Applying Semigroup Property of Enhanced Chebyshev Polynomials to Anonymous Authentication Protocol

We apply the semigroup property of enhanced Chebyshev polynomials to present an anonymous authentication protocol. This paper aims at improving security and reducing computational and storage overhead. The proposed scheme not only has much lower computational complexity and cost in the initialization phase but also allows users to choose their passwords freely. Moreover, it provides revocation of lost or stolen smart cards, and it resists the man-in-the-middle attack and the off-line dictionary attack together with various known attacks.


Introduction
With rapid developments in the limits and possibilities of communications and information transmission, there is a growing demand for authentication protocols, which has greatly spurred research activity in this area. In general, the server authenticates the users by matching the user's identity and password after establishing a secure channel [1]. Since the server establishes a secure channel before asking for identity/password information, an attacker can open a connection to a server and not respond when the identity/password information is requested by the server, which consumes the resources of the server. Moreover, the attacker can set up many connections and consume all the resources of the server. Hence, this method is vulnerable to the denial of service (DoS) attack and cannot discriminate an impostor who fraudulently obtains access privileges (e.g., a user's identity and password) from the real user. Later, Li and Hwang [2] proposed a biometrics-based remote user authentication scheme using smart cards. Soon, Li et al. [3, 4] improved Li and Hwang's scheme. There is no doubt that most existing authentication protocols only achieve "heuristic" security, that is, the underlying hardness assumptions of these protocols are not perfect. However, we find that the references [5-9], which address the detection of DDoS attacks that consume all or most of the resources of the server, provide a more hopeful line of investigation for our future study.
Later, Bellovin and Merritt [10] first presented a two-party password authenticated key exchange (2PAKE) protocol, which permits a user and a server to establish a session key over an insecure channel, to address the problem mentioned above. In their protocol, each user just shares an easy-to-remember password with the trusted server. Regretfully, Patel [11] pointed out that it was easy for an adversary to guess the passwords used for authentication in Bellovin and Merritt's protocol. In order to avoid these attacks, many 2PAKE protocols with weak passwords for authentication have been presented by researchers [12-18]. However, in these 2PAKE protocols, every user has to share a different password with his/her peer, which is usually rather inconvenient for applications in large-scale communication environments. To surmount this weakness, three-party PAKE (3PAKE) protocols have been proposed in [19-22]. Unlike 2PAKE protocols, a 3PAKE protocol is a very practical mechanism to establish a secure session key by authenticating each other with a trusted server's help. There are two common weaknesses in these schemes. (1) They need more communication rounds to reduce the computational load. However, as early as 1995, Gong pointed out that the number of rounds is a key standard for weighing the performance of a protocol. (2) The sensitive table that stores the shared secrets between the server and the registered users is an attractive target, leading to potential server compromise. In 2008, Chen et al. [23] proposed a round- and computation-efficient three-party authenticated key exchange protocol, which addressed the above-mentioned problems. However, we find that their scheme still has the following four drawbacks. (1) It has computational efficiency problems in the initialization phase. (2) The user has no choice in choosing his password. (3) It cannot protect user anonymity. (4) There is no provision for revocation of lost or stolen smart cards, which makes it susceptible to the man-in-the-middle attack.
Therefore, in this paper, a password-based anonymous authentication protocol defined over enhanced Chebyshev polynomials is proposed. A number of outstanding mathematicians and numerical analysts have said that Chebyshev polynomials are everywhere dense in numerical analysis. There is scarcely any area of numerical analysis where Chebyshev polynomials do not drop in like surprise visitors, and indeed there are now a number of subjects in which these polynomials take a significant position in modern developments [24]. One is taken on a journey that leads into all areas of numerical analysis by studying Chebyshev polynomials. Moreover, due to the semigroup property of enhanced Chebyshev polynomials, the well-known discrete logarithm problem and the Diffie-Hellman problem are proved to hold in enhanced Chebyshev polynomials [25]. Thus, we apply the semigroup property of enhanced Chebyshev polynomials to present an anonymous authentication protocol. Our proposed protocol has the following features.
(1) It has much lower computational complexity and cost in the initialization phase.
(2) It allows the users to choose their passwords freely.
(3) It provides revocation of lost or stolen smart cards, which resists the man-in-the-middle attack.
The rest of this paper is organized as follows. Section 2 gives a description of enhanced Chebyshev polynomials and some hard problems based on them. Section 3 briefly reviews Chen et al.'s protocol and describes its disadvantages. In Section 4, we apply the semigroup property of enhanced Chebyshev polynomials to design an anonymous authentication protocol. We analyze the security of the proposed scheme in Section 5, and a computational efficiency analysis is made in Section 6. Finally, we conclude this paper in Section 7.

Preliminaries
In this section, we review some basic definitions concerning enhanced Chebyshev polynomials and some hard problems based on the enhanced Chebyshev polynomials [26].
Definition 2.1 (Chebyshev polynomials). The Chebyshev polynomials of degree n are defined as The recurrent formulas are where n ≥ 2, $T_0(x) = 1$, and $T_1(x) = x$. The first few Chebyshev polynomials are

It can be verified that Chebyshev polynomials have the following properties. (1) Semigroup property: $T_r(T_s(x)) = \cos(r \cdot \arccos(\cos(s \cdot \arccos x))) = \cos(rs \cdot \arccos x) = T_s(T_r(x)) = T_{rs}(x)$. (2.4) (2) Chaotic property: when n > 1, the Chebyshev polynomial map $T_n(x) : [-1, 1] \to [-1, 1]$ of degree n is a chaotic map with its invariant density for Lyapunov exponent $\lambda = \ln n > 0$.

Review of Chen et al.'s Protocol
This section reviews Chen et al.'s protocol, shown in Figure 1. Some of the notations used in this protocol are defined in Table 1.

Initialization Phase
In this phase, A and B ought to register with S to be legal participants, and S should choose and issue the secret keys that will be used in the subsequent phase. Taking A as an example, S executes the following steps to authorize A. (2) Generate the signature $(e_A, s_A)$ as A's self-verified token, where $r_A = g^{\delta_A} \bmod p$ and $e_A = h(r_A, ID_A)$. (3) Store the authentication information $(V_A, e_A, s_A)$ into a smart card and then deliver it to A in a secure way.
To test whether $(e_A, s_A)$ is authorized by S, A retrieves $r_A$ as $r_A = g^{s_A} \cdot y^{e_A} \bmod p$, and then verifies $h(r_A, ID_A) \stackrel{?}{=} e_A$.
Similarly, after B obtains the authorization information $(V_B, e_B, s_B)$ stored in the smart card from S, he can check whether $(e_B, s_B)$ is valid by using the method mentioned above.

Authentication key Exchange Phase
This phase aims to establish the session key SK with S's help. It needs just three rounds to achieve this goal.

Round 1:
(1) Randomly choose an integer a and compute $R_A = g^a \bmod p$, $C_{AS} = h(ID_A, ID_B, T_A, R_A, V_A)$, then transmit $ID_A$, $ID_B$ and $W_A = (C_{AS}, T_A, R_A, e_A, s_A)$ to S, where $T_A$ is the time stamp obtained by A from the local clock to ensure the freshness of the message.
(2) A transmits $ID_A$, $T_A$ and $R_A$ to B.

Round 2: After receiving the message from A, B does the following steps.

Round 3: In this round, S does the following steps.
(1) Verify whether $T_A$ is fresher than the one received in the last request. If so, apply x to compute $\delta_A = s_A + x e_A \bmod q$ and $V_A = h(ID_A, \delta_A)$, and then compute

Disadvantages of Chen et al.'s Protocol
In this section, we argue that Chen et al.'s scheme still has four disadvantages. The detailed description of the weaknesses is as follows.

Computational Efficiency Problem
In the initialization phase of

Lack of User Friendliness
In Chen et al.'s scheme, the password is chosen by the server S without the consent of A/B; thus, A/B can only passively accept the password from S. This is not practical for real-life applications, such as on-line banking and e-mail subscription. Moreover, $\delta_A/\delta_B \in [1, q]$ chosen by the server could be long and random (e.g., 160 bits), which might be difficult for a registered user A/B to remember, and it is most likely that A/B will forget this long and random password if he is not using the system frequently. Hence, Chen et al.'s scheme lacks user friendliness.

No Protecting User Anonymity
In the authenticated key exchange phase of Chen et al.'s scheme, $ID_A$, $ID_B$ are sent to S over an insecure channel in the authentication messages $(ID_A, ID_B, W_A)$ and $(ID_B, ID_A, W_B)$. In certain authentication scenarios, such as e-voting and secret online order placement, it is crucial to protect the privacy of a user. Once an attacker sniffs the communication parties involved in the authentication process, he can easily analyze the transaction being performed by the users. Hence, Chen et al.'s scheme fails to provide user anonymity in the authentication phase.

No Provision for Revocation of Lost or Stolen Smart Card
If the smart card is lost or stolen, the attacker may impersonate the legal user using it, so there should be a mechanism to ensure that the system can revoke the lost or stolen smart card to avoid the possible attacks. Providing for revocation is also one of the requirements of smart card-based authentication protocols. By keeping a record of the valid card identifier of every registered user, the authentication system can tell a valid card from an invalid one. Regretfully, Chen et al.'s scheme ignores this feature, and there is no mechanism to revoke a lost smart card. Moreover, the drawback becomes catastrophic if an attacker obtains the lost smart card by accident and reveals the authentication message of a legal user by any means to log into the system and perform secure transactions, such as on-line banking and e-commerce. Thus, Chen et al.'s scheme fails to provide the important feature of smart card-based authentication of revoking lost smart cards without changing the users' identities.

Man-in-the-Middle Attack
Due to Section 3.3.4, unqualified users can easily launch a man-in-the-middle attack when the smart card is stolen. The steps of the attack are outlined in Figure 2 and explained as follows.
Suppose an adversary M has stolen the smart card from the legal user; then he can obtain the authentication values $V_A$ and $V_B$. Let $R_M = g^m \bmod p$ be M's ephemeral public key, where $m \in Z_p^*$ is chosen by M. Then, he replaces $C_{SA}$ and $C_{SB}$ with $\tilde{C}_{SA}$ and $\tilde{C}_{SB}$ in Round 3. The notation "$\tilde{\ }$" denotes a transmitted message that is manipulated by M. The purpose of M is to share a session key with A by posing as B and to share a session key with B by posing as A. The specific process is as follows.

When receiving the message from M (posing as A), B calculates the session key with M as $SK_{MB} = g^{bm} \bmod p$ and $C_{BM} = h(T_A, R_M, R_B, SK_{MB})$; then M calculates the session key with A as $SK_{AM} = g^{am} \bmod p$ and $C_{AM} = h(T_A, R_M, R_B, SK_{AM})$.

In this round, because M has the value $V_A$, he can compute $\tilde{C}_{SA} = h(C_{AS}, T_B, R_M, V_A)$ for mutual authentication with A; similarly, M can also use $V_B$ to calculate $\tilde{C}_{SB} = h(C_{BS}, T_A, R_M, V_B)$ for mutual authentication with B.
When receiving the values $\tilde{C}_{SA}$ and $\tilde{C}_{SB}$, A and B authenticate the server using their own parameters. Then A computes $C_{MB} = h(C_{BM}, T_B, SK_{AM})$ for M (posing as B); it confirms whether $C_{MB}$ is valid from its own knowledge. M calculates $C_{MB} = h(C_{MA}, T_B, SK_{MB})$ and sends it to B to achieve session key agreement.
Finally, M has shared the session key $SK_{AM} = g^{am} \bmod p$ with A and $SK_{BM} = g^{bm} \bmod p$ with B. In this case, the authentication mechanism of Chen et al.'s protocol does not help.

An Anonymous Authentication Protocol Using the Semigroup Property of Enhanced Chebyshev Polynomials
To surmount the serious latent security problems in Chen et al.'s protocol, we apply the semigroup property of enhanced Chebyshev polynomials to design a new anonymous authentication protocol.

Notations
In this section, we describe some of the notations used in our protocol (Table 2).

Initialization Phase
In this phase, the users and the server need some intercommunication for user registration. We take A as an example. To register with S and become a valid user, A and S do the following steps.

(1) A → S: $(D_A, ID_A)$
A freely chooses an easy-to-remember password $P_A$ and identity $ID_A$, then computes $D_A = T_{P_A}(x)$ and sends $(D_A, ID_A)$ to S. Of course, B registers with S in the same way.

Authentication Key Exchange Phase
This phase aims to establish a session key SK. To achieve this goal, A and B first compute $V_A = H(T_{P_A}(y))$ and $V_B = H(T_{P_B}(y))$ using their own passwords and the public key of S as their authentication information, respectively. Note that $V_A$, $V_B$ can be precomputed. This phase also includes three rounds, shown in Figure 3, and the detailed descriptions are as follows.

Round 1:
Figure 3: Authenticated key exchange phase in our proposed protocol.

Calculates $C_{AS} = H(\Delta_A, T_A, R_A, V_A)$ and $W_A = (C_{AS}, T_A, R_A, \Delta_A)$, then transmits $\Delta_A$ and $W_A$ to S, where the meaning of $T_A$ is the same as that in Chen et al.'s protocol.

Round 2: On receiving the request transmitted from A, B does the following steps.

Round 3: In this round, S does the following steps.

Security Analysis
The enhanced scheme is a modified form of Chen et al.'s scheme. Hence, we discuss only the enhanced and some important security features of the proposed scheme instead of repeating the security analysis already shown in [23]. Before analyzing the security properties, we stress the following two facts on which the security proof of the authenticated key agreement protocol relies. (1) It is widely believed that there is no polynomial-time algorithm to solve the DLP and DHP based on enhanced Chebyshev polynomials with non-negligible probability. (2) The chaotic hash function has the collision-free and irreversible properties.

Securely Chosen and Update Password
In our proposed scheme, A/B is able to freely choose and change his password without any hassle of contacting the server S. No user other than A/B can change or update the password without knowing the corresponding valid $ID_A$/$ID_B$ and $P_A$/$P_B$ of the smart card holder.

Revocation of Smart Card
In our proposed scheme, if A/B's smart card is stolen or lost, he can request the server S to revoke his smart card for future use. S can revoke the smart card directly. If an adversary who steals A/B's smart card wants to derive $P_A$ from $\Delta_A = E_n(T_{P_A}(x) \| ID_A)$, this is impossible, because only S knows the secret key n, and the adversary also faces the discrete logarithm problem (DLP). Hence, the old smart card becomes useless for future use.

The Proposed Protocol Can Resist Man-in-the-Middle Attack
Due to $V_A = H(T_{P_A}(y)) = H(T_{x_1}(D_A))$, if the adversary attempts to log in to S, it needs to derive $x_1$/$P_A$ from y/$\Delta_A$. However, it is widely believed that there is no polynomial-time algorithm to solve the DLP based on enhanced Chebyshev polynomials with non-negligible probability. Moreover, because only S knows the secret key n, the adversary cannot even obtain $D_A$. So the adversary cannot compute $V_A$. For the same reason, the adversary cannot calculate $V_B$ either; that is, our protocol can resist the man-in-the-middle attack.
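The following Python example, added here and not taken from the paper, makes the relation $V_A = H(T_{P_A}(y)) = H(T_{x_1}(D_A))$ above, the semigroup property from Section 2 and the session key $SK = T_a(R_B) = T_b(R_A)$ of the authentication phase concrete over integers mod N. It assumes Zhang's enhanced Chebyshev recurrence (cited, not restated, in the paper), SHA-256 in place of the chaotic hash H, $y = T_{x_1}(x)$ as S's public key and $R_A = T_a(x)$, with small constructed numbers throughout.

```python
"""Enhanced Chebyshev polynomials over Z_N and the protocol checks built on them.

Added example, not the paper's own code.  Assumptions:
  * Zhang's enhanced Chebyshev recurrence, which the paper cites but does not
    restate: T_n(x) = (2x*T_{n-1}(x) - T_{n-2}(x)) mod N, T_0 = 1, T_1 = x,
    with integer x and a large prime N;
  * SHA-256 stands in for the paper's chaotic hash H(.);
  * S publishes y = T_{x1}(x) and A's ephemeral value is R_A = T_a(x);
  * N, x and every secret below are small constructed sample values.
"""
import hashlib

N = 10007  # constructed toy prime modulus; a deployment uses a large prime
X = 3      # constructed public element x known to all parties

def chebyshev(n, x, mod=N):
    """T_n(x) mod `mod` by fast exponentiation of the 2x2 recurrence matrix.

    [T_k, T_{k-1}]^T = M^(k-1) [T_1, T_0]^T with M = [[2x, -1], [1, 0]], so a
    degree-n value costs O(log n) modular multiplications instead of O(n).
    """
    if n == 0:
        return 1 % mod
    a, b, c, d = 1, 0, 0, 1                         # accumulator, starts as I
    ma, mb, mc, md = 2 * x % mod, (-1) % mod, 1, 0  # the matrix M
    e = n - 1
    while e:
        if e & 1:                                   # accumulator *= M^(2^i)
            a, b, c, d = ((a * ma + b * mc) % mod, (a * mb + b * md) % mod,
                          (c * ma + d * mc) % mod, (c * mb + d * md) % mod)
        ma, mb, mc, md = ((ma * ma + mb * mc) % mod, (ma * mb + mb * md) % mod,
                          (mc * ma + md * mc) % mod, (mc * mb + md * md) % mod)
        e >>= 1
    return (a * x + b) % mod                        # first row of M^(n-1) . [x, 1]

def chebyshev_naive(n, x, mod=N):
    """Plain O(n) recurrence, kept as an independent cross-check of chebyshev()."""
    t0, t1 = 1 % mod, x % mod
    for _ in range(n - 1):
        t0, t1 = t1, (2 * x * t1 - t0) % mod
    return t0 if n == 0 else t1

def semigroup_holds(r, s, x, mod=N):
    """Semigroup property of Section 2: T_r(T_s(x)) = T_s(T_r(x)) = T_{rs}(x)."""
    lhs = chebyshev(r, chebyshev(s, x, mod), mod)
    return lhs == chebyshev(s, chebyshev(r, x, mod), mod) == chebyshev(r * s, x, mod)

def H(*parts):
    """Stand-in for the chaotic hash H(.): SHA-256 over the joined parts."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()

def registration_value(password, x=X):
    """Initialization phase: A computes D_A = T_{P_A}(x) and sends it to S."""
    return chebyshev(password, x)

def user_auth_value(password, y):
    """A's side: V_A = H(T_{P_A}(y)) from its own password and S's public key y."""
    return H(chebyshev(password, y))

def server_auth_value(x1, d_a):
    """S's side: V_A' = H(T_{x1}(D_A)) from its secret x1 and the stored D_A.

    The semigroup property gives T_{x1}(T_{P_A}(x)) = T_{P_A}(T_{x1}(x)), so V_A'
    equals V_A although S never learns P_A and keeps no password table; an
    adversary holding only y and Delta_A would need x1 or P_A, i.e. solve the DLP.
    """
    return H(chebyshev(x1, d_a))

def session_key(own_secret, peer_ephemeral, mod=N):
    """SK = T_a(R_B) = T_b(R_A) for R_A = T_a(x), R_B = T_b(x) (Case 1 of the analysis)."""
    return chebyshev(own_secret, peer_ephemeral, mod)
```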

Protection of User Anonymity
The anonymity feature requires that the real identity of a user be protected from being revealed by any entity except S. Our protocol preserves identity anonymity for any user, which can be explained as follows.
$ID_A$ is hidden in $\Delta_A = E_n(T_{P_A}(x) \| ID_A)$. Because only S knows the secret key n, even if an adversary obtains $\Delta_A$ from the stolen smart card, he still cannot decrypt $\Delta_A$.

The Proposed Protocol Can Provide Mutual Authentication
Similarly to Chen et al.'s scheme, we analyze this property from three aspects: the authentications among A, B, and S.

Case 1 (A and B).
To authenticate A and B, S needs to make sure that they own the same session key. In this protocol, S is responsible for confirming both the origin and integrity of the received messages in step 2 to help them authenticate each other. S ensures that the received messages $(T_A, R_A, V_A)$ and $(T_B, R_B, V_B)$ are truly sent from A and B, respectively, and that no modification has occurred. Meanwhile, S sends the respective evidence $C_{SA}$ and $C_{SB}$ for the origin and integrity of $(T_A, R_A)$ and $(T_B, R_B)$. Based on the premise that S is trustworthy, A/B is convinced that the origin of $(T_B, R_B)$/$(T_A, R_A)$ is B/A when the validity of $C_{SA}$/$C_{SB}$ is verified. As only A/B knows the secret a/b of $R_A$/$R_B$, the common session key is generated by A/B as $T_a(R_B)$/$T_b(R_A)$. Because the session key is only known by A/B, no one can forge a valid $C_{BA} = H(T_A, R_A, R_B, SK)$ or $C_{AB} = H(C_{BA}, T_B, SK)$. Therefore, mutual authentication between A and B is achieved while session key confirmation is guaranteed.

Case 2 (A and S).
To achieve mutual authentication between A and S, on the one hand, S has to verify the validity of the evidence $C_{AS} = H(\Delta_A, T_A, R_A, V_A)$. On the other hand, A must test the validity of $C_{SA} = H(C_{AS}, T_B, R_B, V_A)$ to authenticate S. These evidences are computed with the common secret key. Because only A and S know the common secret key $V_A$, where $V_A$ equals the value $V'_A$ recomputed by S, no one can counterfeit the evidence. When the validity of $C_{AS}$ and $C_{SA}$ is tested by S and A, respectively, the integrity of the transmitted message from A that contains $(T_A, R_A)$ is confirmed by S and the integrity of the evidence $C_{SA}$ from S is confirmed by A. Thus, mutual authentication between A and S is achieved.

The Proposed Protocol Can Resist Bergamo et al.'s Attack
In addition, because our protocol is based on the semigroup property of enhanced Chebyshev polynomials, we should consider Bergamo et al.'s attack [20]. Bergamo et al.'s attack is based on the condition that an adversary can obtain the related elements x, N, $T_a(x)$ and $T_b(x)$. In the proposed protocol, an attacker could get x and N easily, but cannot obtain $T_a(x)$ and $T_b(x)$, even if the attacker is a legal user. Besides, the proposed protocol utilizes the enhanced Chebyshev polynomials, in which the periodicity of the cosine function is avoided by extending the interval of x from [−1, 1] to (−∞, ∞). Therefore, the attacker has no way to perform a successful attack using Bergamo et al.'s method.

The Proposed Protocol Can Resist Off-Line Dictionary Attack
In the off-line dictionary attack, the adversary can record all transmitted messages in the initialization phase and attempt to guess A's/B's identities $ID_A$/$ID_B$ and passwords $P_A$/$P_B$ from the recorded messages. If an attacker tries to obtain identity and password verification information from $\Delta_A$, he must guess n, $P_A$ and $ID_A$ correctly at the same time. However, the probability of guessing the three numbers correctly in the same attempt is nearly zero. Furthermore, even if the attacker guesses one parameter correctly, he or she cannot verify it against any password verifier information. Hence, the proposed protocol is secure against the off-line dictionary attack.
According to the above analysis, we list the comparison of the security properties of Chen et al.'s protocol and our protocol in Table 3.

Computational Efficiency Analysis
The proposed protocol is built on the DLP and DHP based on enhanced Chebyshev polynomials. It enjoys the following advantages. (1) In the initialization phase, taking A as an example, S only needs to test $D_A \stackrel{?}{=} D_I$, where $D_I$ denotes the users' component of authentication information, and compute $\Delta_A$. However, in Chen et al.'s protocol, S has to compute $V_A$, $r_A$, $e_A$, $s_A$. In a word, our protocol greatly reduces the computational complexity and computational cost. Hence, our scheme is more efficient and practical. (2) $V_A$, $V_B$ can be precomputed off-line in our protocol, which improves the computational

Conclusion
In this paper, we have applied the semigroup property of enhanced Chebyshev polynomials to present a novel authenticated key exchange protocol. To the best of our knowledge, it is the first three-party authenticated key exchange protocol that preserves user anonymity using the semigroup property of enhanced Chebyshev polynomials. First, we argued that Chen et al.'s protocol has a computational efficiency problem in the initialization phase, cannot protect user anonymity, gives the user no choice in choosing his password, and has no provision for revocation of lost or stolen smart cards, which leads to the man-in-the-middle attack. To surmount these identified drawbacks, we have proposed an enhanced protocol that reduces the computational complexity and computational cost in the initialization phase and improves security. Hence, our proposed protocol is more efficient and practical. Furthermore, the analysis shows that our protocol can resist various kinds of attacks.

Figure 1: Authenticated key exchange phase in Chen et al.'s protocol.

Figure 2: Man-in-the-middle attack in Chen et al.'s protocol.

(2) When receiving $D_A$ from A, S first tests if $D_A \stackrel{?}{=} D_I$. If $D_A = D_I$, S should ask A to submit a different password.
(3) S → A: $(\Delta_A, H(\cdot))$. Then, S computes $\Delta_A = E_n(T_{P_A}(x) \| ID_A)$; for convenience, S stores $(\Delta_A, H(\cdot))$ into a smart card and then delivers it to A face to face.

(1) B calculates $C_{BS} = H(\Delta_B, T_B, R_B, V_B)$ and sends $W_B = (C_{BS}, T_B, R_B, \Delta_B)$ to S; the meaning of $T_B$ is the same as that in Chen et al.'s protocol.

Case 3 (B and S).
The analysis of the mutual authentication between B and S is done likewise. Except for B and S, no one knows the secret key $V_B$. Therefore, mutual authentication between B and S is achieved by verifying the validity of $C_{BS} = H(\Delta_B, T_B, R_B, V_B)$ and $C_{SB} = H(C_{BS}, T_A, R_A, V_B)$, respectively.

Table 1: Some of the notations used in Chen et al.'s protocol.

(1) Randomly choose an integer b and compute $R_B = g^b \bmod p$, $C_{BS} = h(ID_B, ID_A, T_B, R_B, V_B)$, and send $W_B = (C_{BS}, T_B, R_B, e_B, s_B)$ to S, where $T_B$ is the time stamp obtained by B from the local clock to ensure the freshness of the message.
b mod p and then transmit $C_{BA} = h(T_A, R_A, R_B, SK)$ to A.
In the following, test $C'_{AS} \stackrel{?}{=} C_{AS}$ to authenticate the identity of A; if it holds, S calculates $C_{SA} = h(C_{AS}, T_B, R_B, V_A)$ and transmits it to A. (2) Test whether $T_B$ is fresher than the one received in the last request. If so, S calculates $V_B = h(ID_B, \delta_B)$ and computes $C'_{BS} = h(ID_B, ID_A, T_B, R_B, V_B)$. After this round, A tests whether $T - T_A$ is in a valid period, where T is the time when $C_{SA}$ was received. If so, A calculates $C'_{SA} = h(C_{AS}, T_B, R_B, V_A)$ and tests $C'_{SA} \stackrel{?}{=} C_{SA}$ to verify the correctness of $C_{SA}$. If it holds, A finishes this protocol. Similarly, B tests if $T - T_B$ is in a valid period, where T is the time when $C_{SB}$ was received. If so, B calculates $C'_{SB} = h(C_{BS}, T_A, R_A, V_B)$ and tests $C'_{SB} \stackrel{?}{=} C_{SB}$ to verify the correctness of $C_{SB}$. If it holds, B completes this protocol.
$C'_{BA} = h(T_A, R_A, R_B, SK)$ and checks $C'_{BA} \stackrel{?}{=} C_{BA}$ to authenticate B; if it holds, A computes $C_{AB} = h(C_{BA}, T_B, SK)$ and sends it to B.

Table 2: Some of the notations used in our paper.

(1) Verify if $T_A$ is in a valid time interval. If so, S decrypts $\Delta_A$, $\Delta_B$ with his private key n to reveal $T_{P_A}(x) \| ID_A$ and $T_{P_B}(x) \| ID_B$. Then, S calculates $V'_A = H(T_{x_1}(D_A))$ and computes $C'_{AS} = H(\Delta_A, T_A, R_A, V'_A)$. Finally, test $C'_{AS} \stackrel{?}{=} C_{AS}$; if it holds, S calculates $C_{SA} = H(C_{AS}, T_B, R_B, V'_A)$ and transmits it to A. (2) Test whether $T_B$ is in a valid time interval. If so, S calculates $V'_B = H(T_{x_1}(D_B))$ and computes $C'_{BS} = H(\Delta_B, T_B, R_B, V'_B)$. Then, he tests $C'_{BS} \stackrel{?}{=} C_{BS}$; if it holds, S calculates $C_{SB} = H(C_{BS}, T_A, R_A, V'_B)$ and transmits it to B.
(3) Independently, A tests if $T - T_A$ is in a valid period, where T is the time when B received the message from S. If so, A calculates $SK = T_a(R_B)$ and $C'_{BA} = H(T_A, R_A, R_B, SK)$; then tests $C'_{BA} \stackrel{?}{=} C_{BA}$; if it holds, A calculates $C_{AB} = H(C_{BA}, T_B, SK)$ and sends it to B. After this round, A tests if $T - T_A$ is in a valid period, where T is the time when $C_{SA}$ was received. If so, A calculates $C'_{SA} = H(C_{AS}, T_B, R_B, V_A)$ and tests $C'_{SA} \stackrel{?}{=} C_{SA}$ to verify the correctness of $C_{SA}$. If it holds, A finishes this protocol. Similarly, B tests if $T - T_B$ is in a valid period, where T is the time when $C_{SB}$ was received. If so, B calculates $C'_{SB} = H(C_{BS}, T_A, R_A, V_B)$ and tests $C'_{SB} \stackrel{?}{=} C_{SB}$ to verify the correctness of $C_{SB}$. If it holds, B finishes this protocol.

Table 3: Comparison of security properties.

Table 4: Comparison of computation overhead in the initialization phase.
efficiency and saves communication bandwidth.The detailed comparison is shown in