Hybrid cryptosystem based on diffraction transfer function and phase-truncated Fourier transform encryption


Optics Communications 450 (2019) 87–96

Contents lists available at ScienceDirect

Optics Communications journal homepage: www.elsevier.com/locate/optcom

Chuhan Wu a, Jun Chang a,∗, Xiangxin Xu a, Yongjian Zhang b

a Key Laboratory of Photoelectronic Imaging Technology and System (Beijing Institute of Technology), Ministry of Education, School of Optics and Photonics, Beijing Institute of Technology, Beijing 100081, China
b School of Information Science and Technology, University of International Relations, Beijing 100091, China

ARTICLE INFO

Keywords: Optical information security; Fourier optics; Diffraction theory; Phase retrieval

ABSTRACT

A hybrid cryptosystem based on phase-truncated Fourier transform (PTFT) encryption and a diffraction transfer function is designed. The designed cryptosystem cannot be decrypted by the phase-retrieval-based attacks to which conventional phase-truncated Fourier transform cryptosystems are proven vulnerable. Compared with conventional PTFT encryption, the encryption process of the proposed cryptosystem needs no extra devices. With the help of Rayleigh–Sommerfeld diffraction theory, inverse diffraction is realized optically and the decryption process can be performed using a liquid crystal spatial light modulator. Unlike the conventional PTFT cryptosystem, no useful information can be retrieved if any of the ciphertext, private keys and diffraction parameters is missing. The optical setup and numerical simulation results are provided to verify the effectiveness, security and robustness of the proposed hybrid cryptosystem.

∗ Corresponding author. E-mail address: [email protected] (J. Chang).

https://doi.org/10.1016/j.optcom.2019.05.053 Received 19 April 2019; Received in revised form 24 May 2019; Accepted 25 May 2019; Available online 3 June 2019. 0030-4018/© 2019 Elsevier B.V. All rights reserved.

1. Introduction

With the rapid development of communication techniques, protecting personal privacy has become necessary. Therefore, information security technology is becoming increasingly significant [1,2]. Compared with other information security techniques, optical information security techniques have attracted considerable attention in recent decades due to their notable characteristics such as multidimensional capability, parallel processing, and high-speed encryption [3,4]. Since Refregier and Javidi proposed the pioneering work called double random phase encoding (DRPE) [5], which encrypts the input image into stationary white noise with a 4f optical system, various optical encryption schemes have been proposed [6–12]. For instance, to enlarge the key space, the DRPE scheme has been extended from the Fourier domain into the fractional Fourier and Fresnel domains [6,7,13]. However, with the development of cryptanalysis, many security issues were exposed. DRPE-based cryptosystems have been proved vulnerable to various attacks because they are linear symmetric cryptosystems in which the decryption keys are identical to the encryption keys [14–19].

In 2010, Qin and Peng [20] presented an encryption system based on the phase-truncated Fourier transform (PTFT). In the PTFT-based cryptosystem, the linearity of the classic DRPE cryptosystems is removed by a nonlinear operation called phase truncation, the original plaintext is encrypted into a real-valued noise-like ciphertext, and the decryption keys are different from the encryption keys. However, these cryptosystems are vulnerable to a specific attack, which is based on a two-step iterative amplitude-phase-retrieval algorithm (APRA) [21,22]. Furthermore, an improved attack using a novel median-filtering phase-retrieval method has been proposed [13]. Some PTFT-based variations have also been attacked [23–26]. Most recently, a hybrid attack based on a known-plaintext attack and APRA was proposed to successfully decrypt the cryptosystem based on PTFT and a random amplitude mask [25,27,28]. These findings indicate that APRA is an urgent threat to PTFT-based asymmetric cryptosystems.

According to the founders of the Y-G algorithm [29,30], the APRA and Gerchberg–Saxton algorithms (GSA) are essentially identical [31]: these approaches iteratively use a repeated Fourier transform (FT) to shift back and forth between the object and the Fourier domains to recover the lost phases [32]. The intermediate phase is easy to retrieve with APRA, as reported by Fienup [33–35]. A review of the PTFT-based cryptosystem schemes shows the drawback that the acquired constraints are suitable for using APRA, which can obtain the decryption keys by generating an intermediate phase. The cryptanalysis indicates that acquiring corresponding constraints is essential to conduct APRA-based attacks, thereby causing the insecurity of PTFT-based asymmetric cryptosystems.

To enhance the security of conventional PTFT cryptosystems, a cryptosystem based on PTFT encryption and a diffraction transfer function is proposed in this letter to prevent the cryptosystem being broken by APRA. By introducing diffraction, the adversary cannot acquire corresponding constraints. Thus, the attacks based on APRA are not available. Besides, it increases the key space and will not expose useful information if the ciphertext and private keys are disclosed. In Section 2, a theoretical description of the cryptosystem based on PTFT and the diffraction transfer function is provided. In Section 3, one possible optical setup scheme is given. In Section 4 the simulation results and discussion are presented. In Section 5 the conclusion is given.

2. Principle

2.1. Conventional PTFT cryptosystem

The input plaintext image is denoted by $I(x,y)$ and $i$ denotes the imaginary unit. The public keys $R_1(x,y)$ and $R_2(u,v)$ are two independent random phase-only masks (RPM) distributed uniformly in the interval $[0, 2\pi]$. Through the PTFT cryptosystem, $I(x,y)$ can be encrypted into a noise-like ciphertext, which can be expressed as follows

$$C(x,y) = PT\{IFT\{PT\{FT\{I(x,y) \times \exp(iR_1(x,y))\}\} \times \exp(iR_2(u,v))\}\}, \tag{1}$$

where $(x,y)$ and $(u,v)$ are indices of an image in the image plane and Fourier plane, respectively, and $C(x,y)$ represents the ciphertext. $FT\{\cdot\}$, $IFT\{\cdot\}$ and $PT\{\cdot\}$ denote the Fourier transform operator, inverse Fourier transform operator, and phase-truncation operator, respectively. The phase-truncation operator is defined as a modulus operation that can be expressed as $PT\{\cdot\} = |\cdot|$. The two private keys $P_1(u,v)$ and $P_2(x,y)$ are acquired as

$$P_1(u,v) = PR\{FT\{I(x,y) \times \exp(iR_1(x,y))\}\}, \tag{2}$$

$$P_2(x,y) = PR\{IFT\{PT\{FT\{I(x,y) \times \exp(iR_1(x,y))\}\} \times \exp(iR_2(u,v))\}\}, \tag{3}$$

where the phase reservation operator is represented by $PR\{\cdot\}$. These two private keys are stationary white noise and different from the public keys. In addition, the private keys are only used in the decryption process. The decryption process can be represented as

$$I'(x,y) = PT\{IFT\{PT\{FT\{C(x,y) \times \exp(iP_2(x,y))\}\} \times \exp(iP_1(u,v))\}\}. \tag{4}$$

If the receiver uses the correct private keys to decrypt the ciphertext, the decrypted image $I'(x,y)$ is exactly the input plaintext $I(x,y)$.

2.2. APRA

However, the ciphertext $C(x,y)$ and $R_2(u,v)$ could form a pair of amplitude-phase constraints, according to the cryptanalysis in reference [21]. By using APRA, the estimated second private key $P_2'(x,y)$ is retrieved. With $P_2'(x,y)$ and $C(x,y)$, the estimated intermediate amplitude $IA'(u,v)$ is acquired as

$$IA'(u,v) = PT\{FT\{C(x,y) \times \exp(iP_2'(x,y))\}\}. \tag{5}$$

The estimated amplitude $IA'(u,v)$ and $R_1(u,v)$ form another pair of amplitude-phase constraints. Similarly, the estimated first private key $P_1'(x,y)$ is retrieved. Furthermore, the decrypted plaintext $I'(x,y)$ is obtained with $P_1'(u,v)$ and $IA'(u,v)$ as follows

$$I'(x,y) = PT\{IFT\{\exp(iP_1'(u,v)) \times IA'(u,v)\}\}. \tag{6}$$

The general process of APRA is as follows. Suppose the spatial-domain amplitude $AM(x,y)$ and the frequency-domain phase $\varphi(u,v)$ are acquired as a pair of amplitude-phase constraints. A random phase distribution in the spatial domain is provided as the initial estimated phase $\phi_1(x,y)$.

Step I. In the $k$th iteration, $\phi_k(x,y)$ is the $k$th estimated phase in the spatial domain,

$$AMF_k(u,v) = PT\{FT\{\phi_k(x,y) \times AM(x,y)\}\}. \tag{7}$$

$AMF_k(u,v)$ is the corresponding frequency-domain amplitude in the $k$th iteration.

Step II. $\phi_{k+1}(x,y)$ is acquired as follows

$$\phi_{k+1}(x,y) = \exp(PR\{FT\{AMF_k(u,v) \times \varphi(u,v)\}\}). \tag{8}$$

The acquired $\phi_{k+1}(x,y)$ is substituted into Eq. (7) for the next iteration. After $n$ iterations, the deviation between $\phi_{n-1}(x,y)$ and $\phi_n(x,y)$ is close to zero, and $\phi_n(x,y)$ can be regarded as the estimated phase. Other phase-retrieval-based attacks have similar processes, such as the known-plaintext attacks and a new attack mentioned in references [27,28]. The key to improving the security of PTFT-based cryptosystems is to prevent pairs of amplitude-phase constraints from being acquired from the cryptosystem in use.

2.3. Diffraction transfer function

Diffraction was first used in optical encryption by Situ et al. [7]. A significant detail is that the inverse Fresnel diffraction process does not optically exist. Situ has given a method to realize the inverse Fresnel diffraction process by using a photorefractive crystal and the ciphertext's complex conjugation. In the decryption process of the proposed cryptosystem, the inverse Fresnel diffraction is realized using a liquid-crystal spatial light modulator (SLM) based on the Rayleigh–Sommerfeld (RS) diffraction theory. The RS diffraction can be expressed as [36,37]

$$V(x',y',z) = \frac{1}{2\pi} \iint_{aperture} V(x,y,0)\, \frac{\exp(ikr)}{r}\, \frac{z}{r} \left(ik + \frac{1}{r}\right) dx\,dy, \tag{9}$$

where the integration is over the open areas of the aperture, which is located on the plane $z = 0$. The diffraction distance along the optical axis is $z$. Besides, $(x,y)$ and $(x',y')$ are indices at the aperture and at the plane at $z$, respectively. The optical field functions at the aperture and at diffraction distance $z$ are $V(x,y,0)$ and $V(x',y',z)$, respectively. In Eq. (9), $r = [(x-x')^2 + (y-y')^2 + z^2]^{1/2}$ represents the distance from point $(x,y,0)$ to point $(x',y',z)$, and $k = 2\pi/\lambda$ is the propagation constant. The wavelength is $\lambda$. Eq. (9) indicates that the RS diffraction can be reformulated as a convolution of two functions

$$V(x',y',z) = V(x,y,0) * \frac{\partial}{\partial z}\left[\frac{\exp(ikr)}{r}\right], \tag{10}$$

where the symbol $*$ is the convolution operator. According to the convolution theorem of the Fourier transform, Eq. (10) can be expressed as

$$V(x',y',z) = IFT\{FT\{V(x,y,0)\} \times H(\xi,\eta)\}, \tag{11}$$

$$H(\xi,\eta) = FT\left\{\frac{\partial}{\partial z}\left[\frac{\exp(ikr)}{r}\right]\right\}, \tag{12}$$

where $(\xi,\eta)$ are the coordinates in the frequency domain. According to G. Sherman's research [37], $H(\xi,\eta)$ can be expressed as

$$H(\xi,\eta) = \exp\left[i\,\frac{2\pi z}{\lambda}\,(1 - \lambda^2\xi^2 - \lambda^2\eta^2)\right]. \tag{13}$$

As reported in reference [35], Eq. (13) can also be derived with Fresnel diffraction theory and angular spectrum theory. Eq. (13) indicates that $H(\xi,\eta)$ is related to the wavelength and the diffraction distance. The diffraction transform operator is defined as $RS\{\cdot\}$ in this letter. Eq. (11) indicates that the expanded form of the operator is

$$RS\{\cdot\} = IFT\{FT\{\cdot\} \times H(\xi,\eta)\}. \tag{14}$$

2.4. Proposed cryptosystem

In the proposed scheme, as shown in Fig. 1, the first several steps are as follows:

$$M(x,y) = RS\{I(x,y) \times \exp(iRM1(x,y))\}, \tag{15}$$

$$U(u,v) = FT\{M(x,y)\}, \tag{16}$$

$$UPH(u,v) = PR\{U(u,v)\}, \tag{17}$$

$$URS(u,v) = RS\{UPH(u,v)\}, \tag{18}$$

$$P_1(u,v) = PT\{U(u,v)\} * PT\{URS(u,v)\}. \tag{19}$$

$I(x,y)$, $RM1(x,y)$, $M(x,y)$, $U(u,v)$, $UPH(u,v)$, $URS(u,v)$ and $P_1(u,v)$ denote the plaintext, the first public key, the input complex amplitude, the Fourier transform of the input complex amplitude, the phase part of $U(u,v)$, the complex amplitude of $UPH(u,v)$ after diffraction, and the first private key, respectively. In the proposed cryptosystem, to prevent $P_1(u,v)$ from containing too much information, it is an amplitude distribution recorded as the product of the normalized amplitude distributions of $U(u,v)$ and $URS(u,v)$. The amplitude part of $UPH(u,v)$ can be regarded as the amplitude of the plane wave. The last few steps of the encryption are identical to the process of the conventional PTFT cryptosystem. The process is written as follows

$$URSA(u,v) = URS(u,v) \times \exp(iRM2(u,v)), \tag{20}$$

$$G(x,y) = IFT\{URSA(u,v)\}, \tag{21}$$

$$C(x,y) = PT\{G(x,y)\}, \tag{22}$$

$$P_2(x,y) = PR\{G(x,y)\}, \tag{23}$$

where $RM2(u,v)$ and $URSA(u,v)$ denote the second public key and the new complex amplitude generated with $URS(u,v)$ and $RM2(u,v)$. $G(x,y)$ is the inverse Fourier transform of $URSA(u,v)$. The ciphertext and the second private key are denoted by $C(x,y)$ and $P_2(x,y)$, respectively.

Following the theory proposed by the founders of the Y–G algorithm [29,30], phase retrieval can be described as a general problem: if we have either the amplitude or the phase in the spatial domain as the spatial constraint, and either the amplitude or the phase in the frequency domain as the frequency constraint, then the remaining information can be calculated by iterations. A review of the typical offensive and defensive processes in references [23,25,27,28] indicates that realization of the attack depends on a pair of corresponding constraints obtained from the spatial and frequency domains. For the APRA-based two-step special attack mentioned in reference [21], the adversary uses the ciphertext and the second public key as a pair of constraints; consequently, the second private key can be estimated. Then, the amplitude in the frequency domain can be calculated by using the estimated second private key. Furthermore, the frequency amplitude and the first public key can form another pair of constraints. Finally, the estimated first private key can be obtained to decrypt the plaintext.

The flowchart of the proposed cryptosystem indicates that, with the introduction of diffraction, no corresponding constraint pair can be acquired by the adversary. Suppose the adversary can acquire the ciphertext and the corresponding public keys. The acquired second public key $RM2(u,v)$ cannot be used as the ciphertext's corresponding frequency-domain constraint because the phase of $URS(u,v)$ was abandoned in the attack. The corresponding frequency-domain phase of the ciphertext is the product of the phase part of $URS(u,v)$ and $RM2(u,v)$. Similarly, if the adversary starts APRA-based attacks forcibly, the estimated $UPH(u,v)$ obtained by using APRA is not the phase corresponding to $RM1(x,y)$. These facts lead to the inefficiency of APRA. Above all, the loss of the diffraction parameters, including the diffraction distance and wavelength, breaks the connection between plaintext and ciphertext.

The decryption process of the proposed cryptosystem is shown in Fig. 2. According to Section 2.3, the steps from $C(x,y)$ to $URS(u,v)$ are listed here.

$$G(x,y) = C(x,y) \times \exp(iP_2(x,y)), \tag{24}$$

$$URSA(u,v) = FT\{G(x,y)\}, \tag{25}$$

$$URS(u,v) = URSA(u,v) \times \exp(iRM2^*(u,v)), \tag{26}$$

where $RM2^*(u,v)$ is the conjugate of the second public key. By substituting Eq. (14) into Eq. (19), the relationship between $URS(u,v)$ and $UPH(u,v)$ is obtained

$$UPH(u,v) = PR\{IFT\{FT\{URS(u,v)\} \times H^*(\xi,\eta)\}\}, \tag{27}$$

$$RS^{-1}\{\cdot\} = IFT\{FT\{\cdot\} \times H^*(\xi,\eta)\}, \tag{28}$$

where $H^*(\xi,\eta)$ is the conjugate of $H(\xi,\eta)$. The inverse Fourier diffraction is marked by the dashed box in Fig. 2 and its form is expressed in Eq. (28). The last few steps in the decryption process can be written as

$$U(u,v) = UPH(u,v) \times P_1(u,v) \times [PT\{URS(u,v)\}]^{-1}, \tag{29}$$

$$M(x,y) = IFT\{U(u,v)\}, \tag{30}$$

$$I(x,y) = PT\{RS^{-1}\{M(x,y)\}\}, \tag{31}$$

where $[\,]^{-1}$ represents the multiplicative inverse. Eq. (13) shows that $H(\xi,\eta)$ is a phase-only distribution; thus, $H^*(\xi,\eta)$ can be realized with an SLM or a phase mask. $PT\{\cdot\}$ can be realized by using optical detectors. The phase reservation operation can be realized with a Hartman–Shack wave-front sensor (HSWS) or holographic recording. The Fourier transform and inverse Fourier transform can be realized with a Fourier lens. All these methods have been reported previously. Compared with conventional PTFT cryptosystems, the encryption process of the proposed cryptosystem is easy to conduct without adding other devices. Extra devices are needed to realize inverse diffraction in the decryption process, but this cost increases security.
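The encryption chain of Eqs. (15)–(23) and the decryption chain of Eqs. (24)–(31), as an added NumPy example that is not the authors' code. Assumptions: the 8 µm sampling pitch, the 64 × 64 constructed plaintext, the seed and all function names are not from the paper; $H$ is evaluated in the standard angular-spectrum form with a square root over the bracketed term of Eq. (13); the amplitude normalisation mentioned for Eq. (19) is omitted.

```python
import numpy as np

WAVELENGTH = 532e-9   # m, value used in the paper's simulation
DISTANCE = 10e-3      # m, value used in the paper's simulation
PITCH = 8e-6          # m, sampling pitch: assumption, not given in the paper


def transfer_function(n, wavelength, z, pitch=PITCH):
    """H(xi, eta) of Eq. (13) on an n x n FFT frequency grid."""
    f = np.fft.fftfreq(n, d=pitch)
    xi, eta = np.meshgrid(f, f)
    arg = 1.0 - (wavelength * xi) ** 2 - (wavelength * eta) ** 2
    # Assumption: standard angular-spectrum form (square root of the bracket).
    # Evanescent components are clamped so that H stays phase-only.
    root = np.sqrt(np.maximum(arg, 0.0))
    return np.exp(1j * 2 * np.pi * z / wavelength * root)


def rs(field, h):
    """RS{.} = IFT{FT{.} x H}, Eq. (14); pass conj(H) for RS^-1, Eq. (28)."""
    return np.fft.ifft2(np.fft.fft2(field) * h)


def encrypt(img, rm1, rm2, h):
    m = rs(img * np.exp(1j * rm1), h)           # Eq. (15)
    u = np.fft.fft2(m)                          # Eq. (16)
    uph = np.exp(1j * np.angle(u))              # Eq. (17): unit-amplitude phase field
    urs = rs(uph, h)                            # Eq. (18)
    p1 = np.abs(u) * np.abs(urs)                # Eq. (19), without normalisation
    g = np.fft.ifft2(urs * np.exp(1j * rm2))    # Eqs. (20)-(21)
    return np.abs(g), p1, np.angle(g)           # C, P1, P2: Eqs. (22)-(23)


def decrypt(c, p1, p2, rm2, h):
    ursa = np.fft.fft2(c * np.exp(1j * p2))     # Eqs. (24)-(25)
    urs = ursa * np.exp(-1j * rm2)              # Eq. (26): conjugate of RM2
    uph = np.exp(1j * np.angle(rs(urs, np.conj(h))))  # Eq. (27)
    u = uph * p1 / np.abs(urs)                  # Eq. (29)
    m = np.fft.ifft2(u)                         # Eq. (30)
    return np.abs(rs(m, np.conj(h)))            # Eq. (31)


def cc(f, g):
    """Correlation coefficient of Eq. (32)."""
    fd, gd = f - f.mean(), g - g.mean()
    return abs((fd * gd).mean()) / np.sqrt((fd ** 2).mean() * (gd ** 2).mean())


def demo(n=64, seed=1):
    """Encrypt a constructed image, then decrypt with right and wrong distance."""
    rng = np.random.default_rng(seed)
    y, x = np.mgrid[0:n, 0:n]
    # Constructed non-negative test plaintext (not the paper's image).
    img = 0.5 + 0.4 * np.sin(2 * np.pi * x / n) * np.cos(4 * np.pi * y / n)
    img[n // 4: n // 2, n // 4: n // 2] = 1.0
    rm1 = rng.uniform(0, 2 * np.pi, (n, n))     # first public key
    rm2 = rng.uniform(0, 2 * np.pi, (n, n))     # second public key
    h = transfer_function(n, WAVELENGTH, DISTANCE)
    c, p1, p2 = encrypt(img, rm1, rm2, h)
    h_wrong = transfer_function(n, WAVELENGTH, 15e-3)  # wrong distance
    return {
        "cipher_vs_plain": cc(img, c),
        "correct_keys": cc(img, decrypt(c, p1, p2, rm2, h)),
        "wrong_distance": cc(img, decrypt(c, p1, p2, rm2, h_wrong)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

`demo()` returns the correlation coefficient against the plaintext for the ciphertext, for decryption with all correct keys, and for decryption with correct private keys but the diffraction distance set to 15 mm instead of 10 mm.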

3. Optical setup

The proposed cryptosystem scheme is based on real optoelectronic devices. One possible optical setup to realize the proposed encryption and decryption processes is provided. Fig. 3 shows the optical setup of the encryption process of the proposed cryptosystem. "STEP I" illustrates the process from $I(x,y)$ to $UPH(u,v)$, and "STEP II" illustrates the process from $UPH(u,v)$ to $C(x,y)$. SLM1 and SLM2 are a transmissive amplitude-modulated SLM and a transmissive phase-modulated SLM, respectively. Lens1 is a Fourier lens. The HSWS is used to realize phase reservation. The phase truncation operation is conducted with CCD detectors. The PC is used for controlling the SLMs, receiving intensity images from the CCDs and recording the private keys. A significant benefit of this setup is that switching from "STEP I" to "STEP II" can easily be performed by adding a second private key's phase mask.

In "STEP I", the plaintext is shown on SLM1 and $RM1(x,y)$ is shown on SLM2. After diffraction over a certain distance D, $M(x,y)$ is obtained. It is notable that CCD1 is not used in "STEP I". Due to Lens1's Fourier transform, $U(u,v)$ is obtained. Its phase part $UPH(u,v)$ and amplitude part are detected by the HSWS and CCD2, separately, and all the information is recorded by the PC. In "STEP II", $UPH(u,v)$ is shown on SLM2. After diffraction over a certain distance D, the amplitude of $URS(u,v)$ is detected by CCD1 and $P_1(u,v)$ is calculated by the PC according to Eq. (19). $URSA(u,v)$ is obtained after $URS(u,v)$ passes the phase mask of $RM2(u,v)$. Finally, $C(x,y)$ and $P_2(x,y)$ are recorded on a PC after $URSA(u,v)$ passes Lens1.

The optical setup for the decryption process is shown in Fig. 4. There are also two steps using the same setup. "STEP I" illustrates the process from $C(x,y)$ to $UPH(u,v)$, and "STEP II" illustrates the process from $UPH(u,v)$ to $I(x,y)$. The part in the dashed box is the $RS^{-1}\{\cdot\}$ process. A phase mask is used as $RM2^*(u,v)$. $H^*(\xi,\eta)$ is shown on an additional SLM3. Lens1, Lens2 and Lens3 are Fourier lenses.

In "STEP I", $C(x,y)$ is shown on SLM1 and $P_2(u,v)$ is displayed on SLM2. Due to Lens1's Fourier transform, $URSA(u,v)$ is obtained and its amplitude part is detected by CCD1. The amplitude part of $U(u,v)$ is calculated by the PC from the amplitude part of $URSA(u,v)$ and $P_1(u,v)$. $URS(u,v)$ is obtained after $URSA(u,v)$ passes the phase mask. Then $URS(u,v)$ is transformed to $URSF(\xi,\eta)$ by Lens2's Fourier transform, and $URSF(\xi,\eta)$ turns into $URSFA(\xi,\eta)$ after the light passes SLM3. Finally, $UPH(u,v)$ is captured after Lens3's Fourier transform. Its phase part and amplitude part are detected by the HSWS and CCD2, separately. The information is recorded by the PC. In "STEP II", the calculated amplitude of $U(u,v)$ is displayed on SLM1 and $UPH(u,v)$ is displayed on SLM2. After Lens1, $M(x,y)$ is obtained. The decrypted plaintext is captured by CCD2 after the $RS^{-1}\{\cdot\}$ process shown in the dashed box. The setup discussed here is one possible scheme. To increase the experimental accuracy, the setup could be realized with the help of a precise mechanical platform and other means.

Fig. 1. Flowchart of encryption process of proposed cryptosystem, RS denotes the diffraction process.

Fig. 2. Flowchart of decryption process of proposed cryptosystem.

Fig. 3. Sketch of optical setup for the encryption process of proposed cryptosystem.

Fig. 4. Sketch of optical setup for the decryption process of proposed cryptosystem.

4. Simulation and discussion

Given the limited resources in our laboratory, the computer simulation results are reported here. The influence of aberrations, diffraction limitation, and system errors is neglected in the numerical simulation. For performance comparison, the correlation coefficient (CC) is introduced. It denotes the similarity of the retrieved image $f'$ and the original image $f$ in the quantitative analysis and is defined as

$$CC = \frac{\left|E[[f - E[f]][f' - E[f']]]\right|}{\sqrt{E[[f - E[f]]^2]\,E[[f' - E[f']]^2]}}, \tag{32}$$

where the expected value operator is defined as $E[\cdot]$, the absolute value operator is defined as $|\cdot|$, and the coordinates are omitted here.

A simulation is carried out to validate the effectiveness of the proposed cryptosystem. A gray-scale image "sleepy-cat" with a size of 256 × 256 pixels is used as the plaintext image and is shown in Fig. 5(a). Fig. 5(b) shows the resulting ciphertext, which has no useful information; its CC value is 0.0062. In the encryption process of the proposed cryptosystem, the wavelength of the illuminating light is 532 nm, and the diffraction distance is 10 mm. In the simulation, the two $RS\{\cdot\}$ operations use the same diffraction parameters. Figs. 5(c) and 5(d) show the first private key and the second private key, respectively. These two private keys are both stationary white noise images. Fig. 5(e) shows the decrypted image, which is retrieved from Fig. 5(b) with the correct private keys and correct diffraction information. The CC value between Fig. 5(a) and Fig. 5(e) is 0.9997, which means the plaintext has been decrypted precisely.

Fig. 5. Simulation results of proposed cryptosystem. (a) plaintext, (b) ciphertext, (c) the first private key, (d) the second private key, (e) decrypted image with correct keys.

4.1. The influence of private keys and diffraction parameters on encryption–decryption effect

For the conventional PTFT cryptosystem and its variations, the generated private keys contain much information, as mentioned in reference [38]. The influence of disclosing private keys in the conventional PTFT cryptosystem is given in Table 1. The plaintext used here is also the "sleepy-cat" image, and the CC values under different circumstances are given. The unexposed information is substituted with a random distribution function. For example, 0.5826 is the CC value between the real plaintext and the decrypted plaintext acquired by using the correct $P_1(u,v)$, a random $P_2(x,y)$ and a random ciphertext. It shows that most information can be retrieved with only the correct $P_1(u,v)$ for the conventional PTFT cryptosystem.

Table 1. The private keys' influence on conventional PTFT cryptosystem's security. The CC value of decrypted plaintext and original plaintext.

| | $P_1(u,v)$ | $P_2(x,y)$ | $P_1(u,v)$ and $P_2(x,y)$ |
|---|---|---|---|
| Fake ciphertext | 0.5826 | 0.0076 | 0.7910 |
| Ciphertext | 0.5878 | 0.0068 | 1.0000 |

Table 1 shows that the first private key contains most of the information and that the main information can be decrypted with only $P_1(u,v)$. Besides, the ciphertext is not significant. The plaintext can be retrieved with only the private keys and a fake, randomly distributed ciphertext, as discussed in reference [38]. For comparison, the influence of disclosing private keys and diffraction parameters in the proposed cryptosystem is given in Table 2. The CC values are acquired in the same way as in Table 1.

As shown in Table 2, the plaintext can only be retrieved accurately with all the information. If not all encrypted information is disclosed, no useful information can be retrieved. Except for the legal decryption result, the highest CC value that appears in Table 2 is 0.1657. This is the situation of using the correct ciphertext, $P_1(u,v)$ and $P_2(x,y)$. Among the illegal decryption situations of the conventional PTFT cryptosystem, the highest CC value is 0.7901. This is the situation of using the correct $P_1(u,v)$ and $P_2(x,y)$. The decrypted plaintexts with the highest CC values for both cryptosystems are shown in Fig. 6. It illustrates that the proposed cryptosystem is still secure in case of disclosure.

C. Wu, J. Chang, X. Xu et al.

Optics Communications 450 (2019) 87–96

Table 2 The private keys’ influence to proposed cryptosystem’s security. The CC value of decrypted plaintext and original plaintext

𝑃1 (𝑢, 𝑣)

𝑃2 (𝑥, 𝑦)

𝐻(𝜉, 𝜂)

𝑃1 (𝑢, 𝑣) and 𝑃2 (𝑥, 𝑦)

𝑃1 (𝑢, 𝑣) and 𝐻(𝜉, 𝜂)

𝑃2 (𝑥, 𝑦) and 𝐻(𝜉, 𝜂)

𝑃1 (𝑢, 𝑣), 𝑃2 (𝑥, 𝑦) and 𝐻(𝜉, 𝜂)

Fake ciphertext Ciphertext

0.0050 0.0251

0.0016 0.0207

0.0007 0.0284

0.0058 0.1657

0.0051 0.0392

0.0003 0.0949

0.0052 0.9997

𝑃2 (𝑥, 𝑦) in attacking proposed cryptosystem does not converge. In this numerical simulation, the decrypted private key with the highest CC value is used for attacking. Supposing the adversary has improved the attack mentioned in reference [21] with adding inverse diffraction process, i.e., the diffraction wavelength and diffraction distance are used in his attack. The simulation results under this condition are shown in Fig. 9, it shows that the adversary still cannot recover the plaintext’s information. Similarly, only the decrypted private key with highest CC value in every attack step is used in the numerical simulation. The CC value between decrypted plaintext and original plaintext is 0.0866. Above all, proposed cryptosystem has the ability of weakening APRA-based attack no matter if the adversary has the knowledge of proposed cryptosystem.

Fig. 6. The decrypted images of illegal decryption with highest CC values for both cryptosystems (a) The decrypted image with 𝑃1 (𝑢, 𝑣) and 𝑃2 (𝑥, 𝑦) for conventional PTFT cryptosystem (CC value is 0.7910), (b) The decrypted image with correct ciphertext, 𝑃1 (𝑢, 𝑣) and 𝑃2 (𝑥, 𝑦) for proposed hybrid cryptosystem (CC value is 0.1657).

4.3. Sensibility of diffraction parameters A numerical simulation is carried out for validating the sensitivity of diffraction information including wavelength and diffraction distance. The influence of the incorrect diffraction parameters on decrypting proposed cryptosystems with correct private keys is studied. Fig. 10(a) shows the decrypted plaintext’s CC value with correct diffraction distance and incorrect wavelength. Fig. 10(b) shows the decrypted plaintext’s CC value with correct wavelength and incorrect diffraction distance. Based on experience, a decrypted image of CC value more than 0.4 could be regarded that most plaintext’s information is retrieved. From Fig. 10, if all other encrypted information is correct, a 20 nm range of wavelength can be used for decryption and this value for diffraction distance is about 0.4 mm. Therefore, the diffraction information can be used as private keys and the key space is increased. In addition, the accurate decrypted image can be achieved only when the diffraction information is accurate.

Fig. 7. (a) Simulation result of decrypted plaintext image for attacking conventional PTFT cryptosystem (CC value is 0.4283), (b) simulation result of decrypted plaintext image for attacking proposed cryptosystem (CC value is 0.0040).

4.4. Security analysis 4.2. Comparison of attacking both conventional PTFT cryptosystems and proposed hybrid cryptosystems with APRA-based attacks

In this section, the security analysis of the proposed hybrid cryptosystem such as histogram analysis and correlation tests are discussed. Fig. 11(a)–(d) is the histograms for ‘‘sleepy-cat’’ and its ciphertext, the first private key and the second private key. For comparison, images from VOC dataset are used as plaintexts for proposed cryptosystem’s histogram analysis. Accordingly, the result illustrates that the ciphertext and private keys of different plaintexts have consistent statistical properties. Fig. 11 shows the ciphertext and the first private key are subject to Rayleigh distribution, and the second private key is subject to uniform distribution. Above all, ciphertext and private keys do not provide any useful information for the adversary. In addition to the histogram analysis, the correlation between two vertically, horizontally and diagonally adjacent pixels in plaintext and their ciphertext are also analyzed. The adjacent pixels’ correlation is defined as: | | ∑𝑁 1 ∑𝑁 1 ∑𝑁 | 𝑖=1 (𝑥𝑖 − 𝑁 𝑖=1 𝑥𝑖 )(𝑦𝑖 − 𝑁 𝑖=1 𝑦𝑖 )| | | , (33) 𝐶= √ ∑𝑁 ∑𝑁 1 ∑𝑁 1 ∑𝑁 2× 2 (𝑥 − 𝑥 ) (𝑦 − 𝑖=1 𝑖 𝑖=1 𝑖 𝑖=1 𝑖 𝑖=1 𝑦𝑖 ) 𝑁 𝑁

For validating the security enhancement, the APRA-based two-step specific attack mentioned in reference [21] is used to attack both conventional PTFT system and proposed cryptosystem. The simulation results are shown in Fig. 7. The original plaintext image is the ‘‘sleepy-cat’’ image shown in Fig. 5(a). Supposing the adversary have no knowledge of proposed cryptosystem, what means no diffraction information is used in the attack. For attacking conventional PTFT system, the CC value between decrypted image and original plaintext is 0.4283, it shows that original plaintext’s most information is achieved. For attacking the proposed cryptosystem, the CC value is nearly zero and the decrypted image is still a noise image. This result illustrates that the attack based on phase retrieval algorithm is inefficient for the proposed hybrid cryptosystem. The simulation result is in accordance with the theoretical derivation. As shown in Fig. 8, the CC values of decrypted private keys and real private keys in two iterative steps for attacking both kinds of cryptosystems are given. Referring to the curves, the CC values in every iterative step for attacking proposed cryptosystem are much lower than that of attacking conventional PTFT cryptosystem generally. This proves that the specific attack performs weaker in decrypting private key for attacking proposed cryptosystem than conventional PTFT cryptosystem. In addition, as shown in Fig. 8(c), the CC values of decrypted

where $x_i$ and $y_i$ are a pair of pixels. The correlations of two adjacent pixels for both the plaintext and the ciphertext of “sleepy-cat” are given in Fig. 12. It is obvious that the correlation between two adjacent pixels in the ciphertext is much smaller than that in the plaintext. Similarly, images from the VOC dataset are also used for the correlation test, and some results are listed in Table 3, considering only the correlation of two diagonally adjacent pixels. The average correlation coefficient of the ciphertext is very small, which implies that there is no correlation between a plaintext and its corresponding ciphertext obtained by the proposed hybrid cryptosystem.

Fig. 8. The decrypted private keys' CC values against iteration number in two iterative steps for attacking both the conventional PTFT cryptosystem and the proposed cryptosystem: (a) the CC value of decrypted $P_2'(x, y)$ and $P_2(x, y)$ for attacking the conventional PTFT cryptosystem (the highest CC value is 0.6942), (b) the CC value of $P_1'(x, y)$ and $P_1(x, y)$ for attacking the conventional PTFT cryptosystem (the highest CC value is 0.5862), (c) the CC value of decrypted $P_2'(x, y)$ and $P_2(x, y)$ for attacking the proposed cryptosystem (the highest CC value is 0.0055) and (d) the CC value of decrypted $P_1'(x, y)$ and $P_1(x, y)$ for attacking the proposed cryptosystem (the highest CC value is 0.1786).

Fig. 9. Simulation of attacking the proposed cryptosystem with APRA and correct diffraction parameters: (a) the decrypted $P_2'(x, y)$ (the highest CC value is 0.0026), (b) the decrypted $P_1'(x, y)$ (the highest CC value is 0.1835) and (c) the decrypted plaintext (CC value is 0.0866).

Fig. 10. Simulation result of attacking the proposed cryptosystem with correct private keys and incorrect diffraction parameters: (a) with incorrect diffraction distance from 0 mm to 15 mm, (b) with incorrect wavelength from 432 nm to 732 nm.


Fig. 11. Histograms: (a) histogram of plaintext “sleepy-cat”, (b) histogram of its ciphertext, (c) histogram of the first private key, and (d) histogram of the second private key.

Fig. 12. Correlation of two adjacent pixels for “sleepy-cat”: (a)–(c) correlation of two horizontally, vertically and diagonally adjacent pixels for the plaintext, respectively, with correlation values of 0.9900, 0.9795 and 0.9714, (d)–(f) correlation of two horizontally, vertically and diagonally adjacent pixels for the ciphertext, respectively, with correlation values of 0.0247, 0.0495 and 0.0027.

Table 3. Correlation coefficients of plaintexts from the VOC dataset and their corresponding ciphertexts.

| File name | File description | Correlation of two diagonally adjacent pixels for plaintext | Correlation of two diagonally adjacent pixels for ciphertext |
|---|---|---|---|
| 2007_000027.png | Woman | 0.9401 | 0.0407 |
| 2007_000032.png | Airplane | 0.9753 | 0.0033 |
| 2007_000039.png | Computer | 0.9570 | 0.0010 |
| 2007_000042.png | Train | 0.9315 | 0.0067 |
| 2007_000061.png | Boat | 0.9639 | 0.0129 |
| 2007_000063.png | Dog | 0.8950 | 0.0150 |
| 2007_000129.png | Bicycle | 0.8749 | 0.0036 |
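The adjacent-pixel correlation test behind Fig. 12 and Table 3 can be reproduced on a small scale with the following added example, which is not code from the paper. It encrypts a constructed 32×32 Gaussian-blob image with conventional PTFT (two random phase masks with amplitude-only truncation, without the diffraction step of the proposed hybrid scheme) and uses the Pearson coefficient, assumed to match the paper's correlation definition; all function names, the seed and the test image are assumptions.

```python
import cmath, math, random

def dft2(a, inverse=False):
    """Naive separable 2-D DFT of an n x n list of lists (fine for small n)."""
    n, sign = len(a), (1 if inverse else -1)
    w = [[cmath.exp(sign * 2j * math.pi * u * x / n) for x in range(n)] for u in range(n)]
    rows = [[sum(w[u][x] * r[x] for x in range(n)) for u in range(n)] for r in a]
    out = [[sum(w[v][y] * rows[y][u] for y in range(n)) for u in range(n)] for v in range(n)]
    return [[z / (n * n if inverse else 1) for z in r] for r in out]

def random_phase_mask(n, rng):
    return [[cmath.exp(2j * math.pi * rng.random()) for _ in range(n)] for _ in range(n)]

def ptft_encrypt(f, seed=2019):
    """Conventional PTFT: C = PT{IFT[PT{FT[f R1]} R2]}, where PT keeps only the amplitude."""
    n, rng = len(f), random.Random(seed)  # seed is a constructed value
    r1, r2 = random_phase_mask(n, rng), random_phase_mask(n, rng)
    mul = lambda a, b: [[p * q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]
    amp = lambda a: [[abs(z) for z in row] for row in a]
    return amp(dft2(mul(amp(dft2(mul(f, r1))), r2), inverse=True))

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))

def adjacent_corr(img, dy, dx):
    """Correlation between every pixel and its neighbour at offset (dy, dx)."""
    n = len(img)
    pairs = [(img[y][x], img[y + dy][x + dx]) for y in range(n - dy) for x in range(n - dx)]
    return pearson(*zip(*pairs))

def smooth_test_image(n=32, sigma=8.0):
    """Constructed plaintext: a centred Gaussian blob, smooth like a natural image."""
    c = (n - 1) / 2
    return [[math.exp(-((x - c) ** 2 + (y - c) ** 2) / (2 * sigma ** 2)) for x in range(n)] for y in range(n)]

DIRECTIONS = {"horizontal": (0, 1), "vertical": (1, 0), "diagonal": (1, 1)}

def correlation_report(img):
    return {name: adjacent_corr(img, dy, dx) for name, (dy, dx) in DIRECTIONS.items()}

if __name__ == "__main__":
    plain = smooth_test_image()
    print("plaintext ", correlation_report(plain))
    print("ciphertext", correlation_report(ptft_encrypt(plain)))
```

The plaintext coefficients come out close to 1 in all three directions while the ciphertext coefficients stay near zero, which is the same pattern the paper reports for its own images.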

4.5. Robustness analysis

During the transmission of the ciphertext, it is possible that the ciphertext is contaminated by noise. Therefore, the robustness of the proposed cryptosystem against noise is analyzed. Fig. 13 gives the CC values between the plaintext “sleepy-cat” and the decrypted images obtained from ciphertext contaminated by Gaussian noise with varying standard deviations. The corresponding decrypted images for Gaussian noise with standard deviations of 0.02, 0.06 and 0.1 are given in Fig. 14. It shows that the decrypted image is still visible even when the ciphertext is contaminated with a little noise.

Fig. 13. Decrypted image's CC values against different Gaussian noise standard deviations.

Fig. 14. Corresponding decrypted plaintext with ciphertext contaminated by Gaussian noise with (a) 0.02 standard deviation (CC value is 0.8922), (b) 0.06 standard deviation (CC value is 0.5254) and (c) 0.1 standard deviation (CC value is 0.3701).

Decryption is carried out with occluded ciphertext to test robustness against occlusion. Square sections with 1/256, 1/64, 1/16 and 1/4 of the ciphertext's size are blocked, as shown in Fig. 15(a)–(d). The corresponding decrypted plaintexts and their CC values are shown in Fig. 15(e)–(h). When 1/4 of the ciphertext is occluded, the decrypted plaintext is hard to see.

Fig. 15. Tolerance to occlusion: (a)–(d) show 1/256, 1/64, 1/16 and 1/4 of the ciphertext occluded, respectively, (e)–(h) show the decrypted images corresponding to (a)–(d), and the CC values are 0.9357, 0.8238, 0.5752 and 0.2535, respectively.

5. Conclusion

In this paper, a hybrid cryptosystem based on PTFT encryption and diffraction theory is proposed to solve the vulnerability of PTFT-based cryptosystems to APRA-based attacks. The APRA's iteration constraints are broken by introducing diffraction. A possible optical setup scheme is given. When the APRA-based two-step attack is used against the proposed cryptosystem, no useful information about the plaintext can be retrieved, whether or not the adversary has knowledge of the diffraction parameters. The proposed cryptosystem also increases the sensitivity of the ciphertext and private keys. The accurate plaintext information cannot be acquired when the receiver lacks any of the encrypted information. Besides preventing APRA-based attacks, the diffraction wavelength and diffraction distance can also be used as private keys. Numerical simulation results have also validated the effectiveness, security and robustness of the proposed cryptosystem.

Acknowledgments

This work is supported by the National Key Research and Development Program of China (Grant No. 2017YFC0822700) and the National Natural Science Foundation of China (Grant No. 61471039).

References

[1] B. Javidi, J.L. Horner, Optical pattern recognition for validation and security verification, Opt. Eng. 33 (1994) 1752–1756.

[2] B. Javidi, Securing information with optical technologies, Phys. Today 50 (3) (1997) 27–32.

[3] W. Chen, B. Javidi, X. Chen, Advances in optical security systems, Adv. Opt. Photonics 6 (2014) 120–155.

[4] S. Liu, C. Guo, J.T. Sheridan, A review of optical image encryption techniques, Opt. Laser Technol. 57 (2014) 327–342.

[5] P. Refregier, B. Javidi, Optical image encryption based on input plane and Fourier plane random encoding, Opt. Lett. 20 (1995) 767–769.

[6] G. Unnikrishnan, J. Joseph, K. Singh, Optical encryption by double-random phase encoding in the fractional Fourier domain, Opt. Lett. 25 (2000) 887–889.

[7] G. Situ, J. Zhang, Double random-phase encoding in the Fresnel domain, Opt. Lett. 29 (2004) 1584–1586.

[8] Y. Zhang, B. Wang, Optical image encryption based on interference, Opt. Lett. 33 (2008) 2443–2445.

[9] Y. Wang, C. Quan, C.J. Tay, Nonlinear multiple-image encryption based on mixture retrieval algorithm in Fresnel domain, Opt. Commun. 330 (2014) 91–98.

[10] T. Demetrakopoulos, R. Mittra, Digital and optical reconstruction of images from suboptical diffraction patterns, Appl. Opt. 13 (1974) 665–670.

[11] B. Deepan, C. Quan, Y. Wang, C.J. Tay, Multiple-image encryption by space multiplexing based on compressive sensing and the double-random phase-encoding technique, Appl. Opt. 53 (2014) 4539–4547.

[12] W. Chen, X. Chen, Ghost imaging using labyrinth-like phase modulation patterns for high-efficiency and high-security optical encryption, Europhys. Lett. 109 (2015) 14001.

[13] Y. Wang, C. Quan, C.J. Tay, Improved method of attack on an asymmetric cryptosystem based on phase-truncated Fourier transform, Appl. Opt. 54 (2015) 6874–6881.

[14] A. Carnicer, M. Montes-Usategui, S. Arcos, I. Juvells, Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys, Opt. Lett. 30 (2005) 1644–1646.

[15] P. Kumar, J. Joseph, K. Singh, Known-plaintext attack-free double random phase–amplitude optical encryption: vulnerability to impulse function attack, J. Opt. 14 (2012) 045401.

[16] Y. Frauel, A. Castro, T.J. Naughton, B. Javidi, Resistance of the double random phase encryption against various attacks, Opt. Express 15 (2007) 10253–10265.

[17] U. Gopinathan, D.S. Monaghan, T.J. Naughton, J.T. Sheridan, A known-plaintext heuristic attack on the Fourier plane encryption algorithm, Opt. Express 14 (2006) 3181–3186.

[18] G. Situ, G. Pedrini, W. Osten, Strategy for cryptanalysis of optical encryption in the Fresnel domain, Appl. Opt. 49 (2010) 457–462.

[19] W. Qin, X. Peng, Vulnerability to known-plaintext attack of optical encryption schemes based on two fractional Fourier transform order keys and double random phase keys, J. Opt. A 11 (2009) 075402.

[20] W. Qin, X. Peng, Asymmetric cryptosystem based on phase-truncated Fourier transforms, Opt. Lett. 35 (2010) 118–120.

[21] X. Wang, D. Zhao, A special attack on the asymmetric cryptosystem based on phase-truncated Fourier transforms, Opt. Commun. 285 (2012) 1078–1081.

[22] J. Wu, W. Liu, Z. Liu, S. Liu, Cryptanalysis of an asymmetric optical cryptosystem based on coherent superposition and equal modulus decomposition, Appl. Opt. 54 (2015) 8921–8924.

[23] X. Wang, D. Zhao, Double images encryption method with resistance against the specific attack based on an asymmetric algorithm, Opt. Express 20 (2012) 11994–12003.

[24] Y. Xiong, A. He, C. Quan, Security analysis of a double-image encryption technique based on an asymmetric algorithm, J. Opt. Soc. Amer. A 35 (2018) 320–326.

[25] X. Wang, D. Zhao, Amplitude-phase retrieval attack free cryptosystem based on direct attack to phase-truncated Fourier-transform-based encryption using a random amplitude mask, Opt. Lett. 38 (2013) 3684–3686.

[26] Y. Xiong, A. He, C. Quan, Specific attack and security enhancement to optical image cryptosystem based on two random masks and interference, Opt. Lasers Eng. 107 (2018) 142–148.

[27] Y. Xiong, A. He, C. Quan, Hybrid attack on an optical cryptosystem based on phase-truncated Fourier transforms and a random amplitude mask, Appl. Opt. 57 (2018) 6010–6016.

[28] X. Wang, Y. Chen, C. Dai, D. Zhao, Discussion and a new attack of the optical asymmetric cryptosystem based on phase-truncated Fourier transform, Appl. Opt. 53 (2014) 208–213.

[29] G. Yang, L. Wang, B. Dong, B. Gu, On the amplitude-phase retrieval problem in an optical system involving non-unitary transformation, Optik 75 (1987) 68–74.

[30] L. Wang, B. Dong, G. Yang, Phase retrieval from two intensity measurements in an optical system involving nonunitary transformation, Appl. Opt. 29 (1990) 3422–3427.

[31] R.W. Gerchberg, W.O. Saxton, A practical algorithm for the determination of phase from image and diffraction plane pictures, Optik 35 (2) (1972).

[32] M. Piao, Z. Liu, Y. Piao, H. Wu, Z. Yu, N. Kim, Multi-depth three-dimensional image encryption based on the phase retrieval algorithm in the Fresnel and fractional Fourier transform domains, Appl. Opt. 57 (2018) 7609–7617.

[33] J. Fienup, Phase retrieval algorithms: a personal tour [Invited], Appl. Opt. 52 (2013) 45–56.

[34] J. Fienup, Phase retrieval algorithms: a personal tour [Invited], Appl. Opt. 52 (2013) 45–56.

[35] C. Zhang, W. He, J. Wu, X. Peng, Optical cryptosystem based on phase-truncated Fresnel diffraction and transport of intensity equation, Opt. Express 23 (2015) 8845–8854.

[36] M. Totzeck, Validity of the scalar Kirchhoff and Rayleigh–Sommerfeld diffraction theories in the near field of small phase objects, J. Opt. Soc. Amer. A 8 (1991) 27–32.

[37] G. Sherman, Application of the convolution theorem to Rayleigh's integral formulas, J. Opt. Soc. Amer. 57 (1967) 546–547.

[38] Y. Xiong, A. He, C. Quan, Security analysis and enhancement of a cryptosystem based on phase truncation and a designed amplitude modulator, Appl. Opt. 58 (2019) 695–703.