Asymmetric double-image encryption method by using iterative phase retrieval algorithm in fractional Fourier transform domain

Abstract. A double-image encryption scheme is proposed based on an asymmetric technique, in which the encryption and decryption processes are different and the encryption keys are not identical to the decryption ones. First, a phase-only function (POF) of each plain image is retrieved by using an iterative process and then encoded into an interim matrix. Two interim matrices are directly modulated into a complex image by using the convolution operation in the fractional Fourier transform (FrFT) domain. Second, the complex image is encrypted into the gray scale ciphertext with stationary white-noise distribution by using the FrFT. In the encryption process, three random phase functions are used as encryption keys to retrieve the POFs of plain images. Simultaneously, two decryption keys are generated in the encryption process, which make the optical implementation of the decryption process convenient and efficient. The proposed encryption scheme has high robustness to various attacks, such as brute-force attack, known plaintext attack, cipher-only attack, and specific attack. Numerical simulations demonstrate the validity and security of the proposed method.


Introduction
With the rapid popularity of computer networks, images as an effective carrier of information have been widely used in various fields of modern society, and image encryption has become an important field of information security. ][4][5][6][7][8][9][10][11] Moreover, Alfalou and Brosseau [12] pointed out that these techniques can be used for compression operations simultaneously. Though most reported optical encryption techniques based on DRPE have excellent parallel and multidimensional signal-processing capability, it should be pointed out that these schemes belong to the category of symmetric cryptosystems, where the keys in the encryption process are used for decryption. 4][15] In order to resist these attacks, Qin and Peng [16] proposed an asymmetric encryption based on the phase-truncated Fourier transform (PTFT), where the decryption keys are different from the encryption keys and the linearity of the cryptosystem is broken by using the nonlinear operation of phase truncation.
Recently, multiple-image encryption based on multiplexing techniques has received increasing attention in the field of information security since Situ and Zhang [17] proposed the multiple-image encryption approaches using wavelength and position multiplexing with Gaussian low-pass filtering. Alfalou and Mansour [18] proposed an encryption scheme which is divided into two security layers, in which target images are multiplexed and simultaneously encoded by using the iterative Fourier transformations in the first layer. In subsequent work, Alfalou et al. [19] implemented simultaneous fusion, compression, and encryption of multiple images based on the discrete cosine transform. Wang and Zhao [20] proposed a fully phase image encryption based on superposition principle and hologram, where a real-valued original image is encoded into a phase-only function (POF). Deng and Zhao [21] suggested a multiple-image encryption by using a phase retrieval algorithm and intermodulation in the Fourier domain, which avoids the cross-talk of decrypted images. Hwang et al. [22] proposed a multiple-image encryption and multiplexing approach based on a modified Gerchberg-Saxton algorithm (MGSA) in the FrT domain, which reduces the cross-talk significantly. Chang et al. [23,24] also suggested the position multiplexing encryption using cascaded phase-only masks based on the MGSA.
As a special case, double-image encryption has also attracted much attention in optical cryptosystems. Li and Wang [25] proposed a double-image encryption algorithm based on phase-retrieval technique and GT, where two images can be simultaneously encrypted into a single one as the amplitudes of gyrator. Liu et al. [26] encrypted two original images into the real part and imaginary part of a complex function, respectively, which are exchanged randomly by using random binary encoding data generated by a chaotic map. Wang and Zhao [27] suggested an asymmetric algorithm to encrypt two covert images into an overt image based on phase retrieval and PTFT, in which the encryption keys are different from those in the decryption process. However, Wang and Zhao [28] designed a specific attack by using a two-step iterative amplitude-retrieval approach according to PTFT-based cryptosystems. With this attack, the encrypted information would be revealed when the encryption keys are used as public keys. Subsequently, Wang and Zhao [29] suggested another asymmetric double-image encryption, which has a high level of robustness against this attack. Li and Wang [30] proposed a double-image encryption based on discrete fractional random transform and chaotic maps, which can raise the efficiency when encrypting, storing, or transmitting. Zhang and Xiao [31] designed a double-optical images encryption using discrete Chirikov standard map and chaos-based discrete fractional random transform, where the Chirikov standard map is utilized to scramble the pixel positions and intensity values, respectively.
In this article, a double-image encryption scheme is proposed based on an asymmetric technique, in which the encryption and decryption processes are different and the encryption keys are not identical to the decryption ones. The encryption process can be performed digitally, in which the POFs of two plain images are obtained by using the iterative phase retrieval algorithm, and the interim-encrypted matrices generated with POFs are modulated into a complex image with the convolution operation in the FrFT domain. Finally, the complex image is transformed to the real-value ciphertext with stationary white-noise distribution. The decryption process can be implemented optically and only two decryption keys produced in the encryption process are used as phase masks, which is convenient and efficient by using the classical DRPE system. Simulation results and security analysis verify that the proposed double-image encryption has a high level of robustness against brute-force attack, known plaintext attack and specific attack.
The rest of this article is organized as follows. In Sec. 2, the basic principles and the processes of encryption and decryption are introduced in detail. In Sec. 3, numerical simulation results and security analysis are given. Finally, the conclusion is given in Sec. 4.

Phase-Retrieval Algorithm Based on Iterative FrFT
The Gerchberg-Saxton algorithm (GSA) is a powerful tool in image encryption cryptosystems, where it is usually employed to encode plaintext into a POF in the Fourier domain. Though it is sufficient to retrieve the phase function with the FTs back and forth between the object and the Fourier domains, it suffers from some drawbacks such as slow convergence speed in practical applications. In order to solve this problem, a POF-retrieval algorithm shown in Fig. 1 is implemented in Ref. 32. The FrFT at order $\alpha$ of a two-dimensional function $f(x_i, y_i)$ can be expressed as where $(x_i, y_i)$ and $(x_o, y_o)$ indicate the input and output coordinates, respectively, and the transform kernel is denoted as The $A_\phi$ is a trivial phase parameter and $\phi_\alpha = \alpha\pi/2$ is the transform angle. The FrFT is linear and has the property that it is index additive In addition, the FrFT satisfies the Parseval energy conservation theorem

The POF-retrieval algorithm is based on the iterative FrFT process between two grayscale images first proposed in Ref. 33. Images $f$ and $g$ are placed at the input and output planes, respectively, between which are three phase masks placed in three continuous FrFT planes. Let the function $h$ denote an interim-encrypted image and $\alpha_1$, $\alpha_2$, $\beta_1$, $\beta_2$ denote two different groups of fractional orders. Given five phase functions, which are distributed in the interval $[0, 2\pi]$ and denoted by $\phi_1$, $\phi_2$, $\xi_1$, $\xi_2$ and $\psi$, respectively, the relationship between the images and phase functions is expressed as where $F^{\alpha}$ denotes FrFT with the fractional order $\alpha$. Initially, the functions $h$, $\phi_1$, $\phi_2$, $\xi_1$, $\xi_2$ and $\psi$ are unknown. Equation (6) indicates that the two images satisfy the following relationship: According to Eq. (7), the phase functions $\phi_1$, $\phi_2$, $\xi_1$ and $\xi_2$ are obtained with the iterative process, which consists of a number of cycling iterations. Suppose that in the $k$th iteration the phase distributions $\phi_1^k$, $\phi_2^k$, $\xi_2^k$ are known, then the output-complex image $\hat{g}^k$ is expressed as Its phase and amplitude are expressed as follows Substituting the phase function $\xi_1^k$ into Eq. (6), the phase functions $\xi_2^{k+1}$, $\phi_2^{k+1}$, $\phi_1^{k+1}$ in the next iteration are updated by

In order to decide whether the iteration stops, the correlation coefficient (CC) or the mean square error (MSE) between the iterated image and the original one is used as the convergence criterion. These criteria are expressed as where $g$ and $g^k$ denote the original image and the iterated one, and $E[\cdot]$ denotes the expected value operator. In the process of iteration, if CC is larger than a predefined threshold which is close to 1 or MSE is lower than a predefined threshold which is close to 0, the iterative process ends. Suppose the number of iterations is $K$, then the optimized phase functions are obtained as follows:

In Fig. 1, $f(x_i, y_i)$ and $g(x_o, y_o)$ denote the input and output image, respectively. In order to compute the POF of the image $f(x_i, y_i)$ When the convergence criterion between $f(x_i, y_i)$ and its approximation $f(x_i, y_i)$ is reached, the resultant pure phase functions $\phi_1(x_i, y_i)$ and $\xi_1(x_o, y_o)$ are obtained, respectively, where the function $\xi_1(x_o, y_o)$ is finally used as the POF of image $f(x_i, y_i)$. At the beginning of the iterative process, the initial phase masks $\phi_1^0$, $\phi_2^0$, $\xi_2^0$ are generated randomly.

Encryption and Decryption Processes
The proposed double-image encryption is based on the iterative phase-retrieval algorithm and belongs to the category of asymmetric cryptosystems. The encryption process is shown in Fig. 2. Let $f_i$ $(i = 1, 2)$ denote two original plaintext images to be encoded; the encryption process is described as follows:
• Given three initial random phase functions $\phi_1^0$, $\phi_2^0$, $\xi_2^0$, the iterative phase-retrieval process is performed on the image $f_i$ in the POF-retrieval module. First, the relationship between $f_i$ and the unity amplitude image $g$ is built by using Eq. (6), and then the iterative phase-retrieval process is performed by using Eqs. (10)-(12). The convergence criterion is set to an MSE threshold. When the MSE between $f_i$ and its approximation $f_i$ is lower than the threshold, the iteration process ends and the optimized phase functions $\phi_{i,1}$, $\phi_{i,2}$, $\xi_{i,1}$, and $\xi_{i,2}$ are obtained by using Eq. (15). In this process, the fractional orders $\alpha_1$, $\alpha_2$ are used for the plaintext image $f_i$ and $\beta_1$, $\beta_2$ for the unity amplitude image $g$. In addition, the phase function $\phi_{i,2}$ will be used as the decryption key.
• In the interim image generation module, a complex matrix is produced by using the unity amplitude image $g$ and two corresponding phase functions $\xi_{i,1}$, $\xi_{i,2}$, which is expressed as
• In the phase modulation, two matrices $H_i$ are combined into one complex matrix $H$ by using convolution and the combined matrix $H$ can be written as where the symbol $*$ denotes the convolution operation.
• The combined matrix $H$ is transformed to $\hat{H}$ by using the FrFT with the fractional order $\alpha_3$, which is expressed as

Fig. 2 Diagram of double-image encryption process.
At the same time, the amplitude of $\hat{H}$ is extracted as the real-value ciphertext $C_{\text{final}}$ by using the following equation Additionally, a decryption key $\phi_{i,d}$ is generated as follows: where $|H|$ denotes the amplitude of the combined matrix.

The decryption process is depicted in Fig. 3; it is different from the encryption process and much simpler. The main steps are as follows:
• When decrypting the plaintext image $f_i$, the complex matrix $\hat{H}_i$ is first generated by multiplying the ciphertext $C_{\text{final}}$ with the phase function $\exp(j\phi_{i,d})$ produced with the corresponding decryption key $\phi_{i,d}$.
• The complex matrix $\hat{H}_i$ is transformed to $H_i$ by using the inverse FrFT with the fractional order $-(\alpha_2 + \alpha_3)$, and then $h_i$ is generated by multiplying $H_i$ with the phase matrix $\exp(-j\phi_{i,2})$ produced with another corresponding decryption key $\phi_{i,2}$.
• The complex matrix $h_i$ is transformed to $\hat{h}_i$ by using the inverse FrFT with the fractional order $-\alpha_1$, and then the amplitude of the matrix $\hat{h}_i$ is extracted as the decrypted image $f_i$, which is expressed as

From the above description of the encryption and decryption processes, one can see that only three random phase functions denoted by $\phi_1^0$, $\phi_2^0$, and $\xi_2^0$ are used as the encryption keys, which have no relationship with decryption. Simultaneously, the phase functions $\phi_{i,2}$ and $\phi_{i,d}$ produced in the encryption process are used as the decryption keys according to each decrypted image $f_i$, which are directly related to the original plaintext images. Apparently, the keys for decryption are different from those for encryption, which means the entire cryptosystem is asymmetric. 4][15] The proposed asymmetric double-image encryption scheme can break the linearity of the cryptosystem and has high resistance against these conventional attacks. In addition, the decryption keys $\phi_{i,2}$ and $\phi_{i,d}$ can be assigned to different valid users in order to enhance the security, in which each original plaintext image $f_i$ can be decrypted if both phase masks $\exp(j\phi_{i,d})$ and $\exp(-j\phi_{i,2})$ are correctly placed in the verification system.
The proposed asymmetric double-image encryption scheme can be implemented with an electro-optical hybrid setup. It is worth noting that although the encryption process and the formation of decryption keys are complicated and can be realized digitally with the help of a computer, the decryption process is much simpler and can be implemented with some optoelectronic devices. A simple optical setup is depicted in Fig. 4, which is based on the 4f imaging system similar to DRPE. When decrypting the image $f_i$, only the phase masks $\exp(j\phi_{i,d})$ and $\exp(-j\phi_{i,2})$ are placed at PM1 and PM2, respectively. Obviously, the decryption process is convenient and efficient.
Numerical Simulation and Security Analysis
Numerical simulations have been performed to verify the feasibility and effectiveness of the proposed asymmetric double-image encryption scheme. Two grayscale images "Zelda" and "Baboon" with 256 × 256 pixels and 256 gray levels, which are shown in Figs. 5(a) and 5(b), are used for encryption. The related fractional orders are set as The ciphertext image encrypted by using three random phase functions as encryption keys is shown in Fig. 5(c), which looks like white noise. The decryption keys generated in the encryption process and used for the correct decrypted image "Zelda" are shown in Figs. 6(a

Brute-Force Attack Analysis
The robustness against the brute-force attack is tested, in which an invalid user attempts to retrieve the original images in two possible ways, namely decoding the plaintext with (1) no keys or (2) two arbitrarily selected phase functions from the encryption keys. Figures 7(a) and 7(b) display the decrypted results by using no keys and arbitrarily selected phase functions, from which an invalid user cannot obtain any useful information. So, the proposed asymmetric scheme has a powerful ability to resist the brute-force attack. and "Peppers". Figures 8(c) and 8(d) display the decrypted images of "Zelda" and "Peppers," respectively. As seen from Figs. 8(c) and 8(d), the retrieved images provide no valuable information on the content of "Zelda" and "Peppers" though the fake plaintexts themselves can be seen faintly.

Similar to the ciphertext-only attack proposed in Ref. 26, the phase-retrieval algorithm shown in Fig. 9 is introduced into the decryption process as a test. Supposing the invalid user knows the phase function $\phi_{i,d}$, he can recover the function $\phi_{i,2}$ by use of FrFT. Thus, the original images $f_i$ can be decrypted by using Eq. (21). Initially, the phase function $\phi_{i,2}^0$ is generated randomly. The process is simulated with 300 iterations. The decryption results are displayed in Fig. 10. Figure 10(a) shows that the values of the MSE curves are large, which means the phase function $\phi_{i,2}$ cannot be retrieved. Figures 10(b) and 10(c) show the decrypted images "Zelda" and "Peppers," respectively, which are noise-like images. The results demonstrate that the proposed encryption scheme has high security under the ciphertext-only attack.

Occlusion Attack Analysis
The robustness against occlusion attack is analyzed. When considering the robustness against occlusion, the decryption process should be performed on the ciphertext of "Zelda" and "Peppers" with all correct decryption keys, in which the ciphertext image is partly occluded. Figure 11(a) shows the occluded ciphertext whose pixel values at the left-top corner are replaced with 0 in simulation, namely the ciphertext is cropped by 50% in the left side. Figures 11(b) and 11(c) display the corresponding recovered images from Fig. 11(a). Figure 12(a) shows the occluded ciphertext whose left-side pixel values are replaced with 0, and Figs. 12(b) and 12(c) display the recovered. Apparently, the main information of the original images can be recognized visually from the decrypted ones. Similar results can be obtained when the ciphertext is cropped by 50% or 100% in the right side. So, the proposed asymmetric double-image encryption has high robustness against occlusion attack.

Noise Attack Analysis
When considering the robustness against noise, a Gaussian random noise is added to the ciphertext of "Zelda" and "Peppers," in which the noise interferes with the ciphertext image in the following way: where $C$ and $C'$ are the original ciphertext and the noise-affected ciphertext image, respectively, $k$ is a coefficient which denotes the noise strength, and $G$ is a Gaussian random noise with zero mean and unit standard deviation.
Figure 13 shows the decrypted images of "Zelda" when $k$ is set to 0.2, 0.4, 0.6, 0.8, and 1.0. Similar results can be obtained for image "Peppers." From Fig. 13, it is obvious that the content of the decrypted images can be recognized despite noise interference, and the proposed encryption scheme has high robustness against noise attack.

Statistical Analysis
The contribution of fractional orders to the security of the proposed double-image encryption is studied. Figure 14 shows the relationship between MSE and the deviation of the fractional order $\alpha_1$. When $\alpha_1$ is correct, the MSE value between the original image "Zelda" and its decrypted one approximates to zero. When $\alpha_1$ slightly departs from the correct value, the MSE value sharply increases. A similar result is obtained for image "Peppers." In practice, if the deviation of the order $\alpha_1$ is larger than 0.006, the content of the decrypted images cannot be recognized at all. Figures 15(a) and 15(b) show the decrypted images "Zelda" and "Peppers," respectively, while the deviation of the order $\alpha_1$ equals 0.006.

In order to test the correlations of adjacent pixels, 2000 pairs of adjacent pixels are randomly selected in vertical, horizontal, and diagonal directions from the plaintext images "Zelda" and "Peppers" as well as from the ciphertext, and then the CC of two adjacent pixels is calculated as follows: where $\bar{x} = \frac{1}{N}\sum_{i=1}^{N} x_i$ and $\bar{y} = \frac{1}{N}\sum_{i=1}^{N} y_i$. Table 1 shows the results of CCs of the plaintext images and ciphertext, which indicates that the correlation of two adjacent pixels of the plaintext images is significant while that of the ciphertext is very low. So, an illegal user also cannot obtain any valid information from this statistical data.
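The adjacent-pixel test described above, as an added example that is not code from the paper. It assumes the standard Pearson correlation coefficient (the paper's own equation is not preserved on this page) and uses two constructed 64 × 64 images: a smooth pattern standing in for a plaintext and uniform noise standing in for a ciphertext.

```python
import math
import random

# Offsets (row, column) to the neighbour for each direction tested in the paper.
DIRECTIONS = {"horizontal": (0, 1), "vertical": (1, 0), "diagonal": (1, 1)}


def adjacent_pixel_cc(img, direction, n_pairs=2000, seed=0):
    """Pearson CC over n_pairs randomly selected adjacent-pixel pairs.

    img is a list of rows of gray levels. Returns NaN when either sample
    has zero variance (a flat region), where the coefficient is undefined.
    """
    dr, dc = DIRECTIONS[direction]
    rows, cols = len(img), len(img[0])
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n_pairs):
        r = rng.randrange(rows - dr)  # keep the neighbour inside the image
        c = rng.randrange(cols - dc)
        xs.append(img[r][c])
        ys.append(img[r + dr][c + dc])
    x_bar = sum(xs) / n_pairs
    y_bar = sum(ys) / n_pairs
    cov = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    var_x = sum((x - x_bar) ** 2 for x in xs)
    var_y = sum((y - y_bar) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return math.nan
    return cov / math.sqrt(var_x * var_y)


def cc_table(img, n_pairs=2000, seed=0):
    """One row of a Table-1-style report: CC for all three directions."""
    return {d: adjacent_pixel_cc(img, d, n_pairs, seed) for d in DIRECTIONS}


def smooth_image(size=64):
    """Constructed stand-in for a natural plaintext image (smooth gradients)."""
    two_pi = 2 * math.pi
    return [[int(127.5 + 60 * math.sin(two_pi * r / size)
                 + 60 * math.cos(two_pi * c / size))
             for c in range(size)] for r in range(size)]


def noise_image(size=64, seed=1):
    """Constructed stand-in for a white-noise-like ciphertext."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


if __name__ == "__main__":
    for name, img in (("smooth plaintext stand-in", smooth_image()),
                      ("noise ciphertext stand-in", noise_image())):
        row = cc_table(img)
        print(name, {d: round(v, 4) for d, v in row.items()})
```

A coefficient near zero only shows that this one statistic reveals no structure in the ciphertext; it does not substitute for the other attack analyses in this section.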
Figure 16 displays the histograms of the ciphertext of two groups of original images, namely "Zelda" and "Peppers" shown in Figs. 5(a) and 5(b), and "Lena" and "Baboon" shown in Figs. 8(a) and 8(b). Obviously, it can be concluded that the different original images have consistent statistical properties because the distributions of the histograms are similar. Thus, the histograms of ciphertext cannot provide any useful information for the invalid user to perform this kind of statistical analysis attack.
Similar to the analysis process proposed in Ref. 34, the key spaces of the phase functions $\phi_{i,2}$, $\phi_{i,d}$ as the decryption keys are analyzed, respectively. When decrypting the image "Zelda," the phase function $\phi_{1,d}$ is considered to fluctuate in a certain range, namely there is a pseudo-key $\phi'_{1,d}$ satisfying the following relation: where $\Delta\phi$ is a random phase function whose value is located in the range $(-\pi, \pi)$, and $d$ is a coefficient whose value is 17(a). When the MSE is more than 50, no valid information can be obtained visually from the decrypted image. From Fig. 10, it is obvious that the maximum value of $\Delta d$ is 0.0538 while the normalized MSE is equal to 50, and the number of possible values for every pixel in the phase function is as huge as $(2\pi/0.0538)^{256\times256}$. So, the key space of $\phi_{1,d}$ is estimated to be $S_1 \approx 116^{256\times256}$. Similarly, the normalized MSE curve of the phase function $\phi_{1,2}$ is shown in Fig. 17(b), and the corresponding key space is estimated as $S_2 \approx 6^{256\times256}$. So, the entire key space of the cryptosystem almost equals $S_1 \times S_2$, which is enormous enough to resist brute-force attack.

Specific Attack Analysis
The proposed asymmetric double-image encryption scheme has inherent immunity to the specific attack proposed in Ref. 28. The encryption process of the asymmetric cryptosystem based on PTFT proposed in Ref. 16 is shown in Fig. 18, in which an image $f(x)$ is encrypted to the ciphertext $E_o(x)$ by using the following equations: $E_o(x) = \mathrm{PT}\{\mathrm{IFT}[g(u)R'(u)]\}$, where $R(x)$ and $R'(u)$ are two random phase functions as encryption keys. The decryption keys $P(u)$ and $P'(x)$ are generated in the encryption process by the following equations: $P'(x) = \mathrm{PR}\{\mathrm{IFT}[g(u)R'(u)]\}$, where $\mathrm{PT}(\cdot)$ and $\mathrm{PR}(\cdot)$ denote the phase truncation and phase reservation operator, respectively. According to Fig. 18, the specific attack is divided into two steps [28]. The first step is used to retrieve estimations of $g(u)$ and the decryption key $P'(x)$ using $R'(u)$ and $E_o(x)$ with an iteration process, which is expressed as $E_{k+1}(x) = \mathrm{PT}\{\mathrm{IFT}[g_k(u)R'(u)]\}$, where the phase function $P'_0(x)$ is arbitrarily chosen. The second step is to obtain the decrypted image $f(x)$ and the decryption key $P(u)$ by using the estimation of $g(u)$ and $R(x)$ with another iteration process, which is expressed as where the initial phase function $g_0(u)$ is the estimation of $g(u)$ in the first step.

Fig. 14 The MSE versus the perturbation of the fractional order $\alpha_1$.
From the above description of the specific attack, the encryption keys $R'(u)$ and $R(x)$ are very important; they are used to retrieve the decryption keys $P'(x)$ and $P(u)$ in the two steps, respectively. The encryption mechanism of the proposed asymmetric scheme is different from the PTFT-based cryptosystem, where three random encryption keys $\phi_1^0$, $\phi_2^0$, and $\xi_2^0$ are only used for the POF retrieval of the plain image $f_i$. In addition, the generation of the decryption key $\phi_{i,d}$ has no relation to these encryption keys. So, the encryption keys cannot afford any information to recover the decryption keys and plaintext images.

Conclusion
In conclusion, a double-image encryption scheme based on an asymmetric technique is proposed, in which the encryption and decryption processes are different and the decryption keys are not identical to the encryption ones. Three random phase functions are employed as encryption keys and used to retrieve the POFs of plain images based on the iterative phase retrieval process. Meanwhile, two interim-encrypted images generated with the corresponding phase functions are combined into a complex matrix, which is transformed to the real-value ciphertext with stationary white noise distribution.
Owing to the application of the asymmetric technique, the fundamental drawbacks resulting from the linearity can be avoided and therefore high robustness against existing attacks can be achieved. A set of numerical simulations has illustrated the feasibility and effectiveness of the proposed encryption scheme.

Fig. 1 Diagram of the iterative phase-retrieval process in the fractional Fourier transform domain.

) and 6(b), whereas the keys for image "Peppers" are shown in Figs. 6(c) and 6(d). The corresponding decrypted images with the correct decryption keys are shown in Figs. 6(e) and 6(f).

Fig. 18
Fig. 17 (a) The normalized MSE versus the perturbation of the phase function $\phi_{1,d}$ and (b) the normalized MSE versus the perturbation of the phase function $\phi_{1,2}$.

Table 1
Correlation results in the plaintext images and ciphertext.