Asymmetric image encryption based on optical interference using modified error-reduction phase retrieval algorithm

In 1995 Refrégiér and Javidi proposed the double random phase encoding [1] technique, which shows that optical information processing has a high-speed multidimension data processing capability and a high degree of freedom to multiply parameters. From then on, optical image encryption [1, 2] has attracted more and more attention from many researchers due to its advantages. Many various optical structures and algorithms are introduced into the field of image encryption, such as various optical transforms (including fractional Fourier transform (FT) [3], multiple-parameter fractional FT [4], gyrator transform [5] and so on), polarized light [6], holography [7, 8], coherent diffraction [9, 10] and interference [11].

Especially in interference-based encryption (IBE) [11], proposed by Zhang, the intensity of the interference fringe between two coherent beams is the decrypted image, which can be recorded by an intensity detector directly. Although IBE has the easy optical decryption, it has a drastic drawback: the silhouette problem [12–16]. Zhang [12] proposed to exchange the corresponding parts of two POMs to remove the silhouette. Wang [17] and Zhong [18] inserted an additional random phase mask (RPM) before the two POMs or in the third beam path. Recently some phase retrieval algorithm-based IBE schemes [19–21] have been proposed. They not only have an additional diffraction distance, but they all also remove the silhouette. However, most of the aforementioned IBE schemes are symmetric with a small key space, which makes these schemes vulnerable to illegal attacks [16, 22, 23]. To break the linearity, Cai and et. presented an asymmetric IBE with the aid of equal modulus decomposition (EMD) [24]. However, the illegal intrusions can access easily the plaintext via an amplitude-phase retrieval algorithm (APRA) [25, 26].

Conventionally, the ciphertexts are the same size as the plaintext, so the efficiency of the storage and transmission needs enhancement. Although the image compression can be processed easily via critical sampling in the transformation domain, such as with a discrete cosine transform [27, 28], discrete wavelet transform [29] and FT [30], the digital post-processing makes the decryption process of those schemes complex.

In this work, we propose an asymmetric IBE scheme by using a modified error-reduction phase retrieval algorithm (mERPRA). Unlike the traditional IBE schemes, the image compression and asymmetric encryption can be simply realized by the mERPRA in the structure of optical interference. As a result, our method provides a low burden of transmission and storage, and high resistance against illegal attacks. In addition, compared to EMD-based IBE [24–26], our method generates a plaintext-dependent key using mERPRA, thus resulting in larger key space and robustness against APRA. All of these significantly enhance the encryption performance and security of our method. Simulation results are presented to verify the effectiveness and robustness of our method.

The original image f (u,v) and one fixed RPM (denoted as P1) are set as two known constraints in the encryption process. A(x,y ) and P(x,y ) represent the amplitude and phase of the iteratively calculated diffraction pattern with a predefined smaller size. They are unknown and can be simultaneously figured out by using mERPRA. The flowchart of the encryption process is shown in figure 1.

Zoom In Zoom Out Reset image size

In the initialization of the encryption process, an RAM generated randomly in the interval [0, 1] is used as A⁰(x,y )  ×  P⁰(x,y ). P1(x, y ) is a fixed RPM and used as a public key. The kth iteration loop is depicted as:

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \begin{array}{@{}cccccccccccccccccccc@{}} & T_{1}^{k}(u,v)=Fr{{T}_{({{d}_{2}},\lambda)}}\left[{{A}^{k-1}}(x,y)\times {{P}^{k-1}}(x,y) \right] \nonumber \\ & +Fr{{T}_{({{d}_{1}},\lambda)}}\left[P1(x,y) \right] \end{array}\nonumber \end{align} \tag{ 1 }$$

where FrT denotes a 2D Fresnel transform, (x,y ) and (u,v) denote the coordinates of the spatial domain and spectral domain. d₁ denotes a distance between P1(x, y ) and the image plane, and d₂ denotes a distance between A(x,y )  ×  P(x,y ) and the image plane, which can be different from d₁.

Apply the amplitude constraint f (u,v) at the image plane to update the $T_{1}^{k}$(u,v):

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle T_{2}^{k}(u,v)={\sqrt{f(u,v)}T_{1}^{k}(u,v)}/{\left| T_{1}^{k}(u,v) \right|} \nonumber \end{align} \tag{ 2 }$$

where f (u,v) denotes a normalized original image.

Then remove the item of P1(x,y ) and propagate back to A(x,y )  ×  P(x,y ) plane.

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle T_{3}^{k}(x,y)=Fr{{T}_{(-{{d}_{2}},\lambda)}}\left[T_{2}^{k}(u,v)-Fr{{T}_{({{d}_{1}},\lambda)}}\left[P1(x,y) \right] \right].\nonumber \end{align} \tag{ 3 }$$

The updated A^k(x, y ) and P^k(x, y ) can be calculated as follows:

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle {{A}^{k}}(x,y)=abs\left[T_{3}^{k}(x,y) \right]\nonumber \end{align} \tag{ 4 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle {{P}^{k}}(x,y)=\exp \left\{\,j\times \arg \left[T_{3}^{k}(x,y) \right] \right\}\nonumber \end{align} \tag{ 5 }$$

where abs[] and arg[] indicate the amplitude extraction and the phase extraction, respectively.

In every iteration, A^k(x, y ) and P^k(x, y ) should be updated as follows:

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle {{A}^{k}}(x,y)\times {{P}^{k}}(x,y)=\left\{\begin{array}{@{}cccccccccccccccccccc@{}} & {{A}^{k}}(x,y)\times {{P}^{k}}(x,y),(x,y)\in \gamma \nonumber \\ & 0, \begin{matrix} \begin{matrix} {} & {} & {} \nonumber \\ \end{matrix} & {} & {} \nonumber \\ \end{matrix}(x,y)\notin \gamma \end{array} \right.,\nonumber \end{align} \tag{ 6 }$$

where γ indicates a region of interest (ROI), for which the elements are inside the predefined shrinked area. It should be noted that the pixels outside the ROI of the ciphertext A, public key P1 and private key P are all zero and useless. It is unnecessary to store and transmit the data outside the ROI. A desired compression rate can be obtained by controlling the area of γ. As a result, the burden of the transmission and storage decreases.

The loop iteration would be repeated until the predefined precision or iteration number is achieved. When the encryption process is completed, a ciphertext A(x,y ) and a private key P(x,y ) can be obtained.

The optical schematics of the decryption process are shown in figure 2. The ciphertext A, public key P1 and private key P are displayed on spatial light modulators (SLMs). Two coherent collimated beams cross the SLMs and their diffraction wavefronts interfere with each other at the image plane, resulting in the decrypted image captured by the CCD camera. Note that the size of the captured image is larger than that of the ROI of the ciphertext A but similar to that of the original image.

Zoom In Zoom Out Reset image size

The decrypted image can be expressed

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle f\prime (u,v)={{\left| \begin{array}{@{}cccccccccccccccccccc@{}} & Fr{{T}_{({{d}_{1}},\lambda)}}\left[A(x,y)\times P(x,y) \right] \nonumber \\ & +Fr{{T}_{({{d}_{2}},\lambda)}}\left[P1(x,y) \right] \end{array} \right|}^{2}}.\nonumber \end{align} \tag{ 7 }$$

In this scheme, P1, the illuminating wavelength and the diffraction distances serve as the public keys. A(x,y ) can be stored and transmitted as the compressed and encrypted image, while P(x,y ) serves as a private key. The private key P(x,y ), which is highly plaintext-dependent, makes our proposed IBE scheme asymmetric.

Various numerical simulations are performed to demonstrate the feasibility and effectiveness of this proposed scheme. As previously described in the encryption process, the size of ROI is a constraint of encryption. A shrunken ROI with 160  ×  160 pixels (occupying 39.06% of the original size) is set for the numerical simulations. The illuminating wavelength is 632.8 nm, while the diffraction distance d₁ is set as 50 mm and the diffraction distance d₂ is set as 51 mm.

The original image with the size of 256  ×  256 pixels is shown in figure 3(a), the ROI of P1 used for encryption, as shown in figure 3(b). The ROI of the compressive ciphertext A(x,y ) is presented in figure 3(c), which has a smaller size of 160  ×  160 pixels and appears like useless information. The ROI of the private key P(x,y ) with a size of 160  ×  160 pixels, is shown in figure 3(d). The correct decrypted image is illustrated in figure 3(e). For clarity, only the areas containing efficient pixels are shown.

Zoom In Zoom Out Reset image size

In the simulation we can get the high-quality decrypted image with CC  =  0.9823 while a compression rate of 60.94% can be obtained compared with previous IBE schemes. Unlike the critical sampling used in [27–30], the proposed method does not require extra image processing in encryption and decryption processes.

To demonstrate the relationship between the CC values and the iteration number, the plot is depicted in figure 4. It is apparent that this proposed scheme can achieve fast convergence and high-quality decryption.

Zoom In Zoom Out Reset image size

The diffraction distances are important keys in this scheme. Figure 5 shows the CC value influenced by the diffraction distance d₁, in which ▵d means the deviation of d₁. Only the right distance is used, the CC value reaches the peak. Obviously, this scheme is very sensitive to the diffraction distance, which enhances the security of this scheme.

Zoom In Zoom Out Reset image size

In the simulation, the wavelength is set at 633 nm. Figure 6(a) shows the decrypted image when 632 nm is used as the wavelength for decryption, while figure 6(b) shows the decrypted image when 634 nm is used as the wavelength for decryption. It is obvious that any little deviation of wavelength would result in decryption failure.

Zoom In Zoom Out Reset image size

The silhouette-free capability is further analysed for only one or two of P1, A and P when the wavelength and distance are correct; some results are shown in figure 7. It is obvious that no information from the original image can be observed, and the silhouette problem of the IBE is removed. In other words, all of the ciphertext A, the public key P1 and the private key P are necessary for decryption.

Zoom In Zoom Out Reset image size

Compared with the previously published IBE schemes, our proposal retrieved a plaintext-dependent private key, which makes our proposal asymmetric and more secure. To test its resistance against the APRA, it is assumed that the public keys, such as P1, the wavelength, the diffraction distances and the size of ROI, the ciphertext and even the encryption algorithm are known to the attacker. Based on known conditions, the attacker is able to develop a modified APRA attack to retrieve an image. The modified APRA attack for this scheme can be described as follows.

In the kth (k  =  0, 1, 2, 3...) iteration, the decrypted image I(u,v) can be written as

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \begin{array}{@{}cccccccccccccccccccc@{}} & T_{k}^{1}(u,v)=Fr{{T}_{({{d}_{2}},\lambda)}}\left[A(x,y)\times P_{k-1}^{\prime}(x,y) \right] \nonumber \\ & +Fr{{T}_{({{d}_{1}},\lambda)}}\left[P1(x,y) \right]. \end{array}\nonumber \end{align} \tag{ 8 }$$

Because the image is real-valued, just extract the amplitude of $T_{k}^{1}$(u, v)

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle T_{k}^{2}(u,v)=\left| T_{k}^{1}(u,v) \right|.\nonumber \end{align} \tag{ 9 }$$

Remove P1 and backpropagate to A(x,y )  ×  P(x,y ) plane

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle T_{k}^{3}(x,y)=Fr{{T}_{(-{{d}_{2}},\lambda)}}\left[T_{k}^{2}(u,v)-Fr{{T}_{({{d}_{1}},\lambda)}}\left[P1(x,y) \right] \right].\nonumber \end{align} \tag{ 10 }$$

Then apply the size of ROI to the iteratively retrieved private key P'(x,y )

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle P_{k}^{\prime}(x,y)=\exp \left\{\,j\times \arg \left[T_{k}^{3}(x,y) \right] \right\}\nonumber \end{align} \tag{ 11 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle P_{k}^{\prime}(x,y)=\left\{\begin{array}{@{}llcccccccccccccccccc@{}} P_{k}^{\prime}(x,y),(x,y)\in \gamma \nonumber \\ 0, \begin{matrix} {} & {} \nonumber \\ \end{matrix}(x,y)\notin \gamma \end{array} \right..\nonumber \end{align} \tag{ 12 }$$

At the end of the kth iteration, the decrypted image can be calculated

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \begin{array}{@{}cccccccccccccccccccc@{}} & I_{k}^{\prime}(u,v)=Fr{{T}_{({{d}_{2}},\lambda)}}\left[A(x,y)\times P_{k}^{\prime}(x,y) \right] \nonumber \\ & \quad +Fr{{T}_{({{d}_{1}},\lambda)}}\left[P1(x,y) \right]. \end{array}\nonumber \end{align} \tag{ 13 }$$

Furthermore, to demonstrate the resistance on the modified APRA attack, the CC values verses the iteration number is shown in figure 8.

Zoom In Zoom Out Reset image size

Obviously, after 100 iterative calculation, the retrieved image still has a very low CC value. Therefore, the APRA attack cannot access any information from the original image in our proposed scheme.

In this paper, we propsed a mERPRA in the structure of optical interference to achieve image compression and asymmetric encryption simultaneously. Different to the previous IBE schemes, the ciphertext in our proposal has less pixels. In addition, a plaintext-dependent private key is retrieved in the encryption process, which makes this scheme asymmetric. Due to the asymmetry and the high sensitivity of keys, such as the wavelength and diffraction distances, this proposed IBE scheme obtains much higher security. Simulation results are presented to prove the validity of the proposed scheme.

This work was supported by National Natural Science Foundation of China (61775046); Heilongjiang Science Foundation of China (LC2018027); PhD Student Research and Innovation Fund of the Fundamental Research Funds for the Central Universities (HEUGIP201812).