Diffractive-imaging-based optical image encryption with simplified decryption from single diffraction pattern

Yi Qin,* Zhipeng Wang, and Qiong Gong

College of Physics and Electronic Engineering, Nanyang Normal University, Nanyang 473061, China

*Corresponding author: [email protected]

Received 24 April 2014; revised 14 May 2014; accepted 16 May 2014; posted 20 May 2014 (Doc. ID 210640); published 23 June 2014

In this paper, we propose a novel method for image encryption by employing the diffraction imaging technique. This method is in principle suitable for most diffractive-imaging-based optical encryption schemes, and a typical diffractive imaging architecture using three random phase masks in the Fresnel domain is taken as an example to illustrate it. The encryption process is rather simple because only a single diffraction intensity pattern needs to be recorded, and the decryption procedure is also correspondingly simplified. To achieve this goal, redundant data are digitally appended to the primary image before a standard encrypting procedure. The redundant data serve as a partial input plane support constraint in a phase retrieval algorithm, which is employed for completely retrieving the plaintext. Simulation results are presented to verify the validity of the proposed approach.

© 2014 Optical Society of America

OCIS codes: (060.4785) Optical security and encryption; (070.0070) Fourier optics and signal processing.

http://dx.doi.org/10.1364/AO.53.004094

1. Introduction

Over the past decades, various optical information-processing methods have been developed for image security applications [1–7]. One of the most widespread techniques, double random phase encryption (DRPE), transforms the primary image into stationary white noise by using two statistically independent random phase masks, one bonded with the primary image and another placed in the Fourier plane [8]. Owing to its remarkable advantages, such as a huge key space and robustness against brute-force attack, the DRPE method was later extended to the Fresnel domain [9] and the fractional Fourier domain [10]. However, the method has been found to be vulnerable to known-plaintext [11], chosen-plaintext [12], and chosen-ciphertext [13] attacks, and so on.

APPLIED OPTICS / Vol. 53, No. 19 / 1 July 2014

Moreover, the ciphertext is complex-valued and must always be recorded with holographic methods, which demand high stability of the encryption architecture. More recently, to enhance cryptosystem security and avoid the holographic architecture, beam-propagation-based optical imaging techniques have been introduced for image encryption. For instance, a method for optical image encryption based on diffractive imaging was proposed by Chen et al. [14], and some derivatives of it were developed afterward [15,16]. In addition, Shi et al. applied ptychography to optically encrypt a complex-amplitude image [17]. The main merit of these methods is that the optical setup is simplified by avoiding the interferometric optical path, and the system security is also enhanced since only the intensity of the encrypted complex field is preserved. Another feature these approaches share is that phase retrieval algorithms, which iterate between real and reciprocal spaces, are necessary for image decryption. To enhance the convergence rate and mitigate stagnation problems during phase retrieval, particular illuminations [15] or movements of optical elements [14] are required for encryption; therefore at least three intensity images must be recorded to complete the decryption process. We believe it would be more attractive and efficient if the encryption procedure could be further simplified. In this regard, we propose here what is, to the best of our knowledge, a novel approach for image encryption, which is based on diffractive imaging and which enables one to retrieve the primary image from a single intensity pattern with a novel phase retrieval algorithm. Unlike the above methods, the problems of convergence rate and stagnation are resolved by employing a special constraint in the input plane rather than the currently available means. The special constraint is the redundant data, which are added to the primary image in advance through simple digital means. Compared with previous methods, both the encryption and decryption processes are greatly simplified; however, the proposal cannot be claimed to offer higher security because of its relatively small key space.

The rest of this paper is organized as follows. The encryption and decryption principle is described in Section 2. The simulation results together with discussions are presented in Section 3, and a brief conclusion is drawn in Section 4.

2. Theoretical Analysis

To illustrate the proposed method, a typical diffractive imaging architecture using three random phase masks in the Fresnel domain, as shown in Fig. 1, is employed [16]. In principle, the proposal can be applied to most current optical encryption systems based on diffractive imaging, so we take this architecture only as an example. A collimated plane wave is generated to illuminate an input image (i.e., plaintext), and the diffraction intensity pattern is recorded by a CCD camera. M1, M2, and M3 denote statistically independent phase-only masks randomly distributed in a range of [0, 2π]. For convenience, the symbols (x, y), (η, ξ), (p, q), and (μ, ν) are used to denote the coordinates of the input image, M2, M3, and the CCD plane, respectively. In the Fresnel approximation, the complex-valued wavefront just before the phase-only mask M2 is expressed as [9]

Fig. 1. Schematic optical setup for the proposed optical security system. U, plaintext; M, phase only mask; CCD, charge-coupled device.

$$U(\eta,\xi)=\frac{\exp(j2\pi d_1/\lambda)}{j\lambda d_1}\iint U(x,y)\,M_1(x,y)\,\exp\{j\pi[(x-\eta)^2+(y-\xi)^2]/(\lambda d_1)\}\,dx\,dy, \tag{1}$$

where $U(x,y)$ is the input image, and λ denotes the light wavelength. For brevity, Eq. (1) is rewritten in the form of

$$U(\eta,\xi)=\mathrm{FrT}_{\lambda}[U(x,y)M_1(x,y);\,d_1]. \tag{2}$$

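Therefore the intensity map recorded in the CCD plane can be described by [16]

$$I(\mu,\nu)=\left|\mathrm{FrT}_{\lambda}\!\left[\mathrm{FrT}_{\lambda}\{\mathrm{FrT}_{\lambda}[U(x,y)M_1(x,y);\,d_1]\times M_2(\eta,\xi);\,d_2\}\,M_3(p,q);\,d_3\right]\right|^{2}, \tag{3}$$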

where |·| denotes a modulus operation. $I(\mu,\nu)$ is saved as the ciphertext. Compared with previous works, the encryption procedure is complete once $I(\mu,\nu)$ is recorded and can therefore be claimed to be simplified. However, the decryption is not so straightforward, since an iterative phase retrieval algorithm is still required. Before describing the decryption principle, it is useful to recall some previous works that originate from the diffractive imaging techniques [14–17]. In these works, phase retrieval algorithms are employed to extract the plaintext from several diffraction patterns. However, if two ciphertexts or fewer are used for plaintext reconstruction, the iterative phase retrieval algorithm encounters stagnation problems, and the plaintext is hence retrieved with severe noise, since the ciphertexts do not contain sufficient useful information for plaintext retrieval [16,18]. We therefore propose to append some redundant data to the primary image before the standard encrypting procedure; these data then serve as the partial support constraint in the plaintext plane (i.e., input plane) during the decryption process. As a consequence, the phase retrieval algorithm is expected to converge to a satisfactory point. In general, there are many ways of appending the redundant data, and the most straightforward one is illustrated in Fig. 2. Figure 2(a) shows the original image, which has a size of 256 × 256 pixels. Figure 2(b) shows the original image with the redundant data (300 × 300 pixels), which is treated as the plaintext and will be put into

Fig. 2. (a) Original image. (b) Original image with redundant data. (c) Support constraint formed by the redundant data.

the cryptosystem for encryption. The values of the redundant data are zeros, represented by the dark area of Fig. 2(b). The support constraint formed by the redundant data is given in Fig. 2(c), in which the white area denotes ones while the dark area denotes zeros. To facilitate the discussion, a parameter ρ is introduced to describe the redundant data quantitatively; it is defined as

$$\rho=\frac{\text{Quantity of the redundant data (pixels)}}{\text{Quantity of the original image (pixels)}}. \tag{4}$$

By simple calculation, we have ρ = 0.37 for Fig. 2(b). It should be highlighted that the redundant data together with the three phase-only masks should be saved as the secret keys for the retrieval of the primary image. Since the redundant data are completely irrelevant to the original image, their storage and transmission will be safe. Keeping this in mind, our algorithm for retrieving the plaintext can be described as follows. Let n denote the iteration number. First, assume an initial random or constant real-valued distribution $T^{n}(x,y)$, $n=1$, for the plaintext, and then propagate it forward to the CCD plane [16]:

$$U^{n}(\mu,\nu)=\mathrm{FrT}_{\lambda}\!\left[\mathrm{FrT}_{\lambda}\{\mathrm{FrT}_{\lambda}[T^{n}(x,y)M_1(x,y);\,d_1]\times M_2(\eta,\xi);\,d_2\}\,M_3(p,q);\,d_3\right]. \tag{5}$$

Subsequently, a support constraint with the intensity pattern $I(\mu,\nu)$ is employed to update the real part of the obtained complex amplitude, and we have [16]

$$U^{n}(\mu,\nu)=[I(\mu,\nu)]^{1/2}\,U^{n}(\mu,\nu)/|U^{n}(\mu,\nu)|. \tag{6}$$

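Thereafter this new complex amplitude is propagated back to the input plane, and the intensity of the input plane can be expressed as [16]

$$T^{n}(x,y)=\left|\mathrm{FrT}_{\lambda}\!\left[\mathrm{FrT}_{\lambda}\{\mathrm{FrT}_{\lambda}[U^{n}(\mu,\nu);\,-d_3]\times M_3^{*}(p,q);\,-d_2\}\,M_2^{*}(\eta,\xi);\,-d_1\right]\right|^{2}, \tag{7}$$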

where the superscript * denotes the complex conjugate. Then we construct a new estimated plaintext by combining the support constraint and the intensity estimation indicated by Eq. (7), which is given by

$$T^{n+1}(x,y)=\mathrm{RD}(x,y;\rho)\,T^{n}(x,y), \tag{8}$$

where $\mathrm{RD}(x,y;\rho)$ stands for the support constraint with the parameter ρ. One iteration is completed when Eq. (8) is conducted. Then we judge whether the iterative process should proceed by calculating the iterative error between $T^{n+1}(x,y)$ and $T^{n}(x,y)$, which can be expressed by [16]

$$\mathrm{Error}=\sum\left[|T^{n}(x,y)|-|T^{n+1}(x,y)|\right]^{2}. \tag{9}$$

If the iterative error is larger than a preset threshold (δ), the iterative process goes on, and $T^{n+1}(x,y)$ is employed as a new estimate to substitute $T^{n}(x,y)$ in Eq. (5). Otherwise, the iteration stops. Once the iteration process is terminated, $T^{n+1}(x,y)$ is considered as the decrypted plaintext, and the redundant data are removed to obtain the retrieved primary image $U_r(x,y)$. The correlation coefficient (CC) is further adopted to evaluate the similarity between the primary image $U_o(x,y)$ and the retrieved primary image,

$$\mathrm{CC}=\frac{E\{[U_o-E(U_o)][U_r-E(U_r)]\}}{\sqrt{E\{[U_o-E(U_o)]^{2}\}\,E\{[U_r-E(U_r)]^{2}\}}}, \tag{10}$$

where E is the expectation value. The coordinates are omitted here for brevity.

3. Numerical Results and Discussion

Computer simulations are performed to verify the validity of the proposed technique. The gray-scale image comprising 256 × 256 pixels, as shown in Fig. 2(a), is chosen as the primary image to be encoded. The primary image with redundant data is shown in Fig. 2(b), which corresponds to ρ = 0.37. The redundant data of the primary image, which are used for the partial input plane support constraint, are shown in Fig. 2(c). The axial distances are set as d1 = d2 = d3 = 100 mm. The threshold δ in the iterative retrieval algorithm is predefined as 0.0001. Figures 3(a)–3(c) show the phase-only masks M1, M2, and M3, which are randomly distributed in [0, 2π]. The diffraction intensity pattern (i.e., ciphertext) recorded by the CCD camera is presented in Fig. 3(d). In practical applications, the ciphertext and the phase-only masks should be transmitted via different communication channels to achieve high security, and both of them can be further compressed [5] to reduce the burden of transmission. The decrypted plaintext is shown in Fig. 4(a), and the retrieved primary image after removing the redundant data from the decrypted plaintext is shown in Fig. 4(b), for which the CC value is 1. Hence it can be concluded that the original image is completely retrieved. To illustrate the iterative process, the relationship between the number of iterations and iterative errors (on a logarithmic scale) is presented in Fig. 4(c). It can be seen from Fig. 4(c) that there are only 165 iterations before the iterative error reaches 0.0001; thus it can be concluded that the proposed method has a rapid convergence rate.
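As an added example (not the authors' code), the encryption of Eq. (3) and the retrieval loop of Eqs. (5)–(9) with a zero-border support constraint can be written in standard-library Python for small constructed grids. Assumptions made here: the wavelength and pixel pitch (not given on the page), the zeros placed as a border around the image, FrT implemented as a unitary Fresnel transfer function with the constant phase factor dropped, and the input-plane estimate taken as the modulus of the back-propagated field so that a non-negative plaintext is a fixed point of the iteration.

```python
import cmath, math, random
WL, PITCH = 632.8e-9, 10e-6  # assumed wavelength and pixel pitch in metres (not from the page)

def dft2(a, sign):
    """Unitary 2-D DFT of a square grid (sign=-1 forward, +1 inverse)."""
    n = len(a)
    w = [[cmath.exp(sign * 2j * math.pi * j * k / n) / math.sqrt(n)
          for k in range(n)] for j in range(n)]
    rows = [[sum(w[k][x] * r[x] for x in range(n)) for k in range(n)] for r in a]
    return [[sum(w[k][y] * rows[y][c] for y in range(n)) for c in range(n)]
            for k in range(n)]

def frt(u, d):
    """FrT[u; d] as a Fresnel transfer function; frt(., -d) is its exact inverse."""
    n = len(u)
    f = [(k if k < n / 2 else k - n) / (n * PITCH) for k in range(n)]
    s = dft2(u, -1)
    s = [[s[r][c] * cmath.exp(-1j * math.pi * WL * d * (f[r] ** 2 + f[c] ** 2))
          for c in range(n)] for r in range(n)]
    return dft2(s, +1)

def mul(a, b):
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def make_masks(n, seed):
    rng = random.Random(seed)  # constructed keys: M1, M2, M3 with phases in [0, 2*pi)
    return [[[cmath.exp(2j * math.pi * rng.random()) for _ in range(n)]
             for _ in range(n)] for _ in range(3)]

def pad(img, b):
    """Add a b-pixel border of zeros: returns (plaintext, support RD, rho of Eq. (4))."""
    m, n = len(img), len(img) + 2 * b
    rd = [[float(b <= r < b + m and b <= c < b + m) for c in range(n)] for r in range(n)]
    plain = [[img[r - b][c - b] if rd[r][c] else 0.0 for c in range(n)] for r in range(n)]
    return plain, rd, (n * n - m * m) / (m * m)

def forward(t, masks, d):  # input plane to CCD plane, Eqs. (3) and (5)
    for m, dist in zip(masks, d):
        t = frt(mul(t, m), dist)
    return t

def encrypt(plain, masks, d):
    return [[abs(z) ** 2 for z in row] for row in forward(plain, masks, d)]

def step(t, intensity, rd, masks, d):
    """One iteration of Eqs. (5)-(9): returns (next estimate, iterative error)."""
    u = forward(t, masks, d)
    u = [[math.sqrt(i) * z / abs(z) if z else 0j for i, z in zip(ri, rz)]
         for ri, rz in zip(intensity, u)]                          # Eq. (6)
    u = frt(u, -d[2])                                              # Eq. (7)
    for m, dist in ((masks[2], d[1]), (masks[1], d[0])):
        u = frt(mul(u, [[z.conjugate() for z in r] for r in m]), -dist)
    new = [[s * abs(z) for s, z in zip(rs, rz)] for rs, rz in zip(rd, u)]      # Eq. (8)
    err = sum((p - q) ** 2 for rp, rq in zip(t, new) for p, q in zip(rp, rq))  # Eq. (9)
    return new, err

def decrypt(intensity, rd, masks, d, delta=1e-4, max_iter=2000):  # -> (estimate, iterations)
    t, err, n = [[1.0] * len(rd) for _ in rd], math.inf, 0        # constant initial guess
    while err > delta and n < max_iter:
        t, err = step(t, intensity, rd, masks, d)
        n += 1
    return t, n

def cc(a, b):  # correlation coefficient of Eq. (10)
    x, y = ([v for row in g for v in row] for g in (a, b))
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y))
    return cov / math.sqrt(sum((p - mx) ** 2 for p in x) * sum((q - my) ** 2 for q in y))
```

`decrypt` stops once the Eq. (9) error drops to δ or after `max_iter` iterations; slice the zero border off its output before computing `cc` against the original image.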

Fig. 3. Phase-only masks: (a) M1, (b) M2, and (c) M3. (d) Diffraction intensity pattern recorded by CCD camera.

Fig. 4. (a) Decrypted plaintext. (b) Retrieved primary image after removing the redundant data from (a). (c) Corresponding relationship between the number of iterations and iterative errors.

The performance of the security keys (i.e., the phase-only masks) is also analyzed during image decryption. Figure 5(a) shows the decrypted image after 2000 iterations when only the phase-only mask M1 is incorrect; no useful information about the primary image can be observed from it. The CC value for it is −0.005. The behavior of the CC value versus iteration number is also investigated and is shown in Fig. 5(b). The performances of M2 and M3 are similar to that of M1, and the charts describing them are omitted for the sake of brevity. During image decryption, the wavelength and the axial distances d1 and d2 can be considered as additional keys. When the wavelength has a deviation of 10 um from the original one during decryption, the retrieved image after 2000 iterations is shown in Fig. 6(a), for which the CC value is 0.0015. The dependence of CC on the iteration number is shown in Fig. 6(b). Similarly, the sensitivity of the decrypted results with respect to the error of the axial distance d1 is also studied. Figure 6(c) shows the decrypted image after 2000 iterations when there is a distance error of 1 mm in d1, for which the CC value is 0.0067. In this case, the dependence of CC on the iteration number is shown in Fig. 6(d). For the sake of brevity, the performance of d2 is not analyzed here. It can be seen in Figs. 6(a)–6(d) that a correctly decrypted image will not be obtained when any one of the additional security keys is incorrect. During data storage or transmission, the ciphertext may be contaminated or partially lost. Keeping this in mind, we first test the robustness of the proposed method against occlusion attack. Figures 7(a) and 7(d) show the occluded ciphertexts with 6.5% and 13% content losses, respectively. Figures 7(b)

Fig. 5. Decrypted image (a) after 2000 iterations by using wrong M1. (b) Corresponding dependence of CC on iteration number.

Fig. 6. Decrypted images after 2000 iterations by using (a) wrong wavelength and (c) wrong d1, and the dependences of CC on iteration number [(b) and (d)] corresponding to (a) and (c).

and 7(e) show the corresponding decrypted images obtained after 2000 iterations using all correct keys, for which the CC values are 0.5348 and 0.4069. The behavior of the CC values versus iteration number in these cases is shown in Figs. 7(c) and 7(f). It can be seen from Figs. 7(a)–7(f) that this proposal is not very robust against occlusion attacks, so the ciphertext should be carefully protected from possible occlusions. To test the reconstruction of the primary images in the presence of noise, the ciphertext is assumed to be contaminated by additive white noise that is randomly distributed in [0, α], where α is a positive number. The contaminated images are shown in Figs. 8(a) and 8(d) when α takes the value of 0.01 and 0.1, and

Fig. 7. (a) 6.5% occluded ciphertext; the decrypted image (b) obtained after 2000 iterations and the dependence of CC on iteration number corresponding to (a); (d) 13% occluded ciphertext; decrypted image (e) obtained after 2000 iterations and the dependence of CC on iteration number corresponding to (d).

Fig. 8. Noise robustness tests. Contaminated images [(a), (d)], decryption results [(b), (e)], and the correlation outputs [(c), (f)] for verification with white noise distributed within [0, α]. (a), (b), (c) α = 0.01; (d), (e), (f) α = 0.1.

the decoded images after 2000 iterations are shown in Figs. 8(b) and 8(e), for which the CC values are 0.9991 and 0.8894. The corresponding relationships between CC and the iteration number are depicted in Figs. 8(c) and 8(f); therefore it is safe to say the method is also highly robust against noise attack. Equivalent results are expected for input multiplicative noise. It follows from the principle of the proposal that the parameter ρ, which determines the quantity of redundant data used for the input plane support constraint, plays an important role in the decryption procedure. It can be inferred that a larger ρ will lead to a better convergence rate. Figure 9 shows the relationship between CC and the iteration number when ρ takes the values of 0.20, 0.37, and 0.56, for which 449, 154, and 87 iterations are needed before the CCs reach 1. Therefore the prediction has been fully supported. One might wish ρ to be as large as possible for a better convergence rate. However, increasing ρ increases the sizes of the ciphertext as well as of the phase-only masks; as a result, data storage and transmission are further burdened. Thus the value of ρ should be carefully chosen for different actual applications. Additionally, it is important to compare the proposal with some previous works. The main advantage of the proposed method resides in

Fig. 9. Relationship between CC and iteration number when ρ takes different values.

the fact that it has extremely simplified the encryption and decryption procedures. However, some consequent drawbacks are also obvious in comparison with the multiple-exposure approaches [14–16]. First of all, as can be seen from Figs. 7 and 8, the algorithm convergence cannot be highly guaranteed under ciphertext contaminations; therefore multiple recordings can be more suitable when high-level ciphertext contaminations become potential risks [19]. Second, the changes of the optical architecture in the multiple-exposure approaches, such as the lateral translation of the phase mask [14], produce additional secret keys and hence generate a huge key space. By contrast, our method cannot be claimed to offer higher security because of its relatively small key space. Third, the proposed method requires appending data to the primary image before a standard encrypting procedure; thus the encryption efficiency would be reduced to some extent.

4. Conclusion

In summary, this paper presents a novel diffractive-imaging-based approach for conducting image encryption. Different from some previous works [14–17], the ciphertext of the proposal is a single diffraction intensity pattern that can be directly registered by a CCD camera; thus the encryption procedure is extremely simplified. To retrieve the plaintext, we developed a novel phase retrieval algorithm using redundant data of the primary image as a partial support constraint in the input plane. The feasibility and effectiveness of the proposal have been demonstrated by numerical experiments.

This study was supported by the Excellent Young Teacher Fund of Nanyang Normal University (QN2014016, QN2014017).

References

1. B. Javidi and J. L. Horner, “Optical pattern recognition for validation and security verification,” Opt. Eng. 33, 1752–1756 (1994).
2. S. Liu, C. Guo, and J. T. Sheridan, “A review of optical image encryption techniques,” Opt. Laser Technol. 57, 327–342 (2014).
3. T. Nomura and B. Javidi, “Optical encryption using a joint transform correlator architecture,” Opt. Eng. 39, 2031–2035 (2000).
4. Y. Zhang and B. Wang, “Optical image encryption based on interference,” Opt. Lett. 33, 2443–2445 (2008).
5. A. Alfalou and C. Brosseau, “Optical image compression and encryption methods,” Adv. Opt. Photon. 1, 589–636 (2009).
6. W. Qin and X. Peng, “Asymmetric cryptosystem based on phase-truncated Fourier transforms,” Opt. Lett. 35, 118–120 (2010).
7. H. E. Hwang, H. T. Chang, and W. N. Lie, “Fast double-phase retrieval in Fresnel domain using modified Gerchberg-Saxton algorithm for lensless optical security systems,” Opt. Express 17, 13700–13710 (2009).
8. P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20, 767–769 (1995).
9. G. Situ and J. Zhang, “Double random-phase encoding in the Fresnel domain,” Opt. Lett. 29, 1584–1586 (2004).
10. G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption by double-random phase encoding in the fractional Fourier domain,” Opt. Lett. 25, 887–889 (2000).
11. X. Peng, P. Zhang, H. Wei, and B. Yu, “Known-plaintext attack on optical encryption based on double random phase keys,” Opt. Lett. 31, 1044–1046 (2006).
12. X. Peng, H. Wei, and P. Zhang, “Chosen-plaintext attack on lensless double-random phase encoding in the Fresnel domain,” Opt. Lett. 31, 3261–3263 (2006).
13. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-ciphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. 30, 1644–1646 (2005).
14. W. Chen, X. Chen, and C. J. R. Sheppard, “Optical image encryption based on diffractive imaging,” Opt. Lett. 35, 3817–3819 (2010).
15. W. Chen, X. Chen, and C. J. R. Sheppard, “Optical double-image cryptography based on diffractive imaging with a laterally translated phase grating,” Appl. Opt. 50, 5750–5757 (2011).
16. W. Chen, X. Chen, A. Anand, and B. Javidi, “Optical encryption using multiple intensity samplings in the axial domain,” J. Opt. Soc. Am. A 30, 806–812 (2013).
17. Y. Shi, T. Li, Y. Wang, Q. Gao, S. Zhang, and H. Li, “Optical image encryption via ptychography,” Opt. Lett. 38, 1425–1427 (2013).
18. R. P. Yu and D. M. Paganin, “Blind phase retrieval for aberrated linear shift-invariant imaging systems,” New J. Phys. 12, 073040 (2010).
19. W. Chen, B. Javidi, and X. Chen, “Advances in optical security systems,” Adv. Opt. Photon. 6, 120–155 (2014).
