
Accepted Manuscript

Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards
Han-Yu Lin
PII: S1007-5704(14)00245-7
DOI: http://dx.doi.org/10.1016/j.cnsns.2014.05.027
Reference: CNSNS 3210

To appear in: Communications in Nonlinear Science and Numerical Simulation

Received Date: 7 June 2013
Revised Date: 20 May 2014
Accepted Date: 26 May 2014

Please cite this article as: Lin, H-Y., Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards, Communications in Nonlinear Science and Numerical Simulation (2014), doi: http://dx.doi.org/10.1016/j.cnsns.2014.05.027

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers
we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and
review of the resulting proof before it is published in its final form. Please note that during the production process
errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards
Han-Yu Lin
Department of Computer Science and Engineering
National Taiwan Ocean University
Keelung, 202, Taiwan

Correspondence to:
Assistant Professor Han-Yu Lin, Ph.D.
Department of Computer Science and Engineering
National Taiwan Ocean University
2, Beining Road, Keelung, 202
Taiwan, Republic of China
E-mail: lin.hanyu@msa.hinet.net
Tel: +886-2-2462-2192 ext 6656
Fax: +886-2-2462-3249

Abstract

Elaborating on the security of password-based authenticated key agreement, in this paper the author cryptanalyzes the chaotic maps-based password-authenticated key agreement recently proposed by Guo and Chang. Specifically, their protocol cannot achieve strong user anonymity, because a fixed parameter is sent in every login request, and a malicious adversary is able to derive the shared session key by exploiting the semi-group property of Chebyshev chaotic maps. Additionally, the author presents an improved scheme that eliminates the above weaknesses while maintaining the efficiency of the original.

Keywords: authentication, key agreement, chaotic map, smart card, cryptanalysis.

1 Introduction

Key agreement protocols, also known as key exchange protocols, aim at establishing a common session key between two communicating parties. The key challenge in designing such a protocol is how to securely and efficiently derive a session key that is known only to the communicating parties. Based on the discrete logarithm problem (DLP), Diffie and Hellman [6] introduced the first key agreement protocol in 1976. In their scheme, each party contributes a partial value to the final session key. However, later analyses showed that, because the exchange itself is unauthenticated, a malicious adversary can easily mount the so-called man-in-the-middle attack to fool both sides. Many related protocols have since been proposed. According to their essential structures, we classify these schemes into the following types:
(1) Pure password-based protocols:
In 1981, Lamport [14] proposed a password-based authentication scheme in which a user is authenticated by a predefined password stored at the server. That is, the server has to maintain a password table for verification. Although a secure hash function was employed to protect users' passwords from being learned directly by any outsider, some security vulnerabilities were still found in this scheme. Since then, many password-based studies [9, 17, 19, 20] have been proposed to either strengthen the security level or improve the efficiency of existing schemes.

(2) Dynamic protocols:
In 2004, Das et al. [5] raised the importance of keeping a user's identity secret during communication, since an adversary might easily reveal the identity of the communicating user by eavesdropping on the transmitted messages. Owing to this concern, they introduced the notion of dynamic authentication (also called anonymous authentication), in which a user first transforms his static ID into a dynamic one and then uses the dynamic ID to request access to the server. Since the dynamic ID changes from session to session, and deriving the static ID from a dynamic one is hard because the transformation is based on a trapdoor one-way function, an adversary cannot obtain the real user identity. However, later research [15, 24, 28] pointed out potential security flaws in Das et al.'s scheme and gave corresponding amendments. Inspired by Wang et al.'s scheme [24], in 2010 Khan et al. [11] came up with a new dynamic ID authentication protocol with better efficiency.
(3) Dynamic protocols with smart cards:
In 2010, Tsai et al. [22] utilized a smart card to assist with the user login process and demonstrated that the user identity in previous works [24, 28] could be exposed. In 2011, Wen and Li [25] introduced a dynamic key agreement scheme further supporting revocation and secret renewal for both users and servers. Yet, in 2012, Tang and Liu [21] claimed that the Wen-Li scheme cannot be deployed in practical applications due to several security drawbacks. In addition to the above schemes, more related studies based on dynamic IDs can be found in [1, 4, 8, 10, 13, 16-18, 23, 26, 29].
(4) Chaotic map-based protocols with smart cards:
Using the semi-group property of Chebyshev chaotic maps [2, 12], Xiao et al. [27] presented the first chaos-based authenticated key agreement protocol. Such a scheme needs neither large primes nor costly modular exponentiation, and has therefore received much attention in recent years. In 2013, Guo and Chang [7] proposed a chaotic maps-based password-authenticated key agreement using smart cards. They claimed that their scheme possesses the necessary characteristics and achieves the essential security requirements.
In this paper, the author focuses on the security of one recently proposed chaotic map-based protocol with smart cards, the Guo-Chang scheme. The first contribution of this paper is to cryptanalyze the Guo-Chang scheme. More precisely, the author points out two drawbacks of their scheme. One is that the protocol cannot fully protect the user's identity, because a fixed value is sent in every login request. The other is that a malicious adversary is capable of deriving the mutually shared session key by intercepting the messages transmitted between the user and the server. The second contribution of this paper is an improved variant that amends the above security weaknesses without increasing the computational complexity.
The rest of this paper is organized as follows. Section 2 states some preliminaries. The formal model of an authenticated key agreement protocol is described in Section 3. Section 4 briefly reviews the Guo-Chang scheme. The cryptanalysis and the improvement are detailed in Section 5. Finally, a conclusion is presented in Section 6.

2 Preliminaries

We first state the properties of Chebyshev chaotic maps and the related computational problems that will be employed in the proposed scheme.

Let $a$ be a random integer and $x \in_R [-1, 1]$. The Chebyshev polynomial of degree $a$ is defined as $T_a(x) = \cos(a \arccos(x))$. The recurrence relation of the Chebyshev polynomials is

$$T_0(x) = 1, \quad T_1(x) = x, \quad T_2(x) = 2x^2 - 1,$$
$$T_{a+1}(x) = 2x\,T_a(x) - T_{a-1}(x), \quad a \in \mathbb{N}.$$

Chebyshev polynomials exhibit two important properties:

Semi-group property

$$T_a(T_b(x)) = \cos(a \arccos(\cos(b \arccos(x)))) = \cos(ab \arccos(x)) = T_{ab}(x) = T_b(T_a(x)).$$

Chaotic property

When $a > 1$, the Chebyshev polynomial map $T_a : [-1, 1] \to [-1, 1]$ of degree $a$ is a chaotic map with invariant density $f(x) = 1/(\pi\sqrt{1 - x^2})$ and positive Lyapunov exponent $\lambda = \ln a > 0$.

Chaotic Maps Discrete Logarithm Problem (CMDLP)

Given two random values $x, y \in_R [-1, 1]$, it is computationally infeasible to find an integer $a$ such that $y = T_a(x)$.

Computational Chaotic Maps Diffie-Hellman Problem (CCMDHP)

Given the three values $x$, $T_a(x)$ and $T_b(x)$, it is computationally infeasible to compute $T_{ab}(x) = T_a(T_b(x)) = T_b(T_a(x))$.

3 Formal Model of Authenticated Key Agreement (AKA) Protocol

In this section, we describe the parties involved in an AKA protocol and the algorithms that compose it.

3.1 Involved Parties

An AKA protocol has two involved parties: a user (client) and a remote
server. Each party is a probabilistic polynomial-time Turing machine (PPTM).
The user will generate a login request and send it to the server. After the
mutual authentication has been achieved, a shared session key will be created
for subsequent secure communication.

3.2 Algorithms

An AKA protocol is composed of the following algorithms:

- System initialization: this algorithm generates the system parameters.
- User registration: a user runs this algorithm to become a legitimate member of the system.
- Authenticated key exchange: this algorithm is performed by both the user and the server to authenticate each other and create a shared secret key.
- Password change: a user runs this algorithm to change his password.

4 Brief Review of the Guo-Chang Scheme

We describe the detailed steps of the Guo-Chang scheme [7] as follows.

System initialization: the server $Sv$ first computes a Chebyshev polynomial of degree $r$, i.e., $T_r(x)$ where $x \in [-1, 1]$, and then selects a one-way hash function $h(\cdot)$ and a symmetric encryption function $E_k(\cdot)$ under the key $k$. Note that $Sv$ has to keep $r$ secret.

User registration: a user $U$ with identity $ID$ and password $PW$ first selects an integer $t$ and runs the following steps with $Sv$:
1. Send $\{ID, H = h(PW, t)\}$ to $Sv$ via a secure channel.
2. $Sv$ verifies $ID$ and computes $R = E_s(ID, H)$, where $s$ is the master key.
3. A smart card $SC$ containing $(R, h(\cdot), E_k(\cdot), x, T_r(x))$ is returned to $U$.
4. $U$ stores $t$ in $SC$.

Authenticated key exchange: $U$ first enters his $(ID, PW)$, and then $SC$ runs the following steps with $Sv$:
1. Choose $j$, compute $v = T_j(T_r(x))$ and $Q = h(ID, H)$, and send $(R, T_j(x), E_v(Q, R, T_1))$ to $Sv$, where $T_1$ is the current timestamp.
2. $Sv$ computes $v = T_r(T_j(x))$, decrypts $E_v(Q, R, T_1)$ and verifies whether $T_1$ is within the valid interval $\Delta T$.
3. $Sv$ proceeds to decrypt $R$ and computes $Q' = h(ID', H')$. If $Q = Q'$, $U$ is authenticated; otherwise, the session is terminated.
4. $Sv$ selects $j'$ and sends $E_v(T_{j'}(x), h(ID, T_2), T_2)$ to $SC$, where $T_2$ is the current timestamp.
5. $SC$ decrypts the ciphertext, verifies that $T_2$ is acceptable and computes $h'(ID, T_2)$.
6. If $h'(ID, T_2) = h(ID, T_2)$, $SC$ also authenticates $Sv$.
7. The mutually shared session key $T_j(T_{j'}(x)) = T_{j'}(T_j(x))$ can therefore be derived by both sides.

Password change: $U$ first enters his old and new passwords $(PW, PW^*)$, and then $SC$ runs the following steps with $Sv$:
1. Choose $i$, compute the temporary key $T_i(T_r(x))$, $H' = h(PW, t)$ and $H^* = h(PW^*, t)$, and send $(T_i(x), E_{T_i(T_r(x))}(H', H^*, R))$ to $Sv$.
2. $Sv$ computes $T_r(T_i(x))$, decrypts $E_{T_i(T_r(x))}(H', H^*, R)$ and $R = E_s(ID, H)$, and then checks whether $H' = H$.
3. If it holds, $Sv$ returns $R^* = E_s(ID, H^*)$ to $SC$, which then updates $R$ to $R^*$.

5 Security Weakness and Improvement

In this section, we point out two security weaknesses of the Guo-Chang scheme [7] and then give amendments to eliminate these drawbacks.

5.1 Security Weakness

The first security weakness of the Guo-Chang scheme is that the user identity cannot be fully protected; more precisely, their scheme only achieves partial anonymity. In the authenticated key agreement phase, the smart card sends the login request $(R, T_j(x), E_v(Q, R, T_1))$ to the server. Although the parameter $R = E_s(ID, H)$ is protected with the server's master key $s$, the smart card sends the same $R$ in the clear in every session until the user's password is updated. Using this parameter, any adversary can easily decide whether two intercepted login requests belong to the same user, i.e., link all sessions of one user.

The second security weakness is that a malicious adversary can derive the mutually shared session key between the user and the server after intercepting both transmitted messages. From an intercepted login request $(R, T_j(x), E_v(Q, R, T_1))$ the adversary obtains $T_j(x)$, while $x$ and $T_r(x)$ are public values of the scheme. Although recovering the integer $j$ from $x$ and $T_j(x)$ is assumed to be infeasible (CMDLP), the adversary does not need $j$: since $T_a(x) = \cos(a \arccos(x))$ is evaluated over the reals, the approach of Bergamo et al. [3] yields a real number

$$j^* = \frac{\arccos(T_j(x)) + 2k\pi}{\arccos(x)}, \quad k \in \mathbb{Z},$$

such that $T_{j^*}(x) = T_j(x)$. With the value $j^*$, the adversary computes

$$T_{j^*}(T_r(x)) = T_{j^* r}(x) = T_r(T_{j^*}(x)) = T_r(T_j(x)) = v$$

and decrypts the message $E_v(T_{j'}(x), h(ID, T_2), T_2)$ transmitted from the server to obtain $T_{j'}(x)$. Now the adversary derives the mutually shared session key as

$$T_{j^*}(T_{j'}(x)) = T_{j^* j'}(x) = T_{j'}(T_{j^*}(x)) = T_{j'}(T_j(x)) = T_j(T_{j'}(x)).$$
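The following Python script is an added example written for this page (it is not code from [3] or [7]): it implements the Chebyshev definitions of Section 2 and replays the attack above on constructed parameters $x = 0.9$, $r = 5$, $j = 7$, $j' = 6$, recovering $v$ and the session key from the public $x$, $T_r(x)$ and the transmitted $T_j(x)$, $T_{j'}(x)$. One check a practitioner should make is built in: the real-degree step $T_{j^*}(T_r(x)) = \cos(j^* \arccos(T_r(x)))$ collapses to $\cos(j^* r \arccos x)$ only when $\arccos(\cos(r \arccos x)) = r \arccos x$, i.e. when $r \arccos x \le \pi$ (the session-key step needs the same of $j' \arccos x$), so the script verifies that precondition on its inputs instead of assuming it.

```python
import math

def cheb(a, x):
    """Chebyshev polynomial T_a(x) = cos(a * arccos x) on [-1, 1].  The cosine form
    accepts a non-integer degree a, which is exactly what the attack exploits."""
    return math.cos(a * math.acos(x))

def cheb_rec(n, x):
    """Integer-degree T_n(x) from the recurrence T_{n+1} = 2x T_n - T_{n-1}."""
    t_prev, t_cur = 1.0, x                      # T_0, T_1
    for _ in range(n):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_prev

def collide(x, y, k=0):
    """A real degree j* with T_{j*}(x) == y (Bergamo et al.):
    j* = (arccos(y) + 2k*pi) / arccos(x) for any integer k, so the CMDLP over the
    reals has a cheap solution as soon as an integer solution is not required."""
    return (math.acos(y) + 2 * k * math.pi) / math.acos(x)

def eavesdropper(x, tr_x, tj_x, tj2_x):
    """Passive adversary: knows the public x and T_r(x), reads T_j(x) from the login
    request and T_{j'}(x) from the server's reply once v is known.  Returns (v, key)."""
    j_star = collide(x, tj_x)
    v = cheb(j_star, tr_x)                      # T_{j*}(T_r(x)), equals T_r(T_j(x))
    return v, cheb(j_star, tj2_x)               # T_{j*}(T_{j'}(x)), equals T_j(T_{j'}(x))

def run_session(x=0.9, r=5, j=7, j2=6):
    """Honest values of one Guo-Chang login next to what the eavesdropper recovers.
    Constructed parameters: r*arccos(x) and j2*arccos(x) must lie in [0, pi] so that
    arccos(cos(.)) undoes cos(.) inside the adversary's real-degree steps."""
    theta = math.acos(x)
    if r * theta > math.pi or j2 * theta > math.pi:
        raise ValueError("precondition of the real-degree step not met")
    tr_x, tj_x, tj2_x = cheb(r, x), cheb(j, x), cheb(j2, x)
    v_user, v_server = cheb(j, tr_x), cheb(r, tj_x)        # semi-group: both are T_{jr}(x)
    sk_user, sk_server = cheb(j, tj2_x), cheb(j2, tj_x)    # both are T_{j j'}(x)
    v_adv, sk_adv = eavesdropper(x, tr_x, tj_x, tj2_x)
    return {"j_star": collide(x, tj_x), "T_jr_by_recurrence": cheb_rec(j * r, x),
            "v": v_user, "v_server": v_server, "v_adv": v_adv,
            "sk": sk_user, "sk_server": sk_server, "sk_adv": sk_adv}

if __name__ == "__main__":
    for name, val in run_session().items():
        print(f"{name:20s} {val:+.12f}")
```

Run directly, it prints the honest and adversarial values side by side; `j_star` is not $7$, which is the point: the adversary never learns $j$, yet every real degree produced by `collide` (one per choice of `k`) collides with $T_j(x)$ and is good enough to reach $v$ and the key.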

5.2 Improvement

We introduce an improved scheme to amend the aforementioned security weaknesses in this subsection. Figures 1 to 3 illustrate the user registration, authenticated key exchange and password change phases of the improved scheme, respectively. Details of the modification are stated below:

System initialization: the server selects all necessary parameters $(r, x, T_r(x), h(\cdot), E_k(\cdot))$ as defined in Section 4. Note that the values $(x, T_r(x))$ are now encapsulated in the user's smart card, protected by the password as described below, rather than made public.
User registration: a user first chooses his password $PW$ and a random integer $t$ and performs the following steps with the server:
1. Compute $H = h(PW, t)$ and send the message $\{ID, H\}$ to the server via a secure channel.
2. On receiving it, the server verifies $ID$ and uses its master key $s$ to compute
$$R = E_s(ID, H), \qquad (1)$$
$$D = H \oplus (x \| T_r(x)). \qquad (2)$$

Fig. 1: The user registration phase of our improved scheme

3. A smart card containing $(R, h(\cdot), E_k(\cdot), D)$ is returned to the user via the same secure channel.
4. The user further stores the random number $t$ in his smart card.
Authenticated key exchange: to obtain mutual authentication and create a common session key, the user first enters his $(ID, PW)$, and then the smart card performs the following steps with the server:
1. Choose a random integer $j$ and compute
$$(x \| T_r(x)) = h(PW, t) \oplus D, \qquad (3)$$
$$v = T_j(T_r(x)), \qquad (4)$$
$$Q = h(ID, H), \quad \text{with } H = h(PW, t), \qquad (5)$$
and deliver $(T_j(x), E_v(Q, R, T_1))$ to the server, where $T_1$ is the current timestamp.
2. Upon receiving it, the server computes
$$v = T_r(T_j(x)) \qquad (6)$$
to decrypt $E_v(Q, R, T_1)$, and verifies whether the transmission time from $T_1$ is within the valid interval $\Delta T$.
3. The server then decrypts $R$ with its master key $s$ to obtain $(ID', H')$ and computes
$$Q' = h(ID', H'). \qquad (7)$$

Fig. 2: Schematic of the improved scheme

If $Q = Q'$, the server authenticates the user; otherwise, the session is terminated.
4. The server then selects $j'$ and sends the challenge $E_v(T_{j'}(x), h(ID, T_2), T_2)$ to the smart card, where $T_2$ is the current timestamp.
5. Upon receiving it, the smart card decrypts the ciphertext, verifies that the transmission delay for $T_2$ is acceptable and computes $h'(ID, T_2)$.
6. If $h'(ID, T_2) = h(ID, T_2)$, the smart card also authenticates the server. Otherwise, the connection is terminated.
7. When both sides are authenticated, the mutually shared session key $T_j(T_{j'}(x)) = T_{j'}(T_j(x))$ can be derived by each side.
Password change: the user first enters his old and new passwords $(PW, PW^*)$, and then the smart card performs the following steps with the server:

Fig. 3: The password change phase of our improved scheme

1. Choose a random integer $i$ and compute
$$H' = h(PW, t), \qquad (8)$$
$$(x \| T_r(x)) = H' \oplus D, \qquad (9)$$
$$T_i(T_r(x)), \qquad (10)$$
$$H^* = h(PW^*, t), \qquad (11)$$
and send $(T_i(x), E_{T_i(T_r(x))}(H', H^*, R))$ to the server.
2. After receiving it, the server computes
$$T_r(T_i(x)) \qquad (12)$$
(the secret exponent $r$, not the master key $s$, is used here), decrypts $E_{T_i(T_r(x))}(H', H^*, R)$ and $R = E_s(ID, H)$ with this value and its master key $s$, respectively, and then checks whether $H' = H$.
3. If it holds, the server returns $R^* = E_s(ID, H^*)$ to the smart card, which then updates $R$ to $R^*$.
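The registration and authenticated key exchange phases above, run end to end as an added example written for this page (it is not the author's code; the paper fixes neither the encryption function nor any encodings, so these are assumptions): $E_k(\cdot)$ is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), $h(\cdot)$ is SHA-256 over its arguments, and the mask in $D = H \oplus (x \| T_r(x))$ is $H$ expanded by the same keystream because the two operands differ in length. $T_n(x)$ is evaluated exactly over the rationals, with a constructed $x = 3/10$ and small degrees so the fractions stay short, so that both parties reach bit-identical $v$ and session keys; a floating-point evaluation of $\cos(a \arccos x)$ gives no such guarantee. The password change phase is omitted. The eavesdropper's view of a login is the pair `(T_j(x), ciphertext)`: without the card's $x$ she has nothing to feed into the arccos step of Section 5.1, and both components change with $j$.

```python
import hashlib, hmac, os, secrets, time
from fractions import Fraction
DELTA_T = 60  # accepted clock skew in seconds (assumed value for this example)

def cheb(n, x):
    """T_n(x) via T_{n+1} = 2x T_n - T_{n-1}, evaluated exactly over the rationals."""
    t_prev, t_cur = Fraction(1), Fraction(x)
    for _ in range(n):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_prev

def h(*parts):  # h(): SHA-256 over the '|'-joined arguments (constructed encoding)
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode()
                                    for p in parts)).digest()

def pack(*parts):  # hex fields joined by '|', so ciphertext bytes never collide with '|'
    return "|".join(p.hex() for p in parts).encode()

def unpack(blob):
    return [bytes.fromhex(s) for s in blob.decode().split("|")]

def stream(key, nonce, n):  # HMAC-SHA256 in counter mode: keystream for E_k(), mask for D
    return b"".join(hmac.new(key, nonce + c.to_bytes(4, "big"), "sha256").digest()
                    for c in range(n // 32 + 1))[:n]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def enc(key, msg):  # E_k(): encrypt-then-MAC, standing in for the paper's unspecified cipher
    nonce = os.urandom(16)
    ct = xor(msg, stream(key, nonce, len(msg)))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key, blob):  # None when the tag fails, i.e. when the key is not the peer's v
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return xor(ct, stream(key, nonce, len(ct)))

def kdf(frac):  # symmetric key from a Chebyshev value such as v or T_j(T_{j'}(x))
    return h(b"cheb", str(frac))
def ts():  # current timestamp as bytes
    return str(int(time.time())).encode()

class Server:
    def __init__(self, x=Fraction(3, 10), r=11):   # x and r constructed; r stays secret
        self.s, self.x, self.r, self.tr_x = os.urandom(32), Fraction(x), r, cheb(r, x)

    def register(self, ID, H):  # Eqs. (1)-(2); the user stores t on the card himself
        R = enc(self.s, pack(ID, H))
        secret = f"{self.x}|{self.tr_x}".encode()                # x || T_r(x)
        D = xor(secret, stream(H, b"D", len(secret)))            # H expanded, then XORed
        return {"R": R, "D": D}
    def respond(self, msg):  # server steps 2-4 and 7: (challenge, session key) or (None, why)
        tj_x, ct = msg
        v = kdf(cheb(self.r, tj_x))                              # Eq. (6): v = T_r(T_j(x))
        pt = dec(v, ct)
        if pt is None:
            return None, "cannot decrypt with T_r(T_j(x))"
        Q, R, T1 = unpack(pt)
        if abs(int(ts()) - int(T1)) > DELTA_T:
            return None, "T1 outside the valid interval"
        inner = dec(self.s, R)                                   # (ID', H') from R
        if inner is None or h(*unpack(inner)) != Q:              # Eq. (7): Q' = h(ID', H')
            return None, "R forged or Q mismatch"
        j2, T2 = secrets.randbelow(40) + 2, ts()
        challenge = enc(v, pack(str(cheb(j2, self.x)).encode(), h(unpack(inner)[0], T2), T2))
        return challenge, kdf(cheb(j2, tj_x))                    # T_{j'}(T_j(x))

def card_login(card, ID, PW, j=None):  # smart-card step 1
    H = h(PW, card["t"])
    try:                                                         # Eq. (3)
        x_s, tr_s = xor(card["D"], stream(H, b"D", len(card["D"]))).split(b"|")
        x, tr_x = Fraction(x_s.decode()), Fraction(tr_s.decode())
    except (ValueError, UnicodeDecodeError):
        return None, None                                        # wrong PW: D does not unmask
    j = j or secrets.randbelow(40) + 2
    v = kdf(cheb(j, tr_x))                                       # Eq. (4): v = T_j(T_r(x))
    msg = (cheb(j, x), enc(v, pack(h(ID, H), card["R"], ts())))  # Eq. (5): Q = h(ID, H)
    return (j, v, ID), msg

def card_finish(state, challenge):  # smart-card steps 5-7: session key T_j(T_{j'}(x)) or None
    j, v, ID = state
    pt = dec(v, challenge)
    if pt is None:
        return None
    tj2_x, tag, T2 = unpack(pt)
    if abs(int(ts()) - int(T2)) > DELTA_T or tag != h(ID, T2):
        return None
    return kdf(cheb(j, Fraction(tj2_x.decode())))

def demo(ID=b"alice", PW=b"correct horse"):  # registration plus one login
    srv, t = Server(), os.urandom(16)
    card = srv.register(ID, h(PW, t))
    card["t"] = t                                                # registration step 4
    state, msg = card_login(card, ID, PW)
    challenge, sk_server = srv.respond(msg)
    return challenge is not None and card_finish(state, challenge) == sk_server
```

`demo()` returns `True` when card and server agree on the key. A wrong password makes `card_login` fail before anything is sent, a tampered login ciphertext or a forged `R` makes `respond` return `None` with the reason, and two logins with different `j` produce different `T_j(x)` values, which is what Theorem 1 relies on.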

5.3 Security Analyses

Since the improved scheme is extended from the Guo-Chang scheme, the essential security properties of their scheme also apply to ours. We further analyze the security of the improved scheme against the attacks described above.

Theorem 1. The improved scheme provides full protection for the user's identity.

Proof: In the authenticated key exchange phase, the smart card sends only the two parameters $(T_j(x), E_v(Q, R, T_1))$ to the server; the fixed value $R$ is no longer sent in the clear. Since $j$ is chosen at random, both transmitted parameters vary from one login session to the next. More specifically, given only the login requests of two sessions, $(T_{j_1}(x), E_{v_1}(Q, R, T_1))$ and $(T_{j_2}(x), E_{v_2}(Q, R, T_1'))$, it is computationally infeasible for any adversary to decide whether they correspond to the same user.

Theorem 2. No malicious adversary can derive the mutually shared session key by intercepting the messages transmitted by both sides.

Proof: By eavesdropping on the communication between a user and the server, a malicious adversary obtains $(T_j(x), E_v(Q, R, T_1))$ and $E_v(T_{j'}(x), h(ID, T_2), T_2)$, respectively. According to Eq. (3), however, the adversary has no way to derive $(x \| T_r(x))$ without knowing the user's password and the random number $t$. Consequently, he cannot compute a real number $j^*$ with $T_{j^*}(x) = T_j(x)$ as in Section 5.1, since he lacks the value $x$. Therefore, no adversary is able to compute the common session key $T_j(T_{j'}(x))$.

6 Conclusions

Two-factor authentication combining a password and a smart card is an important technique for strengthening the security of two-party communication. In this paper, the author first showed that Guo and Chang's chaotic maps-based password-authenticated key agreement using smart cards fails to provide strong user anonymity, and that a malicious adversary is able to compute the common session key of both sides by exploiting the semi-group property of Chebyshev chaotic maps. Without redesigning the original structure of the Guo-Chang scheme or incurring much additional computational complexity, the author showed how to eliminate these security vulnerabilities while preserving the efficiency and merits of the original protocol.

Acknowledgment
The author would like to thank anonymous referees for their valuable suggestions. This work was supported in part by the National Science Council
of Republic of China under the contract number NSC 102-2221-E-019-041.

References
[1] A. K. Awasthi, Comment on a dynamic ID-based remote user authentication scheme, Transaction on Cryptology, Vol. 1, No. 2, 2004, pp. 15-16.
[2] M. S. Baptista, Cryptography with chaos, Physics Letters A, Vol. 240,
No. 1-2, 1998, pp. 50-54.
[3] P. Bergamo, P. D'Arco, A. De Santis and L. Kocarev, Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems, Vol. 52, No. 7, 2005, pp. 1382-1393.
[4] C. Chen, D. He, S. Chan S, J. Bu, Y. Gao and R. Fan, Lightweight
and provably secure user authentication with anonymity for the global
mobility network, International Journal of Communication Systems,
Vol. 24, No. 3, 2011, pp. 347-362.
[5] M. L. Das, A. Saxena and V. P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, 2004, pp. 629-631.
[6] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[7] C. Guo and C. C. Chang, Chaotic maps-based password-authenticated
key agreement using smart cards, Communications in Nonlinear Science and Numerical Simulation, Vol. 18, No. 6, 2013, pp. 1433-1440.
[8] D. He, J. Chen and R. Zhang, A more secure authentication scheme
for telecare medicine information systems, Journal of Medical Systems,
Vol. 36, No. 3, 2011, pp. 1989-1995.

[9] M. S. Hwang and L. H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, 2000, pp. 28-30.
[10] W. S. Juang and J. L. Wu, Two efficient two-factor authenticated key exchange protocols in public wireless LANs, Computers and Electrical Engineering, Vol. 35, No. 1, 2009, pp. 33-40.
[11] M. K. Khan, S. K. Kim and K. Alghathbar, Cryptanalysis and security
enhancement of a more efficient and secure dynamic ID-based remote
user authentication scheme, Computer Communications, Vol. 34, No.
3, 2011, pp. 305-309.
[12] L. Kocarev, Chaos-based cryptography: a brief overview, IEEE Circuits and Systems Magazine, Vol. 1, No. 3, 2001, pp. 6-21.
[13] W. C. Ku and S. T. Chang, Impersonation attacks on a dynamic ID-based remote user authentication scheme using smart cards, IEICE Transactions on Communications, Vol. E88-B, No. 5, 2005, pp. 2165-2167.
[14] L. Lamport, Password authentication with insecure communication,
Communications of the ACM, Vol. 24, No. 11, 1981, pp. 770-772.
[15] I. Liao, C. C. Lee and M. S. Hwang, Security enhancement for a dynamic ID-based remote user authentication scheme, Proceedings of 2005
International Conference on Next Generation Web Services Practices,
Seoul, Korea, 2005, pp. 437-440.
[16] H. Y. Lin, On the security of a dynamic ID-based authentication
scheme for telecare medical information systems, Journal of medical
systems, Vol. 37, No. 2, 2013, pp. 1-5.
[17] C. L. Lin, H. M. Sun and T. Hwang, Attacks and solutions on strong-password authentication, IEICE Transactions on Communications, Vol. E84-B, No. 9, 2001, pp. 2622-2627.
[18] M. Misbahuddin and C. S. Bindu, Cryptanalysis of Liao-Lee-Hwang's dynamic ID scheme, International Journal of Network Security, Vol. 2, No. 6, 2008, pp. 211-213.

[19] A. Shimizu, A dynamic password authentication method by one way function, Systems and Computers in Japan, Vol. 22, No. 7, 1991, pp. 32-40.
[20] A. Shimizu, T. Horioka and H. Inagaki, A password authentication
method for contents communication on the Internet, IEICE Transactions on Communications, Vol. E81-B, No. 8, 1998, pp. 1666-1673.
[21] H. B. Tang and X. S. Liu, Cryptanalysis of a dynamic ID-based remote
user authentication with key agreement scheme, International Journal
of Communication Systems, to appear, 2012.
[22] J. L. Tsai, T. C. Wu and K. Y. Tsai, New dynamic ID authentication
scheme using smart cards, International Journal of Communication
Systems, Vol. 23, No. 12, 2010, pp. 1449-1462.
[23] R. C. Wang, W. S. Juang and C. L. Lei, Robust authentication and
key agreement scheme preserving the privacy of secret key, Computer
Communications, Vol. 34, No. 3, 2011, pp. 274-280.
[24] Y. Y. Wang, J. Y. Liu, F. X. and J. Dan, A more efficient and secure dynamic ID-based remote user authentication scheme, Computer
Communications, Vol. 32, No. 4, 2009, pp. 583-585.
[25] F. Wen and X. Li, An improved dynamic ID-based remote user authentication with key agreement scheme, Computers and Electrical Engineering, Vol. 38, No. 2, 2011, pp. 381-387.
[26] S. Wu, T. Zhu and Q. Pu, Robust smart-cards-based user authentication scheme with user anonymity, Security and Communication Networks, Vol. 5, No. 2, 2011, pp. 236-248.
[27] D. Xiao, X. Liao and S. Deng, A novel key agreement protocol based on chaotic maps, Information Sciences, Vol. 177, No. 4, 2007, pp. 1136-1142.
[28] E. J. Yoon and K. Y. Yoo, Improving the dynamic ID-based remote
mutual authentication scheme, Proceedings of 2006 OTM Workshops,
Lecture Notes in Computer Science, Vol. 4277, Springer, Berlin, 2006,
pp. 499-507.

[29] E. J. Yoon, K. Y. Yoo and K. S. Ha, A user friendly authentication scheme with anonymity for wireless communications, Computers and Electrical Engineering, Vol. 37, No. 3, 2011, pp. 356-364.


This paper demonstrates security flaws in the Guo-Chang chaotic maps-based password-authenticated key agreement.

Specifically, the linkability of login requests to a user, and the shared session key itself, can be compromised in their scheme.

An improved scheme eliminating these weaknesses is also presented.
