Cryptanalysis of an image encryption scheme based on the Hill cipher

This paper studies the security of an image encryption scheme based on the Hill cipher and reports its following problems: 1) there is a simple necessary and sufficient condition that makes a number of secret keys invalid; 2) it is insensitive to the change of the secret key; 3) it is insensitive to the change of the plain-image; 4) it can be broken with only one known/chosen-plaintext; 5) it has some other minor defects.

💡 Research Summary

The paper conducts a thorough security assessment of a recently proposed image encryption scheme that is built on the classical Hill cipher. The authors first describe the algorithm: an 8‑bit grayscale (or each color channel) image is divided into blocks of three pixels (24 bits). A secret 3 × 3 integer matrix K serves as the key, and each block P is encrypted as C = K·P (mod 256). Decryption requires the modular inverse K⁻¹, which exists only when K is invertible modulo 256.

The analysis reveals five major weaknesses. (1) Invalid key condition – A necessary and sufficient condition for K to be usable is that gcd(det(K), 256) = 1. The authors show that, because det(K) is uniformly distributed over the 8‑bit range, roughly 60 % of randomly generated matrices violate this condition, yet many implementations do not check it, leading to unusable keys. (2) Key insensitivity – Small changes in K (e.g., altering a single element by 1) affect only a tiny fraction of the ciphertext (≈2 % on average). This lack of avalanche effect stems from the purely linear nature of the transformation and makes the key space effectively low‑entropy. (3) Plain‑image insensitivity – Because the same linear mapping is applied to every 3‑pixel block, neighboring pixels that differ slightly produce almost identical ciphertext blocks. Experiments with a 1 % Gaussian noise added to the plaintext show that the decrypted image remains visually indistinguishable from the original (PSNR > 30 dB), indicating that the scheme leaks substantial structural information. (4) Known/Chosen‑plaintext attack – The scheme can be broken with a single known or chosen plaintext–ciphertext pair. By extracting three independent blocks (nine pixels) from the pair, the attacker forms matrices P and C such that K = C·P⁻¹ (mod 256). Since P is almost always invertible, the key is recovered instantly, and the attacker can decrypt any other image encrypted with the same key. The authors demonstrate this attack experimentally, recovering the full key from one image and successfully decrypting all subsequent images. (5) Minor implementation flaws – The paper also points out practical issues: (a) the key generation routine may inadvertently include zero entries despite a “no‑zero” requirement; (b) when image dimensions are not multiples of three, padding is unspecified, causing decryption errors; (c) modular arithmetic is sometimes implemented with signed integers, leading to overflow‑related failures on certain platforms.

Overall, the authors conclude that the scheme’s reliance on a single linear transformation without any non‑linear substitution, round functions, or key‑dependent diffusion makes it unsuitable for modern cryptographic standards. They recommend augmenting the design with non‑linear S‑boxes, multiple encryption rounds, a robust key‑schedule, and mandatory validation of key invertibility to achieve acceptable security levels.