Introduction

Recently, optical techniques1,2,3,4,5,6,7,8,9,10,11 in image encryption have been intensely studied, owing to their inherent superiority with respect to multiple parameters and parallel processing. The pioneering work of optical image encryption is on double-random phase encoding (DRPE)12, which is done on the Fourier transform domain. Several works that followed have reported the expansion of initial DRPE work into different transform domains13,14,15,16,17, comprising the domains such as fractional Fourier transform (FrFT), Fresnel transform (FrT), and fractional random transform. During the period, other optical encryption works18,19,20,21,22,23,24,25,26,27,28,29,30 that employ compressive sensing, optical interference, iterative phase retrieval, digital holography, photon counting, and polarized light, have also emerged to improve the image security in succession.

However, owing to intrinsic linearity, DRPE-based structures cannot withstand several types of attacks31,32,33,34. Various nonlinear encryption methods have been proposed to overcome these weaknesses, and the best illustrative work is on phase-truncated Fourier transform by Qin and Peng35. Subsequently, there are several works based on phase truncation (PT) in FrT and FrFT domains36,37,38,39. Wang et al.40 showed that there is an information leakage in the work35 if one of two private keys are utilized, and hence, proposed a solution. They also pointed out the works36,37,38,39 being susceptible to information-leakage issue. Chen et al.41 developed a multi-image encryption scheme through feature fusion, compressed sensing, and PT. Yi and Tan42 presented a binary-tree multiple image encryption scheme. Su et al.43 proposed an optical encryption strategy for multiple color images through a complete trinary tree structure. Besides, the specific attack (SA)44, which employs an amplitude-phase-retrieval method, indicates that it can break the traditional PT-based technique35. Unfortunately, these techniques41,42,43 cannot be also an alternative to SA44. Additionally, the work45 has utilized the coherent superposition and equal modulus decomposition (EMD) to fully address the silhouette problem. However, there is the same modulus (i.e. same amplitude information) of two masks in EMD. The complex-valued masks cannot directly display in optical system. Chen et al.46 presented an optical image cryptosystem via two-beam coherent superposition and unequal amplitude decomposition for security improvement. However, unequal amplitude decomposition requires an additional random phase distribution than EMD. Thus, constantly improving the security of encryption scheme based on PT, despite the progress in the field, is still inevitable.

This study presents a double-image crosstalk free encryption scheme. The scheme, which works by utilizing the equal modulus decomposition and random masks, generates a single ciphertext mask and two private key masks. The random masks have been introduced to bring the indirect mathematical relation between the plaintext pair and the ciphertext, where an illegal user has insufficient constraints utilized for SA. Compared with certain PT-based works35,36,37,38,39, the proposal eliminates information leakage. When compared with other existing PT-based work41,42,43, the proposal is still effective against SA. The additional keys, which comprise the three different diffraction distances and the illuminating wavelength, can strengthen the security. Simulation results and performance analysis demonstrate the reliability and validity of the proposal.

Principle of the method

The diagram of the proposed double-image cryptosystem is depicted as Fig. 1. The random amplitude mask (RAM) and a random phase mask (RPM) have been described with respect to the encryption (Fig. 1a) and decryption (Fig. 1b). The encryption keys have been generated from the random masks RAM and RPM by applying EMD in the Fresnel domain. Figure 2 shows the optical relationship between RAM, \(S_{1}\), and \(S_{2}\). In this setup, a collimated plane wave with the wavelength λ, perpendicularly illuminates RAM and the image which is subsequently Fresnel transformed with the diffraction distance d1. The first spatial light modulator (SLM1) were employed for amplitude modulation. SLM2 and SLM3 were utilized for phase modulation.

Figure 1
figure 1

Schematic diagram for the proposed (a) encryption and (b) decryption.

Full size image
Figure 2
figure 2

Optical relationship between RAM and S1, S2. M reflective mirrors.

Full size image

In the proposed double-image encryption process, \(R_{1} (x,y)\) and \(R_{2} \left( {u,v} \right)\) are the random functions, whose values fall in the interval [0, 1]. The following encryption steps have been depicted.

First, the RAM denoted as \(R_{1} \left( {x,y} \right)\) was Fresnel transformed given by Eq. (1).

$$ S{ = }FrT_{{\left( {d_{1} ,\lambda } \right)}} \left[ {RAM} \right] = FrT_{{\left( {d_{1} ,\lambda } \right)}} \left[ {R_{1} \left( {x,y} \right)} \right] $$
(1)

where \(FrT_{{(d_{1} ,\lambda )}} \left[ \cdot \right]\) is the FrT operator, and d1 and λ are the diffraction distance and the wavelength, respectively. The amplitude part and the phase part of S are represented as \(A{ = }\left| S \right|\) and \(\varphi = \arg \left[ S \right]\), respectively, and “\(\left| \cdot \right|\)” and “\(\arg \left[ \cdot \right]\)” are the modulus and argument operators, respectively.

Subsequently, the complex-valued function S was separated into two masks, viz, S1 and S2, with equal moduli, as illustrated in Fig. 3. Owing to the random phase distribution RPM (denoted as, \(\theta (u,v)\)) introduced, and the geometrical relationship, \(S_{1}\) and \(S_{2}\) can be deduced as

$$ \theta { = }RPM = 2\pi R_{2} \left( {u,v} \right) $$
(2)
$$ S_{1} { = }\frac{{{A \mathord{\left/ {\vphantom {A 2}} \right. \kern-0pt} 2}}}{\cos \left( \theta \right)}\exp [i\left( {\varphi - \theta } \right)] $$
(3)
$$ S_{2} { = }\frac{{{A \mathord{\left/ {\vphantom {A 2}} \right. \kern-0pt} 2}}}{\cos \left( \theta \right)}\exp [i\left( {\varphi + \theta } \right)] $$
(4)
Figure 3
figure 3

Principle of EMD.

Full size image

The phase parts of \(S_{1}\) and \(S_{2}\) serve as the encryption keys.

Next, a new complex-value function \(f(x,y)\) was constructed by the two original images, viz., (\(I_{1} (x,y)\) and \(I_{2} (x,y)\)), and RAM, as follows

$$ f\left( {x,y} \right){ = }k_{{1}} I_{1} (x,y)\exp [ik_{{2}} I_{2} (x,y)] + k_{{3}} RAM(x,y) $$
(5)

where \(k_{i} (i = 1,2,3)\) are the constants.

Then, by employing the encryption keys obtained in the above-mentioned step, the function \(f(x,y)\) was encrypted based on PT in the Fresnel domain. Thus, the ciphertext \(E\) can be expressed as

$$ E{ = }\left| {F{\text{rT}}_{{\left( { - d_{3} ,\lambda } \right)}} \left[ {\left| {F{\text{rT}}_{{\left( { - d_{2} ,\lambda } \right)}} \left[ {f\left( {x,y} \right)\exp \left[ {i(\varphi + \theta )} \right]} \right]} \right|\exp \left[ {i(\varphi - \theta )} \right]} \right]} \right| $$
(6)

where d2 and d3 are the diffraction distances. Meanwhile, two decryption keys, viz., \(DK_{1}\) and \(DK_{2}\), generated are given by

$$ DK_{1} {\text{ = conj}}\left\{ {\exp \left[ {i(\varphi - \theta )} \right]} \right\}PR\left[ {F{\text{rT}}_{{\left( { - d_{2} ,\lambda } \right)}} \left[ {f\left( {x,y} \right)\exp \left[ {i(\varphi + \theta )} \right]} \right]} \right] $$
(7)
$$ DK_{2} { = }PR\left[ {F{\text{rT}}_{{\left( { - d_{3} ,\lambda } \right)}} \left[ {\left| {F{\text{rT}}_{{\left( { - d_{2} ,\lambda } \right)}} \left[ {f\left( {x,y} \right)\exp \left[ {i(\varphi + \theta )} \right]} \right]} \right|\exp \left[ {i(\varphi - \theta )} \right]} \right]} \right] $$
(8)

where “\({\text{conj}}\left\{ \cdot \right\}\)” is the complex conjugate operator, \(PR\left[ \cdot \right]\) the phase reservation operator.

For the decryption, the retrieved function \(f{\prime} (x,y)\) by the authorized users can be derived as,

$$ f{\prime} \left( {x,y} \right){ = }\left| {F{\text{rT}}_{{\left( {d_{2} ,\lambda } \right)}} \left[ {F{\text{rT}}_{{\left( {d_{3} ,\lambda } \right)}} \left[ {DK_{2} E} \right]DK_{1} } \right]} \right|\exp \left[ {i\left[ {PR\left[ {F{\text{rT}}_{{\left( {d_{2} ,\lambda } \right)}} \left[ {F{\text{rT}}_{{\left( {d_{3} ,\lambda } \right)}} \left[ {DK_{2} E} \right]DK_{1} } \right]} \right] - \left( {\varphi + \theta } \right)} \right]} \right] $$
(9)

After obtaining the \(f{\prime} (x,y)\), two retrieved images, \(I_{1}{\prime} \left( {x,y} \right)\) and \(I_{2}{\prime} \left( {x,y} \right)\), are mathematically represented as,

$$ I_{1}{\prime} \left( {x,y} \right){ = }\frac{{1}}{{k_{{1}} }}\left| {f{\prime} \left( {x,y} \right) - k_{{3}} RAM(x,y)} \right| $$
(10)
$$ I_{2}{\prime} \left( {x,y} \right){ = }\frac{{1}}{{k_{{2}} }}PR\left[ {f{\prime} \left( {x,y} \right) - k_{{3}} RAM(x,y)} \right] $$
(11)

Figure 4 illustrates the optical schematic apparatus for decryption. A light beam carrying the information of ciphertext E was modulated by SLM1. SLM1 and SLM2 are being employed for phase modulation. CCD captures the intensity part of \(f{\prime} (x,y)\). The phase part of \(f{\prime} (x,y)\) is digitally acquired. Then two decrypted images, viz.,\(I_{1}{\prime} \left( {x,y} \right)\) and \(I_{2}{\prime} \left( {x,y} \right)\), are digitally acquired with the function \(f{\prime} \left( {x,y} \right)\).

Figure 4
figure 4

Optical schematic system for decryption.

Full size image

Numerical results and performance analysis

To demonstrate the validity and the advantages of the proposal, numerical simulations have been implemented. In those simulations, the illumination wavelength λ is 633 nm, and the three axial distances, viz., d1, d2, and d3, are 60, 50, and 70 mm, respectively, and the parameters k1, k2, and k3 are set as 0.6, 0.5, and 1.5, respectively. Furthermore, the correlation coefficient (CC) was utilized to objectively assess the similarity between the plaintext \(I_{k} (x,y)\) (k = 1, 2) and its corresponding decrypted image \(I_{k}{\prime} (x,y)\) as

$$ CC = \frac{{E\left\{ {\left[ {I_{k} (x,y) - E\left[ {I_{k} (x,y)} \right]} \right]} \right\}\left\{ {\left[ {I_{k}{\prime} (x,y) - E\left[ {I_{k}{\prime} (x,y)} \right]} \right]} \right\}}}{{E\sqrt {\left\{ {\left[ {I_{k} (x,y) - E\left[ {I_{k} (x,y)} \right]} \right]^{2} } \right\}} \sqrt {\left\{ {\left[ {I_{k}{\prime} (x,y) - E\left[ {I_{k}{\prime} (x,y)} \right]} \right]^{2} } \right\}} }} $$
(12)

For convenience of the analysis, the CC values were directly labelled in the recovered images.

Figure 5a, b show two original images having 512 × 512 pixels, which are employed as the two plaintexts. The two random masks, RAM and RPM, are shown in Fig. 5c, d. By employing RAM, RPM, and EMD, the encryption keys (Fig. 5e, f) are acquired. The ciphertext and decrypted keys, after conducting the proposed encryption process, are displayed in Fig. 5g–i, respectively. Finally, the decrypted images acquired by using all the correct keys are shown in Fig. 5j, k. These results signify that each decrypted image and its corresponding plaintext are completely equal, or the influence of crosstalk noise is non-existent. Thus, the proposal is feasible and effective, and can retrieve the high-quality images without the crosstalk noise.

Figure 5
figure 5

(a, b) The two plaintexts, (c) RAM, (d) RPM, (e, f) the two encryption keys, (g) the ciphertext E, (h) DK1, (i) DK2, (j, k) the two decrypted images.

Full size image

To evaluate the information-leakage-free of the proposal, Fig. 6a–f show the decrypted images with releasing of E, DK1, and DK2. Figure 7a–f illustrate the decrypted images when two of these masks are utilized. According to Figs. 6 and 7, each of all the decrypted images has the noise-like distribution, where no useful information of the two plaintexts appears. We illustrated that the information-leakage issue has been thoroughly settled in the proposal.

Figure 6
figure 6

Decrypted images with (a, b) E, (c, d) DK1, and (e, f) DK2.

Full size image
Figure 7
figure 7

Decrypted images with (a, b) E and DK1, (c, d) E and DK2, and (e, f) DK1 and DK2.

Full size image

We have further validated the sensitivity of the proposal for the additional keys, i.e., the three diffraction distances d1, d2, and d3, and the illuminating wavelength λ. Figures 8, 9, 10 and 11 illustrate the sensitive results of those keys, where the deviation ranges of those keys are [− 50 50]. These results invariably reveal that the CC values are one, only when the deviation is equal to zero. And for other values of the deviation, the CC values are below or equal to 0.0863. Moreover, when the deviations are − 1 and 1, all the decrypted images have no useful content of the two plaintexts. Therefore, the proposal has four sensitive additional keys, which can further reinforce the security of the proposal.

Figure 8
figure 8

Relation curves of the CC value versus Δd1, where the decrypted images using Δd1 of (a, b) − 1, and (c, d) 1.

Full size image
Figure 9
figure 9

Relation curves of the CC value versus Δd2, where the decrypted images using Δd2 of (a, b) − 1, and (c, d) 1.

Full size image
Figure 10
figure 10

Relation curves of the CC value versus Δd3, in which decrypted images using Δd3 of (a, b) − 1, and (c, d) 1.

Full size image
Figure 11
figure 11

Relation curves of the CC value versus Δλ, in which decrypted images using Δλ of (a, b) − 1, and (c, d) 1.

Full size image

To further demonstrate the robustness of the proposal against noise and occlusion attacks, Fig. 12 illustrates the decrypted results when the ciphertext is contaminated by the zero-mean white additive Gaussian noise with \(\sigma = 0.2\) and \(\sigma = 0.3\). Figure 13 represents the decrypted results acquired from the ciphertexts with 3% and 5% occlusion. According to Figs. 12 and 13, the quality of the decrypted images steadily worsens with the increase of the noise or occlusion strength. Although the content of those images becomes blurred for \(\sigma = 0.3\) noise or 5% occlusion, the main-structure information can be still distinguished. Hence, it is verified for these results that the proposal has the resistance to noise and occlusion attacks.

Figure 12
figure 12

Decrypted images with Gaussian noise with (a, b) \(\sigma = 0.2\), (c, d) \(\sigma = 0.3\).

Full size image
Figure 13
figure 13

(a) Ciphertext with 3% occlusion, (b, c) decrypted images of (a, d) ciphertext with 5% occlusion, (e, f) decrypted images of (d).

Full size image

Furthermore, we have proved the validity of the proposal against known-plaintext attack (KPA). The decryption keys of our scheme varies with the different plaintext pair. In the KPA simulation, Fig. 5a, b, g serve as a known plaintext pair and their corresponding ciphertext. Using the proposal, RAM (Fig. 5c) and RPM (Fig. 5d) encrypt the plaintext pair in Fig. 5a, b, and the private keys in Fig. 5h, i are generated. Figure 14a, b demonstrate the other plaintext pair. Figure 14c illustrates the ciphertext of Fig. 14a, b, which were produced by the proposal, RAM′ and RPM′. RAM and RPM are different from RAM′ and RPM′, respectively. When all the correct parameters, viz., RAM (Fig. 5c), RPM (Fig. 5d), and the private keys (Fig. 5h, i) are used, the two retrieved results of Fig. 14c are shown in Fig. 14d, e. For better explaining the security of this scheme, we have retrieved Fig. 14c in the other two cases in which we suppose that the attacker has known one out of RAM′ and RPM′. Figure 14f, g demonstrate the results of Fig. 14c with RPM′, \(DK_{1}^{{{\text{RPM}}^{\prime}}}\), \(DK_{2}^{{\text{RPM}}\prime }\), and for the other abovementioned conditions. Figure 14h, i illustrate the results of Fig. 14c using RAM′, \(DK_{1}^{{\text{RAM}}\prime }\), \(DK_{2}^{{\text{RAM}}\prime }\), and the other conditions mentioned above. The information of Fig. 14a, b cannot be deciphered from Fig. 14d–i. Hence, the proposal is immune to KPA.

Figure 14
figure 14

(a, b) the other plaintext pair, (c) ciphertext of (a, b) with RPM' and RAM', retrieved images of (c) using (d, e) RAM, RPM, DK1, DK2, (f, g) RAM, RPM', \(DK_{1}^{{{\text{RPM}}^{\prime}}}\), \(DK_{2}^{{{\text{RPM}}^{\prime}}}\), and (h, i) RAM', RPM, \(DK_{1}^{{{\text{RAM}}^{\prime}}}\), \(DK_{2}^{{{\text{RAM}}^{\prime}}}\).

Full size image

Finally, we have also demonstrated that the proposal can resist SA44. SA is a single iteration process, which stem from the modified amplitude-phase retrieval algorithm. The results of SA with two unknown masks, viz., RAM and RPM, are illustrated in Fig. 15a–c. Moreover, the results of SA, when the knowledge of one of RAM and RPM is lacking, are illustrated in Fig. 15d–i. Figure 16 shows the results of SA using Qin and Peng’s scheme35. It is shown in Fig. 15a, d, g, that the six curves are unstable and non-convergent. According to Fig. 15b, c, e, f, h, i, no information can be deciphered of the two plaintexts (Fig. 15a, b). Therefore, we have shown that the proposal can effectively resist SA.

Figure 15
figure 15

Results of SA using our proposal: the CC value versus number of iterations with (a) two unknown masks (RAM and RPM), (d) unknown RPM, and (g) unknown RAM, respectively; the recovered images after 200 iterations with (b, c) two unknown masks (RAM and RPM), (e, f) unknown RPM, and (h, i) unknown RAM, respectviely.

Full size image
Figure 16
figure 16

Results of SA using Qin and Peng’s scheme: (a) the CC value versus number of iterations, and (b, c) recovered images after 200 iterations.

Full size image

Concluding remarks

An optical phase-truncation-based double-image encryption was developed using the equal modulus decomposition and random masks. The proposal utilizes RAM and RPM to generate a single ciphertext and two private keys. This scheme is novel, and acquires the decrypted images immune to the crosstalk noise. Particularly, the random masks cause insufficient constraints to be utilized for SA. Our proposal, when compared with the reported techniques via PT, has no problem of information leakage, and can efficiently resist different types of attacks. Furthermore, the four parameters serve as additional keys for enhancing the security. Numerical simulation results validate the advantages of the proposal.