Security risk of diffractive-imaging-based optical cryptosystem

Tuo Li; Yishi Shi

doi:10.1364/OE.23.021384

1. Introduction

The proposed diffractive-imaging-based optical cryptosystem, first proposed in 2010 [1]. Due to its simple setup and high security, it raises many researchers’ interest in the past five years. At present, multiple works directly using the diffractive-imaging based technique for different encryption targets have been proposed [2–11]. And these techniques may open up a new research perspective for optical image encryption [10]. However, as any optical cryptosystem [12–15], the diffractive-imaging-based cryptosystem could be trusted only if it is able to endure various attacks from the third party under certain conditions [16–24], such as chosen ciphertext attack (CCA) [16], chosen plaintext attack(CPA) [17–19], known plaintext attack(KPA) [20–24] and even ciphertext-only attack(COA) [25]. However, all the existed optical cryptanalysis methods fail to breach the diffractive-based cryptosystem and thus it is thought as security at present.

In this paper, we show how an encryption model with the architecture diffractive-imaging is vulnerable to CPA. By using the proposed approach, we demonstrate that the diffractive-imaging-based optical cryptosystem is insecure to CPA and the nearly perfect attack results are given.

The rest of this paper is organized as follows. In Section 2, we give a brief review to the principle of the diffractive-imaging-based optical cryptosystem. Section 3 describes how to perform the cryptanalysis and the simulation attack results are shown. Section 3 tests the feasibility and robustness of the proposed method. In Section 5, the conclusion is given.

2. Principle of diffractive-imaging-based cryptosystem

Since there are multiple derivatives of diffractive-imaging-based cryptosystems, we just take attacking the newest diffractive-imaging-based cryptosystem as an example in this paper, which is shown in Fig. 1 [10]. f stands for the primary image to be encoded, and M₁, M₂ and M₃ represent three phase only masks, which are statistically independent. The whole system is illustrated by a collimated monochromatic plane wave with a wavelength of λ. Under the Fresnel approximation, the diffraction intensity distribution recoded by the CCD camera can be expressed as

C (μ, v) = {| F r T_{λ, z_{3}} {F r T_{λ, z_{2}} {F r T_{λ, z_{1}} {f \cdot M_{1} (x, y)} \cdot M_{2} (η, ξ)} \cdot M_{3} (p, q)} |}^{2}

where | • | denotes a modulus operation. In this article, C(µ, v) is saved as the ciphertext. Till now, the encryption process is finished.

Fig. 1 Scheme setup of diffractive-imaging-based optical cryptosystem.

Download Full Size | PDF

With the correct phase keys, the ciphertext can be decrypted with high quality by using the decryption algorithm [10]. Here, for brevity, the decryption algorithm is not shown.

3. Cryptanalysis and simulation results

3.1 Attack method

In CPA, it is always assumed that attackers are familiar with the encryption algorithm, several skillfully designed plaintexts and its corresponding ciphertexts [17]. Let us assume that Q pairs of plaintexts and ciphertexts {(f_q, C_q) | q = 1, 2 …Q} and the diffraction distance z₁, z₂, and z₃ are known. Note that it is also reasonable to acquire the parameters of the encryption architecture of diffraction distance from the point of view of cryptanalysis for CPA [17]. In this section, we try to use these known resources to deduce the key of optical cryptosystem based on diffractive imaging by using the proposed method. From the perspective of mathematics, the proposed approach can be thought as a special case of a new type of multi-slice ptychographic phase retrieval algorithm [26].

In multi-slice ptychography, the specimen is enlightened by multiple probes, generating multiple diffraction patterns in the Fresnel domain. Since the neighboring probes cover up some common area of the specimen, their diffraction patterns partially carry the common information about the specimen. Using all the diffraction patterns, each slice of the specimen can be recovered. Inspired by the concept of ptychography, we tansformed the problem of attack on diffractive-imaging based cryptosystem into a question of multi-slice ptychographic phase retrieval: The phase keys (M₁, M₂, and M₃) are seen as the specimen to be retrieved; the ciphertexts C_i are viewed as the corresponding diffraction patterns; the chosen plaintexts f_i are seen as the probes. Since the core concept of the multi-slice ptychography is that the probes used should be overlapped, the chosen plaintexts should be designed to be overlapped.

The algorithm of the proposed attack is described as below:

1. Random guess the function of each key M_i(r) (i = 1, 2 …N) and begin the following iterative process.
2. Compute the exit wave from the first key as $ψ_{_{e, 1}}^{k} = f_{q} \cdot M_{1} (r)$
where k represents the each iteration number, q represents the seuence of plaintext and ciphertext pair. Note that employing the plaintext in different sequence will just affect the convergence speed of the proposed method but not affect the final convergence results [25]. In this paper, we employ the plaintext in sequence since it is a natural way and have a fast convergence.
Propagate this wave to second key, creating a subsequent incident wave $ψ_{_{i, 2}}^{k} = P_{Δ z_{n}} [ψ_{e, 1}^{k} (r)]$ _, where $P_{Δ z_{n}}$ is an angular spectrum propagator over distance $Δ z_{n} = z_{n + 1} - z_{n}$
3. Compute the exit wave from the second key as $ψ_{_{e, 2}}^{k} = ψ_{_{i, 2}}^{k} \cdot M_{2} (r)$ and propagate this wavefront to the third key to give $ψ_{_{i, 3}}^{k} = P_{Δ z_{n}} [ψ_{_{e, 2}}^{k} (r)]$ .
4. Continue this multiply-propagate process through subsequent keys until the exit-wave for the final key $ψ_{e, N}^{k}$ has been reached.
5. Propagate this wavefront to the detector to give $ψ_{_{q}}^{k} = F r T_{λ, z} [ψ_{_{e, N}}^{k} (r)]$ , where the propagator in this instance is Fresnel propagator over the distance z.
6. Correct the modulus of $ψ_{q}^{k}$ according to the ciphertexts $\sqrt{C_{q}}$ to give ${ψ^{'}}_{q}^{k} = \sqrt{C_{q}} \frac{ψ_{_{q}}^{k}}{| ψ_{_{q}}^{k} |}$
7. Back-propagate the corrected wavefront to the plane of the N-th key, giving a revised estimate of ${ψ^{'}}_{e, N}^{k}$ ${ψ^{'}}_{_{e, N}}^{k} = F r T_{λ, z}^{- 1} [{ψ^{'}}_{q}^{k}]$
8. The forward multi-slice calculation must now be unraveled in order to update each key. This is accomplished using an update function that can be posed in terms of three functions and a single constant parameter α as: $u [f (r), g (r), Δ ψ (r)] = f (r) + α \frac{g^{*} (r)}{| g (r) |} Δ ψ (r)$
Where α is a single constant parameter, which is weight factor. The value of α is always between 0.5 and 1.2. Using Eq. (5), the update computation proceeds by the following “update-back propagate” steps:
9. Set $Δ ψ^{k} (r) = Δ {ψ^{'}}^{k}_{e, N} (r) - Δ ψ_{_{e, N}}^{k} (r)$ and update the N-th incident wavefront and N-th key according to ${ψ^{'}}_{i, N}^{k} (r) = u [ψ_{_{i, N}}^{k} (r), M_{N} (r), Δ ψ^{k} (r)]$ ${M^{'}}_{N} (r) = u [M_{N} (r), ψ_{i, N}^{k} (r), Δ ψ^{k} (r)]$
10. Back propagate the revised incident wave, ${ψ^{'}}_{i, N} (r)$ to the (N-1)-th key: ${ψ^{'}}_{e, N - 1}^{k} (r) = P_{- Δ z_{(N - 1)}} [{ψ^{'}}_{i, N}^{k} (r)]$
11. Set $Δ ψ^{k} (r) = Δ {ψ^{'}}_{e, N - 1}^{k} (r) - Δ ψ_{e, N - 1}^{k} (r)$ and update the (N-1)-th incident wave and key: ${ψ^{'}}_{i, N - 1}^{k} (r) = u [ψ_{_{i, N - 1}}^{k} (r), M_{N - 1} (r), Δ ψ^{k} (r)]$ ${M^{'}}_{N - 1} (r) = u [M_{N - 1} (r), ψ_{_{i, N - 1}}^{k} (r), Δ ψ^{k} (r)]$
12. Repeat steps 10 and 11 for keys N-2, N-3, until the second key is reached.
13. Set $Δ ψ^{k} (r) = Δ {ψ^{'}}_{e, 1}^{k} (r) - Δ ψ_{e, 1}^{k} (r)$ and update the first key exactly as: ${M^{'}}_{1} (r) = u [M_{1} (r), f_{1}, Δ ψ^{k} (r)]$
14. Set $M_{n} (r) = {M^{'}}_{n} (r)$ for every n.

Steps 2-14 repeat until all of the ciphertexts have been addressed, which completes a single iteration of the algorithm. Further iterations follow, until either a terminating condition is met or a fixed number of iterations are completed. Till now, the attack method is finished.

To evaluate the performance of the proposed CPA method, the correlation coefficient (Co) between two images A and B is defined as follows:

C o = \frac{\sum_{m} \sum_{n} (A_{m n} - \bar{A}) (B_{m n} - \bar{B})}{\sum_{m} \sum_{n} [\sqrt{{(A_{m n} - \bar{A})}^{2}}] [\sqrt{{(B_{m n} - \bar{B})}^{2}}]}

where

\bar{A}

and

\bar{B}

denote the mean value of images A and B. A_mn and B_mn are the pixel values at the coordinate (m, n) of images A and B, respectively.

3.2 Attack results

We have performed a series of simulations to test the proposed method in MATLAB 2013a environment. Assume that an attacker has obtained 100 pairs of plaintexts and ciphertexts {P_q, C_q| q = 1, 2 …100}. Note that it is common case in cryptanalysis and conforms to the chosen plaintext premise [17]. For simplicity, only four plaintext and ciphertexts pairs are shown in Fig. 2, in which the gray levels are used to denote the different amplitude distributions. Note that the black regions in Fig. 2 indicate where the incident light is totally blocked and the white regions indicate where the incident light is totally transmitted. And the summation of 100 pairs of plaintexts is shown in Fig. 3, which is normalized between 0 and 1. As shown in Fig. 2, the elaborately designed plaintext is overlapped, which satisfies the requirements of the proposed method according to Section 3.

Fig. 2 Chosen plaintext-ciphertext pairs (128 × 128 × 8 bits). (a)-(b), (c)-(d), (e)-(f), and (g)- (h) represents the first, second, third and fourth plaintext-ciphertext pair applied in the attack, respectively.

Download Full Size | PDF

Fig. 3 (Color on line) Summation of all the known chosen plaintext applied in the proposed attack.

Download Full Size | PDF

Assume that in the encryption procedure, the three random phase keys of the cryptosystem are shown in Figs. 4(a)-4(c), respectively. The phase distribution of the three phase keys are between 0 and pi. The distance between these three phase keys is 20mm, 30mm, and 50mm, respectively. The constant parameter α in Eq. (5) is set to 1. Note that similar retrieved results can be acquired when the value of α is between 0.5 and 1.2.

Fig. 4 Phase distributions of original and retrieved keys. (a), (b) and (c) are the phase distribution of M₁, M₂ and M₃, respectively; (d), (e), and (f) are the retrieved phase distribution of M₁, M₂ and M₃, respectively.

Download Full Size | PDF

With the chosen plaintext-ciphertext pairs {P_q, C_q| q = 1, 2 …100}, the three phase keys of diffractive-based cryptosystem (M₁, M₂, and M₃) can be retrieved by using the proposed attack after 100 iterations, which are shown in Figs. 4(d)-4(f). This computation takes about 144 seconds. The cross sections on Figs. 4(c) and 4(f) are given, shown in Fig. 4. We can see that the phase of each pixel on the sections can be well retrieved. To further evaluate the performance of the proposed method, we also provide the convergence curve of the retrieved plaintext with the original one. The Co as a function of the iteration times is shown in Fig. 5. We can see that the Co value climbs nearly to one after 20 iterations, which represents that the key is nearly perfectly retrieved.

Fig. 5 Convergence curve of the original keys with the retrieved keys.

Download Full Size | PDF

Then the retrieved decryption keys are applied to decrypt the intercepted ciphertext shown in Fig. 6(a). The decryption result is shown in Fig. 6(b). Moreover, the recovered key is applied to decrypt many other ciphertext images and the similar results can be obtained (The Co value is close to one). These perfect attack results indicate validity of the proposed method.

Fig. 6 (a) Unknown ciphertext, (b) attack result by using the retrieved keys.

Download Full Size | PDF

4. Feasibility and robustness of the proposed method

Firstly, the shape diversity of the chosen plaintext has been tested for optical attack. In the above example, the shape of the plaintexts applied in the attack is chosen as circular aperture shown in Fig. 2. In this section, we replace the plaintexts in Fig. 2 (circular aperture with black background) with the plaintexts in Fig. 7 (arbitrary images with black regions). Note that the black regions in Fig. 7 indicate where the incident light is totally blocked, and the gray-scale image regions indicate where the incident light is partially transmitted (different gray levels represents different transmittances). From the Fig. 7, we can see that gray-scale images are overlapped, which also satisfies the core requirement of ptychography. Consequently, the three phase keys of the diffractive-based cryptosystem (M₁, M₂, and M₃) can be retrieved by applying the proposed attack. After 100 iterations, we can obtain the high quality phase key similar to those present in Fig. 4, which are not shown for brevity. This computation takes about 144 seconds. From the above results, we can see that the requirement of the proposed method is that the plaintext should be overlapped no matter what shape the chosen plaintext is. It indicates that the diversity of the shape of the chosen plaintext provides a freedom of the plaintexts designing.

Fig. 7 Chosen plaintext-cipertext pairs (128 × 128 × 8 bits). (a)-(b), (c)-(d), (e)-(f), and (g)-(h) represents the first, second, third and fourth plaintext-ciphertext pair applied in the attack, respectively.

Download Full Size | PDF

Secondly, the robustness of the proposed CPA method has been proved. As the ciphertexts {C_q| q = 1, 2 ….100} used in the attack may be contaminated by noise in practical case, the performances of proposed method are tested in the noise condition. The random noise is generated by ({Mean[|C_i|]}/SNR)*V, where Mean denotes a mean value of the ciphertext, V is 2D variable randomly distributed in a range of [-0.5, 0.5] and SNR represents the signal-to-noise ratio [3, 27]. Figures 8(a)-8(d) are decryption results after 200 iterations when the ciphertexts {C_q| q = 1, 2 ….100} are contaminated with noise (SNR value 20, 10, 5, and even 1, respectively). These results demonstrate that the method is robustness.

Fig. 8 Robustness of the proposed attack method when the ciphertexts are contaminated by noise, (a)-(d) are decryption results when the ciphertext with random noise (SNR = 20, 10, 5, 1).

Download Full Size | PDF

Note that the scope of the proposed method is limited to analyze the security of conventional diffractive-imaging cryptosystem; it cannot include the one-time pads system which updates key for each image [24]. In other words, as long as the system is not the one-time pads system, the analysis of the proposed method is available.

5. Conclusion

We demonstrate that there is security risk in the diffractive-imaging based cryptosystem. To our best knowledge, this should be the first work to attack the diffractive-imaging system. A set of numerical simulation results have demonstrated that the diffractive-imaging based cryptosystem is vulnerable to the CPA scheme. This work may motivate further researching how to enhance the security of the diffractive-imaging based cryptosystem.

Acknowledgments

The authors quite appreciate the anonymous reviewers for their constructive comments. This research was supported by National Natural Science Foundation of China (61350014 and 61307018).

References and links

1. W. Chen, X. Chen, and C. J. R. Sheppard, “Optical image encryption based on diffractive imaging,” Opt. Lett. 35(22), 3817–3819 (2010). [CrossRef] [PubMed]

2. J. S. Chen, Y. B. Chen, P. F. Hsu, N. Nguyen-Huu, and Y. L. Lo, “Cryptographic scheme using genetic algorithm and optical responses of periodic structures,” Opt. Express 19(9), 8187–8199 (2011). [CrossRef] [PubMed]

3. W. Chen and X. D. Chen, “Structured-illumination-based lensless diffractive imaging and its application to optical image encryption,” Opt. Commun. 285(8), 2044–2047 (2012). [CrossRef]

4. Y. Shi, T. Li, Y. Wang, Q. Gao, S. Zhang, and H. Li, “Optical image encryption via ptychography,” Opt. Lett. 38(9), 1425–1427 (2013). [CrossRef] [PubMed]

5. W. Chen and X. D. Chen, “Optical color-image verification using multiple-pinhole phase retrieval,” J. Opt. 16(7), 075403 (2014). [CrossRef]

6. Q. Gao, Y. Wang, T. Li, and Y. Shi, “Optical encryption of unlimited-size images based on ptychographic scanning digital holography,” Appl. Opt. 53(21), 4700–4707 (2014). [CrossRef] [PubMed]

7. S. Liu, C. L. Guo, and J. T. Sheridan, “A review of optical image encryption techniques,” Opt. Laser Technol. 57, 327–342 (2014). [CrossRef]

8. Z. P. Wang, S. Zhang, H. Z. Liu, and Y. Qin, “Single-intensity-recording optical encryption technique based on phase retrieval algorithm and QR code,” Opt. Commun. 332, 36–41 (2014). [CrossRef]

9. Y. Qin, Z. Wang, and Q. Gong, “Diffractive-imaging-based optical image encryption with simplified decryption from single diffraction pattern,” Appl. Opt. 53(19), 4094–4099 (2014). [CrossRef] [PubMed]

10. Y. Qin, Q. Gong, and Z. Wang, “Simplified optical image encryption approach using single diffraction pattern in diffractive-imaging-based scheme,” Opt. Express 22(18), 21790–21799 (2014). [CrossRef] [PubMed]

11. I. Mehra, K. Singh, A. K. Agarwal, U. Gopinathan, and N. K. Nishchal, “Encrypting digital hologram of three-dimensional object using diffractive imaging,” J. Opt. 17(3), 035707 (2015). [CrossRef]

12. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20(7), 767–769 (1995). [CrossRef] [PubMed]

13. X. C. Cheng, L. Z. Cai, Y. R. Wang, X. F. Meng, H. Zhang, X. F. Xu, X. X. Shen, and G. Y. Dong, “Security enhancement of double-random phase encryption by amplitude modulation,” Opt. Lett. 33(14), 1575–1577 (2008). [CrossRef] [PubMed]

14. W. Qin and X. Peng, “Asymmetric cryptosystem based on phase-truncated Fourier transforms,” Opt. Lett. 35(2), 118–120 (2010). [CrossRef] [PubMed]

15. W. Chen, B. Javidi, and X. D. Chen, “Advances in optical security systems,” Adv. Opt. Photonics 6(2), 120–155 (2014). [CrossRef]

16. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30(13), 1644–1646 (2005). [CrossRef] [PubMed]

17. X. Peng, H. Wei, and P. Zhang, “Chosen-plaintext attack on lensless double-random phase encoding in the Fresnel domain,” Opt. Lett. 31(22), 3261–3263 (2006). [CrossRef] [PubMed]

18. W. Q. He, X. Peng, and X. F. Meng, “A hybrid strategy for cryptanalysis of optical encryption based on double-random phase-amplitude encoding,” Opt. Laser Technol. 44(5), 1203–1206 (2012). [CrossRef]

19. W. Q. He, X. Peng, X. F. Meng, and X. L. Liu, “Collision in optical image encryption based on interference and a method for avoiding this security leak,” Opt. Laser Technol. 47, 31–36 (2013). [CrossRef]

20. G. Situ, G. Pedrini, and W. Osten, “Strategy for cryptanalysis of optical encryption in the Fresnel domain,” Appl. Opt. 49(3), 457–462 (2010). [CrossRef] [PubMed]

21. X. Peng, P. Zhang, H. Wei, and B. Yu, “Known-plaintext attack on optical encryption based on double random phase keys,” Opt. Lett. 31(8), 1044–1046 (2006). [CrossRef] [PubMed]

22. J. F. Barrera, C. Vargas, M. Tebaldi, R. Torroba, and N. Bolognini, “Known-plaintext attack on a joint transform correlator encrypting system,” Opt. Lett. 35(21), 3553–3555 (2010). [CrossRef] [PubMed]

23. X. Wang, Y. Chen, C. Dai, and D. Zhao, “Discussion and a new attack of the optical asymmetric cryptosystem based on phase-truncated Fourier transform,” Appl. Opt. 53(2), 208–213 (2014). [CrossRef] [PubMed]

24. Y. Frauel, A. Castro, T. J. Naughton, and B. Javidi, “Resistance of the double random phase encryption against various attacks,” Opt. Express 15(16), 10253–10265 (2007). [CrossRef] [PubMed]

25. C. Zhang, M. Liao, W. He, and X. Peng, “Ciphertext-only attack on a joint transform correlator encryption system,” Opt. Express 21(23), 28523–28530 (2013). [CrossRef] [PubMed]

26. A. M. Maiden, M. J. Humphry, and J. M. Rodenburg, “Ptychographic transmission microscopy in three dimensions using a multi-slice approach,” J. Opt. Soc. Am. A 29(8), 1606–1614 (2012). [CrossRef] [PubMed]

27. T. Li, Y. Wang, J. Zhang, and Y. Shi, “Analytic known-plaintext attack on a phase-shifting interferometry-based cryptosystem,” Appl. Opt. 54(2), 306–311 (2015). [CrossRef] [PubMed]

Security risk of diffractive-imaging-based optical cryptosystem

Abstract

1. Introduction

2. Principle of diffractive-imaging-based cryptosystem

3. Cryptanalysis and simulation results

3.1 Attack method

3.2 Attack results

4. Feasibility and robustness of the proposed method

5. Conclusion

Acknowledgments

References and links

Cited By

Figures (8)

Equations (12)

Optics Express