Optics Communications 285 (2012) 1078–1081
Contents lists available at SciVerse ScienceDirect
Optics Communications
journal homepage: www.elsevier.com/locate/optcom
A special attack on the asymmetric cryptosystem based on phase-truncated
Fourier transforms
Xiaogang Wang a, b, Daomu Zhao a,⁎
a
Department of Physics, Zhejiang University, Hangzhou 310027, China
b
School of Sciences, Zhejiang A & F University, Lin'an, Zhejiang Province 311300, China
a r t i c l e i n f o a b s t r a c t
Article history: We analyze the security of a recently proposed asymmetric cryptosystem that based on the phase-truncated
Received 19 September 2011 Fourier transforms (PTFTs), and describe a specific attack method to break the cryptosystem. This specific
Received in revised form 19 November 2011 attack, which is based on a two-step iterative amplitude retrieval approach and works by using the public
Accepted 1 December 2011
keys and ciphertexts, would allow an attacker to reveal the encrypted information and the decryption keys
Available online 14 December 2011
that generated in the encryption procedure. The numerical simulation results, which are given to show the
Keywords:
effectiveness of the proposed specific attack, imply that some appropriate measurements should be made
Asymmetric cryptosystem to enhance the resistance of the PTFT-based cryptosystem against the specific attack when it is used as a
Attack public-key cryptosystem.
Amplitude retrieval © 2011 Elsevier B.V. All rights reserved.
1. Introduction only it were able to resist various attacks. Therefore, it is no doubt
that making attacks on a new cryptosystem is an important and
In 1995, Refregier and Javidi proposed a double random phase meaningful thing.
encoding (DRPE) technique to transform an input image into a sta- In this paper, we propose a specific attack method that based on a
tionary white noise [1]. Based on their creating research works, two-step iterative amplitude retrieval approach to try to reveal the
a number of subsequent proposals for optical security and encryption encrypted information. Unfortunately, the results show that the cryp-
have been proposed in the past decades [2–11]. In practice, however, tosystem is vulnerable to this attack. In the attack, discussed in this
the DRPE encryption scheme presents some weakness against attacks paper, the two RPMs used for encryption and the ciphertext are
[12–16]. Its main weakness lies in its linearity and the most danger- known by the attacker and the initial random phase codes used in
ous attack only requires two known plain images [16]. Recently, Qin the iteration process are just the two encryption keys, which mean
and Peng have proposed an asymmetric cryptosystem based on the the attack is very special to some extent. That is why we refer to
PTFTs to remove the linearity of DRPE by the nonlinear operation of this as a specific attack, which can lead to an unpredictable decryp-
phase truncation [17]. In the PTFT-based cryptosystem, the two tion. The simulation results also imply that some appropriate mea-
phase distributions in the Fourier plane and output plane are kept surements should be made to enhance the resistance of the PTFT-
as decrypting keys and the keys for encryption will be not used for based cryptosystem against the specific attack when it is used as a
decryption. One of the benefits is that the two encryption keys can public-key cryptosystem. In this following, we will show how the
be used as public keys to encode different images. Since almost all PTFT scheme is vulnerable to the specific attack and how an opponent
reported optical encryption techniques belong to the category of can decrypt the ciphertext.
symmetric cryptosystems, from the perspective of cryptology, the
proposed PTFT-based asymmetric cryptosystem has great practical 2. The asymmetric cryptosystem based on the PTFTs
significance. However, if the encryption keys are used as two public
keys and applied to encode different plaintexts, the cryptosystem In the asymmetric cryptosystem that based on the PTFTs [17], two
will be placed into a more exposed and vulnerable position. As we statistically independent RPMs R(x) and R′(u) are placed at the image
know, a cryptosystem could be described as robust and secure if and Fourier planes, respectively. With the help of the RPM R(x), the
input image I(x) can be transformed into:
g ðuÞ ¼ PT fFT ½I ðxÞRðxÞ�g; ð1Þ
⁎ Corresponding author. Tel.: + 86 57188863887; fax: + 86 571 87951328. where the operators PT{} and FT[] denote the phase truncation and
E-mail address: zhaodaomu@yahoo.com (D. Zhao). Fourier transform, respectively. Note that the phase truncation of
0030-4018/$ – see front matter © 2011 Elsevier B.V. All rights reserved.
doi:10.1016/j.optcom.2011.12.017
� X. Wang, D. Zhao / Optics Communications 285 (2012) 1078–1081 1079
the complex amplitude just leads to amplitude reservation. By using Fourier plane, the amplitude part and phase part of the distribution
the RPM R′(u), the primary image can be encoded into a stationary at the plane that the encoded image locates are written as
white noise which is expressed mathematically as
n h io
′
g k ðuÞ ¼ PT FT E0 ðxÞP k ðxÞ ; ð5Þ
n h io
′
E0 ðxÞ ¼ PT IFT g ðuÞR ðuÞ ; ð2Þ
n h io
′
Ekþ1 ðxÞ ¼ PT IFT g k ðuÞR ðuÞ ; ð6Þ
where the operator IFT[] represents an inverse Fourier transform. In
this method, the decryption keys can be written as
n h io
′ ′
P kþ1 ðxÞ ¼ PR IFT g k ðuÞR ðuÞ ; ð7Þ
P ðuÞ ¼ PRfFT ½IðxÞRðxÞ�g; ð3Þ
where the initial phase code P′0(x) is arbitrarily chosen and the func-
n h io tions E0(x) and R′(u) are used as the constraints in the two planes,
′ ′
P ðxÞ ¼ PR IFT g ðuÞR ðuÞ ; ð4Þ
respectively. The mean square error (MSE), which is used to show
the convergence of the iterative method, can be written as
where the operator PR{} denotes the phase reservation or amplitude
truncation.
In the PTFT-based asymmetric cryptosystem, the main objective is
� � 1 X M X N � �
�E ði; jÞ−E ði; jÞ�2 ;
MSE Ekþ1 ; E0 ¼ ð8Þ
to break the linearity of conventional systems, and decryption keys M � N i¼1 j¼1 kþ1 0
that generated in the encryption process are directly related to the
plaintext and encryption keys. Thus, it should be mentioned that
where the less the value of MSE, the more precise the recovered sig-
the cryptosystem is valuable when different phase-only masks are
nal. Suppose that we obtain an approximate amplitude distribution g′
applied for different plaintexts during each encryption operation.
(u) = gm(u) after the number of iterations m. Thus, the approximate
However, the cryptosystem will be placed into a more exposed and
decryption key of P′(x) can be written as P′m + 1(x).
vulnerable position if the encryption keys are treated as two public
Obviously, the next step is to obtain the decrypted image I′(x) by
keys and used to encode different images. That is to say, the security
using the g′(u) and R(x) in the same way. Similarly, in the kth
strength of the system should be taken more seriously when the
(k = 0,1,2,3, …) iteration, we have
PTFT-based cryptosystem is treated as a public-key system.
n h io
′
Ik ðxÞ ¼ PT IFT g 0 ðuÞP k ðuÞ ; ð9Þ
3. A specific attack on the cryptosystem based on the PTFTs
′
The attack process can be completed by a two-step approach g kþ1 ðuÞ ¼ PT fFT ½Ik ðxÞRðxÞ�g; ð10Þ
which can be described as follows: the first step is to access g′(u)
which is an estimate of g(u) by using R′(u) and the ciphertext E0(x), P kþ1 ðuÞ ¼ PRfFT ½Ik ðxÞRðxÞ�g; ð11Þ
and the second step is to achieve an estimate of primary image by
using g′(u) and R(x). In the following, we will explain the two steps where g′0(u) = g′(u) and the initial phase code P0(u) is arbitrarily
in detail. chosen. The functions g′0(u) and R(x) are used as the constraints in
An iteration process is used to achieve the aim of the first step. In the two planes, respectively. The MSE between g′k + 1(u) and g′(u)
the kth(k = 0,1,2,3, …) iteration, the amplitude distribution at the is used to show the convergence of the iterative method. Suppose
Fig. 1. (a) Plaintext; the phase distributions of (b) R(x), (c) R′(u), (d) P(u), and (e) P′(x); (f) ciphertext.
�1080 X. Wang, D. Zhao / Optics Communications 285 (2012) 1078–1081
Fig. 5. (a) Plaintext, (b) ciphertext and the recovered image with the iterations of (c)100,
and (d) 1200.
Fig. 2. The relation between the iteration times and (a) the MSE (between Em(x) and E0 Fig. 1(a), is taken as the input image. The two public keys R(x) and R′(u)
(x)) in the first step, (b) the MSE (between In(x) and I(x)) in the second step. with the sizes of 256 × 256 pixels are shown in Fig. 1(b) and Fig. 1(c)
respectively. Fig. 1(d)–(e) shows the two decryption keys generated
the iteration number in the iteration process is set to n. We will ob- in the encryption procedure. In the first step of our attack, the RPM R
tain the decrypted image I′(x) = In(x) and an approximate decryption (x) is used as the initial phase code. The ciphertext that produced by
key of P(u) that denoted by Pn + 1(u). the PTFT-based asymmetric cryptosystem can be shown in Fig. 1(f).
The MSE between Em(x) (m = 1,2,3, …) and the original ciphertext
4. Numerical simulations and discussion E0(x) is shown in Fig. 2(a). The iteration number m in the first step
is 300 with the corresponding MSE of 4.388 × 10 − 6. Now we use the
Numerical simulations have been performed to test the effective- retrieved amplitude distribution g300(u) and the public key R(x) to
ness of the proposed attack technique by using two types of normalized obtain the decryption image In(x). Fig. 2(b) illustrates the MSE be-
images. A gray-scale image with a size of 256 × 256 pixels, as shown in tween the recovered image In(x) and the primary image. The different
Fig. 3. Attack results corresponding to the iteration times of (a) 2, (b) 35, and (c) 100.
Fig. 4. (a) Rm + 1(x), (b)R′n + 1(u). (c) The recovered image with the keys Rm + 1(x) and R′n + 1(u).
� X. Wang, D. Zhao / Optics Communications 285 (2012) 1078–1081 1081
as shown in Fig. 2(b). The result shows that the two different types
of images have different error cumulative effects or error propaga-
tions in the second step.
5. Conclusions
In conclusion, we have demonstrated that the PTFT-based asym-
metric cryptosystem is vulnerable to a specific attack, which is
based on a two-step iterative amplitude retrieval approach. In this
attack, the public keys are used as the initial random phase codes dur-
ing the iteration process. We tested the approach by decrypting a
gray-scale image Lena and a binary image that encoded with the
same two public keys. The effectiveness of the proposed specific
attack has been demonstrated by the simulation results. However, it
does not imply that the proposed cryptosystem does not work even
if it is found to be vulnerable to a certain attack; it means that a
new process to eliminate this vulnerability must be generated [18].
Undoubtedly, the simplest solution is to keep the encryption keys as
private keys or apply different phase keys for different plaintexts dur-
ing the encryption to avoid known public key attack, as well as our
proposed specific attack [19–22]. Additionally, the recovered ampli-
tude in the first step will lead to fewer erroneous results than that
of recovered plaintext in the second step. Therefore, the recovered
plaintext by using the proposed attack algorithm would be much
noiselike when more cycles are applied in the cryptosystem. Besides
the above-mentioned typical methods, an improvement over the
asymmetric cryptosystem may be taken by relocating the amplitude
Fig. 6. The relation between the MSE and iteration times in (a) the first step and (b) the
values in the output plane. That will be our research content in next
second step.
works.
Acknowledgment
features between Fig. 2(a) and Fig. 2(b) lie in the fact that the recov-
ered amplitude g′(u) in the first step leads to fewer erroneous results This work was supported by the Zhejiang Provincial Natural
than that of recovered plaintext in the second step. In other words, Science Foundation of China (R1090168), the National Natural
the estimate of g(u) would be more close to its true values while Science Foundation of China (NSFC) (11074219 and 10874150), the
the recovered plaintext I′(x) would have contained more errors Excellent Young Teacher Item Fund of Zhejiang Education Depart-
than that of the estimate g(u) due to the error propagations. It can ment (Z. J. Edu. GKC (2010) No.175) and the Program for Innovative
also be shown from Fig. 2(b) that the MSE reaches its minimum Research Team of Young Teachers in Zhejiang A & F University
when the iteration number is about 30 in the second step. After the (2009RC01).
iteration number of 30, a bigger iteration number does not mean a
better quality of recovery. Decryption results with different iteration References
numbers in the second step are shown in Fig. 3(a)–(c). The corre-
sponding MSEs between Fig. 3(a)–(c) and the primary image are [1] P. Refregier, B. Javidi, Optics Letters 20 (1995) 767.
0.0508, 0.0328 and 0.0350, respectively. The two approximate de- [2] G. Unnikrishnan, J. Joseph, K. Singh, Optics Letters 25 (2000) 887.
[3] B. Zhu, S. Liu, Q. Ran, Optics Letters 25 (2000) 1159.
cryption keys in the simulation (m = 300,n = 40) are shown in Fig. 4 [4] S. Liu, Q. Mi, B. Zhu, Optics Letters 26 (2001) 1242.
(a)–(b). Fig. 4(c) shows the recovered image by using the two keys. [5] H. Chang, W. Lu, C. Kuo, Applied Optics 41 (2002) 4825.
A binary image as shown in Fig. 5(a) is taken as another numerical [6] G. Lin, H. Chang, W. Lai, C. Chuang, Optical Engineering 42 (2003) 2331.
[7] B. Hennelly, J.T. Sheridan, Optics Communication 226 (2003) 61.
example for testing our approach. Fig. 5(b) illustrates the encrypted [8] G. Situ, J. Zhang, Optics Letters 29 (2004) 1584.
result with the same keys R(x) and R′(u). The recovered results [9] N.K. Nishchal, J. Joseph, K. Singh, Optics Communication 235 (2004) 253.
with different numbers of iterations in the second step are shown in [10] R. Tao, Y. Xin, Y. Wang, Optics Express 15 (2007) 16067.
[11] A. Alfalou, C. Brosseau, Advances in Optics and Photonics 1 (2009) 589.
Fig. 5(c)–(d). Note that the number of iterations in the first step is [12] A. Carnicer, M. Montes-Usategui, S. Arcos, I. Juvells, Optics Letters 30 (2005) 1644.
300. It can be seen that the gray-scale image has much stronger [13] X. Peng, P. Zhang, H. Wei, B. Yu, Optics Letters 31 (2006) 1044.
noise immunity than does the binary image. Although the quality of [14] U. Gopinathan, D.S. Monaghan, T.J. Naughton, J.T. Sheridan, Optics Express 14
(2006) 3181.
the decoded result is poor for a binary image, enough information is [15] G. Situ, U. Gopinathan, D.S. Monaghan, J.T. Sheridan, Applied Optics 46 (2007)
still provided for plaintext recognition. Theoretically, RPMs that dif- 5257.
ferent from the public keys can also be applied in the first attack [16] Y. Frauel, A. Castro, T.J. Naughton, B. Javidi, Optics Express 15 (2007) 10253.
[17] W. Qin, X. Peng, Optics Letters 35 (2010) 118.
step, but lots of simulation results, in practice, have indicated that
[18] J.F. Barrera, C. Vargas, M. Tebaldi, N. Bolognini, R. Torroba, Optics Communication
the final decryption images have too much noise to recognize. It 283 (2010) 3917.
means that initial phase codes applied in the iteration process must [19] X. Wang, D. Zhao, Optics Communication 284 (2011) 148.
be relevant to the ciphertext in an effective attack. The MSE between [20] W. Chen, X. Chen, Journal of Optics 13 (2011) 075404.
[21] W. Qin, X. Peng, X. Meng, B. Gao, Optical Engineering 50 (2011) 080501.
the recovered image and the input image is illustrated in Fig. 6, where [22] X. Wang, D. Zhao, Optics Communication 284 (2011) 4441.
the MSE value in the second step doesn't increase after 30 iterations
