In recent years, digital information has been widely transmitted through insecure public networks, where the data is particularly easy for others to wiretap; thus the techniques for information security are of great importance. Many optical encryption methods have been developed. As far as we know, the double random phase encoding (DRPE) technique proposed in 1995 may be the first successful example in optical encryption. Based on optical parallel characteristics, it generally uses double spatial light modulators for phase encoding and array charge-coupled devices (CCDs) for recording the intensities [3, 4, 5, 6]. Lately, the DRPE has been integrated with photon-counting to obtain better security and verification performance [7, 8, 9], but its sampling is still redundant. Fortunately, the newly developed theory of compressed sensing (CS) [10, 11, 12] provides a new technical solution for DRPE compression during the optical sampling, and allows one to accurately reconstruct a signal known a priori to be sparse or compressible from its linear projections, with a sampling rate far below the Nyquist rate [10, 11]. Given all these advantages of CS, many methods in the optical security field, such as ptychography and quick response codes, have recently been combined with compressed DRPE to enhance their performance. On the other hand, CS has led to the single-pixel camera [16, 17], which has found wider applications, such as remote sensing [18, 19], adaptive ghost imaging, biological imaging, phase retrieval, and so forth. Recent works have successfully combined single-pixel compressive imaging with optical encryption, where the signal and its compressed measurements are treated as the plaintext and the ciphertext. This technology has been shown to increase the security [23, 24] and has thus become popular.
With the development of the information age, one important issue is how to improve the security of the information delivered by the public network, especially in financial transactions, secure video communication, Internet conferences, telemedicine, and the like. Our earlier works have proposed a protocol for high-speed secure key distribution over a public network [25, 26], in which the legitimate parties acquire the cryptographic keys from the images recovered by computational ghost imaging algorithms. Watermarking [27, 28, 29] and data hiding [30, 31] are two representative choices for privacy protection by embedding a label in a visible image, and we find that they may be useful for improving the performance of the secure key distribution. However, to our knowledge, most traditional watermarking techniques needed to embed the watermark into the non-overlapping blocks of the original image [29, 30, 31], and failed to consider authentication and tampering identification. Besides, transmitting the watermarked image may incur content leakage.
In this work, we propose a watermarking-based protocol for cryptographic key distribution over a public network, in which the watermark is regarded as the cryptographic key to be distributed. In the carrier generation process, based on a single-pixel compressive imaging system, the server uses a digital micromirror device (DMD) for random modulation and a photomultiplier tube (PMT) for photon counting. The server then embeds the watermark in the rearranged compressed measurements, which have no spatial correlation, rather than in the image or its non-overlapping divided blocks, thus increasing the confidentiality and imperceptibility of the cryptographic key without content leakage. After that, the disordered sequence is sent to the legitimate users through the public network. With the aid of the initial keys and the variance characteristic of the measurements, the valid parties can exactly extract the distributed cryptographic key. By using a CS algorithm, the users can reconstruct the images for simultaneous efficient authentication and tampering identification. Additionally, unlike traditional optical communication schemes that are mainly based on two-dimensional encrypted images, our protocol also offers an alternative approach for embedding the watermark directly in the randomly-ordered one-dimensional sampled signal as well as taking full advantage of the variance characteristic of the measurements, which will have a great impact on research in the broader fields of optical security, especially in cryptographic key distribution applications.
Our protocol applies CS for carrier generation and authentication. In CS, an image signal of pixel size
can be reshaped into a one-dimensional column vector of length. Every pattern encoded on the DMD has the same size as the object image, and is flattened accordingly into a row vector of length . There are random binary patterns that will be sequentially fed into the DMD, the row vectors reshaped from these patterns are rearranged into a measurement matrix . Rather than directly sampling the image pixel values, CS captures the linear projections of the signal at a rate that is significantly below the Nyquist rate, namely, it samples the inner product between modulating row vector and the signal . Thus the problem can be given by a set of linear equations: , where is the observed measurement vector, denotes the stochastic noise. Hence simultaneous compression and sampling of an image can be achieved. Generally, the natural signal
can be sparsely represented in a certain basis (e.g., discrete cosine transform basis, Fourier transform basis, wavelet basis), thus , or , where is the coefficient sequence of . Since the total variation (TV) regularization can ensure excellent reconstructed image quality by preserving the edges accurately , here we use TV solver as the sparse basis. In order to satisfy the restricted isometry property (RIP) , the column vectors taken from arbitrary subsets of the measurement matrix
should be approximately orthogonal and incoherent with the sparse basis. It is found that a completely random matrix works well in general and is largely incoherent with any fixed basis. Therefore, the random measurement matrix is adopted here, and its randomness can render the measurement data unintelligible. The object image can be reconstructed precisely from the dimension reduction measurements via optimization algorithm.
This protocol is an extension of our previous work [25, 26]. Here, the measurement matrix is used as a key known by the legitimate parties in advance, and a watermark label is embedded to the measured signal for cryptographic key distribution. As depicted in figure 1, our protocol can be divided into four parts: carrier generation, watermark embedding, watermark extraction, and authentication. Figure 2 shows the detailed procedure for watermark embedding and extraction.
2.1 Carrier generation
In the carrier generation step, the server performs compressive sampling  via a single-pixel imaging system, which is simpler than DRPE setup. The object and the measurement matrix can be denoted as and , then the carrier can be acquired by the linear equations . For different legitimate parties, the object and the measurement matrix can be different. Therefore, our protocol can realize multiparty communication.
2.2 Watermark embedding
Here the watermark is treated as the cryptographic key to be distributed. In the watermark embedding process as shown in the left half of figure 2, will be disordered by the server via the random allocation key 1 to obtain , which is then divided into (the same as the length of the watermark) groups with each of size . For the th group, if the element value in the watermark equals 1, then all the bits in the corresponding group (denoted as , ) of are exclusive-ORed (XOR); otherwise, the group is left as it is, i.e.,
Here using XOR for watermark embedding is a common operation. By this means, we will get the sequence , which will be disordered again according to the random allocation key 2 to obtain . After that, the signal will be transmitted through the public network to the legitimate users.
2.3 Watermark extraction
In the watermark extraction as shown in the right half of figure 2, the legitimate receiver restores via the random allocation key 2, and then carries out XOR operation on every bit of to obtain (this operation we call global XOR). The values of the watermark bits are extracted via
where var denotes the variance. According to the extracted watermark and the group assignment, the XOR operation of the whole bits in the divided groups of that correspond to the extracted watermark bit value 1 is performed, also via Eq. 1, to get . In theory, and equal and , respectively. The correct sequence is then recovered following the random allocation key 1. Theoretically, equals
with high probability. Through the above operations, legitimate users will finally get the corresponding cryptographic keys distributed from the server. The cryptographic keys can be used to encrypt the plaintext and decrypt the ciphertext during the multiparty communication.
Finally, the receiving parties use the TVAL3 algorithm  to recover the image from and for identity authentication, as demonstrated in figure 1. The core TV norm minimization of TVAL3 can be described as:
where stands for norm. is the discrete gradient vector of at position , is the gradient operator, and is a penalty constant scalar used to balance these two terms. is the TV regularization term, which is isotropic for , and anisotropic for . Here we use the isotropic (the higher, 2nd-order) derivative to get better image quality for authentication.
To obtain a quantitative measure of the image quality, the peak signal-to-noise ratio (PSNR) is defined here as a figure of merit:
where . The MSE describes the squared distance between the recovered image and the original image for all pixels. Naturally, the larger the PSNR value, the better the quality of the image recovered.
Additionally, we introduce another unitless performance measure, the bit error rate (BER), which is defined as
Here, is the original watermark, is the extracted watermark, and is the length of . Therefore, the BER is the number of bit errors divided by the total length of the watermark bits during a time interval studied. The generation of error bits is mostly due to noise, randomness, or tampering.
To illustrate our strategy, the simulation procedure is presented in figure 3. After the sampling, the watermark embedding and extraction will be performed. According to the CS theory, the original image can be any complex gray-scale or colour-scale image, as long as it is sparse or compressive. Generally speaking, many natural images except pure noisy ones have sparse representations when they are expressed in a certain basis. It is worth noting that the watermark can be not only a binary vector but also a gray-scale image, because the image pixel values can be easily converted into a binary sequence and linked end-to-end to form a long one in watermark embedding, and vice versa during watermark extraction. After that, the CS image [figure 3(b) and (c)] can be recovered accurately if and only if the extracted watermark is exactly consistent with the original one. Although the poor quality of the recovered image is possibly caused by the measurement noise, we find that repeatedly using the same watermark can greatly improve the image quality. Here the watermark is reused five times in one set of measurements to reduce the negative effect of the measurement noise on the quality of the extracted watermark. The number five used here is an empirical parameter. Actually, for a 40-bit watermark with five repetitions, when the group (block) size is set to 11, the BER is already low enough; when is larger than 20, the watermark is extracted exactly with high immunity to noise, as illustrated in figure 4. Therefore, by applying this strategy, the quality of the CS image can be used for authentication to validate whether there exists an attacker or not. The demonstrating experiment is performed by increasing the measurement number. There is a tradeoff between the group size for the BER performance and the length of the watermark.
4 Experimental validation and results
The carrier generation process of our proposal is based on a photon-counting single-pixel camera, as presented in figure 5. The binary modulation patterns are provided by a DMD. In the experiment, the thermal light from a stabilized halogen tungsten light source with a wavelength range from 360 nm to 2600 nm passes through a beam expander and a neutral density filter (NDF) onto a black-and-white film (the object) with a printed transparent letter “S”. Here the NDF is used to attenuate the light to the ultra-weak light level. The object is then imaged directly onto the DMD which consists of micromirrors. Each micromirror is switched between two positions oriented at , which correspond to a bright pixel 1 and a dark pixel 0, determined by the pattern. The reflected light in one of the orientations is converged onto one spot by a focusing lens and is collected by a counter-type Hamamatsu H10682-210 PMT. Since the PMT counts the number of the photons that is proportional to the total light intensity for each pattern, it can be treated as a single-photon detector. Actually, the recorded photon sequence is a measured signal of the object. Following the procedures given in figure 2, it is simple for the receiver to obtain the signal from the public network, to extract the watermark, and to recover the signal according to the random allocation keys 1 and 2. It is worth noting that all the values of should be converted into a binary sequence for XOR operation, and should be turned back to a decimal sequence at last. Using the measurement matrix, the image is recovered by total variation minimization for identity authentication. Here the experimental setup is simple and the whole techniques reduce the complexity.
Each pattern corresponds to one row of the measurement matrix , and has pixels, of the same size as the CS image. There are binary patterns, thus the size of is with . The experimental results [figure 6] are in accord with figure 3. In the case of five-repetition usage of the same watermark, we get five sets of extracted results, compute their average, and then set the value to 0 if the mean is less than 0.5, and 1 otherwise. From figure 6(c), it can be seen that the calculated watermark is accurate with large probability. Here is generated by a random physical process. Since the photon fluctuations contain the stochastic intensity fluctuations of the light source, scattering noise along the light path, and shot noise, the signal has true randomness as well as good information imperceptibility. Here the matrix , the random allocation keys 1 and 2, and some other essential parameters (like the imaging area, the pixel size, the number of measurements, the allocation selection strategy) are all used as the initial keys, which are distributed to the legitimate parties through absolutely secure approaches (e.g., secure hash algorithm 3, quantum key distribution protocol) in advance. In the future, we can also take the difference between adjacent frames to perform the “positive-negative” modulation and acquire a very satisfactory image quality. For full-colour imaging, one can use three spectral filters to restore the red, green, and blue sub-images, extending the dimension of the signal carrier.
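The effect of the five-fold repetition on the BER can be checked numerically. The following Python sketch is an added example, not the authors' code: it applies the averaging rule stated above (mean below 0.5 gives 0, otherwise 1) to a 40-bit watermark and compares the simulated BER with the binomial prediction, under the assumption that each extracted bit is wrong independently with probability p (a constructed noise model, not the measured photon statistics).

```python
import random
from math import comb


def bit_error_rate(original, extracted):
    """BER from the text: number of bit errors divided by the watermark length."""
    if len(original) != len(extracted) or not original:
        raise ValueError("watermarks must be non-empty and of equal length")
    return sum(a != b for a, b in zip(original, extracted)) / len(original)


def combine_repetitions(copies):
    """Average the extracted copies per bit: mean < 0.5 gives 0, otherwise 1."""
    length = len(copies[0])
    if any(len(c) != length for c in copies):
        raise ValueError("all extracted copies must have the same length")
    return [0 if sum(c[i] for c in copies) / len(copies) < 0.5 else 1
            for i in range(length)]


def noisy_copy(watermark, p, rng):
    """Assumed noise model: each extracted bit is wrong independently with probability p."""
    return [b ^ 1 if rng.random() < p else b for b in watermark]


def expected_ber_after_combining(p, repeats):
    """Per-bit error probability after thresholding the mean (odd repeats only)."""
    if repeats % 2 == 0:
        # With an even count a tie (mean == 0.5) decodes to 1, so the error
        # rate would depend on the bit value; keep the closed form to odd counts.
        raise ValueError("use an odd number of repetitions")
    return sum(comb(repeats, k) * p**k * (1 - p)**(repeats - k)
               for k in range(repeats // 2 + 1, repeats + 1))


def simulate(p, repeats=5, length=40, trials=2000, seed=1):
    """Return (mean BER of single copies, mean BER after combining)."""
    rng = random.Random(seed)
    raw_total = combined_total = 0.0
    for _ in range(trials):
        watermark = [rng.randint(0, 1) for _ in range(length)]  # constructed key
        copies = [noisy_copy(watermark, p, rng) for _ in range(repeats)]
        raw_total += sum(bit_error_rate(watermark, c) for c in copies) / repeats
        combined_total += bit_error_rate(watermark, combine_repetitions(copies))
    return raw_total / trials, combined_total / trials


if __name__ == "__main__":
    for p in (0.05, 0.10, 0.20):
        raw, combined = simulate(p)
        print(f"p={p:.2f} raw={raw:.4f} combined={combined:.4f} "
              f"expected={expected_ber_after_combining(p, 5):.4f}")
```

Since the watermark is the distributed key, any residual bit error leaves the two parties with different keys, so the combined BER has to be driven to zero rather than merely made small.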
5 Security analysis and discussion
Now let us discuss the security of our one-time-pad protocol against different attacks. Here, for simplicity and without loss of generality, we directly perform our security analysis on the experimentally recorded signal. Assume that the eavesdropper Eve possesses any advanced technique. In order to ensure information transmission security, further channel coding and decoding can be used. Even if Eve knows complete from the public network, to recover the watermark she must guess the random allocation key 2 exactly, which costs a full permutation of . In the case of figure 7, we have , thus Eve must sweep through (when ) possible permutations. For example, from , we see that is thought to be extremely large. Assuming that each run costs a few milliseconds for a supercomputer, it will take many years to finish the exhaustion. Furthermore, if Eve wants to get the CS image, she must firstly spend another possible permutations to guess the random allocation key 1 and recover the signal , and secondly guess all the frames and secure parameters. For a binary measurement matrix, where , the probability of it being deciphered through exhaustive attack is . Actually, the size of the image and the measurement matrix can be much larger, and the measurement matrix owned by each user can also be different. So it is impossible for her to decipher the communication.
Additionally, Eve can also intercept the signal , falsify some bits in it and then send it to the legitimate users, as illustrated in figure 7. However, the legitimate party can easily discover Eve’s presence by checking the quality of recovered images, whether she completely disorders the signal , or only changes one fixed bit in each value, or takes some values away. If one user finds that the quality of the CS image is poor, then he/she can conclude that there must exist an attack. Therefore, it is demonstrated that our method is highly sensitive to intentional tampering and has an outstanding performance for data tamper detection. It is worth mentioning that our protocol is robust against the attack because of its particular scheme, rather than the experiment. Thus we can regard this protocol as being very safe for practical applications in defense, communication, and financial market.
In conclusion, we propose a secure protocol for cryptographic key distribution over a public network, where a watermark is treated as the cryptographic key to be distributed from the server to the valid parties. The compressive sampling is experimentally performed via a single-pixel photon-counting imaging system, in which the photon-limited measurements contribute additional security to the protocol. The watermark is embedded directly in the randomly-rearranged compressive measurements, rather than in the image or its non-overlapping divided blocks, ensuring the confidentiality and imperceptibility of the cryptographic key and avoiding content leakage. Thus the watermark embedding is actually performed between the compressive sampling and authentication procedures. At the receiving terminal, based on the initial keys and the variance of the disordered measurement sequence that is sent through the public network, the legitimate users have full access to both the accurate watermark and the encrypted image; the latter can be used for efficient authentication and tampering identification. Both numerical simulation and experimental results show that our approach has good robustness against different eavesdropping attacks. This protocol may pave the way for applying the variance characteristic of the measurements in optical secure communication, and will have a great impact on many practical applications of optical security.
The author greatly appreciates Ning Wu for offering help in improving the manuscript. This work is supported by the National Natural Science Foundation of China [grant number 61801022], the Beijing Natural Science Foundation [grant number 4184098], the National Key Research and Development Program of China [grant number 2016YFE0131500], the International Science and Technology Cooperation Special Project of Beijing Institute of Technology [grant number GZ2018185101], and the Beijing Excellent Talents Cultivation Project - Youth Backbone Individual Project.
- [1] S. Lian, “Quasi-commutative watermarking and encryption for secure media content distribution,” Multimed. Tools. Appl. 43, 91–107 (2009).
- [2] P. Refregier and B. Javidi, “Optical image encryption based on input plane and Fourier plane random encoding,” Opt. Lett. 20, 767–769 (1995).
- [3] B. Hennelly and J. T. Sheridan, “Optical image encryption by random shifting in fractional Fourier domains,” Opt. Lett. 28, 269–271 (2003).
- [4] W. Chen, X. Chen, and C. J. R. Sheppard, “Optical image encryption based on diffractive imaging,” Opt. Lett. 35, 3817–3819 (2010).
- [5] P. Clemente, V. Durán, E. Tajahuerce, and J. Lancis, “Optical encryption based on computational ghost imaging,” Opt. Lett. 35, 2391–2393 (2010).
- [6] G. Li, W. Yang, D. Li, and G. Situ, “Cyphertext-only attack on the double random-phase encryption: Experimental demonstration,” Opt. Express 25, 8690–8697 (2017).
- [7] E. Pérez-Cabré, M. Cho, and B. Javidi, “Information authentication using photon-counting double-random phase encrypted images,” Opt. Lett. 36, 22–24 (2011).
- [8] S. K. Rajput, D. Kumar, and N. K. Nishchal, “Photon counting imaging and polarized light encoding for secure image verification and hologram watermarking,” J. Opt. 16, 125406 (2014).
- [9] D. Maluenda, A. Carnicer, R. Martinez-Herrero, I. Juvells, and B. Javidi, “Optical encryption using photon-counting polarimetric imaging,” Opt. Express 23, 655–666 (2015).
- [10] D. Donoho, “Compressed sensing,” IEEE Trans. Inform. Theory 52, 1289–1306 (2006).
- [11] E. J. Candès, “Compressive sampling,” In Proc Int Cong Math, European Mathematical Society, Madrid, pp. 1433–1452 (2006).
- [12] E. J. Candès, “The restricted isometry property and its implications for compressed sensing,” C. R. Math. 346, 589–592 (2008).
- [13] J. Li, J. S. Li, Y. Y. Pan, and R. Li, “Compressive optical image encryption,” Sci. Rep. 5, 10374 (2015).
- [14] N. Rawat, I.-C. Hwang, Y. Shi, and B.-G. Lee, “Optical image encryption via photon-counting imaging and compressive sensing based ptychography,” J. Opt. 17, 065704 (2015).
- [15] X. Wang, W. Chen, and X. Chen, “Optical information authentication using compressed double-random-phase-encoded images and quick-response codes,” Opt. Express 23, 6239–6253 (2015).
- [16] M. F. Duarte, M. A. Davenport, D. Takhar, J. N. Laska, T. Sun, K. F. Kelly, et al., “Single-pixel imaging via compressive sampling,” IEEE Signal Process. Mag. 25, 83–91 (2008).
- [17] C. B. Li, “An efficient algorithm for total variation regularization with applications to the single pixel camera and compressive sensing,” Masters of Science thesis, Rice University, 2010.
- [18] C.-Q. Zhao, W.-L. Gong, M.-L. Chen, E.-R. Li, H. Wang, W.-D. Xu, et al., “Ghost imaging lidar via sparsity constraints,” Appl. Phys. Lett. 101, 141123 (2012).
- [19] W.-K. Yu, X.-F. Liu, X.-R. Yao, C. Wang, Y. Zhai, and G.-J. Zhai, “Complementary compressive imaging for the telescopic system,” Sci. Rep. 4, 5834 (2014).
- [20] W.-K. Yu, M.-F. Li, X.-R. Yao, X.-F. Liu, L.-A. Wu, and G.-J. Zhai, “Adaptive compressive ghost imaging based on wavelet trees and sparse representation,” Opt. Express 22, 7133–7144 (2014).
- [21] W.-K. Yu, X.-R. Yao, X.-F. Liu, R.-M. Lan, L.-A. Wu, G.-J. Zhai, et al., “Compressive microscopic imaging with “positive-negative” light modulation,” Opt. Commun. 371, 105–111 (2016).
- [22] W.-K. Yu, A.-D. Xiong, X.-R. Yao, G.-J. Zhai, and Q. Zhao, “Efficient phase retrieval based on dark fringe extraction and phase pattern construction with a good anti-noise capability,” Opt. Commun. 402, 413–421 (2017).
- [23] A. Orsdemir, H. O. Altun, G. Sharma, and M. F. Bocko, “On the security and robustness of encryption via compressed sensing,” In IEEE Military Commun. Conf., San Diego, (2008).
- [24] D. Xiao, M. Deng, and X. Zhu, “A reversible image authentication scheme based on compressive sensing,” Multimed. Tools Appl. 74, 7729–7752 (2015).
- [25] S. Li, X.-R. Yao, W.-K. Yu, L.-A. Wu, and G.-J. Zhai, “High-speed secure key distribution over an optical network based on computational correlation imaging,” Opt. Lett. 38, 2144–2146 (2013).
- [26] W.-K. Yu, S. Li, X.-R. Yao, X.-F. Liu, L.-A. Wu, and G.-J. Zhai, “Protocol based on compressed sensing for high-speed authentication and cryptographic key distribution over a multiparty optical network,” Appl. Opt. 52, 7882–7888 (2013).
- [27] H.-C. Huang and F.-C. Chang, “Robust image watermarking based on compressed sensing techniques,” J. Inf. Hid. Multimed. Signal Process. 5, 275–285 (2014).
- [28] H. Liu, D. Xiao, R. Zhang, Y. Zhang, and S. Bai, “Robust and hierarchical watermarking of encrypted images based on compressive sensing,” Signal Process. Image Commun. 45, 41–51 (2016).
- [29] S. Weng and J.-S. Pan, “Reversible watermarking based on two embedding schemes,” Multimed. Tools Appl. 75, 7129–7157 (2016).
- [30] X. Zhang, “Reversible data hiding in encrypted image,” IEEE Signal Process. Lett. 18, 255–258 (2011).
- [31] M. Li, D. Xiao, and Y. Zhang, “Reversible data hiding in block compressed sensing images,” ETRI J. 38, 159–163 (2016).
- [32] Z. Xia, X. Wang, L. Zhang, Z. Qin, X. Sun, and K. Ren, “A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing,” IEEE T. Inf. Foren. Sec. 11, 2594–2608 (2016).