Image encryption using spatial nonlinear optics

Optical technologies have been widely used in information security owing to its parallel and high-speed processing capability. However, the most critical problem with current optical encryption techniques is that the cyphertext is linearly related with the plaintext, leading to the possibility that one can crack the system by solving a set of linear equations with only two cyphertext from the same encryption machine. Many efforts have been taken in the last decade to resolve the linearity issue, but none of these offers a true nonlinear solution. Inspired by the recent advance in spatial nonlinear optics, here we demonstrate a true nonlinear optical encryption technique. We show that, owing to the self-phase modulation effect of the photorefractive crystal, the proposed nonlinear optical image encryption technique is robust against the known plaintext attack based on phase retrieval. This opens up a new avenue for optical encryption in the spatial nonlinear domain.


Introduction
Light, as a carrier of information, poccesses a number of unique features that can be processed to secure information. For example, the diffraction and temporal spectrum of light can be incooperated with optical variable devices, providing important security features for the anti-counterfeit of valuable documents and credit cards [1]. The scattering of light by a volumetric random material can form a unique fingerprint that may be used as a physical unclonable function [2,3]. On another level, one can engineer the phase of the light field in a random manner by using a random phase mask (or, key), scrambling the information it carries in both the spatial and the spatial frequency domains by using a coherent optical information system. With a proper way to compensate the scrambling introduced to the phase, one can recover the information carried by the light. Based on this principle and taking the advantage of the ultra-high bandwidth and capability of coherent optical systems [4], researchers have developed various optical systems for security verification authentication [5,6] and image encryption [7][8][9]. Owing to the ultra-large key space, it is unlikely to find the random phase mask using brute force attack within a reasonable time, making it promising for secure optical storage [10][11][12][13] and many others [14,15].
Under the framework of the classical double randomphase encoding, the cyphertext g(x, y) is related to the plaintext f(x, y) as g(x, y) = [f (x, y)R 1 (x, y)] ⊗ h(x, y) , where h(x, y) is the impulse response in the form of h(x, y) = F{R 2 (µ, ν)}(x, y) , where R 1 (x, y) and R 2 (µ, ν) stand for the random phase masks located at the input plane and the Fourier plane of the coherent 4f system, respectively, and F denotes the Fourier transform. It has been strictly proved [7] that the cyphertext g(x, y) is stationary white noise provided that R 1 (x, y) and R 2 (µ, ν) are statistically independent uniform distributions in [0, 2π ] . Therefore it is robust against blind deconvolution. However, recent studies have shown that such phaseencoding modality has certain security issues [16][17][18][19][20][21]. In particular, when someone manages to obtain information about the cyphertext and the corresponding plaintext, the cryptanalysis is reduced to nothing more than a phase retrieval problem, which can be solved by using, for example, projection-based optimization algorithms [22]. Although the presence of phase singularities prohibits the retrieval of the random phase key precisely, feasible solutions to the problem are sufficient to reveal information about the plaintext encrypted by the same set of keys [17][18][19][20][21]. It has been pointed out that this security issue stems from the linearity of the encryption modelity [18]. Thus, many efforts have been taken recently to resolve the linearity issue. Examples include the introduction of polarization encoding [23], photon-counting technique [24], computational ghost imaging (CGI) [25], coherence effect [26], and the bilinearity of phase-space distribution functions [27]. These methods rely on the increment of computation complexity, yet fail to offer a true nonlinear solution. As a consequence, they are also vulnerable to cryptanalysis. Indeed, recent studies have demonstrated the crypanalysis to the polarization [28] and CGI-based [29] encoding.
Thus, an essential revolution that is based on nonlinearlity should be called for in order to address the security issue from the ground. Indeed, nonlinear optical effects have great potential in information security applications. For example, in the temporal domain, it has been demonstrated that the intensity fluctuation from a chaotic semiconductor laser can be adopted to generate random numbers in ultra-high speed [30,31]. Unfortunately, this nonlinear technique cannot apply to image encryption in the spatial domain directly, although chaotic maps have been used for random phase encryption, mostly as keys to permuting [32] the plaintext. Thus it is both intuitively and practically important to develop spatialnonlinear-optics-based image encryption techniques.
Here we demonstrate one of such schemes. In the proposed scheme, the spatial nonlinearity is provided by using a Kerr-like crystal. Unlike security storage [10][11][12][13] where the nonlinear crystal is solely used to record the interference patterns, what it matters here is the screened photorefractive effect that offers a mechanism to mix the modes of the plaintext image when they propagate through the crystal. This is the most distinguishing feature of the proposed scheme in comparison to all the linear ones, in which the modes of the image propagate independently from the input to the output. As a consequence, the linear relation between the cyphertext and the plaintext is broken, making the proposed scheme resistant to all the existing optical cryptanalysis techniques in principle.

Experimental setup
The basic experimental set-up is schematically shown in Fig. 1a. The plaintext image, f (x 0 , y 0 ) , where (x 0 , y 0 ) denotes the coordinates of the input plane, was displayed on an amplitude-only spatial light modulator (SLM-A). A 4-f imaging system was then used to project the plaintext image displaced on SLM-A to the input of the proposed encryption engine, which is depicted in Fig. 1b. The engine has a cascaded structure, each of which is composed of a phase-only SLM (SLM-P) and a photorefractive crystal [which was a Sr 0.61 Ba 0.39 Nb 2 O 6 (SBN:61) in this study]. In our experiments, the first phase-only SLM (SLM-P 1 ) was placed on the conjugation plane of SLM-A so as to introduce a random phase, R 0 = exp[jφ(x 0 , y 0 )] , to the plaintext image, resulting in a random-phaseencoded image ψ 0 (x 0 , y 0 ) = f (x 0 , y 0 ) exp[jφ(x 0 , y 0 )] , where the subscript 0 in ψ stands for the axial position  = 0 . This random-phase-encoded image ψ 0 (x 0 , y 0 ) was then projected to the front surface of a SBN:61 crystal whose crystalline c-axis was perpendicular to the beam propagation direction. The complex wave field at the back surface of the SBN:61 crystal was then projected to SLM-P 2 , the other phase-only SLM that was used to random-phase encode the incoming light field by R 1 = exp[jϕ(x 1 , y 1 )] displaced on it. The resulting complex image is called the cyphertext image, written as g(x, y) for convenience. This complex cyphertext image was recorded holographically by interfering with an additional reference beam, usually a plane wave with a known carrier frequency, as shown in Fig. 1a. For the SBN crystal, we used the self-defocusing nonlinearity, which is evoked by applying an external negative electric field E along the c-axis. Technically, this responses to the change of refractive index of δn ∝ r 33 EĪ/(1 +Ī) , where Ī is the input intensity |ψ 0 (x, y)| 2 measured relative to a background (dark current) intensity [33], and r 33 = 255 pm/V is the electro-optic coefficient relative to the applied field E and the c-axis [34].

Theory and experimental results
In the experimental demonstration, we used a binary image shown in Fig. 2a as the plaintext for simplicity. The direct image of it through our experimental set-up is shown in Fig. 2b. It was taken by the camera when displaying the binary image shown in Fig. 2a on the SLM-A while the other two SLMs-P and the external electric field E switching off. The distortion exhibits in the image was mainly due to the imperfection of the crystal and the aberration of the imaging optic. More careful alignment of the optic did not make significant improvement in our experiments. Nevertheless, we take it as the ground truth plaintext image in our proof-of-principle demonstration. To encrypt the plaintext image, we displayed two statistically independent random phases on the two phase-only SLMs, and turned on the nonlinearity. Mathematically, this nonlinear encryption process can be written as where the transform T {·} is defined as the nonlinear Schrödinger transform whose integral form is given by [35] (1) where FST{ψ 0 (x 0 , y 0 ); z} denotes the linear propagation of ψ 0 (x 0 , y 0 ) within the crystal with the length of z, U(z) is the free Schrödinger operator given by U (z) ∝ exp[ik�/z] , where k is the wave vector and denotes the transverse Laplacian, and δn(|ψ is the index of refraction induced by the nonlinearity of the crystal at the plane z ′ . The nonlinear term in Eq. (2) suggests that the original changes to the beam will be accumulatively augmented upon propagation. As a consequence, the spatial modes of the beam evolve in a coupled manner even with the generation of new ones owing to the wave mixing process [36], rather than propagating independently as in a linear system [7,8] that all the current techniques for optical image encryption are operating on. It is in this way that the proposed scheme can break the linearity.
As mentioned above, the cyphertext obtained in this way is a complex-valued image [the intensity of which is shown in Fig. 2c]. It should be recorded using interferometry-based techniques like digital holography [37]. This allows the encryption as the process described by Eq. (1) to be reversible provided that the nonlinear medium is fully characterized and the amplitude and phase of the cyphertext image g(x, y) are known [36,38]. Thus the plaintext can be reconstructed from the digital hologram of the cyphertext numerically, with the conjugations of the two random phase keys presented in the first places, respectively, to demodulate the random phase The decrypted image with the correct keys is shown in Fig. 2d. This demonstrates that the numerical decryption can reverse the wave-mixing process and demodulate the random phase. Here the external voltage that applied across the c-axis of the SBN crystal was E = −500 Vcm −1 , and the geometric parameters z 1 = 9.7 mm and z 2 = 8 mm. We need to mention that only the first nonlinear transform was performed optically since only one SBN:61 crystal (with the size of 4.4 × 4.4 × 9.7 mm 3 ) was used in this experiment because there is only one such crystal at hand. The second nonlinear transform was performed numerically. Note that various algorithms have been proposed for the numerical solution of the nonlinear Schrödinger equation [39]. Here we simply employed the split-step Fourier propagation method, which has been intensively used in the studies in nonlinear optics [34,36,40].
In the extreme case that the nonlinearity reduces to zero (no applied voltage across the crystal), i.e., the second term in Eq. (2) is absent, the system becomes a Fresnel-based system [8], except that it propagates in the crystal other than in free space. The intensities of the cyphertext and the decrypted image are plotted in Fig. 2c and d, respectively. One can see that the plaintext image can be recovered in the linear case is comparable to that in the nonlinear case shown in Fig. 2f. Both these two images are lightly distorted in comparison to the ground truth as the optics were not perfectly aligned in our proof-of-principle experiments, or the numerical reconstruction algorithm did not take the imperfection of the crystal into account. Further calibration of the algorithmic with respect to the experimental setting will help improve the reconstructed results [36]. Comparing to the linear counterpart, the nonlinearly encrypted cyphertext image is more obliterated by virtue to the nonlinear selfdefocusing and light-induced scattering that arises from the augment of the beam scattered by the imperfection of the crystal [41]. Such difference in the intensity patterns has been observed in the case even without random phase modulation [36], and thus has the potential to add additional physical security features.
The plaintext image can be recovered even when the nonlinearity was further increased. However, it can be more seriously distorted because the light-induced scattering effect is stronger in this case. In Fig. 2h, we plot the reconstructed plaintext image when the external voltage was tuned to E = −1000 Vcm −1 . It is clearly seen that the noise is augmented as the nonlinearity increases, and thus the recovered image is distorted. It becomes severely when the external voltage goes up to −2000 Vcm −1 (Fig. 2j), even all the keys are correctly presented. It is quite challenging to get rid of the light-induced scattering effect in the numerical decryption algorithm because it can be invoked by the imperfection anywhere inside the crystal [42] or even on its surface [43]. In addition, the actual nonlinear effects can be even more intriguing [44]. For example, wave-mixing in the self-defocusing crystal can induce focusing as well [45,46]. But the numerical decryption algorithm at the current stage does not take them into account. Fortunately, these effects can be ignored when the nonliearity strength is not too strong as in our study. The experimental results confirms that the proposed encryption system works well at small nonlinearity as the light-induced scattering can be very weak in this case [47]. Indeed, in numerical simulation, the recovered plaintext images are perfectly identical with the ground truth regardless of the nonlinearity strength. Details can be found in the Appendix.

Toleration analysis
For an optical encryption system, it is important to analyze how the misalignment of the keys affects the performance of decryption since it explicitly relies on the reversibility of the system. It is expectable that the decryption is sensitive to the alignment as otherwise the modulation cannot be feasibly undone. However, a certain level of toleration against misalignment is desirable for the sake of practice.
As described in Eq. (1), there are several keys to the proposed system: the random phases R 0 and R 1 , their geometric positions in the system, and the nonlinearity. To perform the toleration analysis, we should make an assumption that the correct random phases R 0 and R 1 should be presented. Otherwise it is not possible to recover any meaningful image. This has been well studied in the linear counterpart [7]. One can expect that it will not become better in the nonlinear case. Thus we focus on the toleration to the misalignment of the random phases along the transverse and longitudinal directions and to the change of nonlinearity strength for decryption with respect to that for encryption. And we will examine these factors independently.
First, we analyze the toleration to the displacement of the random phase key along a transverse direction. To perform the analysis, one can first calculate the complex conjugation of a cyphertext image g * (x, y) , and then numerically reverse the second nonlinear transform in Eq. 1a. The resulting complex disturbance can be written as exp[−jϕ(x 1 , y 1 )]T {ψ * 0 (x 0 , y 0 ); −z 1 } . If R 1 is not placed at its original position, but transversely translated over a distance x 1 along the x-axis, the demodulated image can be written as exp[jϕ(x 1 − �x 1 , y 1 )] exp[−jϕ(x 1 , y 1 )]T {ψ * 0 (x 0 , y 0 ); −z 1 } . This means that the random phase cannot be demodulated completely in this case. The residual phase distortion exp{j[ϕ(x 1 − δx 1 , y 1 ) − ϕ(x 1 , y 1 )]} invokes speckle noise, which is accumulatively augmented upon the nonlinear propagation through the crystal [42,47]. As a result, the recovered plaintext image is corrupted by noise, the quaility of which can be evaluated by using some standard criterion indicator such as the normalized mean-squared error (NMSE). One can expect that the NMSE value monotonously increases along with x 1 from 0 to l x , the correlation length of R 1 . Indeed, we observed a linear relation between them as shown in Fig. 3a. In comparison with the linear counterpart [48], the proposed nonlinear encryption engine is more sensitive to the transverse translation of R 2 , as one can see from the inset in Fig. 3a that the position mismatch of l x /2 is sufficient to make the decrypted image totally corrupted.
The response to the axial translation of R 1 can be clearly seen by writing the decrypted image f (x 0 , . The noise comes from the mismatch z , and is further augmented by the second nonlinear transform in the decryption process. Thus it is expected that the level of noise increases as z increases either in the + or − direction, as evidenced by the experimental results shown in Fig. 3b. But the NMSE value increases quickly from 0 to about 0.5 as | z| increases from 0 to 4 mm, and then become steady as | z| increases further. One can clearly see that the proposed engine is more tolerant to the misalignment of R 1 in the longitudinal direction in comparison to the transverse one. This is reasonable because the latter one is due to an effectively wrong random phase key. The analysis of the toleration to the misalignment of R 0 is straightforward. The transverse misalignment of R 0 does not have any effect to the decrypted image when the plaintext image f (x 0 , y 0 ) is real, as in our study. However, if R 0 is misaligned in the longitudinal direction, there will be residual random phase and give rise to noise effect. Because of the absence of further amplification, the decryption is more tolerant to R 0 than R 1 , as depicted by Fig. 3b. Next we examine the robustness to additive noise of the decrypted image. This is done by adding zero-mean Gaussian white noise to the cyphertext image so that g ′ (x, y) = g * (x, y) + αn(x, y) , where α is a weighting factor that specifies the strength of the noise with respect to the signal, and n(x, y) ∼ N (0, σ ) , where σ is the standard deviation. Owing to the nonlinearity, the additive noise n(x, y) is coupled with the signal term g * (x, y) on the way that g ′ (x, y) is propagating back to the original input plane. The resulting noise on the recovered plaintext f ′ then is not additive anymore. The other immediate consequence of the nonlinear coupling is that the strength of the noise on f ′ is not linearly proportional to n(x, y). Indeed, it has been reported that a portion of the noise power can be transferred to the signal [49]. As a result, the proposed nonlinear encryption technique should be more robust to noise, although the PSNR of f ′ should be a nonlinear function of SNR = −10 log 10 |g * | 2 /(α|n|) 2 of g ′ . Indeed, we observed such a nonlinear dependence in our experiment (Fig. 4). The NMSE value decreases nonlinearly as the strength of n(x, y) linearly increases. As an example, we plot in Fig. 4a-d the recovered plaintext when the SNR of g ′ (x, y) is 10, 0, −10 , and −20 dB, respectively. It is clearly seen that the detail of the plaintext retains even the SNR of g ′ (x, y) is 0 dB. In contrast, linear dependence is expected in its linear counterpart [50] as additive noise on g * is transformed to additive noise on f ′ , and the power of noise conserved due to the canonical nature of this linear encryption system [51].
We also examined how the decrypted image is affected by the deviation of the strength of nonlinearity (denoted by Q) alone for decryption with respect to that for encryption (denoted by q). Specifically, this can be seen by the change of the NMSE value with respect to Q/q. The result is plotted in Fig. 5. It suggests that the decryption is quite robust to the change of nonlinearity. The NMSE value is less than 0.1 when Q/q = 2 , and is about 0.4 even when Q/q = 5 . Even when the decryption is carried out with Q = 0 , one can obtain a plaintext with acceptable quality ( NMSE ≈ 0.15 ) if the two random phase masks and the length of the crystals are known. This is reasonable because of the fact that the nonlinear refractive index δn is four orders of magnitude smaller than the linear one [34,36]. However, this does not mean the introduction of spatial nonlinearity is trivial. In fact, the nonlinearity does not mean to use in this way. It is used to protect the system from cryptalaysis when the random phase keys are unknown. We will show in Sect. that it has a significant impact to the enhancement of the security.

Security analysis
Most of the cryptanalysis techniques [17][18][19][20] rely on Kerckhoffs's principle [52] that an intruder is assumed to have full access to the cyphertext image g(x, y) and/or the corresponding plaintext image f (x 0 , y 0 ) . Thus, one more transform of g(x, y) does not add significant intrinsic security. This is in particular true for a linear system, in which one can easily calculate the Fourier spectrum of the cyphertext g(x, y) and subsequently recover the plaintext image by using phase retrieval algorithms owing to the memory effect [20]. Here we show that the proposed nonlinear encryption technique is immune to such phase-retrieval-based known-plaintext attack (KPA). According to Kerckhoffs's principle [52], we are assumed to know M pairs of cyphertext-plaintext images, i.e., [g m (x, y), f m (x 0 , y 0 )] , where m = 1, . . . , M . To examine the KPA, we also assume that the strength of nonlinearity and the length of the crystal z 1 and z 2 are known as well. It is straightforward to calculate ψ z 1 ,m (x 1 , y 1 ) exp[jϕ(x 1 , y 1 )] from g m (x, y) using nonlinear digital holography [36]. Since the random phase R 1 = exp[jϕ(x 1 , y 1 )] is unknown, it is not possible to directly use digital holography to reconstruct f m (x 0 , y 0 ) from ψ z 1 ,m (x 1 , y 1 ) exp[jϕ(x 1 , y 1 )] . Note that the random phase R 1 does not change the magnitude |ψ z 1 ,m (x 1 , y 1 )| . Thus an alternative approach is to retrieve the unknown phases ϕ(x 1 , y 1 ) and therefore, φ(x 0 , y 0 ) , from f m (x 0 , y 0 ) and |ψ z 1 ,m (x 1 , y 1 )| . In contrast to the linear counterpart, a nonlinear phase retrieval algorithm is needed in this case [53,54]. If such KPA successes, the retrieved phase, denoted as φ(x 1 , y 1 ) , should be used to decrypt any other cyphertext image, g t (x, y) , encrypted by the same system and the same set of keys. For the cryptanalysis of a linear double random-phase encoding [7,8], the multiple-phase retrieval algorithm [19] has been demonstrated to be implicitly feasible. Here we adopt the routine of this algorithm but replacing the linear canonical transform in [19] with the nonlinear Schrödinger transform to perform the attack.
Apparently, if nothing but a noise-like pattern is recovered, we can conclude that the proposed nonlinear encryption method is immune to the phase-retrievalbased KPA. This can be verified on experimental data. However, one may argue that this may attribute to the defect of the crystal or noise in the system as this may break the reversibility of the system [55]. Thus, we endeavor to examine the security via numerical experiments, which can be regarded as a fundamental baseline.
In the numerical study, we used M = 4 pairs of cyphertext-plaintext images to perform the aforementioned KPA. The 4 plaintext images are shown in Fig. 6a-d, and the corresponding cyphertext images are shown in Fig. 6e-h, respectively. The KPA algorithm attempts to recover the random phase ϕ(x 1 , y 1 ) and uses it to decode the cyphertext of an unknown plaintext image shown in Fig. 6i. The recovered random phase key φ(x 1 , y 1 ) is shown in Fig. 6j. The difference between it and the original phase ϕ(x 1 , y 1 ) is shown in Fig. 6k. Its randomlike distribution implies that the KPA algorithm [19], although has been demonstrated to be very efficient to attack a linear encryption system, is not able to retrieve the phase key of the proposed nonlinear encryption system. Indeed, nothing about the image to be analyzed (Fig. 6i) is revealed in the recovered image (Fig. 6l). Instead, it is some information about the known plaintext images that is revealed. In the specific case shown in Fig. 6l, it is a clear 'S' together with a dimmed 'M' against a noisy background that is recovered with φ(x 1 , y 1 ) . With a close look at the positions of S and M, it is not difficult to see that they appear at their original positions as in Fig. 6a, d as if they were memorized by the retrieved phase key φ(x 1 , y 1 ) . This exotic phenomenon is mainly due to the fact that phase evolution in a nonlinear optical system is significantly dependent on intensity-induced refractive index changes [36]. Although nonlinear refractive index is small comparing to the base one, it does have a significant impact to the enhancement of the security level, protecting it from the powerful KPA analysis. The appearance of which known plaintext image in the recovered image is determined by where the KPA algorithm stops. In the case of Fig. 6l, the KPA algorithm stops after the use of the known plaintext image 'S' (Fig. 6a) iteratively compute the phase key φ(x 1 , y 1 ) . And thus φ(x 1 , y 1 ) memorizes clearly the information of the image 'S' . One iteration previous to this is the use of the image 'M' . And thus φ(x 1 , y 1 ) still has a little memory of it. This phenomenon has never been observed in the linear counterparts [16][17][18][19][20] or in phase retrieval using nonlinear diversity [53,54].

Conclusion
In conclusion, we have experimentally demonstrated for the first time a true nonlinear optical encryption method. In comparison with the conventional linear counterpart [7,8] that relates the cyphertext and plaintext by using linear canonical transforms, the unique feature of the proposed method is the employment of the nonlinear Schrödinger transform. Thus it offers a way to resolve the security vulnerability mainly owing to the linearity [16][17][18][19][20]. Indeed, we have demonstrated that the proposed method is resistant to a phase-retrieval-based KPA, a class of cryptanalysis methods that has been shown to be powerful to crack the conventional linear optical encryption engines [16][17][18][19][20]. This opens up a new avenue for optical image encryption in the spatial nonlinear domain.
One may argue that with the growing power of machine learning, the proposed nonlinear encryption method should be vulnerable to it. Indeed, we have demonstrated that the conventional double random-phase encryption is vulnerable to a deep-learning-based attack [21]. However, we believe that the proposed nonlinear encryption method is robust to it. A deep neural net requires a large set of plaintext-ciphertext pairs from the same system to train. But owing to the self-defocusing effect, the potential induced inside the crystal is plaintext-dependent (as manifested in Fig. 6). As a result, even though the plaintext-ciphertext pairs in the training set might have been obtained through the same crystal, the induced potential was effectively different for different plaintext in the training set. Thus one can imagine that different pairs of plaintext-ciphertext are associated with a different setting of the crystal so that it is infeasible to learn a common mapping function among them.

Appendix
In the simulation, the virtual nonlinear image encryption system is composed of two SBN:75 crystals with the length of z 1 = 9.7 cm and z 2 = 8 cm, respectively, as in our experimental counterpart. A plaintext image (as the one shown in Fig. 2a) together with a random phase key (implemented as a 2D array, each element of which is a pure phase that obeys a uniformed distribution between 0 and 2 π ) is virtually placed at the front surface of the first crystal. At the back surface, we virtually place the other random phase key that obey the same distribution function, but is statistically independent with respect to the first one. Because it is a virtual system, the second crystal can be placed immediately behind the second random phase key. We assume that the system is illuminated by a coherent plane wave with the wavelength of = 532 nm. The size of the images is 256 × 256 pixels. The nonlinear propagation of the laser beam is implemented by the split-step Fourier propagation method [36,40]. The defects of the crystal and the noise of the image sensor are neglected in our simulation. The results are plotted in Fig. 7.   Fig. 6 Robustness against KPA. a-d The four known plaintext images and e-h the corresponding cyphertext images, i the plaintext image the KPA attempts to reveal, j the retrieved R 2 , k the difference between the retrieved R 2 and the original one, and l the result of the KPA. One can clearly seen that the recovered image does not resemble the original plaintext at all