## 1.

## Introduction

With the rapid popularity of computer networks, images as an effective carrier of information have been widely used in various fields of modern society and image encryption issues have become an important field for information security. Since Refregier and Javidi^{1} proposed the classical optical double-random phase encoding (DRPE) technique, many optical encryption and authentication systems in Fourier transform (FT), Fresnel transform (FrT), fractional Fourier transform (FrFT), and gyrator transform (GT) domains have been proposed during the past decades.^{2}3.4.5.6.7.8.9.10.^{–}^{11} Moreover, Alfalou and Brosseau^{12} pointed out that these techniques can be used for compression operations simultaneously. Though most reported optical encryption techniques based on DRPE have the excellent parallel and multidimensional capability of signal processing, it should be pointed out that these schemes belong to the category of symmetric cryptosystems, where the keys in the encryption process are used for decryption. Some research investigations indicate that these schemes are vulnerable to the conventional attacks because of the inherently linear property of mathematical or optical transformation.^{13}14.^{–}^{15} In order to resist these attacks, Qin and Peng^{16} proposed an asymmetric encryption based on the phase-truncated Fourier transform (PTFT), where the decryption keys are different from the encryption keys and the linearity of the cryptosystem is broken by using the nonlinear operation of phase truncation.

Recently, multiple-image encryption based on multiplexing techniques has received increasing attention in the field of information security since Situ and Zhang^{17} proposed the multiple-image encryption approaches using wavelength and position multiplexing with Gaussian low-pass filtering. Alfalou and Mansour^{18} proposed an encryption scheme which is divided into two security layers, and target images are multiplexed and simultaneous encoded by using the iterative Fourier transformations in the first layer. In subsequent work, Alfalou et al.^{19} implemented simultaneous fusion, compression, and encryption of multiple images based on the discrete cosine transform. Wang and Zhao^{20} proposed a fully phase image encryption based on superposition principle and hologram, where a real-valued original image is encoded into a phase-only function (POF). Deng and Zhao^{21} suggested a multiple-image encryption by using a phase retrieval algorithm and intermodulation in the Fourier domain, which avoids the cross-talk of decrypted images. Hwang et al.^{22} proposed a multiple-image encryption and multiplexing approach based on a modified Gerchberg–Saxton algorithm (MGSA) in the FrT domain, which reduces the cross-talks significantly. Chang et al.^{23}^{,}^{24} also suggested the position multiplexing encryption using cascaded phase-only masks based on the MGSA.

As a special case, double-image encryption also has attracted much attention in optical cryptosystem. Li and Wang^{25} proposed a double-image encryption algorithm based on phase-retrieval technique and GT, where two images can be simultaneously encrypted into a single one as the amplitudes of gyrator. Liu et al.^{26} encrypted two original images into the real part and imaginary part of a complex function, respectively, which are exchanged randomly by using a random binary encoding data generated by chaotic map. Wang and Zhao^{27} suggested an asymmetric algorithm to encrypt two covert images into an overt image based on phase retrieval and PTFT, in which the encryption keys are different from those in decryption process. However, Wang and Zhao^{28} designed a specific attack by using a two-step iterative amplitude-retrieval approach according to PTFT-based cryptosystems. With this attack, the encrypted information would be revealed when the encryption keys are used as public keys. Subsequently, Wang and Zhao^{29} suggested another asymmetric double-image encryption, which has a high level of robustness against this attack. Li and Wang^{30} proposed a double-image encryption based on discrete fractional random transform and chaotic maps, which can raise the efficiency when encrypting, storing, or transmitting. Zhang and Xiao^{31} designed a double-optical images encryption using discrete Chirikov standard map and chaos-based discrete fractional random transform, where Chirikov standard map is utilized to scramble the pixel positions and intensity values, respectively.

In this article, a double-image encryption scheme is proposed based on an asymmetric technique, in which the encryption and decryption processes are different and the encryption keys are not identical to the decryption ones. The encryption process can be performed digitally, in which the POFs of two plain images are obtained by using the iterative phase retrieval algorithm, and the interim-encrypted matrices generated with POFs are modulated into a complex image with the convolution operation in FrFT domain. Finally, the complex image is transformed to the real-value ciphertext with stationary white-noise distribution. The decryption process can be implemented optically and only two decryption keys produced in the encryption process are used as phase masks, which is convenient and efficient by using the classical DRPE system. Simulation results and security analysis verify that the proposed double-image encryption has a high level of robustness against brute-force attack, known plaintext attack and specific attack.

The rest of this article is organized as follows. In Sec. 2, the basic principles and the processed of encryption and decryption are introduced in detail. In Sec. 3, numerical simulation results and security analysis are given. Finally, the conclusion is given in Sec. 4.

## 2.

## Encryption and Decryption Process

## 2.1.

### Phase-Retrieval Algorithm Based on Iterative FrFT

The Gerchberg–Saxton algorithm (GSA) is a powerful tool which is used in image encryption cryptosystems, which is usually employed to encode plaintext into a POF in the Fourier domain. Though it is sufficient to retrieve the phase function with the FTs back and forth between the object and the Fourier domains, it suffers from some drawbacks such as slow convergence speed in practical applications. In order to solve this problem, a POF-retrieval algorithm shown in Fig. 1 is implemented in Ref. 32.

The FrFT at order $\alpha $ of a two-dimensional function $f({x}_{i},{y}_{i})$ can be expressed as

## (1)

$$f({x}_{o},{y}_{o})={F}^{\alpha}[{f}_{i}({x}_{i},{y}_{i})]({x}_{o},{y}_{o})={\iint}_{-\infty}^{+\infty}K({x}_{i},{y}_{i};{x}_{o},{y}_{o})f({x}_{i},{y}_{i})\mathrm{d}{x}_{i}\mathrm{d}{y}_{i},$$## (2)

$$K({x}_{i},{y}_{i};{x}_{o},{y}_{o})={A}_{\varphi}\mathrm{exp}\{i\pi [({x}_{i}^{2}+{y}_{i}^{2}+{x}_{o}^{2}+{y}_{o}^{2})\mathrm{cot}\text{\hspace{0.17em}}{\varphi}_{\alpha}\phantom{\rule{0ex}{0ex}}-2({x}_{i}{x}_{o}+{y}_{i}{y}_{o})\mathrm{csc}\text{\hspace{0.17em}}{\varphi}_{\alpha}]\},$$## (3)

$${A}_{\varphi}=\frac{\mathrm{exp}[-i\pi \text{\hspace{0.17em}}\mathrm{sgn}(\mathrm{sin}\text{\hspace{0.17em}}{\varphi}_{\alpha})/2+i{\varphi}_{\alpha}]}{|\mathrm{sin}\text{\hspace{0.17em}}{\varphi}_{\alpha}|}.$$The ${A}_{\varphi}$ is a trivial phase parameter and ${\varphi}_{\alpha}=\alpha \pi /2$ is the transform angle. The FrFT is linear and has the property that it is index additive

In addition, the FrFT satisfies the Parseval energy conservation theorem

## (5)

$${\iint}_{-\infty}^{+\infty}{|{F}^{\alpha}[f({x}_{i},{y}_{i})]|}^{2}\mathrm{d}{x}_{0}\mathrm{d}{y}_{0}={\iint}_{-\infty}^{+\infty}{|f({x}_{i},{y}_{i})|}^{2}\mathrm{d}{x}_{i}\mathrm{d}{y}_{i}.$$The POF-retrieval algorithm is based on the iterative FrFT process between two grayscale images proposed firstly in Ref. 33. Images $f$ and $g$ are placed at the input and output planes, respectively, between which are three phase masks placed in three continuous FrFT planes. Let the function $h$ denotes an interim-encrypted image and ${\alpha}_{1}$, ${\alpha}_{2}$, ${\beta}_{1}$, ${\beta}_{2}$ denote two different groups of fractional orders. Giving five-phase functions, which are distributed in the interval $[0,2\pi ]$ and denoted by ${\varphi}_{1}$, ${\varphi}_{2}$, ${\xi}_{1}$, ${\xi}_{2}$ and $\psi $, respectively, the relationship between the images and phase functions is expressed as

## (6)

$$h\text{\hspace{0.17em}}\mathrm{exp}(j\psi )={F}^{{\alpha}_{2}}\{{F}^{{\alpha}_{1}}[f\text{\hspace{0.17em}}\mathrm{exp}(j{\varphi}_{1})]\mathrm{exp}(j{\varphi}_{2})\}={F}^{{\beta}_{2}}\{{F}^{{\beta}_{1}}[g\text{\hspace{0.17em}}\mathrm{exp}(j{\xi}_{1})]\mathrm{exp}(j{\xi}_{2})\},$$## (7)

$${F}^{-{\beta}_{1}}({F}^{{\alpha}_{2}-{\beta}_{2}}\{{F}^{{\alpha}_{1}}[f\mathrm{exp}(j{\varphi}_{1})]\mathrm{exp}(j{\varphi}_{2})\}\mathrm{exp}(-j{\xi}_{2}))=g\text{\hspace{0.17em}}\mathrm{exp}(j{\xi}_{1}).$$According to Eq. (7), the phase functions ${\varphi}_{1}$, ${\varphi}_{2}$, ${\xi}_{1}$ and ${\xi}_{2}$ are obtained with the iterative process, which consists of a number of cycling iterations. Suppose that in the $k$’th iteration the phase distributions ${\varphi}_{1}^{k}$, ${\varphi}_{2}^{k}$, ${\xi}_{2}^{k}$ are known, then the output-complex image ${\widehat{g}}^{k}$ is expressed as

## (8)

$${\widehat{g}}^{k}={F}^{-{\beta}_{1}}({F}^{{\alpha}_{2}-{\beta}_{2}}\{{F}^{{\alpha}_{1}}[f\text{\hspace{0.17em}}\mathrm{exp}(j{\varphi}_{1}^{k})]\mathrm{exp}(j{\varphi}_{2}^{k})\}\mathrm{exp}(-j{\xi}_{2}^{k})).$$Its phase and amplitude are expressed as follows

## (9)

$${\xi}_{1}^{k}=\mathrm{arg}\{{\widehat{g}}^{k}\},\phantom{\rule[-0.0ex]{2em}{0.0ex}}{g}^{k}=|{\widehat{g}}^{k}|.$$Substituting the phase function ${\xi}_{1}^{k}$ into Eq. (6), the phase functions ${\xi}_{2}^{k+1}$, ${\varphi}_{2}^{k+1}$, ${\varphi}_{1}^{k+1}$ in next iteration are updated by

## (10)

$${\xi}_{2}^{k+1}=\mathrm{arg}\left(\frac{{F}^{{\alpha}_{2}-{\beta}_{2}}\{{F}^{{\alpha}_{1}}[f\text{\hspace{0.17em}}\mathrm{exp}(j{\varphi}_{1}^{k})]\mathrm{exp}(j{\varphi}_{2}^{k})\}}{{F}^{{\beta}_{1}}[g\text{\hspace{0.17em}}\mathrm{exp}(j{\xi}_{1}^{k})]}\right),$$## (11)

$${\varphi}_{2}^{k+1}=\mathrm{arg}\left(\frac{{F}^{{\beta}_{2}-{\alpha}_{2}}\{{F}^{{\beta}_{1}}[g\text{\hspace{0.17em}}\mathrm{exp}(j{\xi}_{1}^{k})]\mathrm{exp}(j{\xi}_{2}^{k+1})\}}{{F}^{{\alpha}_{1}}[f\text{\hspace{0.17em}}\mathrm{exp}(j{\varphi}_{1}^{k})]}\right),$$## (12)

$${\varphi}_{1}^{k+1}=\mathrm{arg}[{F}^{-{\alpha}_{1}}({F}^{{\beta}_{2}-{\alpha}_{2}}\{{F}^{{\beta}_{1}}[g\text{\hspace{0.17em}}\mathrm{exp}(j{\xi}_{1}^{k})]\phantom{\rule{0ex}{0ex}}\mathrm{exp}(j{\xi}_{2}^{k+1})\}\mathrm{exp}(-j{\varphi}_{2}^{k+1}))].$$In order to decide whether the iteration stops, the correlation coefficient (CC) or the mean square error (MSE) between the iterated image and the original one is used as convergent criterion. These criterions are expressed as

## (13)

$$\mathrm{CC}=\frac{E\{[g-E(g)][{g}^{k}-E({g}^{k})]\}}{\sqrt{E\{{[g-E(g)]}^{2}\}}\sqrt{E\{{[{g}^{k}-E({g}^{k})]}^{2}\}}},$$## (15)

$${\varphi}_{1}={\varphi}_{1}^{K},\phantom{\rule[-0.0ex]{1em}{0.0ex}}{\varphi}_{2}={\varphi}_{2}^{K},\phantom{\rule[-0.0ex]{1em}{0.0ex}}{\xi}_{1}={\xi}_{1}^{K-1},\phantom{\rule[-0.0ex]{1em}{0.0ex}}{\xi}_{2}={\xi}_{2}^{K}.$$In Fig. 1, $f({x}_{i},{y}_{i})$ and $g({x}_{o},{y}_{o})$ denote the input and output image, respectively. In order to compute the POF of the image $f({x}_{i},{y}_{i})$, $g({x}_{o},{y}_{o})$ is constrained to unity amplitude [$g({x}_{o},{y}_{o})=1$]. When the convergent criterion between $f({x}_{i},{y}_{i})$ and its approximation $\widehat{f}({x}_{i},{y}_{i})$ is reached, the resultant pure phase functions ${\varphi}_{1}({x}_{i},{y}_{i})$ and ${\xi}_{1}({x}_{o},{y}_{o})$ are obtained, respectively, where the function ${\xi}_{1}({x}_{o},{y}_{o})$ is finally used as the POF of image $f({x}_{i},{y}_{i})$. At the beginning of the iterative process, the initial phase masks ${\varphi}_{1}^{0}$, ${\varphi}_{2}^{0}$, ${\xi}_{2}^{0}$ are generated randomly.

## 2.2.

### Encryption and Decryption Processes

The proposed double-image encryption is based on the iterative phase-retrieval algorithm, which belongs to the category of asymmetric cryptosystem. The encryption process is shown in Fig. 2. Let ${f}_{i}(i=1,2)$ denote two original plaintext images to be encoded, the encryption process is described as follows:

• Given a three initial random phase function ${\varphi}_{1}^{0}$, ${\varphi}_{2}^{0}$, ${\xi}_{2}^{0}$, the iterative phase-retrieval process is performed on the image ${f}_{i}$ in the POF-retrieval module. First, the relationship between ${f}_{i}$ and the unity amplitude image $g$ is built by using Eq. (6), and then the iterative phase-retrieval process is performed by using Eqs. (10)–(12). The convergent criterion is set to a MSE threshold. When the MSE between ${f}_{i}$ and its approximation ${\widehat{f}}_{i}$ is lower than the threshold, the iteration process ends and the optimized phase functions ${\varphi}_{i,1}$, ${\varphi}_{i,2}$, ${\xi}_{i,1}$, and ${\xi}_{i,2}$ are obtained by using Eq. (15). In this process, the fractional orders ${\alpha}_{1}$, ${\alpha}_{2}$ are used for the plaintext image ${f}_{i}$ and ${\beta}_{1}$, ${\beta}_{2}$ for the unity amplitude image $g$. In addition, the phase function ${\varphi}_{i,2}$ will be used as the decryption key.

• In the interim image generation module, a complex matrix is produced by using the unity amplitude image $g$ and two corresponding phase functions ${\xi}_{i,1}$, ${\xi}_{i,2}$, which is expressed as

• In the phase modulation, two matrices ${H}_{i}$ are combined into one complex matrix $H$ by using convolution and the combined matrix $H$ can be written as

where the symbol * denotes the convolution operation.• The combined matrix $H$ is transformed to $\widehat{H}$ by using the FrFT with the fractional order ${\alpha}_{3}$, which is expressed as

In the same time, the amplitude of $\widehat{H}$ is extracted as the real-value ciphertext ${C}_{\text{final}}$ by using following equation

## (19)

$${C}_{\text{final}}=|\widehat{H}|=|{F}^{{\alpha}_{3}}\{[{h}_{1}\text{\hspace{0.17em}}\mathrm{exp}(j{\psi}_{1})]*[{h}_{2}\text{\hspace{0.17em}}\mathrm{exp}(j{\psi}_{2})]\}|.$$Additionally, a decryption key ${\varphi}_{i,d}$ is generated as following:

## (20)

$${\varphi}_{i,d}=\mathrm{arg}[\mathrm{exp}(j\text{\hspace{0.17em}}\mathrm{arg}\{{F}^{{\alpha}_{3}}[{h}_{i}\text{\hspace{0.17em}}\mathrm{exp}(j{\psi}_{i})]\})\frac{|{F}^{{\alpha}_{3}}[{h}_{i}\text{\hspace{0.17em}}\mathrm{exp}(j{\psi}_{i})]|}{|H|}],$$The decryption process is depicted in Fig. 3, which is different from the encryption process and much simple. It should be paid attention to the following main steps

• When decrypting the plaintext image ${f}_{i}$, the complex matrix ${\widehat{H}}_{i}$ is first generated by multiplying the ciphertext ${C}_{\text{final}}$ with the phase function $\mathrm{exp}(j{\varphi}_{i,d})$ produced with the corresponding decryption key ${\varphi}_{i,d}$.

• The complex matrix ${\widehat{H}}_{i}$ is transformed to ${H}_{i}$ by using the inverse FrFT with the fractional order $-({\alpha}_{2}+{\alpha}_{3})$, and then ${h}_{i}$ is generated by multiplying ${H}_{i}$ with the phase matrix $\mathrm{exp}(-j{\varphi}_{i,2})$ produced with another corresponding decryption key ${\varphi}_{i,2}$.

• The complex matrix ${h}_{i}$ is transformed to ${\widehat{h}}_{i}$ by using the inverse FrFT with the fractional order $-{\alpha}_{1}$, and then the amplitude of the matrix ${\widehat{h}}_{i}$ is extracted as the decrypted image ${f}_{i}$, which is expressed as

From above description of the encryption and decryption processes, one can see that only three random phase functions denoted by ${\varphi}_{1}^{0}$, ${\varphi}_{2}^{0}$, and ${\xi}_{2}^{0}$ is used as the encryption keys, which have no relationship with decryption. Simultaneously, the phase functions ${\varphi}_{i,2}$ and ${\varphi}_{i,d}$ produced in the encryption process are used as the decryption keys according to each decrypted image ${f}_{i}$, which are directly related to the original plaintext images. Apparently, the keys for decryption are different from those for encryption, which means the entire cryptosystem is asymmetric. As we all know, some cryptosystems are vulnerable to the conventional attacks such as known plaintext attack and chosen plaintext attack because of the linearity and symmetry existed in these encryption schemes.^{13}14.^{–}^{15} The proposed asymmetric double-image encryption scheme can break the linearity of the cryptosystem and has high resistance against to these conventional attacks. In addition, the decryption keys ${\varphi}_{i,2}$ and ${\varphi}_{i,d}$ can be assigned to different valid users in order to enhance the security, in which each original plaintext image ${f}_{i}$ can be decrypted if all two phase masks $\mathrm{exp}(j{\varphi}_{i,d})$ and $\mathrm{exp}(-j{\varphi}_{i,2})$ are correctly placed in the verification system.

The proposed asymmetric double-image encryption scheme can be implemented with an electro-optical hybrid setup. It is worth noting that although the encryption process and the formation of decryption keys are complicated and can be realized digitally with the help of computer, the decryption process is much simple and can be implemented with some optoelectronic devices. A simple optical setup is depicted in Fig. 4, which is based on the $4f$ imaging system similar to DRPE. When decrypting the image ${f}_{i}$, the phase masks PM1 and PM2 are only placed with the phase masks $\mathrm{exp}(j{\varphi}_{i,d})$ and $\mathrm{exp}(-j{\varphi}_{i,2})$, respectively. Obviously, the decryption process is convenient and efficient.

## 3.

## Numerical Simulation and Security Analysis

Numerical simulations have been performed to verify the feasibility and effectiveness of the proposed asymmetric double-image encryption scheme. Two grayscale images “Zelda” and “Baboon” with $256\times 256\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{pixels}$ and 256 Gy levels, which are shown in Figs. 5(a) and 5(b), are used for encryption. The related fractional orders are set as ${\alpha}_{1}=0.2$, ${\alpha}_{2}={\alpha}_{1}+0.4$, ${\beta}_{1}={\alpha}_{1}+0.3$, ${\beta}_{2}={\alpha}_{2}+0.1$, and ${\alpha}_{3}={\alpha}_{1}+0.1$. The ciphertext image encrypted by using three random phase functions as encryption keys is shown in Fig. 5(c), which looks like white noise. The decryption keys generated in the encryption process and used for the correct decrypted image “Zelda” are shown in Figs. 6(a) and 6(b), whereas the keys for image “Peppers” are shown in Figs. 6(c) and 6(d). The corresponding decrypted images with the correct decryption keys are shown in Figs. 6(e) and 6(f).

## 3.1.

### Brute-Force Attack Analysis

The robustness against the brute-force attack is tested, in which an invalid user attempts to retrieve the original images with two possible ways, namely decode plaintext with (1) no keys, (2) two arbitrarily selected phase functions from the encryption keys. Figures 7(a) and 7(b) display the decrypted results by using no keys and arbitrarily selected phase functions, from which an invalid user cannot obtain any useful information. So, the proposed asymmetric has powerful ability to resist the brute-force attack.

## 3.2.

### Potential Attack Analysis

Usually, there are four conventional potential attacks, such as cipher-only attack, known plaintext attack, chosen plaintext attack, and chosen ciphertext attack, in which chosen plaintext attack is the most powerful attack. If a cryptosystem can resist chosen plaintext attack, it can resist other attacks. According to the proposed asymmetric double-image encryption, an illegal user can use the same encryption keys ${\varphi}_{1}^{0}$, ${\varphi}_{2}^{0}$, and ${\xi}_{2}^{0}$ to encrypt two fake plaintext images and obtain the phase functions ${\varphi}_{i,2}$, ${\varphi}_{i,d}$ to decrypt the original ciphertext in order to retrieve the corresponding plaintext ${f}_{i}$. Supposing images “Lena” and “Baboon” shown in Figs. 8(a) and 8(b) are chosen as fake plaintext images, the phase functions ${\varphi}_{i,2}$ and ${\varphi}_{i,d}$ are obtained in the encryption process and used to decrypt the original ciphertext of “Zelda” and “Peppers”. Figures 8(c) and 8(d) display the decrypted images of “Zelda” and “Peppers,” respectively. As it is seen from Figs. 8(c) and 8(d), the retrieved images provide no valuable information on the content of “Zelda” and “Peppers” though the fake plaintexts themselves can be seen faintly.

Similar to the ciphertext-only attack proposed in Ref. 26, the phase-retrieval algorithm shown in Fig. 9 is introduced into the decryption process as a test. Supposing the invalid user has known the phase function ${\varphi}_{i,d}$, he can recover the function ${\varphi}_{i,2}$ by use of FrFT. Thus, the original images ${f}_{i}$ can be decrypted by using Eq. (21). Initially, the phase function ${\varphi}_{i,2}^{0}$ is generated randomly. The process is simulated with 300 iterations. The decryption results are displayed in Fig. 10. Figure 10(a) shows that the values of the MSE curves are large, which means the phase function ${\varphi}_{i,2}$ cannot be retrieved. Figures 10(b) and 10(c) show the decrypted image “Zelda” and “Peppers,” respectively, which are noise-like images. The results have demonstrated that the proposed encryption scheme has high security under the ciphertext-only attack.

## 3.3.

### Occlusion Attack Analysis

The robustness against occlusion attack is analyzed. When considering the robustness against occlusion, the decryption process should be performed on the ciphertext of “Zelda” and “Peppers” with all correct decryption keys, in which the ciphertext image is occluded partly. Figure 11(a) shows the occluded ciphertext whose pixel values at the left-top corner are replaced with 0 in simulation, namely the ciphertext is cropped by 50% in the left side. Figures 11(b) and 11(c) display the corresponding recovered images from Fig. 11(a). Figure 12(a) shows the occluded ciphertext whose left-side pixel values are replaced with 0, and Figs. 12(b) and 12(c) display the recovered. Apparently, the main information of the original images can be recognized visually from the decrypted ones. Similar results can be obtained when the ciphertext is cropped by 50% or 100% in the right side. So, the proposed asymmetric double-image encryption has high robustness against occlusion attack.

## 3.4.

### Noise Attack Analysis

When considering the robustness against noise, a Gaussian random noise is added to the ciphertext of “Zelda” and “Peppers,” in which the noise interferes with the ciphertext image in the following way:

where $C$ and ${C}^{\prime}$ are the original ciphertext and the noise-affected ciphertext image, respectively, $k$ is a coefficient which denotes the noise strength, and $G$ is a Gaussian random noise with zero-mean and identity standard deviation. Figure 13 shows the decrypted images of “Zelda” when $k$ is set to 0.2, 0.4, 0.6, 0.8, and 1.0. Similar results can be obtained for image “Peppers.” From Fig. 13, it is obvious that the content of the decrypted images can be recognized despite of noise interference, and the proposed encryption scheme has high robustness against noise attack.## 3.5.

### Statistical Analysis

The contribution of fractional orders on the security of the proposed double-image encryption is researched. Figure 14 shows the relationship between MSE and the deviation of the fractional order ${\alpha}_{1}$. When ${\alpha}_{1}$ is correct, the MSE value between the original image “Zelda” with its decrypted one approximates to zero. When ${\alpha}_{1}$ slightly departs from the correct value, the MSE value sharply increases. Similar result is obtained according to image “Peppers.” In practical, if the deviation of the order ${\alpha}_{1}$ is larger than 0.006, the content of decryption images cannot be recognized totally. Figures 15(a) and 15(b) show the decrypted images “Zelda” and “Peppers,” respectively, while the deviation of the order ${\alpha}_{1}$ equals 0.006.

In order to test the correlations of adjacent pixels, the 2000 pairs of adjacent pixels are randomly selected in vertical, horizontal, and diagonal directions from the plaintext images “Zelda” and “Peppers” as well as from the ciphertext, and then the CCs of two adjacent pixels is calculated as follows:

## (23)

$$\mathrm{Cor}=\frac{\sum _{i=1}^{N}({x}_{i}-\overline{x})({y}_{i}-\overline{y})}{\sqrt{[\sum _{i=1}^{N}{({x}_{i}-\overline{x})}^{2}][\sum _{i=1}^{N}{({y}_{i}-\overline{y})}^{2}]}},$$## Table 1

Correlation results in the plaintext images and ciphertext.

Correlation coefficient | Plaintext image | Encrypted image | |
---|---|---|---|

Zelda | Peppers | Ciphertext | |

Horizontal direction | 0.9689 | 0.9677 | 0.0228 |

Vertical direction | 0.9842 | 0.9753 | 0.0211 |

Diagonal direction | 0.9528 | 0.9453 | 0.0400 |

Figure 16 displays the histograms of the ciphertext of two groups of original images, namely “Zelda” and “Peppers” shown in Figs. 5(a) and 5(b), “Lena” and “Baboon” shown in Figs. 8(a) and 8(b). Obviously, it can be concluded that the different original images have consistent statistical properties because the distributions of the histograms are similar. Thus, the histograms of ciphertext cannot provide any useful information for the invalid user to perform this kind of statistical analysis attack.

Similar to the analysis process proposed in Ref. 34, the key spaces of the phase function ${\varphi}_{i,2}$, ${\varphi}_{i,d}$ as the decryption keys are analyzed, respectively. When decrypting the image “Zelda,” the phase function ${\varphi}_{1,d}$ is considered to fluctuate in certain range, namely there is a pseudo-key ${\varphi}_{1,d}^{\prime}$ satisfying the following relation:

## (24)

$$\mathrm{exp}(j{\varphi}_{1,d}^{\prime})=\mathrm{exp}(j{\varphi}_{1,d})+\mathrm{exp}(jd\mathrm{\Delta}\varphi ),$$## 3.6.

### Specific Attack Analysis

The proposed asymmetric double-image encryption scheme has inherent immunity to the specific attack proposed in Ref. 28. The encryption process of the asymmetric cryptosystem based on PTFT proposed in Ref. 16 is shown in Fig. 18, in which an image $f(x)$ is encrypted to the ciphertext ${E}_{o}(x)$ by using following equations:

where $R(x)$ and ${R}^{\prime}(u)$ are two random phase functions as encryption keys. The decryption keys $P(u)$ and ${P}^{\prime}(x)$ are generated in the encryption process by following equations: where $\mathrm{PT}(\xb7)$ and $\mathrm{PR}(\xb7)$ denote the phase truncation and phase reservation operator, respectively. According to Fig. 18, the specific attack is divided into two steps.^{28}The first step is used to retrieve estimations of $g(u)$ and decryption by ${P}^{\prime}(x)$ using ${R}^{\prime}(u)$ and ${E}_{o}(x)$ with an iteration process, which is expressed as where the phase function ${P}_{0}^{\prime}(x)$ is arbitrarily chosen. The second step is to obtain the decrypted image $f(x)$ and decryption $P(u)$ by using the estimation of $g(u)$ and $R(x)$ with another iteration process, which is expressed as where the initial phase function ${g}_{0}(u)$ is the estimation of $g(u)$ in first step.

From above description of the specific attack, the encryption keys ${R}^{\prime}(u)$ and $R(x)$ is very important, which is used to retrieve the decryption keys ${P}^{\prime}(x)$ and $P(u)$ in two steps, respectively. The encryption mechanism of the proposed asymmetric scheme is different from the PTFT-based cryptosystem, where three random encryption keys ${\varphi}_{1}^{0}$, ${\varphi}_{2}^{0}$, and ${\xi}_{2}^{0}$ are only used for the POF retrieve of the plain image ${f}_{i}$. In addition, the generation of the decryption key ${\varphi}_{i,d}$ has no relation to these encryption keys. So, the encryption keys cannot afford any information to recover the decryption keys and plaintext images.

## 4.

## Conclusion

In conclusion, a double-image encryption scheme based on asymmetric technique is proposed, in which the encryption and decryption processes are different and the decryption keys are not identical to the encryption ones. Three random phase functions are employed as encryption keys and used to retrieve the POFs of plain images based on the iterative phase retrieval process. Meanwhile, two interim-encrypted images generated with the corresponding phase functions are combined into a complex matrix, which is transformed to the real-value ciphertext with stationary white noise distribution. Owing to applications of the asymmetric technique, the fundamental drawbacks resulted from the linearity can be avoided and therefore high robustness against existing attacks can be achieved. A set of numerical simulations have illustrated the feasibility and effectiveness of the proposed encryption scheme.

## Acknowledgments

This work was supported by Foundation of Shaanxi Education Department of Shaanxi Province under grant 11JK1032, Xi’an Science and Technology Bureau under grant CXY1120-1, the National Natural Science Foundation of China under grant number 61302135 and 61272284.

## References

## Biography

**Liansheng Sui** received his PhD degree in 2003, and now he is an associate professor at the School of Computer Science and Engineering, Xi’an University of Technology, China. His research interests include optics communications, image analysis, and pattern recognition.

**Haiwei Lu** received her BS degree in 2012, and now she is an MS candidate at the School of Computer Science and Engineering, Xi’an University of Technology, China. Her research interests include optics communications and image processing.

**Xiaojuan Ning** received her PhD degree in 2011, and she currently works in Xi’an University of Technology. Meanwhile, she has cooperated with Institute of LIAMA and National Laboratory of Pattern Recognition at Institute of Automation, Chinese Academy of Sciences. Her current research interests include scene modeling and shape analysis.

**Yinghui Wang** received his BS, MS, and PhD degrees in 1989, 1999, and 2002, respectively, and now he is a professor at the School of Computer Science and Engineering, Xi’an University of Technology, China, and Institute of Computer Science, Shaanxi Normal University, China. His research interests include software evolution, image analysis, and pattern recognition.