### Transcription

1Image Encryption by Pixel Property SeparationKarthik Chandrashekar Iyer and Aravinda SubramanyaAbstract— Pixels in an image are essentially constituted of two properties, position and colour. Pixel Property Separation, a radically differentapproach for Symmetric-key image encryption, separates these properties to disturb the semantics of the image. The scheme operates in twoorthogonal stages each requiring an encryption key. The first stage creates the Position Vector, an ordered set of Pixel Position Information controlledby a set of plaintext dependent Random Permutations. A bitmap flagging the presence of all the 24 bit colours is generated. The second stagerandomly positions the image width and height within the ciphertext and finally applies a byte transposition on the ciphertext bytes. The complete setof image properties including width, height and pixel position-colour correlation are obscured, resulting in a practically unbreakable encryption. Theorthogonality of the stages acts as an anti-catalyst for cryptanalysis. The information retrieved from compromising a stage is totally independent andcannot be used to derive the other. Classical cryptanalytic techniques demand huge number of attempts, most failing to generate valid encryptioninformation. Plaintext attacks are rendered ineffective due to the dependency of the Random Permutations on the plaintext. Linear and Differentialcryptanalysis are highly inefficient due to high Diffusion and Confusion. Although the paper describes the algorithm as applied to images, itsapplicability is not limited to images only. The cryptographic strength is independent of the nature of the plaintext.Index Terms— Pixel Property Separation, Image Encryption, Cryptanalytic Error Avalanche Effect, random colour permutation, security,cryptography, pixel position, pixel colour, plaintext attack, confusion, diffusion.1I NTRODUCTIONIMAGE and data security is a major challenge in Storage and Transmission applications. Encryptionalgorithms for these applications are exposed to various threats and security breaches due to theavailability of immensely powerful and inexpensive computational resources. Brute Force and Statisticalattacks on the existing cryptographic algorithms is not only possible, but are becoming more practical inthe wake of technological advancements like Distributed and Grid Computing. Vast amounts of data canbe processed in parallel by agents distributed over the Internet and aid in revealing secure information.Several data encryption algorithms like DES [1], AES[1], IDEA[1] are being employed for protectingdigital information, chaos based [5][17], combinatorial permutation [13] and optical techniques [12] are alsoproposed for encrypting images. Along with these developments in the security domain, the vulnerabilityof the algorithms are also being exposed. It is possible to build a machine that can determine the keyused for DES encryption at a cost as low as US 10000 [16]. It is also vulnerable to Linear and Differentialcryptanalysis or a combination of both. Techniques like the Side Channel Attack and several Cache TimingAttacks have been developed to compromise AES algorithm and retrieve the encryption key in as less as65ms with 800 write operations [6]. Chaos based techniques like the CKBA are prone to plaintext attacks[7] and algorithms using combinatorial permutations are as strong as the permutation of the least sizedblock even if they apply multiple permutations over different sized image blocks.Applications in the Automobile, Medical, Construction and the Fashion industry require designs,scanned data, building plans and blue-prints to be safe-guarded against espionage. Considering thelong lifetime of images in the mentioned domains, it is imperative to develop and employ techniqueswhich protect the content throughout their lifetime.A novel image encryption technique based on Pixel Property Separation is proposed in this paper. Thepixel position and the colour are separated and encoded using a set of Random Permutations. Thealgorithm conceals the image colour-position correlation, the colour information and the image size.The concealment of the image size considerably enhances the cryptanalytic complexity. The Ciphertextonly attack is practically impossible while the plaintext and the differential attacks fail to reveal usefulencryption information. The algorithm is robust against Plaintext attacks due to the utilization of Plaintext Dependent Random Permutations ([18],[19]) to separate pixel properties. The time required for asuccessful Brute Force Attack is huge attributing to the high key lengths and orthogonality of encryptionstages. Hence it is not likely to be broken by brute force methods using any existing technology. K. C. Iyer and A. Subramanya are with the DSP Software Centre, Innovation Center, Business Unit Home, NXP Semiconductors (formerly PhilipsSemiconductors), Bangalore - 560 045, India.E-mail: [email protected], [email protected]@nxp.com, [email protected]

2The organization of the paper is as follows. Section 2 describes Pixel Property Separation, section 3explicates and illustrates the encryption scheme. Section 4 and 5 discuss in detail the various cryptanalyticattacks and the encryption strength. The last section presents the simulation results. A mathematicalmodel for the encryption algorithm has been presented in the appendix.2P IXEL P ROPERTY S EPARATIONPixels in an image are essentially constituted of two properties, pixel position and pixel colour. The pixelposition is defined by the (x, y) co-ordinates indicating the horizontal and vertical distance of the pixelfrom (0, 0) and the colour value can be a RGB colour or a greyscale value. Pixel Property Separation is anencoding technique that separates the pixel position and colour and represents them as distinct vectors.The separation process results in two ordered vectors, the Position Vector P os representing the pixelpositions and the Colour Bitmap Vector CBM that represents the colours. The vectors are defined asfollows.1) The Position Vector P os is an ordered set of pixel co-ordinate positions. This vector bears a positionentry for each pixel in the input image. For each (x, y) position entry, the P os vector also indicatesby a flag f lg whether an entry is the last entry for that colour. A flag value of 1 indicates that theentry is the last for that colour, a value of 0, otherwise.2) The Colour Bitmap CBM is an ordered set of bits(flags) that indicate the presence of a colour Cin the input image. The number of bits in CBM is equal to the number of colours in the coloursystem used by the image. For example, if the image uses a 24 bit RGB colour system, then theCBM would be composed of 224 flags indicating the presence of the 224 RGB values. A flag valueof 1 indicates the presence of a colour and a value 0, otherwise.These two vectors in combination, completely represent the image. The following illustration describesthe technique.Consider a system S of 6 colours C0 through C5 , S {C0 , C1 , C2 , C3 , C4 , C5 }. Let img be a colour imagewith width W 3 and height H 3 and be composed of a set of 4 colours, {C0 , C1 , C2 , C4 }. Figure 1depicts the image img. For a better understanding of the technique, we represent the input image imgas depicted in Figure 1b where pixels are grouped based on their colour. The input image is initiallyscanned to group pixels based on their colour. The Position Vector P os is created as follows. For eachFig. 1: Input image representation a. Original b. Colour based pixel groupingcolour C S , starting from C0 to C5 , the (x, y) positions of the pixels bearing C is augmented to P os.Flag f lg is also entered for each pixel considered. For example, there are 4 pixels bearing the colour C0 .The position of the first pixel bearing C0 is (0, 0) and it is not the last pixel bearing C0 . Hence the firstentry in P os is {(0, 0) , 0}. Considering the second and third pixels bearing C0 , the next two entries inP os are {(2, 1) , 0} and {(0, 2) , 0}. Pixel (1, 2) is the last pixel bearing colour C0 . Hence the P os entry forthat pixel is {(1, 2) , 1}. Hence, for the colour C0 , P os [{(0, 0) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(1, 2) , 1}]. Similarly,1) Considering C1 , P os [{(0, 0) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(1, 2) , 1} , {(2, 0) , 1}]2) Considering C2 , P os [{(0, 0) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(1, 2) , 1} , {(2, 0) , 1} , {(0, 1) , 0} , {(1, 1) , 0} , {(2, 2) , 1}]3) Considering C3 . Since there are no pixels in img bearing C3 , no entries are made for C3 .4) Considering C4 , P os [{(0, 0) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(1, 2) , 1} , {(2, 0) , 1} , {(0, 1) , 0} , {(1, 1) , 0} , {(2, 2) , 1} , {(1, 0) , 1}]5) Considering C5 . Since there are no pixels in img bearing C5 , no entries are made for C5 .The Position vector P os for the image img isP os [{(0, 0) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(1, 2) , 1} , {(2, 0) , 1} , {(0, 1) , 0} , {(1, 1) , 0} , {(2, 2) , 1} , {(1, 0) , 1}]As stated earlier, the Colour Bitmap CBM enters a flag for each colour in the system S indicating thepresence of that colour in img. Since, the colour C0 is present in img, the first entry in CBM is a ’1’. Thenext two entries in CBM are ’1’s since both C1 and C2 are present. None of the pixels in img bear colour

3C3 and hence the CBM entry for C3 is a ’0’. Similarly, the CBM entries corresponding to C4 and C5 are’1’ and ’0’. Hence, CBM [1, 1, 1, 0, 1, 0]It can be noted that the vectors P os and CBM together, completely represent the input image img.This can be shown by reconstructing img using only P os and CBM . The decoding process is describedbelow.The first entry of CBM is a ’1’ and hence colour C0 is present in img. Since the same colour orderC0 through C5 is used to create both P os and CBM , the first entry {(0, 0) , 0} in P os corresponds to C0 .Hence, the pixel with position (0, 0) bears colour C0 . Hence, img (0, 0) C0 . Since, the first P os entrybears a f lg value of ’0’, it is not the last pixel bearing C0 . Hence, the pixel corresponding to the secondentry {(2, 1) , 0} in P os also bears colour C0 , img (2, 1) C0 . Similarly, corresponding to the third and thefourth entry in P os, img (0, 2) C0 and img (1, 2) C0 . But the f lg value of the fourth entry in P os is ’1’meaning that there are no more pixels bearing colour C0 . For the fifth entry in P os, the next colour inCBM is considered. The second entry in CBM corresponds to colour C1 and has a value ’1’. Hence, forthe the fifth entry in P os, colour C1 is considered. Similarly, img (2, 0) C1 , img (0, 1) C2 , img (1, 1) C2 , img (2, 2) C2 and img (1, 0) C4 .It can be noted that the pixel position information and the colour information are completely separatedand have been encoded as two distinct ordered vectors. Though it is straight forward to reconstruct theinput image using P os and CBM , the advantage of such a representation of images ( or any form ofdigital data ) is as follows:1) The P os vector is composed of numbers from 0 to W and 0 to H . This information is obvious ifthe image width and height is known.2) no information regarding the colours is revealed. CBM encodes the colours as a bit sequence3) the Pixel Position-Colour correlation that defines the semantics of an image, is completely disturbed.Digital Representation of P os and CBM : Each entry in the P os vector is composed of three elements.The ’x’ and the ’y’ co-ordinates of the pixel considered and the flag f lg indicating if the pixel is thelast entry for that colour. Since the flag f lg can take only two values ’0’ or ’1’, one digital memory bitis sufficient to represent it. The value of the ’x’ co-ordinate defines the relative horizontal distance of apixel from the origin (0, 0) and can not exceed the image width W . Hence the number of bits necessaryto represent the ’x’ co-ordinate of any pixel is given by bw.bw If (W 2), then 1, else, (dlog2 (W )e) bitsSimilarly, the number of bits necessary to represent the ’y’ co-ordinate of any pixel is given by bh.bh If (H 2), then 1, else, (dlog2 (H)e) bitsHence, the number of bits used to represent an entry in the P os vector is (bw bh 1) bits. Consideringall the W H entries in the P os vector, the number of bytes required to represent the P os vector isSize (P os) d((bw bh 1) (W H)) /8e bytesFor the image img, bw bh 2. Hence, each entry in P os vector is represented using 5 bits and theentire vector is represented using 45 bits. The P os vector can be represented as:P os [(00000) , (10010) , (00100) , (01101) , (10001) , (00010) , (01010) , (10101) , (01001)]Finally, the P os vector is represented as an ordered set of integers by packing 8 bits in sequence. Forexample, the first integer with value ’4’ is formed by packing 5 bits of the first P os entry and 3 bits ofthe second entry. The second integer with value ’136’ is formed by packing 2 bits from the second P osentry, 5 from the third and one bit from the fourth P os entry. Similarly, the encoding continues until thelast bit in P os. Since the P os vector is composed of 45 bits, the last 5 bits (last P os entry) are paddedwith three ’0’ bits. The final representation of the P os vector is given by P os [4, 136, 216, 137, 85, 72].The CBM vector, by definition is a set of 224 flags (considering 24 bit RGB colours), each of which canbe represented by a single bit. Since CBM is a sequence of ’1’s and ’0’s, it can be coded as a sequenceof bytes representing runs of subsequent ’1’s and ’0’s. It can be noted that the exact number of bytesrequired to represent CBM depends on the composition of CBM . The CBM vector for image img can becoded as CBM [1, 3, 1, 1, 1], indicating that the first 3 bits are ’1’s followed by ’0’, ’1’ and ’0’. The techniqueused in this example encodes the first byte with the value of the first bit in CBM . The second byteencodes the run of the bit type represented by the first byte. Subsequent bytes alternatively encode theruns of 1s and 0s (0s and 1s). It shall be noted that the encryption technique is independent of the codingtechnique used.

4This section has clearly described the concept of Pixel Property Separation and the representation ofimages using the vectors P os and CBM . The next section develops the encryption algorithm based onthis technique.3E NCRYPTIONBYP IXEL P ROPERTY S EPARATIONThe Encryption scheme is a Secret Key Algorithm requiring 2 keys . It operates on the input plain imageimg with width W and height H , the two encryption keys key1 and key2 and generates the encryptedimage img0 with width W 0 and height H 0 (representing the ciphertext as img 0 with W 0 H 0 pixels isoptional, the ciphertext can be represented as a byte sequence). The input plain image uses a coloursystem S composed of s colours, the number of distinct colours in img being s. For a 24 bit RGBcolour space, S is the set of all colour values from 0 to 224 1 and s 224 . The scheme uses theencryption keys to generate a set of Random Permutation RP s to separately encode the pixel positionand colour. The composition of the RP s cannot be determined by the keys alone. This is because, thegeneration of a permutation in any iteration not only depends on the key, but also depends on the resultsof the previous iteration. Hence, the RP s used in this encryption scheme depend both on the key andthe plaintext. This renders the technique robust against Plaintext Attacks.Encryption by Pixel Property Separation (EA) is completely based on the technique of separating pixelposition and colour. To achieve better encryption strength, the basic design (BD) of separating pixelproperties, explained in the previous section has been modified. The following enlists the modifications.1) EA uses N RP number of RP s (RP1 , RP2 , . . . , RPN RP ) to create the P os vector while BD used onlyone permutation with colour order [C0 , C1 .Cs ]2) EA uses one of the s! (224 ! for 24 bit RGB colours) random colour permutations composed of allthe colours in S as its first permutation. This is used as the first permutation RP1 in the creationof the P os vector and is also used to create the CBM . BD uses a known colour order [C0 , C1 .Cs ]which is not randomly picked.3) For any colour C S considered for processing in an RP , EA places exactly one pixel’s position(x, y) in the P os vector, while BD placed the positions of all the pixels bearing colour CAt any stage in the encryption scheme, the RP s are used to define a random colour order. The numberof elements in the first permutation RP1 is equal to that of the set S . RP1 needs to consider all the coloursin S as it is also used to generate the vector CBM . RP1 defines a random colour order for all the coloursin S . The size and the composition of the remaining (N RP 1) RP s, RP2 through RPN RP , depend onthe number of colours available for processing at the point of generation of the RP . In the illustrationof Section 2, the colour order [C0 , C1 , C2 , C3 , C4 , C5 ] can be regarded as RP1 and it defines an order forall the colours C0 through C5 . Hence, the size of RP1 is 6. Applying modification 3 to this illustrationwould result in the consideration of one pixel each of colours C0 , C1 , C2 and C4 in the first iterationusing RP1 . It can be noted that the order of colours considered is same as that in RP1 . For the seconditeration, colours C1 , C3 , C4 , and C5 can be discarded as there are no pixels bearing these colours. Hencefor RP2 , there remain only two colours C0 and C2 that need an order. RP2 would then be composed oftwo elements. After the second iteration, there remain three pixels for processing, bearing two distinctcolours C0 and C2 . Hence, the number of elements in RP3 is 2.It can be noted that each RP defines a colour order for the pixels considered for processing. However,after the third iteration, there remains only one pixel at position (1, 2) bearing C0 . Since there is onlyone colour available for processing, there cannot be a colour order defined. Hence, for the image imgin Figure 1, three permutations RP1 , RP2 and RP3 suffice to create the P os vector. Hence, the value ofN RP for img is 3. The value N RP (Number of Random Permutations) makes sure that there are enoughRP s available to define a colour order for pixels, processed at the rate of ’one pixel per colour per RP ’,until there are pixels to be processed in the plaintext bearing at least two colours. The key key1 is usedto generate the N RP permutations RP1 to RPN RP . The derivation of N RP for an image can be foundin the Appendix.It can be noted that the value of N RP , the number of elements and the composition of the permutationsRP2 through RPN RP depends on the number of colours available for processing at any point in theencryption process. This in turn depends on the number of pixels bearing each colour C S in theplaintext. Hence, the size and the composition of the random permutations used to create the P os vectordepends on both the key1 and the plaintext. This greatly increases the cryptanalytic complexity andrenders the technique robust against Plaintext Attacks.The vector CBM is created using the first permutation RP1 , coded and digitally represented asdescribed in the previous section. The ciphertext is formed by concatenating the P os and the CBMvectors. The ciphertext bytes are finally shuffled using a random permutation. However, before the finalshuffle, the encryption technique carries out two steps described below.

5If the ciphertext needs to be represented as an image img’, the ciphertext bytes needs to be padded torender img’ as a rectangular image with integral values for W 0 and H 0 and with each pixel composedof 3 bytes (considering 224 colours). The values for the padding bytes needs to be randomly chosen andshould not follow any pattern. The padding bytes are augmented to the ciphertext bytes before applyingthe final shuffle. Vector P [P0 , P1 , . . . , Pp 1 ] gives the padding bytes where p is the number of paddingbytes necessary. It shall be noted that this is an optional step and hence need not be carried out by animplementation. The determination of the number and the values for the padding bytes is not discussedin this paper.From the previous section, it can be noted that each entry in the P os vector can be digitally representedusing (bw bh 1) bits. To correctly decode such a bit-packed P os vector, the knowledge of bw and bhis necessary. Without these values, it is not possible to discern how many bits are to be considered forthe ’x’ and the ’y’ co-ordinate entries. Hence, the image width W and the height H values need toencoded as part of the ciphertext. The cryptanalytic complexity can be greatly increased if these valuesare randomly placed within the ciphertext. Since the values of W and H is not known, the cryptanalystneeds to attempt decryption considering all possible combination of bw and bh values to decode the P osvector. Section 4.2 derives an equation for the number of ciphertext byte combinations that need to beextracted from the ciphertext to list all possible candidates for W and H . Assuming a maximum value of65535 for W and H , the encryption technique uses two bytes each (W1 , W2 ) and (H1 , H2 ) to represent Wand H respectively, with W1 , H1 being the lower and W2 , H2 , the higher bytes. The technique randomlyplaces the four size bytes in the ciphertext after padding. It can be noted that the technique is not limitedto using two bytes to represent W and H . The following example illustrates the encryption technique.Fig. 2: Plaintext Dependent Random PermutationsThe example depicted in Figure 1 has been used to illustrate the technique. Figure 2 depicts the randompermutations used to encrypt img. For img, bw bh 2, N RP 3, W1 H1 0 and W2 H2 3.The first entry in RP1 is ’3’. But from the colour vector CV (Figure 1), it can be noted that no pixelbears C3 . Hence, there are no P os entries corresponding to C3 . Since no pixels bear C5 , there are no P osentries corresponding to the second entry ’5’. The third entry in RP1 corresponds to colour C0 and hencethe first entry in P os is {(0, 0) , 0}. Similarly, the P os entries corresponding to colours C4 , C2 and C1 (inthat order) are {(1, 0) , 1}, {(0, 1) , 1} and {(2, 0) , 1}. Let noc represent the number of distinct colours inimg (noc 4 in this example). It can be noted that in this technique, RP1 processes exactly noc pixels.For RP2 , only C0 and C2 remain for processing. The first entry in RP2 is ’1’, which picks the secondavailable colour for processing in CV , which is C2 . Hence, the fifth entry in P os is {(1, 1) , 0}. Similarly,after processing all pixels, the P os vector corresponding to img and the permutation set in Figure 2 isgiven byP os [{(0, 0) , 0} , {(1, 0) , 1} , {(0, 1) , 1} , {(2, 0) , 1} , {(1, 1) , 0} , {(2, 1) , 0} , {(0, 2) , 0} , {(2, 2) , 1} , {(1, 2) , 1}] [2, 71, 21, 72, 149, 104]Vector CBM is created using the colour order defined by RP1 . CBM [0, 0, 1, 1, 1, 1] [0, 2, 4].P os and CBM are concatenated to form the vector P B with pb elements.P B [P os, CBM ] [2, 71, 21, 72, 149, 104, 0, 2, 4], pb 9As mentioned earlier, the values W1 , H1 , W2 and H2 need to be placed at random positions within theciphertext. But the size of the ciphertext after placing these bytes would be pb 4 13, which is not amultiple of 3. P B needs to be padded with two bytes P0 and P1 to make the ciphertext size equal to 15.Let P0 157 and P1 43.P B 0 [P B, P0 , P1 ] [2, 71, 21, 72, 149, 104, 0, 2, 4, 157, 43]To determine the random positions for the 4 size bytes within P B 0 , the key key2 is used to generate aRandom Permutation SP composed of (pb p) numbers (11 in this example) with values ranging from 0to (pb p 1). The first four entries of SP are used as byte positions to place W1 , H1 , W2 and H2 withinP B 0 to create vector F 0 with f (pb p 4) elements. Considering SP in Figure 2,

6F 0 [H1, 2, 71, 21, W 2, 72, H2, 149, 104, 0, 2, 4, W 1, 157, 43] [0, 2, 71, 21, 3, 72, 3, 149, 104, 0, 2, 4, 0, 157, 43], f 15Finally, the vector F 0 is transposed using a random permutation T P with f elements with values rangingfrom 0 to (f 1). Key key2 is used to generate T P . F T P (F 0 ) F0 , F1 , . . . , Ff 1 [149, 2, 72, 21, 4, 157, 0, 71, 104, 3, 2, 3, 0, 0, 43]The ciphertext size is f 15 bytes and is composed of nop (f /3) 5 pixels. Starting from the set[F0 , F1 , F2 ], each set of 3 bytes in sequence represents a pixel. The values W 0 and H 0 are any two factorsof nop such that W 0 H 0 nop. Assuming W 0 5 and H 0 1, the cipher image img 0 is given by,9765448413774371828019712343C RYPTANALYSISThis section explicates the different techniques for cryptanalysis. The Brute Force and the Plaintext attackshave been analysed. Differential Cryptanalysis has been discussed as part of Section 5.4.1 Brute Force AttackIn a Brute Force Attack, the algorithm implementation is considered as a black box and all valid keycombinations are attempted until the correct key is discovered. The complexity of such an attack dependson the size of the keys used for encryption.Key Size key1: The maximum size of key1, N BK1 , for a given plain image depends on the valueof N RP and the number of elements in each of the N RP permutations. The first permutation RP1 iscomposed of 224 numbers that can be arranged in 224 ! ways. If noci represents the number of coloursavailable for processing for permutation RPi , then for a given plain image, the maximum number of key bits in key1 is N BK1 log2 224 ! (dnoc2 !e) (dnoc3 !e) . . . , (dnocN RP !e) . However, an implementation canchoose N BK1 independent of the plaintext. The permutation generator generates one of the 2N BK1possible combinations of N RP permutations.Key Size key2: Key key2 is used to generate SP and T P . Like key1, the size of key2, N BK2 , dependson the ciphertext size (f W 0 H 0 3), which is a variable entity. But, the size of key2 can be chosenindependent of the ciphertext size, because, though the value of (f ) is plaintext/ciphertext dependent,the Random Permutation Generator generates one of the 2N BK2 random permutations of composed of(f ) numbers.In the proposed scheme, it is not possible to individually determine key1 or key2 during decryption.This is because the correctness of the decryption attempts involving key1 or key2 cannot be determineduntil the entire decryption process is complete and the result is verified for correctness. Hence, on average, 2N BK1 N BK2 /2 attempts are required to successfully compromise the keys.Also, the presence of any colour in the plaintext is flagged as a bit in the tuple CBM and hence is notknown to the cryptanalyst. While decryption, as each element P osk is considered, if the pixel img (wk , hk )bearing the colour C is the last pixel of that colour (indicated by f lgk 1), then C is discarded for furtherprocessing, as there are no more pixels of colour C available. The information as to what colours haveto be discarded in RPn is known only after all the colours available for the previous permutation RPn 1have been considered for processing. Hence, for a given set of keys and a given ciphertext, decryption isa sequential process and can not be parallelized. This greatly increases the complexity of the Brute ForceAttack.4.2 Ciphertext only AttackThis method considers different stages in the decryption process and determines the candidates for eachstage without using the encryption keys. The right set of candidates will successfully decrypt the cipherimage. The method consists of the following stages.Reverse Transposition: This is the process of deriving F 0 from the transposed encoded byte vector F . Sincethe size of F is f bytes, there are (f !) possible arrangements, one of them being F itself. Therefore thereare (f )! 1 different possible candidates for F 0 . Since the values of the bytes in F are just numbers,there is no specific signature or references that can prove the validity of the reverse transposition resultas a valid candidate for F 0 . Hence, only after the entire decryption process that the validity of anyreverse transposition result be proved. The average number of complete decryptions to successfully getthe correct solution for this stage is ((f ! 1) /2).

7Derivation of W and H: This step involves the extraction of the randomly placed 4 size bytes W1 ,W2 , H1 and H2 in F 0 . Since W and H are unknown, all possible width and height values have to beconsidered for decryption. There are f P4 ways of choosing 4 out of a set of f bytes. Since 2 bytesrepresent W or H , the plaintext can have a maximum of 65536 65536 pixels, which is not the casealways. If the plaintext supports a maximum size of 4096 4096, then the most significant byte of thewidth and the height cannot exceed the threshold value of 16. All values that exceed this threshold inthe higher byte can be discarded. Also, the set of bytes which result in a value 0 for any of W or H canbe discarded. This knowledge assists in eliminating all invalid byte combinations as candidates for thisstage. Assuming that there are z bytes with value zero and u bytes with value greater than the thresholdand if, M is the no. of combinations such that W or H 0, T is the no. of combinations such that W2or H2 t and M T is the no. of combinations satisfying both M and T , the number of valid candidatesfor this stage is given byV f P4 M T M T 1(1)where, - M z P4 4 (f z) (z P3 ) 2 (z P2 ) (f z) P2 - T u P4 4 (f u) (u P3 ) 5 (u P2 ) (f u) P2 2 (u) (f u) P3- M T 2 (u) (f u) (z P2 ) 2 (z P2 ) (u P2 )M T is added to V because these combinations are internally eliminated twice in the equation, once inM and one more time in

Brute Force and Statistical . scanned data, building plans and blue-prints to be safe-guarded against espionage. Considering the . positions of the pixels bearing C is augmented to Pos. Flag flg is als