## A known-plaintext heuristic attack on the Fourier plane encryption algorithm

Optics Express, Vol. 14, Issue 8, pp. 3181-3186 (2006)

http://dx.doi.org/10.1364/OE.14.003181

Acrobat PDF (157 KB)

### Abstract

The Fourier plane encryption algorithm is subjected to a known-plaintext attack. The simulated annealing heuristic algorithm is used to estimate the key, using a known plaintext-ciphertext pair, which decrypts the ciphertext with arbitrarily low error. The strength of the algorithm is tested by using this estimated key to decrypt a different ciphertext which was also encrypted using the same original key. We assume that the plaintext is amplitude-encoded real-valued image, and analyze only the mathematical algorithm rather than a real optical system that can be more secure. The Fourier plane encryption algorithm is found to be susceptible to a known-plaintext heuristic attack.

© 2006 Optical Society of America

## 1. Introduction

1. B. Javidi, ed. *Optical and Digital Techniques for Information Security*, (Springer Verlag, 2005). [CrossRef]

7. E. Tajahuerce and B. Javidi, “Encrypting three-dimensional information with digital holography,” Appl. Opt. **39**, 6595–6601 (2000). [CrossRef]

9. T.J. Naughton and B. Javidi, “Compression of encrypted three-dimensional objects using digital holography,” Opt. Eng. **43**, 2233–2238 (2004). [CrossRef]

10. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. **30**, 1644–1646 (2005). [CrossRef] [PubMed]

2. Ph. Réfrégier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. **20**, 767–769 (1995). [CrossRef] [PubMed]

10. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. **30**, 1644–1646 (2005). [CrossRef] [PubMed]

10. A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. **30**, 1644–1646 (2005). [CrossRef] [PubMed]

13. S. Kirkpatrick, C. D. Gellatt, and M. P. Vecchi, “Optimization by simulated annealing,” Science **220**, 771–680 (1983). [CrossRef]

## 2. Fourier plane encoding algorithm

*f*to a stationary white noise by using two statistically independent random phase codes in the input plane and Fourier plane. The image is multiplied by the first random phase code

*R*

_{1}. A Fourier transform is performed on this product and multiplied by the second random phase code

*R*

_{2}. A second Fourier transform gives the encrypted image. The encoded image

*ψ*can be expressed mathematically as

*X̂*denotes the Fourier transform of X, and ∗ denotes a convolution. The intensity of the approximated input image

*f̃*is decoded as

*R*

_{3}is the SA algorithm’s estimation of the complex conjugate of

*R*

_{2}. If we assume that the input image is real-valued, then we are only interested in ∣

*f*∣ and can effectively ignore

*R*

_{1}. Therefore in our analysis, when we refer to the decryption key we mean mask

*R*

_{2}.

## 3. Known-plaintext attack using SA algorithm

*t*searches would be approximately

*tK*

^{-1}where

*K*is the size of the key space. For an

*N*×

*N*pixel encryption phase mask with

*m*phase levels, the key space is as large as

*K*=

*m*

^{N×N}. If one considers that some fraction

*r*(ε) ∈ [0,1] of the keys could give a decryption with some acceptable error ε, then the probability of finding one of these (estimated) keys increases to

*t*[

*r*(ε)

*K*]

^{-1}for a particular ε. If the attacker finds any one of these estimated keys (s)he would decrypt the ciphertext with some error. The important question, however, is whether or not this estimated decryption key can also be used to decrypt another (unseen) image, encrypted with the same original encryption key. If a single unseen image is decrypted, then one could consider the encryption key as having been broken. If no unseen image can be found that is adequately decrypted, then one could consider the encryption algorithm as having withstood a SA heuristic decryption attack using that particular computing platform for that amount of time.

13. S. Kirkpatrick, C. D. Gellatt, and M. P. Vecchi, “Optimization by simulated annealing,” Science **220**, 771–680 (1983). [CrossRef]

*ψ*(∙) to give an estimated plaintext

*f̃*(∙) such that the normalized root mean squared (NRMS) error is equal to or less than some threshold ε. The NRMS error is calculated as

*I*(∙) = ∣

_{d}*f̃*(∙)∣

^{2}and

*I*(∙) = ∣

*f*(∙)∣

^{2}

**Step 1:**

*R*

_{3}is made by assigning the phase of the Fourier transform of the encrypted image

*ψ*(∙)to every other pixels in both dimensions (i.e. half the number of pixels) [14

14. M. Nieto-Vesperinas, R. Navarro, and J. F. Fuentes, “Performance of a simulated annealing algorithm for phase retrieval,” J. Opt. Soc. Am. A **5**, 30–38 (1988). [CrossRef]

*π*). The step counter

*n*is initialized to zero and the error threshold ε is set to the desired value. The initial temperature

*T*is chosen sufficiently high so that the perturbation probability in Step 4 will be large.

**Step 2:**

*E*is calculated as the NRMS error between the decrypted image and the original plaintext image.

**Step 3:**

*R*

_{3}is randomly selected and perturbed by

*α*where

_{n}π*α*is the scale of perturbation [14

_{n}14. M. Nieto-Vesperinas, R. Navarro, and J. F. Fuentes, “Performance of a simulated annealing algorithm for phase retrieval,” J. Opt. Soc. Am. A **5**, 30–38 (1988). [CrossRef]

*n*step, chosen as [

^{th}*B log*(

*A*+

*E*)/

_{n}*C*]

^{p}where

*E*denotes the cost function calculated at the

_{n}*n*step as in Step 2. The parameters

^{th}*A*,

*B*,

*C*and

*p*will have been fixed at the beginning of the algorithm so that

*α*

_{0}≈ 1.

*p*determines the rate of decrease of α.The new cost function,

*E*, is calculated using the perturbed phase mask.

^{new}**Step 4:**

*E*=

*E*-

^{new}*E*. The newly perturbed mask is accepted if Δ

*E*< 0. Otherwise, the mask is accepted with a probability

*p*(Δ

*E*) = exp(-Δ

*E*/

*T*) where

*T*is the temperature parameter.

**Step 5:**

*T*. The system is considered to have converged if ∣Δ

*E*∣ is less than 5% of the initial value for each iteration.

**Step 6:**

*T*=

*T*

_{0}/(1 +

*n*), and the step number

*n*is incremented.

## 4. Results and discussion

*A*and its encrypted ciphertext

*ψ*, encrypted using the Fourier plane encoding algorithm. The SA algorithm was used to estimate the key that would decrypt

_{A}*ψ*with an error (NRMS error) of 0.1. The estimated key

_{A}*R*

_{3}is used to decrypt a different ciphertext

*ψ*corresponding to a plaintext

_{B}*B*. The NRMS error in the decrypted image is measured. The error in the estimated image

*B*is expected to be greater than that of

*A*. We performed 25 trials each for two cases when image

*A*has 32×32 and 64 × 64 pixels. For each trial we chose a different starting point for the SA algorithm. We used a Dell Optiplex GX280 Intel Pentium 4 CPU 2.8 GHz PC with 504 MB of RAM memory and MATLAB version 7 for our trials. The time taken for the algorithm to converge to an NRMS error of 0.1 in the decrypted image

*A*for 25 trials is shown in Fig. 1. The NRMS error in the decrypted image

*B*for 25 trials is shown in Fig. 2. Images

*A*and

*B*are shown in Fig. 3(a) and Fig. 3(e), respectively.

*B*for these 22 trials is 0.44. However trials 9, 22, and 25 have an average of 144 minutes and their average error is 0.86. When

*A*is a 64 × 64 pixel image, the average time taken in 24 out of 25 trials is 343 minutes. The error in decrypted image

*B*for these 24 trials is 0.4. The time taken for the remaining trails (trial 3 in Figs. 1 and 2) is 560 minutes and the corresponding error for the decrypted image

*B*is 0.87.

*A*and

*B*are shown in Fig. 3(a) and (e), respectively. The real and imaginary parts of the complex-valued encrypted image

*ψ*are shown in Fig. 3(b) and (c), respectively. Figs. 3(f) and (g) show the real and imaginary part of the complex valued encrypted image

_{A}*ψ*. The decrypted image of

_{B}*ψ*with an error of 0.1 is shown in Fig. 3(d) and that of

_{A}*ψ*with an error of 0.4 is shown in Fig. 3(h).

_{B}*ψ*with an error of 0.1. Of these 50 trials, in 46 cases, the key successfully decrypts another unseen encrypted image

_{A}*ψ*with an error of 0.4 [that is still sufficient to read the information, see Fig. 3(h)]. Only in four cases, was the error in decrypting

_{B}*ψ*twice this value (approx. twice as large) and thus we regard these cases as having failed to decrypt. The existence of these four failed cases potentially adds to the security of the Fourier plane encryption technique and poses a problem for any attacker. If an attacker cannot identify such failed cases, since plaintext

_{B}*B*is unseen, (s)he might never to able to tell, given a plaintext-ciphertext pair (

*A*,

*ψ*), whether or not a key that correctly decrypts

_{A}*ψ*has been identified. However, we note that the algorithm also takes much longer to converge in these four cases. This provides a clear indication as to whether a key, which successfully decrypt

_{B}*ψ*, has been found or not. Therefore our proposed use of the SA technique is as follows:

_{B}**Step (a).**

*A*,

*ψ*) and an unseen ciphertext

_{A}*ψ*, run in parallel

_{B}*s*= 3 trials of the SA algorithm.

**Step (b).**

*s*trials converges, accept that key and decrypt

*ψ*.

_{B}*ψ*within 3×343 minutes (given a 64×64 pixel image and our particular computing platform). We have assumed that the probability of a failed case is 4/50 = 0.08, and that our statistical sample of 50 trials in this paper is sufficient to determine this fact. Regardless of the sufficiency of our sample, if the probability of a failed case is less than 0.5 (as it certainly appears to be) running SA for

_{B}*s*> 3 trials and picking the majority answer will increase even further the probability of successfully attacking the Fourier plane encryption algorithm using the known-plaintext SA heuristic attack. We have found that the average time for attack is

*O*(

*n*

^{2}) where ‘n’ is the number of pixels in the plaintext and ciphertext.

## 5. Conclusion

## Acknowledgments

## References and links

1. | B. Javidi, ed. |

2. | Ph. Réfrégier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. |

3. | G. Unnikrishnan, J. Joseph, and K. Singh, “Optical encryption system that uses phase conjugation in a photorefractive crystal,” Appl. Opt. |

4. | O. Matoba and B. Javidi, “Encrypted optical memory system using three-dimensional keys in the Fresnel domain,” Opt. Lett. |

5. | B. Javidi and T. Nomura, “Securing information by use of digital holography,” Opt. Lett. |

6. | P. C. Mogensen and J. Glckstad, “Phase-only optical encryption,” Opt. Lett. |

7. | E. Tajahuerce and B. Javidi, “Encrypting three-dimensional information with digital holography,” Appl. Opt. |

8. | B. M. Hennelly and J. T. Sheridan, “Optical image encryption by random shifting in fractional Fourier domains,” Opt. Lett. |

9. | T.J. Naughton and B. Javidi, “Compression of encrypted three-dimensional objects using digital holography,” Opt. Eng. |

10. | A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, “Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys,” Opt. Lett. |

11. | Y. Frauel, A. Castro, T.J. Naughton, and B. Javidi, “Security analysis of optical encryption,” Proc. SPIE |

12. | W. Stallings, |

13. | S. Kirkpatrick, C. D. Gellatt, and M. P. Vecchi, “Optimization by simulated annealing,” Science |

14. | M. Nieto-Vesperinas, R. Navarro, and J. F. Fuentes, “Performance of a simulated annealing algorithm for phase retrieval,” J. Opt. Soc. Am. A |

**OCIS Codes**

(070.2580) Fourier optics and signal processing : Paraxial wave optics

(070.4560) Fourier optics and signal processing : Data processing by optical means

(200.3050) Optics in computing : Information processing

**ToC Category:**

Fourier Optics and Optical Signal Processing

**History**

Original Manuscript: January 31, 2006

Revised Manuscript: March 31, 2006

Manuscript Accepted: April 3, 2006

Published: April 17, 2006

**Citation**

Unnikrishnan Gopinathan, David S. Monaghan, Thomas J. Naughton, and John T. Sheridan, "A known-plaintext heuristic attack on the Fourier plane encryption algorithm," Opt. Express **14**, 3181-3186 (2006)

http://www.opticsinfobase.org/oe/abstract.cfm?URI=oe-14-8-3181

Sort: Year | Journal | Reset

### References

- B. Javidi, ed. Optical and Digital Techniques for Information Security, (Springer Verlag, 2005). [CrossRef]
- Ph. R´efr ´ egier and B. Javidi, "Optical image encryption based on input plane and Fourier plane random encoding," Opt. Lett. 20, 767-769 (1995). [CrossRef] [PubMed]
- G. Unnikrishnan, J. Joseph, and K. Singh, "Optical encryption system that uses phase conjugation in a photorefractive crystal," Appl. Opt. 37, 8181-8186 (1998). [CrossRef]
- O. Matoba and B. Javidi, "Encrypted optical memory system using three-dimensional keys in the Fresnel domain," Opt. Lett. 24, 762-764 (1999). [CrossRef]
- B. Javidi and T. Nomura, "Securing information by use of digital holography," Opt. Lett. 25, 28-30 (2000). [CrossRef]
- P. C. Mogensen and J. Glckstad, "Phase-only optical encryption," Opt. Lett. 25, 566-568 (2000). [CrossRef]
- E. Tajahuerce and B. Javidi, "Encrypting three-dimensional information with digital holography," Appl. Opt. 39, 6595-6601 (2000). [CrossRef]
- B. M. Hennelly and J. T. Sheridan, "Optical image encryption by random shifting in fractional Fourier domains," Opt. Lett. 28, 269-271 (2003). [CrossRef] [PubMed]
- T.J. Naughton and B. Javidi, "Compression of encrypted three-dimensional objects using digital holography," Opt. Eng. 43, 2233-2238 (2004). [CrossRef]
- A. Carnicer, M. Montes-Usategui, S. Arcos, and I. Juvells, "Vulnerability to chosen-cyphertext attacks of optical encryption schemes based on double random phase keys," Opt. Lett. 30, 1644-1646 (2005). [CrossRef] [PubMed]
- Y. Frauel, A. Castro, T.J. Naughton, and B. Javidi, "Security analysis of optical encryption," Proc. SPIE 5986, 25-34 (2005).
- W. Stallings, Cryptography and Network Security, Third edition, (Prentice Hall, 2004).
- S. Kirkpatrick, C. D. Gellatt and M. P. Vecchi, "Optimization by simulated annealing," Science 220, 771-680 (1983). [CrossRef]
- M. Nieto-Vesperinas, R. Navarro, and J. F. Fuentes, "Performance of a simulated annealing algorithm for phase retrieval," J. Opt. Soc. Am. A 5, 30-38 (1988). [CrossRef]

## Cited By |
Alert me when this paper is cited |

OSA is able to provide readers links to articles that cite this paper by participating in CrossRef's Cited-By Linking service. CrossRef includes content from more than 3000 publishers and societies. In addition to listing OSA journal articles that cite this paper, citing articles from other participating publishers will also be listed.

« Previous Article | Next Article »

OSA is a member of CrossRef.