Advanced Photonics Nexus, Volume. 3, Issue 5, 056016(2024)

Multiuser computational imaging encryption and authentication with OFDM-assisted key management

Hongran Zeng1、†, Ping Lu1, Xiaowei Li1、*, Lingling Huang2, Chaoyun Song3, Dahai Li1, In-kwon Lee4, Seok-Tae Kim5, Qiong-Hua Wang6、*, and Yiguang Liu7、*
Author Affiliations
  • 1Sichuan University, School of Electronics and Information Engineering, Chengdu, China
  • 2Beijing Institute of Technology, School of Optics and Photonics, Beijing Engineering Research Center of Mixed Reality and Advanced Display, Beijing, China
  • 3King’s College London, Department of Engineering, London, United Kingdom
  • 4Yonsei University, Department of Computer Science, Seoul, Republic of Korea
  • 5Pukyong National University, Department of Information and Communications, Busan, Republic of Korea
  • 6Beihang University, School of Instrumentation and Optoelectronic Engineering, Beijing, China
  • 7Sichuan University, College of Computer Science, Chengdu, China
  • show less

    Single-pixel imaging (SPI) enables an invisible target to be imaged onto a photosensitive surface without a lens, emerging as a promising way for indirect optical encryption. However, due to its linear and broadcast imaging principles, SPI encryption has been confined to a single-user framework for the long term. We propose a multi-image SPI encryption method and combine it with orthogonal frequency division multiplexing-assisted key management, to achieve a multiuser SPI encryption and authentication framework. Multiple images are first encrypted as a composite intensity sequence containing the plaintexts and authentication information, simultaneously generating different sets of keys for users. Then, the SPI keys for encryption and authentication are asymmetrically isolated into independent frequency carriers and encapsulated into a Malus metasurface, so as to establish an individually private and content-independent channel for each user. Users can receive different plaintexts privately and verify the authenticity, eliminating the broadcast transparency of SPI encryption. The improved linear security is also verified by simulating attacks. By the combination of direct key management and indirect image encryption, our work achieves the encryption and authentication functionality under a multiuser computational imaging framework, facilitating its application in optical communication, imaging, and security.

    Keywords

    1 Introduction

    With the increasing demand for personal privacy and the growing scarcity of communication resources, multiuser encryption has become an important trend for the future development of optical cryptography. Among the optical cryptography methods, single-pixel imaging (SPI), as a typical type of indirect computational imaging technique, has revealed significant potential due to the non-visual and encryption-like imaging principle.14 Instead of depending on the direct encrypting quality, SPI encryption approaches rather are based on the correlation of a series of modulated patterns and an invisible target. The corresponding imaging principle can be described as Yk=xyM(x,y)×Pk(x,y),where Yk denotes the intensity value in the k’th detection, and M(x,y) and Pk(x,y) denote the spatial distribution of the plaintext and the k’th pattern projected, respectively. Since the series of patterns can be used to encrypt object specifics over non-line-of-sight range,57 various SPI encryption schemes have been developed to enhance the security, including spatial-multiplexed SPI encryption8 and algorithm-dependent image hiding.9 SPI encryption is also combined with other technologies, such as holography,10 visual encryption,11 and computer vision technologies,12 to expand the application schemes. By alternatively applying a photosensitive surface without a lens, human poses can be securely recovered in a sequence of modulated intensity.12 Also, by the combination of steganography and a Malus metasurface, the huge burden of transmitting patterns of SPI encryption can also be decreased.13 However, due to the linear imaging principle in Eq. (1) and broadcast behavior, the multiuser SPI framework has not been investigated well. Specifically, obvious linearity in the SPI ciphertext is caused by the convolutional process, therefore triggering the security vulnerability. Besides, receivers in different locations can only receive the same intensity sequence at one time.5,6 Thus, only the same plaintext can be recovered by users, limiting the channel transmitting capacity. It can be hard for the direct design on plaintext SPI encryption algorithms to solve these two issues based on Eq. (1).

    Fortunately, key management, playing as the upstream layer of plaintext encryption responsible for all the tasks of related keys,1417 can remarkably promote the security of multiuser services.1822 To protect the privacy in the internet of vehicles, certificateless-group-assisted,23 quantum-key-based,24 and artificial-intelligence-enabled18 key management methods are proposed. Encryption-based key management methods are also applied in other multiuser scenarios, such as elliptic-curve-cryptography-based key management in multi-sensor networks25 and Chebyshev chaotic map key management in blockchain authentication.26 Different from digital key management, optical key management requires an entity to carry keys, while the metasurface providing the information at the submillimeter level2730 and efficiency for multiplexing degrees of freedom of light3133 can decrease the exposure risk during physical key transmission. At the same time, orthogonal frequency division multiplexing (OFDM) is able to transmit parallel data streams on independent subcarriers while overlapping the sequential characteristic of signals,34 being viable for accommodating multiple cryptographical keys.

    Thus, in this paper, we provide a complete solution to multiuser SPI cryptography and authentication framework combined with OFDM-assisted key management. Within the framework, regional and global encryptions are first conducted to form a composite intensity sequence to be transmitted to different individuals, simultaneously generating the corresponding keys specially used by users. Then, keys are isolated into independent frequency points and asymmetrically encapsulated into a Malus metasurface by OFDM-assisted key management. By the key distribution of the metasurface in a polarized manner, users can eventually recover their designated SPI images and verify their authenticity. To verify the security of the multiuser SPI framework, five pioneering SPI encrypting works relying on direct plaintext encryption and our scheme are compared. The results show that the multiuser scheme can resist multiple types of attacks and can verify the authenticity even when one of the users is compromised to Eve. Our work facilitates the development of indirect computational imaging security into the multiuser framework, enhancing its application in secure optical communication, anticounterfeiting, and security.

    2 Principle and Methodology

    2.1 Multiuser SPI Encryption and Authentication Framework

    Figure 1 shows the procedure of N users. N plaintexts with an authentication image are first encrypted and transmitted by the Fourier SPI encryption. While in key space, a pair of private key sets Ψ and Φ dedicated to decryption and authentication, respectively, and a commonly used key set Ω for all users are generated. Enabled by OFDM-like and RSA asymmetric coding, Ψ and Φ are multiplexed and cross-encapsulated as Λ, sealed with Ω into the light envelope of a Malus metasurface. In the receiving end, two polarized channels of the metasurface are inversely extended into 2N+1 keys (i.e., three types of key sets) for N users. Receiving the bucket signal, users can retrieve plaintexts privately using their own keys and further collaboratively verify the authenticity of the decrypted images. In the following sections, we will quantify this process, taking N=8 as a case study, to demonstrate the detailed mechanism of our method.

    Concept of the multiuser SPI security framework. N plaintexts are compositely encrypted and transparently transmitted to all users by the composite SPI Fourier encryption. Simultaneously, three types of key sets Ψ, Φ, and Ω are encapsulated into the metasurface for key distribution. After receiving the bucket signal, users access the metasurface to acquire their own secret keys to decrypt different plaintexts. The private {Ψ} and {Φ} sets represent the 2N decomposed keys from Λ, a pair of which corresponds to the plaintext and authenticating information for each user. Ω denotes a common key set for authentication.

    Figure 1.Concept of the multiuser SPI security framework. N plaintexts are compositely encrypted and transparently transmitted to all users by the composite SPI Fourier encryption. Simultaneously, three types of key sets Ψ, Φ, and Ω are encapsulated into the metasurface for key distribution. After receiving the bucket signal, users access the metasurface to acquire their own secret keys to decrypt different plaintexts. The private {Ψ} and {Φ} sets represent the 2N decomposed keys from Λ, a pair of which corresponds to the plaintext and authenticating information for each user. Ω denotes a common key set for authentication.

    2.2 Composite Fourier SPI Encryption

    As shown in Fig. 2, the Fourier SPI encryption is composed of regional encryption, containing whitening and permutation, basically providing internal privacy among users, and global encryption, including diffusion and Fourier SPI, of all users for authentication and countering malicious attacks from Eve. In order to conduct the encryption, whitening, permutation, and diffusion keys {Wkm×n}, {Pku×v}, and {Dq3m×3n} are generated in terms of chaos and will be further processed in terms of key management.

    Schematic of the Fourier SPI encryption. The host digitally processes I1∼I9 and configures a Fourier SPI optical path, where a digital micromirror device (DMD) and Fourier structured light are presented. To improve the efficiency of the following key processing, the initial conditions of chaos instead of the generated masks are encapsulated.

    Figure 2.Schematic of the Fourier SPI encryption. The host digitally processes I1I9 and configures a Fourier SPI optical path, where a digital micromirror device (DMD) and Fourier structured light are presented. To improve the efficiency of the following key processing, the initial conditions of chaos instead of the generated masks are encapsulated.

    For regional encryption, as shown in Fig. 3(a), plaintexts Ik, k=1,2,,9, with the identical dimension of m×n pixels (i.e., here 96×96) are planarly concatenated into a triplex-grid image Iconcate, in which I1I8 are the private plaintexts for each user whereas the common I9 is attached in case of counterfeiting for authentication of all users. Because the direct super-pixel permutation of plaintexts without any alteration of image pixel values can still reveal the content information and are affected by ciphertext analysis, as shown in Fig. 3(b), the integrated image Iconcate should be whitened pixel-by-pixel in advance to cover the basic texture.

    Schematic of regional encryption. (a) Texture information and spacing distribution of pixels can be scrambled by whitening and permutation, whereas (b) permutation-only encryption still can reveal the content information.

    Figure 3.Schematic of regional encryption. (a) Texture information and spacing distribution of pixels can be scrambled by whitening and permutation, whereas (b) permutation-only encryption still can reveal the content information.

    Therefore, for each Ik, we define nine chaotic masks Wkm×n, k=1,2,,9, independently corresponding to different initial conditions of chaos, including the type index of generation functions ζkwhiten, the starting values of chaotic sequence αkwhiten, the sequence size εwhiten=m, and the initial number to start count βkwhiten. The generation of the whitening masks by the four chaos conditions is shown in Fig. 4. The type of generation functions is independently chosen among the Bernoulli map, piecewise linear chaotic map (PWLCM), and Lorenz map. Then, we integrate the following generated masks Wkm×n into triplex-grid form and XOR it with Iconcate: Iwhiten3m×3n=IconcateWconcate3m×3n.

    Flowchart for generating different whitening masks Wkm×n by chaos.

    Figure 4.Flowchart for generating different whitening masks Wkm×n by chaos.

    Subsequently, the adjacent i×j (i.e., here 12×12) regular pixels in Ik form a super-pixel, and 3u×3v super-pixels integrate the whole Iwhiten3m×3n, with the coordinate index ranging from 0 to 575. Note that u=m/i and v=n/j. Afterward, we re-utilize the PWLCM chaos to generate the corresponding permutation matrix Pconcate3u×3v to scramble the index 0 to 575, equivalent to switching the position of each super-pixel within the entire Iwhiten3m×3n: Ipermu3m×3n=π(Pconcate3u×3v,Iwhiten3m×3n). For the Ik of each user, the permutation key is noted as Pku×v and {Pku×v}, k=1,2,,9, constituting the whole Pconcate3u×3v.

    For global encryption, a series of masks {Dq3m×3n}, q=1,2,,Q, are sequentially generated in terms of the initial chaos conditions {αqdiffuse,ζqdiffuse,εqdiffuse,βqdiffuse}. The rows and columns of {Dq3m×3n} are applied as the basic unit to finish Q rounds of diffusion specific to Ipermu3m×3n. In general, Q2 should be satisfied to achieve an effective avalanche effect against cryptanalysis, particularly differential analysis. Thus, two-round diffusion is used in our design, and an instance flowchart of diffusion is shown in Fig. 5. XOR is used in the first diffusion, and MOD calculation is used in the second round so that only one mask D13m×3n can be used to realize the effective diffusing performance, declining the workload of further key processing.

    Schematic of diffusion encryption.

    Figure 5.Schematic of diffusion encryption.

    Eventually, the diffused image Idiffuse3m×3n is illuminated by Fourier structured light to be broadcasted to users. For the generation of structured light, four-step phase shifting is applied in SPI encryption. Four Fourier patterns are designed to be Jϕ=a+bcos(2πfxx+2πfyy+ϕ), ϕ=[0,π/2,π,3π/2], where (x,y) and fx,fy denote the two-dimensional (2D) Cartesian coordinates in the scene and spatial frequency distribution of images, respectively, while a and b denote the average image intensity and image contrast, respectively. After the illumination of each set of four-step phase shifted patterns, four intensities Oϕ can be acquired by each user. Following this process, a corresponding Fourier coefficient of the target can be further obtained by C(fx,fy)=[O0(fx,fy)Oπ(fx,fy)]+j·[Oπ/2(fx,fy)O3π/2(fx,fy)].35 Finally, after collecting all the Fourier coefficients, users only have to operate inverse fast Fourier transform (IFFT) to recover the image without correlating with any pattern. The complete code demonstration of composite Fourier encryption can be found in Sec. S1 in the Supplementary Material.

    Different encrypting steps generate keys with different functions. According to the functions, we divide the keys as two groups for separate management. Regional encryption is privately used for each user to independently protect their own plaintext. Thus, {Wkm×n,Pku×v}, k=1,2,,8, form Ψk and Ψ=[Ψ1,Ψ2,,Ψ8]T, is treated as the access of the metasurface to I1I8. Global encryption is commonly used for all users countering external attacks from Eve. Thus, {W9m×n,P9u×v} and {Dq3m×3n} are grouped as Ω, also publicly used to retrieve the authentication image I9. Simultaneously, to verify the authentication image, we also generate a synonym (i.e., dwelling) from I9 as an authentication key, namely token, for parallel OFDM-like modulation.

    2.3 OFDM-Assisted Key Management

    As shown in Fig. 6(a), after SPI encryption, key management is used to isolate and distribute corresponding keys to different users, addressing the contradiction between multiuser privacy and SPI broadcast transparency. Figure 6(b) shows the encapsulating flowchart of key management. The authenticating token generated from I9 is first divided into eight parallel components, which are further isolated onto separate OFDM carriers, producing Φ as the eight private keys for synergic authentication and a multiplexed ciphertext S. Then, Ψ and Φ are further cross-encapsulated by RSA to terminate the progressive dependency of key generation. Consequently, each user can use the asymmetric RSA pair to decrypt their keys coded in the OFDM sequence. Finally, nanobricks are used to modulate the polarization state of the cross-encapsulated keys pixel-by-pixel, forming a discrete and stable structure for key service.

    Design concept of OFDM-assisted key management. (a) Connecting role of key management between SPI encryption and multiple users. (b) Keys are separately processed by OFDM-like coding and RSA, zoned as the private channel and public channel, which are further physically confused by polarization and etched into the metasurface.

    Figure 6.Design concept of OFDM-assisted key management. (a) Connecting role of key management between SPI encryption and multiple users. (b) Keys are separately processed by OFDM-like coding and RSA, zoned as the private channel and public channel, which are further physically confused by polarization and etched into the metasurface.

    For OFDM-like coding, the complex Fourier bases in traditional OFDM algorithms are first replaced by trigonometric bases. Other modulating bases, such as Chebyshev polynomial and Hadamard sequences, are also considered as one of the encoding options (see Sec. S1 in the Supplementary Material) to enlarge the key space. In addition, to demodulate the coded sequence without distortion in user ends, the adjacent subcarriers are designed to secretly differ by one complete period in an OFDM symbol duration with a sampling rate Ns=32. The symbol rate is regarded as Rsymbol=1 symbol/s, equivalent to the bit rate. Moreover, to ensure separability when decrypting plaintexts, frequency interval Δf among subcarriers should be greater than the Rsymbol, whereas to handle more users, Δf is derived as unit 1 to be as less as possible. The modulating process of the token is shown in Fig. 7(a) and Fig. S1 in the Supplementary Material. The token is first compartmentalized into single letters as sub-tokens. Each sub-token (e.g., the initial “D” corresponding to user 1) is then transferred into an ACSII character as we regulate the metasurface to be monochrome in view of the error tolerance of keys and possible errors triggered by manual recognition of grayscale pixels, noted as a binary vector st=[st,1,st,2,,st,8]T, t=1,2,,8, (e.g., “D” → “01000100”). Then, eight frequency indices denoted as Φ=[Φ1,Φ2,,Φ8]T are randomly initialized and assigned to eight users as the first-level keys. The subcarrier of t’th user is written as yΦt=[yΦt,1,yΦt,2,,yΦt,Ns], and the orthogonality is expressed as Eq. (2), where tz and n=1,2,,Ns: yΦt·yΦz=Re[ej2π(fI+ΦtΔf)n]·Re[ej2π(fI+ΦzΔf)n]=0.

    Design principle of the OFDM-assisted key management. (a) Flowchart of OFDM-like coding. (b) Time-frequency diagram of S. (c) 2D parameter optimization of nanobricks, in which the upper region of the red dashed line represents the RPRE of long-polarized light and the lower region indicates that of the short-polarized light. (d) Simulated Rl and Tl. The Malus metasurface is designed to operate in the reflective mode. (e) Four states of the unit cell, where “1” and “0” denote the positive and negative states of the private (public) channel of the metasurface, respectively. (f) Top view of the prototype captured by a scanning electron microscopy with scale bar of 200 nm.

    Figure 7.Design principle of the OFDM-assisted key management. (a) Flowchart of OFDM-like coding. (b) Time-frequency diagram of S. (c) 2D parameter optimization of nanobricks, in which the upper region of the red dashed line represents the RPRE of long-polarized light and the lower region indicates that of the short-polarized light. (d) Simulated Rl and Tl. The Malus metasurface is designed to operate in the reflective mode. (e) Four states of the unit cell, where “1” and “0” denote the positive and negative states of the private (public) channel of the metasurface, respectively. (f) Top view of the prototype captured by a scanning electron microscopy with scale bar of 200 nm.

    Note that fI denotes the randomly chosen initial frequency. Based on this principle, each symbol of st is separately modulated by the assigned subcarrier in terms of Eq. (3): S=t=18st·yΦt,where S is an 8×Ns matrix. st and yΦt are vectors in size 8×1 and 1×Ns, respectively. From S, the p’th row represents the sum of the p’th character of each user modulated by their corresponding carrier: S(p,:)=s1,p·yΦ1+s2,p·yΦ2++s8,p·yΦ8. Thus, it can be seen that sub-tokens for all users are mixed into a unified temporal signal, characterized by extensive overlapping that precludes the disclosure of the individual key component, as shown in Fig. 7(b). However, in the frequency domain, S allows for distinct separation of each user’s keys. Finally, the continuous matrix S is reshaped into a one-dimensional (1D) sequence and transformed into the discrete binary form in terms of IEEE Standard 754 to be recorded in the metasurface.

    Symmetric encryption, such as OFDM-like coding, can trigger an extension of the trust chain, continuously requiring another cryptography to protect the keys in turn produced by the one before. Thereby, as a root of trust, OFDM-like coding needs to be further integrated with RSA asymmetric coding to terminate the progressive dependency. Through the process, t’th user produces a unique pair of keys, in which the public (n,e)t is broadcasted and the private (n,d)t is preserved. Receiving (n,e)t for each user, the host connects the private key set Ψt and Φt in serial and encapsulates them as a whole plaintext to acquire the binary ciphertext Λt. As a result, Λ=[Λ1,Λ2,,Λ8]T, which contains all information about Ψ and Φ recorded in the private channel, whereas S and Ω are publicly used for members generally with a lower security requirement, is arranged serially to form the public channel expression of the metasurface, as shown in Fig. S2 in the Supplementary Material (see S3 in the Supplementary Material).

    Finally, a Malus metasurface is used to record the processed keys to provide information entities, integrating the 17 subchannels of keys into a whole as well. A rectangular aluminous nanobrick is designed to be etched on a top of glass substrate, forming a unit nanobrick cell, where L=180  nm, W=100  nm, H=50  nm, and CS=360  nm. The size of the unit cell is optimized according to the relative polarized reflection efficiency (RPRE), as shown in Fig. 7(c), and the corresponding operating wavelength is set as λ=625  nm. Simultaneously, the simulated reflectivity Rl and transmissivity Tl of the incident light polarized along the long-axis (l) are shown in Fig. 7(d) (for more optimization details, see Sec. S3 in the Supplementary Material). According to the Jones derivation, the orientation angle is selected among the four: 0, 45, 90, and 135 deg, as shown in Fig. 7(e). Specifically, the private channel of Λ and public channel of S and Ω are set as α1=45  deg, α2=90  deg and α1=135  deg, α2=90  deg, respectively, where α1 and α2 denote the rotating angle of a polarizer and an analyzer, respectively. Note that as long as the metasurface can clearly display key information to achieve the security function of keys, the parameters of the nanobricks, including material or shape, are not strictly confined. Finally, the metasurface of 172.8  μm×172.8  μm with the size of 96  pixel×96  pixel is fabricated, as shown in Fig. 7(f). Each pixel is composed of a 5×5 nanobrick array.

    3 Results

    3.1 Experimental Decryption and Authentication

    The optical experimental configurations of the multiuser SPI encryption and authentication framework with the metasurface are shown in Fig. 8. The setup of the multiuser SPI encryption framework and decryption mechanism is shown in Fig. 8(a). The laser beam is emitted by a light source operating at the wavelength of 625 nm. Then, the laser beam is reflected by a DMD (Amphenol V-7001 VIS), and the modulated patterns are expanded by an expanding lens. Subsequently, the patterns are projected onto the object plane and gathered by a bucket detector (Thorlabs DET100A2 320 to 1100 nm) equipped with a photodiode amplifier (Thorlabs PDA200C) and a data acquisition (DAQ) board (NI USB-6343). During the experiment, since two bucket detectors are owned only, four repeated experiments were conducted, where the two intensity detectors were separately positioned in different locations in each experiment to imitate the original eight users.

    Optical setup of the proposed scheme. (a) Setup of the multiuser SPI encryption framework and decryption mechanism. (b) Configuration of key distribution.

    Figure 8.Optical setup of the proposed scheme. (a) Setup of the multiuser SPI encryption framework and decryption mechanism. (b) Configuration of key distribution.

    For decryption and receiving the bucket signals, eight users first need to operate the IFFT to acquire Idiffuse3m×3n. Then, each user accesses the metasurface to decode their keys. The experimental setup of acquiring keys by the metasurface is based on a BA310MET-T microscope, as shown in Fig. 8(b). First, they access the public channel of the metasurface and extract D13m×3n from Ω for global decryption. Sequentially, for RSA decryption, the t’th user accesses the private channel to decode Λt by (Φ3,Ψ3)=Λ3d3MODn3, obtaining the Ψt for regional decryption and Φt for OFDM demodulation. Note that when the t’th user accesses the private channel, all the Λt actually have been exposed to him. However, because the t’th user only owns the unpublished (n,d)t, only the ciphertext Λk can be decoded, whereas the other Λz,tz are still under protection of RSA. After acquiring Ψt and Φt, the user eventually can recover It of his own privately, as shown in Fig. 8(a), during which the decryption is symmetrically inverse to the regional encryption of the composite Fourier SPI encryption.

    For authentication, Ω is first reconstructed in the public channel to retrieve the common I9. Implementing the decrypted Φ by RSA decryption, users recover subcarriers afterward to demodulate S, acquiring their secret sub-token by st=S·yΦtT. During the calculation, the p’th symbol in st corresponding to the t’th user can be represented by the inner product of the p’th row in S and carrier yΦt: st,p=S(p,:),yΦt=(s1,p·yΦ1++s8,p·yΦ8),yΦt. After ACSII-to-character transforms, the eight letters are consociated in sequence, and it is evaluated whether the combined word matches I9, as shown in Fig. 9. The synergetic scheme is specially established for the multiuser scenario since a single letter can convey a multitude of implications, such as “D” revealing “document,” “paddle,” and “wood.” Unless a sufficient number of users cooperate with others, the splitting letter can reveal little information. Therefore, the authenticating credibility (i.e., house element in I9) can still be maintained even if one of the users is compromised to Eve.

    Synergetic authentication mechanism. The red dashed box shows the retrieving process of I9, whereas the blue dashed box displays the retrieving process of the token by the OFDM-assisted key management.

    Figure 9.Synergetic authentication mechanism. The red dashed box shows the retrieving process of I9, whereas the blue dashed box displays the retrieving process of the token by the OFDM-assisted key management.

    3.2 Security Assessment by Confrontation and Numerical Analysis

    3.2.1 Deep differential attack

    The essence of an encrypting scheme consists of confrontation. Thus, we develop a cracking model of SPI encryption, namely a deep differential attack (technical details are supplied in S5 in the Supplementary Material), to intuitively demonstrate the security and capacity of the proposed multiuser scheme. The security and capacity are assessed in terms of the external and internal attack, respectively (see Sec. S5.1 in the Supplementary Material). Five current works without key management, including single-user SPI-metasurface encryption,13 single-user SPI encryption,8,11,36 and multiuser SPI encryption,6 are also attacked for comparison. The numbers of encrypting steps are 3, 2, 1, 4, and 2, indicating different levels of attacking difficulty. Also, we carry on the confrontation on three different datasets including MINIST, USC-SIPI, and University-1652 to verify the security generalization of the multiuser SPI encryption framework.

    As shown in Fig. 10, the ciphertexts of the five current SPI encrypting schemes are approximately cracked. Intuitively, the sensitive profiles, particularly letters or foreground objects, can be roughly recognized though the recovered ones differ from the ground truths and legally decrypted versions. This inconsistency occurs mainly due to the different methods and depths of encryption, which means that the errors can gradually accumulate as the cryptanalysis progresses step by step. But for our method, the external attack turns out to be ineffective in seeking correlation between the SPI optical paths and key management, showing the effective security of the multiuser SPI cryptography framework. In addition, the imperceptible outcomes suggest that internal users also are unable to decipher the plaintexts of others. Thus, the independent encrypted transmission of each user and, consequently, the SPI encryption capacity under the multiuser scheme are available. Provided that the security and capacity of multiple users are satisfied, the multi-user SPI encryption and authentication framework is achieved.

    Attacking results from a deep differential attack. G. T., D. V., and C. V. denote ground truth, the legal decrypted version, and cracked version, respectively. Ex. Att. and In. Att. mean the external and internal attacking results from Eve and internal user, respectively. The attack mode is only directed toward the pertinent stages of SPI encryption. The measures unrelated to encryption, such as steganography and holography, are assumed to be prior-known by default. SCU is the abbreviation of Sichuan University and is used with the permission of Sichuan University.

    Figure 10.Attacking results from a deep differential attack. G. T., D. V., and C. V. denote ground truth, the legal decrypted version, and cracked version, respectively. Ex. Att. and In. Att. mean the external and internal attacking results from Eve and internal user, respectively. The attack mode is only directed toward the pertinent stages of SPI encryption. The measures unrelated to encryption, such as steganography and holography, are assumed to be prior-known by default. SCU is the abbreviation of Sichuan University and is used with the permission of Sichuan University.

    3.2.2 Brute force attack

    Further, a brute force attack is conducted for the SPI image encryption and key management. Technically, the brute force attack against OFDM-assisted key management refers to the attack against the authentication key S and ciphertext key Λ presented in the two meta-channels separately, whereas the attack against Fourier SPI encryption refers to the bucket signal o.

    For the attack against OFDM-assisted key management, authentication key S should be first considered. During the process, a set of candidates of OFDM modulation should be first determined, which is also the merit compared to the optical encryption inspired by code division multiplexing (CDM).5,37 Specifically, only one type of parameter (i.e., the index of orthogonal codes) pertains in CDM to encrypt plaintexts, whereas the type of the modulation bases, symbol modulating categories, Ns, fI, and Δf in OFDM, can supply more complex key space. For Λ, a 1024-bit key is needed for RSA encryption, and thus the key space is roughly on the order of 21024.

    For the brute force attack against SPI Fourier image encryption, the key length of chaos conditions {αkwhiten,ζkwhiten,εwhiten,βkwhiten} of whitening mask {Wkm×n} refers to 64-8-8-8-bit. The generating conditions of Pku×v and Ω are presented in bits in the same way. Thus, in total, the key space of the key management algorithm and image encryption is shown in Table 1. The results show that both the key spaces are larger than the minimal requirement 2100,38 showing the ability to resist the brute force attack.

    • Table 1. Key space of Fourier SPI image encryption and key management.

      Table 1. Key space of Fourier SPI image encryption and key management.

      ObjectiveKey categoryKey space>2100
      Key management on the metasurface710400Pass
      SPI Fourier encryption for images41080Pass

    3.2.3 Tampering attack

    Encryption attacks not only involve the illegal acquirement of plaintexts, such as the deep differential attack and brute force attack, but also include the destruction of ciphertexts, such as tampering, forgery, and noise disturbance. Hence, we study the resilience to errors of the OFDM-like encoded sequence S within the metasurface, in scenarios where tampering or defective pixels occur due to partial detachment of nanostructures or oxidation. White dots are assumed to be wrongly recognized with the error ratios from 0% to 25%, as shown in Fig. 11(a). To evaluate the general applicability of the error tolerance, we randomly select pixels to introduce errors.

    Error tolerance analysis. (a) Recovered token display under the recognition errors occurring with different ratios. (b) BER performance of OFDM-like coding and the raw token.

    Figure 11.Error tolerance analysis. (a) Recovered token display under the recognition errors occurring with different ratios. (b) BER performance of OFDM-like coding and the raw token.

    In Fig. 11(a), it is observed that the token can be completely recovered within the error ratio equaling to 10%. Besides, as the error ratio increases to 20%, the recovered “dwelling” begins to experience misspelling but still remains within the range of single letter error. When one-fourth of the metasurface is tampered with or rendered unrecognizable, errors in the spelling of the letters “e” and “l” in the token begin to appear. More intuitively, Fig. 11(b) compares the corresponding bit error rate (BER) performance of S and the direct recognition of string st without OFDM correction. The results show that our OFDM BER always remains lower than the BER of direct recognition. This is because, by the modulation of each sub-token, the effective authentication information is dispersed across the orthogonal carriers, thereby mitigating the sharp recognition offset of the sub-token, indicating our OFDM-metasurface is robust against tampering attacks.

    3.2.4 Numerical assessment

    Except for direct confrontation, we also conducted numerical analysis on the SPI ciphertext, including the light intensity sequence o and Idiffuse3m×3n. Figures 12(a) and 12(b) show an intensity sequence and three-dimensional randomness view of three local sequences sampled from the sequence. It is observed that the broadcasted o does not reveal any obvious characteristic and the kurtosis of o sequence equals 4.4×107, showing that there is no obvious intensity outlier for Eve to analyze.

    Numerical assessment of bucket signal o and Idiffuse3m×3n of SPI encryption. (a) Intensity sequence. (b) Visual randomness assessment of the sampled intensity sequence. (c) Histogram of Idiffuse3m×3n. (d) Correlation test of Idiffuse3m×3n.

    Figure 12.Numerical assessment of bucket signal o and Idiffuse3m×3n of SPI encryption. (a) Intensity sequence. (b) Visual randomness assessment of the sampled intensity sequence. (c) Histogram of Idiffuse3m×3n. (d) Correlation test of Idiffuse3m×3n.

    Figure 12(c) presents the histogram of Idiffuse3m×3n. From the results, the pixel distribution of I1I9 has been eliminated, and no statistical information is leaked. Simultaneously, the variance, chi-square, and flatness are adopted to quantitatively analyze the histogram. The variance of Idiffuse3m×3n is 339.61, and flatness equals 0.0031, indicating the uniform alteration of pixels in the ciphertext. Also, the chi-square is calculated as 268.49 lower than the threshold χ0.052=293.25, where the significant level is set as 0.05. Figure 12(d) shows the weak correlation of pixels in horizontal, vertical, and diagonal directions, and the quantitative correlation in the three directions are 0.00526, 0.00217, and 0.00283, respectively. The global entropy is calculated as 7.9977. Except for the global entropy, we also calculate the local Shannon entropy to test the indeterminacy of the regional area in Idiffuse3m×3n. Thirty blocks are randomly divided in Idiffuse3m×3n, and the size of each segmented block should be set as 44×44.39 Subsequently, the local Shannon entropy is derived as 7.9028, satisfying the effective interval ranging from hleftl×α=7.9015 to hrightl×α=7.9034. Finally, the NPCR and UACI are calculated as 99.63% and 33.16%, respectively, approximating the ideal performance of 99.6094% and 33.4635%40 and thus indicating the desirable sensitivity. (The parameter comparison of ciphertext Idiffuse3m×3n and other three plaintexts is shown in Table S1 in the Supplementary Material).

    4 Discussion and Conclusion

    For a cryptography, security and capacity are the most important concerns to be developed into multiuser framework. The limited two have been the inherent issues for SPI encryption due to the pattern-projection-depended principle in Eq. (1).111,36 It is worth noting that metasurfaces with (non-)orthogonal polarization pairs are first applied to enhance the overall security of an SPI cryptosystem and reduce the exposing risk of SPI patterns.13,41 However, the alternative patterns still need to be projected, so the vulnerability and limited capacity still exist. In contrast to our method, the capacity of the multiuser is expanded by eightfold. In fact, the number of users N is not limited to eight. The proposed framework theoretically supports an arbitrary number of clients as long as the individual keys can be coded in advance. For security, a deep differential attack is developed based on the most threatening cryptanalysis mode, a chosen plaintext attack (CPA). If the proposed framework can resist CPA, the other three cryptanalysis modes, including a cipher-only attack, known plaintext attack, and chosen cipher attack, can also be resisted.42,43

    To summarize, we have developed a multiuser SPI cryptography and authentication framework combined with OFDM-assisted key management. This approach allows multiple users to privately reconstruct different plaintexts, concurrently resisting multiple kinds of attacks and realizing authentication. The framework consists of four components, including a composite Fourier SPI encrypting method, key management, experimental decryption and authentication, and security assessment, recording the whole life of keys from generation to application. The realization of the proposed multiuser SPI framework, including security and capacity, is verified by simulation and numerical experiments. By the combination of direct key management and indirect image encryption, our work realizes the multiuser computational imaging encryption and authentication framework, facilitating its development toward more complicated application scenes.

    5 Appendix: Fabrication and Attack

    The main notations of this paper are listed as follows. The lowercase, uppercase, boldface lowercase, and boldface uppercase letter t, T, t, and T denote a scalar variable, constant, vector, and matrix, respectively. Re{·} denotes the real-part operation, TT denotes the transpose of matrix T, π(·) denotes position exchange, t denotes the norm of vector t, and · denotes the inner product.

    5.1 Sample Fabrication

    The metasurface was fabricated by electron beam lithography (EBL). A layer of photoresist was spin-coated on a clean JGS1 substrate, followed by the sample bake. After the process above repeated once, the conductive adhesive AR-PC 5090.02 was spin-coated, and then the baked sample was exposed in LC-40 EBL mode with 140 pA beam current. The AR 600-55 developer and subsequent IPA fixer were used. A 50-nm-thick layer of aluminum was then deposited by electron beam evaporation, and the sample was soaked in acetone to peel off the metal layer.

    5.2 Deep Differential Attack

    Equation (4) demonstrates the instance process of a typical sort of SPI cryptography, which is likely to encrypt patterns as keys and then scramble (i.e., or by other process) the intensity.6,13,36m=[m1,m2,,mN2]T denotes the N×N plaintext. P denotes the original pattern set, and P*=[p1*;p2*;;pN2*] denotes the patterns encrypted by key v, where pn*=[pn,1*,pn,2*,,pn,N2*] represents each encrypted one. n denotes noise, and {ui}, i=1,2,,I represents scrambling masks: c=[(P*m+n)u1]uI=H[F(m|P,v)|{ui}.]=H{u}Fv(m).

    For differential analysis, the equivalent mask u1u2uI is first derived by reflexivity: uequiv=H{u}Fv(z), where z denotes an all-zero matrix. Then, we artificially differentiate each pixel of m to observe the degree of change in c, representing the binary value of a pattern at the corresponding position. Mathematically, P^* (i.e., Jacobian matrix) can be acquired: P^*=mc=cm.

    Regardless of how complicated the cryptographer operates on patterns, we are only concerned with the P* containing all the information of both v and P. As long as P^* and intensity Huequi1(c) are obtained, the plaintext can be retrieved by the classic SPI correlation.

    When encryption algorithms are so complex that P^* greatly deviates from P* (i.e., recovering keys by analyzing encrypting steps is not viable), deep learning is required to further mitigate the distortion by directly analyzing the key set (i.e., OFDM-assisted key management), shown in Fig. S7 in the Supplementary Material. For encryptions without a key-management platform, correct key sets are directly employed as labels to train the network for key compensation. Here, the network Rζ defined by a set of weights and biases Θ with L1 regularization is applied: {ζ^=argminζΘRζ(P^*|η>0)P*2+L1P˜*=Rζ^(P^*),where η represents the correlation among pixels and P˜* implies the optimized pattern. Note that we cannot directly obtain the key set (i.e., always in confidential state by oracle) or improve pseudorandom P^* where η0 is highly ill-posed. Thus, as shown in Fig. S6 in the Supplementary Material, a training method based on signal width expansion is studied. P^* patterns are transformed into 1D pulse signals with the extended width being an on–off keying signal, which enables the network to be trained offline (i.e., polluted key sets can be simulated aforehand by Eve) and realize desired performance.

    Xiaowei Li received his MS and PhD degrees in information and communications engineering from Pukyong National University, Busan, South Korea, in 2011 and 2014, respectively. From 2014 to 2015, he was a researcher at the College of Computer Engineering, Yonsei University, Seoul, South Korea. He is currently a professor at the School of Electronics and Information Engineering, Sichuan University, Chengdu, China. He authored or co-authored approximately 80 papers cited by Science Citation Index (SCI). As first author, he has published approximately 50 SCI papers, and the impact factor of half of the papers is greater than 3. His research interests include three-dimensional integral imaging, holography, optical encryption, and image watermarking.

    Qiong-Hua Wang is a professor of optical engineering at the School of Instrumentation and Optoelectronic Engineering, Beihang University, Beijing, China. She was a professor at Sichuan University from 2004 to 2018. She was a post-doctoral research fellow at the School of Optics/CREOL, University of Central Florida, from 2001 to 2004. She worked at the University of Electronic Science and Technology of China (UESTC) from 1995 to 2001. She received BS, MS, and PhD degrees from UESTC in 1992, 1995, and 2001, respectively. She has published more than 300 papers cited by SCI and authored three books. She holds 5 U.S. patents and more than 150 Chinese patents. She is a fellow of the Society for Information Display and an associate editor of the Journal of the Society for Information Display, Journal of Information Display, and PhotoniX. Her research interests include display and imaging technologies.

    Yiguang Liu was a research fellow, visiting professor, and senior research scholar at the National University of Singapore, Singapore; Imperial College London, London, UK; and Michigan State University, East Lansing, Michigan, USA, respectively. He was chosen into the MOE program New Century Excellent Talents in 2008 and chosen as a scientific and technical leader in Sichuan Province in 2010. He is currently the director of the Vision and Image Processing Laboratory and a professor at the School of Computer Science, Sichuan University, Chengdu, China, and a reviewer for the Mathematical Reviews of the American Mathematical Society. He has co-authored more than 100 international journal and conference papers and a chapter of the book entitled Computational Intelligence and Its Applications (Imperial College Press, 2011). His research interests include computer vision and image processing, computational imaging, and computational intelligence.

    Biographies of the other authors are not available.

    [40] Y. Wu et al. NPCR and UACI randomness tests for image encryption. Cyber J.: Multidiscipl. J. Sci. Technol., J. Sel. Areas Telecommun., 3, 31-38(2011).

    Tools

    Get Citation

    Copy Citation Text

    Hongran Zeng, Ping Lu, Xiaowei Li, Lingling Huang, Chaoyun Song, Dahai Li, In-kwon Lee, Seok-Tae Kim, Qiong-Hua Wang, Yiguang Liu, "Multiuser computational imaging encryption and authentication with OFDM-assisted key management," Adv. Photon. Nexus 3, 056016 (2024)

    Download Citation

    EndNote(RIS)BibTexPlain Text
    Save article for my favorites
    Paper Information

    Category: Research Articles

    Received: Jun. 1, 2024

    Accepted: Aug. 1, 2024

    Published Online: Aug. 29, 2024

    The Author Email: Li Xiaowei (xwli@scu.edu.cn), Wang Qiong-Hua (qionghua@buaa.edu.cn), Liu Yiguang (liuyg@scu.edu.cn)

    DOI:10.1117/1.APN.3.5.056016

    Topics