Nonlinear Dynamics: An International Journal of Nonlinear Dynamics and Chaos in Engineering Systems. ISSN 0924-090X, Volume 76, Number 2. Nonlinear Dyn (2014) 76:1203–1213, DOI 10.1007/s11071-013-1204-1


Nonlinear Dyn (2014) 76:1203–1213, DOI 10.1007/s11071-013-1204-1

ORIGINAL PAPER

Cryptanalysis and improvement of a chaotic map-based key agreement protocol using Chebyshev sequence membership testing

Mohammad Sabzinejad Farash · Mahmoud Ahmadian Attari

Received: 8 July 2013 / Accepted: 17 December 2013 / Published online: 28 February 2014. © Springer Science+Business Media Dordrecht 2014

Abstract Recently, Gong et al. (Nonlinear Dyn, doi:10.1007/s11071-012-0628-3, 2012) proposed a chaotic map-based key agreement protocol without using smart cards. They claimed that the protocol is secure against password-guessing attacks. However, we show that Gong et al.'s protocol is vulnerable to partition attacks, whereby the adversary can guess the correct password off-line. We also demonstrate that the protocol suffers from a stolen-verifier attack along with password change pitfalls. Thereafter, we propose a chaotic map-based key agreement protocol without using smart cards to overcome the mentioned weaknesses. The security analysis of the proposed protocol shows that it is suitable for applications with higher security requirements.

Keywords Cryptography · Chaos · Key agreement protocol · Password-guessing attack

1 Introduction

Information systems and the information that they contain and process, which are considered to be major assets, should be protected from unauthorized disclosure, modification, and use. Cryptography is often used to protect information from unauthorized disclosure, to detect modification, and to authenticate the identities of system users. Cryptographic techniques use secret keys that must be managed and protected throughout their life cycle by a key management system. Cryptography can thus reduce the scope of the information management problem from protecting large amounts of information to protecting only secret keys. One of the significant components of managing cryptographic keys is how to exchange or distribute secret keys among participants who want to establish a secure communication over an insecure channel. For this purpose, key agreement protocols [1–5] have been widely developed and used. These protocols allow two or more entities to establish a shared secret key and agree upon a common session key for use in securing subsequent communication over an insecure channel.

M. S. Farash (B): Faculty of Mathematics Sciences and Computer, Kharazmi University, Tehran, Iran. e-mail: [email protected]

M. A. Attari: Faculty of Electrical and Computer Engineering, K.N. Toosi University of Technology, Tehran, Iran

Chaos theory has been developed since the 1970s in many different research areas, such as physics, mathematics, engineering, and biology [6]. Chaos is a well-defined, universal, random-like and robust phenomenon in nonlinear systems. Chaotic systems are characterized by unpredictability and by sensitivity to parameters and initial conditions. As these properties meet some essential requirements of cryptography, chaos has recently become a promising candidate in the field of cryptography. In recent years, various chaotic cryptosystems have been proposed. However, most of them focus on the design of symmetric encryption


schemes [7–14], S-boxes [15,16], and hash functions [17–19]. Recently, chaotic systems have also been used to design public key encryption protocols.

In 2003, Kocarev and Tasev [20] proposed the first public key encryption protocol using the semi-group property of the Chebyshev chaotic map, which has both great originality and practicability. Shortly thereafter, Bergamo et al. [21] pointed out that Kocarev and Tasev's [20] protocol is insecure against an attack they developed, which exploits the periodicity of the cosine function. Bose [22] also proposed a methodology that uses multiple chaotic systems and a set of linear functions for key exchange over an insecure channel; however, Wang et al. [23] pointed out a fundamental weakness of Bose's cryptosystem and then demonstrated a successful attack. Zhang [24] also proved that Bose's cryptosystem is insecure as well as inefficiently designed.

To improve the security of key agreement protocols based on chaotic maps, Xiao et al. [25] used chaotic maps to propose a new key agreement protocol. However, Alvarez [26] demonstrated that Xiao et al.'s protocol is vulnerable to a man-in-the-middle attack. To remedy this weakness, Xiao et al. [27] proposed an improved key agreement protocol. However, Han [28] pointed out that Xiao et al.'s protocol cannot resist the replay attack. Han et al. [29] and Xiao et al. [30] used a time-stamp and a nonce, respectively, to enhance the security of Xiao et al.'s [27] protocol. Guo and Zhang [31] pointed out that none of [27,29,30] satisfies the contributory nature of key agreement protocols, that is, a malicious server can predetermine the shared secret key. To improve security, Tseng et al. [32] proposed a new chaotic map-based key agreement protocol using smart cards. Unfortunately, Niu and Wang [33] pointed out that Tseng et al.'s protocol is vulnerable to an insider attack and cannot provide user anonymity and perfect forward secrecy. Recently, Niu et al. also proposed an improved protocol to overcome these weaknesses. However, Yoon [34] found that Niu et al.'s protocol is vulnerable to the denial of service (DoS) attack and has a computational efficiency problem. To overcome the weaknesses in Niu et al.'s protocol, several other chaos-based key agreement protocols using smart cards were proposed [35–38]. However, tamper-resistant card readers are not available everywhere, so these smart-card-based key agreement protocols are not practical for such environments.

Guo and Zhang's [31] protocol is the first chaos-based key agreement protocol without using smart cards. However, He and Khan [39] pointed out that Guo and Zhang's protocol is vulnerable to the off-line password-guessing attack. To overcome the weaknesses in Guo and Zhang's protocol, Gong et al. [40] proposed a new chaos-based key agreement protocol without using smart cards. However, in this paper, we point out that Gong et al.'s protocol is vulnerable to partition attacks, a stolen-verifier attack and password change pitfalls.

The rest of the paper is organized as follows. In Sect. 2, we introduce the definitions of Chebyshev chaotic maps. Next, we propose a new method to test Chebyshev sequence membership in Sect. 3. Then, we review Gong et al.'s protocol in Sect. 4 and show its weaknesses in Sect. 5. The improved protocol is presented in Sect. 6. In Sect. 7, we analyze our protocol and show that it can resist several attacks. In Sect. 8, we compare our protocol with related protocols. Finally, the conclusion is given in Sect. 9.

2 Preliminaries

In this section, we introduce some background on the Chebyshev chaotic map and review Gong et al.'s [40] protocol based on Chebyshev chaotic maps.

2.1 Chebyshev chaotic maps

Definition 1 (Chebyshev polynomial) Let $n \in \mathbb{N}$, $x \in \mathbb{Z}_N$ and $N$ be a positive integer. The Chebyshev polynomial $T_n$ of degree $n$, $T_n(x): \mathbb{Z}_N \to \mathbb{Z}_N$, is recursively defined as

$$T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x) \pmod N, \tag{1}$$

with $T_0 = 1$ and $T_1 = x$.

Proposition 1 (Semi-group property) For $n, m \in \mathbb{N}$,

$$T_n(T_m(x)) = T_{nm}(x) = T_{mn}(x) = T_m(T_n(x)) \pmod N. \tag{2}$$

Proposition 2 ([41]) For a positive integer $N$, $n$, and $x \in \mathbb{Z}_N$:

$$T_n(x) = \frac{\left(x + \sqrt{x^2-1}\right)^n + \left(x - \sqrt{x^2-1}\right)^n}{2} \pmod N. \tag{3}$$


Definition 2 (Chaotic-based Discrete Logarithm (CDL) problem) The CDL problem is: given a value $a$ such that $T_k(x) = a \bmod N$, find $k$. It is assumed to be infeasible.

Definition 3 (Chaotic-based Diffie-Hellman (CDH) problem) The CDH problem is: given the two values $T_r(x) \bmod N$ and $T_s(x) \bmod N$, find the combination $T_{rs}(x) \bmod N$ without knowing $r$ and $s$. It is assumed to be infeasible.

Definition 4 (Chebyshev polynomial sequence) Let $N$ be a prime, $n \in \mathbb{N}$, and $x \in \mathbb{Z}_N$. Then $(T_n \bmod N)_{n \ge 0}$ is defined as the sequence generated by the Chebyshev polynomial of Eq. (1), where $T_n = T_n(x)$.

Definition 5 (Period of a Chebyshev polynomial sequence) The period of the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$, $n = 0, 1, 2, \ldots$, is $d$ if $T_{n+d} = T_n \bmod N$ for all $n$.

Proposition 3 ([41]) The minimal period of a Chebyshev polynomial sequence (denoted by $d_{\min}$) is a factor of any of its periods, i.e. $d_{\min} \mid d$.

Proposition 4 ([41]) For an odd prime $N$, the minimal period $d_{\min}$ is a divisor of either $N-1$ or $N+1$. Therefore, for an odd prime $N$, $d_{\min} \le N+1$.

Proposition 5 ([41]) The elements of a Chebyshev polynomial sequence are distributed symmetrically within a period, i.e. $T_{nd+i} = T_{(n+1)d-i}$, where $d$ is a period of the sequence and $i$ is an integer satisfying $0 \le i < d$.

3 Distinct members and membership testing of Chebyshev sequences

3.1 The number of distinct members of a Chebyshev sequence

Theorem 1 The number of distinct values in the sequence $(T_n \bmod N)_{n \ge 0}$ is at most $\lfloor d_{\min}/2 \rfloor + 1$.

Proof According to Propositions 3 and 5, $T_{nd_{\min}+i} = T_{(n+1)d_{\min}-i}$. Thus, within each minimal period of $d_{\min}$ elements, two elements $T_a$ and $T_b$ with $a \ne b$ are equal if $a + b \equiv 0 \pmod{d_{\min}}$. Hence, for even $d_{\min}$ the number of distinct elements is at most $d_{\min}/2 + 1$, and for odd $d_{\min}$ it is at most $(d_{\min}+1)/2 = \lfloor d_{\min}/2 \rfloor + 1$. Therefore, the number of distinct values in the whole sequence $(T_n \bmod N)_{n \ge 0}$ is at most $\lfloor d_{\min}/2 \rfloor + 1$. □

Proposition 6 By Proposition 4 and Theorem 1, for an odd prime $N$ the number of distinct values in the sequence $(T_n \bmod N)_{n \ge 0}$ is at most $\frac{N+1}{2} + 1$.

3.2 Chebyshev sequence membership testing

In some chaotic map-based key agreement protocols, it is assumed that the values passed from one party to another lie in the correct Chebyshev sequence. However, one needs to actually check that the received message flows lie within the correct Chebyshev sequence, or force the messages to lie in the group via additional computation, or choose the parameters carefully so that the problem does not arise. Indeed, some attacks on chaotic map-based key agreement protocols, such as the partition attack (see Sect. 5.1), are possible because implementors do not test for Chebyshev sequence membership. In this section, we propose a new method to test for Chebyshev sequence membership.

Theorem 2 Let $N$ be a large prime, $x \in \mathbb{Z}_N$, and $n, m \in \mathbb{Z}_N^*$. Then the product of $T_n(x)$ and $T_m(x)$ is

$$T_n(x) \cdot T_m(x) = \frac{T_{n+m}(x) + T_{n-m}(x)}{2} \pmod N. \tag{4}$$

Proof Without loss of generality, let $n \ge m$, and set $\lambda_1 = x + \sqrt{x^2-1}$ and $\lambda_2 = x - \sqrt{x^2-1}$, so that $\lambda_1 \lambda_2 = 1$. Then Eq. (3) can be rewritten for $T_n(x)$ and $T_m(x)$ as

$$T_n(x) = \frac{\lambda_1^n + \lambda_2^n}{2} \pmod N, \qquad T_m(x) = \frac{\lambda_1^m + \lambda_2^m}{2} \pmod N.$$

The product of $T_n(x)$ and $T_m(x)$ can be calculated as follows:

$$\begin{aligned}
T_n(x) \cdot T_m(x) &= \left(\frac{\lambda_1^n + \lambda_2^n}{2}\right) \cdot \left(\frac{\lambda_1^m + \lambda_2^m}{2}\right) \pmod N \\
&= \frac{1}{4}\left(\lambda_1^n \lambda_1^m + \lambda_1^n \lambda_2^m + \lambda_2^n \lambda_1^m + \lambda_2^n \lambda_2^m\right) \\
&= \frac{1}{4}\left\{\left(\lambda_1^{n+m} + \lambda_2^{n+m}\right) + \left(\lambda_1^n \lambda_2^m + \lambda_2^n \lambda_1^m\right)\right\} \\
&= \frac{1}{4}\left\{\left(\lambda_1^{n+m} + \lambda_2^{n+m}\right) + \lambda_1^m \lambda_2^m \left(\lambda_1^{n-m} + \lambda_2^{n-m}\right)\right\} \\
&= \frac{1}{4}\left\{\left(\lambda_1^{n+m} + \lambda_2^{n+m}\right) + \left(\lambda_1^{n-m} + \lambda_2^{n-m}\right)\right\} \qquad (\text{since } \lambda_1 \lambda_2 = 1) \\
&= \frac{T_{n+m}(x) + T_{n-m}(x)}{2} \pmod N. \qquad \square
\end{aligned}$$

Proposition 7 Based on Theorem 2, the following property of the Chebyshev polynomial sequence can be derived:

$$T_{n+m}(x) \cdot T_{n-m}(x) = \frac{T_{2n}(x) + T_{2m}(x)}{2} \pmod N. \tag{5}$$

When $m = 1$, the following equation follows:

$$T_{n+1}(x) \cdot T_{n-1}(x) = \frac{T_2(T_n(x)) + T_2(x)}{2} \pmod N. \tag{6}$$

Proposition 8 Using Eqs. (1) and (6), the following simultaneous equations can be drawn:

$$2x\,T_n(x) = T_{n+1}(x) + T_{n-1}(x) \pmod N, \tag{7}$$

$$T_{n+1}(x) \cdot T_{n-1}(x) = (T_n(x))^2 + x^2 - 1 \pmod N. \tag{8}$$

Equations (7) and (8) lead to the following quadratic equation in $T_{n+1}(x)$ modulo $N$:

$$T_{n+1}^2(x) - \left(2x\,T_n(x)\right) T_{n+1}(x) + \left(T_n^2(x) + x^2 - 1\right) = 0. \tag{9}$$

Suppose that the sequence $(T_n \bmod N)_{n \ge 0}$ is a Chebyshev polynomial sequence for a given $x \in \mathbb{Z}_N$. Clearly, for a given $T_n(x)$ in the sequence $(T_n \bmod N)_{n \ge 0}$, the quadratic Eq. (9) is solvable in $\mathbb{Z}_N$, and the value of $T_{n+1}(x)$ can be obtained. However, for an arbitrary $a \in \mathbb{Z}_N$, if the quadratic Eq. (9) with $T_n(x) = a$ has no solution in $\mathbb{Z}_N$, then $a$ is not in the sequence $(T_n)_{n \ge 0}$. Therefore, using the quadratic Eq. (9), we can check whether an arbitrary $a \in \mathbb{Z}_N$ is not in the sequence $(T_n)_{n \ge 0}$.

Example 1 Let $N = 11$ and $x = 3$. Then the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$ generated by (1) is $1, 3, 6, 0, 5, 8, 10, 8, 5, 0, 6, 3, 1, 3, \ldots$. Its minimal period is $d_{\min} = 12$. The quadratic Eq. (9) for $T_n(x) = 5$ is $T_{n+1}^2(x) - 8\,T_{n+1}(x) = 0$, which has the two solutions $0$ and $8$; this is consistent with $5$ being contained in the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$. The arbitrary value $4$ is not contained in the sequence; the quadratic Eq. (9) for $T_n(x) = 4$ is $T_{n+1}^2(x) - 2\,T_{n+1}(x) + 2 = 0$. Solving it by the discriminant method gives the discriminant $7$, which is a quadratic non-residue modulo $11$, so the equation is not solvable modulo $11$. This confirms that the value $4$ is not contained in the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$.

It should be noted that if the quadratic Eq. (9) for an arbitrary $T_n(x) = a \in \mathbb{Z}_N$ is not solvable, then the value $a$ is certainly not contained in the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$. However, if the quadratic Eq. (9) for an arbitrary $T_n(x) = a \in \mathbb{Z}_N$ is solvable, then $a$ may be contained in the sequence, but this is not guaranteed.
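The sequence generation of Eq. (1), the product identity of Eq. (4), the bound of Theorem 1 and the one-sided membership test of Eq. (9) can all be checked numerically. The following Python is an added illustration written for this page, not code from the paper: it reproduces Example 1 (N = 11, x = 3), verifies Eq. (4) over a full period, and, with the constructed short-period parameters N = 11, x = 5, shows why the test is only one-sided (the value 0 satisfies Eq. (9) without being in the sequence). All function names are my own; N is assumed to be an odd prime.

```python
"""Chebyshev sequences mod N and the Eq. (9) membership test.
Added illustration for this page, not the paper's own code.
Assumes N is an odd prime (Euler's criterion is used for residues)."""


def cheb_sequence(x: int, N: int):
    """Generate T_0, T_1, ... mod N by the recurrence of Eq. (1) until the pair
    (T_n, T_{n+1}) returns to (T_0, T_1). Returns (one minimal period, d_min)."""
    seq = [1 % N, x % N]
    while True:
        seq.append((2 * x * seq[-1] - seq[-2]) % N)
        if seq[-2] == seq[0] and seq[-1] == seq[1]:
            d_min = len(seq) - 2
            return seq[:d_min], d_min


def is_square_mod(v: int, N: int) -> bool:
    """Euler's criterion: v is 0 or a quadratic residue modulo the odd prime N."""
    v %= N
    return v == 0 or pow(v, (N - 1) // 2, N) == 1


def eq9_coefficients(a: int, x: int, N: int):
    """Eq. (9) with T_n(x) = a, written as T^2 - b*T + c = 0 over Z_N."""
    b = (2 * x * a) % N
    c = (a * a + x * x - 1) % N
    return b, c


def eq9_discriminant(a: int, x: int, N: int) -> int:
    b, c = eq9_coefficients(a, x, N)
    return (b * b - 4 * c) % N


def may_be_member(a: int, x: int, N: int) -> bool:
    """One-sided test of Proposition 8. False: a is certainly not in the
    sequence (T_n(x) mod N). True: a may be in it. This is the check an
    implementation applies to a received value before using it."""
    if not 0 <= a < N:          # values outside Z_N can never be members
        return False
    return is_square_mod(eq9_discriminant(a, x, N), N)


def eq9_roots(a: int, x: int, N: int):
    """Candidate values of T_{n+1}(x), by exhaustive search (small N only)."""
    b, c = eq9_coefficients(a, x, N)
    return sorted(t for t in range(N) if (t * t - b * t + c) % N == 0)


def product_identity_holds(x: int, N: int) -> bool:
    """Check Eq. (4), T_n*T_m = (T_{n+m} + T_{n-m})/2 mod N, over one period."""
    seq, d = cheb_sequence(x, N)
    inv2 = pow(2, -1, N)                      # 1/2 in Z_N (Python 3.8+)
    T = lambda k: seq[k % d]                  # the sequence is d-periodic
    return all((T(n) * T(m) - (T(n + m) + T(n - m)) * inv2) % N == 0
               for n in range(d) for m in range(n + 1))


def theorem1_bound_holds(x: int, N: int) -> bool:
    """Theorem 1: number of distinct values <= floor(d_min/2) + 1."""
    seq, d = cheb_sequence(x, N)
    return len(set(seq)) <= d // 2 + 1


if __name__ == "__main__":
    N, x = 11, 3                                         # parameters of Example 1
    seq, d = cheb_sequence(x, N)
    print("sequence:", seq, "d_min =", d)                # [1, 3, 6, 0, 5, 8, 10, 8, 5, 0, 6, 3] 12
    print("a=5 roots:", eq9_roots(5, x, N))              # [0, 8]
    print("a=4 discriminant:", eq9_discriminant(4, x, N),
          "may be member:", may_be_member(4, x, N))      # 7 False
    print("Eq. (4) holds:", product_identity_holds(x, N))
    # Constructed short-period case: 0 passes the test but is not a member.
    seq2, d2 = cheb_sequence(5, N)
    print(seq2, d2, may_be_member(0, 5, N), 0 in seq2)   # [1, 5, 5] 3 True False
```

The last two lines illustrate the caveat that closes this section: with x = 5 the sequence has minimal period 3 and only the members 1 and 5, yet 0 satisfies Eq. (9) because its discriminant is a quadratic residue. A failed test is conclusive; a passed test is not.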

4 Review of Gong et al.’s protocol

In this section, we briefly review the chaotic map-based key agreement protocol proposed by Gong et al. [40].

4.1 Notations

The notations used in their protocol are described in the following:

• $A$: a user
• $ID_A$: the unique identity of the user $A$
• $p, q$: two prime numbers
• $E$: an elliptic curve over the finite field $F_p$, written $E(F_p)$
• $H(\cdot)$: a hash function $\{0,1\}^* \to G_1$
• $\mathbb{Z}_q$: a finite field of order $q$
• $\mathbb{Z}_q^*$: the non-zero integers modulo $q$

Before performing the protocol, the server first publishes the system parameters. The server selects a large number $N$ and generates a random number $\alpha$. Then the server publishes the public parameters $param = \{\alpha, N, H\}$.

4.2 Protocol description

The structure of the protocol is detailed as follows, where $A \to B: \langle m \rangle$ means that a message $m$ is sent from $A$ to $B$.

Step 1. $A \to B: \langle ID_A, \bar{X} \rangle$. $A$ generates a random number $r_A$, computes $X = T_{r_A}(\alpha) \bmod N$ and $\bar{X} = X \oplus h_{pw}$, and sends $M_1 = \{ID_A, \bar{X}\}$ to $B$.

Step 2. $B \to A: \langle Y, V_1 \rangle$. Upon receiving the message $M_1$, $B$ generates a random number $r_B$, computes $X = \bar{X} \oplus h_{pw} = T_{r_A}(\alpha)$, $Y = T_{r_B}(\alpha) \bmod N$, $K_B = T_{r_B}(X) \bmod N$, and $V_1 = H(Y, K_B)$. Finally, $B$ sends $M_2 = \{Y, V_1\}$ to $A$.

Step 3. $A \to B: \langle V_2 \rangle$. When receiving $M_2$, $A$ computes $K_A = T_{r_A}(Y) \bmod N$ and checks whether $V_1 = H(Y, K_A)$. If it does not hold, $A$ stops the session. Otherwise, $B$ is authenticated. Then $A$ computes $V_2 = H(X, Y, K_A)$ and the session key $sk_A = H(K_A)$, and sends $M_3 = \{V_2\}$ to $B$.

Step 4. Upon receiving the message $M_3$, $B$ checks whether $V_2 = H(X, Y, K_B)$. If it does not hold, $B$ stops the session. Otherwise, $A$ is authenticated, and $B$ computes the session key $sk_B = H(K_B)$.

5 Weaknesses of Gong et al.’s protocol

In this section, we show that Gong et al.'s [40] protocol unfortunately suffers from a partition attack, a stolen-verifier attack and password change pitfalls. A more detailed description of the attacks follows.

5.1 Partition attack

Through this attack, the adversary can guess the correct password off-line. In their scheme, the adversary only needs to wiretap a valid session and can then use the gathered information to partition the password space (the dictionary) into feasible and infeasible passwords. Finally, the correct password is recovered, after a number of valid sessions have been observed, from the intersection of the feasible partitions of the passwords for each session.

5.1.1 Attack scenario

In Gong et al.'s [40] protocol, the simple operation $\oplus$ is applied to elements of the Chebyshev polynomial sequence $(T_n \bmod N)_{n \ge 0}$, which opens the door to a partition attack. The attack scenario is as follows:

– Assume that the adversary has obtained $\bar{X} = X \oplus h_{pw}$ by wiretapping an exchange between $A$ and $B$, where $X = T_{r_A}(\alpha) \bmod N$ and $h_{pw} = H(ID_A, PW_A)$.

– Then the adversary guesses a password $PW_A^*$ and uses it to compute $h_{pw}^* = H(ID_A, PW_A^*)$ and $X^* = \bar{X} \oplus h_{pw}^* = \{X \oplus h_{pw}\} \oplus h_{pw}^*$.

– If the guessed password $PW_A^*$ is $A$'s correct password, $X^* = X$ will be in the Chebyshev polynomial sequence $(T_n)_{n \ge 0}$.

– Otherwise, if $PW_A^*$ is not $A$'s correct password, it is likely that the computation results in a value $X^*$ that is not in the sequence $(T_n \bmod N)_{n \ge 0}$, including values equal to or larger than $N$.

As shown in Proposition 8, for a value $a \in \mathbb{Z}_N$, an attacker can set $T_n(x) = a$ in Eq. (9) and check whether it is not in the sequence $(T_n \bmod N)_{n \ge 0}$. According to Theorem 1, the number of elements of the sequence $(T_n \bmod N)_{n \ge 0}$ is at most $d_{\min}/2 + 1$. Thus, the probability that Eq. (9) is solvable for an incorrect password is at most $\frac{d_{\min}+2}{2(N+c)}$, where $c$ is the number of possible values not in $\mathbb{Z}_N$ (i.e. equal to or larger than $N$), which is less than $2^{|N|} - N$. We say that $PW_A^*$ is a feasible password only when $X^* < N$ and Eq. (9) with $T_n(x) = X^*$ is solvable in $\mathbb{Z}_N$; otherwise, it is marked as an infeasible password. Thus, the space of valid passwords is reduced by a factor of $\frac{d_{\min}+2}{2(N+c)}$, on average, by observing one exchange session. According to Proposition 6, for an odd prime $N$, $\frac{d_{\min}+2}{2(N+c)} \le \frac{N+3}{2(N+c)} \approx \frac{1}{2}$. Over a number of sessions the space of valid passwords is narrowed down to a single password at a logarithmic rate.

5.1.2 Attack description

Let $D$ be a set of passwords. We denote by $CD$ the set of candidate passwords, which is set to $D$ initially. The attack can be described as follows.

The attacker chooses one session message and performs the partition operation: check every password in $CD$ by the sequence membership test and divide $CD$ into two subsets, $FD$ and $\overline{FD}$, where $FD$ is the set of feasible passwords and $\overline{FD}$ is the set of infeasible passwords. Afterwards, the attacker removes all infeasible passwords from $CD$, i.e. sets $CD = FD$, and then performs a partition operation using a different session message in the same way. The attacker repeats this until the correct password is found. Hence, after $n_t$ partition operations, the number of remaining passwords is

$$|CD| = \left(\frac{d_{\min}+2}{2(N+c)}\right)^{n_t} |D|.$$

Let $n_m$ be an integer such that

$$|CD| = \left(\frac{d_{\min}+2}{2(N+c)}\right)^{n_m} |D| \approx 1.$$

Then the adversary can determine the correct password by performing $n_m$ partition operations, where

$$n_m = \frac{\log_2 |D|}{\log_2 \frac{2(N+c)}{d_{\min}+2}}.$$

According to Proposition 6, for an odd prime $N$, $\frac{d_{\min}+2}{2(N+c)} \le \frac{N+3}{2(N+c)} \approx \frac{1}{2}$. So, for an odd prime $N$,

$$n_m = \frac{\log_2 |D|}{\log_2 \frac{2(N+c)}{d_{\min}+2}} \le \frac{\log_2 |D|}{\log_2 2} = \log_2 |D|.$$

The size of the dictionary is $2^{40}$ (or $2^{50}$) in practice. Therefore, for an odd prime $N$, the adversary can determine the correct password by performing $40$ (or $50$) partition operations.

Obviously, the above attack shows that Gong et al.'s [40] scheme cannot resist off-line dictionary attacks.

5.2 Stolen-verifier attack

Assume that an adversary has stolen the value $h_{pw} = H_1(ID_A \| PW_A)$ from the server $S$. The adversary can easily obtain $ID_A$ by intercepting it in Step 1. Therefore, the adversary only needs to find a value $PW_A^*$ that satisfies $H_1(ID_A \| PW_A^*) = h_{pw}$. In general, a user's password is a low-entropy, human-memorable password. Thus, it is feasible for the adversary to use a simple dictionary attack or off-line guessing attack to find a $PW_A^*$ that is equal to $PW_A$.

5.3 Pitfalls of Gong et al.’s scheme

In Gong et al.'s scheme, the user cannot change his/her password freely, since the scheme does not provide any password change mechanism. The user has to go to the registration center and ask for the password to be changed in person. Obviously, users would find such an operation inconvenient.

6 The improved chaotic map-based key agreementprotocol

This section proposes an enhanced chaotic map-based key agreement protocol without using smart cards to overcome the above-mentioned problems with Gong et al.'s protocol. The proposed protocol contains four phases: system setup phase, registration phase, login and authentication phase, and password change phase.

6.1 System setup phase

In the system setup phase, the server $B$ acts as follows:

– Select a prime number $N$,
– Select $\alpha \in \mathbb{Z}_N$ such that the minimal period of the Chebyshev polynomial sequence $(T_n(\alpha) \bmod N)_{n > 0}$ is $N+1$,
– Select hash functions $H_1$, $H_2$ and $H_3$,
– Select an integer $s \in [1, N+1]$ as the long-lived secret key, and compute $Q = T_s(\alpha) \bmod N$ as the corresponding public key.

Finally, $B$ keeps the secret key $s$ and publishes the parameters $\{N, \alpha, H_1, H_2, H_3, Q\}$.

6.2 Registration phase

Figure 1 shows the registration phase of our scheme. When a user wants to log in to the remote server, he/she first has to register with the remote server. In this phase, the user communicates with the server through a secure channel. The details of this phase are as follows:

Step R1: The user freely chooses his/her $ID_A$ and password $PW_A$, computes $h_{pw} = H_1(ID_A \| PW_A)$, and sends $\{ID_A \| PW_A\}$ to the server $B$ through a secure channel.

Step R2: The server computes $VPW_A = H_1(ID_A \| s) \oplus H_1(ID_A \| PW_A)$ and stores $(ID_A, VPW_A)$ in its database.

Fig. 1 Registration phase of the proposed protocol

6.3 Login and authentication phase

Figure 2 shows the login and authentication with key agreement phase of our scheme. In this phase, the user communicates with the remote server through a public channel. When the user $A$ wants to log in to the remote server, he or she performs the following steps to execute a session of the protocol:

Fig. 2 Login and authentication with key agreement phase of the proposed protocol

Step A1: $A \to B$: $\{ID_A, X_1, V_1\}$. $A$ chooses a random integer $r_A \in [1, N+1]$, computes $X_1 = T_{r_A}(\alpha) \bmod N$, $X_2 = T_{r_A}(Q) \bmod N$ and $V_1 = H_2(ID_A \| ID_B \| X_1 \| X_2 \| h_{pw})$, and sends the request message $REQUEST\{ID_A, X_1, V_1\}$ to $B$.

Step A2: $B \to A$: $\{Y, V_2\}$. Upon receiving the request message, $B$ first computes $X_2' = T_s(X_1) \bmod N$ and $h_{pw} = VPW_A \oplus H_1(ID_A \| s)$, and checks whether $V_1 = H_2(ID_A \| ID_B \| X_1 \| X_2' \| h_{pw})$. If so, $B$ randomly chooses $r_B \in [1, N+1]$ and computes $Y = T_{r_B}(\alpha) \bmod N$, $K_{BA} = T_{r_B}(X_1) \bmod N$, and $V_2 = H_2(ID_B \| ID_A \| X_1 \| X_2' \| Y \| K_{BA} \| h_{pw})$. Then $B$ sends the challenge message $\{Y, V_2\}$ back to $A$. Finally, $B$ computes the session key $SK = H_3(ID_A \| ID_B \| X_1 \| Y \| K_{BA})$.

Step A3: Upon receiving the challenge message, $A$ computes $K_{AB} = T_{r_A}(Y) \bmod N$ and checks whether $V_2 = H_2(ID_B \| ID_A \| X_1 \| X_2 \| Y \| K_{AB} \| h_{pw})$. If so, $A$ computes the session key $SK = H_3(ID_A \| ID_B \| X_1 \| Y \| K_{AB})$. Otherwise, $A$ rejects it.

Finally, the session key shared between $A$ and $B$ is

$$SK = H_3(ID_A \| ID_B \| X_1 \| Y \| K_{AB}) = H_3(ID_A \| ID_B \| X_1 \| Y \| K_{BA}).$$
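The setup, registration and login phases above can be run end to end. The Python below is an added example written for this page, not the authors' implementation: it uses SHA-256 with distinct prefixes as $H_1$, $H_2$, $H_3$, evaluates $T_n(x) \bmod N$ by a fast-doubling recurrence derived from Eqs. (1) and (4), and runs Steps R1 to R2 and A1 to A3 for a constructed toy prime $N$ and base $\alpha$ (a real deployment chooses them as in Sect. 6.1). The two sides' session keys must agree by the semi-group property, and a wrong password must be rejected at the server's $V_1$ check in Step A2. The class, function and parameter names are my own.

```python
"""Improved protocol (Sect. 6.1-6.3): setup, registration, login and authentication.
Added example for this page, not the paper's code. Toy parameters are constructed."""
import hashlib
import secrets


def cheb(n: int, x: int, N: int) -> int:
    """T_n(x) mod N in O(log n) by fast doubling. From Eqs. (1)/(4):
    T_{2k} = 2*T_k^2 - 1 and T_{2k+1} = 2*T_k*T_{k+1} - x."""
    a, b = 1 % N, x % N                                  # (T_0, T_1)
    for bit in bin(n)[2:]:                               # bits of n, most significant first
        if bit == "0":
            a, b = (2 * a * a - 1) % N, (2 * a * b - x) % N   # (T_2k, T_2k+1)
        else:
            a, b = (2 * a * b - x) % N, (2 * b * b - 1) % N   # (T_2k+1, T_2k+2)
    return a


def _H(tag: bytes, *parts) -> bytes:
    """SHA-256 with a domain-separation tag; parts are joined with '||'."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(str(p).encode() + b"||")
    return h.digest()


def H1(*parts): return _H(b"H1", *parts)
def H2(*parts): return _H(b"H2", *parts)
def H3(*parts): return _H(b"H3", *parts)


def xor(u: bytes, v: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(u, v))


class ServerB:
    """Server: long-lived key s, public Q = T_s(alpha), verifier table (ID_A -> VPW_A)."""

    def __init__(self, N: int, alpha: int, ident: str = "ID_B"):
        self.N, self.alpha, self.ident = N, alpha, ident
        self.s = secrets.randbelow(N + 1) + 1            # s in [1, N+1]
        self.Q = cheb(self.s, alpha, N)
        self.table = {}
        self.session_key = None

    def register(self, ID_A: str, PW_A: str) -> None:
        """Steps R1-R2 (secure channel): VPW_A = H1(ID_A||s) xor H1(ID_A||PW_A)."""
        self.table[ID_A] = xor(H1(ID_A, self.s), H1(ID_A, PW_A))

    def step_A2(self, ID_A: str, X1: int, V1: bytes):
        """Verify the request; return (Y, V2) and keep SK, or None to reject."""
        if ID_A not in self.table:
            return None
        X2p = cheb(self.s, X1, self.N)                   # X2' = T_s(X1) = T_rA(Q)
        hpw = xor(self.table[ID_A], H1(ID_A, self.s))    # recover h_pw from the verifier
        if V1 != H2(ID_A, self.ident, X1, X2p, hpw):
            return None                                  # wrong password or altered X1
        rB = secrets.randbelow(self.N + 1) + 1
        Y = cheb(rB, self.alpha, self.N)
        KBA = cheb(rB, X1, self.N)                       # T_rB(T_rA(alpha))
        V2 = H2(self.ident, ID_A, X1, X2p, Y, KBA, hpw)
        self.session_key = H3(ID_A, self.ident, X1, Y, KBA)
        return Y, V2


def login(server: ServerB, ID_A: str, PW_A: str):
    """User side, Steps A1 and A3. Returns (SK_user, SK_server) or None on rejection."""
    N, alpha = server.N, server.alpha
    hpw = H1(ID_A, PW_A)
    rA = secrets.randbelow(N + 1) + 1
    X1 = cheb(rA, alpha, N)
    X2 = cheb(rA, server.Q, N)                           # T_rA(T_s(alpha))
    V1 = H2(ID_A, server.ident, X1, X2, hpw)
    reply = server.step_A2(ID_A, X1, V1)                 # request {ID_A, X1, V1}
    if reply is None:
        return None
    Y, V2 = reply                                        # challenge {Y, V2}
    KAB = cheb(rA, Y, N)                                 # T_rA(T_rB(alpha))
    if V2 != H2(server.ident, ID_A, X1, X2, Y, KAB, hpw):
        return None                                      # server not authenticated
    return H3(ID_A, server.ident, X1, Y, KAB), server.session_key


# Constructed toy parameters; a real deployment picks N and alpha as in Sect. 6.1.
TOY_N = 2 ** 127 - 1
TOY_ALPHA = 123456789


def demo():
    server = ServerB(TOY_N, TOY_ALPHA)
    server.register("alice", "correct horse")
    good = login(server, "alice", "correct horse")       # both keys equal
    bad = login(server, "alice", "wrong password")       # rejected in Step A2 -> None
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("keys agree:", good[0] == good[1], "| wrong password accepted:", bad is not None)
```

The server never stores $h_{pw}$ itself, only $VPW_A$, and reconstructs $X_2'$ from $X_1$ with its own key $s$; the user reconstructs the same value as $T_{r_A}(Q)$, which is what the $V_1$ check in Step A2 relies on.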

6.4 Password change phase

Figure 3 shows the password change phase of our scheme. The user $A$ can change the password freely in this phase. To do so, he/she first needs to execute the login and authentication phase with his/her $ID_A$ and old password $PW_A$. After receiving the successful authentication confirmation from the server and sharing the session key $SK$, the user $A$ enters the new password $PW_A^*$ as follows:

Fig. 3 Password change phase of the proposed protocol

Step C1. $A \to B$: $\{PWD, V_3\}$. The user $A$ randomly selects a new password $PW_A^*$, computes $h_{pw}^* = H_1(ID_A \| PW_A^*)$, $PWD = H_1(SK \| ID_A) \oplus h_{pw}^*$ and $V_3 = H_2(SK \| h_{pw}^*)$, and sends $\{PWD, V_3\}$ to the server $B$.

Step C2. $B \to A$: $\{Accept, R_1\}$ or $\{Reject, R_2\}$. Upon receiving the message, the server computes $W = PWD \oplus H_1(SK \| ID_A)$ and checks whether $V_3 = H_1(SK \| W)$. If so, the server accepts the password change request, computes $R_1 = h(Accept \| ID_A \| PWD \| V_3 \| SK)$ and $VPW^* = h(ID_A \| s) \oplus W$, replaces $VPW$ with $VPW^*$, and sends $\{Accept, R_1\}$ back to the user. Otherwise, the server rejects the password change request, computes $R_2 = h(Reject \| ID_A \| PWD \| V_3 \| SK)$ and sends $\{Reject, R_2\}$ back to the user.

Step C3. If the received message is $\{Accept, R_1\}$, $A$ checks whether $R_1 = h(Accept \| ID_A \| PWD \| V_3 \| SK)$. If so, $A$ accepts $PW_A^*$ as the new password. Otherwise, $A$ returns to Step C1, selects another new password and follows the process. If the received message is $R_2 = h(Reject \| ID_A \| PWD \| V_3 \| SK)$, $A$ returns to Step C1 with another new password and follows the process.

7 Security analysis

7.1 Replay attack

Suppose an attacker $E$ intercepts $\{ID_A, X_1, V_1\}$ from $A$ in Step A1 and replays it to impersonate $A$. However, $E$ cannot compute the correct shared secret key $K_{AB} = T_{r_A r_B}(\alpha)$ unless he/she can correctly guess the password $PW_A$ and recover $r_A$ from $T_{r_A}(\alpha)$ or $r_B$ from $T_{r_B}(\alpha)$. When $E$ tries to recover $r_A$ from $T_{r_A}(\alpha)$ or $r_B$ from $T_{r_B}(\alpha)$, he/she faces the CDL problem, which is intractable. On the other hand, suppose $E$ intercepts $\{Y, V_2\}$ from $B$ in Step A2 and replays it to impersonate $B$. The replayed message cannot pass the verification $V_2 = H_2(ID_B \| ID_A \| X_1 \| X_2 \| Y \| K_{AB} \| h_{pw})$, since $r_A$, used to compute $K_{AB}$, is a fresh nonce chosen by $A$ in each session, over which the adversary has no control. Therefore, the proposed scheme can resist the replay attack.

7.2 Stolen-verifier attack

When the attacker $E$ steals the verifier $VPW_A = h(ID_A \| s) \oplus h_{pw}$ from the database of the server, he/she cannot obtain the correct password $PW_A$ from $VPW_A$ without knowing the secret key $s$ of the server, which is a high-entropy number and cannot be guessed by enumeration. Therefore, the proposed scheme is secure against the stolen-verifier attack.

7.3 Denning-Sacco attack

Attacker $E$ may obtain the session key $SK = H_3(ID_A \| ID_B \| X_1 \| Y \| K_{AB})$ for some reason, but he/she cannot obtain the user's secret password $PW_A$ or the server's secret key $s$, because he/she would have to obtain $K_{AB} = T_{r_A r_B}(\alpha)$, which is protected by a hash function.

7.4 Impersonation attack

An adversary $E$ cannot masquerade as the server, because he/she cannot compute $X_2 = T_{r_A}(Q) \bmod N$ without knowing the server's secret key $s$. $E$ also cannot impersonate the user to authenticate to the server, because he/she cannot compute $V_2 = H_2(ID_B \| ID_A \| X_1 \| X_2' \| Y \| K_{BA} \| h_{pw})$ without knowledge of $PW_A$ and the server's secret key $s$. Therefore, the proposed scheme resists the impersonation attack.

7.5 Mutual authentication

In the proposed protocol, $A$ authenticates the server by checking whether $V_2 = H_2(ID_B \| ID_A \| X_1 \| X_2 \| Y \| K_{AB} \| h_{pw})$ in Step A3, because only the server can compute $X_2$ with its private key $s$. Moreover, the server authenticates $A$ by checking whether $V_1 = H_2(ID_A \| ID_B \| X_1 \| X_2' \| h_{pw})$ in Step A2. Obviously, the protocol achieves mutual authentication.

7.6 Password-guessing attack

Password-guessing attacks are divided into online and off-line password-guessing attacks. Online password-guessing attacks can be prevented by limiting the number of login attempts. The attacker $E$ may intercept the messages $\{ID_A, X_1, V_1\}$ and $\{Y, V_2\}$. Then, $E$ could guess a password $PW_A'$. But $E$ cannot verify the correctness of the guessed password without knowing the random $r_A$ or $r_B$, or the server's secret key $s$, since he/she would face the CDH problem; therefore, the adversary cannot execute any off-line guessing attack on our scheme.

7.7 Man-in-the-middle attack

The password $PW_A$ of $A$ and the secret key $s$ of $B$ are used to prevent the man-in-the-middle attack. Therefore, an active adversary $E$ cannot intrude into the communication between $A$ and $B$ to intercept the exchanged data and inject false information.

7.8 Modification attack

An adversary $E$ cannot modify the communicated messages $\{ID_A, X_1, V_1\}$ in Step A1 and $\{Y, V_2\}$ in Step A2, because the server and the user detect such modifications by verifying $V_1$ and $V_2$, respectively.

7.9 Known-key security

In this attack, an adversary who has some previous session keys tries to compute subsequent session keys. Assume that some previous session keys are known to the adversary $E$. This does not give him/her any useful information for computing subsequent session keys, because the short-term private keys $r_A$ and $r_B$ are changed in each session. Note that $E$ cannot obtain $r_A$ from $X_1 = T_{r_A}(\alpha)$ or $r_B$ from $Y = T_{r_B}(\alpha)$, because he/she would face the CDL problem. Therefore, the proposed protocol satisfies known-key security.

7.10 Perfect forward secrecy

Perfect forward secrecy means that if the long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by the trusted entities is not affected. In the proposed protocol, an adversary who knows PWA and s cannot determine the previous session keys, because the long-term private keys are not used for computing the session keys. In addition, the adversary can compute neither rA nor rB from T_rA(α) or T_rB(α), since he/she would have to solve the CDH problem. Therefore, the proposed protocol satisfies perfect forward secrecy.

Table 1 Computation cost of login and authentication phase

                          User   Server   Total
No. of chaotic map          3       3       6
No. of hash function        3       4       7
No. of exclusive or         0       1       1

Table 2 Comparison of computation costs

                                   Xiao et al.'s [27]   Guo and Zhang [31]   Gong et al.'s [40]   Ours
                                   User    Server       User    Server       User    Server       User    Server
No. of chaotic map                   2       2            2       2            2       2            3       3
No. of hash function                 1       1            4       5            3       3            3       4
No. of exclusive or                  0       0            5       7            1       1            0       1
No. of symmetric key encryption      1       1            0       0            0       0            0       0
No. of symmetric key decryption      1       1            0       0            0       0            0       0

Table 3 Comparison of security attributes

                            Xiao et al.'s [27]   Guo and Zhang [31]   Gong et al.'s [40]   Ours
Replay attack               Secure               Secure               Secure               Secure
Man-in-the-middle attack    Secure               Secure               Secure               Secure
Impersonation attack        Insecure             Secure               Secure               Secure
Password-guessing attack    Insecure             Insecure             Insecure             Secure
Stolen-verifier attack      Secure               Secure               Insecure             Secure
Mutual authentication       Not provided         Provided             Provided             Provided
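The arguments in Sects. 7.9 and 7.10 rest on the Chebyshev-map analogue of Diffie–Hellman: each party publishes T_r(α) for a fresh short-term r, the semigroup property T_rA(T_rB(α)) = T_rB(T_rA(α)) = T_rA·rB(α) gives both sides the same value, and only the short-term exponents enter the session key, so leaking a long-term secret or an old session key reveals nothing about other sessions. The Python script below is an added example written for this page, not code from the paper or its authors. It evaluates Chebyshev polynomials over a prime field (the finite-field setting of [41]) in O(log n) time and runs the short-term exchange twice. The modulus P, the seed ALPHA, the SHA-256 key derivation, and the omission of the password PWA, the server secret s and the authentication messages are all assumptions of the example; the paper's full protocol is not reproduced here.

```python
import hashlib
import secrets

# Constructed example parameters (not taken from the paper): a public prime
# modulus and a public seed alpha. Real deployments must choose parameters as
# the finite-field Chebyshev literature prescribes; these are for illustration.
P = (1 << 127) - 1
ALPHA = 123456789


def chebyshev(n, x, p=P):
    """Return T_n(x) mod p, the n-th Chebyshev polynomial evaluated over Z_p.

    Uses the recurrence T_{k+1} = 2x*T_k - T_{k-1} in matrix form,
    [T_{k+1}, T_k] = M^k [T_1, T_0] with M = [[2x, -1], [1, 0]], so the cost is
    O(log n) modular multiplications even when n is on the order of p.
    """
    def mul(a, b):
        return [
            [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
             (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
            [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
             (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p],
        ]

    m = [[(2 * x) % p, p - 1], [1, 0]]   # p - 1 represents -1 mod p
    r = [[1, 0], [0, 1]]
    k = n
    while k:                              # square-and-multiply on the matrix
        if k & 1:
            r = mul(r, m)
        m = mul(m, m)
        k >>= 1
    # Second row of M^n applied to (T_1, T_0) = (x, 1) gives T_n.
    return (r[1][0] * x + r[1][1]) % p


def ephemeral_pair(alpha=ALPHA, p=P):
    """Pick a fresh short-term exponent r and the value T_r(alpha) to publish."""
    r = secrets.randbelow(p - 2) + 2
    return r, chebyshev(r, alpha, p)


def derive_session_key(r, peer_public, p=P):
    """Compute T_r(peer_public) = T_{rA*rB}(alpha) by the semigroup property and
    hash it into a session key (the SHA-256 step is an assumption of this example)."""
    shared = chebyshev(r, peer_public, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_session(alpha=ALPHA, p=P):
    """One exchange between A and B; returns the public transcript and both keys.
    Recovering rA from X1 (or rB from Y) is the CDL problem on the map."""
    rA, X1 = ephemeral_pair(alpha, p)
    rB, Y = ephemeral_pair(alpha, p)
    kA = derive_session_key(rA, Y, p)    # A uses its own rA and B's Y
    kB = derive_session_key(rB, X1, p)   # B uses its own rB and A's X1
    return {"X1": X1, "Y": Y}, kA, kB


if __name__ == "__main__":
    transcript, kA, kB = run_session()
    assert kA == kB
    # A second session draws fresh rA, rB, so a leaked earlier key says nothing
    # about this one, and no long-term secret ever entered the derivation.
    _, kA2, _ = run_session()
    print("keys agree:", kA == kB, "| differ across sessions:", kA != kA2)
```

The same `chebyshev` routine is what an adversary would have to invert to go from X1 back to rA; the script only ever calls it in the forward direction, which is the point of the CDL assumption in Sect. 7.9.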

8 Security and performance comparison

In this section, we evaluate the performance and functionality of our proposed protocol and compare it with some related protocols. Table 1 shows the main computation cost of our scheme. Table 2 shows the performance comparison of our proposed protocol with some other related protocols. We mainly consider the computations of the login and authentication phase and of session key agreement, since these are the principal parts of an authentication protocol and must be executed in every session. Table 2 shows that our improved protocol has almost the same computation cost as Gong et al.'s protocol; the additional hash operation and two additional chaotic map operations are the price of achieving the security and functionality properties.

Table 3 lists the security comparison between our proposed protocol and other related protocols. It shows that our protocol provides all of the listed attributes and is more secure than the other related protocols.

9 Conclusions

In this paper, we have demonstrated some weaknesses of Gong et al.'s protocol. To overcome these weaknesses, we propose an improved protocol based on chaotic maps. Compared with Gong et al.'s protocol, our proposed protocol removes those weaknesses at the cost of a slight increase in computation cost.

References

1. Boyd, C., Mathuria, A.: Protocol for Authentication and Key Establishment. Springer, Berlin (2003)

2. Farash, M.S., Bayat, M., Attari, M.A.: Vulnerability of two multiple-key agreement protocols. Comput. Electr. Eng. 37(2), 199–204 (2011)

3. Farash, M.S., Attari, M.A., Bayat, M.: A certificateless multiple-key agreement protocol without one-way hash functions based on bilinear pairings. IACSIT Int. J. Eng. Technol. 4(3), 321–325 (2012)

4. Farash, M.S., Attari, M.A., Atani, R.E., Jami, M.: A new efficient authenticated multiple-key exchange protocol from bilinear pairings. Comput. Electr. Eng. 39(2), 530–541 (2013)

5. Farash, M.S., Attari, M.A.: A pairing-free ID-based key agreement protocol with different PKGs. Int. J. Netw. Secur. 16(2), 143–148 (2014)


6. Mason, J.C., Handscomb, D.C.: Chebyshev Polynomials. Chapman and Hall/CRC, Boca Raton (2003)

7. Chen, G., Mao, Y., Chui, C.: A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos Solitons Fractals 21(3), 749–761 (2004)

8. Guan, Z.H., Huang, F., Guan, W.: Chaos-based image encryption algorithm. Phys. Lett. A 346, 153–157 (2005)

9. Behnia, S., Akhshani, A., Ahadpour, S., Mahmodi, H., Akhavan, A.: A fast chaotic encryption scheme based on piecewise nonlinear chaotic maps. Phys. Lett. A 366, 391–396 (2007)

10. Gao, T., Chen, Z.: A new image encryption algorithm based on hyper-chaos. Phys. Lett. A 372, 394–400 (2008)

11. Wong, K., Kwok, B., Law, W.: A fast image encryption scheme based on chaotic standard map. Phys. Lett. A 372, 2645–2652 (2008)

12. Wang, X., Yang, L., Liu, R.: A chaotic image encryption algorithm based on perceptron model. Nonlinear Dyn. 62, 615–621 (2010)

13. Wang, X., Wang, X., Zhao, J., Zhang, Z.: Chaotic encryption algorithm based on alternant of stream cipher and block cipher. Nonlinear Dyn. 63(4), 587–597 (2011)

14. Sheu, L.J.: A speech encryption using fractional chaotic systems. Nonlinear Dyn. 65(1–2), 103–108 (2011)

15. Chen, G., Chen, Y., Liao, X.: An extended method for obtaining S-boxes based on three-dimensional chaotic baker maps. Chaos Solitons Fractals 31(3), 571–579 (2007)

16. Wang, Y., Wong, K., Liao, X., Xiang, T.: A block cipher with dynamic S-boxes based on tent map. Commun. Nonlinear Sci. Numer. Simul. 14(7), 3089–3099 (2009)

17. Xiao, D., Liao, X., Deng, S.: One-way hash function construction based on the chaotic map with changeable parameter. Chaos Solitons Fractals 24, 65–71 (2005)

18. Xiao, D., Shih, F., Liao, X.: A chaos-based hash function with both modification detection and localization capabilities. Commun. Nonlinear Sci. Numer. Simul. 15(9), 2254–2261 (2010)

19. Deng, S., Li, Y., Xiao, D.: Analysis and improvement of a chaos-based hash function construction. Commun. Nonlinear Sci. Numer. Simul. 15(5), 1338–1347 (2010)

20. Kocarev, L., Tasev, Z.: Public key encryption based on Chebyshev maps. In: Proceedings of the IEEE Symposium on Circuits and Systems, pp. 28–31 (2003)

21. Bergamo, P., Arco, P., Santis, A., Kocarev, L.: Security of public key cryptosystems based on Chebyshev polynomials. IEEE Trans. Circuits Syst. I Regul. Pap. 52, 1382–1393 (2005)

22. Bose, R.: Novel public key encryption technique based on multiple chaotic systems. Phys. Rev. Lett. 95(9), 098702 (2005)

23. Wang, K., Pei, W., Zhou, L., Cheung, Y., He, Z.: Security of public key encryption technique based on multiple chaotic system. Phys. Lett. A 360, 259–262 (2006)

24. Zhang, L.: Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Solitons Fractals 37, 669–674 (2008)

25. Xiao, D., Liao, X., Wong, K.: An efficient entire chaos-based scheme for deniable authentication. Chaos Solitons Fractals 23(4), 1327–1331 (2005)

26. Alvarez, G.: Security problems with a chaos-based deniable authentication scheme. Chaos Solitons Fractals 26, 7–11 (2005)

27. Xiao, D., Liao, X., Deng, S.: A novel key agreement protocol based on chaotic maps. Inf. Sci. 177, 1136–1142 (2007)

28. Han, S.: Security of a key agreement protocol based on chaotic maps. Chaos Solitons Fractals 38, 764–768 (2008)

29. Han, S., Chang, E.: Chaotic map based key agreement with/out clock synchronization. Chaos Solitons Fractals 39, 1283–1289 (2009)

30. Xiao, D., Liao, X., Deng, S.: Using time-stamp to improve the security of a chaotic maps-based key agreement protocol. Inf. Sci. 178, 1598–1602 (2008)

31. Guo, X., Zhang, J.: Secure group key agreement protocol based on chaotic hash. Inf. Sci. 180, 4069–4074 (2010)

32. Tseng, H., Jan, R., Yang, W.: A chaotic maps-based key agreement protocol that preserves user anonymity. In: IEEE International Conference on Communications, ICC'09, Germany, pp. 1–6 (2009)

33. Niu, Y., Wang, X.: An anonymous key agreement protocol based on chaotic maps. Commun. Nonlinear Sci. Numer. Simul. 16(4), 1986–1992 (2011)

34. Yoon, E.: Efficiency and security problems of anonymous key agreement protocol based on chaotic maps. Commun. Nonlinear Sci. Numer. Simul. 17(7), 2735–2740 (2012)

35. Lee, C., Chen, C., Wu, C., Huang, S.: An extended chaotic maps-based key agreement protocol with user anonymity. Nonlinear Dyn. 69(1–2), 79–87 (2012)

36. He, D., Chen, Y., Chen, Y.: Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dyn. 69(3), 1149–1157 (2012)

37. Xue, K., Hong, P.: Security improvement on an anonymous key agreement protocol based on chaotic maps. Commun. Nonlinear Sci. Numer. Simul. 17(7), 2969–2977 (2012)

38. Chen, T., Wang, B., Tu, T., Wang, C.: A security-enhanced key agreement protocol based on chaotic maps. Secur. Commun. Netw. (2012). doi:10.1002/sec.537

39. He, D., Khan, M.K.: Cryptanalysis of a key agreement protocol based on chaotic hash. Int. J. Electron. Secur. Digit. Forensics 5(3/4), 172–177 (2013)

40. Gong, P., Li, P., Shi, W.: A secure chaotic maps-based key agreement protocol without using smart cards. Nonlinear Dyn. (2012). doi:10.1007/s11071-012-0628-3

41. Li, Z., Cui, Y., Jin, Y., Xu, H.: Parameter selection in public key cryptosystem based on Chebyshev polynomials over finite field. J. Commun. 6(5), 400–408 (2011)
