We demonstrate experimentally that the traditional double random phase encoding (DPRE) technique is vulnerable to the cyphertext-only attack (COA). With the statistical ergodic property of the speckle, we show that the plaintext image can be recovered from the cyphertext alone owing to the fact that their energy spectral density functions are identical. Our result reveals the most serious security issue with the DRPE as it suggests that even the one-time-pad does not guarantee its security. This will open up new inside understanding of current optical security techniques.
© 2017 Optical Society of America
The double random-phase encoding (DRPE)  is the most well-known method proposed so far for optical image encryption. Its basic principle is to encode a primary image into white noise by using two random phase masks located at the input plane and the Fourier plane, respectively, in a coherent 4-f system. The two random phase masks served as the keys to the system. The security of the DRPE system relies on the extremely large key space, which is in the order of ΩM ×N, where Ω is the quantified level and M × N the pixel count of the random phase mask. Although it is unlikely to find the original keys in the key space by using the burst force attack within feasible time , the DRPE method indeed is encountered with various security issues [3,4]. In particular, it is vulnerable to various cryptanalysis attacks based on phase retrieval techniques. Dependent on the type of information available to perform an attack, typical cryptanalysis techniques can be categorized as the known-plaintext attack [5, 6], the chosen-plaintext attack , the chosen-cyphertext attack [3, 4], and the cyphertext-only attack (COA) . Among these, the COA is the most challenging one as it requires the lest knowledge about the encryption machine. Therefore, an encryption method is generally said to be not secure at all if it is vulnerable to the COA , as any plaintext encrypted by it will be disclosed by properly analyzing the corresponding cyphertext alone.
The coherent optical security technique has been demonstrated to be difficult as it is very sensitive to the alignment of the random phase mask  as well as the presence of laser speckle . The recovered image suffers from degradation  even when the original random phase keys were used for decryption. Thus people have turned to the incoherent optical system , in which at least the speckle can be smoothed out. Therefore it is reasonable to expect that it is even difficult to recover the plaintext image from the cyphertext without the knowledge of the keys. Even in numerical simulations, the recovered images usually exhibit certain level of noise  because phase retrieval is an ill posed problem, and the unique solution is not necessarily to be found algorithmatically . Nevertheless, a recently experiment has shown that the incoherent single random-phase encryption (SRPE) system proposed in Ref.  is vulnerable to the COA . However, the SRPE system has been theoretically proved by Refregier and Javidi to be insecure as the resulting cyphertext image is not white or stationary .
Here in this paper, we demonstrate theoretically and experimentally that the classical DRPE technique is vulnerable to the cyphertext-only attack. We note that Guo et al.  has reported a numerically demonstration of a COA on the DRPE. But their algorithm replies on a strong assumption that the tight and sharp support of plaintext image should be exactly known. This condition is hard to satisfy in practical situations. Alternatively, the algorithm we employed in the present work is inspired by the imaging correlation method proposed by Idell et al. [16, 17], and it works without the need to have the a priori knowledge about the support of plaintext image. To the best of our knowledge, it is the first experimental demonstration of COA to the DRPE method. Our study deepens the understanding of the DRPE technique, revealing a critical security issue that should be taken into account seriously when designing an optical information security system.
First let us make a brief description about the DRPE method. As mentioned in the Introduction, the coherent 4-f optical imaging system is usually employed to perform the classical DRPE, the process of which can be mathematically described as 
To perform the COA, it is reasonable to assume that one has full access to the cyphertext image g(r), and this is the only information that is available besides the knowledge of the encryption algorithm (Kerckhoffs assumption ). Inverse Fourier transforming both sides of Eq. (1) and taking the modulus square of the spectrum, one can obtain that the intensity pattern right behind the second random phase maskEquation (2) suggests that the random phase key RPM2 at the Fourier plane have no contribution to I(u) from the theoretical point of view. This is indeed surprisingly contradictory to the traditional understanding of the DREP, which states that RPM2 plays the most crucial role in the encryption procedure [3–7].
Note that the form of Eq. (2) is equivalent to the fully developed speckle produced by the random phase screen exp[iR1(r)] illuminated by the shaped beam f (r). The speckle pattern I(u), though random, contains information about the image f (r). Indeed, from many realizations of the speckle intensity, we can get the ESD of the plaintext from the averaged autocorrelation as :
Apparently, Eq. (3) suggests that with a sufficient number of realizations of the speckle, one can extract the ESD of the plaintext image which contains all the information about it. With a phase retrieval algorithm, such as the one proposed by Fienup , the plaintext image can be uniquely determined from its autocorrelation. Usually, different realizations of the speckle can be obtained by coherently illuminating the plaintext with different random phase. In the context of optical encryption, this requires the use of many different random phase keys to encrypt one plaintext image, which is not reasonable. Thus, one should employ an alternative approach. Here we note that the speckle is spatially stationary and ergodic , and propose to replace time average as in Eq. (3) by spatial average, allowing the possibility of reconstructing the plaintext image with only one intensity measurement (cyphertext). The flowchart of our COA algorithm is schematically illustrated in Fig. 1.
3.1. Simulation results
We first carried out a simulation analysis of the proposed method. In our first simulation, the plaintext image was a binary image of the text SIOM zero-padded to the size of 4096 × 4096 pixels, as shown in Fig. 2(a). We first encrypted the plaintext image using the classical coherent DRPE described by Eq. (1) and the resulting cyphertext image was shown in Fig. 2(b). After inverse Fourier transforming the cyphertext and taking the square moduli of the result, we got the far field speckle pattern I(u) described by Eq. (2). Then we used a sharp square aperture, denoted by P(u), to select a portion of the speckle pattern I(u). As schematically illustrated in Fig. 2(c) and (d), we moved the aperture stepwise in a raster manner across the speckle pattern, and obtained a sequence of subimages. The size of P(u) was chosen so that most information of |Γ(Δu)|2 can be collected (its size was 400 × 400 pixels in this work). To take the use of the finite pixel number of the speckle pattern, any two neighboring subimages had a 400 × 200 pixels overlapping. Then we calculated the autocorrelation of each subimage and averaged them out to generate an estimation of the plaintext’s ESD according to Eq. (3), as shown in Fig. 2(e).
The recovered ESD was then fed into a phase retrieval algorithm , resulting in a typical reconstructed plaintext image shown in Fig. 2(f). The correlation coefficient between it and the original plaintext in Fig. 2(a) is as high as 0.885, suggesting that the plaintext image has been faithfully reconstructed.
3.2. Experimental results
We first made an experimental cyphertext-only attack on the coherent SRPE system. Although theoretical study has suggested that it does not provide sufficient security by using only one random phase mask , it has been employed by several groups of workers to secure data using a coherent  and incoherent system . We noted that Liao et al.  has reported a COA on the incoherent SRPE system , it is thus necessary as well to perform the attack to its coherent counterpart.
Without loss of generality, we used the coherent SRPE system schematically shown in Fig. 3 (a) to encrypt the plaintext image. In the experiment, a collimated and expanded He-Ne laser beam at 632.8 nm was guided to illuminate the plaintext image, which was a part of a USAF resolution target (Thorlabs, R3L3S1N). Note that a thin ground glass can be modelled as a random phase function , and it has been used in all the optical encryption experimental systems [9–12, 14], here we adopted it (Thorlabs) as the random phase mask as well, and placed it at about 0.5 cm behind the plaintext image. The random-phase encoded wavefront then propagated over a distance of about 30 cm, where an sCMOS camera (PCO Edge 4.2) was placed to record the speckle pattern. The plaintext image and the corresponding cyphertext image are plotted in the insets in Fig. 3(a). With the cyphertext alone, we performed the proposed COA attack, and obtained the reconstructed image shown in Fig. 3 (b). The correlation coefficient between it and the plaintext is 0.795, suggesting that the secret information were revealed faithfully.
Now let us turn to the COA on the coherent DRPE system. To construct the DRPE system, we used two ground glass diffusers (from Thorlabs) separated by a distance of about 1.2 meters, as schematically shown in Fig. 4. As the laser beam is about 0.5 cm in diameter, the distance is long enough so that we have the Fraunhofer transform of the wavefront right behind the first diffuser (RPM1) at the plane of the second one (RPM2). Again, a small portion of the USAF resolution chart was selected as the plaintext image, and it was placed about 0.5 cm before RPM1. When the system was illuminated by the collimated He-Ne laser beam, we have the speckle pattern I(u) right behind RPM2 described by Eq. (2). A Nikon camera lens (AF Nikkor, 50mm f/1.4D) was used to delay the image of the speckle I(u) onto an sCMOS camera (PCO Edge 4.2). One can see from the insets in Fig. 4 an example of the cyphertext and the corresponding plaintext image.
The cryptanalysis results are shown in Fig. 5. Figure 5(a), 5(c) and 5(e) are the three examples of the images that we reconstructed from their cyphertext alone, and Fig. 5(b), 5(d) and 5(f) are their corresponding plaintext images, respectively. It is clear that all the visible features of the plaintext image have been reconstructed. We calculated the correlation coefficient between the reconstructed and the plaintext image, and the values associated with the three images in Fig. 5 are 0.853, 0.768 and 0.782, respectively.
To implement the COA to the DRPE system, one should make a good estimation to the plain-text’s ESD from the autocorrelation of speckle intensity. There are two major factors that matter. The first one is the number of independent realizations of speckle that can be obtained from the single cyphertext image. Ideally, one would expect to divide the speckle pattern into as many subimages as possible. However, the size of the subimage P(u) should be large enough so that one subimage contains sufficient information of plaintext’s ESD. As a result, one should make a trade-off between the number of independent speckle realizations and the size of the plaintext’s ESD. The second factor is a practical one. Due to the fact that the plaintext’s ESD is estimated from the speckle intensity in the Fourier domain, one needs to reduce the speckle produced by RMP2 alone. Otherwise, the contrast of I(u) is reduced and the estimated ESD becomes blurred.
The proposed COA algorithm is different from the one proposed in Ref.  in two main ways. The first one is that Liao et al.’s algorithm relies on the memory effect  so that the autocorrelation of the cyphertext is identical to that of the plaintext. Whereas in our case, this relation does not hold. Although both algorithms employ the phase retrieval technique to recover the phase, the fundamental physics is different. The second one is that, as we have mentioned before, the algorithm proposed in Ref.  was applied to an incoherent SRPE system with only one RPM. In contrast, our work is to attack the classical coherent DRPE system, which has much larger key space, and strongly affected by the speckle . This makes it a significant step forward to the cryptanalysis of current optical security systems.
In conclusion, we have numerically and experimentally demonstrated the cyphertext-only attack on the coherent double random-phase encryption technique. The COA algorithm we introduced here is inspired by the principle of imaging correlation [16, 17], except that we have taken the advantage of the ergodic property of speckle in the estimation of the ESD. This enables us to recover the plaintext image from a single acquisition of cyphertext alone, without additional knowledge about the plaintext. Our study reveals the most serious security issue of the DRPE method. That is, even operating in the one-time-pad manner, it may not guarantee secure protection of the data of interest. Therefore, we urge the workers in this field to take this security issue into account when designing optical security systems. For instance, one can utilize the bilineariry of the ambiguity function of the plaintext [22, 23], and others .
Although we used some simple binary images as the plaintext in our demonstration, the COA algorithm is indeed applicable to a more general set of images. For the set of grayscale images, the spectrum, and the autocorrelation function, usually contains more complicated features. Thus, one needs to have a finer design of the algorithm as well as the image acquisition system to improve the overall quality of the reconstructed image.
National Natural Science Foundation of China (61377005); Chinese Academy of Sciences (QYZDB-SSW-JSC002).
References and links
4. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30, 1644–1646 (2005). [CrossRef] [PubMed]
5. U. Gopinathan, D. S. Monaghan, T. J. Naughton, and J. T. Sheridan, “A known-plaintext heuristic attack on the Fourier plane encryption algorithm,” Opt. Express 14, 3181–3186 (2006). [CrossRef] [PubMed]
8. W. Stallings, Cryptography and Network Security (Prentice Hall, 2004).
9. C.-C. Sun and W.-C. Su, “Three-dimensional shifting selectivity of random phase encoding in volume holograms,” Appl. Opt. 40, 1253–1260 (2001). [CrossRef]
10. L. G. Neto and Y. Sheng, “Optical implementation of image encryption using random phase encoding,” Opt. Eng. 35, 2459–2463 (1996). [CrossRef]
11. O. Matoba, T. Nomura, E. Pérez-Cabré, M. S. Millán, and B. Javidi, “Optical techniques for information security,” Proc. IEEE 97, 1128–1148 (2009). [CrossRef]
13. Y. Shechtman, Y. C. Eldar, O. Cohen, H. N. Chapman, J. Miao, and M. Segev, “Phase retrieval with application to optical imaging,” IEEE Sig. Proc. Mag. May , 87–109 (2015). [CrossRef]
14. M. Liao, W. He, D. Lu, and X. Peng, “Ciphertext-only attack on optical cryptosystem with spatially incoherent illumination: from the view of imaging through scattering medium,” Sci. Rep. 7, 41789 (2017). [CrossRef] [PubMed]
15. P. Refregier and B. Javidi, “Optical image encryption using input plane and Fourier plane random encoding,” Proc. SPIE. , 2565, 62–68 (1995). [CrossRef]
19. I. Freund, “Correlation imaging through multiply scattering media,” Phys. Lett. A 147, 502–506 (1990). [CrossRef]
21. Ori Katz, Pierre Heidmann, Mathias Fink, and Sylvain Gigan, “Non-invasive single-shot imaging through scattering layers and around corners via speckle correlations,” Nat. Photon. 8, 784–790 (2014). [CrossRef]
24. B. Javidi, A. Carnicer, M. Yamaguchi, T. Nomura, E. Pérez-Cabré, M. S. Millán, N. K. Nishchal, R. Torroba, J. F. Barrera, W. He, X. Peng, A. Stern, Y. Rivenson, A. Alfalou, C. Brosseau, C. Guo, J. T. Sheridan, G. Situ, M. Naruse, T. Matsumoto, I. Juvells, E. Tajahuerce, J. Lancis, W. Chen, X. Chen, P. W. H. Pinkse, A. P. Mosk, and A. Markman, “Roadmap on optical security,” J. Opt. 18, 083001 (2016). [CrossRef]