Improved anonymity preserving three-party mutual authentication key exchange protocol based on chaotic maps.

Three-party authentication key exchange is a protocol that allows two users to set up a session key for encrypted communication by the help of a trusted remote server. Providing user anonymity and mutual authentication in the authentication key exchange is important security requirements to protect users' privacy and enhance its security performance. Recently Li proposed a chaotic maps-based authentication key exchange protocol which attempts to provide mutual authentication and user anonymity, but we found that there were some faults in the key exchange phase and password change phase of his scheme. We prove that Li's scheme does not provide user anonymity and that the user's privacy information is disclosed, and propose enhanced three-party authentication key exchange protocol that provides user anonymity and we analyse its security properties and verify its validity based on BAN logic and AVISPA tool.

1. Introduction

Authentication key exchange is one of the important issues to ensure the confidentiality of network security as a way of sharing the session key to perform encryption communication between communication parties in public network.

Researchers have done a lot of work on the two-party authentication key exchange (2PAKE) scheme (only two parties participate in key exchange) [1-5] and three-party authentication key exchange (3PAKE) scheme (except two communicating parties, the trusted third party server participates in key exchange) [6-43]. The main focus in authentication key exchange is to propose a clear authentication and a secure key exchange between participants. Key exchange is a process of setting up a session key to encrypt a message exchanged between participants and only two parties must share the key and the security of the key must be guaranteed. Typical encryption methods used for key exchange include secret-key encryption [26-43] and public-key encryption. Public-key encryption methods include in detail modular exponential operation -based schemes [6-13], elliptic curve encryption-based schemes [14, 15, 30–33, 34], chaotic maps-based schemes [16-25] and bilinear pairing-based schemes [34, 36]. User authentication is a key issue in authentication key exchange as a process of verifying whether a user is legal or not, where it is important to use authentication factor. Authentication factors include knowledge-based factors (e.g., registered passwords), ownership-based factors (e.g., smart card), biometric infrastructures (fingerprints, irises, etc.) [33]. According to the number of authentication factors, it is classified into single factor authentication [6–13, 16, 20, 34], two-factor authentication [14, 15, 26, 29, 38–42, 44], three-factor authentication [1, 3, 4, 24, 25, 28, 30, 32, 33, 37].

Recently, with the introduction of technologies such as peer-to-peer, cloud computing, wireless sensor network, and Internet of Things (IoT), researchers are further investigating 3PAKE.

1.1 Related work

Password-based authentication key exchange is a traditional method, and many researchers have proposed password-based authentication key exchange methods [6–13, 16, 20, 34]. However, several security disadvantages have been revealed in the authentication key exchange scheme using only passwords.

Tallapally [6] proposed a simple 3PAKE protocol based on password in wireless communication networks, however, Farash [7] has revealed that Lu’s scheme cannot detect online and offline password guessing attacks, and he has improved their scheme, but his scheme was also found to be vulnerable to offline password guessing attacks by Lu [8]. Lu proposed an improved scheme, but his scheme was still vulnerable to offline password guessing attacks [9].

Youn [10] proposed a 3PAKE protocol based on password and exponential operation. However, Heydari [11] pointed out that Youn’s scheme is vulnerable to user impersonate attack. Heydari proposed a modified 3PAKE protocol that overcame the limitations of the Youn’s scheme. However, his scheme also does not provide user anonymity because user’s identity is disclosed in the key exchange phase. Lin et al. [12] proposed verifier-based 3PAKE with low computational cost and transfer cost based on password and modulator exponential operation. However, Chiou [13] pointed out that Lin’s scheme does not provide anonymity and untraceability and is not computationally efficient, and proposed 3PAKE that provides anonymity and untraceability by implementing message encryption with long term key. However, since his scheme also performs key exchange [45] based on modular exponential operation, the computation is still not efficient.

Researchers used the Elliptic Curve Cryptography (ECC) [46] and Chebyshev Chaotic Maps (CCM) [47, 48] much more efficient compared to modular exponential operations. ECC encryption is fast because of its much smaller key length at the same encryption intensity compared to modular exponential operations. Chebyshev Chaotic Maps has a lower public parameter for encryption compared to ECC and is simple to implement and is convenient to apply in portable terminal-system environments.

Wu [14] proposed a key agreement scheme for mobile user roaming service in global mobility networks based on ECC. In his scheme user’s dynamic identity is updated in each session. However, Gupta [15] pointed out that Wu’s scheme fails to support untraceability and it has inefficient typo-detection.

Xie [16] proposed a 3PAKE protocol based on chaotic maps with user password. However, Lee [17] found that Xie’s scheme is vulnerable to offline password guessing attacks and does not provide user anonymity, and proposed a 3PAKE protocol that does not use passwords that overcome their shortcomings. In Lee’s scheme, user privacy is generated by combining the server’s secret key and the user’s identification, it is used to authenticate the corresponding user. However, Xie [18] found that Lee’s scheme is vulnerable to user impersonate attacks, and Jabbari [19] showed that Lee’s scheme is vulnerable to internal user impersonate attacks and does not provide anonymity.

Farash [20] proposed 3PAKE based on Chebyshev chaotic maps with user password. In his scheme user authentication verifier is generated by combining server privacy with user’s identifier and user’s password. However, Xie [21] and Li [22] found that Farashi’s scheme is capable of user impersonate attacks and offline password guessing attacks. Xie proposed an updated scheme based on chaotic maps overcoming the disadvantages of Farashi’s scheme. However, his scheme was also found by Lu [23] that offline password guessing attacks and user impersonate attacks are possible and user anonymity is not provided. Lu’s scheme encrypts a message with a secret key generated from the server’s public key based on the chaotic map to provide anonymity. However, his scheme has defects in protocol design [24].

To overcome the disadvantages of user authentication using passwords, researchers proposed 3PAKE protocols that combine smart card and biometric with user’s password to authenticate user.

In 2014, Xue [26] analysed Li [27] scheme that proposed a dynamic identifier-based 3PAKE in a multi-server environment and demonstrated that his scheme is vulnerable to attacks such as denial-of-service, internal attack, smart card attack, eavesdropping attack, masquerade attack. He also proposed an authentication key exchange scheme between a client and a service provider based on pseudo dynamic user identity using smart cards and user’s passwords in a multi-server environment. However, Gupta [28] found that his scheme is vulnerable to known password attacks, stolen smart card attacks and user impersonate attacks. In addition, Amin [29] also pointed out that Xue’s scheme does not provide anonymity, is vulnerable to offline password guessing attacks, privileged insider attacks, session key disclose attacks, and user impersonate attacks and has some defects in the authentication phase. Gupta proposed a hash function-based 3PAKE in a multi-service environment with user passwords and smart cards, but Tomar [30] demonstrated that his scheme is vulnerable to DoS attack, stolen smart card attack, user impersonate attacks, and does not provide perfect forward security.

Challa [32] also proposed a signature-based 3PAKE in IoT with password, smart card and biometric. However, Jia [33] pointed out that Challa’s scheme does not provide anonymity and untraceability and is vulnerable to user impersonate attacks, stolen smart card attacks, offline password guessing attacks, and attacks in the password change phase. Jia proposed a signature-based 3PAKE protocol that provides anonymity by updating Challa’s scheme. To provide anonymity, Jia used XOR operations and applied signature based on elliptic curve cryptography. Jia [34] proposed a 3PAKE scheme in fog-driven IoT based on Bilinear Pairing, whose scheme indicated by Ma [35] that it is computationally expensive because of Bilinear Pairing, and proposed a scheme that does not use Bilinear Pairing. Reddicherla [36] also proposed authentication key exchange scheme in Heterogeneous network based on Bilinear Pairing, but it is also not efficient because of the high computational cost.

Researchers also proposed key exchange scheme based on secret-key encryption without public-key encryption to implement 3PAKE in a portable terminal environment with narrow bandwidth and limited storage capacity, such as wireless communication environment or IoT. Key exchange based on secret-key encryption is much more advantageous in terms of computational cost because it does not use high-computational public-key encryption.

Chuang [37] proposed a 3PAKE scheme that provides anonymity with password, smart card and biometric in a multi-service environment. He proposed an authentication key exchange scheme that provides anonymity without public-key encryption in protocol design. However, his scheme was found by Amin [29] to be vulnerable to user impersonate attacks and vulnerable to session key disclose attacks. Amin analysed the disadvantages of the scheme proposed by Xue [26] and Chuang [37] and proposed an improved lightweight authentication scheme. His scheme provided anonymity using smart cards and passwords without public key encryption.

In 2018, Wei [38] also proposed a 3PAKE protocol that provides anonymity without public-key cryptography to reduce computational cost. In 2019, Yang [39] proposed a lightweight 3PAKE protocol that provides perfect forward security using only XOR and hash functions in a WSN environment.

1.2 Motivation and our contribution

The authentication scheme with password, smart card and biometric is effective in systems that require high security performance. However, most schemes using smart cards are vulnerable to stolen smart card attacks [26, 28, 32], and most schemes are vulnerable to some known attacks.

It is still a challenge for researchers to design protocols that are secure against various attacks in various environments while providing anonymity and untraceability. Many schemes attempted to provide anonymity and traceability, but failed [12, 14, 17, 20, 23, 32, 43].

Recently, in 2018, Li [38] proposed a chaotic maps-based 3-PAKE that provides anonymity with password and smart cards. In his scheme, users share user’s credentials related to user’s identity, user’s password and server’s secret with the server, and chaotic maps is used for exchanging session key. He also used modulo square operations and square root operations based on Chinese Remainder Theorem to encrypt the message providing anonymity and untraceability. However, there are drawbacks in his protocol.

We have analysed the disadvantages of the Li’s scheme and demonstrated that the user’s authentication verifier is disclosed by an internal attacker, providing anonymity is failed and that the password modification is not successful by blocking attacks in the password change phase. We design an enhanced 3PAKE protocol that overcomes several security disadvantages of Li’s scheme, and is resistant to various attacks. In this paper, we propose a strong mutual authentication between server and users to overcome insider attacks, and a re-registration phase that allows users to re-register without altering their identity. Then, we analyse the security properties of our scheme and verify its validity using Ban-Logic [49] and AVISPA [50] tools and show the results of comparative analysis with previous works.

2. Preliminaries

This section describes Chebyshev chaotic maps and Bio-hashing functions.

2.1 Chebyshev polynomials

Chebyshev polynomial T(α) is defined as follows [47].

Chebyshev polynomials satisfy the following recursive relationship [47].

2.2 The property of Chebyshev polynomials

Chebyshev polynomials have the following two properties [47, 48].

Chaotic property: When n>1, Chebyshev polynomial map T(α):[-1,1]→[-1,1] of degree n is a chaotic map with its invariant density , for positive Lyapunov exponent ln(n) > 0.

Semi-group property: For u, v ∈N and any α∈ [-1,1], T (T(α)) = T(α) = T(T(α)).

2.3 Enhanced Chebyshev polynomials

The semi-group property holds for Chebyshev polynomials on the interval (-∞, +∞), which can enhance the property as follows [48]:

2.4 Computational problems based on Chebyshev polynomials

CDLP (Chaotic maps-based Discrete Logarithm problem): For given two real numbers α and β, it is infeasible to find the integer n by any polynomial time bounded algorithm, where β = T(α) mod p [48].

CDHP (Chaotic maps-based Diffie-Hellman problem): For given three elements α, T(α) mod p and T(α) mod p, it is infeasible to compute the value T(α) mod p by any polynomial time bounded algorithm [48].

2.5 Bio-hashing and Fuzzy Extractor function

Biometric indicators have an advantage over traditional user identification methods, because these have some inherent attributes that cannot be easily shared and every person has unique biometric-attributes [51]. Generally, imprint biometric characteristics (face, fingerprint, palm-print etc.) may not be exactly same at each time since it might be change at some environment. To solve this problem, Lumini et al. [52] proposed and updated Bio-hashing, which is used to map a user’s biometric features to a user-specific random vectors. Recently many researchers [3, 24] have proposed authentication key exchange schemes based on Bio-Hashing.

Dodis et al. [53] proposed a scheme based on Fuzzy Extractor, which consists of two functions (Rep, Gen). The function Gen extracts biometric input B and outputs a nearly random binary string R and an auxiliary binary string P. Then function Rep recovers R with the corresponding auxiliary string P and biometric B*. If dist (B, B*) ≦ t and Gen(B) -> , then we have Rep (B*, P) = R. Fuzzy Extractor is also used in many authentication schemes [1, 3, 4, 30, 32, 33].

2.6 Adversary model

For the security analysis of authentication protocols, several adversary models have been proposed, such as Dolev-Yao adversary model [54], side-channel technology [55], password guessing attack [56], and insider attacker model [4, 33].

The Dolev-Yao attacker model defines the ability of an attacker in the public channel, and the side-channel technology enables an attacker to extract data stored in a smart card based on reverse engineering and power analysis [57, 58]. Also, the password guessing attack enables an attacker to guess a password from the information related to the user’s password under the premise that the entropy of the password is low. An insider attacker is a legitimate user in the system and performs malicious actions.

In this subsection, the adversary model for security analysis of the previous work and the proposed scheme is described as follows.

An adversary can eavesdrop, modify, remove, block, and retransmit all messages sent on the public channel [54] and cannot access messages sent on the secure channel.

An adversary can extract all stored data from a lost or stolen smart card based on side channel technology [55, 57, 58].

An attacker can easily guess the user identity or password after obtaining information from an intelligent card or public channel according to [56].

An adversary can be a legitimate but malicious user or server in the system [4, 33].

3. Review of Li et al.’s scheme

This section shows that the scheme proposed by Li et al. [22] has some deficiencies. Li designed three-party password-based authentication key exchange protocol based on chaotic maps providing user anonymity. In his scheme, the information related to user’s password is registered with the server side. Also a modular squaring operation and a square root modulo based on the Chinese Remainder Theorem is used for user anonymity. However, his scheme has some faults in the session key exchange phase and the password change phase. Below is a brief description of the scheme proposed by Li et al. and its deficiencies.

3.1 Li et al.’s scheme

Notations used in his paper

Table 1 shows some notations used to describe Li et al.’s schemes.

Table 1

Notations in Li et al.’s scheme.

Notation	Description
S and A, B	Trusted remote server and two users
U i	Identifier of user i
pw i	Password of user i
k	Secret key of S
p	A large prime number chosen by S
u, v and N = u * v	Two large primes maintained by S
p	A large prime number chosen by S
Tn(∙)	Chebyshev polynomials of degree n
h(∙)	One-way hash function
SQR (∙), SQRT (∙)	Modular squaring operation and square root modulo operation
⊕	XOR operator

System initialization

The server selects one private key k and two secret large primes (u, v), and publishes {p, α, h(), N}.

Step 1: The user submits {U, h (rm, PW)} to S, where rm ∈ [1, p+1] is random number and PW = T(α).

Step 2: Upon receiving the message from the user, S computes VP = h (U, k) + h(rm, PW) mod p and stores (U, VP) in its database.

Step 3: The user stores rm into his end-user device.

Authentication and key exchange

Step 1 The user A chooses a random number r ∈ [1, p + 1] and computes R = T(α) mod p, PW = T(α) mod p and h(rm, PW), where rm is retrieved from his end-user device. Then A sends M1 = SQR (U, U, h(rm, PW), R) mod N to S.

Step 2 Upon receiving M1 from A, S obtains (U, U, h(rm, PW)*, R) = SQRT(M1) by using the Chinese Remainder Theorem with u and v. Next, S retrieves the stored VP = h(U, k) + h(rm, PW) corresponding to U. If VP—h(U, k) = h(rm, PW)*, then S continues next step. S chooses two random numbers r, r∈ [1, p + 1] and computes R = T(α)- h(rm, PW) mod p, R = T(α)—h(rm, PW) mod p and μ = U ⊕ T(α) mod p. Then S sends M2 = {μ, R, R} to B.

Step 3 Upon receiving M2 from S, B computes PW = T(α) mod p, h(rm, PW), T(α) = R + h(rm, PW) and U = μ ⊕ T(α). Then B chooses a random number r ∈ [1, p + 1] and computes R = T(α) mod p, K = T(T(α)) mod p = T(α) mod p, K = T(R) mod p = T(α) mod p, V = h(0, U, U, R, R, K) and V = h(0, U, U, R, R, V, K). Then B sends M3 = SQR(U, U, R, V, V) mod N to S.

Step 4 Upon receiving M3 from B, S obtains (U, U, R, V*, V) = SQRT(M3). S computes K = T(R) = T(α) mod p and V = h(0, U, U, R, R, V, K). If V* = V, B is authenticated by S and then S computes K = T(R) = T(α) mod p and V = h(0, U, U, R, R, R, V, K). Then S sends M4 = {R, R, V, V} to A.

Step A5: Upon receiving M4 from S, A computes K = T(R + h(rm, PW)) = T(α) mod p and V = h(0, U, U, R, R, R, V, K). If V equals received V*, S is authenticated by A. Next, A computes K = T(R) mod p = T(α) mod p and V = h(0, U, U, R, R, K). If V equals received V*, B is authenticated by A. A computes V = h(1, U, U, R, R, K) and V = h(1, U, U, R, R, V, K). Then A sends M5 = {V, V} to S.

Step A6 After receiving M5 from A, S verifies if computed h(1, U, U, R, R, V, K) equals received V. If it holds, A is authenticated by S. Then S computes V = h(1, U, U, R, R, V, K) and sends M6 = {V, V} to B.

Step A7 After receiving M6 from S, B verifies if computed h(1, U, U, R, R, V, K) and h(1, U, U, R, R, K) equal received V and V. If they are valid, A and S are authenticated by B. Finally, A computes the session key SK = h(2, U, U, R, R, K) and B computes the session key SK = h(2, U, U, R, R, K).

Password change phase

Step 1 The user A chooses a random number r ∈ [1, p + 1] and computes R = T(α) mod p, PW = T(α) mod p and h(rm, PW), Then A sends C1 = SQR(U, h(rm, PW), R) mod p to S.

Step 2 Upon receiving C1 from A, S obtains (U, h(rm, PW)*, R) = SQRT(C1) by using the Chinese Remainder Theorem with u and v. Next, S verifies the received h(rm, PW)* with the stored VP = h(U, k)+h(rm, PW) mod p corresponding to U. If VP—h(U, s) = h(rm, PW)*, S accepts A’s request message C1. Then S chooses a random number r ∈ [1, p + 1] and computes R = T(α)—h(rm, PW) mod p, K = T(R) = T(α) mod p and V = h(0, U, R, R, K). Then S sends C2 = {R, V} to A.

Step 3 Upon receiving C2 from S, A computes K = T(R + h(rm, PW)) = T(α) mod p and verifies if computed V = h(0, U, R, R, K) equals received V*. If it holds, S is authenticated by A. Next, A selects a new password pw* and a new random number rm* and computes V = h(1, U, R, R, K), PW* = T (α) mod p, and h(rm*, PW*). Then A sends C3 = SQR(V, U, h(rm*, PW*)) mod p to S.

Step 4 Upon receiving C3 from A, S verifies if computed V = h(1, U, R, R, K) equals received V*. If it holds, S accepts A’s password change request, computes R1 = h(1, U, h(rm*, PW*), K) and VP* = h(U, k) + h(rm*, PW*) mod p and replaces VP with VP*. Then S sends C4 = {Accept, R1} to A. Otherwise, S rejects A’s password change request, computes R2 = h(0, U, h(rm*, PW*), K) and sends C5 = {Reject, R2} to A. If the message is C4, A verifies if computed R1 = h(1, U, h(rm*, PW*), K) equals received R1*. If it holds, A confirms pw* as the new password and replaces rm with rm* in his end-user device. Otherwise, A returns to Step 1 and follows the process. If the message is C5, A returns to Step 1 with another new password and follows the process.

3.2 Faults of Li et al.’s scheme

Many attack models [54-58] have been proposed by researchers and based on them, cryptographic protocols [25, 33, 34, 38, 59, 60] have been analysed. Based on the adversary model presented in Section 2.6, we analyse Li et al.’ scheme. According to the adversary model, the adversary can eavesdrop and block all message sent on the public channel and he can be a legitimate user in the system. In this paper, we call such an adversary an insider adversary.

Verifier disclosure attacks

Li et al.’s scheme has a faults that user’s authentication verifier is disclosed to the insider adversary in the authentication and key exchange phase. In his scheme, h(rm, PW) is user’s authentication verifier, where rm is stored into user’s end-device, PW = T(α) mod p and pw is user’s password. However, h(rm, PW) is disclosed to the insider adversary.

The details of verifier disclosure attack in his scheme are described as follows.

Step 1. In order to exchange a session key with a legal user A, an inside adversary C chooses a random number r ∈ [1, p + 1] and computes R = T(α) mod p, PW = T(α) mod p and h(rm, PW), where rm is retrieved from his end-user device. Then C sends M1 = SQR (U, U, h(rm, PW), R) mod N to S.

Step 2. Upon receiving M1 from C, S obtains (U, U, h(rm, PW)*, R) = SQRT(M1). Next, S retrieves the stored VP = h(U, k) + h(rm, PW) corresponding to U. If VP—h(U, k) = h(rm, PW)*, then S continues next step. S chooses two random numbers r, r∈ [1, p + 1] and computes R = T(α)- h(rm, PW) mod p, R = T(α)—h(rm, PW) mod p and μ = U ⊕ T(α) mod p. Then S sends M2 = {μ, R, R} to A.

Step 3. At this time, C intercepts M2 = {μ*, R*, R*} and computes as follows:

U ⊕ μ* = U ⊕U ⊕ T(α) = T(α) (Because of U is C’s identifier, C knows it. Through checking for R* of M2, C can verify that M2 is a message generated at the server according to M1.)

As the result, C can obtain A’s authentication verifier h(rm, PW).

In this way, C can obtain all of legal users’ authentication verifier.

If an insider adversary wants to get an authentication verifier of user A, it is necessary to generate a message M1 for exchanging session key with user A according to the designed protocol, send it to the server, intercept the message M2 from the server, and then compute it according to the procedure shown above.

User impersonate attacks

As shown above, since an insider adversary C can obtain any of legal users’ authentication verifier through verifier disclosure attack, he can impersonate as any legal user.

If an insider adversary C wants to impersonate as a legal user A and communicate with B, he obtains the user A’s authentication verifier V = h(rm, PW) through the verifier disclosure attack as shown above before the authentication and key exchange phases.

In the authentication and key exchange phase, C works as follows

Step 1. C chooses a random number r ∈ [1, p + 1] and computes R = T(α) mod p. After that, he can sufficiently make the message M1 = SQR(U, U, h(rm, PW), R) mod N by using the user A’s authentication verifier V = h(rm, PW). Then C impersonates A to sends M1 to S.

The process in steps 2, 3 and 4 is performed according to the protocol, B computes K* = T(R) mod p = T(α) mod p and V* = h(0, U, U, R, R, K*), S computes K* = T(R) = T(α) mod p and V* = h(0, U, U, R, R, R, V*, K*).

Step 5: C intercepts M4 from S to A, C computes K* = T(R + h(rm, PW)) = T(α) mod p, K* = T(R) mod p = T(α) mod p and V* = h(1, U, U, R, R, K*) and V* = h(1, U, U, R, R, V*, K*). Then A sends M5 = {V*, V*} to S.

The process in steps 6 and 7 is performed according to the protocol, B computes SK* = h(2, U, U, R, R, K*) and C computes the session key SK* = h(2, U, U, R, R, K*).

As the result, C can successfully impersonate as the user A.

Failure of user anonymity

An insider adversary C can obtain all of legal users’ authentication verifier through verifier disclosure attack as shown above. That is, C knows the authentication identifier V of any user U. When a legal user A exchanges a session key with a legal user B, an insider adversary C can intercept M2 = {μ, R, R} that S sends to B and then computes as follows: For each authentication verifier V of user U, C repeat the following calculation until U* and U are equal.

If U* and U are equal, C can know that current user’s identifier is U.

As the result, C can know user A’s identifier U.

Weaknesses of password change phase

In the Li et al. ‘s scheme, the information related to the user’s password is registered with the remote server and users can change their password in the password change phase. In the registration phase, the information related to the user U’s password stored on the server is VP = h(U, k)+h(rm, PW) (where h(rm, PW) is user authentication verifier) and this information is replaced with VP* = h(U, k)+h(rm*, PW*) in the password change phase. However, an attacker can block the message C3(user’s request) and C4 or C5(server’s response) in Step 4 of the password change phase, then the user cannot know whether his password is successfully changed or not. In this case, if the scheme decides that does not change user’s password, the attacker blocks the message C4 or C5, if the scheme decides that changes user’s password, the attacker blocks the message C3. As the result, the user’s authentication verifier is different with the server’s one, the user cannot login to the server no more.

4. Proposed scheme

This section describes an enhanced 3PAKE protocol using smart card that overcomes the limitations of the Li et al.’s scheme. The proposed scheme has five phases: system initialization phase, registration phase, authentication and session key exchange phase, password change phase, and renew registration phase. Table 2 shows some notations used to describe the proposed schemes.

Table 2

Notations in the proposed scheme.

Notation	Description
S and A, B	Trusted remote server and two users
SC i	Smart card of user i
U i	Identifier of user i
pw i	Password of user i
bm i	Biometrics of user i
ks, Ps	Private and public key of S (Ps = Tks(α))
Na, Nb, Ns	Random numbers chosen by A, B and S
p	A large prime number chosen by S
Tn(α)	Chebyshev polynomials of degree n
H(∙)	One-way hash function (0,1)* → (0, 1)n
h(∙)	Bio-hashing function
EK(∙), DK(∙)	Symmetric encrypt and decrypt algorithm with secret key K
||	String concatenation operator
⊕	XOR operator

S selects his secret key k ∈ [1, p+1] and computes public key P = T(α).

S selects a large prime number p, α∈Z, H(∙) and E(∙)/D(∙).

4.1 System initialization phase

S publishes {p, α, P, T(∙), H(∙), E(∙), D(∙)} as system’s parameters.

4.2 User registration phase

Fig 1 shows user registration process.

Fig 1

User registration phase.

User A sends his identifier U to S via secure channel. S retrieves U in the user registration table to check whether user A has already been registered. If U does not exist in the user registration table, S chooses a random number N, computes X = H(U||N||k) and stores {p, α, P, X, T(∙), H(∙), E(∙), D(∙)} in SC and delivers it to user A via secure channel. S stores a tuple {U, N} into his user-register table.

User A, which receives SC from S, inputs password pw and biometric bm. The SC that receives the user input and computes G = H(U||pw||h(bm)) ⊕ X, F = H(U||pw|| h(bm)||X) and stores {p, α, P, G, F, T(∙), H(∙), E(∙), D(∙)} in his memory.

4.3 Authentication and session key exchange phase

Fig 2 shows the authentication and session key exchange steps of the proposed scheme.

Fig 2

Authentication and session key exchange phase of the proposed scheme.

Step 1. User A connects his smart card SC to the user end-device and inputs his identifier U, password pw and biometrics bm. SC computes

If F ≠ F*, SC aborts the process. Otherwise SC selects any a∈ [1, p+1] and computes

A sends M1 = {M, T} to S.

Step 2. After receiving M1 = {M, T} from A, S computes

S checks whether V and V* are same. If V ≠ V*, S aborts the process. S chooses a random number Ns ∈ [1, p+1] and computes V = H(N||U||U|| T||X).

S sends M2 = {V, N} to A.

Step 3. After receiving M2 = {V*, N*} from S, A computes V = H(N*||U||U|| T||X).

A checks whether V and V* are same. If V ≠ V*, A aborts the process. A computes V = H(U||U||T||N||X) and sends M3 = {V, N} to B.

Step 4. After receiving M3 = {V*, N*} from A, B connects his smart card SC to the user end-device and inputs his identifier U, password pw and biometrics bm. SC computes

If F ≠ F*, SC aborts the process. Otherwise SC computes

B sends M4 = {M, T, V} to S.

Step 5. After receiving M4 = {M, T*, V*} from B, S computes

If V ≠ V* or V ≠ V *, S aborts the process. Otherwise S authenticates A and B, and chooses a random number R, then computes

S sends M5 = {M, M} to B.

Step 6. After receiving M5 = {M, M} from S, B computes

If V ≠ V*, B aborts the process. Otherwise B authenticates S and A, and then computes

B sends M6 = {V, M} to A.

Step 7. After receiving M6 = {V*, M} from B, A computes

If V ≠ V* or V ≠ V*, A aborts the process. Otherwise A authenticates B and S. A sets K as a session key. Then A computes V = H(U*|| U|| T*|| T||R*||K)

A sends M7 = {V} to B.

Step 8. After receiving M7 = {V*} from A, B computes

If V≠ V*, B aborts the process. Otherwise B authenticates A and sets K as a session key.

4.4 Password change phase

User A connects his smart card SC to the user end-device and inputs his identifier U, password and biometrics bm. SC computes X* = G ⊕ H(U||pw||h(bm)) and F* = H(U||pw||h(bm)||X*), and checks whether F and F* are same. If F ≠ F*, SC aborts the process. Otherwise SC requests the user to input a new password npw. SC computes G = H(U||npw||h(bm)) ⊕ X, F = H(U||npw|| h(bm)||X) and replaces of his memory with .

4.5 Re-registration phase

When a user registered with the server has lost or stolen his smart card, he needs to re-register with the server. But, some schemes [19, 22, 23] have not the re-registration phase or cannot re-register without changing his identifier, because the user’s secret consists of user’s identifier and server’s secret.

In the proposed scheme, as the user’s secret X consists of user’s identifier, random number and server’s secret, users can re-register with the remote server without changing his identifier. If a user wants to re-register with the server, he should only send his identifier to the server and register with the server following the proposed registration phase scheme.

User A sends his identifier U to S via secure channel. S retrieves U in the user registration table to check whether user A has already been registered. If U exists in the user registration table, S chooses a random number N, computes X = H(U||N||k) and stores {p, α, P, X, T(∙), H(∙), E(∙), D(∙)} in SC and delivers it to user A via secure channel. S stores a tuple {U, N} into his user-register table.

User A, which receives SC from S, inputs password pw and biometric bm. The SC that receives the user input and computes G = H(U||pw||h(bm)) ⊕ X, F = H(U||pw|| h(bm)||X) and stores {p, α, P, GX, GK, F, T(∙), H(∙), E(∙), D(∙)} in his memory.

5. Security analysis of the proposed scheme

In this section, we present an informal analysis and formal verification of the proposed scheme.

For formal analysis, we first use the BAN logic [49] to verify the mutual authentication property and the validation of the established session key of the proposed scheme, and we next use AVISPA (Automated validation of internet security protocol and application) toolkit [50] to verify the resistance of the proposed scheme against the passive and active attacks including man-in-the-middle and replay attacks.

Last, we demonstrate the proposed scheme can resist various kinds of attacks and provides various security properties through informal security analysis.

5.1 Authentication proof based on BAN logic

Notations and rules

Table 3 shows some notations and rules defined in BAN logic [49].

Table 3

Shows some notations and rules of BAN logic.

Notation	Description
P |≡ X	P believes X
P ⊲ X	P sees X
P |∼ X	P once said X
P |⇒ X	P has jurisdiction over X
#(X)	X is fresh
P↔KQ	K is a shared secret key between P and Q
{X}K	Formula X are encrypted under the key K
<X>Y	X combined with the formula Y
R_1:P|≡Q⇔KP,P⊲<X>_KP|≡Q|~X,P|≡Q↔KP,P⊲{X}_KP|≡Q|~X	Message-meaning rule
R_2:P|≡#(X),P|≡Q|~XP|≡Q|≡X	Nonce-verification rule
R_3:P|≡Q|⇒X,P|≡Q|≡XP|≡X	Jurisdiction rule
R_4:P|≡#(X)P|≡#(X,Y)	Freshness rule
R_5:P|≡Q|≡(X,Y)P|≡Q|≡X,P|≡X,P|≡YP|≡(X,Y)	Belief rule
R_7:P|≡Q↔KP,P⊲{X}_KP⊲X	See rule
R_8:P|≡Q|~H(X),P⊲XP|≡Q|~X	Hash function rule

Goals

We establish the following goals to prove that our scheme provides strong mutual authentication and the established session key is secure.

Goal1:S|≡A|≡U

Goal2:S|≡B|≡U

Goal3:A|≡S|≡R

Goal4:B|≡S|≡R

Goal5:A|≡B|≡U

Goal6:B|≡U

Idealize

We idealize the messages of the proposed scheme as follows:

M6:B → A:V = H(U‖U‖T‖T‖R‖K)

M7:A → B:V = H(U‖U‖T‖T‖R‖K)

Assumptions

The initial assumptions of the proposed scheme are as follows:

A: A|≡a

A: A|≡#(a)

AA3: A|≡K

A: A|≡U

A: A|≡U

A: A|≡S|⇒T

A: A|≡S|⇒R

A: B|≡b

A: B|≡#(b)

AB3: B|≡K

A: B|≡U

A: B|≡S|⇒T

A: B|≡S|⇒R

A: S|≡N

A: S|≡#(N)

Analysis

According to M and A, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M2 and A, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M2, Freshness rule(R4) and A, we can obtain:

According to S2 and S3, we apply the Nonce-verification rule (R2) and Belief rule(R5), we can obtain:

According to M3, A and S1, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M3, Freshness rule(R4) and A, we can obtain:

According to S5 and S6, we apply the Nonce-verification rule (R2) and Belief rule(R5), we can obtain:

According to M and A, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M, Freshness rule(R4) and A, we can obtain:

According to S8 and S9, we apply the Nonce-verification rule (R2) and Belief rule(R5), we can obtain:

According to M and A, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M, Freshness rule(R4) and A, we can obtain:

According to S11 and S12, we apply the Nonce-verification rule (R2) and Belief rule(R5), we can obtain:

According to S13 and A, we apply the Jurisdiction rule (R3), we can obtain:

According to S13, A and A, we apply the Jurisdiction rule (R3), we can obtain:

According to S15, A and K = H(T || R), we apply the Belief rule(R5), we can obtain:

According to M and A, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M, Freshness rule(R4) and A, we can obtain:

According to S17 and S18, we apply the Nonce-verification rule (R2) and Belief rule(R5), we can obtain:

According to S19, A and A, we apply the Jurisdiction rule (R3), we can obtain:

According to S20, A and K = H(T || R), we apply the Belief rule(R5), we can obtain:

According to M6 and S21, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M6, Freshness rule(R4) and A, we can obtain:

According to S22 and S23, we apply the Nonce-verification rule (R2), we can obtain:

According to M7 and S16, we apply the Message-meaning rule (R1) and Hash function rule(R8), we can obtain:

According to M7, Freshness rule(R4) and A, we can obtain:

According to S25 and S26, we apply the Nonce-verification rule (R2), we can obtain:

5.2 Validation test based on AVISPA

In this section, we simulate the proposed scheme for the formal security analysis using AVISPA. The AVISPA tool provides the role based HLPSL (High-Level Protocol Specification Language) for specification of protocols and security properties and four back-ends: OFMC(On-the-fly Model-Checker), CL-AtSe(Constraint-Logic-based Attack Searcher), SATMC(SAT-based ModelChecker) and TA4SP(Tree Automata-based Protocol Analyzer), which are used to identify active and inactive attacks on the protocol such as Man-In-The-Middle attack and replay attack, and to analyse various security properties of the protocol, such as key security and authentication [25, 50].

In order to verify the security properties of the protocol using AVISPA, it needs to be specified in HLPSL (High Level Protocol Specification Language).

Specifying the proposed protocol

There are three participants in the proposed protocol: server S and two users A, B. Figs 3–5 shows the specifications in HLPSL for the role of users A, B, and server S.

Fig 3

Role specification in HLPSL for the user A.

Fig 5

Role specification in HLPSL for the server S.

In Fig 6, we show the HLPSL implementation for the role of the session, environment and goal.

Fig 6

Role specification in HLPSL for the session, environment and goal.

In our implementation, we verified the six secrecy goals containing the user anonymity and the user’s secret preserving and seven authentication properties for the mutual authentication.

Analysis of the results

We have simulated the proposed scheme using FMC and CL-AtSe back-ends of AVISPA. The simulation results of the security verification are shown in Figs 7 and 8.

Fig 7

The result of the analysis using OFMC back-end.

Fig 8

The result of the analysis using CL-AtSe back-end.

The results ensure that the proposed scheme is secure under the test of AVISPA using OFMC and CL-AtSe back-ends, and guarantees user anonymity and provides with mutual authentication, and it is also secure against the passive attacks and the active attacks, such as the replay attack and man-in-the-middle attack.

5.3 Informal security analysis

In this section, we demonstrate that the proposed scheme can resist various kinds of attacks and provides various security properties such as mutual authentication, user anonymity, untraceability and so on.

Mutual authentication

Mutual authentication is a key feature of the authenticated key agreement protocol. The proposed scheme achieves strong mutual authentication. In the proposed scheme, X is a shared secret between the server S and the user U in the registration phase. Also, N is a nonce of the server S, and a, b are secrets generated by user A and user B for generating a session key and these are also used as the nonce.

In the Step5 of the authentication and key exchange phase, the server S receives the message M4 from user B, which includes V* = H(U||T||N||X) generated by user B and the V* = H(U||U||T||N||X) generated by user A. S also computes V = H(U*||T*||N*||X), V = H(U||U||T||N*||X) and authenticates the user A and B through verifying whether V = V* and V = V*. Since X and X are the secrets shared between S and the user A, B and N is a nonce of S, V* can be generated only by user B, and V* can be generated only by user A. Thus, S can authenticate the user A and B through checking these values. In the Step6, the user B receives the message M5 from S, which includes V* = H(U||U||T||T||R||X) generated by the server S. Since T (= T(α) mod p) includes B’s nonce b and X is a secret shared with S, V* can be generated only by S. Therefore, B can authenticate S through checking V*. In the Step7, the user A also can authenticate S through verifying V* = H(U||U*||T (= T(α) mod p)||T*||R*|X). Likewise, User A authenticates User B through checking V = H(U||U*||T||T*||R*||K) at Stage7, and User B authenticates User A through checking V = H(U|| U|| T|| T||R||K) at Stage8.

User anonymity

The proposed scheme guarantees user anonymity. The messages (M, M, M and M) associated with the user’s identifier are encrypted with the secret key, which is only known for each participant. For example, M is encrypted with the secret key K, which is calculated as follows: K = T(T(x)) = T(T(x)), where the random number a is only known for the user A and the secret key s is only known for the server S.

Even if T(x) and T(x) is exposed, according to CDLP and CDHP assumptions, it is impossible for a third party to calculate K or a, s. Therefore, a third party except user and server cannot know the user’s identifier.

Untraceability

The proposed protocol provides untraceability.

As in the user anonymity proof, all messages (M, M, M and M) containing the user’s identity are encrypted as follows.

M = E(U, U, V), M = E(U, T, R, V), K = T(T) = T(α) mod p

M = E(U, N, V), M = E(U, T, R, V), K = T(T) = T(α) mod p

Then, the encryption keys K and K are all computed from the random numbers a and b generated by user A and B, so that different messages are exchanged in different sessions. Other messages also contain a random number in different sessions, so that they are presented random bit arrays in each sessions.

Therefore, the proposed protocol provides untraceability.

Off-line password guessing attack

The proposed scheme is secure against the password guessing attack.

In the proposed scheme, user’s password is used for accessing the smart card and the information related to it does not disclose in public channel.

The information stored in the user A’s smart card is {p, α, P, G, F, T(∙), H(∙), E(∙), D(∙)}, and the information related to the user’s password is G = H(U||pw||h(bm))⊕X and F = H(U||pw||h(bm) ||X). Suppose that an attacker steals user A’s smart card SC and knows his identifier U. In order to guess the user A’s password, the attacker must compute PR* = H(U||pw*||h(bm)), X* = G ⊕ PR* and F* = H(U||pw*||h(bm)||X*) with any password pw* to compare F* and F stored in SC. However, as the attacker cannot know h(bm), he cannot compute PR*. Therefore, the attacker cannot guess the user’s password.

Privileged insider attack

The proposed scheme is secure against the privileged-insider attack. In the proposed scheme, user’s password is not transmitted to the server S and the privilege insider of the server cannot know the user’s password. Therefore, the proposed scheme is secure against this attack.

Stolen verifier attack

The proposed scheme is secure against stolen verifier attack. In the registration phase of the proposed scheme, the server stores a tuple {U, N} into his user register-table, where U is user A’s identifier and N is a random number selected by the server. These are not sensitive to authenticate the user. Therefore, the proposed scheme is secure against stolen verifier attack.

User impersonate attack

The proposed scheme is secure against the user impersonate attack.

The user impersonate attack is only possible in the scheme which can’t provide a certain authentication. For example, if a participant X can’t authenticate a participant Y, an attacker can impersonate as Y. As shows the above, the proposed scheme achieves certain mutual authentication. In the Step5, the server S certainly authenticates A and B with his nonce N and the user’s secret X and X. If an attacker wants to impersonate as the user A, he must compute V = H(U||U||T||X) or V = H(U||U||T||N||X), but he doesn’t know the user A’s secret X = H(U||N||k) and could not compute it (Because k is the server’s secret key), so he cannot compute V or V and cannot impersonate as the user A. As the same, an attacker cannot impersonate as the user B.

Man-in-the-middle attack

As shows the above, the proposed scheme achieves certain mutual authentication, so an attacker cannot impersonate as the initiator A and the responder B, and cannot achieve the man-in-the-middle attack.

If an attacker wants to achieve a man-in-the-middle attack, he must exchange a session key K* = H(T ||R*) with users A and B.

Suppose that an attacker generates a random number b* and R* to exchange the session key with user A, computes T* = T(T) = T(α) mod p, and then computes K* = H(T ||R*). However, the attacker cannot generate V = H(U||U*||T||T*||R*||X) because he does not know the user A’s secret X. Therefore, in Step 7, user A can detect the attack via checking for V.

To exchange the session key with user B, an attacker has to compute K* by generating random numbers a* and R* and calculate V = H(U*||U||T*||T||R*||X). However, since the attacker does not know the user B’s secret X, it is impossible to compute the V, so in Step 6, user B can detect the attack via checking for the V.

That is, the proposed scheme is resistant to man-in-the-middle attack.

Replay attack

In the Step5 of the proposed scheme, the server S certainly authenticates A and B.

If an attacker C intercepts the previous message M1 = {M*, T*} of the user A and retransmits it to the server, the server responses M2 = {V, N}, where N is generated by the server. However, in the Step3, the attacker must compute M3 = {V, N}, but he does not know the user A’s secret X and he cannot compute V = H(U||U||T||N||X). Therefore, in the Step5, the server S can successfully detect the replay attack through checking for V. Likewise, if an attacker retransmits the user B’s message M4 to server S, in the Step5, the server can detect the replay attack through checking for V = H(U*||T*||N*||X) containing the user B’s secret X.

Known key security

In the proposed scheme, the session key K is calculated as K = H(T(α) mod p || R). It contains the random numbers a, b and R that are generated by each participant for each session. Even if an attacker knows the previous session key, he cannot calculate a new session key.

6. Performance comparisons

This section, we evaluate the computational cost, communication overhead and security performance of our proposed scheme and other recent 3PAKE schemes [19, 22, 23, 61]. For comparison of computational cost, we define some notations as follows.

tc: time needed for Chebyshev polynomial operation

th: time needed for one-way hash function operation

tm: time needed for a modular exponential operation

tr: time needed for a modular squaring operation

tq: time needed for a square root modulo N operation

ts: time needed for symmetric encryption/decryption operation

Table 4 shows the comparison of the computational cost of our proposed scheme and other 3PAKE schemes. As shown Table 4, the computational cost of our proposed scheme is lower than Jabbari et al.’s scheme, Li et al.’s scheme and Lu et al.’s scheme.

Table 4

Comparison of the computational cost between the proposed scheme and other 3PAKE schemes.

	Irshad et al. [61]	Jabbari et al. [19]	Li et al. [22]	Lu et al. [23]	proposed
A	3tc + 10th	4tc + 2ts + 4th	4tc + 1tr + 5th	3tc + 4ts + 4th	3tc + 2ts + 9th
B	3tc + 1ts + 10th	3tc + 2ts + 4th	4tc + 1tr + 5th	2tc + 3ts + 5th	3tc + 2ts + 7th
S	2tc + 1ts + 10th	4tc +4ts + 4th	4tc + 2tq + 5th	5tc + 5ts+ 7th	2tc + 4ts + 8th
Total	8tc + 2ts + 30th	11tc + 8ts + 12th	12tc+2tm+2tq+15th	10tc + 12ts+ 16th	8tc + 8ts + 24th
Round	5	5	6	6	7

In order to presume the communication overhead of our proposed scheme, we consider the bit size of identity, random number |N|, timestamp, hash(SHA-1) output and Chebyshev chaotic maps as |ID| = 160, |N| = 160, |Ts| = 32, |H| = 160, |CM| = 160 bits, respectively. Furthermore, the bit sizes used for modular exponentiation and modular square operations are considered as |ME| = 1024 bits [25]. Table 5 shows the communication overhead of our proposed scheme according to above assumption.

Table 5

Communication overhead of our proposed scheme.

	Expression	Length of message
M1	2|ID| + |H| + |T|	640
M2	|H| +|N|	320
M3	|H| +|N|	320
M4	|ID| + |N| + 2|H| + |T|	800
M5	2|ID| + 2|N| + 2|H| + 2|T|	1280
M6	|ID| + |N| + 2|H| + |T|	800
M7	|H|	160
Total	6|ID| + 6|N| + 10|H| + 5|T|	4320

Table 6 shows the comparison of the communication overhead of our proposed scheme and other 3PAKE schemes. As shown Table 6, our proposed scheme has many message rounds and its communication overhead is higher than other schemes.

Table 6

Comparison of the computational cost between the proposed scheme and other 3PAKE schemes.

	Irshad et al. [61]	Jabbari et al. [19]	Li et al. [22]	Lu et al. [23]	proposed
Expression	|Ts|+14|H| +6|T|	11|ID|+8|H| +9|T|	2|ME|+6|H|+5|T|	6|ID|+7|H|+7|T|	6|ID|+6|N|+ 10|H| + 5|T|
Bits	3232	4480	3808	3200	4320

Table 7 shows the comparative evaluation of the security function between the proposed scheme and other 3PAKE schemes.

Table 7

Comparative evaluation of the security function between the proposed scheme and other 3PAKE schemes.

	Irshad et al. [61]	Jabbari et al. [19]	Li et al. [22]	Lu et al. [23]	proposed
Mutual authentication	Yes	Yes	Yes	Yes	Yes
Provision of User anonymity	Yes	Yes	No	No	Yes
Provision of untraceability	No	Yes	No	No	Yes
Protection of Privileged insider attack	Yes	Yes	Yes	Yes	Yes
Protection of stolen verifier attack	Yes	Yes	No	Yes	Yes
Protection of User impersonate attack	Yes	Yes	No	Yes	Yes
Protection of verifier disclose attack	Yes	Yes	No	Yes	Yes
Provision of Password change phase	Yes	Yes	Yes	Yes	Yes
Provision of re-registration phase	No	No	No	No	Yes
Without timestamp	Yes	Yes	Yes	Yes	Yes
Using smart card	Yes	No	No	No	Yes

As shown in Table 7, the proposed scheme outperforms the other schemes in terms of the security functions presented.

Irshad’s scheme has lower communication overhead and computational cost than the proposed scheme, but it does not provide untraceability and re-registration phase.

Jabbari’s scheme has higher communication overhead and more expensive computational costs than ours and it does not provide re-registration phase.

Li’s scheme has lower communication overhead than ours, but it has more expensive computational costs and his scheme attempted to provide user anonymity, but did not achieve it. His scheme is also vulnerable to the verifier disclose attack, user impersonate attack and stolen verifier attack and it has faults in password change phase.

Lu’s scheme has lower communication overhead than ours, but it has more expensive computational costs and his scheme does not provide user anonymity, untraceability and re-registration phase.

7. Conclusion and future work

In this paper, we have analysed the Li et al.’s scheme and proved that his scheme has some faults, and proposed an enhanced three-party mutual authentication key exchange(3PMAKE) protocol based on chaotic maps using smart card to provide with user anonymity and untraceability in the environment for user-to-user communication. The proposed scheme provides strong mutual authentication between servers and users without using timestamp, can be re-registered to the system without changing the user’s identifier. The proposed scheme also provides anonymity and untraceability and is secure against several attacks such as user impersonate attacks, privileged insider attacks, stolen verifier attacks. In addition, we have formally analysed the security properties of proposed scheme and verified their validity based on BAN logic and AVISPA tool, and proved that the proposed scheme is secure against various attacks through informal security analysis.

The proposed scheme is designed to provide strong mutual authentication between communication participants without a timestamp, so the number of message exchanges and communication overhead are relatively high. In addition, since key exchange is performed based on chaotic-maps, the security performance of the proposed scheme is enhanced, but has the limitation of increasing computational cost compared to lightweight schemes that do not use public key encryption. The proposed method is suitable for systems that have to provide stronger security properties in environments where timestamp is not available and there is no restriction on communication overhead.

In the future, we will investigate more improved authentication key exchanges in IoT or WSN environments that requires lightweight scheme in terms of communication overhead or computational cost. That is, instead of public key encryption, we only use hash functions to reduce the computational cost of key exchange and reduce the communication overhead.

(DOCX)

Click here for additional data file.