An Extended Chaotic Maps-Based Three-Party Password-Authenticated Key Agreement with User Anonymity

User anonymity is one of the key security features of an authenticated key agreement, especially when messages are exchanged over an insecure network. Owing to the favourable properties and higher performance of chaotic theory, chaotic maps have been introduced into security schemes, and numerous chaotic-maps-based key agreement schemes have been put forward. Recently, Xie et al. released an enhancement of Farash et al.'s scheme and claimed that their improvements withstand the security loopholes pointed out in the scheme of Farash et al., i.e., that they resist the off-line password guessing and user impersonation attacks. Nevertheless, our careful analysis shows that the improvements released by Xie et al. still do not solve the problems found in Farash et al.'s scheme. Besides, Xie et al.'s improvements fail to achieve user anonymity and session key security. With the purpose of eliminating the security risks of the scheme of Xie et al., we design an anonymous password-based three-party authenticated key agreement under chaotic maps. Both a formal analysis and a formal security verification using AVISPA are presented. Also, BAN logic is used to show the correctness of the enhancements. Furthermore, we demonstrate that the design thwarts most of the common attacks. We also compare the recent chaotic-maps-based schemes with our enhancements in terms of performance.


Introduction
Authenticated key exchange protocols are among the core cryptographic mechanisms for ensuring network security; they aim at establishing a common session key between the communicating participants. For authenticated key exchange over an open environment, both security and privacy are desired. Over the past few decades, many works on authenticated key exchange have been done using various cryptographic primitives (e.g., symmetric cryptography, public key cryptography, hash functions, etc.) for different applications [1][2][3][4][5][6][7][8][9][10][11].
With the infiltration and merging of many scientific branches, chaotic theory has entered the field of vision of cryptography researchers. Chaotic theory possesses the properties of unpredictability and sensitivity to parameters and initial conditions, which meet some essential requirements of cryptography. Subsequently, cryptography based on chaos theory has been studied widely. Chaotic maps have been applied in the design of symmetric encryption [12][13], S-boxes [14], signatures [15] and hash functions [16]. Additionally, chaotic systems have also been applied to the design of key agreements, and various chaotic maps-based key agreements and related approaches have been presented recently [17][18][19][20], because chaotic map operations offer the semi-group property and are more efficient than point multiplications on an elliptic curve and modular exponentiation operations [21][22].
According to the number of participants, authenticated key exchange schemes are divided into two-party, three-party, and multi-party schemes. Two-party authenticated key exchange schemes are used to establish a session key in a client-server environment. Three-party authenticated key exchange schemes were proposed to overcome the infeasibility of two-party schemes for exchanging session keys in large-scale communication environments. In 2011, Wang et al. [23] developed a three-party authenticated key agreement scheme using chaotic maps. However, Yoon et al. [24] showed that the scheme of Wang et al. was vulnerable to an illegal message modification attack and then presented an improvement. Next, Lee et al. [25] presented a chaotic maps-based three-party authenticated key agreement scheme without using smart cards. However, Hu et al. [26] proved that their scheme was not secure against the man-in-the-middle attack when the identity was lost. After that, Farash et al. [27] proposed a three-party authenticated key agreement without applying symmetric cryptography or the server's public key. Nevertheless, Xie et al. [28] pointed out that the three-party authenticated key agreement proposed by Farash et al. could not withstand the off-line password guessing attack, and thus suffered from the user impersonation attack. In order to prevent these security threats, Xie et al. presented an enhancement without using the server's public key. Both Farash et al.'s and Xie et al.'s schemes are efficient, but not using the server's public key is no guarantee of safety. The most important thing to consider is that the identity of the user is a key piece of personal privacy. Generally, there is a growing requirement for protecting user privacy information from being leaked and abused, which outlines the need for designing schemes that can attain user anonymity.
The adoption of public key cryptography is essential for protecting user anonymity, as verified by the excellent work in [29]. Through our careful analysis, we found that the scheme proposed by Xie et al. could not achieve user anonymity. In addition, their scheme could not resist off-line password guessing, and therefore suffers from the user impersonation attack. Furthermore, session key security could not be provided in their scheme. Motivated by this, we design an extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. Both a formal analysis and a formal security verification using AVISPA [30][31] are presented. Also, BAN logic [32] is used to show the correctness of the enhancements. Furthermore, we demonstrate that the design thwarts most of the common attacks. We also compare the recent chaotic-maps-based schemes with our enhancements in terms of performance.
The rest of the paper is organized as follows. The Chebyshev chaotic maps and the related intractable problems are introduced in Section 2. The cryptanalysis of Xie et al.'s scheme is presented in Section 3. Section 4 proposes a chaotic maps-based three-party authenticated key agreement. The security analysis of our scheme and the comparison with other works are described in Sections 5 and 6, respectively. We summarize the whole paper in Section 7.

Preliminaries
We now introduce the Chebyshev chaotic maps and the related intractable problems [33][34].
Chebyshev polynomial. Let n be an integer and x ∈ [−1, 1]. The Chebyshev polynomial T_n(x): [−1, 1] → [−1, 1] is defined as T_n(x) = cos(n · arccos(x)). The recurrent formula of the Chebyshev polynomial is shown as:
Semi-group property. For p, q ∈ N, T_p(T_q(x)) = T_{pq}(x) = T_q(T_p(x)) (mod N).
Discrete logarithm problem. Given the parameters x and y, it is intractable to find an integer p such that T_p(x) = y.
Diffie-Hellman problem. Given the parameters x, T_p(x), and T_q(x), it is intractable to compute the value T_{pq}(x).

System setup
The server S performs the following steps: selects its secret key s; selects a large prime number p and x ∈ Z_p; selects a secure one-way hash function h_1(); selects a chaotic maps-based one-way hash function h(). Finally, S keeps the secret key s and releases the parameters {p, x, h_1(), h()}.

Registration
User A registers with the server S as below:
Step 1: User A computes PW_A = T_{pw_A}(x) mod p and sends {ID_A, PW_A} to S through a secure channel, where ID_A and pw_A are the identity and password of A, respectively.
Step 2: The server S computes VPW_A = h_1(ID_A, s) + PW_A and stores {ID_A, VPW_A} in its database.
User B registers with S by the same process, which we omit.

Authentication and key exchange
The establishment of the session key among A, B and S proceeds as follows:
Step 1: User A computes R_A = T_a(x) mod p and sends {ID_A, ID_B, R_A} to S, where a ∈ [1, p + 1].
Step 2: Upon receiving the login message, S computes PW_A = VPW_A − h(ID_A, s), PW_B = VPW_B − h(ID_B, s), R_{S1} = T_{S1}(x) − PW_A mod p and R_{S2} = T_{S2}(x) − PW_B mod p, then sends {ID_A, R_{S2}} to B and {ID_B, R_{S1}} to A.
Step 3:
Step 4: Upon receiving the messages from A and B, S computes K_{SB} = T_{S2}(R_B) = T_{S2b}(x) mod p and checks whether h(0, ID_B, ID_A, R_B, R_{S2}, K_{SB}) ≟ Z_{BS}. If it holds, S computes K_{SA} = T_{S1}(R_A) = T_{S1a}(x) mod p and checks whether h(0, ID_A, ID_B, R_A, R_{S1}, K_{SA}) ≟ Z_{AS}. If it holds, S com-

Password change
If user A wants to update his password to a new one, he performs the following steps:
Step 1:
Step 2: S first checks whether h(1, ID_A, R_A, R_{S1}, K_{SA}, V_A, M_A) ≟ Z_{AS}. If it holds, S computes PW_A = PWD − h(K_{SA}, ID_A) mod p and checks whether h(K_{SA}, PW_A) ≟ V_A. If it holds, S computes
Step 3: When A receives {Accept, R_1}, he verifies whether h(1, ID_A, PWD, V_A, K_{AS}) ≟ R_1. If true, A accepts pw^{new}_A as his new password. Otherwise, he verifies whether h(0, ID_A, PWD, V_A, K_{AS}) ≟ R_2 and returns to Step 1 to execute the above steps again.

Cryptanalysis of Xie et al.'s scheme
Xie et al. declared that their improvements withstand the off-line password guessing attack and the user impersonation attack which Farash et al.'s scheme failed to resist. However, we demonstrate that their improvement does not really resist the off-line password guessing attack, and thus suffers from the user impersonation attack. Besides, we also demonstrate that their improvements do not achieve session key security as stated. Furthermore, user anonymity is also not provided by their improvements. To launch the attacks, we adopt the attack model proposed by Xu et al. [35]. Under their assumption, an attacker U can completely monitor the open communication channel, thus inserting, deleting, and modifying any messages among correspondents.

Off-line password guessing attack
U can perform the attack by intercepting the transmitted messages {ID_A, ID_B, R_A} and Z_{AS} from A to S, as below:
Step 1: U computes R_A = T_a(x) mod p and sends {ID_A, ID_B, R_A} to S, where a ∈ [1, p + 1] is a random number.
Step 2:
Step 3: U guesses a candidate password PW'_A and computes
After that, U checks whether Z_{AS} ≟ h(0, ID_A, ID_B, R_A, R_{S1}, K_{AS}). If the equation holds, U has obtained the correct password. Otherwise, U repeats the above steps until he succeeds.

User impersonation attack
After obtaining the password of user A (or user B), U can masquerade as the legitimate user A (or user B) to cheat the server S and the user B (or user A). Following the previous subsection, once U guesses correctly, he sends {Z_{AS}} to S. Upon receiving the messages from U, S executes the original scheme without detecting anything. Finally, S sends {R_B, Z_{AB}} to U. After receiving the messages from S, U verifies whether
That is, U has successfully wormed his way into the confidence of S and B.

Anonymity of users
The user identity is an important piece of personal privacy. In many cases, U may exploit the user identity to link different login sessions together and trace user activities [29]. Moreover, the exposure of user identity and activities may also allow an unauthorized entity to trace the user's login history and even current location [36]. In Xie et al.'s scheme, the message transmitted from A to S {ID_A, ID_B, R_A}, the message sent from S to A {ID_B, R_{S1}}, and the message transmitted from S to B {ID_A, R_{S2}} all expose the identities of A and B. This gives U an easy opportunity to obtain the identity, learn who is requesting the service and further trace that user's position. This means Xie et al.'s scheme fails to achieve user anonymity.

Violation of the session key security
After deriving the password PW_A by the off-line password guessing attack, U can easily derive the session key shared between A and B after intercepting the transmitted messages R_A and R_B. U can then compute an integer solution a* (or b*) satisfying the equation by adopting the method of Bergamo et al. [22]:
With the values a* and b*, U can compute the session key:

System initialization
The server S performs the following steps:
Step 1: Selects a random number x ∈ Z_p;
Step 2: Selects a private key k ∈ [1, p + 1] and computes T_k(x) mod p as its public key;
Step 3: Selects a chaotic map hash function h(). S keeps the secret key k and releases the parameters {p, x, T_k(x) mod p, h()}.

Registration
The registration phase of A/B is as below:
Step 1: to the server S, where r_A and r_B are random numbers;
Step 2: Upon receiving the registration request, S computes
Next, S randomly chooses a secret key r for A and sends it to A via the private channel. Note that r is kept securely by A and is different for each user A. Finally, S stores k ⊕ r and VPW_A/VPW_B in its memory.

Session key establishment
After registering with the server S, users A and B establish the session key with the help of S as follows:
Step 1: Using the stored shared secret key r, user A computes his own version of
Step 2: Upon receiving the message, S first derives r by computing k ⊕ r ⊕ k and obtains {ID_A, ID_B, T_a(x), F_A} by decrypting C_A with the computed symmetric key K_{AS} = T_k(T_r(x)). Next, S checks whether h(ID_A, ID_B, T_a(x),
Step 4: S decrypts P_B to get T_b(x) and H_B using g_B. After that, S examines whether
, ID_A, Z_{AS}) and returns R_{AS} to A, where S1 is a random number and K_{AS} = T_k(T_r(x)) is the key shared between A and S. At the same time, S also computes Z_{BS} = h(ID_A, ID_B, T_a(x), T_{S2}(x)) and R_{BS} = E_{K_{BS}}(T_{S2}(x), T_a(x), ID_B, Z_{BS}) and returns R_{BS} to B, where S2 is a random number and K_{BS} = T_k(T_b(x)).
Step 5: Upon receiving the message from S, A checks whether h(ID_A, ID_B, T_b(x), T_{S1}(x)) ≟ Z_{AS}, which is decrypted from R_{AS}. If it holds, A computes the session key SK = T_a(T_b(x)) and V_A = h(ID_A, SK), and then sends V_A to B. Similarly, B verifies the validity of Z_{BS} = h(ID_A, ID_B, T_a(x), T_{S2}(x)), which is derived from R_{BS}. If it holds, B computes the session key SK = T_b(T_a(x)) and V_B = h(ID_B, SK), and then sends V_B to A.
Step 6: Upon receiving the message from B, A verifies whether h(ID_B, SK) is equal to the received V_B. If the verification holds, A accepts SK as the shared session key for encrypting the following messages. Otherwise, A aborts the session. At the same time, B checks the correctness of V_A = h(ID_A, SK). If the result is true, B agrees on the session key SK with A.
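The semi-group property from the Preliminaries and the session key derivation of Steps 5 and 6 (SK = T_a(T_b(x)) = T_b(T_a(x)), confirmed through V_A = h(ID_A, SK) and V_B = h(ID_B, SK)), as an added, runnable example; this is not the paper's own code. It assumes the extended Chebyshev map over Z_p, a deliberately small prime modulus, SHA-256 standing in for h(·), and it leaves out the server's relaying of the values inside authenticated ciphertexts.

```python
import hashlib
import random

# Constructed toy parameters (NOT secure sizes): a small prime modulus p and a public seed x in Z_p.
P_MOD = 1_000_003          # assumed small prime, far below real-world parameter sizes
X_SEED = 12345             # public parameter x, as released by S in the system initialization


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """Extended Chebyshev polynomial T_n(x) mod p.

    Uses the recurrence T_0(x) = 1, T_1(x) = x, T_n(x) = 2x*T_{n-1}(x) - T_{n-2}(x), evaluated
    in O(log n) by exponentiating the companion matrix M = [[2x, -1], [1, 0]], because
    [T_{k+1}, T_k]^T = M * [T_k, T_{k-1}]^T.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p

    def mul(a, b):
        return (
            ((a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
             (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p),
            ((a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
             (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p),
        )

    acc = ((1, 0), (0, 1))                 # identity matrix
    base = ((2 * x % p, p - 1), (1, 0))    # M, with -1 represented as p - 1
    e = n
    while e:                               # square-and-multiply on the matrix
        if e & 1:
            acc = mul(acc, base)
        base = mul(base, base)
        e >>= 1
    # acc = M^n, so [T_{n+1}, T_n] = M^n * [T_1, T_0] = M^n * [x, 1]; take the second row.
    return (acc[1][0] * x + acc[1][1]) % p


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """Check T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) (mod p), the property the key agreement relies on."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, p), p)
    mid = chebyshev_mod(r * s, x, p)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, p), p)
    return lhs == mid == rhs


def h(*parts) -> str:
    """Stand-in for the scheme's hash h(.): SHA-256 over the '|'-joined inputs (an assumption)."""
    return hashlib.sha256("|".join(str(v) for v in parts).encode()).hexdigest()


def establish_session_key(a: int, b: int, x: int, p: int, id_a: str, id_b: str) -> dict:
    """Chaotic Diffie-Hellman between A (secret a) and B (secret b) with key confirmation.

    A contributes T_a(x) and B contributes T_b(x); each side derives SK = T_a(T_b(x)) = T_b(T_a(x)),
    then sends V_A = h(ID_A, SK) / V_B = h(ID_B, SK), which the peer recomputes and compares.
    """
    t_a = chebyshev_mod(a, x, p)
    t_b = chebyshev_mod(b, x, p)
    sk_a = chebyshev_mod(a, t_b, p)      # A's view of SK
    sk_b = chebyshev_mod(b, t_a, p)      # B's view of SK
    v_a = h(id_a, sk_a)                  # A -> B
    v_b = h(id_b, sk_b)                  # B -> A
    a_accepts = v_b == h(id_b, sk_a)     # Step 6: A recomputes h(ID_B, SK) and compares with V_B
    b_accepts = v_a == h(id_a, sk_b)     # Step 6: B recomputes h(ID_A, SK) and compares with V_A
    return {"T_a": t_a, "T_b": t_b, "SK_A": sk_a, "SK_B": sk_b,
            "A_accepts": a_accepts, "B_accepts": b_accepts}


if __name__ == "__main__":
    rng = random.Random(7)               # fixed seed so the demo is reproducible
    a, b = rng.randrange(1, P_MOD + 2), rng.randrange(1, P_MOD + 2)
    print("semi-group property holds:", semigroup_holds(a, b, X_SEED, P_MOD))
    print(establish_session_key(a, b, X_SEED, P_MOD, "ID_A", "ID_B"))
```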

Password update
When A intends to change his password after a successful handshake between A and S, he performs the following steps:
Step 1: A selects a new password pw*_A, computes R_A = E_{T_r(x)}(ID_A, h_1(pw*_A, r_A), h_1(pw_A, r_A), Z_{AS}) and Z_{AS} = h(ID_A, T_{S1}(x), K_{AS}), and sends them to S.
Step 2: S decrypts R_A to retrieve {ID_A, h_1(pw*_A, r_A), h_1(pw_A, r_A), Z_{AS}} using the shared secret key r and verifies whether h(ID_A, T_{S1}(x), K_{AS}) ≟ Z_{AS}. If it is correct, S computes
If B plans to change his password after a successful authentication between B and S, he performs the following steps:
Step 1: B selects a new password pw*_B and computes
Step 2: S decrypts R_B to retrieve {ID_B, h_1(pw*_B, r_B), h_1(pw_B, r_B), Z_{BS}} with the shared key K_{BS} and verifies whether h(ID_B, T_{S2}(x),

Security analysis of the proposed scheme
In this part, we first present a formal security analysis and then adopt the well-known formal tool for analyzing cryptographic protocols, BAN logic, to demonstrate the validity of the session key established between A and B with the help of the server S. After that, we discuss the security of the proposed scheme according to the known security attributes. Finally, we use formal verification software to demonstrate that our scheme is secure.

Formal security proof of the proposed scheme
Based on the one-way property of the hash function [16] and the ciphertext indistinguishability of the symmetric cryptography algorithm [37], this part gives the formal analysis of the proposed scheme.
Symmetric cryptography algorithm Θ assumption: Denote the Θ advantage by Adv^Θ_P. Θ is secure if Adv^Θ_P is negligible for any probabilistic polynomial-time adversary.
Theorem 1. Let Θ be secure. Assume that the one-way hash function h(·) behaves as a random oracle; then our proposed password-authenticated key agreement prevents an adversary U from extracting the identity ID_A of the user A and the session key SK between the user A and the user B.
Reveal 1: This oracle unconditionally outputs the cleartext m of the symmetric cryptography algorithm Θ for the corresponding ciphertext C = Enc_k(m).
Reveal 2: This oracle unconditionally outputs the input x of the hash function for the corresponding hash value y = h(x).
Proof. The adversary U executes the experiments Exp1^Θ_{U,TPPPAKA} (Table 1) and Exp2^Hash_{U,TPPPAKA} (Table 2) for our three-party password-authenticated key agreement. Suppose that the adversary U could obtain the identity ID_A of the user A and the session key SK between the user A and the user B, which means U has an extremely high probability, Max_U Succ_1 and Max_U Succ_2, of winning the game within the running time t_i and the number of queries q_i (i = 1, 2), where Succ_1 = |Pr(Exp1^Θ_{U,TPPPAKA} = 1) − 1| and Succ_2 = |Pr(Exp2^Hash_{U,TPPPAKA} = 1) − 1|. However, both are computationally infeasible problems under the symmetric cryptography algorithm Θ assumption without knowledge of the secret key k and under the non-invertibility of the hash function, i.e., Adv^Θ_{U,TPPPAKA}(t_1) ≤ ε_1 and Adv^hash_{U,TPPPAKA}(t_2) ≤ ε_2 for any sufficiently small ε_i > 0 (i = 1, 2). That is, Max_U Succ_1 ≤ ε_1 and Max_U Succ_2 ≤ ε_2, since both depend on the advantages Adv^Θ_{U,TPPPAKA} and Adv^hash_{U,TPPPAKA}, respectively. As a result, no adversary U is able to derive the identity ID_A of the user A or the session key SK between the user A and the user B.

Authentication proof based on BAN logic
BAN logic is an important formal method that is widely applied to the security analysis of authentication schemes. The verification of a protocol using BAN logic consists of four parts: goals, idealisation, assumptions and analysis. The goals are, as the name suggests, the objectives of the verification; idealisation formulates each protocol step in terms of the ciphertext communicated; the assumptions state essential information, such as which principals have generated which fresh random numbers, which keys are originally shared between the principals, and which principals are trusted in special ways. On this basis, the BAN logic analysis of the protocol proceeds step by step. BAN logic defines notations and rules to verify whether mutual authentication is achieved between correspondents. We first introduce the common notations and rules relevant to our analysis.
Notations
P ⊲ X: principal P sees a message containing X
P |≡ X: P believes X is true
(1) We establish the following goals which the session key agreement protocol should achieve:
(2) We idealize the communication messages of the proposed scheme as below:
A → S:
(3) We make the following initial assumptions for the proposed scheme:
Now, using the rules of BAN logic, we demonstrate that the proposed scheme attains the intended goals based on the above descriptions:
According to the message C_A, we derive:
According to V_A, we collect:
According to A_15, goal 4 and the message-meaning rule, we attain:
According to goal 5, D_16 and the nonce-verification rule, we get:
According to goal 4, goal 5 and the nonce-verification rule, we get:

Informal security analysis
In this part, we demonstrate the strength of the proposed scheme. Specifically, we show that the proposed scheme is secure against the loopholes found in the scheme of Xie et al. Besides, the proposed scheme also provides other common security features. To facilitate the discussion, we again adopt the attack model proposed by Xu et al. [35], that is, an adversary can completely monitor the open communication channel, thus inserting, deleting, and modifying any messages among correspondents.
6.3.1 User anonymity. We employ symmetric cryptography to safeguard user identity. Specifically, the identities {ID_A, ID_B} are contained only in C_A, R_{AS} or C_B, G_B and R_{BS} in the form of ciphertext, where r_{A(B)}). From the above we can see that the identities of both A and B are protected by the server's public key, chaotic maps, the hash function and symmetric cryptographic operations. Besides, the parameters used, including secret keys and random numbers, are not exposed on the public channel. For example, suppose an adversary U eavesdrops on the message C_A and plans to derive the identity of A. He first needs to know K_{AS} = T_a(T_k(x)). To obtain T_a(x) from the intercepted H_A = T_a(x) ⊕ T_r(x), the shared secret key r is needed. In general, it is hard to derive from the transmitted messages. Our proposed scheme is therefore secure against the trace attack.
6.3.2 Avoidance of insider attack. In the registration phase of our proposed scheme, A and B send g_A = h_1(pw_A, r_A) or g_B = h_1(pw_B, r_B) to the server S, respectively. When S receives the registration request, it cannot retrieve the cleartext password pw_A or pw_B, since it does not know the random numbers r_A and r_B. Therefore, the proposed scheme protects against the insider attack.
(ID_{A(B)}, k). Even if the secret key k of S is compromised, U also requires the random number r_{A(B)}. In addition, the identity of A or B is also needed, and this has been ensured by user anonymity. This means the off-line password guessing attack cannot succeed in our scheme.
6.3.4 Avoidance of user impersonation attack. As discussed in the previous subsection, U cannot guess the correct password, let alone masquerade as a legal user to obtain the services provided by the server S. Suppose U fabricates the password and sends the forged message {C_A} or {P_B} to the server S. After receiving the message, S decrypts C_A using its own private key k. It is clear that S will detect the attack by checking the correctness of F_A or H_B against its own computed values k). Therefore, U cannot launch the user impersonation attack either.
6.3.5 Avoidance of man-in-the-middle attack. Assume that U intercepts the login message {C_A = E_{K_{AS}}(ID_A, ID_B, T_a(x), F_A)} and attempts to modify it. However, he has no way to know the shared symmetric key K_{AS} between A and S. Without this key, he cannot decrypt it. Similarly, if U eavesdrops on the message C_B = E_{g_B}(T_a(x), F_B, ID_A, ID_B) and plans to forge it, he faces the same obstacle without knowledge of the shared symmetric key g_B. Therefore, the proposed scheme protects against the man-in-the-middle attack. This point is verified by the simulation result later.
6.3.6 Session key perfect forward secrecy. The session key is SK = T_a(T_b(x)), where T_a(x) and T_b(x) are not transmitted directly over the public channel. On the one hand, T_a(x) and T_b(x) are protected by symmetric cryptography or by the Chebyshev polynomials, where the symmetric key is g_B and the chaotic map is T_r(x). The security of the symmetric key has been demonstrated in the previous subsection. On the other hand, assume that U has the secret key of S and the stored information {VPW_A} or {VPW_B}. In this case, U still cannot derive g_A or g_B without knowing the identity of A or B, and obtaining the identity brings us back to the discussion of user anonymity. Therefore, the proposed scheme provides session key perfect forward secrecy.

Mutual authentication. A sends the message {C_A} to S. Upon receiving the message, S derives T_a(x) using the shared secret key r and then decrypts C_A to get {ID_A, ID_B, F_A} using its private key k. Next, S computes h(ID_A, ID_B, T_a(x), VPW_A ⊕ h_1(ID_A, k)) and checks whether it is equal to the value decrypted from C_A. If it is correct, A is authenticated. The validity of F_B, which is decrypted from C_B, is used to verify the legitimacy of S, and the correctness of H_B, which is decrypted from G_B, to validate the legitimacy of B. Similarly, A authenticates S by verifying Z_{AS} decrypted from R_{AS}. Finally, the authentication between A and B is completed through the correctness of V_A and V_B.

Formal validation of the proposed scheme using AVISPA software
In this part, we simulate the proposed scheme using the commonly used AVISPA (Automated Validation of Internet Security Protocols and Applications) toolkit [30][31] to validate the

Performance comparisons
In this section, we evaluate the performance of our proposed scheme and compare it with the recent chaotic-maps-based schemes [28,2,4,9]. The following computation costs are used to evaluate the schemes in terms of computational complexity:
T_cp: time for computing a Chebyshev polynomial;
T_h: time for computing a hash function;
T_S: time for performing symmetric cryptography;
T_pm: time for computing a point multiplication;
T_m: time for performing MAC generation/verification.
Table 3 shows the computation overhead of our proposed scheme and some recent three-party schemes. We mainly address the cost of authentication and session key agreement, since these are the principal parts of an authentication scheme and must be performed for each session. Table 3 shows that our improvements need a slightly higher computational cost than Xie et al.'s scheme while consuming less than the others; note that a point multiplication is much more expensive than the lightweight cryptographic operations, and a symmetric encryption/decryption operation costs about as much as a hash function [34]. However, the additional chaotic-maps and symmetric cryptographic operations are worthwhile for the strong security and better functionality attributes achieved compared with Xie et al.'s scheme. Table 4 lists the security comparison between our proposed scheme and some recent three-party schemes. It demonstrates that our scheme has many desirable features and is more secure than the other recent three-party schemes.

Conclusion and future work
This paper discussed the security of the recent scheme proposed by Xie et al. We showed that the scheme has several security pitfalls. Besides, we found that it is insecure when using only hash functions. To mend all the identified weaknesses, we then presented an enhancement which utilizes asymmetric cryptography to conceal the user's identity. We demonstrated that the improvements are not only immune to the loopholes found in Xie et al.'s scheme but also secure against other common attacks. We also performed the BAN logic analysis and confirmed that mutual authentication is achieved in our scheme. The formal security analysis also shows that our scheme supports more security properties. The performance comparison between the recent schemes and the proposed scheme showed that our improvements are more secure than the other schemes. It should not be overlooked, however, that schemes based on chaotic maps have inevitable restrictions in some applications, where an ID-based solution is preferable. Therefore, our near-future work is to design a robust ID-based authenticated key agreement scheme.