Ciphertext-only attack on a joint transform correlator encryption system

Chenggong Zhang, Meihua Liao, Wenqi He, and Xiang Peng*

College of Optoelectronics Engineering, Key Laboratory of Optoelectronic Devices and Systems of Ministry of Education and Guangdong Province, Shenzhen University, Shenzhen 518060, China

* [email protected]

Abstract: A ciphertext-only attack (COA) on a joint transform correlator (JTC) encryption system is proposed. From the perspective of optical cryptanalysis, we find that the problem to be solved in the COA scheme can be converted into a phase retrieval problem with a single intensity measurement. In this paper, the hybrid input-output (HIO) algorithm is employed to handle this problem with the help of an inartificial signal domain support and a given frequency domain constraint. We also provide a set of numerical simulations to demonstrate the validity and feasibility of the presented method.

©2013 Optical Society of America

OCIS codes: (060.4785) Optical security and encryption; (070.0070) Fourier optics and signal processing.

References and links

1. B. Javidi, “Securing information with optical technologies,” Phys. Today 50(3), 27 (1997).
2. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20(7), 767–769 (1995).
3. G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption by double-random phase encoding in the fractional Fourier domain,” Opt. Lett. 25(12), 887–889 (2000).
4. G. H. Situ and J. J. Zhang, “Double random-phase encoding in the Fresnel domain,” Opt. Lett. 29(14), 1584–1586 (2004).
5. X. C. Cheng, L. Z. Cai, Y. R. Wang, X. F. Meng, H. Zhang, X. F. Xu, X. X. Shen, and G. Y. Dong, “Security enhancement of double-random phase encryption by amplitude modulation,” Opt. Lett. 33(14), 1575–1577 (2008).
6. T. Nomura and B. Javidi, “Optical encryption using a joint transform correlator architecture,” Opt. Eng. 39(8), 2031–2035 (2000).
7. Y. Zhang and B. Wang, “Optical image encryption based on interference,” Opt. Lett. 33(21), 2443–2445 (2008).
8. B. Wang and Y. Zhang, “Double images hiding based on optical interference,” Opt. Commun. 282(17), 3439–3443 (2009).
9. Y. Zhang, B. Wang, and Z. Dong, “Enhancement of image hiding by exchanging two phase masks,” J. Opt. A, Pure Appl. Opt. 11(12), 125406 (2009).
10. W. He, X. Peng, and X. Meng, “Optical multiple-image hiding based on interference and grating modulation,” J. Opt. 14(7), 075401 (2012).
11. W. He, X. Peng, X. Meng, and X. Liu, “Collision in optical image encryption based on interference and a method for avoiding this security leak,” Opt. Laser Technol. 47, 31–36 (2013).
12. T. Nomura and B. Javidi, “Optical encryption system with a binary key code,” Appl. Opt. 39(26), 4783–4787 (2000).
13. D. Abookasis, O. Arazi, J. Rosen, and B. Javidi, “Security optical systems based on a joint transform correlator with significant output images,” Opt. Eng. 40(8), 1584–1589 (2001).
14. S. J. Park, J. Y. Kim, J. K. Bae, and S. J. Kim, “Fourier-plane encryption technique based on removing the effect of phase terms in a joint transform correlator,” Opt. Rev. 8(6), 413–415 (2001).
15. M. Yamazaki and J. Ohtsubo, “Optimization of encrypted holograms in optical security systems,” Opt. Eng. 40(1), 132–137 (2001).
16. T. Nomura, S. Mikan, Y. Morimoto, and B. Javidi, “Secure optical data storage with random phase key codes by use of a configuration of a joint transform correlator,” Appl. Opt. 42(8), 1508–1514 (2003).
17. C. La Mela and C. Iemmi, “Optical encryption using phase-shifting interferometry in a joint transform correlator,” Opt. Lett. 31(17), 2562–2564 (2006).
18. L. C. Lin and C. J. Cheng, “Optimal key mask design for optical encryption based on joint transform correlator architecture,” Opt. Commun. 258(2), 144–154 (2006).

#199406 - $15.00 USD Received 14 Oct 2013; revised 6 Nov 2013; accepted 6 Nov 2013; published 13 Nov 2013 (C) 2013 OSA 18 November 2013 | Vol. 21, No. 23 | DOI:10.1364/OE.21.028523 | OPTICS EXPRESS 28523

19. G. Situ, U. Gopinathan, D. S. Monaghan, and J. T. Sheridan, “Cryptanalysis of optical security systems with significant output images,” Appl. Opt. 46(22), 5257–5262 (2007).
20. D. Amaya, M. Tebaldi, R. Torroba, and N. Bolognini, “Multichanneled encryption via a joint transform correlator architecture,” Appl. Opt. 47(31), 5903–5907 (2008).
21. D. Amaya, M. Tebaldi, R. Torroba, and N. Bolognini, “Digital color encryption using a multi-wavelength approach and a joint transform correlator,” J. Opt. A, Pure Appl. Opt. 10(10), 104031 (2008).
22. D. Amaya, M. Tebaldi, R. Torroba, and N. Bolognini, “Wavelength multiplexing encryption using joint transform correlator architecture,” Appl. Opt. 48(11), 2099–2104 (2009).
23. E. Rueda, J. F. Barrera, R. Henao, and R. Torroba, “Optical encryption with a reference wave in a joint transform correlator architecture,” Opt. Commun. 282(16), 3243–3249 (2009).
24. R. Henao, E. Rueda, J. F. Barrera, and R. Torroba, “Noise-free recovery of optodigital encrypted and multiplexed images,” Opt. Lett. 35(3), 333–335 (2010).
25. C. A. Rios, E. Rueda, J. F. Barrera, R. Henao, and R. Torroba, “Optodigital protocol to avoid an external reference beam in a JTC encrypting processor,” in OSA Technical Digest (CD) (Optical Society of America, 2010), JWA27.
26. C. Lin and X. Shen, “Analysis and design of impulse attack free generalized joint transform correlator optical encryption scheme,” Opt. Laser Technol. 44(7), 2032–2036 (2012).
27. J. F. Barrera, C. Vargas, M. Tebaldi, and R. Torroba, “Chosen-plaintext attack on a joint transform correlator encrypting system,” Opt. Commun. 283(20), 3917–3921 (2010).
28. W. Qin, X. Peng, and X. Meng, “Cryptanalysis of optical encryption schemes based on joint transform correlator architecture,” Opt. Eng. 50(2), 028201 (2011).
29. J. F. Barrera, C. Vargas, M. Tebaldi, R. Torroba, and N. Bolognini, “Known-plaintext attack on a joint transform correlator encrypting system,” Opt. Lett. 35(21), 3553–3555 (2010).
30. M. Liao, W. He, X. Peng, X. Liu, and X. Meng, “Cryptanalysis of optical encryption with a reference wave in a joint transform correlator architecture,” Opt. Laser Technol. 45, 763–767 (2013).
31. H. Tang, X. Peng, and J. Tian, “Ciphertext-only attack on double random phase encoding optical encryption system,” Acta Phys. Sin. 56, 2629–2636 (2007).
32. J. R. Fienup, “Phase retrieval algorithms: a comparison,” Appl. Opt. 21(15), 2758–2769 (1982).

1. Introduction

Optical encryption has drawn a lot of attention due to its inherent capability for parallel processing [1]. Since double random phase encoding (DRPE) with a 4-f optical processor was invented by Refregier and Javidi in 1995 [2], many optical cryptographic techniques have been studied extensively, such as the DRPE scheme in the fractional Fourier domain [3], in the Fresnel transform domain [4], and the security-enhanced method [5]. Other optical setups have also been introduced to this research area, such as the joint transform correlator [6] and the interference-based architecture [7–11].

The DRPE-based schemes use two independent random phase masks, regarded as secret keys, to encrypt an image (plaintext) into stationary white noise (ciphertext). For decryption, the DRPE method requires extremely accurate alignment in the optical setup, and needs to generate an extra complex conjugate of the phase mask in order to recover the plaintext. In addition, the ciphertext is a complex function, which is difficult to store and transmit.

To overcome these deficiencies of the DRPE scheme, Nomura and Javidi proposed an alternative approach for optical encryption based on the joint transform correlator (JTC) architecture [6]. In this scheme, the plaintext bonded with a random phase mask is placed side by side with a key code on the input plane, and the outcome of the JTC scheme, a joint power spectrum (JPS), is taken as the ciphertext. It can be stored and transmitted conveniently since it is an intensity distribution. In addition, the JTC scheme does not require accurate optical alignment, and there is no need to create the conjugate of the key code because the decryption procedure can be implemented with exactly the same key code as used in the encryption process. For this reason the JTC scheme has been widely studied and has spawned several variants [12–26].
Recently, researchers have also performed an extensive security assessment of the JTC encryption scheme by adopting various strategies, which can be classified into two categories: the chosen-plaintext attack (CPA) [27, 28] and the known-plaintext attack (KPA) [29, 30]. Both the CPA and the KPA have revealed the weakness of the JTC scheme from different perspectives. Nevertheless, we would like to emphasize that the CPA and the KPA still require too many resources in order to attack the optical encryption scheme based on the JTC scheme. In this paper, we will show how the JTC encryption scheme is vulnerable to the ciphertext-only attack (COA) and how an attacker can retrieve an arbitrary plaintext by using only a ciphertext. As far as we know, this is the first work to cryptanalyze the JTC encryption system with a COA method; the only other similar work in the field of optical cryptanalysis focused on the DRPE system and was reported in 2007 by Tang and Peng et al. [31].

The rest of this paper is organized as follows. In Section 2, we give a brief review of the principle of the JTC-based optical encryption system. Section 3 describes the method of the COA on the JTC encryption system, supported by a series of simulations, and a conclusion is given in Section 4.

2. Overview of the joint transform correlator encryption scheme

The JTC encryption technique was first reported by Nomura and Javidi in 2000 [6], and its encryption and decryption processes are illustrated in Fig. 1. Let $f(x,y)$, $b(x,y)$ and $h(x,y)$ denote the plaintext, random phase mask (RPM) and secret key code, respectively. The plaintext $f(x,y)$ bonded with $b(x,y)$ is placed side by side with $h(x,y)$ on the front focal plane of the Fourier transform lens at coordinates $x = -a$ and $x = a$, respectively. On the back focal plane, the joint power spectrum is recorded as the ciphertext by an intensity detector such as a CCD. The ciphertext is given by Eq. (1).

Fig. 1. Schematic diagrams of optical encryption based on the JTC architecture (a) encryption and (b) decryption.

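$$
\begin{aligned}
E(\xi,\eta) &= \left|\mathrm{FT}[f(x+a,y)\,b(x+a,y) + h(x-a,y)]\right|^{2} \\
&= \left|F(\xi,\eta) * B(\xi,\eta)\right|^{2} + \left|H(\xi,\eta)\right|^{2} \\
&\quad + [F(\xi,\eta) * B(\xi,\eta)]^{*}\, H(\xi,\eta) \exp[-j4\pi a\xi] \\
&\quad + [F(\xi,\eta) * B(\xi,\eta)]\, H^{*}(\xi,\eta) \exp[j4\pi a\xi]
\end{aligned}
\tag{1}
$$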

where FT denotes the Fourier transform, and $F(\xi,\eta)$, $B(\xi,\eta)$ and $H(\xi,\eta)$ denote the Fourier transforms of $f(x,y)$, $b(x,y)$ and $h(x,y)$, respectively. The symbol “*” denotes the convolution operation, and the superscript asterisk “*” denotes complex conjugation. $\gamma$ represents the light blue point set, which is also regarded as the signal domain support in our COA scheme; it is further clarified in Section 3.

For decryption, the secret key code $h(x,y)$ is placed at $x = a$ on the input plane, Fourier transformed, and multiplied by the ciphertext, which is located at the Fourier transform plane as shown in Fig. 1(b). The product is then inverse Fourier transformed to obtain the plaintext. It is important to point out that there are two general choices for the secret key code $h(x,y)$: (a) it is designed to be the inverse Fourier transform of a random phase-only mask, as in [6] by Nomura and Javidi; (b) it is itself a random phase-only mask, as in [24] by Barrera et al. In this contribution, the two versions of the JTC-based cryptosystem are named Scheme A and Scheme B, respectively, and we will demonstrate the weakness of both to our proposed COA method.

3. Cryptanalysis and simulation results

For the COA method, as previously mentioned, an attacker is supposed to have only the ciphertexts, and how to retrieve the corresponding plaintexts becomes the key issue. In the JTC encryption scheme, the ciphertext $E(\xi,\eta)$ is the joint power spectrum of the multiple-input, as shown in Eq. (1). To simplify the following description of our COA scheme, we first calculate the modulus of the Fourier transform of the multiple-input by taking the square root of the ciphertext, which is presumed to be known to the attacker:

$$
\left|\mathrm{FT}[f(x+a,y)\,b(x+a,y) + h(x-a,y)]\right| = \sqrt{E(\xi,\eta)} \tag{2}
$$

The issue to be solved can then be converted to an equivalent problem: given the modulus of the Fourier transform of the multiple-input ($\left|\mathrm{FT}[f(x+a,y)\,b(x+a,y) + h(x-a,y)]\right|$) in the frequency domain, as well as all the architecture parameters of the JTC-based cryptosystem, how does one retrieve $f(x+a,y)$ in the signal domain?
At this point, we recognize that this particular issue is an iterative phase retrieval [32] problem with a single intensity measurement, and we are able to solve it by adopting the hybrid input-output (HIO) algorithm proposed by Fienup [32]. The HIO method mainly consists of five steps:

(1) initialize an estimate of the multiple-input in the object domain; specifically, we arbitrarily generate three different number sequences in the computer, which are then used to construct the first estimates of $f(x,y)$, $b(x,y)$ and $h(x,y)$, respectively;
(2) Fourier transform the estimate in the signal domain;
(3) replace the modulus of the result of step (2) with $\sqrt{E(\xi,\eta)}$, which is regarded as the frequency domain constraint, to form an estimate of the complex amplitude in the frequency domain;
(4) inverse Fourier transform the result of step (3), leading to another complex amplitude in the signal domain;
(5) impose the signal domain support, described in the following paragraph, on the complex amplitude from step (4) to obtain an output, which is then taken as the new input of the next loop.

Then, the modulus of the Fourier transform of the new input is compared with the frequency domain constraint $\sqrt{E(\xi,\eta)}$. If they are similar enough, the iteration is stopped; otherwise, steps (2)-(5) are repeated. The $k$th iteration is illustrated in Fig. 2, and steps (2)-(5) are formulated as follows:

$$
\begin{aligned}
G_k(\xi,\eta) &= \mathrm{FT}\{g_k(x,y)\} = \left|G_k(\xi,\eta)\right| \exp[i\Phi_k(\xi,\eta)] \\
G_k'(\xi,\eta) &= \sqrt{E(\xi,\eta)}\, \exp[i\Phi_k(\xi,\eta)] \\
g_k'(x,y) &= \mathrm{FT}^{-1}\{G_k'(\xi,\eta)\} = \left|g_k'(x,y)\right| \exp[i\varphi_k'(x,y)] \\
g_{k+1}(x,y) &=
\begin{cases}
g_k'(x,y), & (x,y) \notin \gamma \\
g_k(x,y) - \beta g_k'(x,y), & (x,y) \in \gamma
\end{cases}
\end{aligned}
\tag{3}
$$

where $\gamma$ represents the point set at which $g_k'(x,y)$ violates the signal domain support, and $\beta$ is an empirical constant, set to 0.7 in our numerical simulations.

It is worth pointing out that, according to Kerckhoffs’ principle (a fundamental assumption in cryptanalysis), an attacker may know all the details of a cryptosystem, including the algorithms and implementations, except the secret keys. Therefore, in this work, it is reasonable to suppose that all the parameters of the cryptosystem, including the sizes and locations of the plaintext and the key code, are known to the attacker, and these parameters are together regarded as the signal domain support. For the JTC cryptosystem, the parameters of the multiple-input (shown in Figs. 3(b), 3(f), 3(j) and 3(n)) are an inartificial support in the signal domain, so the point set $\gamma$ can be determined directly (also shown in Fig. 1(a)). In this paper, we choose the MSE as the criterion for deciding whether to terminate the iterative process. The MSE is conventionally defined as:

$$
\mathrm{MSE} = \frac{1}{M \times N} \sum_{i=1,\,j=1}^{M,\,N} \left[ g_{k+1}(x_i, y_j) - f(x_i, y_j) \right]^{2} \tag{4}
$$

where $f(x_i, y_j)$ represents the original image and $g_{k+1}(x_i, y_j)$ stands for the estimate after $k + 1$ iterations.

Fig. 2. Flow chart of the kth iteration.
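The HIO loop of Eq. (3) applied to a simulated JTC ciphertext, as an added example (not the authors' Matlab code) for checking a JTC configuration against this analysis. The 64 × 64 input plane, the constructed 16 × 16 binary plaintext, the window positions and all function names are assumptions; because the MSE of Eq. (4) needs the original image, the loop monitors the energy of $g_k'$ outside the support and keeps the iterate where it is smallest, which is a choice made for this example.

```python
import numpy as np

def make_input_plane(f, rng, n=64, scheme="B"):
    """Constructed JTC input plane: f*b in a window at x=-a, key code h at x=+a."""
    m = f.shape[0]
    b = np.exp(2j * np.pi * rng.random((m, m)))      # random phase mask b(x, y)
    mask = np.exp(2j * np.pi * rng.random((m, m)))   # random phase-only mask
    # Scheme A: h is the inverse FT of the mask; Scheme B: h is the mask itself.
    h = np.fft.ifft2(mask, norm="ortho") if scheme == "A" else mask
    r0 = (n - m) // 2
    left, right = n // 4 - m // 2, 3 * n // 4 - m // 2
    win_f = (slice(r0, r0 + m), slice(left, left + m))
    win_h = (slice(r0, r0 + m), slice(right, right + m))
    plane = np.zeros((n, n), dtype=complex)
    plane[win_f], plane[win_h] = f * b, h
    support = np.zeros((n, n), dtype=bool)           # sizes/locations known (Kerckhoffs)
    support[win_f] = support[win_h] = True
    return plane, support, win_f

def jtc_encrypt(plane):
    """Eq. (1): the ciphertext is the joint power spectrum |FT[input]|^2."""
    return np.abs(np.fft.fft2(plane)) ** 2

def hio_attack(E, support, rng, iters=300, beta=0.7):
    """Steps (1)-(5); returns (best estimate, its error, error history)."""
    mod = np.sqrt(E)                                 # Eq. (2): known Fourier modulus
    # Step 1: arbitrary complex start confined to the support.
    g = support * rng.random(E.shape) * np.exp(2j * np.pi * rng.random(E.shape))
    best, best_err, history = None, np.inf, []
    for _ in range(iters):
        G = np.fft.fft2(g)                           # step 2
        Gp = mod * np.exp(1j * np.angle(G))          # step 3: frequency constraint
        gp = np.fft.ifft2(Gp)                        # step 4
        # Fraction of g'_k energy that violates the support (needs no plaintext).
        err = np.linalg.norm(gp[~support]) / np.linalg.norm(gp)
        history.append(err)
        if err < best_err:
            best, best_err = np.where(support, gp, 0), err
        g = np.where(support, gp, g - beta * gp)     # step 5: Eq. (3), last line
    return best, best_err, history

def mse(est, f, win_f):
    """Eq. (4) between the recovered amplitude in the plaintext window and f."""
    return float(np.mean((np.abs(est[win_f]) - f) ** 2))

def demo(seed=0, scheme="B", iters=300):
    rng = np.random.default_rng(seed)
    f = np.zeros((16, 16))                           # constructed binary plaintext ("T")
    f[3:5, 3:13] = 1.0
    f[5:13, 7:9] = 1.0
    plane, support, win_f = make_input_plane(f, rng, scheme=scheme)
    E = jtc_encrypt(plane)
    est, err, hist = hio_attack(E, support, np.random.default_rng(seed + 1), iters)
    return {"plane": plane, "E": E, "support": support, "est": est,
            "err": err, "hist": hist, "mse": mse(est, f, win_f)}

if __name__ == "__main__":
    for s in ("A", "B"):
        r = demo(scheme=s)
        print(f"scheme {s}: support violation {r['err']:.3e}, MSE {r['mse']:.3e}")
```

HIO can stagnate depending on the random start, so the reported MSE varies with the seed; compare several seeds before judging a configuration.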

To verify our approach, we illustrate the COA strategy with numerical simulations in the Matlab 2010a environment. As mentioned in Section 2, the JTC encryption system normally involves two architectures, Scheme A and Scheme B. For each one, we prepare two plaintexts (a gray-scale image and a binary one) to verify the validity of the proposed COA method, and each plaintext (Figs. 3(a), 3(e), 3(i) and 3(m)) has a size of 256 × 256 pixels. According to the characteristics of the JTC architecture, the plaintext and the key code are placed in the input plane (896 × 896 pixels) as shown in Figs. 3(b), 3(f), 3(j) and 3(n). Let us assume that an attacker already knows all the corresponding ciphertexts (Figs. 3(c), 3(g), 3(k) and 3(o)), the image sizes and the locations of the plaintexts in the input plane. By using the presented COA method, one can obtain the retrieved plaintexts, which are shown in Figs. 3(d), 3(h), 3(l) and 3(p). All retrieved images look extremely similar to the original plaintext images, and the corresponding MSE values are $2.3634 \times 10^{-5}$, $3.2553 \times 10^{-5}$, $2.1801 \times 10^{-5}$ and $6.9501 \times 10^{-5}$, respectively.

A COA can be regarded as a successful break if the plaintext has been obtained from its corresponding ciphertext, or even better if the secret key code has also been retrieved. In our proposed method, the plaintexts can be retrieved successfully, as the simulation results show, but this is not true for the RPM $b(x,y)$ and the secret key code $h(x,y)$. Furthermore, to evaluate the performance of the proposed method, we also provide the convergence curve of the retrieved plaintext against the original one. The MSE as a function of the number of iterations for both the gray-scale image (red line) and the binary image (blue line) is shown in Fig. 4.

Fig. 3. The simulation results. (a)-(h) and (i)-(p) are the results of scheme A and scheme B, respectively. Specifically, (a) gray-scale image ‘Lena’, (b) multiple-input corresponding to (a), (c) ciphertext corresponding to (b), (d) retrieved plaintext with COA. (e) Binary image ‘SZU’, (f) multiple-input corresponding to (e), (g) ciphertext corresponding to (f), (h) retrieved plaintext with COA. (i) Gray-scale image ‘Baboon’, (j) multiple-input corresponding to (i), (k) ciphertext corresponding to (j), (l) retrieved plaintext with COA. (m) Binary image ‘Chinese characters’, (n) multiple-input corresponding to (m), (o) ciphertext corresponding to (n), (p) retrieved plaintext with COA.


Fig. 4. The convergence of the (a) scheme A and (b) scheme B for both gray-scale image and binary image, respectively.

In practice, the parameters (the sizes and locations of the plaintext and the key code in the input plane) may be regarded as auxiliary secret keys which are not available to the attacker. For this condition, we offer some considerations: an attacker could use an exhaustive search to find the possible parameters. In fact, there is a very limited number of possible combinations of parameters, because the plaintext and the secret key code must keep an appropriate distance to avoid frequency aliasing in the decryption process. We also find that if the speculated size (used as the signal domain support in the described phase retrieval algorithm) is a little larger than the actual size of the original plaintext, a plaintext can still be observed with an acceptable degradation. The plaintext retrieved using a speculated size (276 × 276 pixels rather than 256 × 256) is shown in Fig. 5. It is worth noting that in this contribution we focus on the original and fundamental work by Nomura and Javidi [6], in which the parameters were not regarded as auxiliary secret keys.

Fig. 5. (a) Binary image ‘SZU’ (256 × 256 pixels), (b) multiple-input (896 × 896 pixels) corresponding to (a), (c) ciphertext (896 × 896 pixels) corresponding to (b), (d) retrieved plaintext (276 × 276 pixels) with COA using a speculated size (276 × 276 pixels) as the signal domain support.

4. Conclusion

In summary, we proposed a COA scheme to evaluate the security strength of optical encryption based on the JTC scheme. The proposed COA strategy converts the COA into a phase retrieval problem with a single intensity measurement, so the HIO iterative phase retrieval technique can be used to solve it. To the best of our knowledge, this should be the first work to attack the JTC encryption system with a COA method. From the point of view of cryptanalysis it is also reasonable to acquire the parameters of the encryption architecture, which are then used to construct the signal domain support. In such a way, a ciphertext of the JTC encryption scheme can be successfully retrieved with sufficient precision. A set of numerical simulation results has demonstrated the feasibility and validity of the proposed method and shows that the JTC encryption scheme is vulnerable to the COA scheme. Moreover, we would also like to point out that the described COA scheme would fail if the plaintext is a phase-only distribution or a phase-only version of a gray-scale image. It is almost impossible to attack such an architecture due to the hardness of retrieving the phase information from a single intensity measurement for the phase retrieval algorithm.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (61171073 and 61307003), the Sino-German Center for Research Promotion (GZ 760) and the China Postdoctoral Science Foundation (2013M540662).
