Privacy-Preserving Two-Factor Key Agreement Protocol Based on Chebyshev Polynomials

Tan, Zuowen

doi:https://doi.org/10.1155/2021/6697898

Security and Communication Networks

On this page

Abstract Introduction Related Work Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Emerging Authentication, Identification, and Authorization Technologies

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 6697898 | https://doi.org/10.1155/2021/6697898

Privacy-Preserving Two-Factor Key Agreement Protocol Based on Chebyshev Polynomials

Zuowen Tan¹

Academic Editor: Ahmad Samer Wazan

Received24 Dec 2020

Revised28 Apr 2021

Accepted24 May 2021

Published03 Jun 2021

Abstract

Two-factor authentication is one of the widely used approaches to allow a user to keep a weak password and establish a key shared with a server. Recently, a large number of chaotic maps-based authentication mechanisms have been proposed. However, since the Diffie–Hellman problem of the Chebyshev polynomials defined on the interval [−1,+1] can be solved by Bergamo et al.’s method, most of the secure chaotic maps-based key agreement protocols utilize the enhanced Chebyshev polynomials defined on the interval (−∞,+∞). Thus far, few authenticated key agreement protocols based on chaotic maps have been able to achieve user unlinkability. In this paper, we take the ﬁrst step in addressing this problem. More speciﬁcally, we propose the notions of privacy in authenticated key agreement protocols: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Then, we construct two two-factor authentication schemes with medium unlinkability based on Chebyshev polynomials defined on the interval [−1,1] and (−∞,+∞), respectively. We do the formal security analysis of the proposed schemes under the random oracle model. In addition, the proposed protocols satisfy all known security requirements in practical applications. By using Burrows-Abadi-Needham logic (BAN-logic) nonce verification, we demonstrate that the proposed schemes achieve secure authentication. In addition, the detailed comparative security and performance analysis shows that the proposed schemes enable the same functionality but improve the security level.

1. Introduction

User authentication is indispensable for many information systems. Authenticated key agreement enables users to establish a session key which two or more parties share over a public channel. The session keys are adopted in subsequent secure communications. Password, hard-ware, and biometrics are always utilized in authentication mechanisms [1–3]. Single-factor authentication only provides limited security; then, the combination of these methods together can achieve higher security. Due to the convenient portability of smart cards, two-factor authentication [4–6] has been intensively investigated.

In general, user privacy protection during authenticated key exchange is a big challenge. For two-factor authentication schemes, the important issues should be addressed carefully. Firstly, the authentication mechanism should hide the user’s identity from any eavesdroppers and foreign servers. In other words, mutual authentication cannot reveal the real identity of the user, which is the basic goal of privacy protection, called anonymity. Secondly, the other aspect of user privacy protection is unlinkability. In many applications, the authentication mechanism should hide the user’s movements from any eavesdroppers and other foreign servers. Any unauthorized entity cannot track the user’s movements. Even if any outside adversary has accessed the message transmitted between the user and the server, it still cannot link the user to different authentication sessions.

Since chaotic maps provide the semigroup property and have higher efficiency than modular exponential operations and scalar multiplications on an elliptic curve, many chaotic, map-based, two-factor authenticated key agreement protocols [7–12] have been developed in recent years. Thus far, the user privacy preserving chaotic maps-based authenticated key agreement protocols have been intensively investigated [13–17].

1.1. Motivation

In two-factor authenticated key agreement protocols, the user privacy must be considered carefully. The basic security requirement is to preserve the user anonymity, while the stricter requirement is unlinkability or untraceability. These concepts in two-factor authenticated key agreement protocols are seldom discussed in detail. Till date, few two-factor authenticated key agreement protocols can provide users with a strong unlinkability.

To the best knowledge, most of the two-factor authenticated key agreements based on the Chebyshev polynomial protocols (hereafter, called TAKACP protocols) utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). Now, few secure TAKACP protocols are based on the Chebyshev polynomials defined on the interval [−1, +1]. This is because those TAKACP protocols based on the Chebyshev polynomials over the interval [-1,+1] are vulnerable to Bergamo et al.‘s attacks [18].

1.2. Our Contributions

The main contribution of this paper is the two-factor authenticated key agreement protocol based on Chebyshev polynomials defined on the interval [−1,1] and (−∞,+∞), respectively, which solve all abovementioned issues for the ﬁrst time. They satisfy more security requirements than the existing TAKACP protocols.

In summary, we list the main contributions below: The user privacy in two-factor authenticated key agreement protocol is expounded. According to the extent of user identity protection, the user privacy preserving in entity authentication protocols is classified into four concepts: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Of the four levels, the strong unlinkability is the highest while the anonymity-alone is fundamental for entity authentication. In this paper, we elaborate them by the formal probability model. We analyze the Lin TAKACP protocol and reveal their weaknesses. Detailed analysis shows that it fails to provide session key security. And, it suffers from user impersonation attack. Next, it even cannot provide the weak unlinkability. Analysis of formal security under Random Oracle model and BAN logic nonce verification demonstrate that the proposed schemes provide secure authentication against the CPCDH assumption and integer factorization hardness assumption. The proposed schemes provide more security properties as compared to other TAKACP schemes. And the detailed comparative security analysis also shows that the proposed schemes avoid the weaknesses of the TAKACP protocols [19–21].

1.3. System Model

1.3.1. Network Model

The proposed two-factor authenticated key agreement protocols involve two entities, a user U and the server S. At the user registration phase, the server issues a smart card with secret information to U through a secure channel. When the user U logs in to the server, the server and the user authenticate each other over the public channels. In this paper, the two-factor authenticated key agreement protocol is required to provide users with privacy preserving. Any adversary cannot trace the user from the message transmitted over open channels.

1.3.2. Adversary Model

Consider an adversary A who gets the full control over the communication channel between the user U and the service provider S (except the registration phase). Thus, A could obtain the messages transmitted between the user and the server (except the registration message). Of the phases in a two-factor authenticated key agreement protocol, only the registration phase requires a secure channel between U and S. In other phases, there could be various kinds of passive and active adversaries in the communication channel between U and S_. The adversary A can eavesdrop and even block the message transmitted, modify messages, remove messages, or insert messages into the communication channel. Its objective is to compromise the mutual authentication between U and S. A even impersonates a user and attempts to access the server, or the adversary impersonates the server and provides the user with false services.

In the single-server environment, since users register on the same server with the same master key, the inside attacker A₀/A₁ is very powerful. Hereinafter, we refer to a malicious server which may try to recover the password of its client or track the client as an adversary A₀; a registered malicious user, or an adversary who has corrupted the user as an adversary A₁; and while other adversaries are called as outside adversary A₂. To simulate the inside attack, A₀ and A₁ can get the passwords and information stored in the smart cards of the users except those of a client under attack. If the server is the attack target, A₁ is assumed to obtain the passwords and the information stored in the smart cards of all the users.

For a two-factor authentication scheme, the basic security property is that the user is required to both have the smart card and know the password. Since the smart cards cannot prevent the information stored in them from being extracted, for example, by monitoring their power consumption, the security of a two-factor authentication scheme is always discussed in the case that the smart card is stolen. In other words, when a user is under attack, A is allowed to either compromise the password or the smart card of the client under attack, but not both.

1.4. Organization of the Paper

The remainder of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces some preliminaries. Section 4 shows the limitations of the Lin protocol. Section 5 then presents two novel TAKACP protocols. Next, Section 6 analyzes the security of the proposed schemes. Comparison with the related smart-card-based protocols in terms of security properties and performance will be given in Section 7 , and Section 8 is the conclusion.

In this section, we brieﬂy review some prior related works. Recent years have witnessed efforts on two-factor authentication [19–42]. We summarize some existing two-factor authentication schemes with their methodologies used, limitations, and drawbacks in Table 1.

2.1. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval (−∞, +∞) and Their Limitations

Researchers have developed chaotic maps-based key agreement protocols which utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). Xiao et al. [31] first presented a chaotic map-based authenticated key agreement protocol by utilizing the semigroup property of Chebyshev chaotic maps [32, 33]. Guo and Zhang [34] showed that the Xiao et al.’s protocol [31] cannot provide the contributory property of key agreement. A malicious server can predetermine the session key. Guo and Zhang presented an improved version [34]. However, Lee demonstrated that the Guo-Zhang protocol [34] is insecure against off-line password guessing attacks [35]. In addition, it fails to provide the session key security. Tseng et al. [7] proposed anonymous key agreement protocol based on Chebyshev chaotic maps. Unfortunately, Niu et al. [8] demonstrate that Tseng et al.’s protocol [7] fails to protect the user anonymity and suffers from inside attacks. Yoon [9] found that the Niu-Wang protocol [8] is vulnerable to Denial of Service attacks. Xue et al. [36] also improved Tseng et al.’s protocol. However, Tan [37] pointed out that the Xue-Hong protocol [36] cannot still provide user anonymity. Moreover, the Xue-Hong protocol suffers from man-in-the-middle attacks. In 2012, Gong et al. [38] proposed password-based key agreement protocol by using extended chaotic maps. Unfortunately, Wang and Luan [39] showed that the key agreement protocol [38] suffers from potential security problems.

In 2014, Lin [40] developed an authentication scheme using dynamic identity and chaotic maps. Later, Islam et al. [41] state that Lin’s scheme suffers from user impersonation attack. Islam et al. also presented an improved provably secure scheme [41, 42] to solve the weaknesses of Lin’s scheme. Unluckily, Jiang et al. [10] show that Islam’s scheme is also vulnerable to some potential attacks. Based on the extended Chebyshev polynomials on the interval (−∞,+∞), Lee et al. [21] presented improvement on Lin’s scheme [20]. However, in the login phase of the improved scheme [21], the smart card fails to validate the input of the user. Moreover, in the password change phase, the server must participate in the whole updating process of each user. Hence, it is inconvenient for users to update the password in Lee et al.’s scheme [21].

2.2. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval [−1,+1] and Their Limitations

Few secure TAKACP protocols [19–21, 35] based on the Chebyshev polynomials defined on the interval [−1,+1] have been presented.

In Lee’s TAKACP scheme [35], the user and the server must preshare a password. Hence, when users register with the server, the server must share one different password with every user. In 2013, Guo and Chang [19] have proposed a smart-card-based authenticated key agreement using chaotic maps over the interval [−1,+1]. Subsequently, Hao et al. [43] and Lin [20] pointed out that that there are some security pitfalls in the Guo-Chang scheme [19]. Any adversary can derive the session key only by using the messages transmitted between a user and the server. In addition, the Guo–Chang scheme fails to provide full protection for user identity due to a fixed parameter in every run of the protocol. To eliminate the above weaknesses, Lin presents an improved scheme [20] based on chaotic maps over the interval [−1,+1]. The Lin scheme is highly efficient since it is based on a simple symmetric cryptosystem. Unfortunately, Lee et al. [21] point out that the Lin scheme still fails to withstand denial-of-service and privileged insider attacks. In addition, the Lin scheme does not exhibit the contributory property of key agreements.

In this paper, we will show that the Lin scheme violates the session key security. The Lin scheme suffers from impersonation attacks. Specifically, it is still susceptible to Bergamo et al.’s attacks [44] from registered users of the same server. Furthermore, we will demonstrate that the Lin scheme cannot provide the strong privacy protection. We also have found that it is inconvenient for users to update passwords in the Lin scheme [20] and the Guo–Chang scheme [19].

3. Mathematical Preliminaries

This section briefly introduces Chebyshev polynomials and two problems related to the chaotic maps. Then, we will discuss the user privacy in TAKACP protocols and define the different notions of user privacy.

3.1. Mathematical Preliminaries

Let n be an integer and x be a variable taking values over the interval [−1,1]. The Chebyshev polynomial T_n: [−1,1] ⟶ [−1,1] of degree n is defined as

The recurrence relation of the Chebyshev polynomial is given by:

The cos(s) and arcos(s) are defined as cos: and arcos: . There are some examples of Chebyshev polynomials that are shown as follows:

The Chebyshev polynomials hold two important properties. Semigroup property: Assume that r and s are positive numbers. For , T_r(T_s(x)) = T_s(T_r(x)). Due to its semigroup property, the Chebyshev polynomials satisfy the commutative property under the composition T_r(T_s(x)) = T_s(T_r(x)). Chaotic property: Since the Chebyshev polynomial T_n(x) with the positive integer n has a unique continuous invariant measure with positive Lyapunov exponent lnn, it is a chaotic map with its invariant density . Specially, T₂(x) is the well-known logistic map.

In 2008, Zhang [45] extended the definition of variables from the interval [−1,1] to the interval as follows:where p is a large prime number. And, these enhanced Chebyshev polynomials still commute under the composition, T_r(T_s(x)) = T_s(T_r(x)) mod p.

The Chebyshev polynomials over the interval have the discrete logarithm problem and Diffie-Hellman problem, which are assumed to be difficult to solve within a probabilistic polynomial time:

Definition 1. Chebyshev polynomial-based Discrete Logarithm (CPDL) problem. Given two elements x and y, find an integer r, such that T_r (x) = y, where T_r (x) is the Chebyshev polynomial.

Definition 2. Chebyshev polynomial-based computational Diffie-Hellman (CPCDH) problem. Given three elements, x, Chebyshev polynomials T_r (x), and T_s(x), compute the value T_rs(x).
In contrast with the Chebyshev polynomials over the interval , the hardness assumption of CPCDH problems over the interval [−1,1] does not hold. Given three elements, x, T_r(x), and T_s(x), although it is computationally infeasible to derive r from the known x and T_r (x), one can apply the method mentioned in [18, 44] to derivesuch that . Thus, one can compute the Diffie-Hellman value .

Definition 3. The success probability of a probabilistic polynomial time Turing machine within time upper bound t in solving CPCDH problems is defined as:

Definition 4. The Chebyshev polynomial-based computational Diffie-Hellman assumption (CPCDH assumption) is the assumption that CPCDH problems are hard. In other words, for every probabilistic Turing machine , is negligible.

Definition 5. Integer factorization assumption (IF assumption) is the assumption that integer factorization is hard. In other words, the probability of integer factorization for any probabilistic polynomial time Turing machine within the time upper bound t’ is negligible.

3.2. Notions of Privacy in TAKACP Protocols

According to the extent of user identity protection, we divide user privacy preserving into four levels: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Among these concepts, the latter is stronger than the former, i.e., anonymity-alone ≤ weak unlinkability ≤ medium unlinkability ≤ strong unlinkability.

Let N be the number of members of any user group. Let be the event that A (that is, A₁ and A₂ but A₀) guesses the identity of the user correctly from the user group, be the event that A₂(A) decides whether any two executions of the protocol are from the same user, respectively.

Definition 6. (Anonymity-Alone). We define the advantage Adv^Anon−Alone(A) of any adversary A asThe advantage Adv^Anon−Alone(A) measures the sum of the probability of any adversary A₁ or any outside adversary A₂ obtaining the identity of the user and the probability of any outside adversary A₂ linking different sessions with a certain user.
An authenticated key agreement protocol is called to provide Anonymity-Alone if Adv^Anon-Alone(A) is negligible. In other words, for any group of N users, A cannot identify the actual user with the probability higher than the probability 1/N of guessing. Hence, the first addition item would approach 0. However, any outside adversary A₂ can link different sessions to a certain user.

Definition 7. (weak unlinkability). We define the advantage Adv^Weak−Unlin(A) of any adversary A asAn authenticated key agreement scheme achieves weak unlinkability if Adv^Weak-Unlin(A) is negligible. Specifically, any adversary A₁ or any outside adversary A₂ cannot obtain the identity of any other user. Besides, any outside adversary A₂ cannot link different sessions to a certain user with a probability larger than 1/2.

Definition 8. (medium unlinkability). We define the advantage Adv^{medium−Unlin}(A) of any adversary A (here, A₁ and A₂ but A₀) asAn authenticated key agreement scheme is called to satisfy medium unlinkability if Adv^Medium-Unlin(A) is negligible. In other words, any participant except the server cannot link different logins to the same user.

Definition 9. (strong unlinkability). We define the advantage Adv^{Strong−Unlin}(A) of any adversary A including A₀, A_1, and A₂ asAn authenticated key agreement scheme is called to satisfy strong unlinkability if Adv^{Strong−Unlin}(A) is negligible.

4. Cryptanalysis of the Lin Takacp Protocol

In this section, we first tabulate the important notations in Table 2. We then review Lin’s key agreement protocol [20].

4.1. Brief Review of Lin’s Takacp Protocol

The Lin’s TAKACP scheme [20] is composed of four algorithms: system initialization, user registration, authenticated key exchange, and password change. The notations used in [20] are listed in Table 2. Figures 1–3 separately illustrate the phases of user registration, authenticated key exchange, and password change.

4.1.1. System Initialization

The server S selects a master key s. Then, S computes a Chebyshev polynomial of degree r, i.e., T_r(x), where , and chooses a one-way hash function h() and a symmetric encryption function E_k() with the secret key k. S keeps r secret.

4.1.2. User Registration Phase

A user registration procedure consists of the following steps. Step 1. The user U selects an identity ID, a password PW, and a random integer t. U computes H = h(PW||t) and then sends the message {ID, H} to the server via a secure channel. Step 2. Upon receiving the registration request, the server S computes R = E_s(ID||H), D = H⊕(x||T_r(x)). Then, S writes {R, h(), E_k(), D} to a smart card and sends the smart card to U via a secure channel. Step 3. Upon receiving the smart card, U stores t into it.

4.1.3. Authenticated Key Exchange Phase

U first enters the identity ID and password PW. Then, the smart card runs the following steps on S: Step 1. It chooses a random integer j and computes Then, it issues the message to S. Step 2. S computes and decrypts . Then, S checks the validity of the time stamp T₁. Next, S decrypts R and verifies whether holds. If the equation holds, U is authenticated; otherwise, the session is terminated. Step 3. S chooses a random integer and returns the login response to the card. And, S computes session key . Step 4. The card first decrypts and then checks whether the delay time for T₂ is acceptable. Next, the card checks whether holds. If the equation holds, S is authenticated. And, the card computes the session key .

4.1.4. Password Change Phase

U first inserts the smart card into a terminal and inputs his or her identity ID, the old password PW, and a new password . Then, the smart card runs the following steps on S: Step 1. The smart card chooses randomly a positive integer i and calculates and delivers to S. Step 2. S computes , then decrypts and further R = E_s(ID||H). Next, S checks whether the received is equal to H. If the equation holds, the server returns to the card. Step 3. The smart card replaces R with .

4.2. Security Weaknesses of Lin’s TAKACP Protocol

Lin [20] demonstrates that the Guo-Chang TAKACP scheme [19] cannot provide full protection for the user’s identity. Any passive inside adversary A₁ (i.e., a malicious registered user) could derive the mutually shared session key between the user and the server only by intercepting the transmitted message. Lin claimed that their improvement eliminates the drawbacks. We show that the second security weakness of the Guo-Chang TAKACP scheme still exists in the Lin scheme [20]. In addition, the password change would not only bring inconvenience to the user but also lack the authentication of the server.

4.2.1. Violation of the Session Key Security

Assume that an inside adversary A₁ has intercepted the key exchange message transmitted between the user U and the server. In the Lin scheme, the adversary could derive the session key by performing the following steps.

Since A₁ is an inside adversary, A₁ can use his password to calculate x||T_r(x). After intercepting U’s login message , A₁ has obtained T_j(x). Although it is computationally infeasible to calculate j from x and T_j(x), the adversary can apply the method mentioned in [18, 44] to computesuch that . Then, the adversary could compute the key .

A₁ decrypts with the key and obtains . Finally, the adversary calculates the session key .

4.2.2. Suffering from User Impersonation Attack

Suppose that an inside adversary A₁ does not want to pay the server for the service provided by S. A₁ would try to impersonate a legitimate user U. After intercepting U’s login message, the adversary launches the user impersonation attack as described below:(1)With the login message , A₁ computes the key through the same technique as in the leakage attack of the session key in Section 3. Then, A₁ decrypts and obtains {Q, R, T₁}.(2)A₁ chooses a random integer j and computes . It transmits to the server S, where T is the current timestamp.(3)After receiving the login message, S computes and decrypts . S first checks the validity of the time stamp T. Next, S decrypts R to derive ID||H, and verifies the identity. Since Q = h(ID||H), the server believes that a legitimate user with ID has issued the login request. After that, S selects a Chebyshev polynomial , encrypts it with other messages, and transmits the cipher-text to A₁.(4)A₁ recovers the map with the key and computes the session key.

4.2.3. Linking Different Sessions to a Same User

The Lin’s TAKACP scheme enhances the protection of user identity. Although any adversary A₁ or A₂ cannot obtain the identity of any user, any inside adversary A₁ can link different sessions to a certain user. The Lin scheme only can provide weak unlinkablity (for details, see Definition 7 in Section 3), since A₁ may execute the linking of sessions to the user as follows.(1)Intercept the different login messages .(2)Compute the different keys through the approach described in Section 3.(3)Decrypt and obtain {Q, R, T₁}. For the user, although the parameters {R, T₁} change with different logins, Q will be unchanged. Thus, A₁ can decide whether the users are the same by comparing the parameter Q’s.

4.2.4. Defects of the Password Change

Firstly, the password change suffers from inside attacks. Consider that a registered user acts as an adversary A₁. Since is a registered user of the server S, can derive x||T_r(x) from his own by using his own password. Assume that has intercepted U’s password change request . As shown above, can calculate , which satisfies the equation . Thus, computes the key and further decrypts . Then, selects randomly a value of the same length of . And computes and sends to the server. Since the equation holds, the server will return to the smart card. The smart card stores instead of R. Thus, the password change has been fulfilled. However, the user U cannot login to the server any more with the new password . We describe the failure process as follows. When the user U tries to login to S, U computes where and then issues to the server. The server decrypts and acquires . S further decrypts R to obtain . S computes . Since , the server will refuse U’s login request.

Secondly, the Lin’s TAKACP scheme requires that the server participate during the whole password change phase. In many applications, registered users always need to update their passwords at intervals. Passwords should be freely updated by the smart card holder at will without any interaction with the server, while the server can be totally unaware of the password change. A TAKACP scheme should provide the users with free password changes. If the users’ password change requires the server online, it must be a bottleneck. The Lin scheme requires the server S to compute during the password change phase. Therefore, it is inconvenient to both the server and the users. For the Lin scheme, the password change is impractical.

Thirdly, during the password change phase, the server is not authenticated by the smart card. This would be a serious security drawback. Any adversary could impersonate the server and send an arbitrary value as . The smart card will replace R with . The real card holder cannot login to the server any longer since . If the password change proceeds through a secure channel as in the user registration phase, the above security drawbacks will be removed. However, this is also infeasible.

5. The Proposed Takacp Protocol

Lin [20] showed that the Guo-Chang scheme suffers from inside attacks. The analysis above demonstrates that the Lin’ TAKACP scheme [20] cannot still resist against inside attacks. The main cause is that an inside adversary A₁ has the common chaotic map T_r(x) with the registered users of the same server. After intercepting the chaotic map T_j(x) transmitted over the public channel, A₁ can derive an integer satisfying . The adversary computes the key to decrypt and derive . Thus, the adversary can determine the Diffie-Hellman-like session key .

To eliminate these weaknesses, we will seek cryptographic techniques to protect the functions and . In the following, we will use the quadratic residues to present two improved versions. We first describe an improved two-factor authentication scheme (hereafter called TAKACP-1) based on Chebyshev polynomials defined on the interval [−1,1] and then another two-factor authentication scheme (hereafter called TAKACP-2) based on Chebyshev polynomials defined on the interval (−∞,+∞).

5.1. Registration Phase

We adopt the same notations as those in the Lin scheme. The server S selects s as the symmetric encryption key, two distinct large primes p and q with (mod 4), and a one-way hash function h():{0,1}^∗ ⟶{0,1}^l where l is a security parameter. The parameters p, q, and s are kept secret. Before a user U gains access to the server S, U must register by performing the following steps as shown in Figure 4. Step R1. U selects a random integer with l bits, an identity ID, and password PW. Then, U computes and delivers {ID, d} to S through a secure channel. Step R2. S computes c = d⊕E_s(ID||n), where n = pq. S stores {c, n, h()} on a smart card and issues the smart card to U via a secure channel. Step R3. The card computes.

5.2. Authenticated Key Exchange PHASE

The user U and the server S cooperatively perform the following steps to generate a session key SK, which is also illustrated in Figure 5. Step A1. U inserts the smart card into the terminal and enters the identity ID and the password PW. The smart card checks whether d₂ is equal to h((ID⊕PW)||d₁||n). If ID and PW are valid, it computes c = d₁⊕h(ID||PW). It generates a nonce n₁ of the c’s binary length and randomly chooses a positive integer i and a real number x over [−1,1]. The card computes the Chebyshev polynomials T_i(x), mod n, , c₀ = h(ID||n₁), , where x||T_i(x) is of l-bits. The symbol means that the binary form of c interleaves the binary form of n₁ bit by bit. Then, the card transmits the message to the server S. Step A2. Once receiving the login request, S uses Chinese Remainder theorem with p and q to solve the square roots of e. S parses the four roots into two parts, ,, respectively. Then, S decrypts to obtain and determines the right root by checking if is equal to n. Finally, S obtains the right root and the identity . S computes , , and checks if the received equals . If the equation holds, the server believes that the login comes from a registered user with the identity . S generates a nonce n₂ such that n₂||T_j(x) is l-bit in length and randomly chooses a positive integer j. Then, S computes And, S sends back the message to U. Otherwise, S rejects the login request from U. Step A3. Upon receipt of the response message from S, the smart card computes , SK = h(ID||T_i(x)||T_j(x)||n₁||n₂||T_i(T_j(x))). Next, it checks whether equals h(c||(T_j(x)||x)⊕h(n₂)||SK). If they are equal, the card authenticates the server. It computes and forwards the message to the server S. Otherwise, U terminates the session. Step A4. After receiving the confirmation message from the card, S checks if equals . If they are equal, the user U with identity ID is authenticated. Moreover, S confirms the session key SK.

5.3. Password Change Phase

If the user U wants to update his password, U performs the following steps. Step C1. U inserts the smart card into the terminal and inputs the identity ID and the old password PW. Then, U issues the updating request. Step C2. The smart card checks whether d₂ = h((ID⊕PW)||d₁||n) holds. If the equation holds, it answers accepting updating. Step C3. U submits a new password PW_new. Step C4. The smart card computes

The card removes {d₁, d₂} and stores .

Now, we describe briefly the TAKACP-2 scheme. There is a little difference between the registration phase of the TAKACP-2 scheme and that of the TAKACP-1 scheme. We will give the detailed description of the registration phase of TAKACP-2 scheme. Another fundamental difference of the authenticated key exchange phase of TAKACP-2 scheme from TAKACP-1 scheme is that the real number x is drawn from the interval . The card/server computes the Chebyshev polynomial T_i(x)/T_j(x) mod p₀. By making similar modifications to the registration phase, we can have the password change phase. Here, we omit the description of the authenticated key exchange phase and the password change phase in the TAKACP-2 scheme.

5.4. Registration Phase of TAKACP-2

We adopt the same notations as those in the TAKACP-1 scheme. The server S selects a large prime p₀ besides the symmetric encryption key s, two large primes p, q, and a one-way hash function h():{0,1}^∗ ⟶{0,1}^l. S keeps p, q, and s secret. Then, U performs the following steps to execute the registration. Step R1’. U selects a random integer , an identity ID, and password PW. Then, U computes and delivers {ID, d} to S through a secure channel. Step R2’. S computes c = d⊕E_s(ID||n||p₀) where n = pq. S stores {c, n, p₀, h()} on a smart card and issues the smart card to U via a secure channel. Step R3’. The card computes

Then, U removes and stores {d₁, d₂} in the card.

6. Security Analyses

In this section, we will present the formal semantic security analysis of the proposed protocols under the random oracle model in Part A. Mutual authentication between a user and a server will be confirmed through the widely used BAN logic [46–48] in Part B. In Part C, we conduct the detailed informal security analysis of the proposed protocol. The formal security analysis and informal security analysis both show that our schemes provide stronger security attributes.

6.1. Formal Security Analysis in Random Oracle Model

In this subsection, we introduce a formal security model under the widely used Real Or-Random model [49], the authentication security model [50], and the sequence of game models [51].

Assume that the server is a trustworthy entity. The server can accept the registration of users and validate the real identity of the users to provide them with services. There exists a secure channel between the server and the user to protect the registration of the user. In the following, we will apply the Dolev-Yao threat model (DY model) [52] to analyze the security of the proposed schemes. According to DY model, any two communicating parties communicate over an insecure channel. Assume that a polynomial time adversary has the ability to control the communication channel, for example, modifying, injecting, monitoring, and deleting messages over the open channel. Any adversary A can make oracle queries, which model the adversary’s capabilities in a real attack. The goal of the adversary is to penetrate the anonymous authentication of a key agreement protocol by compromising requirements for the protocols described below. A malicious registered user may act as A to attempt to obtain the identity information of other users who have registered on the same server.

We will simulate various security attacks on the proposed schemes through all possible oracle queries listed below. Execute(Uⁱ, S^j): This query models eavesdropping attacks on honest execution among the user instance Uⁱ and the server instance S^j. The output of this query consists of the messages that were exchanged during the honest execution of the protocol. Send(Uⁱ/S^j,m): This query models an active attack. The oracle query enables A to receive an actual response from a participant Uⁱ/S^j. Specifically, the adversary A sends a message m to instance Uⁱ/S^j, and the participant instance Uⁱ/S^j follows the protocol to give a reply. Reveal(Uⁱ/S^j): This query models known session key attacks. If no session key is defined for an instance Uⁱ/S^j, or if either Uⁱ/S^j, or its partner is asked a Test query, the output of this query is the invalid symbol . Otherwise, it returns the current session key SK, which has been established between Uⁱ/S^j and its partner to A. Corrupt(U,a): The query models the capability of A to obtain the secret information of a user participant U, thereby corrupting the protocol. If a = 1, the query returns U’s password to A. If a = 2, the query returns the message stored in the user U’s smart card with A. The oracle simulates that when A gains the smart card of user U, it can extract the secret stored information. Test(Uⁱ/S^j): If no session key is defined, for instance, Uⁱ/S^j or if either Uⁱ/S^j or its partner is asked a Reveal query, the output of this query is the invalid symbol . Otherwise, the oracle flips a coin b. If b = 1, the output is the session key. Otherwise, the output is a random string drawn from the space of session keys. The Test query is invoked once by the adversary with a fresh oracle. The query is used to define the semantic security of the session key SK.

Definition 10. An instance Uⁱ/S^j is called to be accepted, if upon receiving the last expected protocol message, it goes into an accept state. The ordered concatenation of all sent and received messages by instance Uⁱ/S^j forms the session identification(sid) of Uⁱ/S^j for the current session.

Definition 11. Two instances Uⁱ and S^j are said to be partnered if the three conditions hold simultaneously: (1) both Uⁱ and S^j are accepted; (2) both Uⁱ and S^j share the same sid; and (3) Uⁱ and S^j are mutual partners of each other.

Definition 12. An instance Uⁱ/S^j is called to be fresh if the following conditions are fulfilled simultaneously: (1) Uⁱ/S^j is in the accepting state; (2) Reveal(Uⁱ/S^j) query has never been submitted to Uⁱ/S^j or its partner; and (3) strictly fewer than two Corrupt(Uⁱ,a) queries have been made to Uⁱ or strictly fewer than two Corrupt(Uⁱ,a) queries have been submitted to S^j’s partner Uⁱ.

Definition 13. For the semantic security, the security model is defined by a game, which consists of two phases. In the first phase, an adversary A is allowed to adaptively issue Send, Execute, Reveal, and Test queries. In the second phase, the adversary A executes a single Test (Uⁱ/S^j) query with the chosen bit b directed to a fresh instance and the query outputs a guess bit for b. If , then the adversary A wins the above game, i.e., A succeeds in breaking the semantic security of the game of a TAKACP protocol. Let Succ(A) be an event where the adversary A wins the above game. The advantage of the adversary A in breaking the semantic security of the TAKACP protocol is defined byA TAKACP protocol is said to be semantically secure if the advantage of any probabilistic polynomial time-bounded adversary A is negligible.

Theorem 1. Let D(W) be a uniformly distributed password (identity) dictionary of size |D|(|W|). Let A (including A₁ and A₂) be a polynomial time-bound adversary against the semantic security of the TAKACP-2 scheme. Suppose A makes at most q_s times Send queries, q_e times Execute queries, and q_h times hash oracle queries. Then, we havewhere l refers to the string length of hash results, is the success probability of any probabilistic polynomial time Turing machine within time upper bound t in solving CPCDH problems, and is the probability of integer factorization for any probabilistic polynomial time Turing machine within time upper bound t’.

Proof. We shall use the approach of sequent games to prove this theorem. We first define a sequence of modified attack games G_i (i = 0,1,2,3,4,5) starting from G₀ and terminating at G₅. Let Succ_i be an event defined as the successful guessing of the bit b in Test query corresponding to each game G_i by an adversary A. Game G₀: This starting game and the real protocol in random oracles are assumed to be identical. Hence, G₀ is the actual attack game. By definition, we have Game G₁: This game is the same as the game G₀ except that the game simulates all oracle queries including Send, Reveal, Corrupt, Execute, Test, and hash queries. The hash oracles and Reveal, Test, Corrupt, and Execute queries are simulated in Table 3. We simulate the Send queries in Table 4 as in the actual attack game. The simulations maintain three lists of queries: (1) list L_h records the answers to hash oracles, (2) list L_A records the answers to the queries which are initiated by A, and (3) list L_T records the transcripts between S and U. This game is perfectly indistinguishable from the real execution of the protocol. Hence, we have Game G₂: In this game, we consider collisions among the results of hash queries, random numbers, and Chebyshev polynomials in the transcripts of messages M₁, M₂, and M₃. We take the random value h from as the response of the hash queries. If this query is directly asked by the adversary and (∗, h)←L_h, we abort the game. Otherwise, h is returned. Following the birthday paradox, the probability of collisions of the oracle hash query is at most . Furthermore, the messages contain random numbers {n₁, n₂} and two Chebyshev polynomials {T_i(x), T_j(x)}. And, the probability of random numbers and polynomials collision is at most . Games G₂ and G₁ are perfectly indistinguishable except that the abovementioned collision causes the game to abort. Hence, we have Game G₃: This game would abort the execution in the situation where A obtains a valid authenticator without active participation of hash oracles. In the TAKACP-2 protocol, the authenticated key exchange phase involves three message communications, M_i, i = 1,2,3. We consider three cases, Send(U, M₁), Send(S, M₂), Send(U, M₃) in the game G₃. Case 1. Considering Send(U, M₁) oracle query, we must carefully analyze the elements of message M₁. The hash values h(c||x||T_i(x)||c₀)∈L_A must hold, otherwise the session will be terminated. The maximum calculated probability is up to . Again, it must be that h(ID||n₁) ∈L_A whose probability is at most . Finally, the message M₁ ∈L_T should hold, or the session will stop. For this, the probability is . Case 2. Considering Send(S, M₂) oracle query, M₂ consists of and. The hash values must hold; otherwise, the session will be terminated. The maximum probability is up to. The probability of value falling within the list L_A is at most . Finally, the message M₂ should fall within L_T, or the session will terminate. The maximum probability is . Case 3. To respond Send(U, M₃) oracle query, h(h(ID ||T_i(x)||T_j(x)||n₁||n₂||T_i(T_j(x)))||(n₁⊕n₂)||c₀)∈LA must hold with the total maximum probability . Finally, for a transcript M₃∈L_T, we have the maximum probability as . Considering the three cases, we have, Game G₄: In this game, when the session key SK is required to compute, we replace the random hash oracle H₁ with private oracle H’. That is, the session key is determined without querying the hash oracle. Moreover, we do not use T_j(T_i(x)) or T_i(T_j(x)) to compute SK=H′(ID||T_i(x)||T_j(x)||n₁||n₂). Thus, the session key is completely independent of hash oracle and T_j(T_i(x)) or T_i(T_j(x)). Games G₄ and G₃ are perfectly indistinguishable unless the following event AskH₁ occurs: the adversary A queries the hash function on ID||T_i(x)||T_j(x)||n₁||n₂||T_j(T_i(x)) or on the message ID||T_i(x)||T_j(x)||n₁||n₂||T_i(T_j(x)). Hence, we have Game G₅: In this game, we simulate the executions using the random self-reducibility of the CPCDH problem, given one CPCDH instance (T_i(x), T_j(x)). We choose randomly two integers and compute T_u(T_i(x)), . The event AskH₂ means that the adversary A had queried the random hash oracle H₁ on ID||T_i(x)||T_j(x)||n₁||n₂||Z, where . It is easy to know that the equation holds. We haveAccording to the definition of the event AskH, the accumulated probability is at least . Thus, we haveIn Game G₅, Diffie–Hellman keys SK are random and independent of passwords and ephemeral keys. So, there are two possible cases where the adversary distinguishes the real session key from the random key as follows: Case 1. The adversary queries the hash oracle on ID||T_i(x)|| T_j(x)||n₁||n₂||T_j(T_i(x)).The probability that this event occurs is . Case 2. The adversary asks the Send (Uⁱ, m) query and successfully impersonates a user. If the Corrupt(U, 1) has been made, it implies that the Corrupt (U, 2) has not been made. To impersonate the user, the adversary has to obtain the parameter c and the identity. The probability that the event happens is . On the contrary, if the Corrupt (U,2) has been made, it is not allowed to reveal the static key PW of the user. Thus, in order to impersonate the user, the adversary has to obtain some information on the password of the user. The success probability of the adversary in the q_s sessions is . If the adversary just makes an attempt at random to impersonate the user by computing and succeeds, it will make the difference; but, the probability for qs sessions is less than. Hence, we haveUsing the triangular inequality and equations (19)–(26), we have the following:Thus, we have completed the proof of the theorem.
The above theorem is about the security of the proposed TAKACP-2 scheme based on the extended Chebyshev polynomials defined on the interval [−∞, +∞]. To complete the security proof of the TAKACP-1 scheme based on Chebyshev polynomials over the interval [−1, 1], one only needs to delete the CPCDH simulation in Game G₅ of the proof of Theorem 1. We only state the results as Theorem 2 without detailed proof.

Theorem 2. Let D(W) be a uniformly distributed password (identity) dictionary of size |D|(|W|). Let A (including A₁ and A₂) be the polynomial time-bound adversary against the semantic security of the TAKACP-1 scheme. Suppose A makes Send queries q_s times, Executes queries q_e times, and hash oracle queries q_h times at most. Then, we havewhere l refers to the string length of hash results, is the success probability of any probabilistic polynomial-time Turing machine within the time upper bound t in solving CPCDH problems, and is the probability of any probabilistic polynomial-time Turing machine in solving the square root with composite number module within time upper bound t’.

Theorem 3. The proposed TAKACP-1(TAKACP-2)scheme achieves the property of the medium unlinkability.

Proof. Consider that the insider adversary A₁ would attempt to violate the user anonymity of the proposed schemes. Further suppose that the Corrupt (U, 2) has been made. The smart card of the user U is compromised. The adversary A has extracted the elements {d₁, d₂, n} for TAKACP-1({d₁, d₂,n,p₀} for TAKACP-2) in the smart card. Since d₁ = E_s(ID||n)⊕h(ID||PW), d₂ = h((ID⊕PW)||d₁||n) in TAKACP-1, or d₁ = E_s(ID||n||p₀)⊕h(ID||PW), d₂ = h((ID⊕PW)||d₁||(n⊕p₀)) in TAKACP-2, A cannot divide d₁ or d₂ into the exclusive-OR items E_s(ID||n) or E_s(ID||n||p₀), h(ID||PW), h(ID⊕PW) correctly. In essence, even if A has E_s(ID||n), A cannot still recover ID from it without the master key s. Since d₂ = h((ID⊕PW)||d₁||n) or h((ID⊕PW)||d₁|| (n⊕p₀)), owing to the one-way hash function, A₁ cannot derive ID or PW from d₂.
Now consider the authenticated key exchange phase. Assume that and are two requesting messages produced by one user in two different authentication sessions, whereDue to the usage of the random integers {n_0,1, n_1,1}, e_0,1 is independent of e_1,1. Likewise, owing to the randomness of {x, y, 0_i,1_i}, T_0i(x) is independent of T_1i(y). Thus, is independent of . As h() is a secure cryptographic hash function, the same is true for and . Therefore, A believes that M_0,1 and M_1,1 are independent of each other. We can make similar analysis of the response messages , , and the confirmation messages , . From the above analysis, we have . Thus, Adv^{Strong−Unlin}(A) = 0.
Therefore, our protocols achieve medium unlinkability. Any adversary (but A₀) is unable to link two different protocol sessions to the same user.

6.2. Authentication Proof Based on BAN-Logic

In this section, we introduce the well-popular Burrows-Abadi-Needham Logic (BAN-logic) to validate the authentication of the proposed protocols. By using BAN logic, we also try to find out flaws in the proposed schemes and deal with authentication issues among the participants. The formal verification of the BAN logic demonstrates that the proposed protocols achieve mutual authentication and allow the user and the server to establish session keys. It is well-known that BAN logic [46] is the widely used logical analysis method of reasoning the beliefs of participants in an authentication protocol [47, 48]. BAN logic uses a set of postulates to analyze and verify authentication schemes. BAN logic has three elementary items, i.e., formulas/statements, principals, and keys. Let X and Y be two statements, P and Q be principals, K be the symbol for a key. The basic expressions of BAN logic are described in Table 5. More details can be found in [46–48].

The main logical postulates of the BAN logic are listed as follows: Message-meaning rule: , : If P believes that it shares K with Q and sees X encrypted by K (or X combined with K), then P believes that Q once said X. The nonce-verification rule: If P believes that X could have been uttered only recently and Q once said X, then P believes that Q believes X. The freshness propagation rule: If P believes that X is fresh, then P also believes that (X, Y) is fresh. The jurisdiction rule: If P believes that Q has authority over X and Q believes X, then P trusts Q on the truth of X. The message decryption rule:

If P believes that it shares K with Q and sees encrypted X by K, then P sees X.

In the following, we apply BAN logic to analyze the TAKACP-1 scheme. Similar analysis can be applied to the TAKACP-2 scheme. According to the analytic procedures of the BAN logic, the proposed TAKACP-1 scheme must satisfy the following goals: Goal (1): , Goal (2): , Goal (3): , Goal (4): .

The generic form of the proposed TAKACP-1 scheme is described below. From message M₁, U⟶S: {c, n₁}_n, , < c₀, x,T_i(x)>_c. From message M₂, S⟶U: , . From message M₃, U⟶S: .

The idealized form of the proposed TAKACP-1 scheme in the language of formal logic is given below. Message M₁: : . Message M₂: : . Message M₃: US: .

We make the assumptions about the initial state to analyze the proposed TAKACP-1 scheme: H₁: , ; H₂: , ; H₃: ; H₄: ; H₅: ; H₆: ; H₇: .

According to the BAN logic and the assumptions, we give the main proof as follows:

From message M₁, we have S₁: . From S₁, H₃, and Rule (1), we have S₂: . From S₂, H₂, Rule (2) and Rule (3), we have S₃: . From S₃, H₅, and Rule (4), we have S₄: . From message M₂, we have S₅: . From S₅, H₄, and Rule (1), we have S₆: . From S₆, H₁, Rule (2), and Rule (3), we have S₇: (Goal (1)). From S₇, H₆, and Rule (4), we have S₈: (Goal (2)). From message M₃, we have S₉: . From S₉, S₄, and Rule (1), we have S₁₀: . From S₁₀, H₂, Rule (2), and Rule (3), we have S₁₁: (Goal (3)). From S₁₁, H₇, and Rule (4), we have S₁₂: (Goal (4)).

6.3. Informal Security Analysis

In this section, we analyze the security of the proposed protocols. We will show that the proposed protocols satisfy the essential security requirements, including the ability to provide medium unlinkability, the contributory property of key agreements, session key security, two-factor secrecy, and free updating of passwords. Furthermore, we confirm that the proposed schemes can withstand replay attacks and password-guessing attacks. In the following, we will not expound the two-factor security since its proof has been given in Part A and Part B of Section 4, respectively.

6.3.1. Medium Unlinkability

In Part A of Section 4, we have demonstrated that our protocols can provide medium unlinkability. Now, we compare the privacy-preserving of our protocols with that of the schemes of Guo-Chang [19], Lin [20], and Sun et al. [24].

In the Guo-Chang scheme, since the user identity is encrypted with the master key of the server into the login request R, any adversary A cannot reveal the user identity. So Pr[A^Guess] = 1/N. However, R is unchanged until the user updates the password. Thus, any outside adversary can distinguish whether the users in two authentication sessions are identical. That is, . Thus, we have Adv^Anon−Alone(A) = 0 and Adv^Weak−Unlin(A)≥1/2. Hence, the Guo-Chang scheme provides anonymity-alone but weak unlinkability. Similarly, since every request of the user contains the unchanged element IM, Sun et al.’s scheme [24] only achieves the property anonymity-alone.

The Lin scheme can provide weak unlinkability. Specifically, although the elements Q and R are kept unchanged, they are transmitted in the ciphertext . Since any outside adversary A₂ cannot calculate the key , they cannot obtain R. But any inside adversary A₁ can compute and acquire Q, R. For every login of the user, the parameters {Q, R} are static until the user changes its password or identity. Thus, A₁ can still decide whether different login requests are from the same user or not. Then, we have . Hence, Adv^Medium-Unlin(A) > 1/2. The Lin scheme cannot provide medium unlinkability.

In the proposed protocols, i and x are chosen randomly by every individual user. Therefore, no unchanged login message can be derived by the other registered users. Thus, we obtain that Adv^Medium-Unlin(A) = 0. However, each time the user logins to the server, the server validates his or her identity. So, the advantage Adv^Strong-Unlin(A) is nonnegligible. The proposed schemes cannot achieve the medium unlinkability.

6.3.2. Contributory Property of Key Agreement

In the proposed protocols, the session key SK is h(ID||T_i(x)||T_j(x)||n₁||n₂||T_i(T_j(x))). Only for the TAKACP-1 scheme, the server can use the method mentioned in [18, 44] to compute and , thus satisfying , , where represents a previous parameter. Since x, and n₁ are randomly selected by the user and SK contains and n₁, the server still fails to predetermine a session key. Likewise, since T_j(x) and n₂ are randomly selected by the server and SK contains T_j(x) and n₂, the user cannot predetermine a session key. Notably, neither the server nor the user can determine the specific session key alone in advance. Therefore, the proposed protocols satisfy the contributory property of key agreements.

6.3.3. Session Key Security

Firstly, since i, j, n₁ and n₂ are selected randomly in every run of the protocols, the session key SK = h(ID||T_i(x)|| T_j(x)||n₁||n₂||T_i(T_j(x))) is independent of the previously generated session keys. Thus, the proposed protocols can resist against known-key attacks.

Secondly, we demonstrate that the proposed protocols can prevent any inside adversary from computing the session keys. Consider that an inside adversary A₁ has eavesdropped the communication messages between the user and the server. Since A₁ is a legal user of the same server, A₁ knows n. However, n₁ cannot be derived from e without the server’s private keys p and q, where mod n, owing to the quadratic residue assumption. Thus, the adversary cannot still recover x||T_i(x) from without the knowledge of n₁, where . Moreover, A cannot work out h(ID||n₁). A₁ cannot obtain n₂||T_j(x) from , since . Since , , and , due to the one-way property of the hash function, A₁ cannot determine T_i(x), T_j(x), or SK. In a word, the session key cannot be derived from the messages transmitted over the public channel. The proposed schemes achieve session key security.

6.3.4. Free Updating of Password

As described in Part C of Section 5, a user can freely update password without any interaction with the server during the password change phase.

6.3.5. Resistance to Password Guessing Attacks

In the proposed TAKACP protocols, the login request message e is information that involves password PW. An inside adversary A₁ may guess the password through the equation c = d₁⊕h(ID||PW). However, an inside adversary A₁ cannot still obtain c from e since mod n. Therefore, the proposed protocols can resist password guessing attacks.

6.3.6. Resistance to Replay Attacks

The proposed schemes maintain freshness by using two nonces and two chaotic maps. Specifically, the proposed protocols guarantee the freshness of messages by using T_i(x) and n₁ in Step A1, T_j(x) and n₂ in Step A2, and {T_i(x), T_j(x), n₁, n₂} in Steps A3 and A4, respectively. Since n₁ is protected by the quadratic residues, only the server and the user itself know it. T_i(x), T_j(x), and n₂ are contained in and . They can be calculated only when one knows the nonce n₁. Therefore, the proposed schemes can prevent replaying attacks.

7. Security, Functionality, and Performance Comparison

In this section, we will make a comparison with the related TAKACP protocols in terms of security, functionality, and performance.

7.1. Security Comparison

We compare the security of our proposed TAKACP schemes with respect to the related authenticated key agreement schemes [19–25, 27–30]. Table 6 summarizes the security properties of the proposed schemes and illustrates the comparison result.

As is indicated in Table 6, the proposed schemes are highly secure as compared to the related authenticated key agreement schemes [19–25, 27–30]. Especially, the proposed schemes can deal with several imperative security issues which most of the authenticated key agreement protocols based on the Chebyshev polynomials defined on the interval [−1,+1] suffer from. For example, the proposed schemes eliminate their weaknesses of the Lin scheme and the Guo-Chang scheme. In contrast, the authentication protocols [22, 23, 25, 28, 29] cannot preserve user anonymity. The protocol in [27] cannot provide the contributory property of key agreement since the session key is determined by the user. The authentication protocols [19, 20, 23] even cannot provide the session key security. Those protocols presented in [19–21, 23] cannot provide free updating of passwords. The Guo-Chang scheme achieves the anonymity-alone, while the Lin scheme provides weak unlinkability. The proposed schemes achieve the property, medium unlinkability. Note that designing the two-factor authentication protocol with strong unlinkability is still challenging.

7.2. Performance Comparison

In this section, we evaluate the performance of the proposed schemes and make a comparison with the related authenticated key agreement schemes [19–25] in terms of the communication cost, storage, and computational overhead.

We suppose that the block size of secure symmetric cryptosystems is 128 bits, and the output size of a secure one-way hash function is 256 bits. In order to make the factoring problems infeasible in practical implementation, let the module n be an integer of 1024 bits. Since the registration of our schemes is based on a one-way hash function, the password length can be 128 bits. Suppose that the size of ID is 64 bits. In our proposed scheme, the cryptographic parameters {c, d} must be stored in the smart card. The length of this information is 1152 + 128 = 1280 bits, where d can be 128 bits and c must be encrypted in nine blocks. The size of the information stored in the smart card is 64 + 64 + 128 × 7 + 1024 = 2048 bits in Fan et al.’s scheme [22], 128 × 3 + 128 + 64 + 64+256 = 896 bits in Juang et al.’s scheme [23], 128 + 128 × 3 = 512 bits in Sun et al.’s scheme [24], 128 × 3 + 128 + 64 + 64 = 640 bits in Li et al.’s scheme [25], 128 × 3 + 256 + 256 = 896 bits in Guo et al.’s scheme [19], 128 × 3 + 256 + 128 + 128 = 896 bits in Lin’s scheme [20], and 128 × 2 + 128 + 128 = 512 bits in Lee’s scheme [21]. As is shown in Table 7, during the registration, the smart card needs a little larger storage space in the proposed schemes than those in other schemes [19–25, 28, 29]. However, it is practically insignificant considering the fact that most current mobile devices, including 4G cellular phones, personal digital assistants (PDAs), and notebook computers, have over a few hundred MB or a few GB of available memory.

In our proposed schemes, the messages transmitted in the registration phase are {ID, d}. The communication cost of the login protocol is 64 + 256 = 320 bits. The total size of messages transmitted during the authenticated key exchange phase for cryptographic parameters , , and {} is (1024 + 256 + 256) + (256 + 256) + 256 = 2294 bits. The authenticated key exchange phase requires three rounds of message transmission. During the password change, the proposed schemes require no message transmission between the user and the server since the server is not involved with the phase. Let the module number of the elliptic curve be an integer of 163 bits in Juang et al.’s scheme [23] and Sun et al.’s scheme [24]. Let the time stamp be a string of 32 bits in Guo et al.’s scheme [19], Lin’s scheme [20], and Lee’s scheme [21]. In Juang et al.’s scheme, the communication cost of the login phase about cryptographic parameters , {u, M_s}, and {M_U} is (384 + 384) + (256 + 256) + 256 = 1536 bits, where is the encryption of three blocks. The password change phase of Juang et al.’s scheme [23] requires that the user needs to agree on a session key with the server through the log-in phase in advance and then transmit the messages and , respectively. Hence, the size of the message transmitted in the password change phase of Juang et al.’s scheme is 2560 bits. By similar analysis, we can evaluate the communication cost of other related schemes [19–22, 24, 25, 27–30]. The communication cost and storage cost among our schemes and related schemes are shown in Table 7.

As can be seen from Table 7, during the authenticated key exchange phase, the size of the message transmitted between the user and the server in the proposed schemes is a little larger than the size of the message in the schemes [19–24,29]. However, the proposed schemes can provide the user with stronger privacy protection than the schemes in [22–24]. It also can achieve the session key confirmation, but the schemes [19–21,29] cannot provide the function. Moreover, the scheme in [29] cannot preserve the anonymity of the user. During the password change phase in the proposed schemes, no message transmission between the user and the serve is required. Compared with the proposed scheme, the server of the other schemes [19–23,25] is involved with the password change. Furthermore, quite a few messsages will be transmitted between the user and the server.

Now, we evaluate the computation cost of our protocols and related protocols. Let T_c denote the time to execute a Chebyshev polynomial computing. Let T_s represent the time to execute a symmetric encryption/decryption operation. We refer to T_h as the time to execute a one-way hash function operation. Let T_m denote the time to execute a scalar multiplication in the elliptic curve group. T_e represents the time to execute one exponentiation operation. We denote by T_sq the time to execute a squaring operation. T_crt represents the time to solve the square root through the CRT method. Since the XOR operations cost very little, we neglect it. Since a user is required to register with a server one time, the computational cost in the registration phase is not listed in Table 8.

The proposed protocols protect the random number n₁ and the shared secret c by using the quadratic residues. The user requires one modular squaring operation, and the server requires one square root solving operation through the CRT and one symmetric decryption. The proposed protocols require no symmetric encryption operation. It needs only one Chebyshev polynomial computing in the user, which is less than one (two) Chebyshev polynomial computing than those in the Lin scheme (the Guo-Chang scheme). The proposed protocol requires one symmetric encryption operation and one Chebyshev polynomial computing in the server, which is less than two (one) symmetric encryption operations and two (two) Chebyshev polynomial computing than those in the Lin scheme (the Guo-Chang scheme). In the proposed protocols, one modular squaring operation does not affect user efficiency since the implementation of one modular squaring [35] can be reduced to only a few hundred gate-equivalents. In practical implementation of the proposed protocols, to efficiently compute the square roots in , the server does the pre-computation [22]. To be specific, S pre-computes and stores the inverse p’ of p modular q and the inverse q’ of q modular p. In order to compute the square root of a, one first computes mod p and , then he or she can calculate rapidly the four square roots of a in , for example, (p’pa₂ + q’qa₁) mod n. Due to p ≡ q ≡ 3 (mod 4), the computation of (a₁, a₂) requires about the same time as performing a modular exponentiation computation in . Consequently, we have .

We have executed these operations by utilizing PyCrypto library in Python language in the computer with 16 GB RAM and a clock speed of 3.60 GHz. The time cost of all operations is as follows: T_h ≈ 0.0035 ms, T_c ≈ 0.1215 ms, T_s ≈ 0.0105 ms, T_m ≈ 0.109 ms, T_sq ≈ 0.0035 ms, and T_crt ≈ 0.0028 ms. Table 8 summarizes the computation cost of our scheme with those described in [19–25, 27–30]. As shown in Table 8 and Figure 6, during the authenticated key exchange phase, both the user and the server in the proposed protocols are required at the lowest computation cost among these two-factor authentication protocols [19–21, 29, 30] based on chaotic maps. In addition, the proposed schemes require no involvement of the server during the password change phase. Moreover, in comparison with the related schemes [19–25], the user is required at a very low computation cost during the password change phase of the proposed schemes.

8. Conclusion

In this paper, we examine the limitations of Lin’s chaotic map-based authenticated key agreement protocol. We have proposed two TAKACP protocols with key confirmation. Compared with the Lin protocol and the Guo-Chang protocol, the proposed protocols achieve the following additional merits: session key secrecy, medium unlinkability, and free updating of passwords. The proposed protocols with the enhanced security do not affect the user’s or the server’s efficiency. Therefore, the proposed protocols are highly feasible for practical implementation.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The author declares that there are no conflicts of interest.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China (Grant nos. 61862028 and 61702238), the Natural Science Foundation of Jiangxi Province (Grant no. 20181BAB202016), and the Science and Technology Project of Provincial Education Department of Jiangxi (Grant nos. GJJ160430 and GJJ180288).

References

Z. Tan, “Secure delegation-based authentication for telecare medicine information systems,” IEEE Access, vol. 6, no. 1, pp. 26091–26110, 2018.
View at: Publisher Site | Google Scholar
W. Ding and W. Ping, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure, vol. 15, no. 4, pp. 708–722, 2018.
View at: Google Scholar
M. Gupta and N. S. Chaudhari, “Anonymous two factor authentication protocol for roaming service in global mobility network with security beyond traditional limit,” Ad Hoc Networks, vol. 84, no. 1, pp. 56–67, 2019.
View at: Publisher Site | Google Scholar
Y. Cao, Q. Zhang, F. Li, S. Yang, and Y. Wang, “PPGPass: nonintrusive and secure mobile two-factor Authentication via wearables,” in Proceedings of the IEEE INFOCOM 2020 - IEEE Conference on Computer Communications, pp. 1917–1926, Toronto, Canada, April 2020.
View at: Publisher Site | Google Scholar
M. Fotouhi, M. Bayat, A. K. Das, H. A. N. Far, S. Morteza Pournaghi, and M.A. Doostari, “A lightweight and secure two-factor authentication scheme for wireless body area networks in health-care IoT,” Computer Network, vol. 177, Article ID 107333, 2020.
View at: Publisher Site | Google Scholar
M. F. Ayub, S. Shamshad, K. Mahmood, S. H. Islam, R. M. Parizi, and K.-K. R. Choo, “A provably secure two-factor Authentication scheme for USB storage devices,” IEEE Transactions on Consumer Electronics, vol. 66, no. 4, pp. 396–405, 2020.
View at: Publisher Site | Google Scholar
P. Gope and B. Sikdar, “Lightweight and privacy-preserving two-factor authentication scheme for IoT devices,” IEEE Internet of Things Journal, vol. 6, no. 1, pp. 580–589, 2019.
View at: Publisher Site | Google Scholar
Y. J. Niu and X. Y. Wang, “An anonymous key agreement protocol based on chaotic maps,” Communication Nonlinear Science Numerical Simulators, vol. 16, pp. 1986–1992, 2011.
View at: Google Scholar
E.-J. Yoon, “Efficiency and security problems of anonymous key agreement protocol based on chaotic maps,” Communications in Nonlinear Science and Numerical Simulation, vol. 17, no. 7, pp. 2735–2740, 2012.
View at: Publisher Site | Google Scholar
Q. Jiang, F. Wei, S. Fu, J. Ma, G. Li, and A. Alelaiwi, “Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy,” Nonlinear Dynamics, vol. 83, no. 4, pp. 2085–2101, 2016.
View at: Publisher Site | Google Scholar
X. Li, J. Niu, S. Kumari et al., “A novel chaotic maps-based user authentication and key agreement protocol for multi-server environments with provable security,” Wireless Personal Communications, vol. 89, no. 2, pp. 569–597, 2016.
View at: Publisher Site | Google Scholar
S. Roy, S. Chatterjee, A. K. Das, S. Chattopadhyay, S. Kumari, and M. Jo, “Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing internet of things,” IEEE Internet of Things Journal, vol. 5, no. 4, pp. 2884–2895, 2018.
View at: Publisher Site | Google Scholar
Z. W. Tan, “A privacy-preserving multi-server authenticated key-agreement scheme based on Chebyshev chaotic maps,” Security Communication Networks., vol. 9, pp. 1384–1397, 2016.
View at: Google Scholar
V. Sureshkumar, R. Amin, M. S. Obaidat, and I. Karthikeyan, “An enhanced mutual authentication and key establishment protocol for TMIS using chaotic map,” Journal of Information Security and Applications, vol. 53, Article ID 102539, 2020.
View at: Publisher Site | Google Scholar
S. Kumari, X. Li, F. Wu, A. K. Das, H. Arshad, and M. K. Khan, “A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps,” Future Generation Computer Systems, vol. 63, pp. 56–75, 2016.
View at: Publisher Site | Google Scholar
J. Srinivas, A. K. Das, M. Wazid, and N. Kumar, “Anonymous lightweight chaotic map-based authenticated key agreement protocol for industrial internet of things,” IEEE Transactions on Dependable and Secure Computing, vol. 17, no. 6, pp. 1133–1146, 2020.
View at: Publisher Site | Google Scholar
S. Chatterjee, S. Roy, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, “Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 824–839, 2018.
View at: Publisher Site | Google Scholar
K. Y. Cheong and T. Koshiba, “More on security of public-key cryptosystems based on chebyshev polynomials,” IEEE Transactions on Circuits & Systems II Express Briefs, vol. 54, no. 9, pp. 795–799, 2007.
View at: Google Scholar
C. Guo and C.-C. Chang, “Chaotic maps-based password-authenticated key agreement using smart cards,” Communications in Nonlinear Science and Numerical Simulation, vol. 18, no. 6, pp. 1433–1440, 2013.
View at: Publisher Site | Google Scholar
H.-Y. Lin, “Improved chaotic maps-based password-authenticated key agreement using smart cards,” Communications in Nonlinear Science and Numerical Simulation, vol. 20, no. 2, pp. 482–488, 2015.
View at: Publisher Site | Google Scholar
T.-F. Lee, C.-H. Hsiao, S.-H. Hwang, and T.-H. Lin, “Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps,” PLoS One, vol. 12, no. 7, Article ID e0181744, 2017.
View at: Publisher Site | Google Scholar
C.-I. Fan, Y.-C. Chan, and Z.-K. Zhang, “Robust remote authentication scheme with smart cards,” Computers & Security, vol. 24, no. 8, pp. 619–628, 2005.
View at: Publisher Site | Google Scholar
W.-S. Juang, S.-T. Chen, and H.-T. Liaw, “Robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 55, no. 6, pp. 2551–2556, 2008.
View at: Publisher Site | Google Scholar
D. Z. Sun, J. P. Huai, J. Z. Sun, J. X. Li, J. W. Zhang, and Z. Y. Feng, “Improvements of Juang ‘s password-authenticated key agreement scheme using smart cards,” IEEE Transactions on Industrial Electronics, vol. 56, no. 6, pp. 2284–2291, 2009.
View at: Publisher Site | Google Scholar
X. X. Xiangxue Li, W. D. Weidong Qiu, D. Dong Zheng, K. F. Kefei Chen, and J. H. Jianhua Li, “Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 57, no. 2, pp. 793–800, 2010.
View at: Publisher Site | Google Scholar
Q. Xie, D. S. Wong, G. Wang, X. Tan, K. Chen, and L. Fang, “Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1382–1392, 2017.
View at: Publisher Site | Google Scholar
T. Maitra, M. S. Obaidat, R. Amin, S. H. Islam, S. A. Chaudhry, and D. Giri, “A robust ElGamal based password authentication protocol using smart card for client-server communication,” International Journal of Communication Systems, vol. 30, no. 11, Article ID e3242, 2017.
View at: Publisher Site | Google Scholar
S. A. Chaudhry, I. L. Kim, S. Rho, M. S. Farash, and T. Shon, “An improved anonymous authentication scheme for distributed mobile cloud computing services,” Cluster Computing, vol. 22, no. S1, pp. 1595–1609, 2019.
View at: Publisher Site | Google Scholar
A. Irshad, M. Sher, S. A. Chaudhary, H. Naqvi, and M. S. Farash, “An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre,” The Journal of Supercomputing, vol. 72, no. 4, pp. 1623–1644, 2016.
View at: Publisher Site | Google Scholar
A. Irshad, S. A. Chaudhry, Q. Xie et al., “An enhanced and provably secure chaotic map-based authenticated key agreement in multi-server architecture,” Arabian Journal for Science and Engineering, vol. 43, no. 2, pp. 811–828, 2018.
View at: Publisher Site | Google Scholar
D. Xiao, X. Liao, and S. Deng, “A novel key agreement protocol based on chaotic maps,” Information Sciences, vol. 177, no. 4, pp. 1136–1142, 2007.
View at: Publisher Site | Google Scholar
M. S. Baptista, “Cryptography with chaos,” Physics Letter A, vol. 240, no. 1–2, pp. 50–54, 1998.
View at: Publisher Site | Google Scholar
L. Kocarev, “Chaos-based cryptography: a brief overview,” IEEE Circuits and Systems Magazine, vol. 1, no. 3, pp. 6–21, 2001.
View at: Publisher Site | Google Scholar
X. Guo and J. Zhang, “Secure group key agreement protocol based on chaotic hash,” Information Sciences, vol. 180, no. 20, pp. 4069–4074, 2010.
View at: Publisher Site | Google Scholar
T.-F. Lee, “Enhancing the security of password authenticated key agreement protocols based on chaotic maps,” Information Sciences, vol. 290, pp. 63–71, 2015.
View at: Publisher Site | Google Scholar
K. Xue and P. Hong, “Security improvement on an anonymous key agreement protocol based on chaotic maps,” Communications in Nonlinear Science and Numerical Simulation, vol. 17, no. 7, pp. 2969–2977, 2012.
View at: Publisher Site | Google Scholar
Z. Tan, “A chaotic maps-based authenticated key agreement protocol with strong anonymity,” Nonlinear Dynamics, vol. 72, no. 1-2, pp. 311–320, 2013.
View at: Publisher Site | Google Scholar
P. Gong, P. Li, and W. Shi, “A secure chaotic maps-based key agreement protocol without using smart cards,” Nonlinear Dynamics, vol. 70, no. 4, pp. 2401–2406, 2012.
View at: Publisher Site | Google Scholar
X.-Y. Wang and D.-P. Luan, “A secure key agreement protocol based on chaotic maps,” Chinese Physics B, vol. 22, no. 11, Article ID 110503, 2013.
View at: Publisher Site | Google Scholar
H.-Y. Lin, “Chaotic map based mobile dynamic ID authenticated key agreement scheme,” Wireless Personal Communications, vol. 78, no. 2, pp. 1487–1494, 2014.
View at: Publisher Site | Google Scholar
S. H. Islam, M. S. Obaidat, and R. Amin, “An anonymous and provably secure authentication scheme for mobile user,” International Journal of Communication Systems, vol. 29, no. 9, pp. 1529–1544, 2016.
View at: Publisher Site | Google Scholar
S. H. Islam, “Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps,” Nonlinear Dynamics, vol. 78, no. 3, pp. 2261–2276, 2014.
View at: Publisher Site | Google Scholar
X. Hao, J. Wang, Q. Yang, X. Yan, and P. Li, “A chaotic map-based authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 37, no. 2, pp. 9919–9927, 2013.
View at: Publisher Site | Google Scholar
P. Bergamo, P. D'Arco, A. De Santis, and L. Kocarev, “Security of public-key cryptosystems based on Chebyshev polynomials,” IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 52, no. 7, pp. 1382–1393, 2005.
View at: Publisher Site | Google Scholar
L. Zhang, “Cryptanalysis of the public key encryption based on multiple chaotic systems,” Chaos, Solitons & Fractals, vol. 37, no. 3, pp. 669–674, 2008.
View at: Publisher Site | Google Scholar
M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990.
View at: Publisher Site | Google Scholar
P. Syverson and I. Cervesato, “The logic of authentication protocols,” in FOSAD 2000, LNCS 2171, Springer, Berlin, Heidelberg, 2001.
View at: Google Scholar
K. Bicakci and N. Baykal, “One-time passwords: security analysis using BAN logic and integrating with smartcard authentication,” Computer and Information Sciences - ISCIS 2003, vol. 2869, pp. 794–801, 2003.
View at: Publisher Site | Google Scholar
M. Ballare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS’93), pp. 62–73, Fairfox, VA, USA, March 1993.
View at: Google Scholar
M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” Advances in Cryptology - EUROCRYPT 2000, vol. 18, pp. 139–155, 2000.
View at: Publisher Site | Google Scholar
V. Shoup, “Sequences of games: a tool for taming complexity in security proofs,” 2005, http://www.shoup.net.
View at: Google Scholar
D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2021 Zuowen Tan. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

294

Downloads

596

Citations

Security and Communication Networks

Emerging Authentication, Identification, and Authorization Technologies

Privacy-Preserving Two-Factor Key Agreement Protocol Based on Chebyshev Polynomials

Abstract

1. Introduction

1.1. Motivation

1.2. Our Contributions

1.3. System Model

1.3.1. Network Model

1.3.2. Adversary Model

1.4. Organization of the Paper

2. Related Work

2.1. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval (−∞, +∞) and Their Limitations

2.2. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval [−1,+1] and Their Limitations

3. Mathematical Preliminaries

3.1. Mathematical Preliminaries

3.2. Notions of Privacy in TAKACP Protocols

4. Cryptanalysis of the Lin Takacp Protocol

4.1. Brief Review of Lin’s Takacp Protocol

4.1.1. System Initialization

4.1.2. User Registration Phase

4.1.3. Authenticated Key Exchange Phase

4.1.4. Password Change Phase

4.2. Security Weaknesses of Lin’s TAKACP Protocol

4.2.1. Violation of the Session Key Security

4.2.2. Suffering from User Impersonation Attack

4.2.3. Linking Different Sessions to a Same User

4.2.4. Defects of the Password Change

5. The Proposed Takacp Protocol

5.1. Registration Phase

5.2. Authenticated Key Exchange PHASE

5.3. Password Change Phase

5.4. Registration Phase of TAKACP-2

6. Security Analyses

6.1. Formal Security Analysis in Random Oracle Model

6.2. Authentication Proof Based on BAN-Logic

6.3. Informal Security Analysis

6.3.1. Medium Unlinkability

6.3.2. Contributory Property of Key Agreement

6.3.3. Session Key Security

6.3.4. Free Updating of Password

6.3.5. Resistance to Password Guessing Attacks

6.3.6. Resistance to Replay Attacks

7. Security, Functionality, and Performance Comparison

7.1. Security Comparison

7.2. Performance Comparison

8. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright