Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps

A smartcard based password-authenticated key agreement scheme enables a legal user to log in to a remote authentication server and access remote services through public networks using a weak password and a smart card. Lin recently presented an improved chaotic maps-based password-authenticated key agreement scheme that used smartcards to eliminate the weaknesses of the scheme of Guo and Chang, which does not provide strong user anonymity and violates session key security. However, the improved scheme of Lin does not exhibit the freshness property and the validity of messages so it still fails to withstand denial-of-service and privileged-insider attacks. Additionally, a single malicious participant can predetermine the session key such that the improved scheme does not exhibit the contributory property of key agreements. This investigation discusses these weaknesses and proposes an enhanced smartcard-based password-authenticated key agreement scheme that utilizes extended chaotic maps. The session security of this enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem, and is proven in the real-or-random and the sequence of games models. Moreover, the enhanced scheme ensures the freshness of communicating messages by appending timestamps, and thereby avoids the weaknesses in previous schemes.


Introduction
Smartcard-based password-authenticated key agreement supports a communicating platform that enables legitimate users to log in to, and access, systems conveniently and securely over an open network. In a smartcard-based password-authenticated key agreement system, users register their identities and passwords with a trusted server. The trusted server is then responsible for generating authentication information and secrets of users and providing smartcards to legitimate users over a secure and authenticated channel. Finally, legitimate users conveniently and securely log in and enjoy remote services using their weak passwords and smartcards [1][2][3][4][5][6][7][8]. PLOS  Recently, Chen et al. [9] developed a smartcard-based password authentication scheme based on the Discrete Logarithm problem and claimed that their scheme can withstand potential attacks. However, Jiang et al. [10] stated that their scheme is insecure against offline password guessing attacks, and presented an improved authentication scheme based on the Diffie-Hellman problem to solve the security flaw of the scheme of Chen et al. and to keep efficiency. In 2013, Wen [11] designed an enhanced user authentication scheme based on the quadratic residue problem [12,13] to overcome the weaknesses of previous schemes [14,7]. However, Islam et al. [15] pointed out the security weaknesses of Wen's scheme, and showed that their scheme cannot resist some possible attacks, including impersonation and privileged-insider attacks. Islam et al. also presented a new user authentication scheme based on the quadratic residue problem for the application of integrated EPR information system. Additionally, Li [16] developed a two-factor authentication scheme with user anonymity based on elliptic curve cryptography. But, Wang et al. [17] showed that his scheme may suffer from smart-card loss and de-synchronization attacks, and provided a better understanding of the underlying evaluation metric for anonymous two-factor schemes. These schemes [9][10][11][12][13][14][15][16] are developed by using public-key cryptosystem to have higher security. Nevertheless, time-consuming modular exponential computations are required so that these schemes are inefficient in computation.
Since cryptography that uses chaotic maps was demonstrated to exhibit the semi-group property and cryptosystems that use chaotic map operations were shown to be more efficient than cryptosystems that use modular exponential computations and scalar multiplications on the elliptic curve [18][19][20], many chaotic map-based authentication approaches [21][22][23][24][25][26][27][28][29] have been developed. However, in 2005, Bergamo et al. [20] showed the security weakness of public-key cryptosystems that are based on Chebyshev polynomials, and that therefore some authentication schemes have security limitations and lack the contributory property of key agreements. In 2008, Zhang [30] enhanced the Chebyshev polynomials to eliminate this security weakness. Zhang also demonstrated that the enhanced Chebyshev polynomials support the semi-group property and the commutivity under composition on interval (−1,+1). Additionally, extended Chebyshev chaotic maps are utilized in solving the extended chaotic map-based discrete logarithm and Diffie-Hellman problems [30][31][32]. In 2013, Guo and Change [33] were the first to present a novel chaotic map-based password-authenticated key agreement scheme using smartcards to increase efficiency. In 2014, Lin [34] developed a mobile user authentication scheme using dynamic identity and chaotic map, and declared that their scheme offers mutual authentication, session key security and user anonymity, and resilience against possible attacks. Later, Islam et al. [35] stated that Lin's scheme had some design flaws and limitations, and cannot resist user impersonation attack. Islam et al. also presented a provably secure scheme using extended chaotic map to solve the weaknesses of Lin's scheme. Additionally, Islam [36] in 2014 proposed a dynamic identity-based three-factor scheme using extended chaotic maps three-factor authentication to offer more security properties. However, Jiang et al. [37] pointed out the processing flaws of Islam's scheme, and showed that his scheme is also vulnerable to some potential attacks. To solve these limitations, Jiang et al. also presented a more secure robust three-factor authentication scheme. Subsequently, Hao et al. [38], Lee [39] and Lin [40] noted that the scheme developed by Guo and Chang had weaknesses that included an inability to ensure strong user anonymity, inefficiency in hiding double secrets, and violation of both the session key security and the contributory property of key agreements. Lin [41] also proposed an improved scheme to eliminate the weaknesses in the scheme of Guo and Chang. However, Lin's scheme also failed to withstand some attacks and to meet all security requirements. In the password change phase of that scheme, the server does not confirm the freshness of the messages from the users, and the smartcard does not verify the updated data from the server, so the scheme fails efficiently to protect against replay and denial of service attacks. Additionally, in the authenticated key exchange phase, a malicious server can control the value of a session key by the method that was introduced by Bergamo et al. [20] so Lin's scheme also the fails to provide the contributory property of key agreements. Moreover, in that scheme, every legitimate user can derive session key that is shared between another user and the server by the method of Bergamo et al. [20]. A malicious user can even forge validate request messages and to impersonate other users, so Lin's scheme fails to withstand privileged-insider attacks.
To address the weaknesses of Lin's scheme, this work develops a more secure and efficient smartcard-based password-authenticated key agreement scheme that is based on the schemes of both Guo and Chang [33] and Lin [40]. The enhanced scheme constructs the session key using extended chaotic maps, and so the session key of security is based on the extended chaotic map-based Diffie-Hellman problem. The enhanced scheme eliminates the security weakness that was identified by Bergamo et al.; ensures the contributory property of key agreements, and withstands attacks by privileged insiders. Moreover, in the password change phase of the enhanced scheme, the messages are guaranteed to exhibit freshness property owing to the appending of timestamps, so the enhanced scheme withstands replay and denial-of-service attacks. Therefore, the proposed scheme does not have any of the weaknesses of previous schemes.
The remainder of this article is organized as follows. Section 2 describes the notation and the definitions used in this paper. Section 3 reviews the authenticated key agreement scheme of Lin and elucidates its weaknesses. Section 4 presents the enhanced smartcard-based password-authenticated key agreement that uses extended chaotic maps. Section 5 analyzes the security and performance of the enhanced scheme. Finally, Section 6 draws conclusions.

Preliminaries
This section presents the notation and the definitions that are used herein this work.

Notation
The followings detail the notation that is utilized herein.

U,
The user;

ID,
The identity of U; PW, The password of U; S, The remote server, which U is registered in; The user's time stamp; The server's time stamp; ΔT, The time threshold; A secure symmetric en/decryption algorithm with the secret key k; λ, The session key generated between U and S; l, with the real session key λ and the other one is encrypted with a random string λ' via an unbiased coin c. A selects one message and sends it to C. Then C flips an unbiased coin c 2 {0,1} and decides to return the message encrypted with λ if c = 1 or encrypted with λ 0 if c = 0. A intends to correctly guess the value of the hidden bit. The advantage that an adversary A violates the indistinguishability of a scheme P is denoted as Adv ake P (A). The scheme P is AKEsecure if Adv ake P (A) is negligible. [41][42][43][44] Chebyshev chaotic maps. The Chebyshev polynomial T n (x) is a polynomial in x of degree n and is defined by the following relation: T n ðxÞ ¼ cosny; where x ¼ cosy: The recurrence relation of T n (x) is defined as: for any n ! 2, with T 0 (x) = 1 and T 1 (x) = x.
The enhanced Chebyshev chaotic maps also exhibit the Discrete Logarithm and Diffie-Hellman problems [30][31][32], which are described as follows.
Extended chaotic map-based discrete logarithm problem (DLP). Given x, y and p, finding the integer r satisfying y = T r (x) mod p is computationally infeasible. The advantage that an adversary solves the extended chaotic map-based DLP is denoted as Adv dlp , and thus is negligible.

Extended chaotic map-based decisional Diffie-Hellman problem (DDHP). Given T r (x), T s (x), T z (x), T(Á), x and p, deciding whether
T rs ðxÞ T z ðxÞmod p holds or not is computationally infeasible. The advantage that an adversary solves the extended chaotic map-based DDHP is denoted as Adv ddh , and thus is negligible.

The authenticated key agreement scheme of Lin and its limitations
The authenticated key agreement scheme of Lin Lin [40] recently presented an improved chaotic maps-based password authenticated key agreement scheme using smartcards. The four phases of the improved scheme are system initialization, user registration, authenticated key exchange and password change phases, which are discussed further below.
System initialization phase. The remote server S setups the system's parameters by performing the following steps: Password change phase. A legal user U inserts his SC into a card reader and inputs the old password PW and a new password PW Ã and changes his/her password by performing the following steps.

Weaknesses in the authenticated key agreement scheme of Lin
This subsection elucidates the weaknesses of the improved scheme of Lin, which suffers from denial-of-service attacks and privileged-insider attacks, and violation of the contributory property of key agreements.
Suffering from denial-of-service attacks. In the password change phase, the smartcard does not validate the updated data R so an attacker can easily perform a denial-of-service by the following steps. Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps 1. On receiving message (T i (x),E η (H 0 ,H Ã ,R)) from a user, the server computes η = T r (T i (x)), decrypts E η (H 0 ,H Ã ,R) and R = E s (ID k H) using η and the server's master key s, respectively, and then checks whether H 0 = ?H.

If
to the smart card. At this time, an attacker intercepts R Ã and replaces it with a nonceR.
3. On receiving messageR, the smartcard does not verify it but updates R asR. Thereafter, when the user attempts to implement the steps of the authenticated key exchange phase or the password change phase, the failed request message ðT j ðxÞ; E v ðQ;R; T 1 ÞÞ or ðT i ðxÞ; E Z ðH 0 ; H Ã ;RÞÞ will be detected by the server because the user does not have the correct R. Thereafter, the server always rejects the service requests made by the user. Therefore, the scheme of Lin is insecure against denial-of-service attacks.
Moreover, in the password change phase, the server does not verify the freshness of messages from the users so an attacker can exhaust computational resources in the server by replaying previous request messages. Possible scenarios are as follows.
1. After the user sends the message (T i (x), E η (H 0 ,H Ã ,R)) to the server, an attacker can copy it and successively re-send it to the server.

Upon receiving each message (T
, and successfully checks whether H 0 = H. Then, the server computes and returns R Ã = E s (ID k H Ã ). The server may exhaust computational resources and cannot efficiently prevent denial-of-service attacks since the server does not verify the freshness of these request messages.
Suffering from privileged insider attacks. In Lin's authentication scheme, every legitimate user can derive (x k T r (x)) from his/her smartcard. A malicious user U Ã still can derive the session key that is shared between another user U and the server using the method that was introduced by Bergamo et al. [20]. The details are as follows.
1. After the user U sends out the message (T j (x),E v (Q,R,T 1 )), U Ã receives T j (x). By the method of Bergamo et al., U Ã possesses x, T(Á), T r (x) and T j (x), and so can compute an integer solution j Ã that satisfies the equation T j Ã ðxÞ ¼ T j ðxÞ: using v, and can determine whether two request messages came from the same user.

After the server returns the message
Furthermore, U Ã can impersonate another user U by forging a request message Therefore, Lin's authentication scheme fails to withstand privileged insider attacks since every legitimate user has x and T r (x), and can derive users' hidden information concerning Q and R.
Lack of the contributory property of key agreements. In the authenticated key exchange phase of the authenticated key agreement scheme of Lin, the malicious server alone can control the value of the session key using the method proposed by Bergamo et al. [20]. The details are as follows.
1. Upon receiving the message from a user, the malicious server S receives T j (x) and computes an integer solution j Ã to the equation T j Ã ðxÞ ¼ T j ðxÞ: 2. S uses a predetermined value λ 0 to find an integer j 0 , using , and sends it to the smart card.
3. Upon receiving the message from S, the smartcard receives ( ; it then computes T j (T j 0 (x)) as the session key. Therefore, U obtains the session key λ 0 because T j ðT j 0 ðxÞÞ ¼ Therefore, Lin's scheme does not support the contributory property of key agreements because the malicious server can control the value of the session key.

Enhanced smartcard-based password-authenticated key agreement scheme
This section elucidates the enhanced smartcard-based password-authenticated key agreement scheme that uses extended chaotic maps. The session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem so one malicious participant cannot alone predetermine the value of the session key. Additionally, malicious users cannot derive the mutually session key that is shared between another user and the server, and they cannot forge validate request messages or impersonate other users. Thus, the enhanced scheme withstands privileged insider attacks. Moreover, in the password change phase of the enhanced scheme, the appending of timestamps guarantees the freshness of messages that are sent from users, and the smartcard can validate the updated data from the server, so the enhanced scheme withstands replay and denial-of-service attacks.
The enhanced scheme consists of five phases, which are system initialization, user registration, authenticated key exchange, password change, and smartcard revocation phases. The system initialization phase is similar to those of Lin's scheme, except that it uses enhanced Chebyshev chaotic maps and the parameter x on interval (−1,+1), requires a large prime number p for the modular arithmetic, and maintains a smartcard revocation table in the system initialization phases. The registration, authenticated key exchange, password change and smartcard revocation phases are described further below.

Registration phase
A user U registers his/her identity and password to be a legal user by performing the following steps.
1. U chooses his identity ID, password PW and a random number t and sends ID and H = h(PW k t) to S via a secure channel.
2. S verifies ID and computes R = E s (ID k H k CNT) by using its master key s, where CNT = 0 and indicates the revocation times.
3. S stores (R È H,h(Á),E k (Á),x,T r (x)) into a smartcard SC, issue the SC to U through a secure channel.
4. After receiving SC, U inserts t into it and finishes the registration.
Authenticated key exchange phase In this phase, as shown in Fig 1, the user U and the server S authenticate each other and negotiate a common session key by performing the following steps.

U inserts his SC, inputs PW, computes
where T 1 is the current timestamp, and sends M 1 = {X 1 ,X 2 ,T 1 } to S.

2.
On receiving M 1 , S checks whether T 0 −T 1 ΔT holds or not, where T 0 is the current timestamp. If unsuccessful, S aborts this service request; Otherwise S computes K = T r (X 1 ) mod p, obtains (Q k R) by decrypting X 2 with K and obtains (ID k H k CNT) by decrypting with s, respectively. Then S checks whether (ID, CNT) is recorded in its revocation table or not and verifies Q = ?h(ID k H k T 1 ). If unsuccessful, S still rejects this service request; Otherwise S generates random numbers b, computes Y 1 = T b (x)modp, the session key λ = T b (T a (x))mod p and Y 2 = h(λ k ID k Q k T 2 ), where T 1 is the current timestamp, and sends M 2 = {Y 1 ,Y 2 ,T 2 } to U.
3. On receiving M 2 , U checks whether T@−T 2 ΔT holds or not, where T@ is the current timestamp. If unsuccessful, U omits this service request; Otherwise U computes the session key λ = T a (Y 1 )modp and checks whether Y 2 = ?h(λ k ID k Q k T 2 ) holds or not. If unsuccessful, U still omits this service request.

Password change phase
In this password change phase, as shown in Fig 2, a legal user inserts his/her smartcard SC and inputs the old password PW and a new password PW Ã , and then changes the password by performing the following steps.

Smartcard revocation phase
This phase enables a legal user to revoke his/her old smartcard and to issue a new smartcard by performing the following steps. 3. S stores (R new ,h(Á),E k (Á),x,T r (x)) into a smartcard, and issue the smartcard to U through a secure channel.
4. After receiving the smartcard, U inserts t new into it and finishes the smartcard revocation processes. Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps

Security and performance analyses Security analysis
This subsection analyzes the security of the enhanced scheme, with reference to session key security, the contributory property of key agreements, and the withstanding of replay, denialof-service and privileged-insider attacks.
Since the enhanced scheme is based on the schemes of Guo and Chang and Lin, the analyses of security requirements and the withstanding of possible attacks closely resemble those for the schemes of Guo and Chang and Lin, and so are not presented here.
Providing session key security (AKE security). The following descriptions reveal that the enhanced scheme provides session key security by adopting the real-or-random (ROR) and the sequence of games (SOG) models [41][42][43][44][45].
The Difference Lemma [45] is used for the sequence of games and is described as follows: Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that A^:F , B^:F. Then jPr½A À Pr½Bj Pr½F: The following theorem shows that the proposed scheme has AKE security if the extended chaotic map-based DDHP holds. Theorem 1. The probability that an adversary breaks the AKE security of the enhanced authenticated key agreement scheme P satisfies, where Adv ddh is the advantage that an extended chaotic map-based DDH attacker can gain by solving the extended chaotic map-based DDHP, N is the size of password lists, and l is a secure parameter size. Proof: Game G ake i defines the probability of the event E i that the adversary wins this game. The start game G ake 0 is a real attack against the proposed scheme, and the final game G ake 1 ends a negligible advantage gained by an attacked by breaking the AKE security of the enhanced scheme.
Game G ake 0 : This game corresponds to the real attack. By definition, Adv ake P ðAÞ ¼ j2Pr½E 0 À 1j: Game G ake 1 : This game considers password-guessing attacks. Each t) and K = T a (T r (x)) mod p, since t and a are random numbers selected by user U, and T 1 is the timestamp. Thus, the adversary has no information for verifying his/her password guesses. This implies that the security against password attacks is measured by the probability that exists messages of the form X 2 = E K (Q k R) such that the guessing password is correct. Then, we have Game G ake 2 : This game transforms game G ake 1 into game G ake 2 , getting Q by choosing a random number, instead of computing a hash. Then, games G ake 1 and G ake 2 are undistinguishable except collisions of a hash function in G ake 2 . Thus, according to the birthday paradox [42] and Lemma 1, we have Game G ake 3 : This game is transformed from game G ake 2 by using a triple (X,Y,Z) sample from a random distribution (T a (x)mod p,T b (x)mod p,T z (x)mod p), rather than an extended chaotic map-based DDH triple. G ake 2 is therefore equivalent to G ake 3 , and Let a challenger A ddh attempt to violate the indistinguishability of the extended chaotic map-based DDHP, and let an adversary A ake be created to violate the session key security. A ddh returns the real key λ to A ake if the flipping unbiased coin bit c = 1; otherwise, c = 0 and it returns a random string to A ake . Then A ake outputs its guess bit c' and wins if c' = c. A ddh returns the output exactly as in the preceding experiment, except with (X, Y, Z) that was input to it. If A ake outputs c, then A ddh outputs 1; otherwise, it outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, then A ddh executes A ake in G ake 3 No information about flipping unbiased coin bit c is revealed, and all session keys are random and independent among all executions of the enhanced scheme. Thus, Combining Eqs (1)-(6) and using Lemma 1, yields Adv ake P ðA ake Þ 2 Á Adv ddh ðA ddh Þ þ The proof is thus concluded. Providing the contributory property of key agreements. Theorem 2. The enhanced scheme provides the contributory property of key agreements.
Proof: By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Therefore, the enhanced scheme avoids the security weakness that was proposed by Bergamo et al. [20] and neither a user nor the server alone can determine a session key. Thus, the enhanced scheme satisfies the contributory property of key agreements.
Withstanding replay attacks. Theorem 3. The password change phase of the enhanced scheme withstands replay attacks.
Proof: In the password change phase of the enhanced scheme, the smartcard sends the request message M 1 = {X 1 ,X 2 ,T 1 } to the server, where T 1 is the current timestamp, By validating timestamp T 1 and Q = ?h(ID k H k H Ã k T 1 , the server can easily verify the freshness of the request messages that are received from the users, so the enhanced scheme withstands replay attacks.
Withstanding denial of service attacks. Theorem 4. The password change phase of the enhanced scheme withstands denial-of-service attacks.
Proof: Since the smartcard validates updated data R Ã by checking Y 2 = h(K k H Ã k R Ã k T 1 and then replaces R with R Ã , where the timestamp T 1 is generated by the smartcard and H Ã = h(PW Ã k t), an attacker has difficulty in modifying the response message M 2 = {Y 1 ,Y 2 }. Therefore, the enhanced scheme withstands denial-of-service attacks.
Withstanding privileged insider attacks. Theorem 5. The password change phase of the enhanced scheme withstands privileged-insider attacks.
Proof: In the enhanced scheme, every legitimate user has (x,T r (x)) in his/her smartcard. By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Thus, a malicious user cannot derive the secret key K and the session key λ that is shared between another user and the server in the authenticated key exchange and the password change phases. Consequently, a malicious user cannot receive (Q k R) and (ID k H k CNT) in the authenticated key exchange phase, and (H Ã k Q k R) and (ID k H k CNT) in the password change phases. Such a user has difficulty in forging valid request messages and impersonating other users. Thus, the enhanced scheme withstands privileged insider attacks.

Logical analyses
This subsection describes the logical analyses of the proposed scheme by using the logical tool, which was defined and presented by Burrows et al. [46] in 1990 and Buttyan et al. [47] in 1998.
Assume that P and Q range over principals. C denotes a communicating channel and X and Y are messages. Table 1 defines the notation used for logical analyses [46][47][48]. Table 2 lists the used assumptions and Table 3 lists the used logical description [46][47][48], where A and B are S and U, but A 6 ¼ B.

C(X)
The message X is transited via channel C.

r(C)
The set of readers of channel C.

w(C)
The set of writers of channel C.
P | X P believes the statement X.
P |* X P once said X.
P ⊲ C(X) P sees C(X). The message X is transited via channel C and can be observed by P. P must be a reader of channel C to read message X.
P ⊲ X|C P sees X via C. The message X is transited via channel C and can be received by P.
(X) K X is hashed with the key K.
P K ! Q P and Q can establish a secure communication channel by using the shared key K. https://doi.org/10.1371/journal.pone.0181744.t001 Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps On the basis of to the assumptions and logical analyses, the proposed scheme must realize the following four goals of authentication and key agreement.   Table 3. The inference rules of the logic of the proposed scheme.
Seeing rules (S1) P ⊲ CðXÞ;P 2 rðCÞ P ðP ⊲ XjCÞ;P ⊲ X : If P receives and reads X via C, then P believes that X has arrived on C and P sees X. (S2) P ⊲ ðX;YÞ P ⊲ X;P ⊲ Y : If P sees a hybrid message (X, Y), then P sees X and Y separately. Interpretation rules (I1) P ðwðCÞ¼fP;QgÞ P ðP ⊲ XjCÞ!Qj$X : If P believes that C can only be written by P and Q, then P believes that if P receives X via C, then Q said X.
(I2) P ðQj$ðX;YÞÞ P ðQj$XÞ;P ðQj$YÞ : If P believes that Q said a hybrid message (X, Y), then P believes that Q has said X and Y separately. If P believes that a is its extended chaotic map-based Diffie-Hellman secret and that T a (x) mod p is the extended chaotic map-based Diffie-Hellman component from Q, then P believes that T ab (x) mod p is the symmetric key shared between P and Q.
Freshness rules (F1) P ðQj$XÞ;P # ðXÞ P ðQj$XÞ : If P believes that another Q said X and P also believes that X is fresh, then P believes that Q has recently said X.
(F2) P # ðXÞ P # ðX;YÞ : If P believes that a part of a mixed message X is fresh, then it believes that the whole message (X,Y) is fresh.
Rationality rules (R1) P ðF 1 !F 2 Þ;P F 1 P F 2 : If P believes that Φ 1 implies Φ 2 and P believes that Φ 1 is true, then P believes that Φ 2 is true. https://doi.org/10.1371/journal.pone.0181744.t003 Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps and must hold because of the interpretation rules (I1), the seeing rules (S1), (S2), assumptions (A1) and (A2). By using the interpretation rules (I3) and, we have the proposed scheme realizes must hold because of the interpretation rule (I1), the assumptions (A1), (A2) and the seeing rules (S1) and (S2). Thus, the proposed protocol realizes Therefore, the proposed scheme realizes Goals 1, 2, 3 and 4. Table 4 compares the performance and security properties of the enhanced scheme with related approaches [7,9,10,15,36,37,40,[49][50][51][52][53], where T H denotes the time of executing a hash function operation; T C denotes the time of executing a chaotic map operation; T S denotes the time of executing a symmetric encryption/decryption operation; T SQ denotes the time of executing a squaring operation; T SR denotes the time of executing a squaring root solving operation; T M denotes the time of executing a multiplication/division operation and T E denotes the time of executing a modular exponential computation. The schemes proposed by Islam et al. [15], Chen et al. [9] and Jiang et al. [10] use the public key cryptosystem, require time-consuming modular exponential computations, and thus are inefficient. Although the schemes proposed by Wang et al. [49], Lee et al. [7] and Yan et al. [50] only employ the hash function operations and are more efficient than other schemes, these schemes fail to resist possible attacks and cannot provide perfect forward secrecy. The schemes proposed by Das and Goswami [51], Lee et al. [52], He et al. [53], Islam et al. [36], Jiang et al. [37] and Lin [40] and the enhanced scheme are based on chaotic maps and retain low computations and communications. Additionally, only the schemes proposed by Das and Goswami [51] and Jiang et al. [37] and the enhanced scheme resist potential attacks and provide more functions.

Conclusions
This study addresses the weaknesses of Lin's improved scheme including its vulnerability to denial-of-service attacks and privileged-insider attacks, and its inability to support the contributory property of key agreements. An enhanced smartcard-based password-authenticated key agreement scheme that is based on extended chaotic maps is presented. The session key security of the enhanced scheme is proven secure using the real-or-random and the sequence-ofgame models, and it is based on the extended chaotic map-based DDHP. Thus, malicious users cannot derive a session key between another user and the server, and they cannot forge valid request messages or impersonate other users. Accordingly, the enhanced scheme withstands privileged insider attacks. Additionally, in the enhanced scheme, the messages that are sent from users are guaranteed to be fresh by the appending of timestamps, and the smartcard validates updated data from the server so the enhanced scheme withstands replay and denialof-service attacks. Therefore, the enhanced scheme eliminates the weaknesses in previous schemes.