Conventional double random phase encoding (DRPE) encrypts plaintext to white noise-like ciphertext which may attract attention of eavesdroppers, and recent research reported that DRPE is vulnerable to various attacks. Here we propose a security enhanced optical encryption system that can hide the existence of secret information by watermarking. The plaintext is encrypted using iterative fractional Fourier transform with random phase key, and ciphertext is randomly permuted with permutation key before watermarking. Cryptanalysis shows that linearity of the security system has been broken and the permutation key prevent the attacker from accessing the ciphertext in various attacks. A series of simulations have shown the effectiveness of this system and the security strength is enhanced for invisibility, nonlinearity and resistance against attacks.
©2009 Optical Society of America
With the rapid development of networked multimedia techniques, the information security is facing more and more challenges nowadays. Optical systems are of growing interests for image encryption because of their distinct advantages of processing two-dimensional complex data in parallel and at high speed. Since the pioneer work of optical encryption based on the concept of double random phase encoding (DRPE) proposed by Réfrégier and Javidi , the research area in optical cryptography has been enlightened and various optical encryption schemes have been proposed during the past decades [2–8]. These methods convert the plaintext to stationary white noise by use of two random phase keys. However, the characteristics of ciphertext may expose the existence of secret information in the data transmission and attract attention of eavesdroppers. The security of optical cryptographic system has become a great concern in recent years [9–16]. According to cryptanalysis, any optical security system could not be claimed secure unless it was able to endure various attacks. Chosen-ciphertext attack , known-plaintext attack [10–12] and chosen-plaintext attack  were proposed to explore the security strength of DRPE. Those attacks have demonstrated that the security flaws originate from the linearity of the DRPE [14–16].
To conceal the existence of secret information, various optical information hiding [17–19] and watermarking [20–22] methods have been proposed. However these methods conceal the secret information without considering the security strength. Therefore the embedded secret information is vulnerable at various attacks. Here we propose an optical security system combines the high security strength of encryption system and invisibility of watermarking technique. The proposed method is based on cascaded fractional Fourier transform system. The plaintext image is first encoded to ciphertext by iterative fractional Fourier transform with use of random phase key. Then the ciphertext is random permuted and embedded in an overt image. The watermarked image for transmission is not white noise-like ciphertext as in DRPE, but similar to overt image with subtle changes that eavesdroppers may not notice. After authorized user receives the watermarked image, ciphertext can be extracted and then restored by inverse permutation. Decryption can be simply performed by fractional Fourier transform with the correct phase key. Cryptanalysis indicates that system linearity has been broken. Furthermore, the security system has good resistance against various attacks because permutation key prevent attacker from accessing the ciphertext directly. A series of numerical simulations have verified the effectiveness of this method and its resistance against attacks.
This paper is organized as follows: In Section 2 the security system is proposed and the encryption and watermarking principle is presented in detail. In Section 3 numerical simulations verify the effectiveness of this method, and also, the phase key quantization and robustness of watermarked image are discussed. In Section 4, we analyze the system linearity and demonstrate the resistances against known-plaintext attack and chosen-plaintext attack respectively. Conclusions are presented in Section 5.
2. Security scheme
The proposed optical encryption and hiding system consists of two fractional Fourier transform (FrFT) systems with fractional order P1 and P2 cascaded together as illustrated in Fig. 1 . We consider three planes of this optical system, referred to as input plane, encryption plane, and output plane. Two Fourier transform lenses are sandwiched in three planes. The input and the encryption planes are two planes located symmetrically with respect to lens 1. Similarly, the encryption plane and the output plane located symmetrically with respect to lens 2. The plaintext for encryption is placed on input plane, and a random phase mask is placed on encryption plane as secret key. The phase distributions on the input plane and output plane can be regarded as two virtual phase masks (VPMs). The VPM in the output plane is defined as ciphertext. The encryption is carried out using iterative FrFT with plaintext and overt image as magnitude constraint conditions. After detailed encryption process that given below, the ciphertext is obtained and then embedded in the overt image as watermark after permutation. The watermarked image has no hint of white noise. Eavesdropper may not notice the secret image in the watermarked image. Since the permutation operation interchange pixel positions of the ciphertext, it is impossible to extract the ciphertext without knowledge of permutation key even if the eavesdropper perceives the existence of secret image. In decryption, the authorized user can extract and restore the ciphertext from watermarked image with inverse permutation operation. The ciphertext is first multiplied with overt image and then transformed by lens 2. Multiplied with the complex conjugation of phase key at encryption plane, the complex amplitude is transformed to input plane by lens 1. Considering the error in the iterative algorithm, the amplitude at input plane can be obtained as an approximation of the plaintext. The decryption can be expressed mathematically as
The objective of encryption algorithm is to calculate phase distribution in the output plane with the known amplitudes of input and output planes which can be referred to a phase retrieval problem. Gerchberg-Saxton (G-S) algorithm  is an efficient and extensively used phase retrieval algorithm in Fourier transform domain. Y. Shi et al have extended the phase retrieval algorithm to Fresnel domain for optical image hiding  and multiple-image hiding . In this paper, we utilize iterative phase retrieval in fractional Fourier transform domain for encryption. As the flowchart shown in Fig. 2 , the algorithm can be described as follows:
- Step 1. Initialize and phase key . Here is VPM of the input plane and phase key can be expressed as . We assign and with random phase uniformly distributed in [0, 2π). The complex amplitude on the input plane is , where is input plaintext image to be encrypted.
- Step 2. Transform complex amplitude in input plane to the encryption plane by FrFT with fractional order P1, then multiply with the phase key , and then transform to output plane by FrFT with fractional order P2. This process can be expressed mathematically as
- Step 3. Impose magnitude constraint in the output plane by replacing the amplitude with overt image while keeping the phase unchanged.
- Step 4. Transform the complex amplitude in the output plane backward to the encryption plane. Then multiply with the complex conjugation of phase key , and then transform to input plane. This process can be expressed mathematically as
- Step 5. Evaluate the amplitude with preset plaintext . One common used criterion is mean square error (MSE) which can be defined as
- Step 6. If the convergence condition is not satisfied, replace the amplitude of input plane using , while retaining the phase component unchanged, and then return to Step 2.
After iteration, is extracted as the ciphertext. Then each pixel of ciphertext is permuted according to a permutation key which controls the random interchange of pixels. Permutation operation is widely used in cryptography  and optical security system [7, 25]. The permuted ciphertext is generally like a random noise distribution, and the original ciphertext can be restored by inverse permutation with the same permutation key. The permutation operation provides additional freedom for encryption, and furthermore the permutation key enhances the security level by preventing phase retrieval in attacks.
To hide the existence of ciphertext, the ciphertext is then embedded in the overt image with a proper weighting factor α. The permutation and spatial domain watermarking can be expressed as
When the authorized user received the watermarked image, ciphertext can be extracted and restored by inverse permutation. Then plaintext can be easily decrypted using Eq. (1).
3. Numerical simulations
In order to verify the feasibility of proposed optical encryption and hiding method, a series of computer simulations have been carried out. In all simulations the images are 256×256 pixels in size, and 256 gray levels for grayscale images. Considering the cascaded FrFT system shown in Fig. 1, the parameters are d 1=80mm, d 2=90mm, and f 1=100mm, f 2=120mm, and the corresponding fractional orders are P1=0.8718, and P2=0.7836 .
In the simulation, we encrypt a binary image shown in Fig. 3(a) to demonstrate the information encryption and hiding ability of the security scheme. The overt image shown in Fig. 3(b) is used as magnitude constraint in the output plane and also can be used as host image in the watermarking. Without lose of generality, we use random phase distributions, which are uniform distribution between [0, 2π), as initial values of and . After each loop, the amplitude in the input plane is measured by MSE criterion. From the MSE evolution curve shown in Fig. 4 , we can find that MSE is converging fast at first, and then slow down after 20 loops. So we can set maximum loop number as 20 to save computation time. The ciphertext shown in Fig. 3(c) is obtained by extracting the phase component at output plane. Then the ciphertext is permuted according to the permutation key. The permuted ciphertext shown in Fig. 3(d) looks like random white noise. Next, we utilize spatial domain watermarking to hide the ciphertext with weighting factor 0.02. The value range of weighting factor has been studied intensively [20, 22]. In Ref. 20, the cases of constant-level weighting and image-dependent weighting are discussed, and Ref. 22 exhibits the effect of different weighting factors on retrieved hidden image. Here we take a small value as weighting factor to hide the ciphertext invisibly. From the watermarked image shown in Fig. 3(e), it is impossible to perceive the secret information with human vision. Even eavesdroppers find the hidden information, it is hard to restore the ciphertext without the knowledge of permutation key. The authorized user can restore the ciphertext with permutation key and decrypted it with phase key. The decrypted image shown in Fig. 3(f) contains some noises because after encryption the amplitude of input plane is an approximation of plaintext . The MSE for decrypted image is 0.014 as given in Table 1 . Considering the maximum loop number is 20, a smaller MSE may be achieved with a large loop number. Besides, noises in Fig. 3(f) can be suppressed by filtering.
In above simulation the plaintext and overt images have 256 gray levels. In the phase key which can be expressed as , is float point of 32 bit for calculating ciphertext at maximum accuracy. Taking the state-of-the-art fabrication technology into account, it is reasonable to represent the phase key in discrete form. By uniform quantization , we quantize phase key to 2 level, 4 level and 8 level phase keys respectively. From the decrypted results (using 2 level, 4 level and 8 level phase keys) shown in Fig. 5(a) –5(c), we notice that the noises in the decrypted images decrease with more quantization levels, and 4 level quantization may obtain a recognizable decryption result for binary plaintext images.
Quantization noise in the decryption results can be evaluated using MSE criterion. The MSEs of decrypted images after 20th loop are calculated using different quantized phase keys. From the MSE evolution curves shown in Fig. 6 , it can be concluded that MSEs are in the same level for a certain phase quantization level. The reason for the same MSE level is the same quantization error level of quantized phase key. In a desire to recover plaintext image with high fidelity, more quantization level should be adopted.
The watermarked image can be sent to the receiver through public communication channel. In data transmission, JPEG compression [27, 28] is widely used to reduce the image size. We have investigated the effect of JPEG compression on the watermarked image as well as the noise and occlusion robustness of this security system. The watermarked image shown in Fig. 3(e) is compressed in Matlab R2008b with 8 bit-depth and quality factor 80 . In the JPEG compression, some original image information is lost and cannot be restored. From the compressed image shown in Fig. 7(a) , it has little perceptible difference with Fig. 3(e) because the eliminated high frequency details are beyond human visual sense. However, as shown in Fig. 7(d), the decryption result using the compressed image is degenerated seriously.
As we can obverse from Table 1, the MSE value of Fig. 7(d) is much larger than the MSE of Fig. 3(f). The watermarked image with Gaussian noise of mean 0 and variance 0.01 is shown in Fig. 7(b), and corresponding decryption result is shown in Fig. 7(e). The occlusion is applied by cutting of 25% of watermarked image as shown in Fig. 7(c). Corresponding decryption result exhibited in Fig. 7(f) reveals that occlusion has less effect on decryption because only 25% of ciphertext is lost. As can be concluded from simulation results, this security technique is vulnerable to JPEG compression and noise attack. The main reason is that the ciphertext embedded in high frequency components of watermarked image which is compressed or disturbed in the JPEG compression and noise attack. To achieve better JPEG compression and noise resistance, we can employ some watermarking techniques with high frequency attack robustness. We will investigate it in our future work.
Cracking a security system means finding the value of keys with some knowledge about the input and corresponding output of the system. According to the Kerckhoffs’ principle [24, 30], the security system is publicly-known except the keys. As illustrated in the previous work [1–6], the benefit of two dimensional phase key is that the key space is extraordinarily large so that brute force attack is computationally intractable. In this section, we first analysis the security system linearity, and then testify the resistance against known-plaintext attack, chosen-ciphertext attack and chosen-plaintext attack.
4.1 System linearity analysis
The optical security system based on DRPE and its extensions have been found vulnerable under various attacks [9–16]. The flaws originate from the linearity of the encryption algorithm. For a linear system, the output of a weighted sum of two (or more) functions is simply the identically weighted sum of their individual outputs . This relation can be expressed mathematically asEq. (2) after iteration. Since and are reaching and respectively, Eq. (2) can be rewritten asEq. (8) violates Eq. (6) because may not always equal to , and besides there is a phase variable that taking random value in every iteration. And similarly, it is not possible to solve plaintext as a linear function of ciphertext from Eq. (1). Therefore the linearity between input plaintext and output ciphertext is broken in the security system.
The system nonlinearity can be further exhibited by the simulations. To show evident results, the decryption result of sum of two ciphertext images is compared with sum of their individual decryption results. First, we encrypted two plaintexts using the same phase key, and the corresponding ciphertext images are shown in Fig. 8(a) and 8(b) respectively. Their individual decryption results are shown in Fig. 8(c) and 8(d). Figure 8(e) shows retrieved plaintext with the sum of two ciphertext images using the same phase key. Obviously, it is completely different from the sum of individual decryption results shown in Fig. 8(f). The simulation results confirm that the system linearity has been broken by random VPM and substitution operations.
4.2 Known-plaintext attack
The optical security system based on DRPE and its extensions have been found vulnerable under various attacks [9–15]. Chosen-ciphertext attack , known-plaintext attack [10, 11] and chosen-plaintext attack  have been proposed to explore the security strength of optical system based on DRPE. The security system based on Projection-Onto-Constraint-Sets has also been cracked by Peng et al  using known-plaintext attack. The attack principle is to convert the known-plaintext attack to phase retrieval problem with some prior knowledge. To resist this type of attack, we can permute the pixel position of ciphertext randomly before watermarking. The two dimensional permutation can be realized by row permutation and column permutation respectively. The key space of permutation key is 256!×256!≈7×101013 which is large enough to exhaust attackers. Therefore it is impossible to retrieve correct plaintext without the permutation key.
Similarly, it is also impossible to implement known-plaintext attack without the permutation key. Suppose an attacker intercepts the watermarked image as shown in Fig. 3(e) and extracts the secret image as shown in Fig. 3(d). Because the attacker does not have the permutation key or even does not know the application of permutation, he uses to crack the phase key using KPA method in Ref. 12. The KPA includes three steps: calculate the amplitude in encryption plane; obtain phase distribution of input plane using phase retrieval; crack the phase key with the knowledge of complex amplitudes of input plane and output plane. The cracked phase key is given byFig. 9(a) . The phase key evolution can be measured by correlation coefficient (CC) [7, 8] which shown the difference of the cracked phase key and original phase key. From the MSE curve shown in Fig. 9(a), we can find that the MSE curve is converging, while the CC shown in Fig. 9(b) won’t reach 1 as the attacker expected. When MSE reach a preset threshold value, the attacker gets the cracked phase key. However, the cracked key can be used for this plaintext and ciphertext pair only. Figure 10(a) shows the decryption result for the original ciphertext and Fig. 10(b) shows another plaintext for phase key test. This plaintext is encrypted with and the corresponding ciphertext is attacked using . From the attack result shown in Fig. 10(c), obviously the attack result with cracked phase key cannot reveal any information of plaintext. Therefore the introduction of permutation key enhanced the resistance against known-plaintext attack.
4.3 Chosen-plaintext attack
The optical security system based on DRPE has been cracked by chosen-plaintext attack  and chosen-ciphertext attack . As we know, chosen-plaintext attack and chosen-ciphertext attack on iterative encryption system such have not been reported. Here we investigate the resistance of proposed security system against this chosen-plaintext attack.
In chosen-plaintext attack, we assume the attacker has the ability to trick a legitimate user of the system into encrypting particular images. As reported in Ref. 14, a simple and yet effective attack can be mounted by obtaining the ciphertext corresponding to a Dirac delta function as plaintext. The corresponding ciphertext is , and the complex amplitude of encryption plane after phase key is known as From Eq. (2), we can deduce that13]. Using above cracked phase key, the ciphertext of Fig. 10(b) can be cracked successfully as shown in Fig. 11(a) . As a conclusion, this security system is vulnerable to chosen-plaintext attack in the absence of permutation key because there is only one phase key. When permutation key is applied, the attacker can only obtain the permuted ciphertext . Another phase key can be cracked as shown in Fig. 11(b), however it is completely different with correct phase key. The ciphertext of Fig. 10(b) is attacked using this phase key, but the decryption result shown in Fig. 11(c) cannot reveal any information of original plaintext, Therefore, the resistance against chosen-ciphertext attack is greatly enhanced by permutation key.
In chosen-ciphertext attack, the attacker can decrypt any ciphertext and obtain corresponding plaintext. Thus the phase of output plane can be arbitrarily designed, and then is arbitrary. From Eq. (1), we can deduce that
From above analysis, we can conclude that permutation key play an important role in the security system. The resistances against known-plaintext attack and chosen-plaintext attack are greatly enhanced by denying direct accessing to the ciphertext.
In this paper, we have proposed a security enhanced optical encryption system by random phase key and permutation key. The encryption is realized by phase retrieval in fractional Fourier transform domain with the random phase key, and after random permutation the ciphertext is hidden in the overt image by watermarking. The ciphertext is invisible in watermarked image. The security strength of this system is then enhanced because the attacker may not perceive the existence of secret image. Even if the watermarked image is intercepted, the attacker cannot extract the ciphertext without the permutation key. Numerical simulations have verified the performance of the encryption system, and the robustness of watermarked image against compression, noise and occlusion have been discussed. Cryptanalysis indicates that the system linearity has been broken by random VPM and substitution operations. In known-plaintext attack and chosen-plaintext attack, the permutation key prevents the attacker from accessing the ciphertext directly. Hence the security strength is significantly enhanced by introducing the permutation key. In conclusion, security enhanced encryption with invisibility, nonlinearity and attack resistance has been achieved by using random phase key and permutation key.
This work is supported by National Basic Research Program of China (2009CB724007), National Natural Science Foundation of China (60807005), and 863 High Technology (2009AA01Z112). We also thank the reviewers for their useful suggestions.
References and links
2. T. Nomura and B. Javidi, “Optical encryption using a joint transform correlator architecture,” Opt. Eng. 39(8), 2031–2035 ( 2000). [CrossRef]
7. X. F. Meng, L. Z. Cai, X. L. Yang, X. X. Shen, and G. Y. Dong, “Information security system by iterative multiple-phase retrieval and pixel random permutation,” Appl. Opt. 45(14), 3289–3297 ( 2006). [CrossRef] [PubMed]
8. X. C. Cheng, L. Z. Cai, Y. R. Wang, X. F. Meng, H. Zhang, X. F. Xu, X. X. Shen, and G. Y. Dong, “Security enhancement of double-random phase encryption by amplitude modulation,” Opt. Lett. 33(14), 1575–1577 ( 2008). [CrossRef] [PubMed]
9. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30(13), 1644–1646 ( 2005). [CrossRef] [PubMed]
10. U. Gopinathan, D. S. Monaghan, T. J. Naughton, and J. T. Sheridan, “A known-plaintext heuristic attack on the Fourier plane encryption algorithm,” Opt. Express 14(8), 3181–3186 ( 2006), http://www.opticsinfobase.org/abstract.cfm?URI=oe-14-8-3181. [CrossRef] [PubMed]
12. H. Wei and X. Peng, “Known-Plaintext Attack on Optical Cryptosystem Based on Projection-Onto-Constraint-Sets Algorithm and a 4f Correlator,” Acta Opt. Sin. 28(3), 429–434 ( 2008). [CrossRef]
14. Y. Frauel, A. Castro, T. J. Naughton, and B. Javidi, “Resistance of the double random phase encryption against various attacks,” Opt. Express 15(16), 10253–10265 ( 2007), http://www.opticsinfobase.org/oe/abstract.cfm?URI=oe-15-16-10253. [CrossRef] [PubMed]
15. T. J. Naughton, B. M. Hennelly, and T. Dowling, “Introducing secure modes of operation for optical encryption,” J. Opt. Soc. Am. A 25(10), 2608–2617 ( 2008). [CrossRef]
16. D. S. Monaghan, U. Gopinathan, G. Situ, T. J. Naughton, and J. T. Sheridan, “Statistical investigation of the double random phase encoding technique,” J. Opt. Soc. Am. A 26(9), 2033–2042 ( 2009). [CrossRef]
18. Y. Shi, G. Situ, and J. Zhang, “Optical image hiding in the Fresnel domain,” J. Opt. A, Pure Appl. Opt. 8(6), 569–577 ( 2006). [CrossRef]
22. H. Zhang, L. Z. Cai, X. F. Meng, X. F. Xu, X. L. Yang, X. X. Shen, and G. Y. Dong, “Image watermarking based on an iterative phase retrieval algorithm and sine–cosine modulation in the discrete-cosine-transform domain,” Opt. Commun. 278(2), 257–263 ( 2007). [CrossRef]
24. B. Schneier, Applied Cryptography, 2nd ed. (John Wiley & Sons, 1996).
26. J. N. Mait, “Understanding diffractive optic design in the scalar domain,” J. Opt. Soc. Am. A 12(10), 2145–2158 ( 1995). [CrossRef]
27. G. K. Wallace, “The JPEG still picture compression standard,” IEEE Trans. Consum. Electron. 38(1), 18–34 ( 1992). [CrossRef]
28. R. C. Gonzalez, and R. E. Woods, Digital Image Processing, 2nd ed. (Prentice Hall, 2002).
31. J. W. Goodman, Introduction to Fourier Optics, 2nd ed. (McGraw-Hill, 1996).