Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps.

A smartcard based password-authenticated key agreement scheme enables a legal user to log in to a remote authentication server and access remote services through public networks using a weak password and a smart card. Lin recently presented an improved chaotic maps-based password-authenticated key agreement scheme that used smartcards to eliminate the weaknesses of the scheme of Guo and Chang, which does not provide strong user anonymity and violates session key security. However, the improved scheme of Lin does not exhibit the freshness property and the validity of messages so it still fails to withstand denial-of-service and privileged-insider attacks. Additionally, a single malicious participant can predetermine the session key such that the improved scheme does not exhibit the contributory property of key agreements. This investigation discusses these weaknesses and proposes an enhanced smartcard-based password-authenticated key agreement scheme that utilizes extended chaotic maps. The session security of this enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem, and is proven in the real-or-random and the sequence of games models. Moreover, the enhanced scheme ensures the freshness of communicating messages by appending timestamps, and thereby avoids the weaknesses in previous schemes.

Introduction

Smartcard-based password-authenticated key agreement supports a communicating platform that enables legitimate users to log in to, and access, systems conveniently and securely over an open network. In a smartcard-based password-authenticated key agreement system, users register their identities and passwords with a trusted server. The trusted server is then responsible for generating authentication information and secrets of users and providing smartcards to legitimate users over a secure and authenticated channel. Finally, legitimate users conveniently and securely log in and enjoy remote services using their weak passwords and smartcards [1-8].

Recently, Chen et al. [9] developed a smartcard-based password authentication scheme based on the Discrete Logarithm problem and claimed that their scheme can withstand potential attacks. However, Jiang et al. [10] stated that their scheme is insecure against offline password guessing attacks, and presented an improved authentication scheme based on the Diffie-Hellman problem to solve the security flaw of the scheme of Chen et al. and to keep efficiency. In 2013, Wen [11] designed an enhanced user authentication scheme based on the quadratic residue problem [12, 13] to overcome the weaknesses of previous schemes [14, 7]. However, Islam et al. [15] pointed out the security weaknesses of Wen’s scheme, and showed that their scheme cannot resist some possible attacks, including impersonation and privileged-insider attacks. Islam et al. also presented a new user authentication scheme based on the quadratic residue problem for the application of integrated EPR information system. Additionally, Li [16] developed a two-factor authentication scheme with user anonymity based on elliptic curve cryptography. But, Wang et al. [17] showed that his scheme may suffer from smart-card loss and de-synchronization attacks, and provided a better understanding of the underlying evaluation metric for anonymous two-factor schemes. These schemes [9-16] are developed by using public-key cryptosystem to have higher security. Nevertheless, time-consuming modular exponential computations are required so that these schemes are inefficient in computation.

Since cryptography that uses chaotic maps was demonstrated to exhibit the semi-group property and cryptosystems that use chaotic map operations were shown to be more efficient than cryptosystems that use modular exponential computations and scalar multiplications on the elliptic curve [18-20], many chaotic map-based authentication approaches [21-29] have been developed. However, in 2005, Bergamo et al. [20] showed the security weakness of public-key cryptosystems that are based on Chebyshev polynomials, and that therefore some authentication schemes have security limitations and lack the contributory property of key agreements. In 2008, Zhang [30] enhanced the Chebyshev polynomials to eliminate this security weakness. Zhang also demonstrated that the enhanced Chebyshev polynomials support the semi-group property and the commutivity under composition on interval (−∞,+∞). Additionally, extended Chebyshev chaotic maps are utilized in solving the extended chaotic map-based discrete logarithm and Diffie-Hellman problems [30-32]. In 2013, Guo and Change [33] were the first to present a novel chaotic map-based password-authenticated key agreement scheme using smartcards to increase efficiency. In 2014, Lin [34] developed a mobile user authentication scheme using dynamic identity and chaotic map, and declared that their scheme offers mutual authentication, session key security and user anonymity, and resilience against possible attacks. Later, Islam et al. [35] stated that Lin’s scheme had some design flaws and limitations, and cannot resist user impersonation attack. Islam et al. also presented a provably secure scheme using extended chaotic map to solve the weaknesses of Lin’s scheme. Additionally, Islam [36] in 2014 proposed a dynamic identity-based three-factor scheme using extended chaotic maps three-factor authentication to offer more security properties. However, Jiang et al. [37] pointed out the processing flaws of Islam’s scheme, and showed that his scheme is also vulnerable to some potential attacks. To solve these limitations, Jiang et al. also presented a more secure robust three-factor authentication scheme. Subsequently, Hao et al. [38], Lee [39] and Lin [40] noted that the scheme developed by Guo and Chang had weaknesses that included an inability to ensure strong user anonymity, inefficiency in hiding double secrets, and violation of both the session key security and the contributory property of key agreements. Lin [41] also proposed an improved scheme to eliminate the weaknesses in the scheme of Guo and Chang. However, Lin’s scheme also failed to withstand some attacks and to meet all security requirements. In the password change phase of that scheme, the server does not confirm the freshness of the messages from the users, and the smartcard does not verify the updated data from the server, so the scheme fails efficiently to protect against replay and denial of service attacks. Additionally, in the authenticated key exchange phase, a malicious server can control the value of a session key by the method that was introduced by Bergamo et al. [20] so Lin’s scheme also the fails to provide the contributory property of key agreements. Moreover, in that scheme, every legitimate user can derive session key that is shared between another user and the server by the method of Bergamo et al. [20]. A malicious user can even forge validate request messages and to impersonate other users, so Lin’s scheme fails to withstand privileged-insider attacks.

To address the weaknesses of Lin’s scheme, this work develops a more secure and efficient smartcard-based password-authenticated key agreement scheme that is based on the schemes of both Guo and Chang [33] and Lin [40]. The enhanced scheme constructs the session key using extended chaotic maps, and so the session key of security is based on the extended chaotic map-based Diffie-Hellman problem. The enhanced scheme eliminates the security weakness that was identified by Bergamo et al.; ensures the contributory property of key agreements, and withstands attacks by privileged insiders. Moreover, in the password change phase of the enhanced scheme, the messages are guaranteed to exhibit freshness property owing to the appending of timestamps, so the enhanced scheme withstands replay and denial-of-service attacks. Therefore, the proposed scheme does not have any of the weaknesses of previous schemes.

The remainder of this article is organized as follows. Section 2 describes the notation and the definitions used in this paper. Section 3 reviews the authenticated key agreement scheme of Lin and elucidates its weaknesses. Section 4 presents the enhanced smartcard-based password-authenticated key agreement that uses extended chaotic maps. Section 5 analyzes the security and performance of the enhanced scheme. Finally, Section 6 draws conclusions.

Preliminaries

This section presents the notation and the definitions that are used herein this work.

Notation

The followings detail the notation that is utilized herein.

The user

The identity of U

The password of U

The remote server, which U is registered in

The user’s time stamp

The server’s time stamp

The time threshold

A secure symmetric en/decryption algorithm with the secret key k

The session key generated between U and S

The secure parameter size

A one-way hash function and h:{0,1}*→{0,1}

A one-way hash function and H:[−1,1]→{0,1}

A sends message M to B through a common channel.

Message M1 concatenates to message M2.

Definition

Session key security (AKE security)

This definition defines that an adversary fails to effectively distinguish between two messages from a challenger . One message is encrypted with the real session key λ and the other one is encrypted with a random string λ’ via an unbiased coin c. selects one message and sends it to . Then flips an unbiased coin c ∈ {0,1} and decides to return the message encrypted with λ if c = 1 or encrypted with λ′ if c = 0. intends to correctly guess the value of the hidden bit. The advantage that an adversary violates the indistinguishability of a scheme P is denoted as (). The scheme P is AKE-secure if () is negligible. [41-44]

Chebyshev chaotic maps

The Chebyshev polynomial T(x) is a polynomial in x of degree n and is defined by the following relation:

The recurrence relation of T(x) is defined as: for any n ≥ 2, with T0(x) = 1 and T1(x) = x.

The Chebyshev polynomial satisfies the semi-group property and satisfies: for s,r ∈ Z+.

The Chebyshev polynomial satisfies chaotic property: When n > 1, Chebyshev polynomial map T: [−1,1]→[−1,1] of degree n is a chaotic map with its invariant density for Lyaounov exponent ln n > 0.[29-32]

Zhang [30] in 2008 enhanced the Chebyshev polynomials for avoiding the security weakness showed by Bergamo et al. [20] in 2005, and also proved that the enhanced Chebyshev polynomials still satisfy the semi-group property and the commutative under composition on interval (−∞,+∞). That is, where n ≥ 2, x ∈ (−∞,+∞) and p is a large prime number. Then, holds.

The enhanced Chebyshev chaotic maps also exhibit the Discrete Logarithm and Diffie-Hellman problems [30-32], which are described as follows.

Extended chaotic map-based discrete logarithm problem (DLP)

Given x, y and p, finding the integer r satisfying y = T(x) mod p is computationally infeasible. The advantage that an adversary solves the extended chaotic map-based DLP is denoted as Adv, and thus is negligible.

Extended chaotic map-based computational Diffie-Hellman problem (CDHP)

Given T(x), T(x), T(·), x and p, where r, s ≥ 2, x ∈ (−∞,+∞) and p is a large prime number, calculating is computationally infeasible. The advantage that an adversary solves the extended chaotic map-based CDHP is denoted as Adv, and thus is negligible.

Extended chaotic map-based decisional Diffie-Hellman problem (DDHP)

Given T(x), T(x), T(x), T(·), x and p, deciding whether holds or not is computationally infeasible. The advantage that an adversary solves the extended chaotic map-based DDHP is denoted as Adv, and thus is negligible.

The authenticated key agreement scheme of Lin and its limitations

The authenticated key agreement scheme of Lin

Lin [40] recently presented an improved chaotic maps-based password authenticated key agreement scheme using smartcards. The four phases of the improved scheme are system initialization, user registration, authenticated key exchange and password change phases, which are discussed further below.

System initialization phase

The remote server S setups the system’s parameters by performing the following steps:

S generates a random number r as the private key and a random number x ∈ [−1,+1].

S chooses a master key s, a secure symmetric en/decryption algorithm E(·)/D(·) and a one-way hash function h(·).

Registration phase

A user U registers his/her identity and password by performing the following steps.

U chooses his identity ID, password PW and a random number t and sends ID and H = h(PW ∥ t) to S via a secure channel.

S verifies ID and computes R = E(ID ∥ H) and D = H ⊕ (x ∥ T(x)) by using its master key s.

S stores (R,h(·),E(·),D) into a smartcard SC, and issue SC to U through a secure channel.

U inserts t into it and finishes the registration.

Authenticated key exchange phase

In this phase, as shown in Fig 1, U and S authenticate each other by performing the following steps.

Fig 1

The authenticated key exchange phase of the enhanced scheme.

U inserts his SC into a card reader and inputs PW. Then SC generates a random number j, computes T(x), (x ∥ T(x)) = h(PW ∥ t) ⊕ D, v = T(T(x)), Q = h(ID ∥ H), E(Q ∥ R ∥ T1), where T1 is the current timestamp, and sends M1 = {T(x),E(Q ∥ R ∥ T1)} to S.

On receiving M1, S computes v = T(T(x)), obtains (Q ∥ R ∥ T1) by decrypting E(Q ∥ R ∥ T1) with v, and checks T1. If unsuccessful, S rejects this service request. Otherwise, S obtains (ID′ ∥ H′) by decrypting R with its master key s and checks whether Q′ = ?h(ID′ ∥ H′). If unsuccessful, S rejects this service request. Otherwise, S generates a random number j′, and computes T(x) and E(T(x) ∥ h(ID ∥ T2) ∥ T2), where T2 is the current timestamp, and sends E(T(x) ∥ h(ID ∥ T2) ∥ T2) to SC.

On receiving E(T(x) ∥ h(ID ∥ T2) ∥ T2), SC obtains (T(x) ∥ h′(ID ∥ T2) ∥ T2) by decrypting E(T(x) ∥ h(ID ∥ T2) ∥ T2) with v and checks T2. If unsuccessful, the SC aborts this service request. Otherwise, SC checks whether h′(ID ∥ T2) = ?h(ID ∥ T2). If unsuccessful, SC aborts this service request. Finally, both U and S share a common session key λ = T(T(x)) = T(T(x)).

Password change phase

A legal user U inserts his SC into a card reader and inputs the old password PW and a new password PW* and changes his/her password by performing the following steps.

The SC generates a random number i, computes H′ = h(PW ∥ t), (x ∥ T(x)) = h(PW ∥ t) ⊕ D, η = T(T(x)), H* = h(PW* ∥ t), and sends (T(x),E(H′ ∥ H* ∥ R)) to S.

On receiving (T(x),E(H′ ∥ H* ∥ R)), S computes v = T(T(x)), obtains (H* ∥ Q ∥ R) by decrypting E(H′ ∥ H* ∥ R) with v and obtains (ID ∥ H) by decrypting R with s, respectively. Then S checks whether H′ = ?H holds or not. If successful, S computes R* = E(ID ∥ H*) and sends R* to SC.

After receiving R*, SC updates R as R*.

Weaknesses in the authenticated key agreement scheme of Lin

This subsection elucidates the weaknesses of the improved scheme of Lin, which suffers from denial-of-service attacks and privileged-insider attacks, and violation of the contributory property of key agreements.

Suffering from denial-of-service attacks

In the password change phase, the smartcard does not validate the updated data R so an attacker can easily perform a denial-of-service by the following steps.

On receiving message (T(x),E(H′,H*,R)) from a user, the server computes η = T(T(x)), decrypts E(H′,H*,R) and R = E(ID ∥ H) using η and the server’s master key s, respectively, and then checks whether H′ = ?H.

If H′ = H, then S returns R* = E(ID ∥ H*) to the smart card. At this time, an attacker intercepts R* and replaces it with a nonce .

On receiving message , the smartcard does not verify it but updates R as . Thereafter, when the user attempts to implement the steps of the authenticated key exchange phase or the password change phase, the failed request message or will be detected by the server because the user does not have the correct R. Thereafter, the server always rejects the service requests made by the user. Therefore, the scheme of Lin is insecure against denial-of-service attacks.

Moreover, in the password change phase, the server does not verify the freshness of messages from the users so an attacker can exhaust computational resources in the server by replaying previous request messages. Possible scenarios are as follows.

After the user sends the message (T(x), E(H′,H*,R)) to the server, an attacker can copy it and successively re-send it to the server.

Upon receiving each message (T(x), E(H′,H*,R)) from the attacker, the server computes η = T(T(x)), decrypts E(H′,H*,R) and R = E(ID ∥ H), and successfully checks whether H′ = H. Then, the server computes and returns R* = E(ID ∥ H*). The server may exhaust computational resources and cannot efficiently prevent denial-of-service attacks since the server does not verify the freshness of these request messages.

Suffering from privileged insider attacks

In Lin’s authentication scheme, every legitimate user can derive (x ∥ T(x)) from his/her smartcard. A malicious user U* still can derive the session key that is shared between another user U and the server using the method that was introduced by Bergamo et al. [20]. The details are as follows.

After the user U sends out the message (T(x),E(Q,R,T1)), U* receives T(x). By the method of Bergamo et al., U* possesses x, T(·), T(x) and T(x), and so can compute an integer solution j* that satisfies the equation :

U* can compute the secret key since . Then, U* receives R by decrypting E(Q,R,T1) using v, and can determine whether two request messages came from the same user.

After the server returns the message E(T(x), h(ID ∥ T2), T2), U* receives T(x) and so can compute the session key since . Furthermore, U* can impersonate another user U by forging a request message , where is an acceptable timestamp and , since U* has x, T(x), Q and R.

Therefore, Lin’s authentication scheme fails to withstand privileged insider attacks since every legitimate user has x and T(x), and can derive users’ hidden information concerning Q and R.

Lack of the contributory property of key agreements

In the authenticated key exchange phase of the authenticated key agreement scheme of Lin, the malicious server alone can control the value of the session key using the method proposed by Bergamo et al. [20]. The details are as follows.

Upon receiving the message from a user, the malicious server S receives T(x) and computes an integer solution j* to the equation :

S uses a predetermined value λ0 to find an integer j′, using

calculates E(T(x) ∥ h(ID ∥ T2) ∥ T2), and sends it to the smart card.

Upon receiving the message from S, the smartcard receives (T(x) ∥ h(ID ∥ T2) ∥ T2) by decrypting E(T(x) ∥ h(ID ∥ T2) ∥ T2); it then computes T(T(x)) as the session key. Therefore, U obtains the session key λ0 because .

Therefore, Lin’s scheme does not support the contributory property of key agreements because the malicious server can control the value of the session key.

Enhanced smartcard-based password-authenticated key agreement scheme

This section elucidates the enhanced smartcard-based password-authenticated key agreement scheme that uses extended chaotic maps. The session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem so one malicious participant cannot alone predetermine the value of the session key. Additionally, malicious users cannot derive the mutually session key that is shared between another user and the server, and they cannot forge validate request messages or impersonate other users. Thus, the enhanced scheme withstands privileged insider attacks. Moreover, in the password change phase of the enhanced scheme, the appending of timestamps guarantees the freshness of messages that are sent from users, and the smartcard can validate the updated data from the server, so the enhanced scheme withstands replay and denial-of-service attacks.

The enhanced scheme consists of five phases, which are system initialization, user registration, authenticated key exchange, password change, and smartcard revocation phases. The system initialization phase is similar to those of Lin’s scheme, except that it uses enhanced Chebyshev chaotic maps and the parameter x on interval (−∞,+∞), requires a large prime number p for the modular arithmetic, and maintains a smartcard revocation table in the system initialization phases. The registration, authenticated key exchange, password change and smartcard revocation phases are described further below.

Registration phase

A user U registers his/her identity and password to be a legal user by performing the following steps.

U chooses his identity ID, password PW and a random number t and sends ID and H = h(PW ∥ t) to S via a secure channel.

S verifies ID and computes R = E(ID ∥ H ∥ CNT) by using its master key s, where CNT = 0 and indicates the revocation times.

S stores (R ⊕ H,h(·),E(·),x,T(x)) into a smartcard SC, issue the SC to U through a secure channel.

After receiving SC, U inserts t into it and finishes the registration.

Authenticated key exchange phase

In this phase, as shown in Fig 1, the user U and the server S authenticate each other and negotiate a common session key by performing the following steps.

U inserts his SC, inputs PW, computes H = h(PW ∥ t) and R = (R ⊕ H) ⊕ H, generates a random number a, calculates X1 = T(x)mod p, K = T(T(x))mod p, Q = h(ID ∥ H ∥ T1), X2 = E(Q ∥ R), where T1 is the current timestamp, and sends M1 = {X1,X2,T1} to S.

On receiving M1, S checks whether T′−T1 ≤ ΔT holds or not, where T′ is the current timestamp. If unsuccessful, S aborts this service request; Otherwise S computes K = T(X) mod p, obtains (Q ∥ R) by decrypting X2with K and obtains (ID ∥ H ∥ CNT) by decrypting with s, respectively. Then S checks whether (ID, CNT) is recorded in its revocation table or not and verifies Q = ?h(ID ∥ H ∥ T1). If unsuccessful, S still rejects this service request; Otherwise S generates random numbers b, computes Y = T(x)modp, the session key λ = T(T(x))mod p and Y2 = h(λ ∥ ID ∥ Q ∥ T2), where T1 is the current timestamp, and sends M2 = {Y1,Y2,T2} to U.

On receiving M2, U checks whether T″−T2 ≤ ΔT holds or not, where T″ is the current timestamp. If unsuccessful, U omits this service request; Otherwise U computes the session key λ = T(Y1)modp and checks whether Y2 = ?h(λ ∥ ID ∥ Q ∥ T2) holds or not. If unsuccessful, U still omits this service request.

Password change phase

In this password change phase, as shown in Fig 2, a legal user inserts his/her smartcard SC and inputs the old password PW and a new password PW*, and then changes the password by performing the following steps.

Fig 2

The password change phase of the enhanced scheme.

SC computes H = h(PW ∥ t), H* = h(PW* ∥ t), generates a random number a, calculates X1 = T(x) mod p, K = T(T(x)) mod p, Q = h(ID ∥ H ∥ H* ∥ T), R = (R ⊕ H) ⊕ H and X2 = E(H* ∥ Q ∥ R), where T1 is the current timestamp, and sends M1 = {X1,X2,T1} to the server.

On receiving M1, S checks whether T′−T1 ≤ ΔT holds or not, where T′ is the current timestamp. If unsuccessful, S aborts this service request; Otherwise S computes K = T(X) mod p, obtains (H* ∥ Q ∥ R) by decrypting X2 with K and obtains (ID ∥ H ∥ CNT) by decrypting with s, respectively. Then S checks whether (ID, CNT) is recorded in its revocation table or not and verifies Q = ?h(ID ∥ H ∥ T1). If successful, S computes R* = E(ID ∥ H* ∥ CNT), Y1 = Q ⊕ R* and Y2 = h(K ∥ H* ∥ R* ∥T1), and sends M2 = {Y1,Y2} to the smartcard.

On receiving M2, SC computes R* = Q ⊕ Y1 and checks whether holds or not. If successful, the smartcard replaces R ⊕ H with R* ⊕ H*.

Smartcard revocation phase

This phase enables a legal user to revoke his/her old smartcard and to issue a new smartcard by performing the following steps.

U inputs his/her identity ID, password PW, selects a random number t, computes H = h(PW ∥ t), and sends {ID, H, Smartcard Revocation Request} to S via a secure channel.

S searches (ID,CNT) in its revocation table, computes CNT = CNT+1 and R = E(ID ∥ H ∥ CNT) by using its master key s, and stores (ID,CNT) in its revocation table.

S stores (R,h(·),E(·),x,T(x)) into a smartcard, and issue the smartcard to U through a secure channel.

After receiving the smartcard, U inserts t into it and finishes the smartcard revocation processes.

Security and performance analyses

Security analysis

This subsection analyzes the security of the enhanced scheme, with reference to session key security, the contributory property of key agreements, and the withstanding of replay, denial-of-service and privileged-insider attacks.

Since the enhanced scheme is based on the schemes of Guo and Chang and Lin, the analyses of security requirements and the withstanding of possible attacks closely resemble those for the schemes of Guo and Chang and Lin, and so are not presented here.

Providing session key security (AKE security)

The following descriptions reveal that the enhanced scheme provides session key security by adopting the real-or-random (ROR) and the sequence of games (SOG) models [41-45].

The Difference Lemma [45] is used for the sequence of games and is described as follows:

Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that . Then

The following theorem shows that the proposed scheme has AKE security if the extended chaotic map-based DDHP holds.

Theorem 1. The probability that an adversary breaks the AKE security of the enhanced authenticated key agreement scheme P satisfies, where Adv is the advantage that an extended chaotic map-based DDH attacker can gain by solving the extended chaotic map-based DDHP, N is the size of password lists, and l is a secure parameter size.

Proof: Game defines the probability of the event E that the adversary wins this game. The start game is a real attack against the proposed scheme, and the final game ends a negligible advantage gained by an attacked by breaking the AKE security of the enhanced scheme.

Game : This game corresponds to the real attack. By definition,

Game : This game considers password-guessing attacks. Each X2 = E(Q ∥ R) is different, where Q = h(ID ∥ H ∥ T1), H = h(PW ∥ t) and K = T(T(x)) mod p, since t and a are random numbers selected by user U, and T1 is the timestamp. Thus, the adversary has no information for verifying his/her password guesses. This implies that the security against password attacks is measured by the probability that exists messages of the form X2 = E(Q ∥ R) such that the guessing password is correct. Then, we have

Game : This game transforms game into game , getting Q by choosing a random number, instead of computing a hash. Then, games and are undistinguishable except collisions of a hash function in . Thus, according to the birthday paradox [42] and Lemma 1, we have

Game : This game is transformed from game by using a triple (X,Y,Z) sample from a random distribution (T(x)mod p,T(x)mod p,T(x)mod p), rather than an extended chaotic map-based DDH triple. is therefore equivalent to , and

Let a challenger Addh attempt to violate the indistinguishability of the extended chaotic map-based DDHP, and let an adversary Aake be created to violate the session key security. Addh returns the real key λ to Aake if the flipping unbiased coin bit c = 1; otherwise, c = 0 and it returns a random string to Aake. Then Aake outputs its guess bit c' and wins if c' = c. Addh returns the output exactly as in the preceding experiment, except with (X, Y, Z) that was input to it. If Aake outputs c, then Addh outputs 1; otherwise, it outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, then Addh executes Aake in and so Prob. [event that Addh outputs 1] equals the Prob.[E3]. If (X, Y, Z) is a random triple, then Addh runs Aake in and so Prob. [event that Addh outputs 1] equals Prob.[E4]. Therefore,

No information about flipping unbiased coin bit c is revealed, and all session keys are random and independent among all executions of the enhanced scheme. Thus,

Combining Eqs (1)–(6) and using Lemma 1, yields

The proof is thus concluded.

Providing the contributory property of key agreements

Theorem 2. The enhanced scheme provides the contributory property of key agreements.

Proof: By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Therefore, the enhanced scheme avoids the security weakness that was proposed by Bergamo et al. [20] and neither a user nor the server alone can determine a session key. Thus, the enhanced scheme satisfies the contributory property of key agreements.

Withstanding replay attacks

Theorem 3. The password change phase of the enhanced scheme withstands replay attacks.

Proof: In the password change phase of the enhanced scheme, the smartcard sends the request message M1 = {X1,X2,T1} to the server, where T1 is the current timestamp, X1 = T(x) mod p, X2 = E(H* ∥ Q ∥ R), K = T(T(x)) mod p, H* = h(PW* ∥ t) and Q = h(ID ∥ H ∥ H* ∥ T1. By validating timestamp T1 and Q = ?h(ID ∥ H ∥ H* ∥ T1, the server can easily verify the freshness of the request messages that are received from the users, so the enhanced scheme withstands replay attacks.

Withstanding denial of service attacks

Theorem 4. The password change phase of the enhanced scheme withstands denial-of-service attacks.

Proof: Since the smartcard validates updated data R* by checking Y = h(K ∥ H* ∥ R* ∥ T1 and then replaces R with R*, where the timestamp T1 is generated by the smartcard and H* = h(PW* ∥ t), an attacker has difficulty in modifying the response message M2 = {Y1,Y2}. Therefore, the enhanced scheme withstands denial-of-service attacks.

Withstanding privileged insider attacks

Theorem 5. The password change phase of the enhanced scheme withstands privileged-insider attacks.

Proof: In the enhanced scheme, every legitimate user has (x,T(x)) in his/her smartcard. By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Thus, a malicious user cannot derive the secret key K and the session key λ that is shared between another user and the server in the authenticated key exchange and the password change phases. Consequently, a malicious user cannot receive (Q ∥ R) and (ID ∥ H ∥ CNT) in the authenticated key exchange phase, and (H* ∥ Q ∥ R) and (ID ∥ H ∥ CNT) in the password change phases. Such a user has difficulty in forging valid request messages and impersonating other users. Thus, the enhanced scheme withstands privileged insider attacks.

Logical analyses

This subsection describes the logical analyses of the proposed scheme by using the logical tool, which was defined and presented by Burrows et al. [46] in 1990 and Buttyan et al. [47] in 1998.

Assume that P and Q range over principals. C denotes a communicating channel and X and Y are messages. Table 1 defines the notation used for logical analyses [46-48].

Table 1

The notation used for logical analyses.

Symbol	Description
C(X)	The message X is transited via channel C.
r(C)	The set of readers of channel C.
w(C)	The set of writers of channel C.
P|≡ X	P believes the statement X.
P |∼ X		P once said X.
P⊲C(X)		P sees C(X). The message X is transited via channel C and can be observed by P. P must be a reader of channel C to read message X.
P⊲ X|C		P sees X via C. The message X is transited via channel C and can be received by P.
(X)K		X is hashed with the key K.
PK←→Q		P and Q can establish a secure communication channel by using the shared key K.

Table 2 lists the used assumptions and Table 3 lists the used logical description [46-48], where A and B are S and U, but A ≠ B.

Table 2

The assumptions of the proposed scheme.

(A1) A ∈ r(CA,B): A can read from the channel CA,B.

(A2) A ≡ (w(CA,B) = {A,B}): A believes that A and B can write on CA,B.

(A3) A ≡ (B ∥∼Φ → Φ): A believes that B only says what it believes.

(A4) A ≡# (NA): A believes that NA is fresh.

(A5) A≡a→ECMDH(secret)A: A believes that a is its extended chaotic map-based Diffie–Hellman secret.

Table 3

The inference rules of the logic of the proposed scheme.

Seeing rules

(S1) P⊲C(X),P∈r(C)P≡(P⊲X|C),P⊲X: If P receives and reads X via C, then P believes that X has arrived on C and P sees X.

(S2) P⊲(X,Y)P⊲X,P⊲Y: If P sees a hybrid message (X, Y), then P sees X and Y separately.

Interpretation rules

(I1) P≡(w(C)={P,Q})P≡(P⊲X|C)→Q|~X: If P believes that C can only be written by P and Q, then P believes that if P receives X via C, then Q said X.

(I2) P≡(Q|~(X,Y))P≡(Q|~X),P≡(Q|~Y): If P believes that Q said a hybrid message (X, Y), then P believes that Q has said X and Y separately.

(I3) P≡(a→ECMDH(secret)P),P≡(T_b(x)modp→ECMDH(public)Q)P≡(PT_ab(x)modp←→Q): If P believes that a is its extended chaotic map-based Diffie–Hellman secret and that Ta(x) mod p is the extended chaotic map-based Diffie–Hellman component from Q, then P believes that Tab(x) mod p is the symmetric key shared between P and Q.

Freshness rules

(F1) P≡(Q|~X),P≡#(X)P≡(Q|~X): If P believes that another Q said X and P also believes that X is fresh, then P believes that Q has recently said X.

(F2) P≡#(X)P≡#(X,Y): If P believes that a part of a mixed message X is fresh, then it believes that the whole message (X,Y) is fresh.

Rationality rules

(R1) P≡(Φ_1→Φ_2),P≡Φ_1P≡Φ_2: If P believes that Φ1 implies Φ2 and P believes that Φ1 is true, then P believes that Φ2 is true.

Then, according to [46-48], the proposed scheme is described in logic as follows.

On the basis of to the assumptions and logical analyses, the proposed scheme must realize the following four goals of authentication and key agreement.

Goal 1: : User U believes that λ = T(x) mod p is a symmetric key shared between participants U and S.

Goal 2: : Server S believes that λ = T(x) mod p is a symmetric key shared between U and S.

Goal 3: : User U believes that S is convinced of λ = T(x) mod p is a symmetric key shared between U and S.

Goal 4: : Server S believes that U is convinced of λ = T(x) mod p is a symmetric key shared between U and S.

To accomplish the Goal 1, we have that and must hold because of the interpretation rule (I3) and assumption (A5).

Next, to accomplish Eq (8), we have that and must hold because of assumption (A3) and the rationality rule (R1). To accomplish Eq (10), we have that must hold because of the freshness rules (F1), (F2) and assumption (A4).

To accomplish Eq (11), we have that and must hold because of the interpretation rules (I1), the seeing rules (S1), (S2), assumptions (A1) and (A2). By using the interpretation rules (I3) and, we have the proposed scheme realizes

Similarly, we have that the proposed scheme realizes Goal 2: by using the same arguments of Goal 1.

To accomplish Goal 3, we have that and must hold because of the rationality rule (R1) and assumption (A3). To accomplish Eq (16), we have that and must hold because of the freshness rules (F1), (F2) and assumption (A4). To accomplish Eq (18), we have that and must hold because of the interpretation rule (I1), the assumptions (A1), (A2) and the seeing rules (S1) and (S2).

Thus, the proposed protocol realizes

Similarly, using the same arguments of Goal 3, the proposed scheme realizes Goal 4:

Therefore, the proposed scheme realizes Goals 1, 2, 3 and 4.

Performance analysis and comparisons

Table 4 compares the performance and security properties of the enhanced scheme with related approaches [7, 9, 10, 15, 36, 37, 40, 49–53], where T denotes the time of executing a hash function operation; T denotes the time of executing a chaotic map operation; T denotes the time of executing a symmetric encryption/decryption operation; T denotes the time of executing a squaring operation; T denotes the time of executing a squaring root solving operation; T denotes the time of executing a multiplication/division operation and T denotes the time of executing a modular exponential computation.

Table 4

Performance and security properties comparison.

Schemes	Computations	Transmissions		P1	P2	P3
Islam et al.’s scheme [15]	5TH+TSQ+TSR		2	Yes	Yes	Yes
Chen et al.’s scheme [9]	5TH+3TM+3TE		2	No	No	Yes
Jiang et al.’s scheme [10]	5TH+TM+5TE		2	No	Yes	Yes
Wang et al.’s scheme [49]	10TH		2	No	No	No
Lee et al.’s scheme [7]	16TH		3	No	No	No
Yan et al.’s scheme [50]	11TH		3	No	Yes	No
Das-Goswami’s scheme [51]	2TH+12TC		2	Yes	Yes	Yes
Lee et al.’s scheme [52]	12TH+4TC		2	No	No	Yes
He et al.’s scheme [53]	10TH+6TC		2	Yes	No	Yes
Islam et al.’s scheme [36]	18TH+10TC		2	Yes	No	Yes
Jiang et al.’s scheme [37]	21TH+6TC		2	Yes	Yes	Yes
Lin’s scheme [40]	5TH+5TS+6TC		2	Yes	No	Yes
Enhanced scheme	5TH+3TS+5TC		2	Yes	Yes	Yes

P1: Resisting possible attacks; P2: User anonymity; P3: Perfect forward secrecy.

The schemes proposed by Islam et al. [15], Chen et al. [9] and Jiang et al. [10] use the public key cryptosystem, require time-consuming modular exponential computations, and thus are inefficient. Although the schemes proposed by Wang et al. [49], Lee et al. [7] and Yan et al. [50] only employ the hash function operations and are more efficient than other schemes, these schemes fail to resist possible attacks and cannot provide perfect forward secrecy. The schemes proposed by Das and Goswami [51], Lee et al. [52], He et al. [53], Islam et al. [36], Jiang et al. [37] and Lin [40] and the enhanced scheme are based on chaotic maps and retain low computations and communications. Additionally, only the schemes proposed by Das and Goswami [51] and Jiang et al. [37] and the enhanced scheme resist potential attacks and provide more functions.

Conclusions

This study addresses the weaknesses of Lin’s improved scheme including its vulnerability to denial-of-service attacks and privileged-insider attacks, and its inability to support the contributory property of key agreements. An enhanced smartcard-based password-authenticated key agreement scheme that is based on extended chaotic maps is presented. The session key security of the enhanced scheme is proven secure using the real-or-random and the sequence-of-game models, and it is based on the extended chaotic map-based DDHP. Thus, malicious users cannot derive a session key between another user and the server, and they cannot forge valid request messages or impersonate other users. Accordingly, the enhanced scheme withstands privileged insider attacks. Additionally, in the enhanced scheme, the messages that are sent from users are guaranteed to be fresh by the appending of timestamps, and the smartcard validates updated data from the server so the enhanced scheme withstands replay and denial-of-service attacks. Therefore, the enhanced scheme eliminates the weaknesses in previous schemes.