## Abstract

A double-image encryption technique that based on an asymmetric algorithm is proposed. In this method, the encryption process is different from the decryption and the encrypting keys are also different from the decrypting keys. In the nonlinear encryption process, the images are encoded into an amplitude cyphertext, and two phase-only masks (POMs) generated based on phase truncation are kept as keys for decryption. By using the classical double random phase encoding (DRPE) system, the primary images can be collected by an intensity detector that located at the output plane. Three random POMs that applied in the asymmetric encryption can be safely applied as public keys. Simulation results are presented to demonstrate the validity and security of the proposed protocol.

© 2012 OSA

## 1. Introduction

Information security has become an important issue in data communication. The classical optical DRPE technique that proposed by Refregier and Javidi [1] provided a theoretical foundation for many subsequent proposals for optical encryption and authentication systems [2–7]. One of the shortcomings of these security schemes is that the phase part of the encrypted image has to be recorded by using holography techniques. Thus, a joint transform correlator (JTC) has been an alternative encrypting architecture [8], as well as the systems based on phase retrieval [9, 10]. Most of these optical encryption techniques belong to the category of secret-key (symmetric) cryptography, in which the encryption process is the same as its decryption process and the encryption key is identical to the decryption too. Recently, some investigations have shown that the DRPE-based encryption schemes were vulnerable to several attacks [11–15].

In order to resist such attacks, Qin and Peng have proposed an encryption system that based on phase-truncated Fourier transforms (PFFTs), in which the decryption keys and encryption keys were separated [16]. By adopting the phase truncation operations, the system assures a benefit of breaking the linearity of conventional DRPE-based systems, which is the main weakness against attacks. Additionally, an asymmetric cryptosystem has some advantages in practical use compared with symmetric methods, in particular, under the network environment, such as key distribution and management [16, 17]. Based on the phase-truncated Fourier transform, two images can be self-encoded in the manner that one of the two images is directly separated into two POMs and used as keys for encryption [18]. Multiple-image encryption also can be achieved by applying more cycles in the cryptosystem [19, 20]. Recently, an optical color image encryption method based on phase-truncated strategy and the conventional three-channel construction has also been presented [21]. However, the nonlinear operation of phase truncation has to be performed by digital holography techniques and the decryption procedure is still the same as the encryption procedure in these methods [18–21], which means the optical decryption process consists of several steps. Although it has very high robustness against common attacks such as brute force attacks and known plaintext attack [16], the PFFT-based encryption system recently has been found to be vulnerable to a specific attack when the encrypting keys are used as public keys [22]. The simplest solution to the specific attack is to keep the encryption keys as private keys [18–21] or apply different phase keys for different plaintexts during the encryption to avoid this specific known public key attack, which will actually crack the asymmetry of cryptosystems. The problem could also be solved by modulating the amplitude distribution in the output plane [23]. However, the implementation of the optical recovery is still complex and inefficient in practice as the previous methods [16–21]. Therefore, an asymmetric cryptosystem which has both convenient and efficient decryption and high resistance against the specific attack has yet to be developed.

In this paper, we propose a double-image encryption technique that based on an asymmetric algorithm, in which the encryption process is different from the decryption and the encryption keys are also different from the decryption keys. The encryption process is performed digitally while the decryption process can be implemented optically or digitally. In this asymmetric method, phase truncation of a joint Fourier transform is used to transform two images into a noise image in the encryption process. By using the classical DRPE system, in which the amplitude mask (AM) acts as the input image while the two POMs generated in the encryption procedure are treated as two phase keys, the primary images can be collected without being superimposed by an intensity detector that located at the output plane. In this method, three random POMs applied in this asymmetric encryption algorithm can be used as public keys in safety. Computer simulation results show the cryptosystem has a high level of robustness against some common attacks, including brute force attacks, known plaintext attack and known public key attack.

The paper is organized as follows: In Section 2, we construct a public-key encryption scheme based on an asymmetric algorithm. The security analysis is described in Section 3 and security proofs against several attacks are given in Section 4. Finally, a conclusion of this paper is given in Section 5.

## 2. Double images encryption based on an asymmetric algorithm

In our method, two positive images can be encoded into two POMs and one AM. The AM are kept as cyphertext while the two POMs are kept as private keys for decryption. Let ${f}_{1,2}$, $E$, and ${P}_{1,2}$ denote the two primary images to be encoded, the AM and two POMs respectively. The simple optical method of DRPE can be implemented for decoding, as shown in Fig. 1 .

If a CCD array is placed at the output, the decoded image can be expressed by

where $D(x)$ contains the information of the two primary images. In the following, we will show how to encode two images into the AM $E(x)$ and the two POMs ${P}_{1}(x)$ and ${P}_{2}(u)$ asymmetrically.The production process of the AM and two POMs can be shown in Fig. 2 . ${R}_{1}(x)$, ${R}_{2}(x)$ and ${R}_{3}(u)$ are three random phase keys, which are mathematically represented by $\mathrm{exp}[i{m}_{1}(x)]$, $\mathrm{exp}[i{m}_{2}(x)]$ and $\mathrm{exp}[i{m}_{3}(u)]$ respectively. Note that ${m}_{1}(x)$, ${m}_{2}(x)$ and ${m}_{3}(u)$ denote three independent white sequences uniformly distributed in $[0,\text{2}\pi ]$. The input images ${f}_{1}(x)$, ${f}_{2}(x)$ that located in the position $({a}_{1},0)$, $({a}_{2},0)$ are combined with ${R}_{1}(x)$ and ${R}_{2}(x)$ respectively. Thus, the input information can be represented by

*f*system [7] or a JTC architecture [8].

After the operation of joint Fourier transform, we obtain the Fourier spectrum $FT[{u}_{0}(x)]$. By performing phase truncation in the Fourier domain, the amplitude part and phase part can be separated from the Fourier spectrum and written as

The amplitude distribution ${g}_{0}(u)$ is multiplied by a RPM ${R}_{3}(u)$ and then inverse Fourier transformed, the distribution in the out plane can be given by

By the same way, the amplitude part and phase part of ${u}_{1}(x)$ can be written as

respectively. Thus, now we have obtained the AM $E(x)$ and the POM${P}_{1}(x)$. In our method, the POM ${P}_{2}(u)$ that remains undecided in Eq. (1) can be given bywhere the symbol $\ast $ denotes the complex conjugate. The two POMs ${P}_{1}(x)$ and ${P}_{2}(u)$ are kept as decrypting keys.With the help of Eqs. (3)-(8), Eq. (1) can be easily simplified as $D(x)=PT\left\{{u}_{0}(x)\right\}$, which means the decrypted images can be recovered without being superimposed. It also can be seen that the position parameters ${a}_{1}$, ${a}_{2}$ and the random phase keys ${R}_{1}(x)$, ${R}_{2}(x)$ and ${R}_{3}(u)$ are not required for a correct decryption. In our proposed method, the encryption process is nonlinear while the decryption process is linear. The AM and two POMs can be assigned to three different users for highly secure verification, and the primary images can be obtained if all the three masks were correctly placed in the verification system as shown in Fig. 1 by the authorized users.

## 3. Analysis of the encryption security

In this section, we will discuss the security of our proposed method. A cryptosystem could be described as robust and secure if only it were able to resist various attacks. Due to its symmetry and linearity, the classical DRPE system has been demonstrated weak against chosen cyphertext and known-plaintext attacks [12, 13]. Although the decryption procedure of the proposed method is a direct application of the DRPE technique, it will not encounter the troubles that presented in the symmetric systems as it is just a part of the asymmetric cryptosystem. A brief explanation is given in the following. Usually, an intruder obtains the keys in the encryption process and uses the decrypted keys in the decryption process. The information or data can be accessed by an attacker may include the encrypted result and the public keys, but not the private keys which are directly related to the plaintext. Thus, trying to recover the plaintext or the private keys in the encryption system by using the public keys and the cypher is the most important thing for an attacker. If one tries to complete the attack with the decryption machine, the only thing he/she can do is just to place the public keys or random chosen keys in the 4*f* processor. It is important to emphasize that the private keys, which are kept by authorized users, are not used as fixed public-keys in the decryption procedure. If an attacker has accessed the private keys, then try to decode these keys by using the methods in [12, 13]. Obviously, it is meaningless. In this case, the probable way for an illegal user to recover the plaintext is to use no keys, or arbitrarily selected keys, or the public keys in the decryption procedure.

When we only consider three random POMs used for encryption and the ciphertext are known by the attacker, as well as our proposed encryption algorithm, therefore, the proposed cryptosystem that based on the asymmetric algorithm would be threatened by several attacks as below: (1) Brute force attack. There are two possible ways to perform this attack: one is using two arbitrarily selected phase keys as the decrypting keys, the other is the direct decryption without any key, which means both ${P}_{1}(x)$ and ${P}_{2}(u)$ in Eq. (1) are replaced by an identity matrix in the decryption procedure. (2) Chosen plaintext attacks. Obviously, it is easy for one to produce two phase keys by using two arbitrary chosen input images and the three public keys. (3) Know public key attack. There are also two ways to perform this attack: one is the specific attack algorithm, the other is the direct application of the public keys, which means the functions ${P}_{1}(x)$ and ${P}_{2}(u)$ in Eq. (1) will be replaced by two of the three encrypting keys in the decryption procedure.

Since the PTFT-based encryption scheme has been proved to be vulnerable to the specific attack, which can be seen as an application of the hybrid input-output algorithm [24], the security level of the proposed encryption system against the specific attack needs to pay more attention. A cryptosystem will be placed into a more exposed and vulnerable position if the encryption keys are treated as public keys and used to encode different images. But an important factor that must be considered in the specific attack is the number of the public keys. In this paper, the specific attack could be completed by a two-step approach. The process can be described as follows: the first step is to access ${{g}^{\prime}}_{0}(u)$ which is an estimate of ${g}_{0}(u)$ by using ${R}_{3}(u)$ and the ciphertext $E(x)$, the second step is to achieve the estimate of primary image by using ${{g}^{\prime}}_{0}(u)$ and the phase masks in the input plane. However, the two-step specific attack algorithm has great difficulty with double-image encryption.

As discussed in [22], an iteration process can be used to achieve the aim of the first step, where the functions $E(x)$ and ${R}_{3}(u)$ are used as the constraints in the two planes respectively. Compared to the attack against the single-image encryption [16], the operation of the second step of the specific become more complex because there are two primary images in the input plane even if one has obtained the parameters ${a}_{1}$, ${a}_{2}$. In this case, it is necessary to choose another constraint while ${{g}^{\prime}}_{0}(u)$ has already been determined as one of the two constraints. Two ways can be considered to perform the second step of the specific attack: (1) the direct attack by using the estimate of ${g}_{0}(u)$ and one of the random POMs in the input plane as the two constraints in the process of computation; (2) for the solution of one plain image${f}_{1}(x)$, the other plaintext ${f}_{2}(x)$ is assumed to have fixed values. This means that ${R}_{1}(x)$ is to act as a constraint while the distribution $FT\left\{[{f}_{2}(x){R}_{2}(x)]\otimes \delta (x-{a}_{2})\right\}$, which is now treated as a known quantity, will form another constraint together with ${{g}^{\prime}}_{0}(u)$ in the iterative process. Then try to obtain the estimate of ${f}_{2}(x)$ by using the solution of ${f}_{1}(x)$. We call the second way as the indirect attack.

It should be pointed out that the proposed public-key cryptography is still functional for single-image encryption. In this case, we have ${f}_{2}(x)=1$ in Eq. (1) while the function ${f}_{1}(x)$ denotes the only plaintext. Obviously, the single-image encryption is just a special case of above double-image encryption. Comparing to PTFT-based single-image encryption [15], the decryption process is more simple and efficient. But it should be specially noted that single-image encryption has made the cryptosystem be more vulnerable to the indirect specific attack as only one plaintext needs to be recovered. Nevertheless, our proposed method can be proved to possess the ability to resist the specific attack.

## 4. Numerical simulations and discussion

Computer simulations on the MATLAB 7.9 platform have been conducted to show the correctness and security of this cryptography.

Two normalized images, Woodstatue ($200\times 200$ pixels) and Mudiao ($200\times 200$ pixels), which can be shown in Fig. 3(a) and Fig. 3(b) respectively, are used for double-image encryption. In order to meet the needs of the calculation and data displaying, we use the two centered and zero-padded images ($512\times 512$ pixels) as the input plaintexts, and the two parameters ${a}_{1}$, ${a}_{2}$ are set as $-128$(pixels) and $140$ (pixels) respectively. Figure 3(c), which looks like white noise, is the ciphertext by using three arbitrarily chosen random POMs. With the help of Eq. (1), the correctly recovered image is shown in Fig. 3(d), where the two plain images are positioned side by side. The two decryption keys generated in the encryption procedure and used for the correct decryption are presented in Fig. 4 .

We first test the ability of the algorithm against brute force attack. Figures 5(a) -5(b) show the decrypted results using no keys, arbitrarily selected phase keys. However, it is impossible for hackers to achieve useful information in such a way.

Figures 6(a) -6(b), with the names of Office and Spanner, are the two fake plain images that used to generate decrypting keys. The two keys that generated from the above images can be shown in Fig. 6(c) and Fig. 6(d) respectively. As can be seen from Fig. 6(e), the recovered image provides no valuable information but the fake plaintexts themselves when the fake keys are used for decryption. When two of the encrypting keys are arbitrarily selected for decryption, the decrypted image is shown in Fig. 6(f).

In the specific attack, we use the mean square error (MSE) to show the convergence of the iterative method, which is given by

Several examples of the specific attack are given in Figs. 8(a) -8(d), which practically present a high level of robustness of our cryptosystem against the known public-key attack.

In this section, we also investigate the performance of our proposed algorithm on single-image encryption. We replace the image Mudiao with an identity matrix in the following simulations. Figures 9(a)
and 9(b) show the encrypted result of Fig. 3(a) and the correct decrypted result respectively. In this case, the cryptosystem is more vulnerable to the indirect specific attack. Nevertheless, simulation results indicate that the cryptography does not become insecure. Figure 10(a)
show the relations between the iteration number and the MSE (between ${g}_{0}(u)$ and its estimate) in the first step. The relation between the iteration number and the MSE (between Fig. 9(b) and its estimate) in the indirect attack is given by Fig. 10(b), which also implies that a larger iteration number cannot ensure a good quality of recovery. An example of the indirect specific attack (*m* = 500, *n* = 100) is illustrated in Fig. 10(e). Obviously, no valuable information about the primary image could be observed. Comparing to PTFT-based single-image encryption, the proposed method provides a good performance in resistance against known public key attack.

## 5. Conclusion

In summary, we propose a double-image encryption technique that based on an asymmetric algorithm, in which the encryption process is different from the decryption and the encryption keys are also different from the decryption keys. The encryption process is performed digitally while the decryption process can be implemented optically. The main purpose of the nonlinear operations in the encryption is to achieve an asymmetry property and a high level of robustness against attacks while retaining the linearity of decryption scheme is to provide a convenient decryption for authorized users. Simulations results have shown that the cryptosystem has a very high level of robustness against some common attacks including brute force attacks, known plaintext attack and known public key attack. Additionally, it should be pointed out that the cryptography can also be safely applied in single-image encryption. As most of the optical image encryption methods, nevertheless, a secure communication channel is required for transmitting the decrypting keys. Of course, some digital techniques such as Rivest-Shamir-Adelman (RSA) public-key encryption algorithm and steganographic approaches, can be used to realize the simultaneous transmission for the encrypted image and the private keys [25].

## Acknowledgments

The authors would like to thank the anonymous referees for their valuable comments and suggestions to improve this paper. This work was supported by the Zhejiang Provincial Natural Science Foundation of China (R1090168), the National Natural Science Foundation of China (NSFC) (11074219 and 10874150), the Program for New Century Excellent Talents in University (NCET-07-0760), the Excellent Young Teacher Item Fund of Zhejiang Education Department (Z. J. Edu. GKC (2010) No.175) and the Program for Innovative Research Team of Young Teachers in Zhejiang A&F University (Grant No. 2009RC01).

## References and links

**1. **P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. **20**(7), 767–769 (1995). [CrossRef]

**2. **G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption by double-random phase encoding in the fractional Fourier domain,” Opt. Lett. **25**(12), 887–889 (2000). [CrossRef]

**3. **B. Hennelly and J. T. Sheridan, “Optical image encryption by random shifting in fractional Fourier domains,” Opt. Lett. **28**(4), 269–271 (2003). [CrossRef]

**4. **G. Situ and J. Zhang, “Double random-phase encoding in the Fresnel domain,” Opt. Lett. **29**(14), 1584–1586 (2004). [CrossRef]

**5. **H. Suzuki, M. Yamaguchi, M. Yachida, N. Ohyama, H. Tashima, and T. Obi, “Experimental evaluation of fingerprint verification system based on double random phase encoding,” Opt. Express **14**(5), 1755–1766 (2006). [CrossRef]

**6. **A. Alfalou and C. Brosseau, “Optical image compression and encryption methods,” Adv. Opt. Photon. **1**(3), 589–636 (2009). [CrossRef]

**7. **J. F. Barrera and R. Torroba, “One step multiplexing optical encryption,” Opt. Commun. **283**(7), 1268–1272 (2010). [CrossRef]

**8. **T. Nomura and B. Javidi, “Optical encryption using a joint transform correlator architecture,” Opt. Eng. **39**(8), 2031–2035 (2000). [CrossRef]

**9. **H. T. Chang, W. C. Lu, and C. J. Kuo, “Multiple-phase retrieval for optical security systems by use of random-phase encoding,” Appl. Opt. **41**(23), 4825–4834 (2002). [CrossRef]

**10. **H. E. Hwang, H. T. Chang, and W. N. Lie, “Fast double-phase retrieval in Fresnel domain using modified Gerchberg-Saxton algorithm for lensless optical security systems,” Opt. Express **17**(16), 13700–13710 (2009). [CrossRef]

**11. **J. F. Barrera, C. Vargas, M. Tebaldi, R. Torroba, and N. Bolognini, “Known-plaintext attack on a joint transform correlator encrypting system,” Opt. Lett. **35**(21), 3553–3555 (2010). [CrossRef]

**12. **A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. **30**(13), 1644–1646 (2005). [CrossRef]

**13. **X. Peng, P. Zhang, H. Wei, and B. Yu, “Known-plaintext attack on optical encryption based on double random phase keys,” Opt. Lett. **31**(8), 1044–1046 (2006). [CrossRef]

**14. **Y. Frauel, A. Castro, T. J. Naughton, and B. Javidi, “Resistance of the double random phase encryption against various attacks,” Opt. Express **15**(16), 10253–10265 (2007). [CrossRef]

**15. **H. Tashima, M. Takeda, H. Suzuki, T. Obi, M. Yamaguchi, and N. Ohyama, “Known plaintext attack on double random phase encoding using fingerprint as key and a method for avoiding the attack,” Opt. Express **18**(13), 13772–13781 (2010). [CrossRef]

**16. **W. Qin and X. Peng, “Asymmetric cryptosystem based on phase-truncated Fourier transforms,” Opt. Lett. **35**(2), 118–120 (2010). [CrossRef]

**17. **W. Stallings, *Cryptography and Network Security: Principles and Practice* (Prentice Hall, 2003).

**18. **X. Wang and D. Zhao, “Multiple-image encryption based on nonlinear amplitude-truncation and phase-truncation in Fourier domain,” Opt. Commun. **284**(1), 148–152 (2011). [CrossRef]

**19. **X. Wang and D. Zhao, “Double-image self-encoding and hiding based on phase-truncated Fourier transforms and phase retrieval,” Opt. Commun. **284**(19), 4441–4445 (2011). [CrossRef]

**20. **W. Chen and X. Chen, “Optical asymmetric cryptography using a three-dimensional space-based model,” J. Opt. **13**(7), 075404 (2011). [CrossRef]

**21. **W. Chen and X. Chen, “Optical color image encryption based on an asymmetric cryptosystem in the Fresnel domain,” Opt. Commun. **284**(16-17), 3913–3917 (2011). [CrossRef]

**22. **X. Wang and D. Zhao, “A special attack on the asymmetric cryptosystem based on phase-truncated Fourier transforms,” Opt. Commun. **285**(6), 1078–1081 (2012). [CrossRef]

**23. **X. Wang and D. Zhao, “Security enhancement of a phase-truncation based image encryption algorithm,” Appl. Opt. **50**(36), 6645–6651 (2011). [CrossRef]

**24. **J. R. Fienup, “Phase retrieval algorithms: a comparison,” Appl. Opt. **21**(15), 2758–2769 (1982). [CrossRef]

**25. **S. Yuan, X. Zhou, D. H. Li, and D. F. Zhou, “Simultaneous transmission for an encrypted image and a double random-phase encryption key,” Appl. Opt. **46**(18), 3747–3753 (2007). [CrossRef]