2

Are there any cryptographic methods $f,g,h$ which can be applied in any order to an input $x$ while still resulting in the same result $r$:

$$f(g(h(x)))=h(g(f(x)))=ghf(x)=fhg(x)=hfg(x)=gfh(x) = r$$

Same for their inverse functions:

$$f^{-1}(g^{-1}(h^{-1}(r)))=h^{-1}(g^{-1}(f^{-1}(r)))=g^{-1}(h^{-1}(f^{-1}(r))) =...= x$$

If $f,g,h$ are now applied $i,j,k$ times to an input $x$, finding/computing $x$ for a given $c$

$$c=f^i(g^j(h^k(x)))$$

should be as hard as possible, and with this taking more than $O(|i|+|j|+|k|)$ steps.

Computing $f,g,h$ and their inverses needs to take a similar time for each input (independent of $i,j,k$).

Furthermore, $f,g,h$ produce a cycle like $f(f(\dots f(x)\dots)) = x$ with sizes $F,G,H$, with $F\approx G \approx H \gg 1$.

And random $x$ can be generated without knowledge of the secret parameters of $f,g,h$.


Target: Given two random $x_1,x_2$ with $x_2=f^ig^jh^k(x_1)$, computing/finding $i,j,k$ should be as hard as possible, while the number of different $x$ should be as small as possible.
Not preferable, but some combinations of $x_1,x_2$ may not have any $i,j,k$.

J. Doe

1 Answer

3

Let $N$ be the product of two large strong primes, i.e. $N=pq$, $p=2r+1$, $q=2s+1$ with $p$, $q$, $r$ and $s$ all prime. We also require 3 numbers that are primitive roots for both $r$ and $s$ (given primitive roots mod $r$ and $s$ we can do this with the Chinese remainder theorem). We'll take these three numbers to be 3, 5 and 7 below. We assume that $N$ is hard to factor and to solve discrete logarithms modulo $N$ is also hard.

Let $x$ be any square in $\mathbb Z/N\mathbb Z$ (e.g. choose a random element and square it). Now let $f(x)=x^3\mod N$, $g(x)=x^5\mod N$ and $h(x)=x^7\mod N$. Note $f(g(h(x)))=x^{105}\mod N$ and the same for the other orderings. There's a similar relationship of the inverses (though computing the inverse is as hard as RSA decryption).

Fast computation of $f^ig^jh^k(x)$ would allow us to giant step RSA encryption which is believed to be hard unless we know the factors of $N$.

Finally, iterated applications of $f$, $g$ and $h$ produce a cycle of length $\mathrm{lcm}((r-1),(s-1))$ unless $x$ is either an $r$th or $s$th power modulo $N$ (which is vanishingly unlikely).

Daniel S
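The construction from this answer run on toy numbers, as an added example that is not part of the original answer. The primes $r=173$, $s=293$ are constructed so that 3, 5 and 7 are primitive roots modulo both and are far too small to be secure; all function names are assumptions made for illustration.

```python
from itertools import permutations
from math import gcd

# Constructed toy parameters: p = 2r+1 and q = 2s+1, all four prime,
# with 3, 5 and 7 primitive roots modulo both r and s. Not secure sizes.
R, S = 173, 293
P, Q = 2 * R + 1, 2 * S + 1          # 347 and 587
N = P * Q                            # public modulus
ORDER = R * S                        # order of the squares mod N (secret)
EXPECTED_CYCLE = (R - 1) * (S - 1) // gcd(R - 1, S - 1)   # lcm(r-1, s-1)

def f(x): return pow(x, 3, N)
def g(x): return pow(x, 5, N)
def h(x): return pow(x, 7, N)

def inverse_of(e):
    """Inverse of x -> x^e on the squares; needs the factorisation of N."""
    d = pow(e, -1, ORDER)
    return lambda y: pow(y, d, N)

def compose_all_orders(x):
    """Apply f, g, h in all six orders and collect the distinct results."""
    results = set()
    for order in permutations((f, g, h)):
        y = x
        for fn in order:
            y = fn(y)
        results.add(y)
    return results

def iterate_naive(x, i, j, k):
    """f^i g^j h^k (x) using only N: i + j + k single applications."""
    for fn, n in ((h, k), (g, j), (f, i)):
        for _ in range(n):
            x = fn(x)
    return x

def iterate_trapdoor(x, i, j, k):
    """Same value in one exponentiation, reducing modulo the secret ORDER."""
    e = pow(3, i, ORDER) * pow(5, j, ORDER) * pow(7, k, ORDER) % ORDER
    return pow(x, e, N)

def cycle_length(fn, x):
    """Number of applications of fn needed to return to x."""
    y, n = fn(x), 1
    while y != x:
        y, n = fn(y), n + 1
    return n

X = pow(2, 2, N)   # a square whose order is exactly R * S
```

Only `iterate_trapdoor` and `inverse_of` use `ORDER`, which is computable from the factors of $N$; everything else works from the public modulus alone.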