Anonymity preserving and round effective three-party authentication key exchange protocol based on chaotic maps

Three-party authentication key exchange (3PAKE) is a protocol that allows two users to set up a common session key with the help of a trusted remote server, and it is effective for secret communication between clients in a large-scale network environment. Because chaotic maps have favourable characteristics, researchers have recently applied them to authentication key exchange and cryptography. Providing user anonymity in authentication key exchange is one of the important security requirements for protecting users' personal secrets. We analyse Lu et al.'s scheme, which attempts to provide user anonymity, and we show that their scheme has errors in the key exchange phase and the password change phase. We propose a round-effective three-party authentication key exchange (3PAKE) protocol that provides user anonymity, and we analyse its security properties using BAN logic and the AVISPA tool.


Introduction
Along with the rapid development of information technology and computer networks, user authentication plays an important role in protecting resources, services and users' personal information in a computer network. The authentication key exchange protocol is one of the important mechanisms of network security; its aim is to establish a session key for secret communication between users over an open network. In essence, an authentication key exchange protocol exchanges keys for secret communication on the basis of authentication between the communicating parties. Authentication key exchange protocols can be classified into Two-Party Authentication Key Exchange (2PAKE), Three-Party Authentication Key Exchange (3PAKE) and Multi-Party Authentication Key Exchange (MPAKE), depending on the number of parties participating in the key exchange. The key point of the 3PAKE protocol is that users do not need to remember a separate password for every other user; secret communication between users can be established with the help of a trusted remote server.
In 2008, in order to enhance the properties of Chebyshev chaotic maps, Zhang [42] proved that the semi-group property holds for Chebyshev polynomials [43] defined over the interval (−1, +1), and key exchange schemes based on Chebyshev chaotic maps have since been widely used in 3PAKE protocols. Schemes based on Chebyshev chaotic maps have advantages such as high security, low computational cost, simple encryption, small storage requirements and low bandwidth [37,44,45]. Therefore, compared to DH- and ECC-based schemes, Chebyshev chaotic map based schemes are more suitable for wireless sensor networks and for authentication systems using smart cards. In 2016, Kumari et al. [46] proposed a mutual authentication and key agreement scheme for wireless sensor networks using Chebyshev chaotic maps, in which they described different chaotic maps that could be used in digital authentication, discussed a design methodology for robust authentication and key agreement in wireless sensor networks, and proposed a new authentication scheme for wireless sensor networks that provides user anonymity. However, their scheme is vulnerable to session-specific temporary information attack, sensor node impersonation attack and man-in-the-middle attack [47].
A password-only scheme, with no public key or shared secret key, is easily broken by password guessing attacks because the information entropy of a password is low [8]. For example, in 2009 Huang [7] designed a 3PAKE protocol based on user passwords. However, Yoon et al. [10] proved that Huang's scheme is vulnerable to off-line password guessing attack and undetectable on-line password guessing attack. Wu et al. [17] proved that Huang's scheme is vulnerable to key-compromise impersonation attack and proposed an updated 3PAKE protocol using the user password and the server public key. On the other hand, Chang et al. [8] proposed an efficient password-based 3PAKE protocol using modular exponentiation; Wu et al. [19] pointed out that their scheme is vulnerable to password guessing attack and designed a password-based 3PAKE protocol, but Wu et al.'s scheme is in turn vulnerable to key-compromise impersonation attack [18]. Tso [12] also pointed out that Chang et al.'s scheme is vulnerable to password guessing attack, and Tso's scheme is itself vulnerable to off-line password guessing attack and impersonation attack [14]. Youn et al. [13] also designed an efficient password-based 3PAKE protocol, but their scheme is vulnerable to impersonation attack [15]. Farash et al. [27] proposed a 3PAKE protocol based on the user password and chaotic maps, but Li et al. [38] pointed out that their scheme is vulnerable to password disclosure attack, user impersonation attack and off-line password guessing attack, and proposed a 3PAKE protocol based on chaotic maps with a shared secret key.
The server public key scheme has to construct a key management mechanism, so the protocol design is relatively complex and the computational cost is higher. However, using this scheme in 3PAKE can provide user anonymity by encrypting the messages exchanged between the user and the server. In 2014, Xie et al. [23] proposed a 3PAKE protocol based on ECC and the server public key that provides user anonymity. However, their scheme is vulnerable to privileged insider attack, because a table of users' passwords is stored on the server side. Lou and Huang [24] also proposed a 3PAKE protocol based on ECC and the server public key, in which no message is encrypted with the server public key, but their scheme is vulnerable to off-line password guessing attack and key-compromise impersonation attack [26]. In 2013, Xie et al. [30] and Lee et al. [32] proposed 3PAKE protocols based on chaotic maps and the server public key. However, Lee et al. [28] pointed out that Xie et al.'s scheme fails to provide user anonymity, is vulnerable to off-line password guessing attack, and has problems with password table management. Hu et al. [34] pointed out that Lee et al.'s scheme does not provide user anonymity and is vulnerable to MITM attack, and Farash et al. [33] pointed out that Lee et al.'s scheme is vulnerable to modification attack and impersonation attack.
In the shared secret key scheme, the server authenticates users by means of a secret key it shares with each of them. This scheme is safer than the password-based scheme, because no private user information is held on the server side; for example, it resists privileged insider attack and stolen verifier attack. Tan [21] proposed a 3PAKE protocol based on ECC and a shared secret key, in which the user keeps a private key that combines the server secret key with the user's identifier. However, their scheme is vulnerable to key-compromise impersonation attack [22]. Li [29] and Islam [50] each proposed a 3PAKE protocol based on chaotic maps and a shared secret key, in which the user encrypts the authentication data with a private key derived from the server's private key; but the user's identifier is exposed in the message, so their protocols do not provide user anonymity.
Meanwhile, in order to improve the effectiveness and safety of authentication, there have been studies implementing 3PAKE protocols with devices such as smart cards [48-54]. In a password-based authentication key exchange that uses neither a public key nor a shared secret key, the user simply needs to remember the password. However, in an authentication key exchange that uses a public key or a shared secret key, the user must have somewhere to store the shared secret key or the server's public key. Smart cards not only allow users to carry their own authentication information but also have the advantage that a service can be accessed from any smart card reader. The drawback of this approach is the risk of losing the smart card. In 2012, Lai et al. [53] proposed a smart-card-based 3PAKE protocol using chaotic maps. However, Zhao et al. [52] pointed out that Lai's scheme is vulnerable to privileged insider attack and off-line password guessing attack, and proposed an updated smart card scheme using a server public key and a shared secret key. Yang et al. [51] proposed a smart-card-based 3PAKE protocol with a shared secret key, but Amin et al. [49] proved that Yang's scheme is vulnerable to off-line password attack, many logged-in users attack and privileged insider attack, and has a security weakness in the password change phase, and proposed an updated scheme. In 2015, Xie et al. [48] proposed a smart-card-based 3PAKE protocol using chaotic maps with a user password, but their scheme had several weaknesses. In 2016, Lu et al. [31] pointed out that Xie's scheme is vulnerable to off-line password attack and user impersonation attack, does not provide user anonymity, and is deficient in session key security. They proposed an updated 3PAKE protocol that provides user anonymity using the server public key and a user password. However, Lu et al.'s scheme still has a series of weaknesses.

Our contribution
The user's identifier is a very important personal secret. If user anonymity is not provided, an attacker learns who is currently in a network conversation and can track the user's subscription history and current location. Authentication and key exchange schemes based on Chebyshev chaotic maps are suitable for smart card authentication systems and wireless sensor networks, which require low computational cost, simple encryption, small memory and low bandwidth. On this basis, we analyse Lu et al.'s scheme [31] and point out its weaknesses, and propose a round-effective 3PAKE protocol based on chaotic maps that uses smart cards to provide user anonymity and protect against various attacks. In the proposed scheme, to provide user anonymity the messages exchanged between sender and receiver are encrypted with a shared secret key based on the server's public key, and to authenticate the messages we use the user's private key, which is derived from the user's identifier and the server's secret key.
In Section 2, we describe the theory of chaotic maps, one-way functions and the Bio-hashing function, and in Section 3 we review Lu et al.'s scheme. Section 4 presents the proposed scheme, and Section 5 describes the security analysis of the proposed scheme. Section 6 compares the proposed scheme with previous schemes in terms of performance.

Preliminaries
This section describes Chebyshev chaotic maps, their computational problems, and the Bio-hashing function.

Chebyshev polynomials
The Chebyshev polynomial T_n(x) is defined as follows [43].

Enhanced Chebyshev polynomials
The semi-group property holds for Chebyshev polynomials on the interval (−1, +1), and it can be extended as follows [42,43]:

Computational problems based on Chebyshev polynomials
CDLP (Chaotic map-based Discrete Logarithm Problem): Given two real numbers x and y, it is infeasible for any polynomial-time bounded algorithm to find the integer r such that y = T_r(x) mod p [28,42,43].
CDHP (Chaotic map-based Diffie-Hellman Problem): Given the three elements x, T_r(x) mod p and T_s(x) mod p, it is infeasible for any polynomial-time bounded algorithm to compute the value T_rs(x) mod p [28,42,43].

Bio-hashing function
Biometric techniques are very important for user authentication. In general, a captured biometric characteristic (face, fingerprint, palm-print, etc.) is not exactly the same each time [49]. To solve this problem, Jina et al. [55] and Lumini et al. [56] proposed and refined Bio-hashing, which has been used in many authentication schemes [45,49,57,58]. Bio-hashing maps a user's biometric features to a user-specific random vector [45,57] and is useful for user authentication mechanisms on small devices such as mobile devices and smart cards [57].

Review of Lu et al.'s scheme
System initialization. The server selects a random number x ∈ Z_p and a private key k ∈ [1, p+1], computes the public key T_k(x) mod p and publishes {p,
Registration.

a. User A submits {ID
b. Upon receiving the registration request, S computes VPW_A = h_1(ID_A, k) ⊕ g_A. Next, S randomly chooses a secret key q for A and sends it to A via the secure channel. Note that q is kept securely by A and is different for each user A. Finally, S stores k ⊕ q and VPW_A in its memory.
Session key exchange.
Step 1: Using the stored shared secret key q, user A computes his own version of C A = E KA- ] is a random number.
Step 2: On receiving the message, S first derives q by computing k ⊕ q ⊕ k and then obtains {ID_A, ID_B, T_a(x), F_A} by decrypting C_A with the computed symmetric key K_AS = T_k(T_q(x)). The next steps are omitted here.
Password update.
Step 1: A selects a new password pwd_A' and computes , K_AS) and sends them to S.
Step 2: , Z_AS} using the shared secret key q. The next steps are omitted here.

Defects in the design of Lu et al.'s scheme
Session key exchange. In the registration phase, Lu et al. state that q is kept securely by A and is different for each user A, and that S stores k ⊕ q in its memory. Therefore S must keep k ⊕ q for each user and must look it up by the user's identifier. In step 2 of the session key exchange phase, Lu et al. state that S derives q by computing k ⊕ q ⊕ k and obtains {ID_A, ID_B, T_a(x), F_A} by decrypting C_A with the computed symmetric key K_AS = T_k(T_q(x)). For S to retrieve the k ⊕ q belonging to A, A's identifier must be available, but A's message C_A is encrypted to provide user anonymity and has not yet been decrypted. Therefore S cannot know user A's identifier and cannot compute q = (k ⊕ q) ⊕ k. If instead S stores a single k ⊕ q for all users, S can decrypt A's message C_A as the protocol requires; but in that case every other user, who also holds q, can decrypt A's message as well, so user anonymity is not provided in their scheme.
Password update. In the password change phase the same defect appears as in the session key exchange phase: S cannot obtain the key K_SA = T_k(T_q(x)) needed to decrypt the message R_A, and so cannot update the password.

Proposed scheme
This section describes an improved smart-card-based 3PAKE protocol that overcomes the limitations of Lu et al.'s scheme. The proposed scheme consists of four phases: the system initialization phase, the registration phase, the authentication and session key exchange phase, and the password change phase. The notation in Table 1 is used to describe the proposed scheme in this paper.

System initialization phase
1. S selects a large prime number p and x ∈ Z_p for the Chebyshev polynomials T_n(x).

User registration phase
All users who want to exchange session keys using the proposed scheme must register on S.

User A connects his smart card SC_A to the terminal and inputs his identifier ID_A, password and biometrics bm_A. SC_A computes
, SC_A aborts the process. Otherwise SC_A selects any a ∈ [1, p+1] and computes

After receiving {M_AS, K_A} from A, B connects his smart card SC_B to the terminal and inputs his identifier ID_B, password and biometrics pw_B. SC_B computes

After receiving {M
. S checks whether Z_AS and Z_AS' are the same. If Z_AS ≠ Z_AS', S aborts the process. S also computes

Security analysis of the proposed scheme
In this section, we analyse the security properties of the proposed scheme. First, we prove the correctness of the session key between users using BAN logic [59]. Next, we simulate the proposed scheme for formal security analysis using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool [60]. Last, we demonstrate that the proposed scheme resists various kinds of attacks.

Authentication proof based on BAN logic
Notations and Rules. We define P and Q as specific participants, S as the trusted server, and X as a formula (statement). The notations and rules of BAN logic used here are as follows [59].
P |≡ X: P believes X. P ⊲ X: P sees X. P |~ X: P once said X. P |⇒ X: P has jurisdiction over X.
#(X): X is fresh. P ↔K Q: K is a shared secret key between P and Q. If P believes that the key K is shared with Q and receives a message containing X encrypted under K, then P sees X.

Goals. The session key exchange protocol should achieve the following goals:
Idealize. We idealize the communication messages of the proposed scheme as follows:
Assumptions. The initial assumptions of the proposed scheme are as follows:
Analysis. According to M_3 and A_5, we apply the message meaning rule (R_1) and the See

Validation test based on AVISPA
In this section, we simulate the proposed scheme for formal security analysis using AVISPA, which is widely used to verify security properties of protocol designs such as resistance against replay attack and man-in-the-middle attack. The tool implements four back-ends: the On-the-Fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC) and the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), described in detail in [60]. To verify a protocol's security properties with AVISPA, the protocol must be specified in HLPSL (High-Level Protocol Specification Language), a role-based language: basic roles represent each participant, and composition roles represent scenarios built from the basic roles. Each role is independent of the others and communicates with them over channels [60]. The output is generated by one of the four back-ends.
Specifying the proposed protocol. In our HLPSL implementation, we define three basic roles for user A, user B and server S. Figs 3, 4 and 5 show the HLPSL specifications for the roles of user A, user B and server S.
In Fig 6, we show the HLPSL implementation of the session, environment and goal roles.
In our implementation, we verified the following five secrecy goals and six authentication properties.
• secrecy_of sec_ida: user A's identifier ID_A is known only to user A, user B and server S.
• secrecy_of sec_idb: user B's identifier ID_B is known only to user A, user B and server S.
• secrecy_of sec_xa: user A's secret key X_A is known only to user A and server S.
• secrecy_of sec_xb: user B's secret key X_B is known only to user B and server S.
• secrecy_of sec_kab: the session key K_AB is known only to users A and B.
• authentication_on auth_a_s_kas: when user A receives the messages from server S and decrypts them with K_AS, A authenticates S on the basis of K_AS.
• authentication_on auth_a_b_zba: when user A receives Z_BA in the messages from B, A authenticates B on the basis of Z_BA.
• authentication_on auth_b_s_kbs: when user B receives the messages from server S and decrypts them with K_BS, B authenticates S on the basis of K_BS.
• authentication_on auth_b_a_zab: when user B receives Z_AB in the messages from A, B authenticates A on the basis of Z_AB.
• authentication_on auth_s_a_xa: when server S receives X_A in the messages from A, S authenticates A on the basis of X_A.
• authentication_on auth_s_b_xb: when server S receives X_B in the messages from B, S authenticates B on the basis of X_B.
Analysis of the results. We simulated the proposed scheme using the OFMC and CL-AtSe back-ends of AVISPA. The simulation results of the security verification are shown in Figs 7 and 8.
The results show that the proposed scheme is safe under the OFMC and CL-AtSe back-ends of AVISPA and guarantees user anonymity, and that it is also secure against passive and active attacks such as replay attack and man-in-the-middle attack.

Informal security analysis
In this part, we demonstrate that the proposed scheme resists various kinds of attacks.
Privileged insider attack. The proposed scheme is secure against the privileged insider attack. In the registration phase of the proposed scheme, only the user's identifier is transmitted to the server over a secure channel; the user's password is never sent to the server. A privileged insider at the server therefore cannot learn the user's password, so the proposed scheme is secure against this attack.
Stolen verifier attack. The proposed scheme is secure against the stolen verifier attack. In the proposed scheme, the server keeps no user registration table for authenticating users, so there is no verifier to steal.
User impersonation attack. The proposed scheme is secure against the user impersonation attack and the forgery attack.
To impersonate user A, the attacker C changes K_A to K_C and sends the message {M_AS' (= E_KCS(ID_A, ID_B, Z_AS')), K_C} to the server. On receiving the message from the attacker C, the server computes K_SC from K_C and decrypts M_AS' with K_SC to obtain ID_A, ID_B and Z_AS'. Next, the server computes X_A = H(ID_A||s) and Z_AS = H(ID_A||ID_B||K_A||X_A) and compares it with Z_AS'. The attacker would therefore have to know X_A = H(ID_A||s) or s. However, s is the server's secret key and X_A is secret data held only by user A, so the attacker C cannot know either of them, and the impersonation attack is impossible. Likewise, an attacker who attempts to impersonate user B does not know X_B or s, and cannot succeed for the same reason.
Man-in-the-middle attack. As above, since an attacker C cannot know X_A = H(ID_A||s), X_B = H(ID_B||s) or s, he can neither modify the sender's messages nor change K_A and K_B, and so cannot mount the man-in-the-middle attack.
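The following Python code is an added example, not part of the paper, serving two passages: the enhanced Chebyshev polynomials and CDHP of Section 2, and the server-side check in the impersonation argument above. It evaluates T_n(x) mod p in O(log n), checks the semi-group property, recomputes X_A = H(ID_A||s) and Z_AS = H(ID_A||ID_B||K_A||X_A) on the server side, and shows that a message whose K_A was replaced by K_C fails that check. Assumptions: H is instantiated as SHA-256, the symmetric encryption of M_AS is omitted (only the authenticator Z_AS is checked), and the prime, identifiers, server secret and exponents are constructed values.

```python
import hashlib
import secrets

# Modulus for the enhanced Chebyshev polynomials. 2^61 - 1 is a Mersenne prime,
# chosen here only as a convenient large p (constructed value, not from the paper).
P = (1 << 61) - 1


def chebyshev(n: int, x: int, p: int = P) -> int:
    """T_n(x) mod p from T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}.

    The recurrence is driven by the 2x2 matrix M = [[2x, -1], [1, 0]], so
    M^n applied to (T_0, T_{-1}) = (1, x) yields (T_n, T_{n-1}) in O(log n).
    """
    def mat_mul(a, b):
        return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
                (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

    result = (1, 0, 0, 1)                       # identity matrix
    base = (2 * x % p, (-1) % p, 1, 0)          # M, with -1 reduced mod p
    while n:
        if n & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        n >>= 1
    return (result[0] + result[1] * x) % p      # top entry of M^n * (1, x)


def semigroup_holds(r: int, s: int, x: int, p: int = P) -> bool:
    """Check T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p, the property behind CDHP."""
    lhs = chebyshev(r, chebyshev(s, x, p), p)
    return lhs == chebyshev(r * s, x, p) == chebyshev(s, chebyshev(r, x, p), p)


def h(*parts: bytes) -> bytes:
    """The paper's H(.) over a '||' concatenation, instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def user_private_key(id_user: bytes, s: bytes) -> bytes:
    """X_A = H(ID_A || s): issued to A at registration, derivable only with the server secret s."""
    return h(id_user, s)


def make_zas(id_a: bytes, id_b: bytes, k_a: int, x_a: bytes) -> bytes:
    """Z_AS = H(ID_A || ID_B || K_A || X_A), A's authenticator on its first message."""
    return h(id_a, id_b, k_a.to_bytes(8, "big"), x_a)


def server_verify(id_a: bytes, id_b: bytes, k_a: int, z_as: bytes, s: bytes) -> bool:
    """Server side: recompute X_A and Z_AS from its own secret s and compare in constant time."""
    expected = make_zas(id_a, id_b, k_a, user_private_key(id_a, s))
    return secrets.compare_digest(expected, z_as)


def demo(x: int = 3, a: int = 123456789, b: int = 987654321, c: int = 55555):
    """Honest run, an impersonation attempt with a substituted K_C, and the session key.

    All identifiers, the server secret and the exponents a, b, c are constructed values.
    """
    s = b"server-secret-s"
    id_a, id_b = b"alice", b"bob"
    k_a, k_b = chebyshev(a, x), chebyshev(b, x)          # K_A = T_a(x), K_B = T_b(x)
    z_as = make_zas(id_a, id_b, k_a, user_private_key(id_a, s))
    honest_ok = server_verify(id_a, id_b, k_a, z_as, s)
    # Attacker C replaces K_A with K_C = T_c(x) but cannot rebuild Z_AS without X_A or s,
    # so the server's recomputed Z_AS no longer matches the received one.
    forged_ok = server_verify(id_a, id_b, chebyshev(c, x), z_as, s)
    # K_AB = T_a(K_B) = T_b(K_A) = T_ab(x) mod p: both users reach the same session key.
    same_key = chebyshev(a, k_b) == chebyshev(b, k_a)
    return honest_ok, forged_ok, same_key
```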
Replay attack. If an attacker C replays a previous message {M_AS', T_a'(x)} of user A, then by the CDLP and CDHP assumptions he cannot know a', so he cannot compute Z_AB in the fourth message of the proposed scheme.
If an attacker C replays the previous message {M_BS Since Z_BS depends on R_A and the server verifies the correctness of Z_BS, it is impossible for the attacker C to succeed with a replay attack.
Perfect forward secrecy of session key. In the proposed scheme, the session key K_AB is calculated as K_AB = T_a(K_B) = T_ab(x) mod p. It contains the random numbers a and b, which are generated afresh for each session. Therefore the proposed scheme provides perfect forward secrecy of the session key.
Known key security. In the proposed scheme, the session key K_AB is calculated as K_AB = T_a(K_B) = T_ab(x) mod p. It contains the random numbers a and b that are generated for

Performance comparisons
This section compares the computational cost and security performance of the proposed scheme with recent similar 3PAKE schemes [23,31,38,49,50], of which three [23,31,38] attempted to provide user anonymity and the others [49,50] use smart cards. The notation used for the comparison of computational cost is as follows.
Table 2 shows the comparison of the computational cost of the six schemes, including the proposed scheme. Table 3 shows the comparative evaluation of the security features of the proposed scheme and the other 3PAKE schemes.
As shown in Table 2 and Table 3, the proposed scheme outperforms the other schemes in terms of the security features considered. Xie's scheme provides user anonymity, but it is vulnerable to privileged insider attack. Lu et al.'s scheme attempted to provide user anonymity but did not achieve it; there are weaknesses in the session key establishment phase and the password change phase of their scheme. Li's scheme provides user anonymity, but it requires more rounds, more messages and more computation than our proposed scheme. Amin's and Islam's schemes are superior to our proposed scheme in terms of computational cost, but they do not provide user anonymity during key exchange.

Conclusion
In this paper, we analyse Lu et al.'s scheme and point out its weaknesses, and propose a round-effective 3PAKE protocol based on chaotic maps that uses smart cards to provide user anonymity. In the proposed scheme, no information related to the user's password is kept on the server side, and each user shares with the server a secret key derived from the server's secret key and the user's identifier. The proposed scheme is more efficient than the other schemes in terms of the number of rounds and computational cost; it has been formally analysed using BAN logic and the AVISPA tool, and the informal security analysis shows that it protects against various attacks. The proposed scheme is suitable for authentication and key agreement in a wireless network environment.