Vulnerability to ciphertext-only attack of optical encryption scheme based on double random phase encoding

Xiaoli Liu; Jiachen Wu; Wenqi He; Meihua Liao; Chenggong Zhang; Xiang Peng

doi:10.1364/OE.23.018955

1. Introduction

With optical information processing technology developed in the past decades, optical encryption emerged as a research hotspot for several years [1–25 ]. Compared with traditional encryption scheme, optical encryption techniques have some unique advantages such as intrinsic parallelism and multiple dimensions because the wavelength, propagation distance and polarization status of the illumination light could be designed as the secret key of an encryption system. As a milestone invention, Refregier and Javidi first proposed a scheme called double random phase encoding (DRPE) to successfully encrypt a plaintext image into a noisy-like image in 1995 [1], since then, optical image encryption method have developed various forms based on DRPE or other encryption schemes [2–25 ]. In 1999, Osamu Matoba et al. first proposed an encrypted optical memory system based on DRPE using three dimensional keys [2], and wavelength key [3], Situ et al. have implemented the DRPE in Fresnel transform domain without lens in 2004 [6], and succeeded to the multiple-image encryption schemes by wavelength multiplexing and position multiplexing respectively [7, 8 ]. Unnikrishnan et al. and Liu et al. independently proposed an optical encryption method using random phase encoding in the Fractional Fourier transform (FRFT) domain [9–12 ], subsequently several DRPE-based schemes of multiple-image encryption have also been presented in FRFT domain [13–16 ]. In addition, Hartley transform domain and Gyrator transform domain have also been introduced into optical encryption schemes recently [17–21 ]. Besides the DRPE scheme, some other optical encryption architectures have been put forward [22–25 ]. Nevertheless, the canonical DRPE scheme has been wildly studied for its simple and feasible structure, and its security problems are attracting more and more attention [26–33 ]: Carnicer et al. first proved that the DRPE was vulnerable to chosen-ciphertext attacks (CCA) in 2005 [26]. Gopinathan et al. proposed a known-plaintext attack (KPA) scheme that the key is obtained through a simulated annealing process [27]. Soon after, Peng et al. demonstrate an approach to known-plaintext attack on DRPE system by using phase retrieval algorithm [28]. Yann Frauel et al. proposed a technique to recover the exact keys with two known plain images base on solving equations [29]. Tang et al. proposed ciphertext-only attack (COA) method by estimating plaintext’s support [30]. Meanwhile, DRPE in Fresnel domain was also proved to be vulnerable to chosen-plaintext attack (CPA) [31]. In 2009, Qin et al. successful implement KPA on DRPE in FRFT domain [32]. In 2012, He et al. proposed a hybrid two-step attack on a security-enhanced DRPE cryptosystem [33].

Among the aforementioned attack methods, the CCA and the CPA require some well-designed ciphertext-plaintext pairs, and the KPA need at least a pair of plaintext-ciphertext. However, it’s usually impractical to acquire so many resources in a real world. In this paper, we present a ciphertext-only attack (COA) method, which deduces the decryption key from ciphertext without the additional prior information. The proposed COA method against DRPE mainly relies on a hybrid iterative phase retrieval (HIPR) algorithm. Compared with the above cryptanalysis methods (CCA, CPA, and KPA), we require the least resources, this is an important feature in practical applications, and it is more accurate and effective than Tang’s COA method [30].

The rest of the paper is organized as follows. Section 2 gives an overview of cryptanalysis to the optical encryption scheme based on DRPE. Section 3 introduces some basic theory of the number of nonzero pixel (NNP) constraint, which is related to HIPR algorithm. Section 4 describes the COA process of DRPE based on HIPR algorithm. Section 5 presents the simulation results. The conclusion and discuss are described in last section.

2. Overview of the optical encryption scheme based on DRPE

In this section, we briefly review the principle of the DRPE technique, in which the classic 4-F imaging system is employed to perform the image encryption. In order to make the following description more explicit, we stipulate the coordinate in spatial domain and frequency domain are denoted $(x, y)$ and $(u, v)$ respectively. As shown in Fig. 1 , the plaintext $f (x, y)$ is modulated by the first random phase mask $\exp [i 2 π n (x, y)]$ , and then is optically Fourier transformed and multiplied by the second random phase mask $\exp [i 2 π b (u, v)]$ , the two random phase masks are independent and severed as the two secret keys of the cryptosystem. After that, an inverse Fourier transformation is introduced to produce the ciphertext $ψ (x, y)$ , which can be represented by the Eq. (1):

Fig. 1 Schematic diagrams of double random phase encryption scheme.

Download Full Size | PDF

ψ (x, y) = {FT}^{- 1} {FT {f (x, y) \exp [i 2 π n (x, y)]} \cdot \exp [i 2 π b (u, v)]}

The procedure of decryption is exact a reverse process from that of encryption. More details about the decryption can be found in [1]. Here, we have to clarify that the all the plaintexts used in this manuscript will be a pure amplitude-based distribution.

As well known, key space refers to the set of all possible keys that can be used to generate a key, and is one of the most important attributions to assess the security strength of a cryptosystem. In DRPE system, each phase key is usually discretized to $N$ pixels and $L$ discrete phase levels in computer simulations, so the two phase keys totally provide a key space containing $L^{2 N}$ possible combinations. If the size of the phase mask is 100 × 100 pixels and the phase levels is 256, for a brute-force attack, an attacker need try $256^{2 \times 100 \times 100}$ key combinations to find the exact one in principle, this number is quite huge, it’s almost impossible for attacker to find the correct and unique phase keys. However, researchers found out that the phase keys are not sensitive to the mistakes, that’s to say, one could always find many phase keys to decrypt a plaintext with tolerable errors [29, 34, 35 ].

Furthermore, according to the well-known Kerckhoffs’ principle in the research area of cryptanalysis that everything about the cryptosystem, except the key, is public knowledge, we can first compute the Fourier transform of the ciphertext based on Eq. (1) to get $Ψ (x, y)$ :

Ψ (u, v) = FT {ψ (x, y)} = FT {f (x, y) \exp [i 2 π n (x, y)]} \cdot \exp [i 2 π b (u, v)]

Let

f^{'} (x, y) = f (x, y) \exp [i 2 π n (x, y)]

and

F (u, v) = FT {f^{'} (x, y)}

, then Eq. (2) can be simplified as:

\begin{matrix} Ψ (u, v) = FT {f^{'} (x, y)} \cdot \exp [i 2 π b (u, v)] \\ = F (u, v) \cdot \exp [i 2 π b (u, v)] \end{matrix}

Then take the modulus operator on both sides of Eq. (3), we get:

| Ψ (u, v) | = | F (u, v) |

Suppose we know one ciphertext $ψ (x, y)$ , and then the magnitude of $F (u, v)$ (the Fourier transform of $f^{'} (x, y)$ , which is a complex distribution combined by the plaintext and the first phase mask) will also be easily obtained according to Eq. (4). Thereafter, it is possible to recover the intensity of the corresponding plaintext by using the single intensity phase retrieval algorithm with the frequency magnitude constraint (the magnitude of $F (u, v)$ ), and further determine the secret keys of the cryptosystem.

The most widely used single intensity phase retrieval algorithm is the hybrid input-output (HIO) algorithm proposed by Fienup [36]. However, it needs not only the magnitude distribution (also known as modulus constraint) in Frequency domain but also the compact support constraint in spatial domain. In next section (section 3), we will introduce an easier and efficient way (NNP constraint) to replace the compact support constraint mentioned above and verifies that DRPE is vulnerable to our proposed HIPR algorithm (section 4).

3. Iterative phase retrieval algorithm with the number of nonzero pixel (NNP) constraint

As mentioned above, the iterative phase retrieval algorithm based on single intensity measurement, such as the error reduction (ER) and hybrid input-output (HIO), usually needs a magnitude constraint in the frequency domain and the corresponding support constraint in the object domain [36]. In this section, we would like to introduce the NNP constraint to substitute for the traditional support constraint [37–40 ]. It is the truth that, for any a single intensity iterative phase retrieval algorithm, the support constraint is not easy to estimate and evaluate. As the NNP constraint, just a number, consist of all the support constraints which have identical number of pixel in the support, the NNP constraint is looser but also effective while implementing a phase retrieval algorithm compare with traditional support constraints [40].

A flow chart of the iterative phase retrieval algorithm with NNP constraint is shown in Fig. 2 . First of all, an initialized random signal $g_{0} (x, y)$ is generated as the input function in the object domain. Suppose the iteration algorithm proceeds to the $n$ th iteration, the following steps could be described as:

Fig. 2 Flow chart of iterative phase retrieval with NNP constraint in the nth iteration.

Download Full Size | PDF

1. Fourier transform $g_{n} (x, y)$ to obtain $G_{n} (u, v)$ ;
2. Keep the current phase part of $G_{n} (u, v)$ , and impose the frequency magnitude constraint ( $| F (u, v) |$ ) leading to ${G^{'}}_{n} (u, v) = | F (u, v) | \frac{G_{n} (u, v)}{| G_{n} (u, v) |}$ ;
3. Inverse Fourier transform ${G^{'}}_{n} (u, v)$ to obtain ${g^{'}}_{n} (x, y)$ ;
4. Sort the elements of ${g^{'}}_{n} (x, y)$ (regarded as a matrix) by their magnitude modulus in descending order, then extract the first K elements’ coordination as current dynamic support $S_{n}$ (we assume NNP is K);
5. With the support $S_{n}$ , impose object domain constraint to obtain $g_{n + 1} (x, y)$ , whose form depends on the specific algorithm, such as HIO, CF or ER. The specified details can be found in the following part immediately after step 6;
6. Go back to step 1 and continue the next iteration with $g_{n + 1} (x)$ as the new input substituting for $g_{n} (x)$ .

For HIO algorithm:

g_{n + 1} (x) = {\begin{cases} {g^{'}}_{n} (x) x \in S_{n} \\ g_{n} (x) - β {g^{'}}_{n} (x) x \notin S_{n} \end{cases}

For CF algorithm:

g_{n + 1} (x) = {\begin{cases} {g^{'}}_{n} (x) x \in S_{n} \\ - {g^{'}}_{n} (x) x \notin S_{n} \end{cases}

For ER algorithm:

g_{n + 1} (x) = {\begin{cases} {g^{'}}_{n} (x) x \in S_{n} \\ 0 x \notin S_{n} \end{cases}

It can be seen from the above iterative algorithm that the dynamic support

S_{n}

is updated in each iteration process. In [39], HIO algorithm working with a dynamic support

S_{n}

was called dynamic HIO (DHIO), and this method is adopted as one part of our scheme.

Meanwhile, it is worth to point out that only if the NNP is less than 25% of the whole pixels in the image (object, two-dimensional signal) the constraint can work, because a signal in two or more dimensions can be uniquely specified, except for flipping and shifting, by the magnitude of its twice oversampled discrete Fourier transform (DFT) [41]. The validity and feasibility of the iterative phase retrieval algorithm with the NNP constraint has been heuristically proved by the convex optimization theory [42].

The aforementioned iterative phase retrieval algorithm with NNP constraint can be turned into as that of finding a function g that satisfies the NNP constraint (N) in object domain and magnitude constraint (M) in frequency domain simultaneously, that is to find the function $g \in N \cap M$ . Then the iterative procedure can be considered as the alternative projections between the two constraints sets N and M. the iteration procedure will not stop until the projection achieves the intersection of N and M (Fig. 3 ). The frequency domain constraint M is a function set satisfied:

M = {g \in ℒ : | FT {g} | = F}

where

ℒ

is a square-integrable vector space, F is the given frequency domain magnitude constraint. For NNP constraint:

N = {g \in ℒ : {‖ g ‖}_{0} = K}

K is a non-negative integer denoting the number of non-zero pixels, and symbol

{‖ \cdot ‖}_{0}

represents the operation of counting the number of a vector’s non-zero elements. Obviously, the support constraint S is the subset of NNP constraint N, namely

S \subset N

.

Fig. 3 Visualization of alternating projections in 3-dimention real vector space. (a) The comparison: alternating projection with support constraint and NNP constraint. (b) The comparison: projection algorithm (ER), over projection algorithm (CF), and HIO algorithm.

Download Full Size | PDF

Furthermore, we would like to intuitively show the advantages of NNP constraint over the traditional support constraint by tracing the alternative projection routes of the iteration procedures with the two different constraints, respectively. Assume that in a 3-dimensional real vector space $ℝ^{3}$ (Fig. 3), all the objective constraints are located on a 2-dimensonal real vector space, and the frequency constraint is determined by vector $F = (3, 5, 5)$ , which is equally described by two circles in $ℝ^{3}$ . The red route (projections) represents the iteration procedures between the traditional support constraint S ( $x - y$ plane) and the frequency domain constraint M (the two blue circles), the iterative procedures (initialized at point $g_{0}$ ) will not stop until the projections convergences to the point $(1.254, - 4.254, 0)$ , which is one of the intersection of S and M. In other hand, the green route (projections) represents the iteration procedures between the NNP constraint N ( $x - y$ plane, $y - z$ plane, and $x - z$ plane) and the Frequency domain constraint M (the two blue circles), the iteration procedure, with the same initial point $g_{0}$ , coincides with the red route at first several points in $x - y$ plane, and then it jumps to $g_{2}$ in $y - z$ plane (the yellow plane). Because the distance, between ${g^{'}}_{1}$ and the $y - z$ plane, is closer, than that of ${g^{'}}_{1}$ and the $x - y$ plane. In other words, the projecting onto NNP constraint set in the iterations is always choosing the closest constraint plane. At last, it convergences to the point $(0, - 4.254, 1.254)$ , which is a flipping solution of the previous result by using of the traditional support constraint. Intuitively, the introducing of NNP constraint increases the possible number of intersection (solution). In fact, according to the theory about uniqueness of solution developed by Hayes [41], the additional solutions, named trivial solutions, are identical with the real solution except for the flipping and shifting, and which solution the iterative procedure will lead to only depends on the initial value $g_{0}$ .

It’s worth mentioning that the reason of using ER algorithm in Fig. 3(a) as the example is just because it is more concise and intuitive, but in this paper we adopt CF algorithm and HIO algorithm which are over projection algorithm in order to accelerate the speed of convergence and escape from the local minimums. One other thing to note is the practical situation has much higher dimensions and is much more complicated than this example, but we believe that a visualized demonstration into NNP constraint together with the traditional support constraint in a lower dimension (3-dimention) is valuable.

4. Ciphertext-only attack (COA) on the optical encryption scheme based on DRPE

For a COA method, an attacker is assumed to be only able to obtain the ciphertexts, and is expected to retrieve the corresponding plaintexts or even the secret key(s). As the magnitude (squared) of a signal’s Fourier transform and its autocorrelation are Fourier transform pair:

FT {f^{'} (x, y) \otimes f^{'} (x, y)} = {| F (u, v) |}^{2}

where

\otimes

is the correlation operator, an attacker could get the autocorrelation of

f^{'} (x, y)

according to Eq. (4) and (10) . Meanwhile, our experience shows that the NNP of an object is always falling in 1/6 to 1/4 of the NNP of the object’s autocorrelation, therefore an attacker could further estimate the NNP of the corresponding plaintext. Although such estimation is not accurate enough, a one-dimensional parameter search is then easier and feasible compared with estimating a support in two-dimensional space. As soon as we (attacker) get the estimated NNP of the object, we can move to the main steps of our hybrid iterative phase retrieval (HIPR) algorithm to explore its feasibility, and further demonstrate that not only the corresponding plaintext but also the secret keys could be largely retrieved only by one given ciphertext.

For a 256 × 256 image encryption system based on DRPE scheme, The proposed attack method using of our designed HIPR algorithm usually consists of 200 times dynamic HIO iterations (provide an initialized support), 800 times traditional HIO iterations, followed by another 200 times iterations alternatively employing the HIO and CF. As for the reason why the algorithms are organized like this, a reasonable interpretation is that, the DHIO algorithm is first adopted to roughly estimate the object domain support, then the HIO algorithm is used to further explore the whole object domain including the phase term, and finally the participation of CF algorithm can update the support as well as reduce the error by modifying the object constraint (Eq. (6)). To judge whether the solution has been found, a convergence criterion R is introduced. It is defined by the difference between $| F |$ and $| G_{n} |$ :

R = \frac{\sum_{i = 1, j = 1}^{M, N} | | G_{n} (u_{i}, v_{j}) | - F (u_{i}, v_{j}) |}{\sum_{i = 1, j = 1}^{M, N} F (u_{i}, v_{j})}

A threshold value c is used to decide whether or not to terminate the iterative process, if

R > c

, the iteration will turn back and re-start from the HIO. Once

R \leq c

, the iteration stops and the output

g (x, y)

is what we expected. The flow chart is show in Fig. 4 (the symbol

^

in Fig. 4 denote the estimated value).

Fig. 4 Flow chart of the COA process of DRPE based on HIPR algorithm

Download Full Size | PDF

In addition, to eliminate the speckle noise in the dynamic support, ${g^{'}}_{n} (x, y)$ is filtered by convolving a circle function in each iteration [39]. Certainly, various image processing techniques can be also applied to remove the support noise, such as morphologically remove small objects, or fill image regions and holes.

It is worthy pointing out that the recovered plaintext will always existing pixel shifting or flipping compared with the original plaintext, as shown in section 5. This will of course affect the final result unless we make a corresponding invers-shifting or invers-flipping.

Now, we would like to describe how to remove the influence of shifting and flipping. First, if the recovered plaintext only have a shifting amount $(x_{0}, y_{0})$ , namely, $g (x, y) = f^{'} (x - x_{0}, y - y_{0})$ , according to Fourier shift theorem, the Fourier transform of recovered object is

G (u, v) = FT {g (x, y)} = \exp [- j 2 π (u x_{0} + v y_{0})] \cdot F (u, v)

We could then directly obtain the shifted frequency domain key

\hat{φ} (u, v)

by

\hat{φ} (u, v) = \frac{Ψ (u, v)}{G (u, v)} = \exp [j 2 π (u x_{0} + v y_{0})] \cdot \exp [j b (u, v)]

the symbol

^

denote the estimation value. As we have mentioned that what we concern is only the amplitude-only plaintext, there is no need to further calculate the spatial domain key.

And then we use the shifted key $\hat{φ} (u, v)$ to decrypt a subsequent ciphertext $ψ_{s} (x, y)$ , we have

\begin{matrix} {\hat{f}}_{s} (x, y) = | {FT}^{- 1} {FT {ψ_{s} (u, v)} \cdot {\hat{φ}}^{*}} | \\ = | {FT}^{- 1} {FT {f_{s} (x, y) \exp [j n (x, y)]} \exp [j b (α, β)] \cdot {\hat{φ}}^{*}} | \\ = | {FT}^{- 1} {FT {f_{s} (x, y) \exp [j n (x, y)]} \cdot \exp [- j 2 π (u x_{0} + v y_{0})]} | \\ = f_{s} (x - x_{0}, y - y_{0}) \end{matrix}

The superscript asterisk “*” denotes complex conjugation. We can see that the subsequently recovered plaintext by using the shifted frequency key has the same shifting characteristic. To solve the problem, we need only modify the phase key by multiplying a fixed phase term

\exp [- j 2 π (u x_{0} + v y_{0})]

, namely,

φ (u, v) = \hat{φ} (u, v) \cdot \exp [- j 2 π (u x_{0} + v y_{0})]

Furthermore, if the recovered plaintext is not only have a shifting amount $(x_{0}, y_{0})$ , but also rotate 180 degrees, that means $g (x, y) = {f^{'}}^{*} (- (x - x_{0}), - (y - y_{0}))$ , so

G (u, v) = FT {g (x, y)} = \exp [j 2 π (u x_{0} + v y_{0})] \cdot F^{*} (u, v)

Reformulate Eq. (16)

F (u, v) = G^{*} (u, v) \cdot \exp [j 2 π (u x_{0} + v y_{0})]

So the correct frequency domain key is

φ (u, v) = \frac{Ψ (u, v)}{F (u, v)} = \frac{Ψ (u, v)}{G^{*} (u, v)} \cdot \exp [- j 2 π (u x_{0} + v y_{0})]

5. Computer simulation

We performed a set of numerical simulations to verify our proposed HIPR algorithm strategy, our experimental environment is as follow: Intel Core i3-3220 CPU 3.30Ghz, 8Gb RAM, the software of MATLAB version is 7.10.0.499 (R2010a). To illustrate our COA strategy on the image encryption scheme based on DRPE, we (attacker) are assumed to know two ciphertexts shown in Fig. 5(b) and 5(f) , the corresponding original plaintexts are a 8-bit gray-scale image and a binary one with the same size of 256 × 256 pixels, as shown in Fig. 5(a) and 5(e). Taking the analysis in section 4 into account, both of the autocorrelations of complex-valued plaintexts (plaintext with spatial domain phase key) can be first calculated by using of the given ciphertexts separately, and the supports of them can be also acquired by employing the binarization scheme with a small threshold, e.g. 0.0002 [Fig. 5(c) and 5(g)]. We can then obtain the NNP of plaintext’s autocorrelations by counting the number of pixels in white regions. According to the conclusion in section 4 (object’s NNP is between 1/6 and 1/4 of its autocorrelation’s NNP), an estimation range of the plaintext’s NNP can be got. At last, a few values are chosen from this range to perform the presented HIPR algorithm respectively, and then we select the most highly recognizable images from the results as final recovered image [Fig. 5(d) and 5(h)]. How to select the values for the plaintext’s NNP? We would like to take the gray-scale image as example, the proportion of white region in Fig. 5(c) is 45.64%, and so the NNP’s percentage should between 7.61% and 11.41%. Relying on a mass of experiments we found out that the plaintext can be recovered with a high enough fidelity if the mistake of NNP is less than 5% [39], in this simulations, we choose 1% as the search step and then 8%, 9%, 10%, 11% and 12% are the 5 values to be used in our simulation. Finally, we can find that 9% is the optimal value (see Fig. 6 ).

Fig. 5 (a) The original gray-scale plaintext ‘dog’, (b) amplitude distribution of the corresponding ciphertext of (a), (c) the support of autocorrelation of plaintext (a), (d) recovered plaintext from (b) by use our proposed attack scheme, (e) the original binary plaintext ‘SZU’, (f) amplitude distribution of the corresponding ciphertext of (e), (g) the support of autocorrelation of plaintext (e), (d) recovered plaintext from (f) by using our proposed attack scheme.

Download Full Size | PDF

Fig. 6 Recovered plaintext with 5 estimated NNP parameter. The NNP’s percentages are (a) 8%, (b) 9%, (c) 10%, (d) 11%, and (e) 12%.

Download Full Size | PDF

The variation in R factors during iterations of the algorithm is shown in Fig. 7(a) . For a 256 × 256 image, the elapsed time of whole process of iteration is about 21 seconds. We also tested a 1024 × 1024 image, the elapsed time is about 300 seconds. It is not hard to find that the elapsed time is almost linearly respect to the number of pixels. To specify the different stages during the iteration process, the algorithms used are indicated in Fig. 7(a). The R factor decreases rapidly for the first 200 iterations, which is the dynamic HIO procedure, then continues by HIO only. At last, the R factors in our current test approaches almost zero by using alternate iteration between HIO and CF. We find that during the HIO iteration process, the convergence curve is nearly flat, this phenomenon plausibly tells us the HIO doesn’t work. Actually, HIO greatly contribute to search the global optimum solution, the pixel value in support will be closer to true value when the image is expected to approach global optimum solution. Nevertheless, the values out of support usually will result in the R factors staying at a high level [see Fig. 7(b) and 7(c)], and the introducing of CF algorithm will improve the distribution of the values out of the support and therefore let the R factors fall rapidly.

Fig. 7 (a) The R factors as a function of iteration number for both gray-scale image and binary image respectively. (b) Reconstructed gray-scale image after 1000th iteration. (c) Reconstructed binary image after 1000th iteration.

Download Full Size | PDF

To evaluate the similarity between the original plaintext and recovered one, we also introduce correlation coefficient (cc) as another metrics for convergence, the cc is defined as

c c = \frac{\sum_{i = 1, j = 1}^{M, N} (f_{i, j} - f_{m e a n}) ({\hat{f}}_{i, j} - {\hat{f}}_{m e a n})}{\sqrt{(\sum_{i = 1, j = 1}^{M, N} {(f_{i, j} - f_{m e a n})}^{2}) (\sum_{i = 1, j = 1}^{M, N} {({\hat{f}}_{i, j} - {\hat{f}}_{m e a n})}^{2})}}

where

f

and

\hat{f}

represent the original plaintext and the recovered plaintext,

f_{m e a n}

and

{\hat{f}}_{m e a n}

represent mean value of original plaintext and the recovered plaintext, respectively. The variation in cc during iterations of the algorithm is shown in Fig. 8 .

Fig. 8 The correlation coefficient (cc) as a function of iteration number for both gray-scale image and binary image respectively.

Download Full Size | PDF

In above two cases, the recovered objects have certain degree of shifting and flipping compared with origin object, which is the trivial solutions as the analysis in section 3 and its influence could be removed as proved in section 4.

Furthermore, to verify the validity of estimated (cracked) phase key, we select a subsequent ciphertext [Fig. 9(b) ], the original plaintext of which is a Lena image [Fig. 9(a)]. Figure 9(c) are decrypted plaintexts by unmodified key calculated from above gray-scale image case, obviously, the picture have a displacement, we can judge the position of picture edge empirically and measure the shift distance, then by using Eq. (15), we can get the modified phase key picture without displacement shown in Fig. 9(d). The correlation coefficient between plaintext and decryption result is 0.9664.

Fig. 9 Decryption result of the subsequent ciphertext with the cracked keys. (a) The original Lena image. (b) The ciphertext corresponding to (a). (c) Decryption result by unmodified key. (d) Decryption result by modified key.

Download Full Size | PDF

To the best of our knowledge, only one published work analyzed the DRPE encryption system with a COA method [30], which adopted a cumbersome method [43] to estimated support and then using the HIO algorithm to retrieve the plaintext. And when the iterative time is 5000, the corresponding correlation coefficient is about 0.6. It’s worth to point out that, compared with Tang’s work, this work need less iteration times but possesses of higher image quality (see Fig. 10 ).

Fig. 10 The comparison of simulation result by using different COA methods. (a), (b), (c) The estimated support of “dog”, recovered plaintext and decrypted subsequent Lena image by using the approach proposed in [30] and [43], respectively. (d), (e), (f) The estimated support of “dog”, recovered plaintext and decrypted subsequent Lena image by our approach respectively.

Download Full Size | PDF

In addition, we added another simulation results to demonstrate the effectiveness of our HIPR algorithm. The plaintext is an image of a “tree” which has an intricate support structure. The corresponding results clearly indicates that the proposed HIPR algorithm have a high robustness to an intricate support structure (see Fig. 11 ).

Fig. 11 (a) The original gray-scale plaintext ‘tree’, (b) amplitude distribution of the corresponding ciphertext of (a), (c) the recovered support of plaintext (a), (d) recovered plaintext from (b) by use our proposed attack scheme, (e) The R factors as a function of iteration number. (f) The correlation coefficient as a function of iteration number.

Download Full Size | PDF

6. Conclusion

In summary, we have demonstrated the optical encryption based on the DRPE scheme is vulnerable to COA. The proposed COA strategy converts the COA issue into a single intensity phase retrieval problem. As the NNP constraint is easier to obtain and more effective than the traditional support constraint in phase retrieval algorithm, we introduced the NNP constraint into the phase retrieval algorithm and proposed a HIPR algorithm that requires less resources and iteration times while attacking the original DRPE system compared with other attack methods. A set of numerical simulations has been provided to verify the feasibility and validity of our method.

Moreover, we would also like to point out that the presented COA scheme would fail if the plaintext were not sparse enough. As a matter of fact, if the encryption process were implemented in optical setups, the ciphertext would be continuous in the actual physical environment and it is usually oversampled by image sensor, therefore the redundant information introduced by oversampling in ciphertext offers a possibility to recover the plaintext by the proposed HIPR algorithm.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (61171073, 61201355, 61307003, 61377017), and the Sino-German Center for Research Promotion (GZ 760). The grants from Scientific and Technological Project of the Shenzhen government (JCYJ20140828163633999) is also acknowledged.

References and links

1. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20(7), 767–769 (1995). [CrossRef] [PubMed]

2. O. Matoba and B. Javidi, “Encrypted optical memory system using three-dimensional keys in the Fresnel domain,” Opt. Lett. 24(11), 762–764 (1999). [CrossRef] [PubMed]

3. O. Matoba and B. Javidi, “Encrypted optical storage with wavelength-key and random phase codes,” Appl. Opt. 38(32), 6785–6790 (1999). [CrossRef] [PubMed]

4. O. Matoba, T. Nomura, E. Perez-Cabre, M. S. Millan, and B. Javidi, “Optical Techniques for Information Security,” Proc. IEEE 97(6), 1128–1148 (2009). [CrossRef]

5. W. Chen, B. Javidi, and X. Chen, “Advances in optical security systems,” Adv. Opt. Photonics 6(2), 120–155 (2014). [CrossRef]

6. G. Situ and J. Zhang, “Double random-phase encoding in the Fresnel domain,” Opt. Lett. 29(14), 1584–1586 (2004). [CrossRef] [PubMed]

7. G. Situ and J. Zhang, “Multiple-image encryption by wavelength multiplexing,” Opt. Lett. 30(11), 1306–1308 (2005). [CrossRef] [PubMed]

8. G. Situ and J. Zhang, “Position multiplexing for multiple-image encryption,” J. Opt. A, Pure Appl. Opt. 8(5), 391–397 (2006). [CrossRef]

9. G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption by double-random phase encoding in the fractional Fourier domain,” Opt. Lett. 25(12), 887–889 (2000). [CrossRef] [PubMed]

10. G. Unnikrishnan and K. Singh, “Double random fractional Fourier-domain encoding for optical security,” Opt. Eng. 39(11), 2853–2859 (2000). [CrossRef]

11. B. Zhu, S. Liu, and Q. Ran, “Optical image encryption based on multifractional Fourier transforms,” Opt. Lett. 25(16), 1159–1161 (2000). [CrossRef] [PubMed]

12. S. Liu, L. Yu, and B. Zhu, “Optical image encryption by cascaded fractional Fourier transforms with random phase filtering,” Opt. Commun. 187(1), 57–63 (2001). [CrossRef]

13. R. Tao, Y. Xin, and Y. Wang, “Double image encryption based on random phase encoding in the fractional Fourier domain,” Opt. Express 15(24), 16067–16079 (2007). [CrossRef] [PubMed]

14. Z. Liu and S. Liu, “Double image encryption based on iterative fractional Fourier transform,” Opt. Commun. 275(2), 324–329 (2007). [CrossRef]

15. Z. Liu, J. Dai, X. Sun, and S. Liu, “Triple image encryption scheme in fractional Fourier transform domains,” Opt. Commun. 282(4), 518–522 (2009). [CrossRef]

16. Z. Liu, Q. Li, J. Dai, X. Sun, S. Liu, and M. A. Ahmad, “A new kind of double image encryption by using a cutting spectrum in the 1-D fractional Fourier transform domains,” Opt. Commun. 282(8), 1536–1540 (2009). [CrossRef]

17. L. Chen and D. Zhao, “Optical image encryption with Hartley transforms,” Opt. Lett. 31(23), 3438–3440 (2006). [CrossRef] [PubMed]

18. H. Li and Y. Wang, “Double-image encryption based on iterative gyrator transform,” Opt. Commun. 281(23), 5745–5749 (2008). [CrossRef]

19. Z. Liu, L. Xu, C. Lin, and S. Liu, “Image encryption by encoding with a nonuniform optical beam in gyrator transform domains,” Appl. Opt. 49(29), 5632–5637 (2010). [CrossRef] [PubMed]

20. Z. Liu, L. Xu, C. Lin, J. Dai, and S. Liu, “Image encryption scheme by using iterative random phase encoding in gyrator transform domains,” Opt. Lasers Eng. 49(4), 542–546 (2011). [CrossRef]

21. M. R. Abuturab, “Color image security system based on discrete Hartley transform in gyrator transform domain,” Opt. Lasers Eng. 51(3), 317–324 (2013). [CrossRef]

22. T. Nomura and B. Javidi, “Optical encryption using a joint transform correlator architecture,” Opt. Eng. 39(8), 2031–2035 (2000). [CrossRef]

23. Y. Zhang and B. Wang, “Optical image encryption based on interference,” Opt. Lett. 33(21), 2443–2445 (2008). [CrossRef] [PubMed]

24. P. Clemente, V. Durán, V. Torres-Company, E. Tajahuerce, and J. Lancis, “Optical encryption based on computational ghost imaging,” Opt. Lett. 35(14), 2391–2393 (2010). [CrossRef] [PubMed]

25. W. Chen, X. Chen, and C. J. Sheppard, “Optical image encryption based on diffractive imaging,” Opt. Lett. 35(22), 3817–3819 (2010). [CrossRef] [PubMed]

26. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30(13), 1644–1646 (2005). [CrossRef] [PubMed]

27. U. Gopinathan, D. S. Monaghan, T. J. Naughton, and J. T. Sheridan, “A known-plaintext heuristic attack on the Fourier plane encryption algorithm,” Opt. Express 14(8), 3181–3186 (2006). [CrossRef] [PubMed]

28. X. Peng, P. Zhang, H. Wei, and B. Yu, “Known-plaintext attack on optical encryption based on double random phase keys,” Opt. Lett. 31(8), 1044–1046 (2006). [CrossRef] [PubMed]

29. Y. Frauel, A. Castro, T. J. Naughton, and B. Javidi, “Resistance of the double random phase encryption against various attacks,” Opt. Express 15(16), 10253–10265 (2007). [CrossRef] [PubMed]

30. H. Tang, X. Peng, and J. Tian, “Ciphertext-only attack on double random phase encoding optical encryption system,” Wuli Xuebao 56(5), 2629–2636 (2007).

31. X. Peng, H. Wei, and P. Zhang, “Chosen-plaintext attack on lensless double-random phase encoding in the Fresnel domain,” Opt. Lett. 31(22), 3261–3263 (2006). [CrossRef] [PubMed]

32. W. Qin and X. Peng, “Vulnerability to known-plaintext attack of optical encryption schemes based on two fractional Fourier transform order keys and double random phase keys,” J. Opt. A, Pure Appl. Opt. 11(7), 075402 (2009). [CrossRef]

33. W. He, X. Peng, and X. Meng, “A hybrid strategy for cryptanalysis of optical encryption based on double-random phase–amplitude encoding,” Opt. Laser Technol. 44(5), 1203–1206 (2012). [CrossRef]

34. D. S. Monaghan, U. Gopinathan, T. J. Naughton, and J. T. Sheridan, “Key-space analysis of double random phase encryption technique,” Appl. Opt. 46(26), 6641–6647 (2007). [CrossRef] [PubMed]

35. D. S. Monaghan, G. Situ, U. Gopinathan, T. J. Naughton, and J. T. Sheridan, “Analysis of phase encoding for optical encryption,” Opt. Commun. 282(4), 482–492 (2009). [CrossRef]

36. J. R. Fienup, “Phase retrieval algorithms: a comparison,” Appl. Opt. 21(15), 2758–2769 (1982). [CrossRef] [PubMed]

37. G. Oszlányi and A. Süto, “Ab initio structure solution by charge flipping,” Acta Crystallogr. A 60(2), 134–141 (2004). [CrossRef] [PubMed]

38. J. S. Wu, U. Weierstall, J. C. H. Spence, and C. T. Koch, “Iterative phase retrieval without support,” Opt. Lett. 29(23), 2737–2739 (2004). [CrossRef] [PubMed]

39. J. S. Wu and J. C. H. Spence, “Reconstruction of complex single-particle images using charge-flipping algorithm,” Acta Crystallogr. A 61(2), 194–200 (2005). [CrossRef] [PubMed]

40. H. He, “Simple constraint for phase retrieval with high efficiency,” J. Opt. Soc. Am. A 23(3), 550–556 (2006). [CrossRef] [PubMed]

41. M. H. Hayes, “The reconstruction of a multidimensional sequence from the phase or magnitude of its Fourier transform,” IEEE Trans. Acoust. Speech Signal Process. 30(2), 140–154 (1982). [CrossRef]

42. H. H. Bauschke, P. L. Combettes, and D. R. Luke, “Phase retrieval, error reduction algorithm, and Fienup variants: a view from convex optimization,” J. Opt. Soc. Am. A 19(7), 1334–1345 (2002). [CrossRef] [PubMed]

43. T. Crimmins, J. Fienup, and B. Thelen, “Improved bounds on object support from autocorrelation support and application to phase retrieval,” J. Opt. Soc. Am. A 7(1), 3–13 (1990). [CrossRef]

Vulnerability to ciphertext-only attack of optical encryption scheme based on double random phase encoding

Abstract

1. Introduction

2. Overview of the optical encryption scheme based on DRPE

3. Iterative phase retrieval algorithm with the number of nonzero pixel (NNP) constraint

4. Ciphertext-only attack (COA) on the optical encryption scheme based on DRPE

5. Computer simulation

6. Conclusion

Acknowledgments

References and links

Cited By

Figures (11)

Equations (19)

Optics Express