Asymmetric cryptosystem based on optical scanning cryptography and elliptic curve algorithm

We propose an asymmetric cryptosystem based on optical scanning cryptography (OSC) and elliptic curve cryptography (ECC) algorithm. In the encryption stage of OSC, an object is encrypted to cosine and sine holograms by two pupil functions calculated via ECC algorithm from sender’s biometric image, which is sender’s private key. With the ECC algorithm, these holograms are encrypted to ciphertext, which is sent to the receiver. In the stage of decryption, the encrypted holograms can be decrypted by receiver’s biometric private key which is different from the sender’s private key. The approach is an asymmetric cryptosystem which solves the problem of the management and dispatch of keys in OSC and has more security strength than the conventional OSC. The feasibility of the proposed method has been convincingly verified by numerical and experiment results.


Scientific Reports
| (2022) 12:7722 | https://doi.org/10.1038/s41598-022-11861-x www.nature.com/scientificreports/ system. In addition, there are many other extended ECC methods [31][32][33] . However, most of those methods applied ECC algorithm by complicated encoding on the image. And some methods may be invalid by only encrypting parameters of optical cryptosystems with ECC algorithm because the optical system itself is vulnerable to ciphertext-only attack (COA). In other words, attackers can recover the plaintexts from the ciphertexts without encrypting parameters. For example, OSC is a linear encryption system which can be vulnerable to COA by using phase retrieval algorithm 34,35 . In this regard, it is necessary to develop asymmetric cryptosystems to enhance the security of the symmetric cryptosystems.
In this paper, we propose an asymmetric cryptosystem based on ECC algorithm and OSC system with biometric keys. Owing to the asymmetric operation of OSC system, high security could be achieved. And the proposed method also solves the problem of the management and dispatch of keys in the optical system. In addition, it is a simple system and does not need to encode image into numbers. The feasibility of the proposed method has been convincingly verified by numerical and experiment results. Our approach can provide an extra dimension for secure encryption, one which can leverage emerging technologies for multi-wavelength transmission and imaging.

Optical scanning cryptography (OSC)
Optical scanning holography (OSH) is a method developed by Poon and Korpel 16 for capturing holograms of physical objects with a single pixel sensor. Being different from other hologram acquisition methods that utilize digital cameras as the hologram recording devices, OSH is not restricted in the field of vision and the size of the hologram. Apart from hologram capturing, OSH can also be applied in optical encryption. In this section, we will give a brief introduction about optical scanning cryptography (OSC), an integration of OSH and encryption, as detailed description has been given in Ref. 16 . A 2-D array of data or function (e.g., a hologram) is denoted by a symbol in bold. For example, a 2-D array is represented by symbol A , and an entry at the y th row and the x th column is denoted as A x, y .
As shown in Fig. 1, both of the encryption and decryption systems are based on the architecture of Mach-Zehnder interferometer. After beam splitter (BS 1 ), the laser beam with temporal frequency ω 0 has been divided into two beams, and the frequency of one of the beams becomes ω 0 + � by using an acousto-optic modulator (AOM) operating with frequency . The two beams are collimated by beam expanders, BE 1 and BE 2 , and illuminate two pupil functions p 1 and p 2 , respectively. It should be noted that these two pupil functions can be utilized to perform processing on the hologram that is acquired by the OSC system. The pair of beams emerging through the two pupils pass through Fourier lens L 1 and L 2 , and are recombined into a scanning beam by a beam splitter (BS 2 ). Subsequently, the combined beam is steered in a zigzag manner with a mirror that is Figure 1. Architecture of the optical scanning cryptosystem. BS 1 and BS 2 : beam splitters; AOM: acousto-optical modulator; BE 1 and BE 2 : beam expanders; M 1 , M 2 and M 3 : silver mirrors; L 1 and L 2 : Fourier lens; L 1 and L 2 : light-collecting lens; PD 1 and PD 2 : photo-detectors; BPF: band-pass filter; ADC: analog-to-digital converter; PC: personal computer. www.nature.com/scientificreports/ driven by an x-y scanner. The combined field S , located at a distance z c away from the back focal plane of lens L 1 , can be given as where FT denotes the Fourier transform, j is the imaginary unit and symbol " * " is the 2-D convolution operation. h x, y; z c denotes the free impulse response in Fourier optics 16 . The specimen is a translucent object with intensity distribution g , and located at an axial distance z c away from the focal plane of lens L 1 . The scanning beam is impinged on the specimen, and at each scan point photo-detector (PD) is employed to receive all the light scattered from the object, giving an electrical signal current as output. After bandpass filtering (BPF) of the signal current, heterodyne current at frequency is obtained. The heterodyne current is then processed by a lock-in amplifier to give a couple of signal currents i c and i s , which represent the in-phase hologram H cos , which is also called as cosine hologram, and the quadrature hologram H sin , which is also called as sine hologram, respectively. Mathematically, a complex hologram acquired with the OSC system is given by where FT −1 denotes the inverse Fourier transforms and OTF is the optical transfer function (OTF) of the optical scanning system and expressed by where symbol " †" denotes the complex conjugation. k 0 is the wave number and f is the efficient focal length of lens L 1 and L 2 . k x and k y denote the spatial frequencies along the x and y directions, respectively. From Eq. (2), we can see that the object can be encrypted by OTF determined by pupil functions p 1 and p 2 . For decryption, we replace the object with a pinhole, δ(x, y) , located z d away from the back focal plane of lens L1. After the similar processing as in the encryption stage, we can obtain the pinhole hologram H pin expressed as If the two pupils are correct in the encryption and decryption stages, the decryption image H de is easy deduced by using the following calculation: subject to condition OTF � (k x , k y ; z c ) × OTF † � (k x , k y ; z d ) = 1 and for z c = z d . If the pupil functions p 1 and p 2 are derived from biometric signatures, such as fingerprints, the OSC and the captured hologram are referred as biometric encrypted optical scanning cryptography (BE-OSC), and biometric encrypted optical scanning hologram (BE-OSH), respectively.
The proposed biometric and asymmetric cryptosystem. The block diagram of our proposed method is shown in Fig. 2 and outlined as follows. To begin with, the parts on the left hand and the right hand sides of the vertical dotted line are the encryption side (operated by Alice), and the decryption side (operated by Bob), respectively. There are two shaded-shadow blocks showing different purposes. The gray blocks show the generation of secret and public keys and the blue blocks show the flow of encryption method. On the top blocks, Alice's (1) S x, y; z c = FT p 1 (x, y) * h x, y; z c exp jω 0 t + FT p 2 (x, y) * h x, y; z c exp j(ω 0 + �)t (2) H x, y = H cos x, y + jH sin x, y = FT −1 FT g x, y 2 OTF k x , k y ; z c www.nature.com/scientificreports/ and Bob's public key K A and K B are generated from their corresponding private keys k a and k b by ECC algorithm, respectively. Both sides share public keys, K A and K B . We shall describe how the pair of keys are generated later. On the bottom blocks, the object is scanned by the OSC system in Fig. 1, and encrypted with the pupil functions which are derived from public key K B and private key k a . k a is a biometric image of Alice, resulting in biometric encrypted optical scanning hologram (BE-OSH) H B . Subsequently, the hologram H B is embedded in H BM , which is represented as elliptic curve coordinates by Koblitz encoding technique 27 . And H BM is encrypted to ciphertext c by ECC using the same keys, K B and k a . On the decryption side, hologram H BM is obtained from the ciphertext with public key K A and secret key k b that is only known to Bob. The biometric hologram, H B , is obtained from H BM through using Koblitz decoding technique. Finally, the decryption image H de of the object is then obtained by decrypting H B with public key K A and secret key k b . In Koblitz encoding and decoding technique, plaintexts are assumed as an integer m . Then it is mapped to a curve point by multiplying a constant k and testing all the integers mk ≤ x < (m + 1)k . Obviously, m can be decoded by dividing the constant k . In the following subsections, we shall explain the biometric encrypted OSC and the ECC in details.
Biometric encrypted OSC. In "Optical scanning cryptography (OSC)", we have an overview of optical scanning cryptography. As for biometric encrypted OSC system, the pair of pupils are each replaced with a phase mask which is calculated from the user's biometric image, such as fingerprint, iris and so on. In Fig. 2, the pair of phase masks are represented by public key K B and private key k a . k a is Alice's biometric image. The result of the scanning is biometric encrypted hologram H B and the hologram is given by As such, the process will be equivalent to encrypting the holographic information with the pupil functions being the encryption keys, and hologram H B can be taken as the ciphertext of the source image g . From Eq. (3), we can infer that if functions p 1 and p 2 are not available to the public, the optical transfer function OTF � (k x , k y ; z c ) is unknown. Hence it is not possible to deduce the image of the specimen from biometric encrypted hologram H B through an inverse relation. However, OSC system is vulnerable to ciphertext-only attack because it is an inherent drawback in linear optical encryption systems 34,35 . Assume that attackers only get the ciphertext, the modulus of the Fourier transform of the ciphertext can be easily obtained as follows: Then the problem of recovering plaintext can be transformed into phase retrieval with a single intensity measurement. And it can be solved by using a phase retrieval algorithm, such as Gerchberg-Saxton (GS) algorithm, hybrid input-output algorithm (HIO) and so on 35 . In view of this, we have incorporated a second stage in elliptic curve cryptography (ECC) to encrypt hologram H B , so as to enhance the security level of the holographic data.
Elliptic curve cryptography. Elliptic curve cryptography (ECC) is an asymmetric encryption method that is resistant to COA, even known-plaintext attack (KPA) which knows more assumed information than COA. As ECC has been reported in numerous literature, only a brief outline is provided for the sake of completion. E p is an elliptic curve equation over a finite field and expressed by where a and b are two real constants, which are the parameters of the elliptic curve. Symbol " mod " denotes the modulo operation and p is a prime number. O is the identity element, a point at infinity. If a point P(x, y) on addition with infinity point O , the result is the point itself.
where " ⊕ " is point addition which is the basic operation in ECC. There are three cases in the point addition between two points, P(x 1 , y 1 ) and Q(x 2 , y 2 ) , which add up to generate a third point R(x 3 , y 3 ): where If x 1 = x 2 and y 1 = y 2 � = 0 , the coordinate of R is computed as where If x 1 = x 2 and y 1 = y 2 = 0 , the point will meet at infinity.
If x 1 = x 2 but y 1 = y 2 , the third point will be a point at infinity.
Otherwise, the point negation " ⊖ " is expressed as In scalar multiplication " ⊗ ", a point is multiplied with an integer k . The operation is realized by adding the point to itself by k times. For example, if P is multiplied by 3, it will be moved to a new point given by When parameters of elliptic curve a, b, p and base point P(x, y) are known, the following steps of ECC is given below.
Encryption Encrypting the BE-OSC with the ECC. Next, we describe how the ECC is applied to encrypt the biometric encrypted hologram H B . Without loss of generality, we assume that BE-OSC generates a square hologram of size M × M . For clarity of explanation, the following terminology is defined. The sender is Alice and the receiver is Bob. E p (a, b) denotes an elliptic curve that is characterized with Eq. (8). P(x, y) is the base point and P = P × I where I represents a M × M unit matrix. These parameters are known to Alice and Bob. k a and k b are two M × M arrays of integers within the range [1, n − 1] . The value of k a and k b is biometric image or randomly generated and taken to be the secret key of the user on the encryption side (i.e. Alice) and decryption side (i.e. Bob), respectively.
Referring to Fig. 3, a pair of public keys, K A and K B are generated by Alice with secret key k a , and Bob with secret key k b , respectively, as given by As explain previously, the scalar multiplication in Eq. (19) is an operation to move base point P(x, y) to a new position that is determined with its corresponding term in k a or k b . Hence each member of K A and K B is also a point on E p (a, b) , and its value is an ordered pair corresponding to the horizontal and vertical coordinates of the point.
After generation of the public keys, Bob's public key K B is published and sent to Alice. And the pair of phase masks of the pupils that are used in the encryption stage of OSC which can be derived from K B and k a as After optical encryption, source image g is encrypted to hologram H B = H Bc + jH Bs . As mentioned at last subsection, the source data of plaintext must belong to the elliptic curve so that ECC operators can be applied. To encrypt hologram H B obtained from BE-OSC, each pixel of the hologram is mapped to a point on the curve based on Koblitz encoding technique, resulting in hologram H BM = (H BMc , H BMs ) . Subsequently, H BM is encrypted into a ciphertext as (14)

Experimental results
We have employed experiment to demonstrate the feasibility and effectiveness of the proposed method. The schematic of the experimental setup is shown in Fig. 1. We have adopted a 15mW He-Ne laser with λ = 632.8 nm as the coherent light source, and the heterodyne frequency (Ω/2π) is set to 25 kHz. The focal length of Lens L 1 and L 2 is 300 mm, and the coding distance z c is 30 cm. In our experiment, we have two settings: (1) Alice's and Bob's private keys are their fingerprints. In reality, private keys can be any integer random matrices from interval [1, n − 1] .
(2) To obtain high-quality encrypted holograms in optical encryption system, one pupil function p 1 can consist of a fingerprint image FP(x, y) and a positive lens with focal length f 0 , i.e. p 1 = FP x, y exp jk 0 (x 2 + y 2 )/2f 0 . We use a lens with focal length of 75.6 mm to replace a random phase plate because it is a simple phase mask, albeit not random in phase distribution but easy to find in a laboratory. Another pupil is a delta function, i.e.p 2 (x, y) = δ(x, y) . In the optical decryption system, the pinhole hologram can be obtained by putting in a pin hole as an object. These preferences are convenient and enough to demonstrate our proposed method. Based on the use of MATLAB R2016a with a personal computer, it is easy to verify the feasibility of the proposed asymmetric system.
To reduce the computation time, we set a = 1, b = 1 in Eq. (8) with prime number p = 29989 and base point P(29142, 23400) . Alice and Bob use their fingerprint as their private keys shown in Fig. 4a,b, respectively. Bob uses the ECC algorithm to generate Bob's public key K B and publicizes it and K B has two parts, K Bx and K By , as shown in Fig. 4e,f. When Alice wants to send the image 'goat' g , as shown in Fig. 5a, Alice needs to obtain two pupils (p 1 , p 2 ) , as shown in Fig. 4g,h, by calculating k a ⊗ K B . Then, the digital holograms of plaintext are recorded by the OSC system shown in Fig. 1. The output of the OSC system is a cosine hologram H Bc and a sine hologram H Bs , as shown in Fig. 5c,d, respectively. Next, Alice encrypts the digital holograms into the ciphertext c by applying the proposed asymmetric method, which has two parts, c x and c y , as shown in Fig. 5e,f, respectively. Finally, Alice sends Bob {K A , c} where K A is Alice's public key whose two parts are shown in Fig. 4c,d. In the decryption stage, Bob uses k b and K A to calculate the two pupils (p 1 , p 2 ) , as shown in Fig. 4i,j. Then Bob  Fig. 5g,h. Simultaneously, Bob can obtain the pinhole hologram H pin , as shown in Fig. 5i,j. Finally, the decryption image H de is successful decrypted, as shown in Fig. 5b. The proposed cryptosystem has a simple structure and requires no encoding image into numbers. And it has strong secure strength because it encrypts holograms, not parameters, in ECC stage. On the other hand, if attacker uses the wrong fingerprint shown in Fig. 6a to decrypt the system, they will get wrong results. Figure 6b,c are the two pupils (p 1 , p 2 ) generated by w_k b ⊗ K A in decryption. And Fig. 6d,e show the recovered cosine hologram w_H Bc and sine hologram w_H Bs with wrong key. The corresponding decrypted image is shown in Fig. 6e. We observe that the decrypted image is completely different the original image, and the contents are completely unrecognizable.  Informed consent. In this study, we only used fingerprints, not involving other human participants. The fingerprint used in this study is taken from Aimin Yan. Aimin Yan performed the optical experiments in optical laboratory and provided informed consent for the same.

Further analysis and discussion
Next, we include a further analysis of the proposed method. First, the histogram of an image plots the pixel values against its frequency of occurrence. It is an important trait for ciphertext to distribute pixel values uniformly. Histogram of plaintext and its corresponding ciphertext using the proposed method are given in Fig. 7. Most of the pixel values of the "goat" are less than 0.1 in the histogram of Fig. 7a. After optical encryption, pixel values of the cosine and sine holograms distribute around 0.3 and 0.7, as shown in Fig. 7b,c, respectively. So, it may leak out information about plaintext. However, as shown in Fig. 7d,e, histograms of ciphertext are distributed equally and hence it is hard to obtain useful information from the ciphertext. These results demonstrate the proposed method works well. Second, it is necessary to analyze the correlation of adjacent pixels, which reflects the correlation of pixel values in adjacent positions. If the correlation is large, it means that the difference of gray value in the larger area of the image is small, which will affect the security of the image. Therefore, we analyze the correlation between 2000 adjacent pixels randomly selected in three directions of these images. The correlation of adjacent pixels of plaintext and its corresponding ciphertext using the proposed method are given in Fig. 8. After optical encryption, the correlation between the adjacent pixels of cosine holograms and the adjacent pixels of sine holograms are still very high, as shown in Fig. 8b1-b3 and c1-c3, respectively. However, as shown in Fig. 8d1-d3 and e1-e3, the correlation of adjacent pixels of ciphertext are very low and hence the security of ciphertext are relatively high. In addition, the correlation coefficients of these images in three directions are shown in Table 1. It is proved that the proposed method is very effective.
Third, image information entropy expresses the average amount of information in the image, which is defined by the following equation: where P(x i ) is the probability of a gray value appearing in the image. If an image is very safe, the probability of all gray values should be equal, then according to the Eq. (28), H(x) is equal to 8. And the information entropy  Table 2. The information entropy of ciphertext is extremely close to 8, which shows that our method is very safe. Fourth, let us consider that the ciphertext is transferred through a channel. It is possible that the receiver receives the cipher image with salt-and-pepper noise. When the receiver decrypts ciphertext with salt-andpepper noise of 0.01 density which is the percentage of noise point that is in the total number of pixels. The reconstruction cosine and sine holograms are shown in Fig. 9a,b, respectively, and the corresponding recovered plaintext is shown in Fig. 9c. Figure 9d-f are shown with noise of 0.05 density. Finally, Fig. 9g-i are shown with noise of 0.1 density. In addition, we draw the curve between salt-and-pepper noise with different densities and image reconstruction rate, as shown in Fig. 10. These results demonstrate that the proposed cryptosystem has fairly good robustness.
Fifth, we should discuss known plaintext attack to further prove the security of our cryptosystem. According to the Eq. (20), K B = K Bx , K By as shown in Fig. 4e,f determine the cryptosystem's ability to resist known plaintext attack. If the public and fixed K B is used, it will be vulnerable to known plaintext attack, but changing the value of K B frequently will make our cryptosystem more complicated. In order to solve this problem, Bob can randomly generate a secret key k b ′ and transmit k b ′ ⊗ P, (K B ⊕ k b ′ ⊗ K A ) to Alice, as shown in the Fig. 11. Then Alice calculates the following equation: where K A = k A ⊗ P . Therefore, K B will be hidden and our cryptosystem can resist known plaintext attack.

Conclusion
We have proposed a novel asymmetric cryptosystem that combines optical scanning cryptography (OSC) with the elliptic curve public-key cryptographic algorithm. Simulation and experimental results have verified the feasibility of this method. The proposed method has the following advantages. First, the system realizes asymmetric encryption because the ways to obtain the encryption and decryption keys are different and the dispatch of keys does not need to be considered. Second, the cosine and sine holograms are nonlinearly encrypted simultaneously, so its security level is better than the conventional OSC system. Third, the overall system has good robustness and its ciphertext will not leak information of the plaintext. The proposed asymmetric cryptosystem for enhancing the security of OSC is also applicable to other acquired digital holograms from conventional digital holography for optical imaging encryption.

Data availability
The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.