COPYRIGHT NOTICE
FedUni ResearchOnline
https://researchonline.federation.edu.au
Copyright © 2015 IEEE. Personal use of this material is permitted. Permission from IEEE
must be obtained for all other uses, in any current or future media, including
reprinting/republishing this material for advertising or promotional purposes, creating new
collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted
component of this work in other works.
This is the peer-reviewed version of the following article:
Jolfaei, A., Wu, X., Muthukkumarasamy, V. (2016) On the security of
permutation-only image encryption schemes.
IEEE Transactions on
Information Forensics and Security. Vol. 11, no. 2 (2016), p. 235-246.
Which has been published in final form at:
https://doi.org/10.1109/TIFS.2015.2489178
1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2015.2489178, IEEE Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1
On the Security of Permutation-Only Image
Encryption Schemes
Alireza Jolfaei, Xin-Wen Wu, Senior Member, IEEE, and Vallipuram Muthukkumarasamy
Abstract—Permutation is a commonly used primitive in multi-
media (image/video) encryption schemes, and many permutation-
only algorithms have been proposed in recent years for protection
of multimedia data. In permutation-only image ciphers, the
entries of the image matrix are scrambled using a permutation
mapping matrix which is built by a pseudo-random number
generator (PRNG). The literature on the cryptanalysis of im-
age ciphers indicates that permutation-only image ciphers are
insecure against ciphertext-only attacks and/or known/chosen-
plaintext attacks. However, previous studies have not been able
to ensure the correct retrieval of the complete plaintext elements.
In this paper, we re-visited the previous works on cryptanalysis
of permutation-only image encryption schemes and made the
cryptanalysis work on chosen-plaintext attacks complete and
more efficient. We proved that in all permutation-only image
ciphers, regardless of the cipher structure, the correct permu-
tation mapping is recovered completely by a chosen-plaintext
attack. To the best of our knowledge, for the first time, this
paper gives a chosen-plaintext attack that completely determines
the correct plaintext elements using a deterministic method.
When the plain-images are of size M × N and with L different
color intensities, the number n of required chosen plain-images
to break the permutation-only image encryption algorithm is
n = dlog
L
(M N)e. The complexity of the proposed attack is
O (n· M N) which indicates its feasibility in a polynomial amount
of computation time. To validate the performance of the proposed
chosen-plaintext attack, numerous experiments were performed
on two recently proposed permutation-only image/video ciphers.
Both theoretical and experimental results showed that the pro-
posed attack outperforms the state of the art cryptanalytic
methods.
Index Terms—Chosen-plaintext attack, cryptanalysis, image
encryption, permutation.
I. INTRODUCTION
T
HE fast growing demand for digital multimedia applica-
tions has opened up a number of challenges regarding
the confidentiality of images and videos in many multimedia-
based services, such as Pay-TV, remote video conferencing,
and medical imaging. Reliable storage and secure transmis-
sion of visual content is a legitimate concern of Intellectual
Property (IP) owners. Thus, there is a strong need to protect
images and videos against unauthorized use or other security
Copyright (c) 2015 IEEE. Personal use of this material is permitted.
However, permission to use this material for any other purposes must be
obtained from the IEEE by sending a request to pubs-permissions@ieee.org.
The authors are with the School of Information and Communication
Technology, Griffith University, Gold Coast, QLD 4222, Australia (e-mail:
alireza.jolfaei@griffithuni.edu.au; x.wu, v.muthu@griffith.edu.au).
Manuscript received August 13, 2014; revised December 6, 2014, April 11,
2015 and July 23, 2015; accepted September 30, 2015. The associate editor
coordinating the review of this manuscript and approving it for publication
was Prof. Hitoshi Kiya.
Digital Object Identifier TIFS.2015
violations. Encryption is a solution to maintain confidentiality.
Multimedia encryption obfuscates the image/video datastream
to ensure secure transmission of image/video data between two
parties over a public channel. Given the fact that raw video
data is constructed by a sequence of still images (frames),
image encryption techniques can be applied to still images or
single frames in a video.
Since the 1970s, a large number of encryption schemes have
been proposed, some of which have been standardized and
widely adopted all over the world, such as Data Encryption
Standard (DES) [1] and Advanced Encryption Standard (AES)
[2]. However, the problem of image encryption is beyond the
application of established and well-known encryption algo-
rithms. This is primarily due to the constraints imposed by the
data structure and the application requirements, such as format
compliance [3], real-time performance [4], complexity [5],
compression efficiency [6], perceptibility [7] and the security
level [8]. To address these concerns, significant attempts have
been made to develop robust encryption schemes for the image
data [9]–[11].
Due to the grid structure of digital images, image encryption
methods utilize three different types of operations: position
permutation, value transformation, and the combination form.
Among different operations, permutation (transposition) is a
commonly used primitive in many image encryption schemes.
This is mainly due to the easy implementation and applica-
bility of permutation in both spatial and frequency domains.
In addition, by combining permutation with other simple
value transformation operations, such as XOR, a highly secure
multimedia encryption scheme can be achieved. In all the well-
known permutation-only ciphers, image entries (or bit-planes)
are permuted by a mapping matrix which is built by a pseudo-
random number generator. From the design point of view,
permutation dissipates the statistical structure of the plaintext
into long range statistics and it is suitable for fast processing
requirements of massive digital multimedia data [12], [13].
Despite the advantages of permutation, it has a number of
inherent limitations. Permutation-only ciphers disclose some
essential characteristics of the plaintext, such as the frequency
distribution of symbols in the plaintext. Also, when the size of
plaintext is small, that is, the number of possible arrangements
for the plaintext elements is less than the key space, the
number of effective keys can be reduced, and hence, the per-
mutation mapping can be disclosed. Moreover, permutation-
only encryption/decryption are not simple sequential opera-
tions that can be done dynamically. In general, permutation
may need a buffer with a size comparable to that of the
plaintext. Therefore, due to the limitations above, permutation-
1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2015.2489178, IEEE Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 2
only ciphers are nowadays only used in applications where
substitution is technically infeasible and/or only a moderate
level of protection is required. Considering typical examples
of permutation-only image ciphers, in [14]–[16] image entries
are dislocated using pseudo-random permutations; in [17] and
[18] permutation operations are performed on the bit-planes of
the image entries; and in [19] and [20] permutation operations
are performed on DCT/wavelet coefficients.
The security of permutation-only image encryption schemes
has been studied for a long time, and it has been shown that
most of such schemes are insecure against ciphertext-only
attacks and/or known/chosen-plaintext attacks, which is due
to the high information redundancy in the multimedia data
and some specific weaknesses in the encryption algorithms
[21]–[23]. Despite the extensive cryptanalysis of permutation-
only multimedia ciphers, in recent years, many permutation-
only ciphers have been proposed for the protection of mul-
timedia data, including digital images [15], [17], [18] and
video [16], [19], [20]. This is mainly because the above-
mentioned cryptanalytic methods can only be applied to
specific encryption methods and cannot be generalized to a
wider class of permutation-only multimedia ciphers [24]–[27].
In addition, even the best known methods of known/chosen-
plaintext attacks ([28] and [29]) cannot ensure the complete
retrieval of the correct plaintext content, and hence, it is still
ambiguous as to whether the security of permutation-only
image ciphers can be effectively improved by designing new
methods to generate better pseudo-random permutations.
This paper presents a cryptanalysis which breaks most (if
not all) permutation-only multimedia ciphers. In fact, it is
shown that all permutation-only image ciphers are completely
broken by chosen-plaintext attacks and no better pseudo-
random permutation mapping can be realized to offer a higher
level of security against chosen-plaintext attacks. For a suc-
cessful attack, we derived a tight lower bound for the required
number n of chosen plain-images, that is, n = dlog
L
(MN)e,
comparing to the currently known results O (dlog
L
(MN)e)
[28], [29], where MN is the size of the image and L − 1
is the maximum color intensity, that is, a color intensity is
specified by l (0 ≤ l ≤ L − 1). The computational complexity
of the proposed attack is O (n · MN). To verify the feasibility
of the proposed attack, experiments were performed on the
recently proposed permutation-only image ciphers by Rahman
et al. [16] and Fu et al. [17]. Our experimental results support
the theoretical results that pseudo-random permutations alone
cannot provide sufficient security against chosen-plaintext at-
tacks. Compared to the state of the art cryptanalytic methods
of [28] and [29], which partially (quantitatively) determine
the permutation mapping, our chosen-plaintext attack gives a
precise procedure for the careful construction of the required
chosen plain-images, and therefore, completely discloses the
correct permutation mapping with less data and computational
complexity.
The rest of this paper is organized as follows. Section 2
reviews the related work in the cryptanalysis of permutation-
only image ciphers. In section 3, the procedure of the chosen-
plaintext attack is described. Section 4 overviews two typical
permutation-only image ciphers (case studies) proposed by
Rahman et al. [16] and Fu et al. [17]. Experimental results are
shown in Section 5 to support the theoretical cryptanalysis.
Section 6 discusses the advantages of the proposed chosen-
plaintext attack in comparison to the state of the art crypt-
analyses. Finally, the last section concludes the paper.
II. RELATED WORK
The security of permutation-only image ciphers has been
extensively studied. These cryptanalytic studies are briefly
described as follows. In [24], Matias and Shamir analyzed the
security of early permutation-only image encryption schemes
used in analog broadcasting systems. The prominent feature
of such ciphers were that they utilized fewer numbers of
permutations with shorter domains, with the intention of
keeping the bandwidth increase of the encryption process as
low as possible. This made the early permutation-only image
encryption schemes more vulnerable to correlation attacks,
implying that the high correlation properties remaining in the
permuted images could be employed to restore the image. To
address the correlation issues, Matias and Shamir proposed
a permutation-only scheme which scanned pixels in a highly
irregular scanning pattern using a pseudo-random space filling
curve. Bertilsson et al. [25] then showed that Matias and
Shamir’s permutation method is vulnerable to a ciphertext-
only attack. They showed that the pixel data could be reordered
according to a space-filling curve, and hence, the plain-image
could be partially recovered by exploiting the correlation
between subsequent frames.
Later, Kuhn [26] presented a more advanced approach
to break the video signal scramblers commercially em-
ployed within pay-TV conditional access encryption systems
[30], such as EuroCrypt, VideoCrypt and Nagravision, using
ciphertext-only attacks. Kuhn showed that the long portion of
the permuted lines/segments makes the correlation attacks on
the scrambling algorithm feasible by comparing and matching
lines/segment portions. Li et al. [27] then extended Kuhn’s
work by analyzing the permutation domain of particular image
encryption schemes with longer permutation domains, such
as the row-column permutation-only encryption scheme of
[14]. Despite the efforts made to improve the performance of
previous ciphertext-only attacks, these attacks are only appli-
cable to schemes whose permutation domains are considerably
smaller than the size of input images. Indeed, increasing the
permutation domain makes the correlation analysis, and hence
the ciphertext-only attacks, computationally cumbersome.
To reduce the complexity of the exhaustive key search
(a ciphertext-only attack), Li et al. [28] provided a gen-
eral cryptanalysis (a known-plaintext attack and a chosen-
plaintext attack) based on the quantitative relation be-
tween the breaking performance and the number of required
known/chosen plaintexts. They showed that the number n of
required known/chosen plain-images to perform a successful
known/chosen-plaintext attack on a permutation-only cipher
is O (dlog
L
(MN)e), where M N is the size of the image
and L is the number of color intensities. They also detailed
a procedure for the implementation of their attack which
has O
n (M N)
2
complexity, where n is the number of
1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2015.2489178, IEEE Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 3
known/chosen plain-images. Further, Li and Lo [29] improved
the implementation performance of Li et al.’s cryptanalysis
by reducing its computational complexity to O (n (M N)).
As explained in [29], the improvement in computational
complexity is obtained by employing a multi-branch tree
instead of the complex intersection operations in Li et al.’s
attack. Despite the good recovering performance of the Li
et al.’s cryptanalysis, it is not complete and cannot precisely
identify the correct elements of the input plain-images with
regard to chosen-plaintext attacks. This is mainly because Li
et al.’s cryptanalysis is under the assumption of a uniform
distribution of all entries in the plain-image. The distribution
of color intensities in most natural images is not uniform.
More importantly, as explained in [28], Li et al.’s cryptanalysis
can only determine a portion of the correct elements, that is,
almost half of the elements, and predicts the other elements
either by using image processing techniques or by inputting
additional plain-images. Indeed, finding the exact value of
unknown elements of an image by its partially known elements
is hard.
III. PROPOSED CHOSEN-PLAINTEXT ATTACK
Before we elaborate the proposed chosen-plaintext attack,
the following definitions are given to describe a permutation-
only image cipher.
Definition 1: Let S = {s | s = 0, 1, . . . , MN − 1} denote
the set of entry locations for an image with size M × N.
Definition 2: Assume that locations of image entries are
scanned in a raster order and they are enumerated by non-
negative integers, which are chosen from the set of entry
locations. Let R denote the matrix of entry locations, that
is,
R =
0 1 · · · N − 1
N N + 1 · · · 2N − 1
.
.
.
.
.
.
.
.
.
.
.
.
(M − 1) N (M − 1) N + 1 · · · MN − 1
. (1)
Definition 3: Let P and C denote the plain-image and
cipher-image, respectively. Note that each plain-image or
cipher-image is represented by an M × N matrix, where the
entry of such a matrix at position s corresponds to color
intensity. For any s (0 ≤ s ≤ MN − 1), let p (s) and c (s)
be the color intensities at the position s of the plain-image
and cipher-image, respectively.
Definition 4: Let X be a finite set. Permutation Π
k
: X → X
is a bijection which maps the elements of X to itself. Each
secret key k ∈ K assigns a different permutation.
Definition 5: A permutation-only image cipher ρ is defined
by a permutation which, given a secret key k, maps any
entry location s (0 ≤ s ≤ MN − 1) of a plain-image to its
corresponding location ρ
k
(s) in the cipher-image, where ρ
k
is a permutation determined by k.
The permutation-only image cipher is pseudo-random if it
permutes the location of plain-image entries, with an approx-
imate uniform probability, from the set of all possible (#S)!
arrangements.
Let us now explain the procedure of the proposed chosen-
plaintext attack. Deducing the permutation mapping ρ
k
is
equivalent to finding the secret key k. Hence, the problem
of breaking the cipher is defined as an attempt to deduce the
permutation mapping without any prior knowledge of the key.
Consider the adversary as an oracle machine which has access
to the encryption and decryption functions, that is, ρ
k
and
ρ
−1
k
. The adversary asks n number of ρ
k
or ρ
−1
k
queries to
obtain a set of n plain-image and cipher-image pairs, that is,
∂ = {(P
i
, C
i
) | i = 1, 2, . . . , n}.
Proposition 1: For any i (1 ≤ i ≤ n) and j (1 ≤ j ≤ n),
if either P
i
= P
j
or C
i
= C
j
, then i = j and pairs (P
i
, C
i
)
and (P
j
, C
j
) are identical.
Proof: This proposition is an obvious result, because the
cipher is defined by a bijective permutation.
Definition 6: Given n pairs of plain-images and
cipher-images, namely, (P
1
, C
1
) , (P
2
, C
2
) , . . . , (P
n
, C
n
),
for any pair number r (1 ≤ r ≤ n), source location
s (0 ≤ s ≤ M N − 1), target location t (0 ≤ t ≤ MN − 1),
and color intensity l (0 ≤ l ≤ L − 1), where MN is the size
of the image and L − 1 is the maximum color intensity, the
equivalent set J
r
(s) is defined as a set of target locations
in the r-th cipher-image, whose values are equal to the color
intensity l of the s-th location in the r-th plain-image, that is,
J
r
(s) = {t | c
r
(t) = p
r
(s) , (0 ≤ t ≤ M N − 1)} . (2)
Obviously, by definition, the following condition holds for
the equivalent sets:
MN −1
[
s=0
J
r
(s) = {t | t = 0, 1, . . . , M N − 1} . (3)
For any r (1 ≤ r ≤ n), each pair of plain-images and
cipher-images, that is, (P
r
, C
r
), involves two matrices with
values assigned to entries. Consider the set S of entry locations
in the plain-image. As explained in the beginning of this
section, the permutation mapping ρ (see Definition 5) maps
the source locations in the plain-image to the target locations
in the cipher-image. To uniquely determine the permutation
mapping, it is sufficient to study the arrangement of distinct
entries in the pair of plain-images and cipher-images. In
the case that all entries are assigned distinct values, the
permutation is uniquely determined by a single pair. However,
the set of color intensities, that is, {0, 1, . . . , L − 1}, is finite
and the images under study may have more than L entries.
Therefore, for any r (1 ≤ r ≤ n) and s (0 ≤ s ≤ M N − 1),
by the pigeonhole principle the cardinality of some equivalent
sets #J
r
(s) may not equal 1, and it is thus difficult to
deduce a unique permutation mapping by knowing only one
pair of plain-images and cipher-images. Hence, we need to
have enough pairs of plain and cipher-images to determine
the target location where each source location is mapped into.
Therefore, the interest lies in using a collection of pairs,
all of which have repeated values, to uniquely determine
the underlying permutation. Clearly, the mapping of location
s is uniquely determined if for any s (0 ≤ s ≤ MN − 1)
and r (1 ≤ r ≤ n), the equivalent sets J
r
(s) intersect in a
singleton, that is,
T
n
r=1
J
r
(s) = {ρ (s)}, and hence it is
1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2015.2489178, IEEE Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 4
sufficient to determine the permutation ρ if this is true for
all s. Two further questions then appear:
• Is this condition sufficient to determine unique ρ?
• With what accuracy and computational cost can the
mapping ρ be determined from sufficient pairs?
To answer these questions, we need to find a relationship
among the number of plain-image/cipher-image pairs n, the
number of locations M N and the number of assigned values
in the locations L. To perform a successful chosen-plaintext
attack, it is necessary to find a lower bound on the number
of required pairs. However, it is possible for two given pairs
to be related by a permutation on the color intensities, such
that both pairs give the same information regarding possible
plain-image and cipher-image locations. Thus, a useful bound
on the number of required pairs will entail some restriction
that avoids this possible redundancy.
A best case in connection with lower bounds on pairs can
be sharply stated as follows:
Lemma 1: Given L color intensities and MN locations,
for any permutation ρ, which is applied to get the respective
cipher-images, there exist n ≥ dlog
L
(MN )e, such that ρ is
uniquely determined by making use of n pairs of plain-images
and cipher-images.
Proof: Consider dlog
L
(MN )e plain-images constructed
by the dlog
L
(MN )e digit expansions in radix L for s =
0, 1, . . . , M N −1 in respective locations. Taken the positional
digits sequentially, these values uniquely label each of the
MN locations, and therefore ρ is uniquely determined by
finding the target locations which exactly match the source
labelling. For instance, if M = N = L = 2, then 2 plain-
images can be constructed by 2 digit expansions in radix 2
for s = 0, 1, 2, 3, that is, s
0
= 00, 01, 10, 11. The construction
procedure of the chosen plain-image/cipher-image pairs is
depicted in Figure 1.
Source image
0 1
2 3
2 digit expansion in radix 2
−−−−−−−−−−−−−−−−→ Expanded source image
00 01
10 11
,
Plain-image #1 from bit-plane 0
0 1
0 1
Encryption ρ
−−−−−−−→ Cipher-image #1
ρ (0) ρ (1)
ρ (0) ρ (1)
,
Plain-image #2 from bit-plane 1
0 0
1 1
Encryption ρ
−−−−−−−→ Cipher-image #2
ρ (0) ρ (0)
ρ (1) ρ (1)
.
Fig. 1. Construction procedure of the chosen plain-image/cipher-image pairs
for M = N = L = 2.
If fewer pairs are used, that is, n < dlog
L
(MN )e, then by
counting the possible sequences of L values for each location,
that is L
n
< MN , it is easy to verify that there would
be less numbers than MN available locations. Thus, by the
pigeonhole principle at least two locations would get the same
source values in all pairs. It follows for any permutation ρ that
we would be unable to distinguish between the mapped target
locations.
We can now prove the following result.
Theorem 1: The number of required chosen plain-
images n to perform a successful chosen-plaintext attack
on a permutation-only image encryption algorithm is n =
dlog
L
(MN )e.
Proof: This theorem is an obvious result of Lemma 1.
Theoretically, the permutation mapping can be easily deduced
using an input matrix of size M N whose entries are sequen-
tially labelled with distinct values 0, 1, . . . , M N. However,
this is not practical because the encryption/decryption machine
is only defined for entries of at most L−1, which is usually less
than the number of entries. Therefore, to make the attack fea-
sible, the entries are firstly expanded by dlog
L
(MN )e digits
with radix L. This matrix is then separated into dlog
L
(MN )e
numbers of plain-images based on the digit positions in radix
L. Once permutation ρ is applied to the plain-images, it
produces dlog
L
(MN )e cipher-images with entries in radix
L. A combination of cipher-images using the positional digits
reveals the mapped locations of the original locations.
To illustrate the attack procedure, consider a 5 × 5 matrix
case.
1) If L = 1, no further progress can be made toward deter-
mining the permutation, since the only plain-image/cipher-
image pair has all entries assigned equal values.
2) If L = 2, then the permutation can be determined by
dlog
2
(25)e = 5 pairs of plain-images/cipher-images. One
way to see this is to construct an input matrix P
1
with 5-bit
binary expansions for the 25 locations s = 0, 1, . . . , 24:
P
1
=
00000 00001 00010 00011 00100
00101 00110 00111 01000 01001
01010 01011 01100 01101 01110
01111 10000 10001 10010 10011
10100 10101 10110 10111 11000
. (4)
Splitting this matrix into five binary source matrices based
on bit positions, and application of the permutation ρ to
these, produces five binary target matrices. When these
matrices are recombined using positional bits, the mapped
locations of the original locations s = 0, 1, . . . , 24 will be
revealed.
3) If L = 3, then a similar treatment requires only
dlog
3
(25)e = 3 plain-image/cipher-image pairs. The origi-
nal locations s = 0, 1, . . . , 24, can be expanded to 3 digits
in ternary representation. Hence,
P
2
=
000 001 002 010 011
012 020 021 022 100
101 102 110 111 112
120 121 122 200 201
202 210 211 212 220
. (5)
Then, plain-images whose entries are 0, 1 and 2 are
generated by splitting this matrix into three. Cipher-images
are then generated by applying the permutation to all
three plain-images. Recombining target matrices as radix
3 values gives the permuted locations of s = 0, 1, . . . , 24,
as required to determine the permutation.
4) Until one gets L ≤ 24, more than one pair is necessary
to deduce the permutation, as per the pigeonhole principle,
some value has to be used more than once in a pair.
Next, we discuss whether it is possible to maximize the
attack performance by choosing fewer than dlog
L
(MN )e
pairs. This can only happen when the available pairs are well
chosen. However, finding the exact minimum number of pairs
