Abstract

A chaotic map-based mutual authentication scheme with strong anonymity is proposed in this paper, in which the real identity of the user is encrypted under a key shared between the user and the trusted server. Only the trusted server can determine the real identity of a user during authentication; any other entity, including other users of the system, learns nothing about it. In addition, the shared encryption key can be computed by the user and the trusted server directly from the Chebyshev map, without additional burdensome key management. Once the two partnered users have been authenticated by the trusted server, they can proceed to agree on a session key. Formal security analysis demonstrates that the proposed scheme is secure in the random oracle model.

1. Introduction

Owing to its sensitivity to initial conditions and to the control parameter, a chaotic system exhibits aperiodicity and pseudorandomness, and it has been widely used in cryptographic constructions such as chaos-based hash functions [1–3], chaos-based encryption [4–8], and chaos-based block ciphers [9].

Authentication and key agreement are the fundamental building blocks for achieving authenticity and confidentiality in a cryptographic system, and much effort has been devoted to chaotic map-based authentication and key establishment in recent years. In 2009, Han and Chang [10] proposed a chaotic map-based key agreement protocol that removes the constraint of synchronization; however, Yoon and Yoo [11] pointed out that it cannot resist replay attacks. Later, Tseng et al. [12] presented a chaotic map-based key agreement protocol for smart card-oriented applications, which, as Niu and Wang [13] pointed out, is vulnerable to internal attack and lacks perfect forward secrecy. Although Niu and Wang [13] improved Tseng et al.'s scheme [12], their own scheme is expensive and cannot resist denial-of-service (DoS) attacks. Other researchers have also investigated improvements to key agreement with smart cards [14, 15]. Wang and Zhao [16] first proposed a trusted third party (TTP) based key agreement scheme using Chebyshev chaotic maps; Yoon and Jeon [17] improved it after finding it vulnerable to a tampering attack. In 2012, Lai et al. [18] developed a TTP-based key agreement protocol using the extended Chebyshev map, but their scheme cannot resist internal attack or off-line key guessing attack [19]. Later, Lee et al. [20] presented a mutual anonymous authentication scheme with the extended Chebyshev map, but it is open to a man-in-the-middle attack. Tan [21] proposed an authentication and key agreement protocol with smart card that achieves user anonymity, but at a high cost. To cut the heavy computation cost due to the smart card, Gong et al. [22] proposed an improved chaotic map-based key management scheme without a smart card; however, Wang and Luan [23] pointed out that Gong et al.'s scheme has key management issues and potential security problems, and proposed a new secure key agreement protocol.
In addition, other chaotic map-based schemes [24–28] have been investigated for solving various security problems.

Although many chaotic map-based authentication schemes have been proposed, most of them do not provide mutual authentication and are vulnerable to external attack. Only a few schemes address this issue using encryption, and even then confidentiality is incomplete, since internal users of the system can learn the real identities of others during the execution of the authentication process. With the spread of wireless-enabled devices, private information such as a user's identity and location can easily be intercepted and then exploited to trace individuals [29]. User privacy has therefore attracted increasing attention from both industry and academia. To the best of our knowledge, no existing scheme addresses this privacy requirement. Motivated by this, a chaotic map-based mutual authentication scheme with mutual anonymity is proposed in this paper, with the following properties.

(1) Mutual Strong Anonymity. When a user, Alice, interacts with another user, Bob, to carry out the authentication process, no entity except the trusted server learns any information about the real identities of Alice and Bob. Furthermore, Alice and Bob cannot identify each other either; that is, Alice does not learn Bob's real identity and vice versa.

(2) Untraceability. No internal user can link two authentication sessions; that is, even if a system user Alice establishes a new session with the same user Bob with whom she was once authenticated, Alice still cannot determine from the historic session that her peer is Bob. In addition, no external entity can determine from intercepted messages whether the users in one session are the same as the users in another.

The rest of the paper is organized as follows. Related basics and definitions are introduced in Section 2. The concrete construction of the proposed scheme is presented in Section 3. Analysis and comparison are presented in Section 4. Finally, Section 5 concludes the paper.

2. Preliminaries

This section introduces the common user requirements, the security requirements for mutual authentication, some basics about the Chebyshev chaotic map and its advantage, and the security definitions.

2.1. Requirements
2.1.1. User Requirements

Given that the authentication scheme to be constructed should be easy to use, the following user requirements need to be satisfied.

(1) Independence. The system should enable users to choose the seeds that produce the shared encryption/decryption keys independently, so that a user can encrypt the transferred messages with a distinct key in every new authentication session without a prior agreement with the trusted server.

(2) Round Optimization. When a user wants to authenticate another entity, the number of interactive rounds should be minimized, which saves computation and communication cost and improves the user's experience.

(3) Anonymity. From the user's perspective, the real identity needs protection and should not be exposed to any entity other than the trusted server.

2.1.2. Security Requirements

Since the objective of our proposed protocol is to provide a reliable and robust authentication mechanism against outside and inside attacks, based on previous studies [21–25, 32, 33] we give the following critical requirements for secure authentication.

(1) Mutual Authentication. After the two partnered users finish the authentication process, each should be convinced that the other is authentic and not forged.

(2) Efficiency. Since mutual authentication is performed on-line and the trusted server must support every authentication, communication and computation costs should be as low as possible.

(3) Integrity. The involved entities can verify the integrity of received messages, so that any tampering with those messages is detected.

(4) Confidentiality. After the authentication process, a session key should be produced for both partnered users to secure their communication, and it should also ensure forward secrecy.

Next, a brief introduction of the Chebyshev map and some related preliminaries [25, 31, 33] are given.

2.2. The Chebyshev Chaotic Maps
2.2.1. Definitions of Chebyshev Chaotic Maps

Definition 1. Let be an integer, , and an -order Chebyshev polynomial map is defined as follows:

According to the definition, the Chebyshev polynomial map can also be defined recursively as follows:where and , .

The Chebyshev polynomial map has the following two properties.

(1) Semigroup property is as follows:where , are two integers, .

(2) Chaos property is as follows. When is bigger than 1, an -degree Chebyshev polynomial map has the constant measure and positive Lyapunov exponent .

Owing to the periodicity of , several values of correspond to the same and satisfy the equation . To improve the security of the classic Chebyshev polynomial map, Zhang [33] proved that the Chebyshev polynomial map keeps the semigroup property over the interval , which gives the extended Chebyshev chaotic map with the following definition: where , , and is a big prime number. It is easy to see that the following equation also holds:

Definition 2 (discrete logarithm problem (DLP)). Given any two big integers , , find an integer to make the equation hold.

Definition 3 (decisional Diffie-Hellman problem (DDH)). Given , , and , where , , and are unknown, determine whether equation holds or not.

2.2.2. The Advantages of Using Chebyshev Chaotic Maps

Because a chaotic system exhibits excellent diffusion and confusion properties, it is widely used in the design of cryptographic schemes. Our design aims to provide secure and efficient mutual authentication with strong anonymity, which means that encryption must be integrated to keep the identities confidential. Traditional public key cryptography is not desirable here, since the management of encryption keys in those schemes produces a heavy computational burden. Inspired by the semigroup property, the extended Chebyshev chaotic map over the finite field is used to develop our protocol, since its discrete logarithm problem and Diffie-Hellman problem are assumed to be intractable in polynomial time [21]. In contrast, there are no hardness assumptions for the discrete logarithm or Diffie-Hellman problems of the Chebyshev chaotic map over the interval [34], so designing a secure chaotic map-based key agreement protocol over that interval remains challenging. With the Chebyshev chaotic map, our scheme enables the users and the trusted server to generate the shared encryption key and agree on a session key efficiently without additional key management. Although other types of chaotic systems exist, only the extended Chebyshev chaotic map has the semigroup property and satisfies the requirements stated above. In addition, the Chebyshev map has good chaotic properties, namely mixing and ergodicity, and the sequences it generates have good statistical characteristics, with mean 0 [35]. Wang et al. [7, 8] pointed out that low-dimensional chaotic maps suffer dynamical degradation under finite-precision computation; however, this can be addressed by an appropriate implementation, for example the analogue-digital mixed method of Liu et al. [36] for the dynamical degradation of digital chaotic systems.
Given the previous advantages, the extended Chebyshev chaotic map is used to construct mutual authentication with strong anonymity in this paper.

2.3. Security Definitions

Based on the attack models in the literature [37, 38], this section defines the security model of the proposed chaotic map-based mutual authentication and key agreement scheme with strong anonymity. In the model, the capability of the adversary is defined by the following interactive game, which consists of oracle queries and security assumptions.

can join the game by issuing a series of oracle queries to any participant in the entity set including the trusted server. During these interactions, is granted certain attacking capabilities against the authentication protocol. The communication channel is under the full control of , which means that can intercept, block, inject, delete, and modify any message transferred over it. The queries that can issue are as follows.

. This query gives passive attacking capability. After the execution of this query, all the transferred messages produced by the honest parties are output according to the definition of .

. This query simulates the situation in which controls the whole communication process. can issue a query on to , and the corresponding entity in computes the result according to and responds to .

. This query simulates a known-key attack. If the session is valid, all the shared session keys computed by are returned to ; otherwise null is returned.

. This query simulates the corruption of entities in by . With it, obtains the permanent password and real identification of .

. This query gives access to the encryption oracle. To answer it correctly, a list must be set up and maintained. Upon receiving the query , first check whether a matching entry exists in . If so, return the of that entry; otherwise, return a random value and add the new tuple to . Similarly, for the decryption query , first check whether a matching entry exists in ; if so, return the of that entry, otherwise return a random value and add the new tuple to .

. This query simulates the hash function . To answer it, a list is set up. Upon receiving the query on from , first check whether a matching entry exists in . If so, return the value of that entry to . Otherwise, generate a random value as the response and add to .

. This query measures the semantic security of the session key . If the entity has already computed this session key with its partnered peer, it is returned to ; otherwise null is returned. can also issue a single query to , and makes an unbiased coin toss to determine the response: if , the real is returned to ; otherwise a random value is returned.

Definition 4 (security of the session key (ASK-Secure)). In the interactive game, the adversary may issue the Test query, whose response is either the real session key or a random value. If issues a Test query to an unauthorized entity, it is answered with . If issues a Test query to a dishonest entity or to an entity whose peer is dishonest, the corresponding real session key is returned. Otherwise, an unbiased coin toss determines whether the response is the real session key or a random value. then guesses the hidden by analyzing the response. Let be the event , and let be the advantage of in distinguishing . If is negligible, then is called ASK-Secure [37].

Definition 5 (security of symmetric encryption (OT-Secure)). One-time security of symmetric encryption (OT-Secure) [39] means indistinguishability of the symmetric encryption under a passive attack; it is also called find-guess security. Let be a symmetric encryption scheme and let be an adversary against ; consider the following interactive game between and .

(1) Choose .

(2) Input to run ; outputs two distinct messages and the state .

(3) Choose at random and compute .

(4) Input and run ; then outputs .

The advantage of measures how much better than it guesses the right ; that is, . Throughout the game, is passive; in other words, it cannot access any encryption or decryption oracle.

3. Concrete Construction

The detailed construction of the proposed scheme is presented in this section. For convenience, the descriptions of all symbols to be used are listed in Description of Symbols.

Suppose there are three entities in our scheme: two system users , , who need to authenticate each other, and a trusted third party Tread. During authentication, Tread authenticates and using their submitted messages. If Tread finds that or has been revoked, the authentication process is terminated. The whole process consists of two stages: registration, and authentication including key establishment.

At the beginning of registration, and generate their respective passwords. They hash the passwords with a hash function and submit the hashes to Tread together with their identifications and other related information. Upon receiving the registration queries from and , Tread checks the validity of the submitted information. If it is valid, registration succeeds and Tread stores the needed information securely. Authentication can then be initiated by or , and proceeds through the following interactive steps.

3.1. Registration

A user can register using the following steps.

(1) Tread chooses two random numbers and a big prime number , computes , and publishes .

(2) User chooses his and computes , and then sends to Tread.

(3) Tread checks the validity of and using . If valid, it stores ; otherwise, user fails to register in the system.

3.2. Mutual Authentication and Key Establishment

Users and complete authentication and key establishment by following the steps shown in Figure 1.

(1) . first chooses two random numbers , and computes , , and , where denotes the temporary identification of and the key shared between and Tread. Then encrypts , , and under ; that is, , where is the timestamp of . Finally, sends to .

(2) . Upon receiving from , first checks whether holds, where is the timestamp of . If so, it stores temporarily. Then it chooses two random numbers , and computes , , and , where denotes the temporary identification of and the key shared between and Tread. Then encrypts , , and under ; that is, , where is the timestamp of . Finally, sends to Tread.

(3) . Upon receiving , from , Tread checks whether , hold, where denotes the timestamp of Tread and the permissible time interval threshold. If so, Tread computes the shared keys , , , and , and decrypts and using and . Tread then checks whether , hold. If so, Tread validates and as follows.

Step 1. Search for and in the database.

Step 2. Compute and , and then check whether both and hold. If so, go to Step 3; otherwise terminate.

Step 3. Compute and , and then send to .

(4) . Upon receiving from , first computes and then checks whether . If so, checks the temporary identification of . Then computes , , where is the session key between and , and sends to .

(5) . Upon receiving from , first computes , , where is the session key between and , and then checks whether . If so, confirms the temporary identification of and accepts the session key . Then computes the hash value and sends it to .

Finally, checks the value received from : it computes and checks whether . If this holds, authentication is complete.
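The Chebyshev map of Section 2.2.1 and the exchange of Section 3 are combined in the following Python example. It is added here and is not the authors' code. Because the page omits its symbols, the concrete choices are assumptions of this example rather than details of the scheme: the prime p (a Mersenne prime), the timestamp threshold DELTA, an 8-byte identity, the layout of the encrypted registration data (identity, password hash, 8-byte random value), SHA-256 for the hash and key derivation, a toy encrypt-then-MAC construction standing in for the symmetric scheme, and the server verifiers v_a, v_b and key confirmations c_a, c_b that bind each user's temporary identification to the peer's T(x). What the example does show is the semigroup property doing the work: each user and Tread derive the same key from T_a(T_s(x)) = T_s(T_a(x)) with no prior key agreement, Bob sees only Alice's temporary identification, the two sides end with the same session key derived from T_a(T_b(x)) = T_b(T_a(x)), and a message pair presented again outside the timestamp window is rejected.

```python
"""Added example (not the paper's code): the extended Chebyshev map of Section 2.2.1
driving a simplified run of the Section 3 exchange A -> B -> Tread -> B -> A -> B."""
import hashlib
import hmac
import secrets
import time

P = (1 << 127) - 1  # a Mersenne prime; the paper only says "a big prime" (assumed)
DELTA = 5.0         # permissible timestamp skew in seconds (assumed value)

def chebyshev(n, x, p=P):
    """T_n(x) mod p, T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}; computed as
    [T_n, T_{n-1}] = M^(n-1) [x, 1], M = [[2x, -1], [1, 0]], in O(log n) steps."""
    if n == 0:
        return 1 % p
    def mul(a, b):  # row-major 2x2 matrices as 4-tuples
        return ((a[0]*b[0] + a[1]*b[2]) % p, (a[0]*b[1] + a[1]*b[3]) % p,
                (a[2]*b[0] + a[3]*b[2]) % p, (a[2]*b[1] + a[3]*b[3]) % p)
    m, r, e = (2 * x % p, p - 1, 1, 0), (1, 0, 0, 1), n - 1
    while e:
        if e & 1:
            r = mul(r, m)
        m, e = mul(m, m), e >> 1
    return (r[0] * x + r[1]) % p

def h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def kdf(shared, label):  # key from a shared map value; the paper leaves this implicit
    return h(label, shared.to_bytes(16, "big"))

def _xor_stream(key, nonce, data):
    ks = b"".join(h(key, nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(u ^ v for u, v in zip(data, ks))

def encrypt(key, msg):
    """Stand-in for E_k: hash-counter keystream + HMAC tag; a demo, not a vetted AEAD."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, msg)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: bad tag")
    return _xor_stream(key, nonce, ct)

def temp_id(uid, r):  # temporary identification: real ID xor a fresh random value
    return bytes(u ^ v for u, v in zip(uid, r))

class Tread:  # trusted server: secret s, public (x, T_s(x)), db of (ID, H(pw))
    def __init__(self):
        self.s, self.x = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
        self.pub, self.db = chebyshev(self.s, self.x), {}

    def authenticate(self, m_a, m_b, now):
        """Step (3): freshness, decrypt under T_s(T_u(x)), check H(pw) and TID, verifiers."""
        keys = []
        for t_u, tid, ct, ts in (m_a, m_b):
            if abs(now - ts) > DELTA:
                raise ValueError("stale timestamp: replay suspected")
            k = kdf(chebyshev(self.s, t_u), b"user-server")  # = T_u(T_s(x)) by semigroup
            pt = decrypt(k, ct)
            uid, pw_hash, r = pt[:8], pt[8:40], pt[40:48]
            if self.db.get(uid) != pw_hash or tid != temp_id(uid, r):
                raise ValueError("authentication failed")
            keys.append(k)
        (t_a, tid_a, _, _), (t_b, tid_b, _, _) = m_a, m_b
        v_a = h(keys[0], tid_a, tid_b, t_b.to_bytes(16, "big"))  # checkable by A only
        v_b = h(keys[1], tid_b, tid_a, t_a.to_bytes(16, "big"))  # checkable by B only
        return v_a, v_b

def user_start(uid, pw, srv, ts):
    """Steps (1)/(2) for one user: ephemeral a, TID = ID xor r, E_k(ID, H(pw), r)."""
    a, r = secrets.randbelow(P - 2) + 2, secrets.token_bytes(8)
    k = kdf(chebyshev(a, srv.pub), b"user-server")  # needs only the published T_s(x)
    return a, k, (chebyshev(a, srv.x), temp_id(uid, r), encrypt(k, uid + h(pw) + r), ts)

def run_protocol(now=None):
    now = time.time() if now is None else now
    srv = Tread()
    srv.db[b"alice001"], srv.db[b"bob00002"] = h(b"pw-alice"), h(b"pw-bob")  # constructed
    a, k_at, m_a = user_start(b"alice001", b"pw-alice", srv, now)     # (1) A -> B
    b, k_bt, m_b = user_start(b"bob00002", b"pw-bob", srv, now)       # (2) B checks t_A as
    v_a, v_b = srv.authenticate(m_a, m_b, now)                         #     Tread does; (3)
    t_a, tid_a, t_b, tid_b = m_a[0], m_a[1], m_b[0], m_b[1]
    if v_b != h(k_bt, tid_b, tid_a, t_a.to_bytes(16, "big")):         # (4) B verifies
        raise ValueError("B: server verifier mismatch")
    sk_b = kdf(chebyshev(b, t_a), b"session")                          #     K = T_b(T_a(x))
    c_b = h(sk_b, b"B", tid_b, tid_a)                                  #     B -> A: v_a, T_b(x), TID_B, c_b
    if v_a != h(k_at, tid_a, tid_b, t_b.to_bytes(16, "big")):         # (5) A verifies
        raise ValueError("A: server verifier mismatch")
    sk_a = kdf(chebyshev(a, t_b), b"session")                          #     K = T_a(T_b(x))
    if c_b != h(sk_a, b"B", tid_b, tid_a):
        raise ValueError("A: key confirmation failed")
    c_a = h(sk_a, b"A", tid_a, tid_b)                                  #     A -> B: c_a
    if c_a != h(sk_b, b"A", tid_a, tid_b):
        raise ValueError("B: key confirmation failed")
    return {"sk_a": sk_a, "sk_b": sk_b, "tid_a": tid_a, "srv": srv, "m_a": m_a, "m_b": m_b, "now": now}
```

run_protocol() walks the five steps in one process; user_start is handed the server object only for convenience and reads nothing but the published x and T_s(x). The verifier each user checks is keyed with that user's own user-server key, so a man-in-the-middle who substitutes T_b(x) on the wire cannot produce a matching v_a, and re-submitting a captured (m_a, m_b) pair to Tread after DELTA seconds fails the timestamp check before any decryption is attempted. Chebyshev degrees here are random 127-bit integers, which is why the O(log n) matrix form matters: the naive recurrence would never terminate at that size.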

4. Analysis

4.1. Security

The security proof consists of a sequence of interactive games and relies on the difference lemma [37], which is briefly reviewed below.

Lemma 6 (difference lemma). Let , and be the events following some distribution. If , then the following equation holds:

The proof of this lemma can be found in [37].

4.1.1. Security of Session Key

The security of session key for our proposed scheme is given by Theorem 7.

Theorem 7. Let be the advantage with which an adversary breaks the symmetric encryption within time , and let be the advantage with which breaks within time . Then the advantage with which breaks the -secure mutual authentication scheme is , where is the number of Send queries, and are the numbers of queries from A to T and from B to T, respectively, is the number of queries, is the size of the space, is the security parameter, and , , and are the running times of a single symmetric cryptographic operation, chaotic map operation, and hash operation, respectively.

Proof. To illustrate the proof, six interactive games () are introduced. In every game , can issue any of the oracle queries defined in Section 2.3, and at the end of each game the probability that wins is recorded.

Game . This game depicts a real attack by on . By definition, the advantage is as follows:

Game . This game simulates all oracle queries; the only difference is that a guessing attack on the real identification is simulated as well. Since , are encrypted by an OT-Secure symmetric encryption, every value of , is distinct. Therefore, has no auxiliary information with which to validate its guess of the real identification; that is, its success probability is . According to the difference lemma [37], we have

Game . This game is the same as the previous games except that breaking the symmetric encryption with is additionally simulated. According to the difference lemma, we have

Game . This game is the same as the previous games except that a collision attack on the hash function is additionally simulated. Game is indistinguishable from except for a possible collision in . According to the birthday paradox and the difference lemma, we have

Game . This game is the same as the previous games except for the modified responses of and to the query. Assume is a random extended chaotic CDH triple. The simulator serves all oracle queries from honest entities using . To do so, first sets passwords for and , and then responds as follows: it computes the chaotic maps , , and , where is random, and stores them in the list. For the Test query, it returns the stored as the response; by the definition, this response is valid. Meanwhile, the set of random variables in is replaced by an identically distributed set of random variables in . Hence, the probability that wins is the same in and , and we have

Game . This game simulates breaking . All queries are answered as in the previous games except that the response is not a CDH triple but a random triple .
Assume that is a challenger who attempts to break the distinguishability of DDH over ; then is an adversary capable of breaking the security of the session key. answers from an unbiased coin toss as follows: if , it returns the real session key to ; otherwise it returns a random number to . then outputs its guess . If , wins the game. answers queries to , , and exactly as in the previous games, except for queries with as input. If outputs , outputs 1; otherwise it outputs 0. If is a real CDH triple, then runs in , so we have . If is a random triple, runs in , so we have . Thus,

Since the session key is random, no information about leaks, so we have

According to formulas (8)–(14), the advantage can be evaluated as follows:

4.1.2. Strong Anonymity for Client

To prevent the exposure of the real identification during the message exchange, one practical solution is to employ a pseudonym. In the proposed scheme, if the adversary attempts to obtain the real identification of a system user, the first step is to obtain the key that decrypts the ciphertext , even if can intercept all the transferred messages. Although possesses , , and , still faces the difficulty of solving the problem when trying to deduce the secret value from or . Since cannot decrypt , it cannot learn the real identification, and the privacy of users is preserved. The entities involved in the authentication receive only the temporary identification, which is generated by XORing the real identification with a random number, so they cannot learn the real identification of their partnered peer. Even if a peer stores for off-line analysis in the future, the in the next session is generated from another distinct random number, so and are indistinguishable for the PPT adversary . Furthermore, a system user cannot even determine whether the current partnered peer is the same as the peer in a historic session. Thus, our proposed scheme achieves strong anonymity.

4.1.3. Resistance to Man-in-the-Middle Attack

Suppose an active attacker on the communication channel attempts to intercept and tamper with the transferred messages in order to mount a man-in-the-middle attack. If tries to do so by tampering with , , it faces the difficulty of solving the problem. If attempts to tamper with or forge , , or , it faces the difficulty of breaking the secure one-way hash function, by the definition of the protocol. Hence the proposed protocol resists the man-in-the-middle attack.

4.1.4. Resistance to Replay Attack

According to the construction of the presented protocol, all messages transferred among , , and Tread carry timestamps , for freshness. Furthermore, the users independently choose () and () at random at the beginning of every authentication session. So the proposed scheme can counter replay attacks effectively.

4.1.5. Forward Secrecy

In our scheme, forward secrecy means that a previously used session key cannot be deduced even if the adversary is given the current session key and the user's password. The session key (or ) between and is derived from and , which are chosen independently by the two users, and learns nothing about (or ) because of the randomness of and ; the success probability does not increase even if and are given to the adversary.

4.1.6. Backward Secrecy

Backward secrecy in our scheme means that even if the adversary has obtained a client's password, all historic session keys, and the current session key, still cannot complete authentication and key agreement. Since all messages are transferred anonymously, cannot generate a valid message without knowing the real user identification, even when given the password . So our scheme achieves backward secrecy.

The overall comparison of security between our proposed scheme and the existing similar schemes is listed in Table 1.

All the schemes listed in Table 1 use random numbers in their construction, so they all achieve forward secrecy. Since only our scheme and the scheme in [20] conceal the real identification, only these two can ensure backward secrecy, and for the same reason the schemes in [25, 26, 30, 31] cannot provide mutual anonymity. Although the scheme in [20] conceals the real identification from an outside attacker, the authenticated peers learn each other's real identification, so it lacks strong anonymity; the scheme in [32] fails to protect identity because the identity of the user is transferred in plaintext during authentication, so it cannot provide strong anonymity either. Through the use of timestamps and random numbers, all the schemes in Table 1 counter the replay attack. However, in the scheme of [20], the attacker can choose a random number , compute , and then complete the authentication by blocking and injecting messages; thus it is vulnerable to the man-in-the-middle attack.

4.2. Comparison of Performance

The overall performance comparison is listed in Table 2.

Since authentication is a synchronized process, the total computational cost of the clients and the server over a whole authentication and key agreement should be considered. Because XOR and modular addition are much cheaper, these two operations are excluded from the comparison, and only symmetric encryption/decryption, chaotic map, and hash operations are counted. Although the proposed scheme gains little in performance, its privacy-preserving feature justifies the cost.

4.3. Application Prospects

Our proposed scheme can be applied in privacy-sensitive settings such as VANETs [29]. Consider the authentication scenario in a VANET shown in Figure 2. Since communication takes place over a wireless channel, the system is susceptible to attack from outside and inside adversaries. When the driver of vehicle detects that a nearby vehicle is sharing some resources and becomes interested in using the application installed in his vehicle, he issues a request to access the data. On the one hand, for security, is not allowed to access 's data directly; must first verify that is an authentic entity. However, and are unwilling to reveal their real identities to each other, so they have to run a mutual anonymous authentication protocol. Meanwhile, and also want to remain anonymous even if they authenticate each other again in the future, since few drivers wish to expose their movements to untrusted entities.

On the other hand, the real identities of and , and the transferred messages, should be kept confidential from external entities, and no external attacker should be able to link users across two different sessions from the intercepted messages. Our proposed protocol achieves all of the goals stated above. Since the road side unit (RSU) is assumed to be trusted, it can act as the trusted server in our protocol, and vehicles and can then authenticate via the RSU by following the steps defined in Section 3.

5. Conclusions

Most existing chaotic map-based authentication schemes neglect the anonymity of the user. Since privacy preservation in cryptographic systems has become a major concern, appropriate measures are needed to address this problem. Thus, an extended Chebyshev chaotic map-based mutual authentication scheme with strong anonymity is investigated in this paper, in which neither an outside attacker nor the authenticated peers can determine the real identity of others. The strong anonymity of the proposed scheme makes it suitable for privacy-sensitive applications such as mobile social networks and vehicular ad hoc networks.

Description of Symbols

: Identification of user
: Temporary identification of user
: The Chebyshev polynomial with degree
:
:
: The initial value of the chaotic map
: Private key of the trusted server
: A big prime number
, : Random numbers chosen by users
, : Session key shared between , , and Tread
: Symmetric encryption/decryption algorithm
: Timestamp
: Threshold of interval
: A secure one-way hash function
: XOR operation
: Password of user
: Running time for hash operation
: Running time for encryption operation
: Running time for decryption operation
: Running time for chaotic map operation.

Competing Interests

No potential conflict of interests was reported by the authors.

Acknowledgments

Our work was jointly supported by the National Social Science Foundation of China (no. 14CTQ026), the National Natural Science Foundation of China (no. 61272400 and no. 61472464), the Chongqing Research Program of Application Foundation and Advanced Technology (no. cstc2014jcyjA-40028 and no. cstc2013jcyjA40017), and the Natural Science Foundation of Shandong Province, China (no. ZR2015FL024).