An Efficient Chaotic Map-Based Authentication Scheme with Mutual Anonymity

A chaotic map-based mutual authentication scheme with strong anonymity is proposed in this paper, in which the real identity of the user is encrypted with a key shared between the user and the trusted server. Only the trusted server can determine the real identity of a user during the authentication; any other entity, including other users of the system, learns nothing about the user's real identity. In addition, the shared encryption key can be easily computed by the user and the trusted server using the Chebyshev map, without additional burdensome key management. Once the two partnered users have been authenticated by the trusted server, they can easily proceed to agree on a session key. Formal security analysis demonstrates that the proposed scheme is secure under the random oracle model.


Introduction
Due to its sensitivity to initial conditions and to the chaotic parameter, a chaotic system exhibits aperiodicity and pseudorandomness, and it has been widely used in many cryptographic constructions, such as chaotic system based hash functions [1][2][3], chaotic system based encryption [4][5][6][7][8], chaotic map based block ciphers [9], and so forth.
Authentication and key agreement are the fundamental building blocks used to achieve authenticity and confidentiality in a cryptographic system. Much effort on chaotic map based authentication and key establishment has been made in recent years. In 2009, Han and Chang [10] proposed a chaotic map-based key agreement protocol, which removes the constraint of synchronization. However, Yoon and Yoo [11] pointed out that Han and Chang's [10] scheme cannot counter the replay attack. Later, Tseng et al. [12] presented a chaotic map-based key agreement protocol for smart card-oriented applications, which is vulnerable to the internal attack and lacks perfect forward security, as pointed out by Niu and Wang [13]. Though Niu and Wang [13] improved Tseng et al.'s [12] scheme and proposed a new one, it is expensive and cannot resist the DoS attack. In addition, other researchers investigated improvements to key agreement with smart cards [14,15]. Wang and Zhao [16] first proposed a trusted third party (TTP) based key agreement scheme using the Chebyshev chaotic maps, which was improved by Yoon and Jeon [17] because of its vulnerability to the tampering attack. In 2012, Lai et al. [18] developed a novel TTP based key agreement protocol using the extended Chebyshev map, but their scheme cannot counter the internal attack and the off-line key guessing attack [19]. Later, Lee et al. [20] presented a mutual anonymous authentication scheme with the extended Chebyshev map, but it is open to the man-in-the-middle attack. Tan [21] proposed a novel authentication and key agreement protocol with smart card, which can achieve user anonymity; however, its cost is high. To cut the heavy computation cost due to the smart card, Gong et al. [22] proposed an improved chaotic map-based key management scheme without a smart card. However, Wang and Luan [23] pointed out that Gong et al.'s scheme has key management issues and potential security problems, and then proposed a new secure key agreement protocol. In addition, some chaotic map based schemes [24][25][26][27][28] have been investigated for solving various security problems.
Although a lot of work on chaotic map based authentication has been done, most schemes cannot provide mutual authentication and are vulnerable to the external attack. Only a few schemes address this issue using encryption; however, the confidentiality of these schemes is not perfect, since internal users of the system can learn the real identities of others during the execution of the authentication process. With the popularity of wireless communication enabled devices, private information of users, such as identity and location, can easily be illegally intercepted and then exploited by potential attackers to trace individuals [29]. The privacy of the user has attracted increasing attention from both industry and academia. To the best of our knowledge, no existing scheme addresses this privacy requirement. Motivated by this, a chaotic map-based mutual authentication scheme with mutual anonymity is proposed in this paper, which has the following properties.
(1) Mutual Strong Anonymity. When a user, Alice, in the system interacts with another user, Bob, to fulfill the authentication process, no entity except the trusted server can learn any information about the real identities of Alice and Bob. Furthermore, Alice and Bob cannot determine the identity of the opposite side either; that is, Alice does not know Bob's real identity and vice versa.
(2) Untraceability. No internal user can link any two authentication sessions; that is to say, even if a system user Alice has established a session with the same user Bob who was once authenticated, Alice still cannot determine from the historic session that the opposite side is Bob. In addition, no external entity can determine, using the intercepted messages, whether the users in one session are the same as the users in another session.
The rest of the paper is organized as follows: some related basics and definitions are introduced in Section 2. The concrete construction of the proposed scheme is illustrated in Section 3. Analysis and comparison are presented in Section 4. Finally, the paper is concluded.

Preliminaries
This section introduces the common user requirements, the security requirements for mutual authentication, some basics about the Chebyshev chaotic map and its advantage, and the security definitions.

Requirements
2.1.1. User Requirements. Given that the authentication scheme to be constructed should be easy to use, the following user requirements need to be satisfied.
(1) Independence. The system should enable users to choose their seeds to produce the shared encryption/decryption keys independently, which means the user can encrypt the transferred messages with a distinct key in a new authentication session without any additional agreement with the trusted server in advance.
(2) Round-Optimization. When a user wants to authenticate another entity, the number of interactive rounds should be minimized as much as possible, which helps to save computation and communication cost; meanwhile, the user experience is enhanced as well.
(3) Anonymity. From the user's perspective, his real identity needs protection and should not be exposed to any entity except the trusted server.

Security Requirements.
Since the objective of our proposed protocol is to provide a reliable and robust authentication mechanism to counter all possible outside and inside attacks, based on previous studies [21-25, 32, 33], we give the following critical requirements to provide secure authentication.
(1) Mutual Authentication. After the two partnered users involved finish the process of authentication, they should be convinced that the opposite user is an authentic one, not a forged one.
(2) Efficiency.Since the process of mutual authentication is on-line and the trusted server is required to support all authentication processes, the communication and computation costs should be as low as possible.
(3) Integrity.This means the involved entities can verify the integrity of received messages, which aims to detect possible damage to those messages.
(4) Confidentiality.After the authentication process, a session key should be produced for both partnered users to provide a secure communication, and it ensures forward secrecy as well.
Next, a brief introduction to the Chebyshev map and some related preliminaries [25,31,33] is given.

The Chebyshev Chaotic Maps
According to the definition, the Chebyshev polynomial map can also be defined recursively as follows: where 0() = 1 and 2() = , ≥ 2.
The Chebyshev polynomial map has the following two properties.
According to the periodicity of = cos(), there exist multiple associated with the same that make the equation hold. To improve the security of the classic Chebyshev polynomial map, Zhang [33] proved that the Chebyshev polynomial map still keeps the semigroup property over the interval (−∞, ∞); this is called the extended Chebyshev chaotic map and has the following definition: where ≥ 2, ∈ [−1, 1], and is a large prime number. It is easy to see that the following equation holds as well:
Definition 2 (discrete logarithm problem (DLP)). Given any two large integers , , find an integer such that the equation () ≡ holds.

The Advantages of Using Chebyshev Chaotic Maps.
As a chaotic system has excellent diffusion and confusion properties, it is widely used to design various cryptographic schemes. Our design aims to provide secure and efficient mutual authentication with strong anonymity, which means encryption has to be integrated to keep the identities confidential. However, traditional public key cryptography schemes are not desirable for this purpose, since the management of encryption keys in these schemes produces a heavy computational burden. Inspired by the semigroup property, the extended Chebyshev chaotic map over the finite field is used to develop our protocol, since the discrete logarithm problem and the Diffie-Hellman problem are assumed to be intractable within polynomial time [21]. However, there are no hardness assumptions for the discrete logarithm problem or the Diffie-Hellman problem for Chebyshev chaotic maps over the interval [−1, 1] [34], so it is still challenging to design a secure chaotic map-based key agreement protocol over that interval. Meanwhile, with the Chebyshev chaotic map, our proposed scheme enables the users and the trusted server to efficiently generate the shared encryption key and agree on a session key without additional key management. Though there are other types of chaotic systems, only the extended Chebyshev chaotic map has the semigroup property and satisfies the requirements stated above. In addition, the Chebyshev map has good chaotic properties with mixing and ergodicity, and the chaotic sequences generated by the Chebyshev map have good statistical distribution characteristics, with mean 0 [35]. Wang et al. [7,8] pointed out that low dimensional chaotic maps suffer degradation of dynamics in finite precision computations on computers; however, this issue can be addressed using an appropriate implementation; for example, Liu et al. [36] proposed an analogue-digital mixed method to solve the dynamical degradation of digital chaotic systems. Given the above advantages, the extended Chebyshev chaotic map is used to construct mutual authentication with strong anonymity in this paper.
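The following Python code is an added illustration, not code from the paper, of the extended Chebyshev map over Z_p introduced above and of the shared-key computation it enables between a user and the trusted server. It uses only the recurrence T_0(x) = 1, T_1(x) = x, T_n(x) = 2x T_{n-1}(x) − T_{n-2}(x) and the semigroup property T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p; the prime p, the seed x and the secret indices are constructed toy values, and hashing the shared value with SHA-256 to obtain a key is this example's assumption rather than a step the paper specifies.

```python
"""Extended Chebyshev chaotic map over Z_p and a Chebyshev-based shared key.

Added example, not code from the paper. Facts used (from the Preliminaries):
  T_0(x) = 1, T_1(x) = x, T_n(x) = 2x T_{n-1}(x) - T_{n-2}(x)   (mod p)
  semigroup property: T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x))    (mod p)
The modulus p, seed x and secret indices below are constructed toy values;
deriving a symmetric key with SHA-256 is this example's assumption.
"""
import hashlib


def chebyshev_naive(n: int, x: int, p: int) -> int:
    """Reference O(n) evaluation of T_n(x) mod p straight from the recurrence."""
    prev, cur = 1 % p, x % p            # (T_0, T_1)
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % p
    return cur


def chebyshev(n: int, x: int, p: int) -> int:
    """O(log n) evaluation of T_n(x) mod p by fast doubling.

    Both steps are instances of T_{m+k} = 2 T_m T_k - T_{|m-k|}:
        T_{2k}   = 2 T_k^2 - 1            (since T_0 = 1)
        T_{2k+1} = 2 T_k T_{k+1} - x      (since T_1 = x)
    All arithmetic is exact integer arithmetic mod p, so the finite-precision
    dynamical degradation mentioned in the text does not arise here.
    """
    x %= p
    t_k, t_k1 = 1 % p, x                # (T_k, T_{k+1}) starting at k = 0
    for bit in bin(n)[2:]:              # walk the bits of n from the top
        t_2k = (2 * t_k * t_k - 1) % p
        t_2k1 = (2 * t_k * t_k1 - x) % p
        if bit == "0":                  # k -> 2k
            t_k, t_k1 = t_2k, t_2k1
        else:                           # k -> 2k + 1
            t_k, t_k1 = t_2k1, (2 * t_k1 * t_k1 - 1) % p
    return t_k


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """Check T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) (mod p) for the given values."""
    lhs = chebyshev(r, chebyshev(s, x, p), p)
    rhs = chebyshev(s, chebyshev(r, x, p), p)
    return lhs == rhs == chebyshev(r * s, x, p)


def derive_key(shared: int, p: int) -> bytes:
    """Assumed KDF: hash the shared map value into a fixed-length 32-byte key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def chebyshev_key_agreement(p: int, x: int, server_secret: int, user_secret: int) -> dict:
    """Diffie-Hellman-style shared key from the semigroup property.

    The server publishes T_s(x); a user picks a fresh r, sends T_r(x), and
    both sides obtain T_{rs}(x) without any per-user key management. Only the
    key computation is shown; the paper's message formats are not reproduced.
    """
    server_pub = chebyshev(server_secret, x, p)        # T_s(x), long-term public value
    user_pub = chebyshev(user_secret, x, p)            # T_r(x), fresh per session
    k_user = chebyshev(user_secret, server_pub, p)     # T_r(T_s(x))
    k_server = chebyshev(server_secret, user_pub, p)   # T_s(T_r(x))
    return {
        "server_pub": server_pub,
        "user_pub": user_pub,
        "user_key": derive_key(k_user, p),
        "server_key": derive_key(k_server, p),
        "agree": k_user == k_server,
    }


if __name__ == "__main__":
    P = 1000003            # constructed toy prime; a deployment would use a large prime
    X = 12345              # constructed public seed in Z_p
    out = chebyshev_key_agreement(P, X, server_secret=987654, user_secret=424242)
    print("T_5(3) mod 101 =", chebyshev(5, 3, 101))          # 30
    print("semigroup holds:", semigroup_holds(7, 11, 5, 101))
    print("keys agree:", out["agree"], out["user_key"].hex()[:16])
```

Because T_r(T_s(x)) = T_rs(x) is a polynomial identity over the integers, the semigroup check passes for every seed x in Z_p, which is what lets each user pick an independent fresh r per session.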

Security Definitions.
Based on the attack model in the literature [37,38], the security model of the proposed chaotic map based mutual authentication and key agreement with strong anonymity (CMASA) is defined in this section. In the model, the capability of the adversary A is defined by the following interactive game, which consists of oracle queries and security assumptions.
A can join the game by issuing a series of oracle queries to any participant from the entity set Π_U^i, including the trusted server. During the interaction, A is assigned some attacking capabilities against the authentication protocol. The communication channel is under the full control of A, which means A can intercept, block, inject, delete, and modify any message transferred via this channel. The queries that A can issue are as follows.

Execute(Π_U^i). This query is designed to give A a passive attacking capability. After the execution of this query, all the transferred messages produced by the honest parties are output according to the definition of .

Send(Π_U^i, ·). This query is designed to simulate the situation in which A has taken control of the whole communication process. A can issue a query on to Π_U^i, and the corresponding entity from Π_U^i will compute the result according to and respond to A.

Reveal(Π_U^i). This query is used to simulate the known-key attack. If the session is valid, all the shared session keys computed by Π_U^i are returned; otherwise null is returned.

Test(Π_U^i). This query is used to measure the semantic security of the session key . If the entity owning this session key has already computed with its partnered peer, return to A; otherwise, null is returned. A can also issue a single query to Π_U^i, and Π_U^i will make an unbiased coin toss ∈ (0, 1) to determine the response. If = 1, return to A; otherwise, return a random value.
Definition 4 (security of the session key (ASK-Secure)). In an interactive game involving an adversary, the adversary A can arbitrarily issue Test queries, where the response is either the real session key or a random value. If A issues a Test query to an unauthorized entity, A receives ⊥. If A issues a Test query to a dishonest entity, or to an entity whose peer is dishonest, the corresponding real session key is returned. Otherwise, a random from an unbiased coin toss determines whether the response is the real session key or a random value. A then guesses the hidden by analyzing the response. Let the event = {A wins this game}, and let Adv ASK (A) be the advantage that A wins the distinguishability game of . If Adv ASK (A) is negligible, then is called ASK-Secure [37].
One-time security of symmetric encryption (OT-Secure) [39] refers to the indistinguishability of symmetric encryption under a passive attack, which is also called find-guess security.
Let = (, ) be a symmetric encryption scheme and let A = (A 1, A 2) be an adversary against ; then consider the following interactive game between and A.
(4) Input , and run A 2, and then The advantage of A measures how much better than 1/2 it guesses the right ; that is, 2Pr[ = ] − 1. During the whole game, A is passive; in other words, it cannot access any encryption or decryption oracle.

Concrete Construction
The detailed construction of the proposed scheme is presented in this section. For convenience, the descriptions of all symbols used are listed in Description of Symbols.
Suppose there exist three entities in our scheme: two system users , , who need to authenticate each other, and a trusted third party Tread. During the authentication, Tread authenticates and using their submitted messages. If Tread finds that or has been revoked, the authentication process is terminated. The whole authentication process consists of two stages, namely registration, and authentication including key establishment.
At the beginning of registration, , generate their passwords, respectively. They precompute the passwords using a hash function and then submit them to Tread together with their identifications and other related information. Upon receiving the registration queries from and , Tread checks the validity of the submitted information. If it is valid, the registration succeeds and Tread securely stores the needed information locally. Authentication can be launched by either user, and the process is then conducted through the following interactive steps.

Registration.
A user can register using the following steps.

Mutual Authentication and Key Establishment.
Users and can finish the authentication and key establishment by following the steps shown in Figure 1.
(2) → . Upon receiving 1 from , first checks whether | − | < Δ holds, where is the timestamp of . If yes, it stores temporarily. Then, it chooses , randomly and computes = (), = ⊕ (), and = () mod , where denotes the temporary identification of and denotes the shared session key between and Tread. After that, encrypts , , and
Step 1. Search for () and () in the database.

Analysis
4.1. Security. The proof of security consists of multiple interactive games, and it is based on the difference lemma [37], which is briefly reviewed as follows.
Lemma 6 (difference lemma). Let , , and be events following some distribution. If ∧ ¬ ⇔ ∧ ¬, then the following equation holds: The proof of this lemma can be found in [37].

Security of Session Key.
The security of session key for our proposed scheme is given by Theorem 7.
Applied Computational Intelligence and Soft Computing
Theorem 7. Let V Γ be the advantage that an adversary breaks the symmetric encryption within time 1, and let be the advantage that an adversary breaks within time 2. Then, the advantage that A breaks a -secure mutual authentication scheme is
where
Game 0. This game depicts the attack of A on MSAA in reality. According to the definition, the advantage is as follows:
Game 1. This game simulates all oracle queries; the only difference is that the guessing attack on the real identification is simulated as well. Since , are encrypted by an OT-Secure symmetric encryption, every value of (‖‖(‖‖())), (‖‖(‖‖())) should be distinct. Therefore, A has no auxiliary information with which to validate its guess of the real identification; that is to say, the success probability is (1 + 2)/. According to the difference lemma [37], we have
Game 2. This game is the same as the previous games except for the additional simulation of breaking the symmetric encryption using . According to the difference lemma, we have
Game 3. This game is the same as the previous games, except for the additional simulation of a collision attack on the hash. Game 3 is indistinguishable from Game 2 except for a possible collision in . According to the birthday paradox and the difference lemma, we have
Game 4. This game is the same as the previous games except for the modification of the responses () mod and () mod to the query. Assume (, , ) = ((), (), ()) is a random extended chaotic CDH triple. The simulator serves all oracle queries from all honest entities using (, , ). To do so, it first sets passwords for and and then responds as follows: it computes the chaotic maps {(0, 0()), (0, 0()), 0(), 0(), and 0 = 0 0()} and stores them in the list, where 0, 0 are random. For the Test query, it returns the stored 0 as the response. By the definition, the response to the Test query is valid. Meanwhile, the random variable set in Game 3 is replaced by an identically distributed random variable set in Game 4. Hence, the probability that A wins Game 4 is the same as for Game 3, and we have
Game 5. This game simulates A breaking DDH. All the queries are the same as the previous queries except that the response (, , ) is not a CDH triple but a random triple ((), (), ()).
Assume that A_DDH is a challenger who attempts to break the distinguishability of DDH over ; then A_ask is an adversary who is capable of breaking the security of the session key. A_DDH responds to ∈ (0, 1) from the unbiased toss as follows. If = 1, it returns the real session key to A_ask; otherwise it returns a random number to A_ask. After that, A_ask outputs its guess . If = , A_ask wins this game. A_DDH can respond to queries on , , , and ; the process is the same as in the previous games except for the query with (, , ) as inputs. If A_ask outputs , A_DDH outputs 1; otherwise, it outputs 0. If (, , ) is exactly a real CDH triple, then A_DDH runs A_ask in Game 4, so we have Pr Since the session key 0 is random, no information about leaks, so we have According to formulas (8)-(14), the advantage can be evaluated as follows:
4.1.2. Strong Anonymity for Client. To prevent the exposure of the real identification during the message exchange, one practical solution is to employ pseudonyms. In the proposed scheme, if the adversary A attempts to obtain the real identification of a system user, the first possible step is to obtain the key to decrypt the ciphertext even if A can intercept all the
The entities involved in the authentication only obtain the temporary identification, which is generated by XORing the real identification with a random number, so they cannot learn the real identification of the partnered peer. Even if one of them stores for offline analysis in the future, * in the next session is generated by another distinct random number, so and * are indistinguishable to the PPT adversary A. Furthermore, a system user cannot even determine whether the current partnered peer is the same as those in historic sessions. Thus, our proposed scheme achieves strong anonymity.

Resistance to Man-in-the-Middle Attack.
Suppose there exists an active attacker A on the communication channel who attempts to intercept and tamper with the messages transferred via this channel in order to conduct the man-in-the-middle attack. If A tries to carry out the attack by tampering with 1, 2, he or she faces the difficulty of solving the DL problem. If A attempts to tamper with or forge 3, 4, and 5, he or she faces the difficulty of breaking the secure one-way hash function, according to the definition of the protocol. Therefore, the proposed protocol is secure against the man-in-the-middle attack.

Resistance to Replay Attack.
According to the construction of the presented protocol, all the messages transferred among , , and Tread carry timestamps , to provide freshness. Furthermore, the system users independently choose (, ) and (, ) at random at the beginning of every authentication session to ensure freshness. So, the proposed scheme can counter the replay attack effectively.
4.1.5. Forward Secrecy. In our scheme, forward secrecy means that a previously used session key cannot be deduced even if the adversary A is given the current session key and the password of the user. Actually, the establishment of the session key (or ) between and is based on and , chosen by themselves independently, and A learns nothing about (or ) because of the randomness of and ; the success probability does not increase even if and are given to the adversary.
4.1.6. Backward Secrecy. The backward secrecy of our scheme refers to the fact that even if the adversary A has obtained a client's password, all historic session keys, and the current session key, he or she still cannot complete authentication and key agreement. Since all the messages are transferred anonymously, A cannot generate a valid message without knowing the real user identification, according to the protocol, even if he or she is given the password. So, our scheme achieves backward secrecy.
The overall comparison of security between our proposed scheme and the existing similar schemes is listed in Table 1.
All the schemes listed in Table 1 employ random numbers in their construction, so they can all achieve forward secrecy. Since only our scheme and the work in [20] conceal the real identification, only these two schemes can ensure backward secrecy. Consequently, the schemes in [25,26,30,31] cannot provide mutual anonymity for the same reason. Although the scheme in [20] conceals the real identification from an outside attacker, the authenticated peers learn the real identification of each other, so it lacks strong anonymity; the scheme in [32] fails to protect the identity of the server because the identity of the user is transferred in plaintext during authentication, so it cannot provide strong anonymity either. Because of the use of timestamps and random numbers, all the schemes in Table 1 can counter the replay attack. However, in the scheme of [20], the attacker can choose a random number and compute = (), and then finish the authentication successfully by blocking and injecting messages; thus, it is vulnerable to the man-in-the-middle attack.

Comparison of Performance.
The overall performance comparison is listed in Table 2.
As the authentication is a synchronized process, the total computational cost of the client and the server in a whole authentication and key agreement should be investigated. Since XOR and modular addition are much cheaper, these two operations are not included in the comparison; only symmetric encryption/decryption, chaotic map operations, and hash operations are evaluated. Although the proposed scheme gains little in performance, its critical privacy-preserving feature justifies the cost.
4.3. Application Prospects. Our proposed scheme can be applied in privacy-sensitive situations, such as VANETs [29]. Consider the authentication scenario in VANETs shown in Figure 2. Since the communication is over a wireless channel, the system is susceptible to attack from outside and inside adversaries. When the driver of vehicle detects that another vehicle nearby is sharing some resources, he becomes interested in using the application installed in his vehicle and issues a request to access the data. On one hand, for security, is not allowed to access 's data directly, and first verifies whether is an authentic entity. However, and are unwilling to reveal their real identities to each other, so and have to run a mutual anonymous authentication protocol. Meanwhile, and also want to remain anonymous even if they authenticate each other again in the future, since few drivers want to expose their traces to untrusted entities.
On the other hand, the real identities of and , as well as the transferred messages, should be kept confidential from any external entity, and no external attacker should be able to distinguish users of two different sessions using all the intercepted messages. Our proposed protocol achieves all the goals stated above. Since the road side unit (RSU) is assumed to be trusted, it can be regarded as the trusted server in our protocol, and vehicles and can then fulfill authentication via the RSU by following the steps defined in Section 3.

Conclusions
Of the existing chaotic map based authentication schemes, most neglect the anonymity of the user. Since privacy preservation in cryptographic systems has become a great concern nowadays, it is necessary to take appropriate measures to address this problem. Thus, an extended Chebyshev chaotic map-based mutual authentication scheme with strong anonymity is investigated in this paper, in which neither an outside attacker nor even the authenticated peers can determine the real identity of others. The strong anonymity feature of the proposed scheme makes it suitable for privacy-sensitive applications, such as mobile social networks and vehicular ad hoc networks.
This query is used to simulate that A corrupts entities from Π_U^i. A can obtain the permanent password and real identification of Π_U^i with this query.
({, }, , {, }). This query is designed to give A the capability of accessing the encryption oracle. In order to respond to A correctly, a list needs to be set up and maintained. Upon receiving the query (, , ), first check whether there exists some entry {, , } in . If yes, return of the corresponding entry; otherwise, a random value is returned. Meanwhile, a new tuple {, , } is added to . Equivalently, for the decryption query (, , ), first check whether there exists some entry {, , } in ; if yes, return of the corresponding entry, and otherwise a random value is returned. Meanwhile, the new tuple {, , } is added to .
ℎ(). This query is used to simulate hashing for A. To respond to A effectively, a list ℎ is set up. Upon receiving the query on from A, first check whether there already exists some entry {, ℎ} in ℎ. If yes, return the value ℎ of the existing entry to A. Otherwise, generate a random value ℎ as the response and add {, ℎ} to ℎ at the same time.
Figure 1: Process of authentication and key establishment.
(‖‖) using , that is (‖‖(‖‖)), where is the timestamp of . Next, sends 1, 2 = {2, , , } to Tread.
(3) → . Upon receiving 1, 2 from , Tread checks whether | − | < Δ, | − | < Δ hold, where denotes the timestamp of Tread and Δ denotes the permissible time interval threshold. If so, Tread computes the shared keys = () mod , = () mod , 1 = ( and C 1 ‖ ‖ ), and 2 = (‖‖), and then decrypts and using and . After that, Tread checks whether (‖‖) = 1, (‖‖) = 2 hold. If yes, Tread validates and as follows.
0 is the number of Send queries, 1, 2 are the numbers of queries of A to T and B to T respectively, 3 is the number of ℎ queries, is the size of the space, is the security parameter, and 1, 2, and 3 are the running times of a single symmetric cryptographic operation, chaotic map operation, and hash operation, respectively.
Proof. To illustrate the proof, six interactive games (0 ≤ ≤ 5) are introduced. In every game, A can arbitrarily issue any of the oracle queries defined in Section 2.3. When every game is done, the probability of the event = {A wins} can be captured.
Table 1: Comparison of security. Schemes compared: Lee et al.'s [20], Xie et al.'s [26], Farash and Attari's [30], Li et al.'s [31], Lee et al.'s [25], Niu and Wang's [32], and ours.
Though A possesses (), (), and , he or she still faces the difficulty of solving the DL problem if A tries to deduce the secret value from or . Since A cannot decrypt , he or she cannot learn the real identification, and thus the privacy of users is preserved.