Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Tilewise Domain-Separated Selective Encryption for Remote Sensing Imagery under Chosen-Plaintext Attacks

Jilei Sun, Dianhong Wu, Ying Su

TL;DR

This paper proposes Tilewise Domain-Separated Selective Encryption (TDS-SE), where per-tile (and optionally per-frame) keys are derived from a master secret via HKDF with explicit domain separation, and ROI masks are treated strictly as external side information.

Abstract

Selective image encryption is common in remote sensing systems because it protects sensitive regions of interest (ROI) while limiting computational cost. However, many selective designs enable cross-tile structural leakage under chosen-plaintext attacks when secret-dependent transformations are reused across spatial positions. This paper proposes Tilewise Domain-Separated Selective Encryption (TDS-SE), where per-tile (and optionally per-frame) keys are derived from a master secret via HKDF with explicit domain separation, and ROI masks are treated strictly as external side information. Structural leakage is evaluated using two reconstruction-based distinguishers -- a linear model and a lightweight convolutional neural network -- under multiple attack settings. Experiments on RESISC45 and SEN12MS cover ablation tests, cross-position transferability, cross-sample generalization, and ROI-knowledge asymmetry. Results show that per-tile domain separation reduces position-conditioned transfer for the linear probe, and that adding frame freshness improves robustness to imperfect ROI assumptions for the CNN probe. Cross-sample generalization exhibits mixed behavior across settings, consistent with an empirical evaluation perspective, while selective-encryption functionality is preserved under the same tiling and ROI policy. Beyond the method itself, the paper provides a structured protocol for evaluating selective encryption under realistic attacker capabilities.

Tilewise Domain-Separated Selective Encryption for Remote Sensing Imagery under Chosen-Plaintext Attacks

TL;DR

This paper proposes Tilewise Domain-Separated Selective Encryption (TDS-SE), where per-tile (and optionally per-frame) keys are derived from a master secret via HKDF with explicit domain separation, and ROI masks are treated strictly as external side information.

Abstract

Selective image encryption is common in remote sensing systems because it protects sensitive regions of interest (ROI) while limiting computational cost. However, many selective designs enable cross-tile structural leakage under chosen-plaintext attacks when secret-dependent transformations are reused across spatial positions. This paper proposes Tilewise Domain-Separated Selective Encryption (TDS-SE), where per-tile (and optionally per-frame) keys are derived from a master secret via HKDF with explicit domain separation, and ROI masks are treated strictly as external side information. Structural leakage is evaluated using two reconstruction-based distinguishers -- a linear model and a lightweight convolutional neural network -- under multiple attack settings. Experiments on RESISC45 and SEN12MS cover ablation tests, cross-position transferability, cross-sample generalization, and ROI-knowledge asymmetry. Results show that per-tile domain separation reduces position-conditioned transfer for the linear probe, and that adding frame freshness improves robustness to imperfect ROI assumptions for the CNN probe. Cross-sample generalization exhibits mixed behavior across settings, consistent with an empirical evaluation perspective, while selective-encryption functionality is preserved under the same tiling and ROI policy. Beyond the method itself, the paper provides a structured protocol for evaluating selective encryption under realistic attacker capabilities.
Paper Structure (32 sections, 2 equations, 5 figures, 10 tables, 2 algorithms)

This paper contains 32 sections, 2 equations, 5 figures, 10 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Threat Model and Security Objectives
  4. System and Trust Assumptions
  5. Adversary Model
  6. Threat--Metric--Experiment Mapping
  7. Proposed Method: TDS-SE
  8. System Model and Notation
  9. Tile Partitioning and ROI Handling
  10. Per-Frame Freshness and Per-Tile Domain Separation
  11. Tile-Local Encryption Primitive
  12. End-to-End Selective Encryption Procedure
  13. Instantiation and Reproducibility Parameters
  14. Design Rationale
  15. Variant Definitions
  16. ...and 17 more sections

Figures (5)

  • Figure 1: Chosen-plaintext (CPA) interface and information boundary for tilewise selective encryption. The attacker controls plaintext/ROI queries and observes the public transcript $(q_t,C_t,N_t)$, while $K_{\mathrm{master}}$ and derived per-tile keys remain hidden. The ROI mask is treated as external side information and does not derive secret state.
  • Figure 2: End-to-end architecture of TDS-SE. A fresh public nonce provides per-image freshness; HKDF derives independent per-tile keys to prevent cross-tile structural reuse.
  • Figure 3: Mechanism-and-evidence view of cross-tile transferability. Top: key-assignment schematics and conceptual transfer matrices for a structure-reusing baseline versus tilewise domain separation. Bottom: empirical E5 boxplots (source=center) for Att-LR and Att-CNN, showing bounded transfer and variant-dependent differences.
  • Figure 4: Experimental evaluation protocol under chosen-plaintext access. E2--E5 refer to the scenario definitions summarized in Table \ref{['tab:scenario_legend']} (see Section \ref{['sec:experiments']} for results).
  • Figure 5: Qualitative examples showing plaintext, ROI mask, and ciphertext appearance for representative variants.