Article

An Improved Chosen Plaintext Attack on JPEG Encryption

1 School of Computer Science and Engineering, South China University of Technology, Guangzhou 510006, China
2 School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou 510275, China
3 Guangdong Provincial Key Laboratory of Big Data Computing, The Chinese University of Hong Kong, Shenzhen 518172, China
* Author to whom correspondence should be addressed.
J. Sens. Actuator Netw. 2025, 14(4), 72; https://doi.org/10.3390/jsan14040072 (registering DOI)
Submission received: 31 May 2025 / Revised: 6 July 2025 / Accepted: 10 July 2025 / Published: 14 July 2025

Abstract

Format-compatible encryption can be used to ensure the security and privacy of JPEG images. Recently, a JPEG image encryption method proved to be secure against known plaintext attacks by employing an adaptive encryption key, which depends on the histogram of the number of non-zero alternating current coefficients (ACC) in Discrete Cosine Transform (DCT) blocks. However, this scheme has been demonstrated to be vulnerable to chosen-plaintext attacks (CPA) based on the run consistency of MCUs (RCM) between the original image and the encrypted image. In this paper, an improved CPA scheme is proposed. The method of incrementing run-length values instead of permutation is utilized to satisfy the uniqueness of run sequences of different minimum coded units (MCUs). The experimental results show that the proposed method can successfully recover the outlines of plaintext images from the encrypted images, even with lower-quality factors.

1. Introduction

With the rapid development of the Internet and multimedia technologies, images have become one of the most common media for information dissemination due to their intuitiveness. However, digital images often raise significant privacy and confidentiality concerns, as they frequently contain sensitive personal or confidential data—exemplified by applications like tele-medicine, cloud storage, and online identity verification. Consequently, ensuring image security and confidentiality during storage and transmission has emerged as a critical challenge in information security.
Among digital image formats, JPEG dominates due to its high compression ratio and acceptable perceptual quality at reduced file sizes; most online images are JPEG-encoded. While a variety of generic encryption techniques exist for images, the simplest approach treats the JPEG image as a bit-stream and directly applies conventional ciphers like Data Encryption Standard (DES) [1] or Advanced Encryption Standard (AES) [2]. However, this method destroys the image’s native file structure and format, rendering the encrypted output incompatible with the original image format. Therefore, recent years have seen a surge in research focused on format-compatible JPEG image encryption.
Joint compression–encryption designs, such as those in [3,4,5], embed encryption within the rate–distortion optimization loop to ensure the ciphertext remains size-preserving. Selective-encryption strategies, pioneered by [6,7], have since evolved and been applied to domain-specific data, such as medical images [8] and e-comics [9]. Chaos-based schemes remain popular due to their strong diffusion properties; examples range from the efficient approach in [10] to the chaotic S-box design of [11] and the block-adaptive method in [12]. Format-compliant scrambling of the quantized DCT coefficients was explored in [13], while bit-stream level protection achieving file size preservation was demonstrated in [14]. More recent work incorporates techniques such as secret sharing [15] and advanced entropy-coding manipulation [16]. Comprehensive overviews of these research directions are provided in surveys [17,18]. A notable JPEG encryption algorithm proposed by He et al. [19] incorporates several techniques: permutation of quantized direct current coefficient (DCC) differences grouped by sign, swapping of left and right halves within variable-length DC difference groups, random shuffling of non-zero ACC categorized by run-length, and scrambling of DCT blocks excluding DCC. This approach reduces key management overhead, avoids file size expansion, and demonstrates strong robustness against many common cryptanalytic attacks.
However, one inherent challenge in designing JPEG-compatible encryption schemes is addressing the intrinsic characteristics of JPEG encoding that may introduce vulnerabilities. For example, many JPEG encryption approaches preserve intra-block pixel correlation to ensure format compatibility and compression efficiency. This preservation, while beneficial for maintaining JPEG structure, has been shown to facilitate certain cryptanalytic attacks, as it allows adversaries to exploit statistical dependencies within pixel blocks. Recent studies, such as the work by Cardona-López et al. [20], highlight how transformations like the Negative–Positive Transformation (NPT) maintain pixel block correlation, which may compromise encryption strength if not complemented by additional security mechanisms.
In parallel with the development of stronger algorithms, the cryptanalysis of JPEG encryption has advanced rapidly. Universal attacks, which operate independently of the underlying cipher, have been proposed for permutation–substitution structures [21]. Adaptive-key mechanisms have proven particularly fragile: [22,23] developed effective CPA schemes by exploiting run-length information or invariant characteristics leaked through ACC. Beyond still images, insights drawn from multimedia security—such as the cryptanalysis of start-code and DCT-domain permutations in video streams [24,25]—further highlight potential vulnerabilities in analogous JPEG encryption schemes. Although they exhibit favorable statistical characteristics, chaos-based ciphers have been proven to be insecure under rigorous cryptanalytic analysis [26,27,28]. To objectively quantify security risks, researchers have proposed dedicated security metrics, such as the perceptual-security index [29], local-entropy evaluation [30], and jigsaw-solver robustness tests [31]. Oezkaynak et al. [32] offer a concise, critical assessment of these collective findings.
Although the adaptive-key encryption algorithm proposed by He et al. [19] has been shown to be vulnerable to chosen plaintext attacks [22,23], its success rate degrades with low JPEG quality factors. To address this, we substitute run-length sequence permutation with run-length incrementation—thereby ensuring unique run sequences across all MCUs—which both increases the attack’s success probability and enhances its efficiency.
The remainder of this paper is organized as follows. Section 2 reviews the fundamentals of CPA against JPEG encryption algorithms. Section 3 details the proposed improvements to the attack methodology. Section 4 reports experimental results that compare baseline and improved CPA performance. Finally, Section 5 summarizes our findings and outlines future directions for strengthening the security of JPEG encryption schemes.

2. Current CPA Scheme

2.1. ACC Encryption in He et al.’s JPEG Encryption Algorithm

The CPA scheme proposed in [22] exploits vulnerabilities in the ACC encryption process of He et al.’s JPEG encryption algorithm. In JPEG images, the DCC only determines the average brightness of all pixels within an MCU, while the ACC governs the image details of the MCU [33]. This fundamental property implies that image content can be substantially reconstructed by recovering the ACCs while setting all DCCs to “00”. To establish the foundation for our discussion, we first analyze the ACC encryption mechanism in He et al.’s algorithm.
The ACC encryption process in He et al.’s algorithm consists of three sequential steps: (1) adaptive key generation, (2) permutation of ACCs with identical run values, and (3) inter-MCU permutation. These steps are elaborated below.
(1) Adaptive Key Generation: This process introduces the concept of the MCU histogram. For a given image $O$, let $O_i$ represent the $i$-th MCU of the image, and $p_i$ denote the count of non-zero ACCs in the $i$-th MCU. We define $h_w$ as the number of MCUs containing exactly $w$ non-zero ACCs in the image:
$$h_w = \#\{O_i \mid p_i = w,\ 1 \le i \le n\}$$
where $\#$ denotes the cardinality of a set.
The MCU histogram $H_O$ of image $O$ is then defined as
$$H_O = \{h_w \mid 0 \le w \le 63\}$$
Both the initial key $key_{user}$ and MCU histogram $H_O$ participate in generating the adaptive key $key_A$. Based on $H_O$, a 512-bit hash code $\kappa$ is generated using a hash function:
$$\kappa = Func_{SHA3\text{-}512}(H_O)$$
The adaptive key $key_A$ is subsequently produced by combining the hash code $\kappa$ with the user key $key_{user}$. The detailed procedure can be found in [19].
(2) Permutation of ACCs with Identical Run Values: The term run refers to an attribute obtained during the entropy-coding process of JPEG encoding for each non-zero ACC. It represents the number of zero-valued ACCs between the current non-zero ACC and the previous non-zero ACC [33]. The permutation of ACCs with identical run values maintains a constant file size. The set of ACCs with a run size of $k$ ($0 \le k \le 63$) can be expressed as
$$S_k = \{a_{i,j} \mid r_{i,j} = k,\ 1 \le i \le n,\ 1 \le k \le p_i\}$$
For each set $S_k$, the secret key $key_A$ is used to generate a random permutation sequence $\Pi_k$:
$$\Pi_k = \{\Pi_k(t) \mid 1 \le t \le \#\{S_k\}\}$$
For example, if there are 500 ACCs with a run value of 1, the algorithm generates a permutation sequence $\Pi_1$ with a length of 500 based on $key_A$. The system then sequentially scans all ACCs starting from the 0-th MCU, identifies these 500 ACCs, flattens them into a one-dimensional array, and applies $\Pi_1$ to permute them. After permutation, the set of ACCs with identical run values becomes
$$S'_k(t) = S_k(\Pi_k(t))$$
Consequently, the original image $O$ is transformed into $O'$.
(3) Inter-MCU Permutation: The final encryption stage permutes the MCUs without DCC to preserve the file size. The secret key $key_A$ generates a random permutation sequence $\Psi$:
$$\Psi = \{\Psi(i) \mid 1 \le i \le n\}$$
Applying $\Psi$ to the intermediate image $O'$ yields the final ciphertext image $E$. The MCU set of $E$ becomes
$$E_i = O'_{\Psi(i)}$$
Figure 1 demonstrates the complete encryption process for a plaintext image $O$ containing three MCUs, using $\Psi = \{3, 1, 2\}$, $\Pi_0 = \{5, 2, 4, 1, 3\}$, $\Pi_1 = \{2, 4, 3, 1\}$. The original 63 ACC values within each MCU are transformed into a run–value sequence composed of run–value pairs. Each run–value pair corresponds to a non-zero ACC, with the run and value components represented by separate rectangles. Among all ACCs, those with a run value of 0 are highlighted in red, while those with a run value of 1 are highlighted in blue. To transform image $O$ into $O'$, it is necessary to apply permutation sequences $\Pi_0$ and $\Pi_1$ to five ACCs with run = 0 and four ACCs with run = 1, respectively. Furthermore, to transform image $O'$ into image $E$, the permutation sequence $\Psi$ must be applied to three MCUs. EOB markers following each MCU are omitted in the figure.

2.2. Security Vulnerabilities in He et al.’s ACC Encryption

The following section explains two security risks in He et al.’s ACC encryption: (1) RCM between plaintext and ciphertext, and (2) the immutability of the MCU histogram. By combining these two risks, the CPA scheme in [22] can be implemented to recover all ACCs of the ciphertext image.
(1) RCM between plaintext and ciphertext: First, we introduce the concepts of Run sequence and RCM. For an MCU $O_i$, let its $j$-th ACC be $a_{i,j}$ and the run of its $j$-th ACC be $r_{i,j}$; then, its run sequence $R_i$ is
$$R_i = \{r_{i,j} \mid 1 \le j \le p_i\}$$
Among all MCUs in an image, there may exist two or more MCUs with identical run sequences. This phenomenon is called run consistency among MCUs, abbreviated as RCM.
Here, we specifically refer to the RCM phenomenon existing between plaintext and ciphertext images. The ACC encryption process in [19] involves two permutation steps: permutation among ACCs with identical runs, and permutation among MCUs. The first step only permutes other numerical values of ACCs with the same run, without modifying the run sequences in any MCU. The second step permutes all MCUs (excluding DCC) as whole units, which also does not change the run sequence within each MCU. Therefore, the $\Psi_i$-th MCU in ciphertext image $E$ and the $i$-th MCU in plaintext image $O$ exhibit RCM.
The occurrence of RCM facilitates the reverse derivation of the inter-MCU permutation sequence $\Psi$, because these identical run sequences can serve as crucial clues for tracking the positional changes of MCUs before and after permutation. This is particularly critical for implementing the chosen plaintext attack.
(2) Immutability of MCU Histogram: The MCU histogram is defined as follows: the number of MCUs containing a specific count of non-zero ACCs for each possible count of non-zero ACCs. We now analyze the two steps in the ACC encryption process outlined in [19]—the permutation of ACCs with identical run values and permutation among MCUs. The first step exclusively permutes non-zero ACCs without converting zero ACCs to non-zero values or vice versa within any MCU. The second step permutes entire MCUs as atomic units, thereby preserving the count of MCUs corresponding to each specific non-zero ACC quantity. Consequently, the ciphertext image E maintains an identical MCU histogram to the plaintext image O.
The immutability of the MCU histogram is crucial for the execution of this JPEG encryption algorithm because it allows users to directly extract the same MCU histogram from ciphertext as from plaintext. By combining this with the user key, the complete key can be recovered, thereby reducing the key management overhead. However, this characteristic can be exploited to construct CPA-specific plaintext images that preserve key consistency with the original plaintext, thereby enabling the proposal of CPA schemes.
In the CPA scenario, the attacker possesses a “black box” capable of encrypting plaintext images into ciphertext images. The attacker’s objective is to extract information from multiple plaintext–ciphertext pairs (a set consisting of a plaintext image and its corresponding ciphertext image), thereby obtaining encryption-related information without knowledge of the secret key.
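The two invariants described in this section can be checked on a toy model. The following Python sketch is an added example, not code from the paper or from [19]: it represents each MCU as a list of (run, value) pairs, uses a seeded PRNG as a stand-in for the $key_A$-derived permutations (an assumption), and reports which MCU positions are exposed by run-sequence matching. All function names and the sample data are constructed for illustration.

```python
import random
from collections import Counter

# Constructed sample: four MCUs, each a list of (run, value) pairs for its
# non-zero ACCs. MCU 0 and MCU 2 share a run sequence (RCM inside the image).
SAMPLE = [
    [(0, 5), (0, -3), (1, 2)],
    [(0, 7), (1, -1)],
    [(0, 4), (0, 9), (1, 6)],
    [(2, 8)],
]


def run_sequence(mcu):
    """R_i: the run components of an MCU, in scan order."""
    return tuple(run for run, _ in mcu)


def mcu_histogram(mcus):
    """H_O: h[w] = number of MCUs with exactly w non-zero ACCs, 0 <= w <= 63."""
    h = [0] * 64
    for mcu in mcus:
        h[len(mcu)] += 1
    return h


def values_by_run(mcus):
    """Multiset of ACC values per run value k (the sets S_k, order ignored)."""
    sets = {}
    for mcu in mcus:
        for run, value in mcu:
            sets.setdefault(run, Counter())[value] += 1
    return sets


def toy_encrypt(mcus, seed):
    """Steps (2) and (3) of the ACC encryption on the toy representation.

    Assumption: a seeded PRNG replaces the key_A-derived permutations.
    Returns (cipher, psi) with cipher[i] = intermediate[psi[i]].
    """
    rng = random.Random(seed)
    # Step (2): scan MCUs in order and collect the slots of each run value k.
    slots = {}
    for i, mcu in enumerate(mcus):
        for j, (run, _) in enumerate(mcu):
            slots.setdefault(run, []).append((i, j))
    inter = [list(mcu) for mcu in mcus]
    for run, positions in slots.items():
        values = [mcus[i][j][1] for i, j in positions]
        pi_k = list(range(len(values)))
        rng.shuffle(pi_k)
        for t, (i, j) in enumerate(positions):
            inter[i][j] = (run, values[pi_k[t]])  # value moves, run stays
    # Step (3): permute whole MCUs.
    psi = list(range(len(inter)))
    rng.shuffle(psi)
    return [inter[p] for p in psi], psi


def leaked_positions(plain, cipher):
    """Map cipher index -> plain index for MCUs whose run sequence is unique."""
    counts = Counter(run_sequence(m) for m in plain)
    where = {run_sequence(m): i for i, m in enumerate(plain)}
    return {c: where[run_sequence(m)] for c, m in enumerate(cipher)
            if counts[run_sequence(m)] == 1}


if __name__ == "__main__":
    cipher, psi = toy_encrypt(SAMPLE, seed=7)
    print("histogram preserved:", mcu_histogram(cipher) == mcu_histogram(SAMPLE))
    print("positions exposed  :", leaked_positions(SAMPLE, cipher))
    print("actual psi         :", psi)
```

Whatever the seed, the histogram and the per-MCU run sequences survive encryption, and only the two MCUs that share a run sequence remain ambiguous.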

2.3. The Five Steps of the Current CPA Scheme

For the CPA scheme proposed in [22], the construction of plaintext images is crucial. This construction involves two key steps. First is eliminating the RCM phenomenon within the image using the single-permutation method to facilitate the prediction of the MCU permutation sequence $\Psi$. Second is assigning values to ACCs to facilitate the prediction of $\Pi$. After successfully constructing the plaintext images, the attacker must infer both the MCU permutation sequence $\Psi$ and the ACC permutation sequence $\Pi$ (for ACCs with identical run values) using information derived from the plaintext–ciphertext pairs. Ultimately, this enables the reconstruction of image details from the target plaintext image. The following sections will sequentially explain each of these steps in detail.
(1) Plaintext Image Construction—Eliminating RCM via Single Permutation: The initial step involves eliminating internal RCM phenomena in the ciphertext image to enhance the prediction accuracy of the MCU permutation sequence $\Psi$. As previously established, identical run sequences between ciphertext and plaintext images serve as crucial markers for tracking MCU positional changes during permutation. Consider a concrete example: when an MCU possesses a unique run sequence $R_1$ within the image (where pre-permutation index = $i_1$, post-permutation index = $j_1$), we can determine that in the MCU permutation sequence $\Psi$, the MCU originally at position $i_1$ has been permuted to position $j_1$. However, if two MCUs share identical run sequences $R_1$ (with pre-permutation indices $i_1$, $i_2$ and post-permutation indices $j_1$, $j_2$), the sequence $R_1$ alone cannot determine whether $i_1$ has been permuted to $j_1$ or $j_2$, since their run sequences are identical. It can be seen that the existence of the RCM phenomenon in the image will seriously affect the prediction of the MCU permutation sequence $\Psi$. A method must be proposed to eliminate the RCM phenomenon in the image as much as possible.
The current CPA scheme employs a “single permutation” to resolve RCM. For instance, when $R_1 = \{0, 0, 1, 2, 0\}$ appears in both MCU-$i_1$ and MCU-$i_2$, we modify one MCU’s run sequence (e.g., transforming MCU-$i_1$’s sequence to $R'_1 = \{1, 0, 0, 2, 0\}$), thereby eliminating their RCM relationship. This process maintains constant non-zero ACC counts (5 in this case), preserving the MCU histogram and ensuring consistent key recovery. The methodology extends analogously to cases involving three or more duplicate MCUs, with detailed rules specified in [22].
(2) Plaintext Image Construction—Assigning Values to ACCs: In predicting $\Psi$, we leverage identical run sequences between plaintext and ciphertext images as clues to track the positional changes of MCUs before and after permutation. Similarly, for predicting $\Pi$, we require a method to track the positional changes of ACCs with identical run values. When the number of ACCs sharing the same run value in an image is relatively small, we can assign distinct values to each such ACC to enable $\Pi$ prediction. For most images, the number of ACCs with run = 0 far exceeds those with other run values. Thus, by satisfying the “demand” for run = 0 ACCs, we can construct the entire image in a $\Pi$-predictable form.
According to [22], for Quality Factor (QF) = 100, the ACC of JPEG images takes the value range of $[-924, 924]$. If there are 1000 run = 0 ACCs with a value range of $[-924, 924]$, we can assign each of them a unique value in the range of $[-500, -1] \cup [1, 500]$ (note: 0 is excluded since we focus on non-zero ACCs). With correct $\Psi$ prediction, each unique ACC value serves as a clue to accurately infer $\Pi$. Thus, only one plaintext image is needed for complete $\Pi$ prediction.
If the number of run = 0 ACCs exceeds the non-zero value range size $\gamma$, a single plaintext image becomes insufficient, as it can provide only $\gamma$ distinct tracking clues. However, by using two plaintext images (A and B) with identical run sequences across all MCUs, we can combine the values of co-located ACCs in A and B to form composite clues. This is equivalent to taking the Cartesian product of the non-zero ACC value range with itself, now offering $\gamma^2$ distinct combinations. Similarly, if we use three images (A, B, and C), we can provide $\gamma^3$ distinct value combinations. Figure 2 demonstrates the constructed non-zero ACC of Image A and B for $\Pi$ prediction. ACC instances with run = 0 are marked in red, whereas those with run = 1 are marked in blue. For run = 0 ACCs, the composite clues (A and B value pairs) are {2, 2}, {2, 1}, {2, 1}, {2, 2}, {1, 2}, etc. For other run values (e.g., run = 1), the pairs are {2, 2}, {2, 1}, {2, 1}, {2, 2}, etc. Critically, all composite clues remain distinct, enabling unambiguous $\Pi$ inference. Detailed assignment methods are described in [23].
To ensure accurate prediction of the permutation sequence $\Pi$, a sufficient number of plaintext–ciphertext pairs $x$ is required. According to [22], let $\#S_0$ denote the count of ACCs with run = 0 in an image, and $\gamma$ represent the size of the non-zero value range for ACC (e.g., for ACC in $[-924, 924]$, $\gamma$ = 1848). The required number of plaintext–ciphertext pairs $x$ for executing the CPA scheme on this image is given by
$$x = \lceil \log_{\gamma} \#S_0 \rceil$$
(3) Prediction of MCU Permutation Sequence $\Psi$: The prediction of the MCU permutation sequence $\Psi$ requires only one plaintext–ciphertext pair. Here, we use a plaintext image generated by the incremental value method and obtain its corresponding ciphertext image through the black box of the JPEG encryption algorithm. To predict the MCU permutation sequence $\Psi$, we simply need to identify the correspondence between identical run sequences in each ciphertext–plaintext image pair, from which the entire permutation sequence can be deduced. However, if RCM phenomena still exist, the prediction of $\Psi$ may become inaccurate.
(4) Prediction of ACC Permutation Sequence $\Pi$ for Identical Run Values: The prediction of ACC permutation sequence $\Pi$ requires $x$ plaintext–ciphertext pairs. For a 512 × 512 image, $x$ = 2, meaning two plaintext–ciphertext pairs are needed. As mentioned earlier, when constructing two plaintext images A and B, we ensure that the “combined values of ACCs at the same position in A and B” are unique for all ACCs with the same run value. Therefore, we can use these combined ACC value pairs as clues to track the positional changes of each ACC before and after permutation. If $\Psi$ is predicted correctly, the $\Pi$ predicted through this method is guaranteed to be completely accurate because the uniqueness of tracking clues is ensured.
However, if there are errors in $\Psi$ prediction, the impact on $\Pi$ prediction would be significant. The JPEG encryption algorithm described in [19] implements two sequential permutation stages: first executing permutation sequence $\Pi$ for each run value by sequentially traversing from MCU-0 and numbering each ACC as 0, 1, 2 through $\#S_k$, transforming plaintext image $O$ into intermediate image $O'$, then performing the permutation sequence $\Psi$ that rearranges MCUs while simultaneously causing secondary scrambling of internal ACCs, ultimately generating the final ciphertext image $E$. Consequently, accurate $\Pi$ prediction necessitates first correctly predicting $\Psi$, then applying $\Psi$’s inverse operation to ciphertext image $E$ to recover intermediate state $O'$ before finally predicting $\Pi$ from $O'$. Incorrect $\Psi$ prediction prevents proper reversal of the secondary ACC scrambling induced by $\Psi$, potentially introducing compounded errors in $\Pi$ prediction, with [22] providing a comprehensive analysis of these error-propagation mechanisms and their detrimental effects.
(5) Recovery of Target Ciphertext Image: After successfully predicting the permutation sequences $\Psi$ and $\Pi$, we can recover the target ciphertext image by sequentially applying the inverse operations of $\Psi$ and $\Pi$. Finally, by setting all DCCs of the MCUs to “0”, we successfully restore the image details of the target ciphertext image.

2.4. The Overall Process of the Current CPA Scheme

When the test image size is 512 × 512, the calculation of $x$ reaches its maximum value of 2 according to [22]. The overall process of the current CPA scheme when $x$ = 2 is shown in Figure 3. The dashed red box represents the permutation of $\Psi$, while the dashed blue box represents the permutation of $\Pi$. In the original CPA scheme, two plaintext images, Image A and Image B, were constructed (with Image C being an “intermediate product”). To predict the permutation sequence $\Psi$, one of the images, either Image A or Image B, is required. To predict the permutation sequence $\Pi$, both Image A and Image B are necessary.

2.5. Current Limitations of the Single Permutation Method

The accuracy of the current CPA scheme primarily depends on the number of MCUs exhibiting RCM in the constructed plaintext images. As the number of MCUs in the plaintext image increases, the error rate in the recovered image also rises. The existing approach employs the “single permutation method” to reduce RCM during plaintext image construction. While this method can partially mitigate RCM, it suffers from two critical issues:
(1) Insufficient Permutation Variability for High-RCM Cases: If the number of MCUs involved in RCM exceeds all possible single-permutation variations, RCM cannot be fully eliminated. There exist certain run sequences for which the number of unique single permutation possibilities is extremely limited. For example, for run sequences that are all zeros, such as $\{0\}$, $\{0, 0, 0\}$, the single-permutation method cannot be performed because all permutations result in the same sequence. For shorter run sequences, such as $\{0, 1\}$ and $\{0, 0, 1\}$, the permutation variability is inherently low due to the limited number of unique arrangements.
If a large number of MCUs share these run sequences, it becomes increasingly likely that the number of MCUs belonging to the RCM will surpass the total number of permutation possibilities. In such cases, the single-permutation method fails to fully resolve RCM, as the number of MCUs associated with the RCM exceeds the set of all possible unique variations that can result from reordering the sequence.
(2) Unintentional Introduction of New RCM: Even when applying single permutations, the resulting run sequences may coincidentally remain non-unique in the image. For instance, suppose an MCU with $R_1 = \{0, 0, 1, 2, 0\}$ is permuted to $R'_1 = \{1, 0, 0, 2, 0\}$, but another MCU already has the same $R'_1$ sequence. This means that while resolving one RCM instance, the method may inadvertently introduce new RCM cases.
These two problems lead to persistent RCM phenomena in the constructed plaintext images, ultimately reducing the success rate of the current CPA scheme.

3. Improved CPA Scheme

3.1. Plaintext Image Generation Using the Additive Value Method

To address the aforementioned two issues, we propose an enhanced approach for eliminating RCM, termed the “Additive Value Method”, as its core operation involves adding a specific value to a run component within an ACC in an MCU. This method effectively mitigates RCM phenomena in the constructed plaintext images, thereby improving the overall success rate of the CPA scheme. The detailed procedure is as follows:
Variable Declaration: For a repeated run sequence $R$, let $l$ denote its element count, and $v$ represent the sum of all element values. Define $y = 63 - l - v$. Denote $z$ as the number of MCUs containing run sequence $R$.
Case 1: If $z - 1 \le l$, select $z - 1$ MCUs from those exhibiting RCM, indexed as $i$ ($0 \le i \le z - 2$). For the $i$-th MCU, add $y$ to the $i$-th value in its run sequence. Verify whether the modified run sequence has previously appeared in the image. If duplication is detected, decrease the added value by 1 and revalidate. If unique, implement this modification.
Case 2: If $l < z - 1 \le y \times l$, similarly select $z - 1$ MCUs with indices $i$ ($0 \le i \le z - 2$). For MCUs satisfying $0 \le i \le l - 1$, add $y$ to the $i$-th run value; for $l \le i \le 2l - 1$, add ($y - 1$); for $2l \le i \le 3l - 1$, add ($y - 2$). This pattern continues until all $z - 1$ MCUs are processed. Throughout this process, each modification requires verification of run sequence uniqueness, with value decrementation and rechecking upon duplication detection.
Case 3: If $z - 1 > y \times l$, the method can process $y \times l$ MCUs following Case 2’s approach, while the remaining MCUs cannot be modified, thus preserving residual RCM phenomena.
The core concept of this method is to ensure that non-zero ACCs appear as late as possible within an MCU. The implemented approach randomly selects an ACC and adds a maximally permissible value $y$ to its run value. Each MCU contains 63 ACCs. In the run sequence, each element represents a non-zero ACC, while each run value indicates the count of consecutive zero-valued ACCs. Consequently, the total number of ACCs preceding the current "EOB" marker equals $l + v$. To prevent exceeding the ACC count boundary, the maximum allowable value for $y$ is set as $63 - l - v$.
To better demonstrate how the additive value method works, a few examples are given below. Assume there are $z$ MCUs sharing the run sequence $\{0, 1, 0, 0, 1\}$, and they are named MCU #1, MCU #2, …, MCU #z. It can be calculated that $l = 5$, $v = 2$, $y = 56$.
When $z = 6$, since $z - 1 \le l$, this case belongs to Case 1; when $z = 8$, since $l < z - 1 \le y \times l$, this case belongs to Case 2; when $z = 282$, since $z - 1 > y \times l$, this case belongs to Case 3. Figure 4a–c illustrates the run sequences of MCU #1, MCU #2, …, MCU #z after the execution of the additive value method when $z = 6$, $z = 8$, and $z = 282$, respectively. In Figure 4, it is assumed that all run sequences generated during the process are unique across the entire image.
Figure 5 illustrates the run sequences of eight MCUs after the execution of the additive value method under the same conditions as Figure 4b when $z = 8$. However, it is assumed that the run sequence $\{56, 1, 0, 0, 1\}$ has already been generated in a previous execution of the additive value method aimed at eliminating the duplicate run sequence $\{1, 1, 0, 0, 1\}$. In this case, the run sequence of MCU #2 should be $\{55, 1, 0, 0, 1\}$. Correspondingly, the run sequence of MCU #7 should be $\{54, 1, 0, 0, 1\}$.
The following analysis examines how the additive value method addresses the two limitations inherent in the single-permutation approach.
Regarding the first issue, the new method yields $y \times l$ possible outcomes, which significantly exceeds the permutation possibilities of the original method when $l$ is small. Taking $\{0\}$ as an example, the current approach provides $y \times l = 62 \times 1 = 62$ possible variations, a substantial improvement over the original method’s zero possible permutations. Since low-QF images typically contain numerous run sequences with small $l$ values, this method demonstrates superior effectiveness for such compressed images.
For the second issue, the new RCM elimination method ensures that the generated run sequences are almost certainly unique among all MCUs in the original image. In JPEG encoding, the quantization table typically contains smaller values in the top-left corner and larger values in the bottom-right corner. Due to the human eye’s varying sensitivity to low-frequency and high-frequency information, we need to discard more high-frequency information concentrated in the bottom-right corner. This results in quantized MCUs having more non-zero values in the top-left region, while the bottom-right region is mostly filled with zeros. Consequently, the ZigZag scan order can quickly traverse all non-zero values before using the EOB marker to skip the remaining zero-valued ACC. Conversely, the probability of quantized MCUs still containing non-zero ACC in the bottom-right region is extremely low, as most images do not exhibit extremely high-frequency components within a single MCU. This explains why the added value y needs to be as large as possible. For any duplicate run sequences that may occur during the additive value process, the mechanism in Figure 5 can eliminate such duplication.
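The three cases of the additive value method, including the decrement-on-collision rule, can be traced on bare run sequences to measure how much RCM remains. The Python sketch below is an added example, not the authors' implementation: it works on tuples of run values only (no JPEG coding), treats the first MCU of each duplicate group as the unmodified one, and adds the value at position $i \bmod l$ for $i \ge l$, which is an assumption consistent with the Figure 5 description. The function name and sample inputs are constructed.

```python
# Constructed input reproducing the Figure 5 scenario described in the text:
# two MCUs share {1,1,0,0,1}, followed by eight MCUs sharing {0,1,0,0,1}.
FIG5_RUNS = [(1, 1, 0, 0, 1)] * 2 + [(0, 1, 0, 0, 1)] * 8

# Constructed Case 3 input: 64 MCUs sharing {0}, so z - 1 = 63 > y * l = 62.
CASE3_RUNS = [(0,)] * 64


def additive_value(run_seqs):
    """Apply the additive value method to a list of run sequences.

    Returns (new_run_seqs, unresolved) where `unresolved` counts MCUs that
    could not be made unique (residual RCM, Case 3 or exhausted decrements).
    """
    seqs = [tuple(s) for s in run_seqs]
    seen = set(seqs)              # every run sequence present in the image
    groups = {}                   # run sequence -> indices of MCUs using it
    for idx, s in enumerate(seqs):
        groups.setdefault(s, []).append(idx)

    out = list(seqs)
    unresolved = 0
    for seq, members in groups.items():
        if len(members) < 2:
            continue              # already unique, nothing to do
        l, v = len(seq), sum(seq)
        y = 63 - l - v            # largest increment that stays within 63 ACCs
        # The first member keeps seq; the other z - 1 get indices i = 0..z-2.
        for i, idx in enumerate(members[1:]):
            if l == 0:            # empty run sequence: no element to modify
                unresolved += 1
                continue
            pos = i % l           # which run value is incremented
            add = y - i // l      # y for the first l MCUs, then y-1, y-2, ...
            chosen = None
            while add >= 1:
                trial = seq[:pos] + (seq[pos] + add,) + seq[pos + 1:]
                if trial not in seen:
                    chosen = trial
                    break
                add -= 1          # duplicate detected: decrease and recheck
            if chosen is None:
                unresolved += 1   # Case 3: this MCU keeps its duplicate
                continue
            seen.add(chosen)
            out[idx] = chosen
    return out, unresolved


if __name__ == "__main__":
    fixed, left = additive_value(FIG5_RUNS)
    for n, s in enumerate(fixed):
        print(n, s)
    print("unresolved:", left)
    print("case 3 unresolved:", additive_value(CASE3_RUNS)[1])
```

Each sequence keeps its length, so the MCU histogram, and with it the adaptive key, is unchanged by the construction.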

3.2. The Overall Process of the Improved CPA Scheme

Compared to the single-permutation method, the additive value method can more effectively eliminate RCM phenomena. However, implementing the additive value method requires generating one additional plaintext image when performing a complete CPA. In the original single-permutation method, the values in the run sequences are merely permuted without altering the count of ACCs for each run value. Consequently, the plaintext images generated via the single-permutation method can simultaneously participate in predicting both the MCU permutation sequence $\Psi$ and the ACC permutation sequence $\Pi$ for identical run values. In contrast, the additive value method modifies the distribution of ACC counts for each run value by incrementing certain run values. This prevents us from utilizing the plaintext images generated by the additive value method—along with their corresponding plaintext–ciphertext pairs—to predict the permutation sequence $\Pi$. For example, suppose the target ciphertext image contains 10,000 ACCs with a run value of 0. The encryption algorithm in [19] would generate a permutation sequence $\Pi_0$ with a length of 10,000 for these ACCs using the $key_A$. However, after applying the additive value method, the number of ACCs with a run value of 0 might decrease to 9900. In this case, predicting a permutation sequence $\Pi_0$ with a length of 9900 becomes meaningless, as it does not aid in restoring the target ciphertext image. Therefore, in addition to the $x$ plaintext images constructed to predict $\Pi$, we must construct another plaintext image to predict $\Psi$.
The overall process of the improved CPA scheme when $x$ = 2 is shown in Figure 6. The dashed red box represents the permutation of $\Psi$, while the dashed blue box represents the permutation of $\Pi$. In the improved CPA scheme, three plaintext images, Images A, B, and C, were constructed. To predict the permutation sequence $\Psi$, Image C is required. To predict the permutation sequence $\Pi$, Image A and Image B are required.

4. Experimental Results and Analysis

The images used for the experiments are all 512 × 512 gray-scale TIFF images. The TIFF images were compressed into baseline JPEG format with different QFs using the OpenCV library. In the command-line tool cjpeg provided by libjpeg (www.ijg.org), the default compression QF is set to 75, which provides a balance between image file size and image quality. Most applications that utilize the compression algorithm in libjpeg tend to use a QF of 75 for JPEG image compression. In scenarios such as social media and websites, where smaller file sizes are desired, QF values are typically chosen in the range of 60 to 75. For scenarios that require higher image quality, such as photography and printing, QF values in the range of 75 to 95 are commonly used. Therefore, the QFs used for compression were 95/90/85/…/65/60.
It is worth noting that when QF decreases, the success rate of CPA also decreases. The reasons for this phenomenon are explained in Section 4.3.
According to [22], under the condition of QF = 100, the non-zero range size γ of ACC is known to be 1848. In the worst-case scenario where all 63 ACC in each MCU of the target image are non-zero, the number of ACC with run = 0 would be 512 × 512 − 64 × 64 = 258,048. According to the previously derived formula for calculating x, this yields x = 2. This demonstrates that in the current experimental scenario, constructing a maximum of two plaintext images is sufficient for predicting the permutation sequence Π.

4.1. CPA Effectiveness Using Single-Permutation Method

For several target images, chosen plaintext attacks were performed using the attack algorithm described in [22], and experimental data were collected. Table 1 presents the PSNR values between the recovered images and the original plaintext images with DCC zeroed out under different QF settings. A PSNR value of “Inf” indicates that the recovered image is completely identical to the DC-zeroed plaintext image. In cases where PSNR is not “Inf”, only the baboon image at QF = 65 retains recoverable visual details, while the remaining images fail to reconstruct meaningful content.
Figure 7, Figure 8, Figure 9 and Figure 10 demonstrate the CPA-recovered images under varying QFs (95, 85, 80, 65, and 60).
The results reveal that for images compressed at QF = 95 and QF = 90, the JPEG-encryption scheme proposed in [19] is vulnerable to CPA schemes from [22], posing a security risk of original image detail leakage.

4.2. CPA Effectiveness Using the Additive Value Method

For the same target images, the RCM elimination approach was changed from the single-permutation method to the additive value method while maintaining the CPA framework from [22]. Table 2 presents the number of RCM-afflicted MCUs before and after applying the additive value method across different QF values for each image. Columns marked with “−” and “+” denote pre- and post-processing data, respectively. A post-processing value of “0” indicates perfect recovery of the DC-zeroed plaintext image, as the permutation sequence Ψ can be fully predicted. Single-digit post-processing values imply minor Ψ prediction errors, allowing for approximate reconstruction of plaintext details, though substantial distortion persists due to cascading errors in predicting permutation sequence Ψ. Post-processing values exceeding 10 preclude meaningful plaintext recovery.
Table 3 compares PSNR values between recovered and DC-zeroed plaintext images under varying QFs. Compared to Table 1, all QF = 85 cases now achieve PSNR = Inf (perfect recovery). For QF = 80, “lake” and “lena” show higher PSNR values, indicating partial detail recovery with residual errors, while “boat” (QF = 80) and “baboon” (QF = 65) now reach PSNR = Inf. The remaining results align with Table 1.
Figure 11, Figure 12, Figure 13 and Figure 14 display recovered images at QFs spanning 95 to 60.
The improved CPA scheme enables complete DC-zeroed plaintext recovery for all four test images at QF = 95–85. Partial recovery occurs at QF = 80, with some images fully reconstructed and others retaining major features. No meaningful recovery emerges below QF = 80.
To further validate the improved CPA’s generalizability, 100 additional 512 × 512 images were compressed at QF = 95/85 and subjected to the modified attack. Figure 15 (QF = 95) and Figure 16 (QF = 85) plot each image’s PSNR against its RCM MCU count.
As evidenced in Figure 15 and Figure 16, the improved CPA scheme achieved a 79% complete recovery rate for the 100 test images at QF = 95, while the rate decreased to 41% at QF = 85. The results further demonstrate that even minimal prediction errors in permutation sequence Ψ, caused by a small number of residual RCM MCUs, can significantly degrade the information recovery quality of the reconstructed images.
Moreover, in the case of a color image, the three channels (Y, Cb, and Cr) are processed separately. Thus, during the attack, each channel is independently recovered. Successful recovery requires the correct permutation sequence for all three channels to match their original order. Consequently, the probability of a successful attack is significantly lower compared to a gray-scale image.

4.3. Factors Affecting the Effectiveness of the Improved CPA Scheme

The experimental results demonstrate that the effectiveness of the CPA scheme is strongly correlated with the prediction accuracy of Ψ. When Ψ is predicted with complete accuracy, all plaintext image details can be fully recovered. If the prediction contains only a few errors (single-digit inaccuracies), partial plaintext details may still be obtained, and these errors can potentially be manually corrected through exhaustive search methods. However, if the prediction involves errors affecting more than 10 MCUs, the resulting image will essentially fail to reflect any meaningful plaintext details.
The key determinant of Ψ prediction accuracy is the number of RCM-afflicted MCUs that remain unresolved after applying the additive value method. Statistical analysis reveals that these residual RCM MCUs primarily consist of two types:
(1) MCUs with All-Zero ACCs: These MCUs contain exclusively zero-valued ACCs, resulting in an empty run sequence (R = {}). To preserve the target image’s MCU histogram integrity, such MCUs cannot be modified. Consequently, all Type 1 MCUs retain their RCM status. Lower-QF images exhibit higher quantities of these MCUs because their larger quantization table values more frequently produce all-zero MCUs during the division process. This explains why the improved CPA scheme maintains poor performance for highly compressed (low-QF) images.
(2) MCUs with Single Non-Zero ACC: These MCUs contain exactly one non-zero ACC of arbitrary value. The additive value method can eliminate RCM for a maximum of only 62 such MCUs. In low-QF images, the count of these MCUs often exceeds 62, leaving residual RCM phenomena in the remainder.
These two types of MCUs occur with higher probability under low-QF conditions because the values in the quantization table are generally larger. This, in turn, reduces the accuracy of Ψ prediction, thereby increasing the difficulty of successful chosen-plaintext attacks.
Figure 17 presents the composition of RCM MCUs across 100 test images at QF = 85. The blue segments represent “all-zero ACC” MCUs, orange segments denote “single non-zero ACC” MCUs, and gray segments indicate other MCU types. The visualization confirms that RCM MCUs in most images consist entirely of these two dominant types.
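The run-value histogram argument of Section 3.2 and the RCM composition described in this section can be reproduced on a toy image. The Python below is an added example, not code from the paper: the function names and the nine-MCU sample are constructed here, and it assumes an MCU counts as RCM-afflicted when its run sequence is shared with at least one other MCU.

```python
from collections import Counter, defaultdict

def run_sequence(acc):
    """Zero-run length in front of each non-zero ACC of one MCU.

    `acc` is the MCU's 63 quantized AC coefficients in ZigZag order. Zeros
    after the last non-zero ACC are covered by EOB and produce no run value.
    """
    runs, zeros = [], 0
    for coeff in acc:
        if coeff == 0:
            zeros += 1
        else:
            runs.append(zeros)
            zeros = 0
    return tuple(runs)

def mcu_from_runs(runs, value=1):
    """Constructed test MCU: one non-zero ACC (`value`) after each zero run."""
    acc = []
    for r in runs:
        acc.extend([0] * r + [value])
    if len(acc) > 63:
        raise ValueError("run sequence does not fit in 63 ACCs")
    return acc + [0] * (63 - len(acc))

def run_histogram(mcus):
    """ACC count per run value over the whole image (the length of each Π_r)."""
    return Counter(r for acc in mcus for r in run_sequence(acc))

def rcm_composition(mcus):
    """Count MCUs whose run sequence is shared with another MCU, by type."""
    groups = defaultdict(list)
    for index, acc in enumerate(mcus):
        groups[run_sequence(acc)].append(index)
    composition = Counter(all_zero=0, single_nonzero=0, other=0)
    for seq, members in groups.items():
        if len(members) < 2:
            continue  # unique run sequence: no ambiguity for this MCU
        if len(seq) == 0:
            kind = "all_zero"
        elif len(seq) == 1:
            kind = "single_nonzero"
        else:
            kind = "other"
        composition[kind] += len(members)
    return dict(composition)

# Constructed image of nine MCUs, given directly as run sequences.
SAMPLE_RUNS = [(), (), (), (0,), (0,), (2,), (0, 1, 0), (0, 1, 0), (0, 0, 3)]

def with_runs(runs_list, index, new_runs):
    """Copy of the image with the run sequence of one MCU replaced."""
    changed = list(runs_list)
    changed[index] = tuple(new_runs)
    return [mcu_from_runs(r) for r in changed]

def demo():
    original = [mcu_from_runs(r) for r in SAMPLE_RUNS]
    permuted = with_runs(SAMPLE_RUNS, 7, (1, 0, 0))   # reorder the run values
    additive = with_runs(SAMPLE_RUNS, 7, (0, 1, 5))   # increment one run value
    return {
        "composition": rcm_composition(original),
        "hist_original": dict(run_histogram(original)),
        "hist_permuted": dict(run_histogram(permuted)),
        "hist_additive": dict(run_histogram(additive)),
        "composition_additive": rcm_composition(additive),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Reordering run values leaves every per-run ACC count unchanged, while the increment moves one ACC from run value 0 to run value 5; the all-zero and single non-zero duplicates are unaffected by the change to the multi-value MCU.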

5. Conclusions

This study indicates that the JPEG encryption algorithm in [19] is vulnerable to chosen plaintext attacks due to the RCM phenomenon and MCU histogram invariance. Higher-QF images have a higher probability of successful chosen plaintext attacks. Moreover, the proposed CPA scheme, although primarily designed for gray-scale images, can be applied to color images as well, but with a lower attack success rate.
While the adaptive key generation in [19] reduces key management complexity, it also introduces potential security risks, as the retained image information can be exploited by attackers. This suggests that the studied JPEG encryption algorithm, while providing some level of protection against known-plaintext attacks, is not robust enough for scenarios where chosen-plaintext attacks are a concern. Future research could focus on optimizing the adaptive key generation strategy to balance key management cost and security.

Author Contributions

Conceptualization, J.H. and K.G.; methodology, K.G. and J.H.; software, K.G.; validation, Y.H., J.H., and Y.L.; formal analysis, J.H.; investigation, J.H.; resources, Y.L.; data curation, K.G.; writing—original draft preparation, K.G. and Y.H.; writing—review and editing, J.H. and Y.L.; visualization, K.G.; supervision, Y.L.; project administration, Y.L. and X.C.; funding acquisition, Y.L. and X.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Guangdong Natural Science Foundation under grant number 2024A1515010137 and was funded in part by the National Natural Science Foundation of China under grant 62476096.

Data Availability Statement

The supporting data for this manuscript are available upon request directly from the author.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

References

  1. Coppersmith, D. The Data Encryption Standard (DES) and its strength against attacks. IBM J. Res. Dev. 1994, 38, 243–250.
  2. Wright, M.A. The advanced encryption standard. Netw. Secur. 2001, 2001, 11–13.
  3. Li, P.; Lo, K. A content-adaptive joint image compression and encryption scheme. IEEE Trans. Multimed. 2018, 20, 1960–1972.
  4. Li, P.; Lo, K.T. Joint image encryption and compression schemes based on 16 × 16 DCT. J. Vis. Commun. Image Represent. 2019, 58, 12–24.
  5. Peng, Y.; Fu, C.; Cao, G.; Song, W.; Chen, J.; Sham, C.W. JPEG-compatible Joint Image Compression and Encryption Algorithm with File Size Preservation. ACM Trans. Multimed. Comput. Commun. Appl. 2024, 20, 1–20.
  6. Cheng, H.; Xiaobo, L. On the application of image decomposition to image compression and encryption. In Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security II, Essen, Germany, 23–24 September 1996; pp. 116–127.
  7. Massoudi, A.; Lefebvre, F.; De Vleeschouwer, C.; Macq, B.; Quisquater, J.J. Overview on selective encryption of image and video: Challenges and perspectives. EURASIP J. Inf. Secur. 2008, 2008, 179290.
  8. Puech, W.; Rodrigues, J. Crypto-compression of medical images by selective encryption of DCT. In Proceedings of the 13th European Signal Processing Conference, Antalya, Turkey, 4–8 September 2005; pp. 1–4.
  9. Pinto, M.; Puech, W.; Subsol, G. Protection of JPEG compressed E-comics by selective encryption. In Proceedings of the 20th IEEE International Conference on Image Processing (ICIP 2013), Melbourne, VIC, Australia, 15–18 September 2013; pp. 4588–4592.
  10. Lian, S. Efficient image or video encryption based on spatiotemporal chaos system. Chaos Solitons Fractals 2009, 40, 2509–2519.
  11. Khan, N.A.; Altaf, M.; Khan, F.A. Selective encryption of JPEG images with chaotic based novel S-box. Multimed. Tools Appl. 2021, 80, 9639–9656.
  12. Li, P.; Meng, J.; Sun, Z. A new JPEG encryption scheme using adaptive block size. In Advances in Intelligent Information Hiding and Multimedia Signal Processing: Proceeding of the 16th International Conference on IIHMSP in Conjunction with the 13th International Conference on FITAT, Ho Chi Minh City, Vietnam, 5–7 November 2020; Springer: Singapore, 2021; Volume 211, pp. 140–147.
  13. Li, S.; Zhang, Y. Quantized DCT coefficient category address encryption for JPEG image. KSII Trans. Internet Inf. Syst. 2016, 10, 1790–1806.
  14. Auer, S.; Bliem, A.; Engel, D.; Uhl, A.; Unterweger, A. Bitstream-based JPEG encryption in real-time. Int. J. Digit. Crime Forensics 2013, 5, 1–14.
  15. Puteaux, P.; Yriarte, F.; Puech, W. A secret JPEG image sharing method over GF(2^M) galois fields. IEEE Trans. Circuits Syst. Video Technol. 2022, 33, 3030–3042.
  16. Yuan, Y.; He, H.; Yang, Y.; Mao, N.; Chen, F.; Ali, M. JPEG image encryption with grouping coefficients based on entropy coding. J. Vis. Commun. Image Represent. 2023, 97, 103975.
  17. Li, P.; Lo, K.T. Survey on JPEG compatible joint image compression and encryption algorithms. IET Signal Process. 2020, 14, 475–488.
  18. Li, C. When an attacker meets a cipher-image in 2018: A year in review. J. Inf. Secur. Appl. 2019, 48, 102361.
  19. He, J.; Huang, S.; Tang, S.; Huang, J. JPEG image encryption with improved format compatibility and file size preservation. IEEE Trans. Multimed. 2018, 20, 2645–2658.
  20. Cardona-López, M.A.; Chimal-Eguía, J.C.; Silva-García, V.M.; Flores-Carapia, R. Statistical Analysis of the Negative–Positive Transformation in Image Encryption. Mathematics 2024, 12, 908.
  21. Chen, J.; Chen, L.; Zhou, Y. Universal chosen-ciphertext attack for a family of image encryption schemes. IEEE Trans. Multimed. 2021, 23, 2372–2385.
  22. He, H.; Yuan, Y.; Ye, Y.; Tai, H.M.; Chen, F. Chosen Plaintext Attack on JPEG Image Encryption with Adaptive Key and Run Consistency. J. Vis. Commun. Image Represent. 2023, 90, 103733.
  23. Yuan, Y.; He, H.; Chen, F. On the security of encrypted JPEG image with adaptive key generated by invariant characteristic. In Digital Forensics and Watermarking: 20th International Workshop, IWDW 2021, Beijing, China, 20–22 November 2021; Springer: Cham, Switzerland, 2022; Volume 13180, pp. 58–71.
  24. Benrhouma, O.; Hermassi, H.; El-Latif, A.A.A.; Belghith, S. Cryptanalysis of a video encryption method based on mixing and permutation operations in the DCT domain. Signal Image Video Process. 2015, 9, 1281–1286.
  25. Lee, M.K.; Jang, E.S. Cryptanalysis of start code-based encryption method for HEVC. IEEE Access Pract. Innov. Open Solut. 2021, 9, 92568–92577.
  26. Preishuber, M.; Hütter, T.; Katzenbeisser, S.; Uhl, A. Depreciating motivation and empirical security analysis of chaos-based image and video encryption. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2137–2150.
  27. Li, C.; Lin, D.; Feng, B.; Lü, J.; Hao, F. Cryptanalysis of a chaotic image encryption algorithm based on information entropy. IEEE Access Pract. Innov. Open Solut. 2018, 6, 75834–75842.
  28. Feng, W.; He, Y. Cryptanalysis and improvement of the hyper-chaotic image encryption scheme based on DNA encoding and scrambling. IEEE Photonics J. 2018, 10, 1–15.
  29. Xiang, T.; Guo, S.; Li, X. Perceptual visual security index based on edge and texture similarities. IEEE Trans. Inf. Forensics Secur. 2016, 11, 951–963.
  30. Wu, Y.; Zhou, Y.; Saveriades, G.; Agaian, S.; Noonan, J.P.; Natarajan, P. Local shannon entropy measure with statistical tests for image randomness. Inf. Sci. 2013, 222, 323–342.
  31. Chuman, T.; Kiya, H. Security evaluation for block scrambling-based image encryption including JPEG distortion against jigsaw puzzle solver attacks. IEICE Trans. 2018, 101-A, 2405–2408.
  32. Özkaynak, F. Brief review on application of nonlinear dynamics in image encryption. Nonlinear Dyn. 2018, 92, 305–313.
  33. Mitchell, J. Digital Compression and Coding of Continuous-Tone Still Images: Requirements and Guidelines; ITU-T Recommendation T.81; International Telecommunication Union: Geneva, Switzerland, 1992; Available online: https://www.itu.int/rec/T-REC-T.81-199209-I/en (accessed on 28 May 2025).
Figure 1. Plaintext image O, image O , ciphertext image E. (Ψ = {3, 1, 2}, $\Pi_0$ = {5, 2, 4, 1, 3}, $\Pi_1$ = {2, 4, 3, 1}).
Figure 2. The constructed non-zero ACC of image (A) and (B) when two plaintext images are needed.
Figure 3. The overall process of the original CPA scheme when x = 2.
Figure 4. Run sequences of z after the additive value method—all run sequences are unique. (a) z = 6; (b) z = 8; (c) z = 282.
Figure 5. Run sequences of 8 MCUs after the additive value method—run sequence {56, 1, 0, 0, 1} already exists.
Figure 6. The overall process of the improved CPA scheme when x = 2.
Figure 7. The decrypted image of lake (single-permutation method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 8. The decrypted image of lena (single-permutation method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 9. The decrypted image of boat (single-permutation method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 10. The decrypted image of baboon (single-permutation method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 11. The decrypted image of lake (additive value method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 12. The decrypted image of lena (additive value method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 13. The decrypted image of boat (additive value method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 14. The decrypted image of baboon (additive value method). (a) QFs = 95; (b) QFs = 85; (c) QFs = 80; (d) QFs = 65; (e) QFs = 60.
Figure 15. The attack results on 100 JPEG images with QF = 95.
Figure 16. The attack results on 100 JPEG images with QF = 85.
Figure 17. The composition of the MCUs with RCM in 100 constructed plaintext images with QF = 85.
Table 1. The PSNR of ACC between original images and attacked images (single-permutation method).

| QFs | Lake | Lena | Boat | Baboon |
|---|---|---|---|---|
| 95 | Inf | Inf | Inf | Inf |
| 90 | Inf | Inf | Inf | Inf |
| 85 | 14.76 | 17.99 | Inf | Inf |
| 80 | 15.12 | 18.24 | 16.46 | Inf |
| 75 | 15.63 | 18.97 | 17.03 | Inf |
| 70 | 15.96 | 19.15 | 17.18 | Inf |
| 65 | 16.09 | 19.16 | 17.19 | 36.13 |
| 60 | 16.32 | 19.42 | 17.59 | Inf |

Table 2. The number of MCUs with RCM in the constructed plaintext image before and after the additive value method is used.

| QFs | Lake− | Lake+ | Lena− | Lena+ | Boat− | Boat+ | Bab− | Bab+ |
|---|---|---|---|---|---|---|---|---|
| 95 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 90 | 20 | 0 | 48 | 0 | 2 | 0 | 0 | 0 |
| 85 | 152 | 0 | 287 | 0 | 45 | 0 | 0 | 0 |
| 80 | 384 | 4 | 867 | 2 | 207 | 0 | 6 | 0 |
| 75 | 597 | 34 | 1300 | 25 | 533 | 18 | 6 | 0 |
| 70 | 792 | 98 | 1697 | 162 | 856 | 93 | 20 | 0 |
| 65 | 949 | 189 | 2029 | 387 | 1140 | 187 | 40 | 0 |
| 60 | 1154 | 277 | 2223 | 602 | 1345 | 310 | 73 | 0 |

Table 3. The PSNR of ACC between original images and attacked images (additive value method).

| QFs | Lake | Lena | Boat | Baboon |
|---|---|---|---|---|
| 95 | Inf | Inf | Inf | Inf |
| 90 | Inf | Inf | Inf | Inf |
| 85 | Inf | Inf | Inf | Inf |
| 80 | 19.02 | 20.92 | Inf | Inf |
| 75 | 15.72 | 19.06 | 17.09 | Inf |
| 70 | 15.93 | 19.15 | 17.16 | Inf |
| 65 | 16.11 | 19.25 | 17.34 | Inf |
| 60 | 16.36 | 19.43 | 17.56 | Inf |