fig. 3. Two spatial light modulators, SLM1 and SLM2, are used to modulate the amplitude and phase information. Matrix multiplications, such as $C \times \mathrm{Key}_2$ and $g \times \mathrm{Key}_1$, can be carried out with the help of the personal computer. The final decrypted image is obtained in a charge-coupled device (CCD) plane.

Fig. 3. Optical setup for decryption (Stage I and Stage II; components labelled SLM1, SLM2, CCD1, CCD2 and PC).

3. Numerical simulation and discussion of results

3.1. Feasibility and effectiveness of the proposed method

Numerical simulations have been carried out to examine the feasibility and effectiveness of the proposed cryptosystem. A gray-scale image (256 × 256 pixels) shown in Fig. 4(a) is used as the original image to be encrypted. Employing the proposed encryption algorithm, an encrypted image is obtained and shown in Fig. 4(b). To evaluate the reliability of the proposed cryptosystem, the mean square error (MSE) between the retrieved image $I'(x, y)$ and the original image $I(x, y)$ is introduced:

$$\mathrm{MSE} = \frac{1}{M \times N} \sum_{x=0}^{M-1} \sum_{y=0}^{N-1} |I'(x, y) - I(x, y)|^2 \tag{7}$$

where $M \times N$ is the size of the image. The MSE value between Fig. 4(a) and (b) is 0.2831 and it can be seen that no useful information is visible, which means that the original image has been fully encrypted. Private keys generated in the encryption process are shown in Fig. 4(c) and (d), respectively. The decrypted image with correct private keys is shown in Fig. 4(e). The MSE value between Fig. 4(a) and (e) is 0.0067, which means the original image has been retrieved precisely.

Fig. 4. Proposed encryption scheme: (a) the original image, (b) an encrypted image, (c) a private key $\mathrm{Key}_1$, (d) a private key $\mathrm{Key}_2$, (e) a decrypted image.

3.2. Robustness of the proposed method

3.2.1. Robustness of noise

During practical information transmission and processing, images are inevitably corrupted by different kinds of noise. Due to imperfect recording equipment or other possible causes, the ciphertext may be polluted by noise, which could affect the quality of the decrypted image. Thus, the sensitivity of the cryptosystem to noise should be seriously considered. In our proposed method, since the ciphertext $C(x, y)$ is a real-valued matrix, we have considered only the amplitude noise attack. Noise with different intensities is added to the ciphertext to study the robustness of the system against noise. Suppose noise is added to the ciphertext as:

$$C'(x, y) = C(x, y)[1 + m \cdot \sigma] \tag{8}$$

where the parameter $m$ represents a noise magnification factor. The function $\sigma$ generates uniformly distributed random numbers in the interval $[0, 1]$. The function $C'(x, y)$ denotes the encrypted noisy image employed in the decryption process. Using various values of the coefficient $m$, Eq. (8) is utilized to obtain the corresponding decrypted image as shown in Fig. 5. From the MSE values of the decrypted image shown in Fig. 5(a), it can be seen that the MSE values decrease with increasing absolute values of the noise magnification factor ($m$). Additionally, it can also be seen that the MSE values are close to zero when $|m| \leqslant 0.2$, which means the image retrieved from the corresponding noisy ciphertext has good quality. In particular, the image retrieved from the noisy ciphertext for $m = -0.7$ is shown in Fig. 5(b). The MSE value between the retrieved and original image is 0.1852 and most information of the plaintext is retained, which shows that the proposed cryptosystem has a certain degree of effectiveness against noise corruption.

Fig. 5. Decrypted results with noise corruption: (a) the relationship between MSE values and the noise magnification factor $m$, (b) a retrieved image obtained from a corrupted ciphertext.

3.2.2. Robustness of occlusion

Due to some unexpected cases, such as network failure or an uncoordinated transmission medium, partial information of the ciphertext may be lost in the practical process. Therefore, a cryptosystem should have a certain degree of robustness against occlusion. A numerical simulation is carried out with only partial information of the ciphertext known, to examine decryption under occlusion contamination. Fig. 6(a) shows an image where $l$ represents the width of known data in an image of width $d$, and the scale is $r = l/d$. In the decryption process, the area which contains unknown data is replaced with zero values. The correct private keys $\mathrm{Key}_1$ and $\mathrm{Key}_2$ are employed in the decryption process. The MSE values of the decrypted results using the corresponding ciphertext with various scale ($r$) values are shown in Fig. 6(b). As an example, a ciphertext for $r = 0.6$ is shown in Fig. 6(c) while the corresponding decrypted image with MSE = 0.1175 is shown in Fig. 6(d). As can be seen, occlusion results in information loss in the decrypted result. Nevertheless, most information remains in the decrypted image, which means that occlusion would not lead to a decryption failure in our proposed scheme. Thus, it is shown that the proposed cryptosystem has a certain degree of robustness against occlusion.

Fig. 6. Decrypted results with partially known ciphertext: (a) dimensions of known data in a whole ciphertext, (b) relationship between MSE values and ratio $r$, (c) a partially known ciphertext, (d) a retrieved image with correct private keys from (c).

3.3. Security analysis

Fig. 7. Decrypted results with partially correct private keys $\mathrm{Key}_1$ and $\mathrm{Key}_2$: (a) distributions of known private keys, (b) relationships between MSE and $s$ values, (c) a decryption key $\mathrm{Key}_1'$, (d) a decrypted image using the correct $\mathrm{Key}_2$ and $\mathrm{Key}_1'$ shown in (c), (e) a decryption key $\mathrm{Key}_2'$, (f) a decrypted image using the correct $\mathrm{Key}_1$ and $\mathrm{Key}_2'$ shown in (e).

3.3.1. Key sensitivity test

The performance of a cryptosystem against some attacks, such as the brute-force attack, is partially decided by the key sensitivity of the cryptosystem. Thus, we test the key sensitivity of the proposed cryptosystem. Numerical simulations have been carried out with only the pixel values of parts of the private keys ($\mathrm{Key}_1$ and $\mathrm{Key}_2$) known. Fig. 7(a) shows an image where $w$ represents the width of known data in a private key of width $d$, and the scale is $s = w/d$. The area which contains unknown data is replaced with zero values in the decryption process. One private key is wrong while the other is fixed at the correct value in the decryption process. The MSE values of the decrypted results using the corresponding private keys are shown in Fig. 7(b). As an example, a private key $\mathrm{Key}_1'$ for $s = 0.35$ is shown in Fig. 7(c). A decrypted image using the correct $\mathrm{Key}_2$ and $\mathrm{Key}_1'$ with MSE = 0.1003 is shown in Fig. 7(d). A private key $\mathrm{Key}_2'$ for $s = 0.35$ and the corresponding decrypted image with MSE = 0.2560 are respectively shown in Fig. 7(e) and (f). As can be seen, with partially wrong private keys no useful information can be obtained; thus the high key sensitivity ensures a robust security of the cryptosystem.

3.3.2. Resistance to known-plaintext attack

In the proposed cryptosystem, the encryption process is nonlinear and each plaintext corresponds to unique private keys. Hence, the proposed cryptosystem should be resistant to a known-plaintext attack (KPA). In a KPA, it is assumed that the attackers have access to the encryption algorithm and a plaintext-ciphertext pair. Based on this prior knowledge, the secured image can be retrieved using the deduced decryption keys. Fig. 8(a) and (b) show a known plaintext and the corresponding ciphertext. Two retrieved private keys ($\mathrm{Key}_1$ and $\mathrm{Key}_2$) are shown in Fig. 8(c) and (d), respectively. A retrieved image from the ciphertext in Fig. 4(b) using the two deduced private keys (in Fig. 8(c) and (d)) is shown in Fig. 8(e). As no original information is visible in the attack result, it can be concluded that the proposed cryptosystem is immune to the known-plaintext attack.

Fig. 8. KPA results: (a and b) a known plaintext-ciphertext pair, (c and d) private keys generated from the encryption process, (e) a retrieved image from Fig. 4(b) with KPA.

3.3.3. Resistance to amplitude-phase-retrieval attack

It has been found that the classical PTFT-based cryptosystem is vulnerable to some special attacks based on the amplitude-phase retrieval technique. In our proposed algorithm, the PT operation is replaced by LUDP. To test the effectiveness against the specific attack, a simulation is carried out. The process of a specific attack based on the amplitude-phase retrieval technique is shown in Fig. 9. A matrix $f_0(x, y) = 1$ is used as an initial estimated plaintext and the ciphertext $C(x, y)$ is used as a constraint to obtain the retrieved image. The iterative procedure can be expressed as follows:

Fig. 9. Schematic diagram of a specific attack.

1. The estimated private key $\mathrm{Key}_{1k}$ and intermediate matrix $g_k(u, v)$ at the $k$th iteration are given by

$$[L_{1k}, U_{1k}, P_{1k}] = \mathrm{LUDP}\{\mathrm{FT}[f_k(x, y) R_1(x, y)]\}, \quad g_k(u, v) = P_{1k}^{-1}(u, v), \quad \mathrm{Key}_{1k} = L_{1k} \times U_{1k} \tag{9}$$

where $L_{1k}$, $U_{1k}$, $P_{1k}$ are the three estimated products of the first LUDP at the $k$th iteration.

2. The estimated private key $\mathrm{Key}_{2k}$ at the $k$th iteration is given by

$$[L_{2k}, U_{2k}, P_{2k}] = \mathrm{LUDP}\{\mathrm{FT}[g_k(u, v) R_2(u, v)]\}, \quad \mathrm{Key}_{2k} = L_{2k} \times U_{2k} \tag{11}$$

where $L_{2k}$, $U_{2k}$, $P_{2k}$ are the three estimated products of the second LUDP at the $k$th iteration.

3. The real ciphertext $C(x, y)$ obtained by the CCD is used as a constraint to retrieve the plaintext; the new estimated intermediate matrix $g'_k(u, v)$ and plaintext $f_{k+1}(x, y)$ are given by

$$g'_k(u, v) = \mathrm{abs}[\mathrm{FT}(C \times \mathrm{Key}_{2k})], \quad f_{k+1}(x, y) = \mathrm{abs}[\mathrm{IFT}(g'_k \times \mathrm{Key}_{1k})] \tag{12}$$

where $f_{k+1}(x, y)$ is the retrieved image at the $k$th iteration and is used as the input of the $(k + 1)$th iteration.

Steps 1–3 are repeated and, when the iteration number reaches a preset threshold value, the iteration is terminated. The results of the specific attack are shown in Fig. 10. Referring to the MSE curve shown in Fig. 10(a), it can be seen that the MSE converges to 0.28 within a few iterations. This means that the cryptosystem cannot be broken by the specific attack even with more iterations. A retrieved image from the ciphertext in Fig. 4(b) by the specific attack is shown in Fig. 10(b). It can be seen that no useful information is visible, which further demonstrates that our proposed cryptosystem is resistant to the specific attack based on the amplitude-phase retrieval technique.

Fig. 10. Specific attack results: (a) relationship between MSE values and iteration number $k$, (b) a retrieved image with iterations 200.

4. Conclusions

In this paper, we proposed a novel asymmetric cryptosystem using two RPMs and LUDP, in which the encryption process is different from the decryption process and the encryption keys are also different from the decryption keys. The encryption process is easily achieved digitally while the decryption process can be optically implemented based on a 4f system. In our cryptosystem, two RPMs are utilized in the encryption process and regarded as public keys. Two decryption (private) keys generated by LUDP in the encryption process correspond to a unique plaintext, which allows the scheme to resist the known-plaintext attack. Since the classical PTFT-based cryptosystem is vulnerable to some specific attacks based on the phase retrieval technique, LUDP is introduced to replace the PT operation to ensure the security of our algorithm. Since the product $P^{-1}$ regarded as the final ciphertext is a sparse matrix, the ciphertext cannot provide enough constraints in the iterative attack to make it stable. Consequently, our proposed algorithm is also immune to the special attack based on the amplitude-phase retrieval algorithm. Numerical simulations have been carried out to demonstrate the effectiveness of the proposed cryptosystem.

Acknowledgments

We acknowledge the financial support provided by the National University of Singapore under research project number R-265-000-589114.

References

[1] P. Refregier, B. Javidi, Optical image encryption based on input plane and Fourier plane random encoding, Opt. Lett. 20 (7) (1995) 767–769.
[2] G. Unnikrishnan, J. Joseph, K. Singh, Optical encryption by double-random phase encoding in the fractional Fourier domain, Opt. Lett. 25 (12) (2000) 887–889.
[3] G. Situ, J. Zhang, Double random phase encoding in the Fresnel domain, Opt. Lett. 29 (14) (2004) 1584–1586.
[4] R. Tao, Y. Xin, Y. Wang, Double image encryption based on random phase encoding in the fractional Fourier domain, Opt. Express 15 (24) (2007) 16067–16079.
[5] Y. Sheng, Z. Xin, M.S. Alam, X.F. Li, Information hiding based on double random-phase encoding and public-key cryptography, Opt. Express 17 (5) (2009) 3270–3284.
[6] A. Alfalou, A. Mansour, Double random phase encryption scheme to multiplexing and simultaneous encode multiple images, Appl. Opt. 48 (31) (2009) 5933–5947.
[7] H. Singh, A.K. Yadav, S. Vashisth, K. Singh, Double phase-image encryption using gyrator transforms and structured phase mask in the frequency plane, Opt. Lasers Eng. 67 (2015) 145–156.
[8] W. Chen, X. Chen, Double random phase encoding using phase reservation and compression, J. Opt. 16 (2) (2014) 025402.
[9] A. Carnicer, M. Montes-Usategui, S. Arcos, I. Juvells, Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys, Opt. Lett. 30 (13) (2005) 1644–1646.
[10] X. Peng, H. Wei, P. Zhang, Chosen-plaintext attack on the lensless double-random phase encoding in the Fresnel domain, Opt. Lett. 31 (22) (2006) 3261–3263.
[11] X. Peng, P. Zhang, H. Wei, B. Yu, Known-plaintext attack on optical encryption based on double random phase keys, Opt. Lett. 31 (8) (2006) 1044–1046.

[12] P. Kumar, A. Kumar, J. Joseph, K. Singh, Vulnerability of the security enhanced double random phase-amplitude encryption scheme to point spread function attack, Opt. Lasers Eng. 50 (9) (2012) 1196–1201.
[13] H.E. Hwang, H.T. Chang, W.N. Lie, Multiple-image encryption and multiplexing using a modified Gerchberg-Saxton algorithm and phase modulation in Fresnel-transform domain, Opt. Lett. 34 (24) (2009) 3917–3919.
[14] W. Chen, X. Chen, Optical multiple-image encryption based on multiplane phase retrieval and interference, J. Opt. 13 (11) (2011) 115401.
[15] W. Liu, Z. Liu, S. Liu, Asymmetric cryptosystem using random binary phase modulation based on mixture retrieval type of Yang-Gu algorithm, Opt. Lett. 38 (10) (2013) 1651–1653.
[16] S.K. Rajput, N.K. Nishchal, Fresnel domain nonlinear optical image encryption scheme based on Gerchberg-Saxton phase-retrieval algorithm, Appl. Opt. 53 (3) (2014) 418–425.
[17] Y. Wang, C. Quan, C.J. Tay, Nonlinear multiple-image encryption based on mixture retrieval algorithm in Fresnel domain, Opt. Commun. 330 (2014) 91–98.
[18] B. Deepan, C. Quan, Y. Wang, C.J. Tay, Multiple-image encryption by space multiplexing based on compressive sensing and the double-random phase-encoding technique, Appl. Opt. 53 (20) (2014) 4539–4547.
[19] N. Zhou, A. Zhang, F. Zheng, L. Gong, Novel image compression-encryption hybrid algorithm based on key-controlled measurement matrix in compressive sensing, Opt. Laser Technol. 62 (2014) 152–160.
[20] N. Zhou, S. Pan, S. Cheng, Z. Zhou, Image compression-encryption scheme based on hyper-chaotic system and 2D compressive sensing, Opt. Laser Technol. 82 (2016) 121–133.
[21] Y. Zhang, B. Wang, Optical image encryption based on interference, Opt. Lett. 33 (21) (2008) 2443–2445.
[22] Z. Liu, L. Xu, C. Lin, S. Liu, Image encryption by encoding with a nonuniform optical beam in gyrator transform domains, Appl. Opt. 49 (29) (2010) 5632–5637.
[23] W. Chen, X. Chen, Arbitrarily modulated beam for phase-only optical encryption, J. Opt. 16 (10) (2014) 105402.
[24] J. Zang, Z. Xie, Y. Zhang, Optical image encryption with spatially incoherent illumination, Opt. Lett. 38 (8) (2013) 1289–1291.
[25] W. Chen, X. Chen, Space-based optical image encryption, Opt. Express 18 (26) (2010) 27095–27104.
[26] W. Chen, X. Chen, Optical asymmetric cryptography using a three-dimensional space-based model, J. Opt. 13 (7) (2011) 075404.
[27] W. Qin, X. Peng, Asymmetric cryptosystem based on phase-truncated Fourier transforms, Opt. Lett. 35 (2) (2010) 118–120.
[28] S.K. Rajput, N.K. Nishchal, Image encryption using polarized light encoding and amplitude and phase truncation in the Fresnel domain, Appl. Opt. 52 (18) (2013) 4343–4352.
[29] X. Wang, D. Zhao, Security enhancement of a phase-truncation based image encryption algorithm, Appl. Opt. 50 (36) (2011) 6645–6651.
[30] S.K. Rajput, N.K. Nishchal, Known-plaintext attack-based optical cryptosystem using phase-truncated Fresnel transform, Appl. Opt. 52 (4) (2013) 871–878.
[31] X. Wang, D. Zhao, A special attack on the asymmetric cryptosystem based on phase-truncated Fourier transforms, Opt. Commun. 285 (6) (2012) 1078–1081.
[32] X. Wang, Y. Chen, C. Dai, D. Zhao, Discussion and a new attack of the optical asymmetric cryptosystem based on phase-truncated Fourier transform, Appl. Opt. 53 (2) (2014) 208–213.
[33] Y. Wang, C. Quan, C.J. Tay, Improved method of attack on an asymmetric cryptosystem based on Fourier transform, Appl. Opt. 54 (22) (2015) 6874–6881.
[34] I. Mehra, S.K. Rajput, N.K. Nishchal, Cryptanalysis of an image encryption scheme based on joint transform correlator with amplitude- and phase-truncation approach, Opt. Lasers Eng. 52 (2014) 167–173.
[35] X. Wang, D. Zhao, Double images encryption method with resistance against the specific attack based on an asymmetric algorithm, Opt. Express 20 (2012) 11994–12003.
[36] Y. Xiong, A. He, C. Quan, Security analysis of a double-image encryption technique based on asymmetric algorithm, J. Opt. Soc. Am. A 35 (2018) 320–326.
[37] X. Wang, D. Zhao, Amplitude-phase retrieval attack free cryptosystem based on direct attack to phase-truncated Fourier transform-based encryption using a random amplitude mask, Opt. Lett. 38 (18) (2013) 3684–3686.
[38] S. Liangsheng, W. Zhanmin, Amplitude-phase retrieval attack free image encryption based on two random masks and interference, Opt. Lasers Eng. 86 (2016) 1–10.
[39] Y. Xiong, A. He, C. Quan, Hybrid attack on an optical cryptosystem based on phase-truncated Fourier transforms and a random amplitude mask, Appl. Opt. 57 (2018) 6010–6016.
[40] Y. Xiong, A. He, C. Quan, Specific attack and security enhancement to optical image cryptosystem based on two random masks and interference, Opt. Lasers Eng. 107 (2018) 142–148.
[41] W. He, X. Meng, X. Peng, Asymmetric cryptosystem using random binary phase modulation based on mixture retrieval type of Yang-Gu algorithm: comment, Opt. Lett. 38 (2013) 4044–4044.
[42] W. Liu, Z. Liu, S. Liu, Asymmetric cryptosystem using random binary phase modulation based on mixture retrieval type of Yang-Gu algorithm, Opt. Lett. 38 (2013) 1651–1653.
[43] W. Liu, Z. Liu, S. Liu, Asymmetric cryptosystem using random binary phase modulation based on mixture retrieval type of Yang-Gu algorithm: reply, Opt. Lett. 38 (2013) 4045–4045.
[44] G. Meurant, Computer Solution of Large Linear Systems, Elsevier, 1999.