Expand this Topic clickable element to expand a topic
Skip to content
Optica Publishing Group
Journal Home About Issues in Progress Current Issue All Issues Feature Issues

Known-plaintext attack to optical encryption systems with space and polarization encoding

Shuming Jiao, Yang Gao, Ting Lei, and Xiaocong Yuan

Open Access Open Access

Abstract

Space-based optical encryption (SBOE) and double random polarization encoding (DRPO) are previously considered to be more secure than common random-phase-encoding-based optical cryptosystems. The known-plaintext attack (KPA) to SBOE and DRPO was seldomly investigated in the past. A matrix regression approach based on training samples is proposed in this paper to crack these two optical cryptosystems. The relationship between plaintexts and ciphertexts is directly modeled by a complex-amplitude weighting matrix, which is optimized by a gradient descent algorithm. This approach has a simple model compared with deep learning and the KPA can be implemented without recovering the exact key. Our proposed KPA schemes reveal the security flaws of SBOE and DRPO, as well as other linear optical cryptosystems.

© 2020 Optical Society of America under the terms of the OSA Open Access Publishing Agreement

1. Introduction

The research of optical security techniques [13] has received much attention in recent years. A plaintext image, in the form of an input light field, can be transformed to a ciphertext light field physically by an optical encryption system. Unauthorized users are not able to directly recover the plaintext image from the ciphertext without knowing the decryption key. Compared with digital encryption, optical encryption has some potential advantages such as high-speed parallel processing capability and direct processing of a physical object.

The most common optical encryption system is based on optical diffraction and cascaded phase masks [417]. Double random phase encoding (DRPE) [4] was first proposed by Refregier and Javidi more than two decades ago. In this system, the input plaintext image is optically Fourier transformed and inversely Fourier transformed by a double-lens 4f optical setup before becoming the ciphertext. At the same time, the light field is modulated by two random phase masks placed in the input plane and Fourier plane. Later, the DRPE scheme was extended to other domains such as fractional Fourier domain [5], Fresnel domain [6] and Gyrator domain [7,8]. The number of random phase masks was extended to more than two and phase retrieval can be included in the decryption [911]. Multiple-image encryption with a random-phase-encoding-based optical cryptosystem is implemented as well [1214]. Other security operations like scrambling are employed to enhance the random-phase-encoding optical cryptosystems [1517]. However, the security strength of random-phase-encoding optical encryption systems is challenged by various types of attacking methods [1829], such as chosen-plaintext attack, known-plaintext attack and ciphertext-only attack. These cryptanalysis works can disclose the security flaws of existing cryptosystems and provide a basis for further enhancing the security level.

In addition to random-phase-encoding, other dimensions of a light field can be employed as the encryption and decryption key, such as spatial distances and polarization states. A space-based optical encryption (SBOE) system was proposed in the previous work [30], where the pixels of the plaintext image are randomly shifted to different depth distances first before a diffractive light field propagation. Optical encryption schemes with a single polarization mask was first proposed [31,32] and a double random polarization encoding (DRPO) scheme was proposed in [33]. In this work, the random phase masks in a Fourier-domain DRPE system [4] are replaced with random polarization masks. The DRPO scheme can be extended to Fresnel domain [34] and multiple-image encryption [35] as well. Compared with random-phase-encoding optical cyptosystems, the cryptoanalysis of optical encryption with space and polarization encoding has not been extensively investigated. The attacking methods for random-phase-encoding cyptosystems [1829], mostly based on phase retrieval, are usually not applicable to SBOE and DRPO. For SBOE [30], as far as we know, no CPA, KPA or COA scheme has ever been proposed. For DRPO [33], an analytical CPA scheme was proposed very recently [36]. In addition, a heuristic search approach for attacking with simulated annealing was proposed [37] but the searching requires very high computational cost. No general KPA scheme has been proposed for DRPO so far.

In most works about the cryptanalysis of optical encryption systems, the objective is to directly retrieve the decryption keys (e.g. random phase masks) as accurate as possible. After the keys are known, for any given ciphertext, the corresponding plaintext can be recovered with the retrieved key. In fact, it is not necessary to know the keys exactly for cracking an optical cryptosystem. Alternatively, only the relationship between the ciphertext and the plaintext needs to be appropriately modeled. Recent works [3840] show that the ciphertext-plaintext relationship can be modeled by deep learning with training samples and the plaintext can be directly predicted by the trained neural network from a ciphertext. It shall be noted that the exact keys are not recovered by the deep learning network in these works [3840]. Furthermore, a complex-amplitude weighting matrix can be employed to model a linear system instead of a complicated deep learning network [41].

In this work, the KPAs for both SBOE and DRPO are implemented. The distance-shifting mask and polarization mask as the original encryption and decryption key are not directly retrieved. Instead, a decryption system is modeled by a weighting matrix and the elements in the matrix are optimized with multiple known plaintext-ciphertext pairs. The results indicate that SBOE and DRPO systems are vulnerable to KPA. In addition, similar attacking approaches can be generalized to other linear optical encryption systems.

2. Principles of spaced-based optical encryption (SBOE) and double random polarization encoding (DRPO)

2.1 Space-based optical encryption (SBOE)

In the previous work [30], a SBOE system in the Fresnel domain is proposed and its optical setup is shown in Fig. 1. The plaintext image $O(x,y)$ is multiplied with the first random phase mask ${P_1}(x,y)$. Then each object point (or pixel) is randomly shifted to different depth planes. Consequently, the distance between each pixel and the second phase mask ${P_2}(u,v)$ is different, denoted by ${d_1}(x,y)$. The plaintext image is transformed to a point cloud after the shifting operation. After that, the point cloud is diffracted under coherent light illumination and the propagating light field will be modulated by the second phase mask ${P_2}(u,v)$. Then it will further propagate by a distance of ${d_2}$. Finally, the amplitude and phase of the light field can be recorded as the ciphertext $C({x^{\prime}},{y^{\prime}})$ in the output plane by phase-shifting holography. The mathematical models of encryption and decryption steps in SBOE are given by Eqs. (1) and (2) respectively, where FrT denotes Fresnel field propagation.

$$C({x^{\prime}},{y^{\prime}}) = FrT\{ FrT[O(x,y){P_1}(x,y),{d_1}(x,y)]{P_2}(u,v),{d_2}\}$$
$$O(x,y) = FrT\{ FrT[C({x^{\prime}},{y^{\prime}}), - {d_2}]conj[{P_2}(u,v)], - {d_1}(x,y)\} \cdot conj[{P_1}(x,y)]$$

 figure: Fig. 1.

Fig. 1. Optical setup of a space-based optical encryption (SBOE) system.

Download Full Size | PDF

In a conventional DRPE system in the Fresnel domain [6], the distance between each object point and the first random phase mask are identical. The shifting-distance mask ${d_1}(x,y)$ in SBOE gains significantly enhanced security against phase retrieval attacks than DRPE.

2.2 Double random polarization encoding (DRPO)

In a DRPO scheme, the encryption and decryption are performed in a two-dimensional vector space. Each pixel in the input light field $O(x,y) = {[{O_x}(x,y)\textrm{ }{O_y}(x,y)]^T}$ has two polarization components in the horizontal and vertical direction, denoted by a Jones vector. Each component is complex-amplitude and has its own intensity and phase value. It is assumed that the original plaintext image is $f(x,y)$. The intensities of two components can be simply encoded as ${O_x}(x,y) = f(x,y)$ and ${O_y}(x,y) = \sqrt {1 - f{{(x,y)}^2}}$ initially. When the light field in either one polarization direction of $O(x,y)$ is known, the original plaintext image can be decoded. The optical setup of DRPO is shown in Fig. 2.

 figure: Fig. 2.

Fig. 2. Optical setup of a double random polarization encoding (DRPO) system.

Download Full Size | PDF

It is a double-lens 4f setup similar to Fourier-domain DRPE [4] but the random phase masks are replaced with random polarization masks ${P_1}(x,y)$ and ${P_2}(u,v)$. The mathematical models of encryption and decryption steps of DRPO are given by Eqs. (3) and (4) respectively. The first random polarization mask ${P_1}(x,y)$ will modulate the intensity and phase of the incident light field in both the two polarization directions, given by Eq. (5), where ${\varphi _1}(x,y)$ denotes phase retardations and ${\theta _1}(x,y)$ denotes rotation angles. The second random polarization mask ${P_2}(u,v)$ will modulate the intensity and phase of the light field in both the two polarization directions in the Fourier domain, given by Eq. (6), where ${\varphi _2}(u,v)$ denotes phase retardations and ${\theta _2}(u,v)$ denotes rotation angles. In a DRPO system, the light field will be optically Fourier transformed and inversely Fourier transformed as well by the two lens. The transform is performed separately for the complex-amplitude in the horizontal and vertical polarization directions. Finally, the encrypted vector light field $C(x,y) = {[{C_x}(x,y)\textrm{ }{C_y}(x,y)]^T}$ is obtained in the output plane. The input light field can be recovered in an inverse way and the plaintext image can be obtained when the two random polarization keys are known. The light field modulation of DRPO is performed in the two polarization directions, instead of only one polarization direction in a conventional optical encryption system. In addition, the random polarization masks cannot be directly recovered by phase retrieval algorithms, unlike random phase masks. Consequently, a DRPO system is robust to attacking methods that can crack random-phase-based optical cryptosystems.

$$C(x,y) = IFT\{ FT[O(x,y){P_1}(x,y)]{P_2}(u,v)\}$$
$$O(x,y) = IFT\{ FT[C(x,y)conj[{P_2}(u,v)]]\} \cdot conj[{P_1}(x,y)]$$
$$\begin{array}{l} {P_1}(x,y) = \\ \left[ {\begin{array}{{cc}} {\cos [\frac{{{\varphi_1}(x,y)}}{2}] - i \cdot \sin [\frac{{{\varphi_1}(x,y)}}{2}]\cos [2{\theta_1}(x,y)]}&{ - i \cdot \sin [\frac{{{\varphi_1}(x,y)}}{2}]\sin [2{\theta_1}(x,y)]}\\ { - i \cdot \sin [\frac{{{\varphi_1}(x,y)}}{2}]\sin [2{\theta_1}(x,y)]}&{\cos [\frac{{{\varphi_1}(x,y)}}{2}] + i \cdot \sin [\frac{{{\varphi_1}(x,y)}}{2}]\cos [2{\theta_1}(x,y)]} \end{array}} \right] \end{array}$$
$$\begin{array}{l} {P_2}(u,v) = \\ \left[ {\begin{array}{{cc}} {\cos [\frac{{{\varphi_2}(u,v)}}{2}] - i \cdot \sin [\frac{{{\varphi_2}(u,v)}}{2}]\cos [2{\theta_2}(u,v)]}&{ - i \cdot \sin [\frac{{{\varphi_2}(u,v)}}{2}]\sin [2{\theta_2}(u,v)]}\\ { - i \cdot \sin [\frac{{{\varphi_2}(u,v)}}{2}]\sin [2{\theta_2}(u,v)]}&{\cos [\frac{{{\varphi_2}(u,v)}}{2}] + i \cdot \sin [\frac{{{\varphi_2}(u,v)}}{2}]\cos [2{\theta_2}(u,v)]} \end{array}} \right] \end{array}$$

3. Proposed known-plaintext attack schemes to SBOE and DRPO

Our proposed known-plaintext attack (KPA) schemes for SBOE and DRPO are based on linear modeling and optimization. Even though the working principles of SBOE and DRPO are quite different, the two kinds of optical encryption systems are both essentially linear. For SBOE, it is assumed that there are totally N pixels in the plaintext image. Both the plaintext and ciphertext can be represented by a one-dimensional vector of length N. Their relationship can be modeled by a matrix multiplication, given by Eq. (7).

$$\left[ {\begin{array}{c} {O({x_1},{y_1})}\\ {O({x_2},{y_2})}\\ \vdots \\ {O({x_N},{y_N})} \end{array}} \right] = \left[ {\begin{array}{ccc} {{w_{11}}}& \cdots &{{w_{1N}}}\\ \vdots & \ddots & \vdots \\ {{w_{N1}}}& \cdots &{{w_{NN}}} \end{array}} \right]\left[ {\begin{array}{c} {C(x_1^{\prime},y_1^{\prime})}\\ {C(x_2^{\prime},y_2^{\prime})}\\ \vdots \\ {C(x_N^{\prime},y_N^{\prime})} \end{array}} \right]$$
If all the coefficients ${w_{mn}}\textrm{ }(1 \le m \le N,\textrm{ }1 \le n \le N)$ in the matrix W are obtained, the corresponding plaintext can be predicted from a given ciphertext. The matrix elements can be optimized iteratively from a number of training samples (or known plaintext-ciphertext pairs). For each training sample consisting a pair of ciphertext C and plaintext O, the matrix element ${w_{mn}}$ will be updated in the following way, given by Eq. (8).
$$w_{mn}^{\prime} = {w_{mn}} + r[O({x_m},{y_m}) - {O^{\prime}}({x_m},{y_m})]conj[C(x_n^{\prime},y_n^{\prime})]$$
where ${w_{mn}}$ denotes the coefficient before updating, $w_{mn}^{\prime}$ denotes the coefficient after updating, $O({x_m},{y_m})$ denotes the ${m_{th}}$ element in the plaintext of the training sample, ${O^{\prime}}({x_m},{y_m})$ denotes the ${m_{th}}$ element in the predicted plaintext by the current W matrix, $C(x_n^{\prime},y_n^{\prime})$ denotes the ${n_{th}}$ element in the ciphertext of the training sample, r denotes the learning rate and $conj[]$ denotes the complex conjugation operation. The values of all matrix elements are optimized to ensure the average error between all the actual plaintexts and the predicted plaintexts by a matrix multiplication with the ciphertexts in the training set is minimized. The matrix elements are iteratively updated in the gradient descent direction of the error function to approach the optimum point. For one training sample, each element in the matrix W will be updated once, and W will be updated for all the training samples in one iteration. Multiple iterations of optimization will be performed before the final weighting matrix W is obtained. The estimated weighting matrix will usually be increasingly more accurate as there are more training samples.

For DRPO, the relationship between the plaintext (i.e. ${O_x}({x_m},{y_m}),1 \le m \le N$) and the ciphertext can be modeled by Eq. (9).

$$\left[ {\begin{array}{c} {{O_x}({x_1},{y_1})}\\ {{O_x}({x_2},{y_2})}\\ \vdots \\ {{O_x}({x_N},{y_N})} \end{array}} \right] = \left[ {\begin{array}{ccc} {{w_{x11}}}& \cdots &{{w_{x1N}}}\\ \vdots & \ddots & \vdots \\ {{w_{xN1}}}& \cdots &{{w_{xNN}}} \end{array}} \right]\left[ {\begin{array}{c} {{C_x}({x_1},{y_1})}\\ {{C_x}({x_2},{y_2})}\\ \vdots \\ {{C_x}({x_N},{y_N})} \end{array}} \right] + \left[ {\begin{array}{ccc} {{w_{y11}}}& \cdots &{{w_{y1N}}}\\ \vdots & \ddots & \vdots \\ {{w_{yN1}}}& \cdots &{{w_{yNN}}} \end{array}} \right]\left[ {\begin{array}{c} {{C_y}({x_1},{y_1})}\\ {{C_y}({x_2},{y_2})}\\ \vdots \\ {{C_y}({x_N},{y_N})} \end{array}} \right]$$
Compared with Eq. (7), the difference is that two $N \times N$ matrices ${W_x}$ and ${W_y}$ need to be determined. The optimization algorithm will be the same as the one stated above.

4. Results and discussions

The two proposed KPA schemes to SBOE and DRPO are verified by simulation results. In the SBOE system, the wavelength is 632 nm and the pixel size is 8 µm. The second light-field propagation distance ${d_2}$ = 0.05m. The distances between each plaintext pixel and the first random phase mask are randomly distributed within the range [0.01m 0.09m]. The plaintext image has 32×32 pixels. For a fixed set of random encryption and decryption keys (${d_2}$, ${P_1}$, and ${P_2}$), different plaintext images are encrypted and then the output ciphertext is decrypted in an inverse way. In this work, the plaintext images for training and testing are randomly selected from the MNIST dataset [42] and the Fashion-MNIST dataset [43]. Some examples of plaintext images are shown in Fig. 3. The simulation environment is MATLAB R2018b with Intel Core i5-7200U CPU (2.50GHz) and 8GB RAM. In the iterative optimization of the weighting matrix, more iterations are favorable for achieving better recovered plaintext image quality. However, more iterations will increase the computation time. The number of iterations is set to be 100 in all the simulations as a balance between the retrieved plaintext image quality and the computational cost. The learning rate is fine-tuned to ensure that the algorithm converges within 100 iterations and the recovered image quality is optimized.

 figure: Fig. 3.

Fig. 3. Examples of plaintext images in (a) MNIST dataset [42]; and (b) Fashion-MNIST dataset [43].

Download Full Size | PDF

For both SBOE and DRPO, 50, 100 and 300 plaintext images and corresponding ciphertexts are employed as the training samples in our proposed KPA scheme. The ciphertexts generated from another 1000 different plaintext images in the same dataset are used as the testing set for evaluating the performance. For SBOE, some examples of testing results for the MNIST dataset are shown in Fig. 4.

 figure: Fig. 4.

Fig. 4. Attacking results for SBOE: (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

Download Full Size | PDF

The plaintext image can only be correctly decrypted from the ciphertext by Eq. (2) when the keys are correct, shown in Fig. 4(b) and Fig. 4(c). The results indicate that the security of plaintext can be protected in some extent by a SBOE system. It shall be noticed that the decrypted results in Fig. 4(b) still have some quality degradations even when the keys are correct. This is due to the defocus noise contamination in the backward light field propagation. In our KPA scheme, the decryption with the correct keys is modeled by a matrix and the matrix elements can be optimized by the algorithm described in Section 3. It can be observed that the plaintext images all can be approximately recovered by using our optimized matrix for the several testing samples. With more training samples, the predicted plaintext images will be more similar to the original ones. In the attacking of SBOE, the learning rate is 0.01. The average peak signal-to-noise ratio (PSNR) between original plaintext images and cracked plaintext images for 1000 testing samples is 16.55 dB for 50 training samples, 18.67 dB for 100 training samples and 23.22 dB for 300 training samples. The calculation time is 53.03 seconds, 103.00 seconds and 311.97 seconds under these three conditions. The relationship between the recovered plaintext image quality and the number of training samples (from S = 5 to S = 100) is illustrated in Fig. 7(a). The relationship between the calculation time and the number of training samples (from S = 5 to S = 100) is illustrated in Fig. 7(c).

Some examples of cracking results for the DRPO system are shown in Fig. 5 and Fig. 6. Similar to SBOE, the plaintext images can be approximately recovered by our proposed scheme when the keys are unknown. In the attacking of DRPO, the learning rate is 0.001. The average PSNR for 1000 testing samples from the MNIST dataset is 15.74 dB for 50 training samples, 17.54 dB for 100 training samples and 20.43 dB for 300 training samples. The average PSNR for 1000 testing samples from the Fashion-MNIST dataset is 15.90 dB for 50 training samples, 17.38 dB for 100 training samples and 20.56 dB for 300 training samples. The calculation time is 102.44 seconds, 200.81 seconds and 598.63 seconds for these three number of training samples. Similarly, the PSNR curves and computational time curves are shown in Fig. 7(b) and Fig. 7(c).

 figure: Fig. 5.

Fig. 5. Attacking results for DRPO (MNIST dataset): (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

Download Full Size | PDF

 figure: Fig. 6.

Fig. 6. Attacking results for DRPO (Fashion-MNIST dataset): (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

Download Full Size | PDF

It can be observed from Fig. 7(a) and Fig. 7(b) that the quality of recovered plaintext images will be gradually enhanced as the number of training samples increases in the attacking of both SBOE and DRPO with our proposed scheme. A minimum number of training samples are required for achieving a certain lower limit of average PSNR. For example, at least 25 to 30 known plaintext-ciphertext pairs are necessary for obtaining attacking results with PSNR higher than 14.5 dB. If the number of training samples is rather small, most recovered plaintext images will have very low quality and be hard to visually identify. Some examples for S = 10 are shown in Fig. 8(b), Fig. 8(c) and Fig. 8(f). It can be observed from Fig. 7(c) that the calculation time of our proposed scheme increases linearly as the number of training samples increases. The calculation time for attacking DRPO is approximately double of that for SBOE under the same conditions. The reason is that there are two matrices for the two polarization directions to be recovered in DRPO whereas there is only one single matrix to be recovered in SBOE.

 figure: Fig. 7.

Fig. 7. Average PSNR of recovered plaintext images versus number of training samples (from 5 to 100): (a) SBOE; (b) DRPO; Calculation time of KPA versus number of training samples (from 5 to 100) for (c) SBOE and DRPO.

Download Full Size | PDF

 figure: Fig. 8.

Fig. 8. (a) Original MNIST testing images; Attacking results with MNIST testing images: (b) 10 training samples from the MNIST dataset in SBOE; (c) 10 training samples from the MNIST dataset in DRPO; (d) 100 training samples from the Fashion-MNIST dataset in DRPO; (e) Original Fashion-MNIST testing images; Attacking results with Fashion-MNIST testing images: (f) 10 training samples from the Fashion-MNIST dataset in DRPO; (d) 100 training samples from the MNIST dataset in DRPO.

Download Full Size | PDF

Furthermore, the testing images and training images are usually from the same dataset in our proposed scheme. If they are from different datasets, the quality of attacking results may be heavily degraded since different kinds of images may have different common features. For DRPO, the attacking results are shown in Fig. 8(d) when the training images are from the Fashion-MNIST dataset and the testing images are from the MNIST dataset. The average PSNR is 11.96 dB. On the other hand, the attacking results are shown in Fig. 8(g) when the training images are from the MNIST dataset and the testing images are from the Fashion-MNIST dataset. The average PSNR is 14.12 dB. The attacking results with mismatched training and testing datasets usually have much lower quality than ones with matched datasets.

For a further investigation of how the quality of recovered plaintext images and the computational cost in the attack change versus the image size, a Crop101 dataset consisting of 700 grayscale natural object images with 96×96 pixels cropped from the Caltech101 dataset [44] is constructed. The Crop101 images are scaled to 24×24 pixels, 32×32 pixels and 48×48 pixels respectively, shown in Fig. 9. One hundred out of the 700 images are used as the testing images. The PSNR curves and computational time curves of attacking results for SBOE and DRPO with our proposed scheme based on varying number of Crop101 training images (from 50 to 600) are shown in Fig. 10. The learning rates for attacking SBOE are fine-tuned to be 0.005, 0.002 and 0.001 for images with 24×24 pixels, 32×32 pixels and 48×48 pixels respectively. The learning rates for attacking DRPO are fine-tuned to be 0.002, 0.001 and 0.0005 for images with 24×24 pixels, 32×32 pixels and 48×48 pixels respectively. It can be observed that the average PSNR will be generally higher as the image size is smaller for the same number of training samples. In other words, a smaller number of training samples are required for achieving the same image quality when the image contains fewer pixels. The calculation time depends on the image size N in a large extent. The average calculation time for N = 48×48 is 11.29 times of that when N = 24×24 and 4.63 times of that when N = 32×32 in attacking SBOE. The average calculation time for N = 48×48 is 13.08 times of that when N = 24×24 and 4.83 times of that when N = 32×32 in attacking DRPO. The calculation time will be further increased when N is even larger. For example, it takes around 12.1 hours to perform the attack when S = 600 and N = 72×72. In addition, it is evident that there is a linear relationship between the calculation time and the number of training samples S.

 figure: Fig. 9.

Fig. 9. (a) Image examples in the Crop101 dataset; Attacking results for SBOE with 400 training samples when the training and testing images are resized to (b) 24×24 pixels; (c) 32×32 pixels and (d) 48×48 pixels; Attacking results for DRPO with 400 training samples when the training and testing images are resized to (e) 24×24 pixels; (f) 32×32 pixels and (g) 48×48 pixels.

Download Full Size | PDF

 figure: Fig. 10.

Fig. 10. (a) Average PSNR of recovered plaintext images versus S and N in attacking SBOE; (b) Calculation time versus S and N in attacking SBOE; (c) Average PSNR of recovered plaintext images versus S and N in attacking DRPO; (d) Calculation time versus S and N in attacking DRPO (S: No. of training samples; N: No. of pixels in each image).

Download Full Size | PDF

The proposed linear matrix modeling approach in this work can be employed for attacking many other linear optical cryptosystems including both coherent ones and incoherent ones, in addition to SBOE and DRPO. Examples include DRPE in different domains [46] and encrypted single-pixel imaging [45]. But this scheme is not applicable to nonlinear optical cryptosystems [4648].

5. Conclusion

The research of optical encryption has received much attention in the past decade. Multiple dimensions of a light field can be used as the encryption and decryption keys. Cascaded random phase masks are most commonly adopted in many optical cryptosystems. But random-phase-encoding optical cryptosystems are often vulnerable to various attacking schemes such as phase-retrieval-based ones. As alternative approaches, space-based optical encryption (SBOE) systems and double random polarization encoding (DRPO) systems were proposed. Conventional attacking schemes for random-phase-encoding optical cryptosystems are usually not applicable to SBOE and DRPO. Previously, the known-plaintext attack (KPA) to SBOE and DRPO was seldomly investigated. Different from most attacking schemes aimed at directly retrieving all the keys, a linear matrix modeling approach based on training samples is proposed in this work. Our proposed KPA scheme can crack both SBOE and DRPO by modeling the overall linear relationship between plaintexts and ciphertexts. In addition, it has a much simpler model compared with recent deep-learning-based attacking schemes. Many other linear optical cryptosystems can be cracked by this approach as well. Our proposed KPA scheme is verified by simulation results. The results reveal the security flaws of SBOE and DRPO.

Our proposed schemes still have two major limitations. First, it is hard for this scheme to work when there is only a very small number of training samples, especially when the size of each plaintext image is large. Second, the amount of computation is heavy for recovering high-resolution plaintext images containing many pixels. The second limitation can be possibly overcome by parallel computing with graphic processing units (GPU) [49,50] since the updating of one individual weighting matrix element is in parallel with each other in each iteration. These two limitations will be further investigated in future works.

Funding

National Natural Science Foundation of China (61805145, 11774240); Leading Talents Program of Guangdong Province (00201505); Natural Science Foundation of Guangdong Province (2016A030312010).

Disclosures

The authors declare no conflicts of interest.

References

1. S. Liu, C. Guo, and J. T. Sheridan, “A review of optical image encryption techniques,” Opt. Laser Technol. 57, 327–342 (2014). [CrossRef]  

2. J. Chen, N. Bao, L. Y. Zhang, and Z. L. Zhu, “Optical information authentication using optical encryption and sparsity constraint,” Opt. Laser Eng. 107, 352–363 (2018). [CrossRef]  

3. S. Jiao, C. Zhou, Y. Shi, W. Zou, and X. Li, “Review on optical image hiding and watermarking techniques,” Opt. Laser Technol. 109, 370–380 (2019). [CrossRef]  

4. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20(7), 767–769 (1995). [CrossRef]  

5. G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption by double-random phase encoding in the fractional Fourier domain,” Opt. Lett. 25(12), 887–889 (2000). [CrossRef]  

6. G. Situ and J. Zhang, “Double random-phase encoding in the Fresnel domain,” Opt. Lett. 29(14), 1584–1586 (2004). [CrossRef]  

7. H. Singh, A. K. Yadav, S. Vashisth, and K. Singh, “Fully phase image encryption using double random-structured phase masks in gyrator domain,” Appl. Opt. 53(28), 6472–6481 (2014). [CrossRef]  

8. Z. Liu, Q. Guo, L. Xu, M. A. Ahmad, and S. Liu, “Double image encryption by using iterative random binary encoding in gyrator domains,” Opt. Express 18(11), 12033–12043 (2010). [CrossRef]  

9. W. Chen, X. Chen, and C. J. R. Sheppard, “Optical image encryption based on diffractive imaging,” Opt. Lett. 35(22), 3817–3819 (2010). [CrossRef]  

10. Y. Qin, Q. Gong, and Z. Wang, “Simplified optical image encryption approach using single diffraction pattern in diffractive-imaging-based scheme,” Opt. Express 22(18), 21790–21799 (2014). [CrossRef]  

11. E. Ahouzi, W. Zamrani, N. Azami, A. Lizana, J. Campos, and M. J. Yzuel, “Optical triple random-phase encryption,” Opt. Eng. 56(11), 1 (2017). [CrossRef]  

12. A. Alfalou and A. Mansour, “Double random phase encryption scheme to multiplex and simultaneous encode multiple images,” Appl. Opt. 48(31), 5933–5947 (2009). [CrossRef]  

13. M. Z. He, L. Z. Cai, Q. Liu, X. C. Wang, and X. F. Meng, “Multiple image encryption and watermarking by random phase matching,” Opt. Commun. 247(1-3), 29–37 (2005). [CrossRef]  

14. J. F. Barrera, R. Henao, M. Tebaldi, R. Torroba, and N. Bolognini, “Multiple image encryption using an aperture-modulated optical system,” Opt. Commun. 261(1), 29–33 (2006). [CrossRef]  

15. Z. Liu, S. Li, W. Liu, Y. Wang, and S. Liu, “Image encryption algorithm by using fractional Fourier transform and pixel scrambling operation based on double random phase encoding,” Opt. Laser Eng. 51(1), 8–14 (2013). [CrossRef]  

16. B. M. Hennelly and J. T. Sheridan, “Random phase and jigsaw encryption in the Fresnel domain,” Opt. Eng. 43(10), 2239–2250 (2004). [CrossRef]  

17. M. He, Q. Tan, L. Cao, Q. He, and G. Jin, “Security enhanced optical encryption system by random phase key and permutation key,” Opt. Express 17(25), 22462–22473 (2009). [CrossRef]  

18. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cypher text attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30(13), 1644–1646 (2005). [CrossRef]  

19. X. Peng, H. Wei, and P. Zhang, “Chosen-plaintext attack on lensless double-random phase encoding in the Fresnel domain,” Opt. Lett. 31(22), 3261–3263 (2006). [CrossRef]  

20. U. Gopinathan, D. S. Monaghan, T. J. Naughton, and J. T. Sheridan, “A known-plaintext heuristic attack on the Fourier plane encryption algorithm,” Opt. Express 14(8), 3181–3186 (2006). [CrossRef]  

21. C. Guo, S. Liu, and J. T. Sheridan, “Iterative phase retrieval algorithms. Part II: Attacking optical encryption systems,” Appl. Opt. 54(15), 4709–4719 (2015). [CrossRef]  

22. C. Guo, I. Muniraj, and J. T. Sheridan, “Phase-retrieval-based attacks on linear-canonical-transform-based DRPE systems,” Appl. Opt. 55(17), 4720–4728 (2016). [CrossRef]  

23. X. Liu, J. Wu, W. He, M. Liao, C. Zhang, and X. Peng, “Vulnerability to ciphertext-only attack of optical encryption scheme based on double random phase encoding,” Opt. Express 23(15), 18955–18968 (2015). [CrossRef]  

24. G. Li, W. Yang, D. Li, and G. Situ, “Cyphertext-only attack on the double random-phase encryption: experimental demonstration,” Opt. Express 25(8), 8690–8697 (2017). [CrossRef]  

25. S. Jiao, G. Li, C. Zhou, W. Zou, and X. Li, “Special ciphertext-only attack to double random phase encryption by plaintext shifting with speckle correlation,” J. Opt. Soc. Am. A 35(1), A1–A6 (2018). [CrossRef]  

26. Y. Frauel, A. Castro, T. J. Nauqhton, and B. Javidi, “Resistance of the double random phase encryption against various attacks,” Opt. Express 15(16), 10253–10265 (2007). [CrossRef]  

27. A. M. Youssef, “On the security of a cryptosystem based on multiple-parameters discrete fractional Fourier transform,” IEEE Signal Process. Lett. 15, 77–78 (2008). [CrossRef]  

28. T. Li and Y. Shi, “Security risk of diffractive-imaging-based optical cryptosystem,” Opt. Express 23(16), 21384–21391 (2015). [CrossRef]  

29. Y. Wang, C. Quan, and C. J. Tay, “Cryptanalysis of an information encryption in phase space,” Opt. Laser Eng. 85, 65–71 (2016). [CrossRef]  

30. W. Chen and X. Chen, “Space-based optical image encryption,” Opt. Express 18(26), 27095–27104 (2010). [CrossRef]  

31. T. Nomura and B. Javidi, “Polarization encoding for optical security systems,” Opt. Eng. 39(9), 2439–2443 (2000). [CrossRef]  

32. X. Tan, O. Matoba, Y. Okada-Shudo, M. Ide, T. Shimura, and K. Kuroda, “Secure optical memory system with polarization encryption,” Appl. Opt. 40(14), 2310–2315 (2001). [CrossRef]  

33. O. Matoba and B. Javidi, “Secure holographic memory by double-random polarization encryption,” Appl. Opt. 43(14), 2915–2919 (2004). [CrossRef]  

34. S. K. Rajput and N. K. Nishchal, “Image encryption using polarized light encoding and amplitude and phase truncation in the Fresnel domain,” Appl. Opt. 52(18), 4343–4352 (2013). [CrossRef]  

35. U. Gopinathan, T. J. Naughton, and J. T. Sheridan, “Polarization encoding and multiplexing of two-dimensional signals: application to image encryption,” Appl. Opt. 45(22), 5693–5700 (2006). [CrossRef]  

36. L. Wang, Q. Wu, and G. H. Situ, “Chosen-plaintext attack on the double random polarization encryption,” Opt. Express 27(22), 32158–32167 (2019). [CrossRef]  

37. M. Dubreuil, A. Alfalou, and C. Brosseau, “Robustness against attacks of dual polarization encryption using the Stokes-Muellerformalism,” J. Opt. 14(9), 094004 (2012). [CrossRef]  

38. H. Hai, S. Pan, M. Liao, D. Lu, W. He, and X. Peng, “Cryptanalysis of random-phase-encoding-based optical cryptosystem via deep learning,” Opt. Express 27(15), 21204–21213 (2019). [CrossRef]  

39. L. Zhou, Y. Xiao, and W. Chen, “Machine-learning attacks on interference-based optical encryption: experimental demonstration,” Opt. Express 27(18), 26143–26154 (2019). [CrossRef]  

40. L. Zhou, Y. Xiao, and W. Chen, “Vulnerability to machine learning attacks of optical encryption based on diffractive imaging,” Opt. Laser Eng. 125, 105858 (2020). [CrossRef]  

41. S. Jiao, Y. Gao, J. Feng, T. Lei, and X. Yuan, “Does deep learning always outperform simple linear regression in optical imaging?” Opt. Express 28(3), 3717–3731 (2020). [CrossRef]  

42. Y. Lecun, L. Bottou, Y. Bengio, and P. Haffner, “Gradient-based learning applied to document recognition,” Proc. IEEE 86(11), 2278–2324 (1998). [CrossRef]  

43. H. Xiao, K. Rasul, and R. Vollgraf, “Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms,” arXiv preprint arXiv:1708.07747 (2017).

44. L. Fei-Fei, R. Fergus, and P. Perona, “Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories,” in Proceedings of IEEE Conference on Computer Vision and Pattern Recognition Workshop (IEEE, 2004), pp. 178.

45. S. Jiao, T. Lei, Y. Gao, Z. Xie, and X. Yuan, “Known-plaintext attack and ciphertext-only attack for encrypted single-pixel imaging,” IEEE Access 7, 119557–119565 (2019). [CrossRef]  

46. B. C. Chen and H. Z. Wang, “Optically-induced-potential-based image encryption,” Opt. Express 19(23), 22619–22627 (2011). [CrossRef]  

47. J. Hou, S. Huang, and G. Situ, “Nonlinear Optical Image Encryption,” Acta Opt. Sin. 35(8), 0807001 (2015). [CrossRef]  

48. A. Pan, K. Wen, and B. Yao, “Linear space-variant optical cryptosystem via Fourier ptychography,” Opt. Lett. 44(8), 2032–2035 (2019). [CrossRef]  

49. T. Shimobaba, Y. Sato, J. Miura, M. Takenouchi, and T. Ito, “Real-time digital holographic microscopy using the graphic processing unit,” Opt. Express 16(16), 11776–11781 (2008). [CrossRef]  

50. N. Takada, T. Shimobaba, H. Nakayama, A. Shiraki, N. Okada, M. Oikawa, N. Masuda, and T. Ito, “Fast high-resolution computer-generated hologram computation using multiple graphics processing unit cluster system,” Appl. Opt. 51(30), 7303–7307 (2012). [CrossRef]  

Cited By

Optica participates in Crossref's Cited-By Linking service. Citing articles from Optica Publishing Group journals and other participating publishers are listed here.

Alert me when this article is cited.


Figures (10)
Fig. 1.
Fig. 1. Optical setup of a space-based optical encryption (SBOE) system.

View in Article | Download Full Size | PDF

Fig. 2.
Fig. 2. Optical setup of a double random polarization encoding (DRPO) system.

View in Article | Download Full Size | PDF

Fig. 3.
Fig. 3. Examples of plaintext images in (a) MNIST dataset [42]; and (b) Fashion-MNIST dataset [43].

View in Article | Download Full Size | PDF

Fig. 4.
Fig. 4. Attacking results for SBOE: (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

View in Article | Download Full Size | PDF

Fig. 5.
Fig. 5. Attacking results for DRPO (MNIST dataset): (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

View in Article | Download Full Size | PDF

Fig. 6.
Fig. 6. Attacking results for DRPO (Fashion-MNIST dataset): (a) Original plaintext images; (b) Decrypted results with the correct key; (c) Decrypted results with the wrong key; Decrypted results using the optimized matrix in our proposed KPA scheme with (d) 50 training samples; (e) 100 training samples; (f) 300 training samples.

View in Article | Download Full Size | PDF

Fig. 7.
Fig. 7. Average PSNR of recovered plaintext images versus number of training samples (from 5 to 100): (a) SBOE; (b) DRPO; Calculation time of KPA versus number of training samples (from 5 to 100) for (c) SBOE and DRPO.

View in Article | Download Full Size | PDF

Fig. 8.
Fig. 8. (a) Original MNIST testing images; Attacking results with MNIST testing images: (b) 10 training samples from the MNIST dataset in SBOE; (c) 10 training samples from the MNIST dataset in DRPO; (d) 100 training samples from the Fashion-MNIST dataset in DRPO; (e) Original Fashion-MNIST testing images; Attacking results with Fashion-MNIST testing images: (f) 10 training samples from the Fashion-MNIST dataset in DRPO; (d) 100 training samples from the MNIST dataset in DRPO.

View in Article | Download Full Size | PDF

Fig. 9.
Fig. 9. (a) Image examples in the Crop101 dataset; Attacking results for SBOE with 400 training samples when the training and testing images are resized to (b) 24×24 pixels; (c) 32×32 pixels and (d) 48×48 pixels; Attacking results for DRPO with 400 training samples when the training and testing images are resized to (e) 24×24 pixels; (f) 32×32 pixels and (g) 48×48 pixels.

View in Article | Download Full Size | PDF

Fig. 10.
Fig. 10. (a) Average PSNR of recovered plaintext images versus S and N in attacking SBOE; (b) Calculation time versus S and N in attacking SBOE; (c) Average PSNR of recovered plaintext images versus S and N in attacking DRPO; (d) Calculation time versus S and N in attacking DRPO (S: No. of training samples; N: No. of pixels in each image).

View in Article | Download Full Size | PDF

Equations (9)

Equations on this page are rendered with MathJax. Learn more.

C ( x , y ) = F r T { F r T [ O ( x , y ) P 1 ( x , y ) , d 1 ( x , y ) ] P 2 ( u , v ) , d 2 }
O ( x , y ) = F r T { F r T [ C ( x , y ) , d 2 ] c o n j [ P 2 ( u , v ) ] , d 1 ( x , y ) } c o n j [ P 1 ( x , y ) ]
C ( x , y ) = I F T { F T [ O ( x , y ) P 1 ( x , y ) ] P 2 ( u , v ) }
O ( x , y ) = I F T { F T [ C ( x , y ) c o n j [ P 2 ( u , v ) ] ] } c o n j [ P 1 ( x , y ) ]
P 1 ( x , y ) = [ cos [ φ 1 ( x , y ) 2 ] i sin [ φ 1 ( x , y ) 2 ] cos [ 2 θ 1 ( x , y ) ] i sin [ φ 1 ( x , y ) 2 ] sin [ 2 θ 1 ( x , y ) ] i sin [ φ 1 ( x , y ) 2 ] sin [ 2 θ 1 ( x , y ) ] cos [ φ 1 ( x , y ) 2 ] + i sin [ φ 1 ( x , y ) 2 ] cos [ 2 θ 1 ( x , y ) ] ]
P 2 ( u , v ) = [ cos [ φ 2 ( u , v ) 2 ] i sin [ φ 2 ( u , v ) 2 ] cos [ 2 θ 2 ( u , v ) ] i sin [ φ 2 ( u , v ) 2 ] sin [ 2 θ 2 ( u , v ) ] i sin [ φ 2 ( u , v ) 2 ] sin [ 2 θ 2 ( u , v ) ] cos [ φ 2 ( u , v ) 2 ] + i sin [ φ 2 ( u , v ) 2 ] cos [ 2 θ 2 ( u , v ) ] ]
[ O ( x 1 , y 1 ) O ( x 2 , y 2 ) O ( x N , y N ) ] = [ w 11 w 1 N w N 1 w N N ] [ C ( x 1 , y 1 ) C ( x 2 , y 2 ) C ( x N , y N ) ]
w m n = w m n + r [ O ( x m , y m ) O ( x m , y m ) ] c o n j [ C ( x n , y n ) ]
[ O x ( x 1 , y 1 ) O x ( x 2 , y 2 ) O x ( x N , y N ) ] = [ w x 11 w x 1 N w x N 1 w x N N ] [ C x ( x 1 , y 1 ) C x ( x 2 , y 2 ) C x ( x N , y N ) ] + [ w y 11 w y 1 N w y N 1 w y N N ] [ C y ( x 1 , y 1 ) C y ( x 2 , y 2 ) C y ( x N , y N ) ]
Select as filters
Select Topics Cancel
Top
       
© Copyright 2024 | Optica Publishing Group. All rights reserved, including rights for text and data mining and training of artificial technologies or similar technologies.
Privacy | Terms of Use