Tilewise Domain-Separated Selective Encryption for Remote Sensing Imagery under Chosen-Plaintext Attacks

Selective image encryption is common in remote sensing systems because it protects sensitive regions of interest (ROI) while limiting computational cost. However, many selective designs enable cross-tile structural leakage under chosen-plaintext attacks when secret-dependent transformations are reused across spatial positions. This paper proposes Tilewise Domain-Separated Selective Encryption (TDS-SE), where per-tile (and optionally per-frame) keys are derived from a master secret via HKDF with explicit domain separation, and ROI masks are treated strictly as external side information. Structural leakage is evaluated using two reconstruction-based distinguishers -- a linear model and a lightweight convolutional neural network -- under multiple attack settings. Experiments on RESISC45 and SEN12MS cover ablation tests, cross-position transferability, cross-sample generalization, and ROI-knowledge asymmetry. Results show that per-tile domain separation reduces position-conditioned transfer for the linear probe, and that adding frame freshness improves robustness to imperfect ROI assumptions for the CNN probe. Cross-sample generalization exhibits mixed behavior across settings, consistent with an empirical evaluation perspective, while selective-encryption functionality is preserved under the same tiling and ROI policy. Beyond the method itself, the paper provides a structured protocol for evaluating selective encryption under realistic attacker capabilities.