1 Introduction

Single-server user authentication can no longer meet growing application demand, as service demands keep expanding with time. Multi-server authentication should not be underestimated in this regard, because a single registration with a Registration Centre (RC) enables the user to avail multiple services from a range of servers in a network. Earlier, with single-server authentication, a user had to seek out and register with every server individually to avail the respective services. The majority of single-server authentication schemes restrict the number of services offered by a network. The multi-server concept relieves the user of more than one authentication with its corresponding server, as the subscriber needs to re-login with its related server using the same password and parameters. Remote internet authentication often entails such multi-server authentication, which further underscores the importance of the performance and robustness of these protocols. The multi-server scenario consists of three entities, i.e., user, server and Registration Centre. The user registers with RC and avails the services of available servers by getting authenticated from RC.

Generally, a user communicates over a public network, where an adversary can intercept publicly available messages and easily modify, delete or replay them to launch an attack. This vulnerability of an insecure channel requires authentication protocols to be technically robust in every security aspect, yet light-weight enough to run on low-end devices. Authentication schemes have evolved from low-computation techniques (hash, XOR, etc.) to high-computation techniques (modular exponentiation, scalar multiplication, chaotic maps, symmetric cryptosystems, etc.) encompassing complex cryptography. Researchers have continuously worked on light-weight cryptographic techniques that cater to low-end devices as well. Besides these light-weight and robust cryptographic tools, academia also needs to focus on minimizing communication latency and round-trip delay, because messages have to traverse various nodes in the physical network infrastructure on the way to their destination, which adds transmission and propagation delay. Hence, we need to bring down the communication cost as well as make the authentication protocols computation-efficient.

Multi-server authentication (MSA) protocols let a user register at the registration centre and ease the requirement for recurring authentication [15]. These protocols can be sorted into three phases, described below.

Creative phase. This phase covers the early contribution put forward by Li et al. [6]. Thereafter, Lin et al. [7] commented that the Li et al. scheme is inefficient because training neural networks takes a long time. Lin et al. then presented their scheme based on the ElGamal digital signature.

Development phase. Research, being a continuous activity, makes its way through various developments. In this regard, Tsai [8] proposed a one-way hash function-based multi-server authentication scheme without a stored verification table. Although it was a low-cost scheme owing to its low-cost operations in the distributed network architecture, it was found susceptible to privileged insider and server-spoofing attacks, and to the compromise of perfect forward secrecy.

Diversification phase. The focus of research in almost every authentication domain, including MSA, has now shifted to functionality-based techniques. Hence we see identity-based MSA techniques, dynamic identity-based MSA protocols, bilinear pairing or elliptic curve cryptography (ECC) based MSA schemes [9, 10], chaotic map-based MSA schemes [11, 12], along with other protocols as well [13–15].

Lately, many MSA schemes [16–21] have been based on smart cards, biometrics and anonymity. In this context, Liao and Wang [16] proposed a dynamic-ID-based authentication protocol, which was challenged by Hsiang and Shih [18] for being prone to insider and masquerading attacks, and for lacking mutual authentication. Hsiang and Shih then proposed an improved model. Following this, a few more schemes were presented for MSA [22–24]. To overcome the weaknesses of these schemes, further schemes were presented based on biometric two-factor authentication [25–27]. However, these protocols also suffer from weaknesses such as lack of efficiency and anonymity. Thereafter, Chuang and Chen [28] presented a multi-server authentication protocol focusing on privacy. Then, Hao et al. [29] launched spoofing and impersonation attacks on [28], and the scheme could not maintain perfect forward secrecy. In return, Hao et al. presented an improved model in the wake of the above-mentioned flaws. However, Hao et al.’s scheme suffers from a replay attack and also lacks mutual authentication. All of these MSA schemes suffer from various kinds of attacks in one form or another.

Recently, we have scrutinized a few state-of-the-art MSA schemes [9–12], and we observe that these schemes are designed in a manner that engages RC in each mutual authentication of a session, hence increasing the number of round-trips and, ultimately, the communication delay. We propose a cost-efficient MSA protocol based on the Chebyshev chaotic map that reduces the communication delay from 3–5 round-trips to 2, and also restrains revoked users by maintaining a Certificate Revocation List (CRL) on the RC’s end.

The rest of this paper is organized as follows. Sect. 2 describes the preliminaries related to cryptographic techniques. Sect. 3 reviews the schemes incurring drawbacks. Sect. 4 presents our proposed model. Sect. 5 exhibits the security analysis and performance analysis. Lastly, Sect. 6 concludes the findings.

2 Preliminaries

This section gives an overview of the Chebyshev chaotic map and elliptic curve cryptography, which are utilized by most of the current schemes.

2.1 Chebyshev chaotic maps

Chaotic map-based authentication protocols appear in the research literature, and these chaotic-encryption-based techniques are still being adopted as a tradeoff between security and computational cost. A few chaotic map variants, i.e., symmetric, asymmetric, and one-way hash functions, are used in cryptography; however, most chaotic map-based techniques follow symmetric cryptosystems [30]. For better understanding, some properties of the Chebyshev polynomial and chaotic maps [31] are defined below:

Definition 1

To describe the first property of the Chebyshev polynomial, let n be an integer and x a variable in the interval \([-1, 1]\). The Chebyshev polynomial \(T_{n}(x): [-1, 1] \rightarrow [-1, 1]\) is defined as \(T_{n}(x) = \cos(n \arccos(x))\).

The recurrence relation can be used to define the Chebyshev polynomial map \(T_{n}: R \rightarrow R\) of degree n, and the Chebyshev polynomial meets the recursive relationship in Eq. (1), provided \(n \ge 2\), \(T_{0}(x)=1\), and \(T_{1}(x)=x\).

$$T_{n}(x) = 2x\,T_{n-1}(x) - T_{n-2}(x) \tag{1}$$

The first few Chebyshev polynomials are listed below:

$$\begin{aligned} T_{2}(x) &= 2x^{2}-1 \\ T_{3}(x) &= 4x^{3}-3x \\ T_{4}(x) &= 8x^{4}-8x^{2}+1 \end{aligned} \tag{2}$$

Definition 2

(The chaotic feature) For the second property of the Chebyshev polynomial, let \(n \ge 1\). The Chebyshev polynomial map \(T_{n}(x): [-1,1] \rightarrow [-1,1]\) of degree n is a chaotic map with invariant density \(f^{*}(x) = 1/(\pi \sqrt{1-x^{2}})\) for positive Lyapunov exponent \(\ln n\).

Definition 3

(The semi-group feature [24]) The third property, the semi-group feature of the Chebyshev polynomial, can be defined on the interval \([-\infty ,+\infty ]\) as below:

$$T_{n}(x) = \left( 2x\,T_{n-1}(x) - T_{n-2}(x) \right) \bmod p \tag{3}$$

Here \(n \ge 2\), \(x \in [-\infty , +\infty ]\), and p is a large prime number. In addition,

$$T_{a}(T_{b}(x)) \equiv T_{ab}(x) \equiv T_{ba}(x) \equiv T_{b}(T_{a}(x)) \bmod p \tag{4}$$

Definition 4

[Chaotic map-based discrete logarithm problem (CMDLP)] It is a hard problem to locate s, such that \({T}_\mathrm{s} \left( \mathrm{a} \right) {=b}\).

Definition 5

[Chaotic map-based Diffie–Hellman problem (CMDHP)] It is a hard problem to compute \(T_{ab}(x)\), given that \(T_{a}(T_{b}(x)) = T_{ab}(x)\) or \(T_{b}(T_{a}(x)) = T_{ba}(x)\).
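The following added example (not code from the paper or from any of the reviewed schemes) evaluates the extended Chebyshev polynomial of Eq. (3) in O(log n) steps, checks the semi-group property of Eq. (4), and uses it for a two-party key agreement of the form \(T_{a}(T_{b}(x)) = T_{b}(T_{a}(x))\). The modulus `P`, the seed `X` and all function names are assumptions chosen for the demonstration.

```python
"""Extended Chebyshev polynomial over Z_p: Eq. (3), Eq. (4) and a key agreement."""
import secrets

# Constructed demo parameters (assumptions, not values from the paper).
P = 2**127 - 1            # a Mersenne prime used as the modulus p
X = 0x1234567890ABCDEF    # public seed x


def chebyshev_recurrence(n, x, p):
    """T_n(x) mod p by iterating Eq. (3) directly; O(n), kept as a reference."""
    if n == 0:
        return 1 % p
    t_prev, t_cur = 1 % p, x % p
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def _mat_mul(m1, m2, p):
    """Product of two 2x2 matrices stored as (a, b, c, d), reduced mod p."""
    a, b, c, d = m1
    e, f, g, h = m2
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def chebyshev(n, x, p):
    """T_n(x) mod p in O(log n) multiplications.

    Eq. (3) in matrix form: [T_n, T_{n-1}] = M^(n-1) [T_1, T_0]
    with M = [[2x, -1], [1, 0]], T_1 = x and T_0 = 1.
    """
    if n == 0:
        return 1 % p
    result = (1, 0, 0, 1)                  # identity matrix
    base = (2 * x % p, -1 % p, 1, 0)       # M reduced mod p
    e = n - 1
    while e:                               # square-and-multiply on M
        if e & 1:
            result = _mat_mul(result, base, p)
        base = _mat_mul(base, base, p)
        e >>= 1
    return (result[0] * x + result[1]) % p


def keygen(x, p):
    """Random private degree s and the public value T_s(x) mod p."""
    s = secrets.randbelow(p - 3) + 2       # s in [2, p-2]
    return s, chebyshev(s, x, p)


def session_key(own_secret, peer_public, p):
    """T_own(T_peer(x)) mod p, equal to T_{own*peer}(x) by Eq. (4)."""
    return chebyshev(own_secret, peer_public, p)


def demo():
    """Both sides derive the same value from each other's public value."""
    a, t_a = keygen(X, P)                  # user side: a and T_a(x)
    b, t_b = keygen(X, P)                  # server side: b and T_b(x)
    return session_key(a, t_b, P), session_key(b, t_a, P)


if __name__ == "__main__":
    k_user, k_server = demo()
    print("session keys match:", k_user == k_server)
```

Since \(T_{n}(x) = (y^{n} + y^{-n})/2\) for \(x = (y + y^{-1})/2\), recovering n from \(T_{n}(x) \bmod p\) is no harder than a discrete logarithm in \(F_{p}\) or \(F_{p^{2}}\), so p has to be sized like a discrete-log modulus; the 127-bit prime here is for demonstration only.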

2.2 Elliptic curve cryptography (ECC)

ECC-based security, as introduced by Koblitz [32], provides an efficient cryptographic tool compared to earlier conventional techniques such as RSA (Rivest–Shamir–Adleman), DH (Diffie–Hellman) and DSA (Digital Signature Algorithm). This technique provides an equivalent level of security with far smaller key sizes, i.e., a 160-bit key in ECC provides a level of security equivalent to a 1024-bit key in RSA-based cryptography. This light-weight cryptographic tool is an important candidate for use in state-of-the-art authentication protocols, as it employs point multiplication and addition operations instead of the expensive exponentiation operations employed in RSA.

Some mathematical operations are defined over the elliptic curve equation \(E_{p}(a,b): y^{2} = x^{3} + ax + b \pmod{p}\) with \(4a^{3} + 27b^{3} \ne 0 \pmod{p}\), where \(a, b \in F_{p}\) and p is a large prime number. The values a, b define the elliptic curve, and the points (x, y) that satisfy the former equation, together with a point at infinity, lie on this elliptic curve. Scalar multiplication is implemented using repeated additions as \(vP = P + P + \cdots + P\) (v times), given a point P and an integer \(v \in F^{*}_{p}\). All other domain parameters like (p, a, b, G, h and n) belong to the finite field \(F^{*}_{p}\). E is an abelian group and the point at infinity serves as the identity element of this group. Here, we define some of the security terms needed to grasp this research work.

  1.

    Term 1. The computational Diffie–Hellman problem (CDHP) is defined as: given three points P, aP, bP where \(a, b \in F^{*}_{p}\), it is intractable to compute abP.

  2.

    Term 2. The elliptic curve discrete logarithm problem (ECDLP) is defined as: given a point Q = aP on the elliptic curve, it is intractable to compute \(a \in F^{*}_{p}\), assuming two points Q and P over E(ab).

  3.

    Term 3. The elliptic curve factorization problem (ECFP) is defined as: it is hard to find either of these values, i.e., aP or bP, assuming two points P and Q = aP + bP over E(ab), where \(a, b \in F^{*}_{p}\).

3 Review of MSA protocols

This section covers the reviews, working, and drawbacks of recently presented MSA techniques.

3.1 Review of Shen et al. protocol

The review of Shen et al. protocol elaborates the working and drawbacks for the scheme as defined under:

3.1.1 Working of Shen et al. protocol [9]

The Shen et al. scheme [9] consists of three phases: registration, login, and authentication phase. These phases are described as under:

  (a)

    The server registration phase. The Shen et al. scheme assumes one trusted RC and n trusted servers Sj, where \({j}=1{\ldots }n\). Sj is already registered with RC by sharing a secret Xj between both entities (RC and Sj) using a secure channel. Initially, the server Sj sends its identity SIDj to RC. RC then computes \(Xj= h(SIDj {\vert }{\vert } y)\) and sends it to Sj using a secure channel. Here, y acts as the RC master secret.

  (b)

    The user registration phase. In this phase, Ui registers with RC, while Sj has already been registered with RC. Thereafter, Ui can access all Sj servers. RC performs the following steps with Ui:

    1.

      Ui selects identity IDi and password PWi. Next, it generates a random number ni, imprints its biometric impression Bi, and sends \(\{IDi, Bi, h( PWi{\vert }{\vert } Bi {\vert }{\vert } ni)\}\) to RC.

    2.

      RC computes \(Xi=h(IDi {\vert }{\vert } x) \times P\), \(Ui=Xi \oplus h( PWi{\vert }{\vert } Bi {\vert }{\vert } ni)\), and stores \(\{Ui, Bi, d(), \upsilon , h()\}\) in the smart card. Next, it sends the SC carrying \(\{Ui, Bi, d(), \upsilon , h()\}\). Here, P acts as the generator, \(\upsilon \) is the threshold, d() is the symmetric parametric function, and the symbol ‘\(\times \)’ represents point multiplication.

    3.

      Ui receives the SC and additionally stores ni in it.

  (c)

    The login and authentication phase

    1.

      In this phase, Ui uses the SC to get authenticated access to Sj. For this purpose, Ui inputs its Bi’ and verifies \(d(Bi, Bi') <\upsilon \). If the outcome of this function does not exceed the threshold, the SC accepts the biometric Bi’ input by Ui. Next, Ui inputs IDi and PWi, and generates a random number a. Further, it computes \(Xi = Ui \oplus h( PWi{\vert }{\vert } Bi {\vert }{\vert } ni), A=a \times P, A' = a \times Xi, C_{1} = h(IDi {\vert }{\vert } A {\vert }{\vert } A')\). Finally, it sends the message \(m_{1} =\{ IDi, A, C_{1}\}\) towards Sj.

    2.

      The Sj receives \(m_{1} =\{ IDi, A, C_{1}\}\) and generates a random number b and compute \(Z=b \times P, C_{2}= h(IDi {\vert }{\vert } A {\vert }{\vert } C_{1}{\vert }{\vert } Xj{\vert }{\vert } Z ).\) Sj sends the message \(m_{2}=\{ IDi, A, C_{1}, SIDj, Z, C_{2}\}\) to RC for further verification.

    3.

      The RC receives the message \(m_{2}=\{ IDi, A, C_{1}, SIDj , Z, C_{2}\}\) and computes \(C_{1}'= h(IDi {\vert }{\vert } A {\vert }{\vert } h(IDi {\vert }{\vert }x) \times A)\) and \(C_{2}'= h(IDi {\vert }{\vert } A {\vert }{\vert } C_{1} {\vert }{\vert } h(SIDj{\vert }{\vert } y){\vert }{\vert } Z ).\) It compares the equations \(C_{1}' ?= C_{1 }\) and \(C_{2}' ?= C_{2}\) and checks the authentication of both user and Sj. If found positive, then further computes \(V=h( h( SIDj {\vert }{\vert } y) {\vert }{\vert } Z {\vert }{\vert } A), W=h( SIDj {\vert }{\vert } Z {\vert }{\vert } A {\vert }{\vert } h(IDi {\vert }{\vert }x) \times A), C_{3} = W \oplus V \), and \(C_{4} = h( W {\vert }{\vert } V {\vert }{\vert } IDi).\) Finally, it sends the message \(m_{3} = \{ C_{3}, C_{4} \}\) to Sj for verification.

    4.

      The Sj receives the message \(m_{3} =\{ C_{3}, C_{4} \}\) and computes \(V' =h( Xj {\vert }{\vert } Z {\vert }{\vert } A), W' = C_{3}\oplus V', C_{4}' = h( W' {\vert }{\vert } V' {\vert }{\vert } IDi),\) and compares the equality \(C_{4}' ?= C_{4}\). On equality match, it further computes \(SKj=b \times A, V=h( h( SIDj {\vert }{\vert } y) {\vert }{\vert } Z {\vert }{\vert } A)\), and \(C_{5} = h( IDi {\vert }{\vert } SIDj{\vert }{\vert } SKj {\vert }{\vert }W')\). It then sends the message \(m_{4} =\{ Z, C_{5} \}\) to user.

    5.

      The user Ui receives the message \(m_{4} =\{ Z, C_{5} \}\) and computes \(W'' =h( SIDj {\vert }{\vert } Z {\vert }{\vert } A {\vert }{\vert } A'), SKi=a \times Z, C_{5}' = h( IDi {\vert }{\vert } SIDj{\vert }{\vert } SKi {\vert }{\vert }W'')\). Next, it checks the equality \(C_{5}' ?= C_{5}\) and, on positive verification, computes \(C_{6} =h(W'' {\vert }{\vert } SKi {\vert }{\vert } Z)\), and finally sends the message \(m_{5} =\{ C_{6} \}\) to Sj.

    6.

      The Sj receives \(m_{5} =\{ C_{6} \}\) and computes \(C_{6} ' =h(W'' {\vert }{\vert } Ski {\vert }{\vert } Z)\), and matches the equality \(C_{6}' ?= C_{6}\). If this comes true, then it establishes the final session key as \(SKi = SKj= a \times Z= b \times A=ab \times P\).

3.1.2 Inefficiencies and flaws of the Shen scheme

The Shen et al. protocol presents a multi-server authentication scheme based on the ECC technique. However, this scheme does not provide anonymity to the user. Secondly, the scheme involves RC in each mutual authentication of a session, which renders it too expensive because of the extra round-trips this adds to the protocol. Computational resources have been becoming ever more powerful with time in comparison with the infrastructure responsible for transporting messages; thus, there is a need to design a scheme that limits RC’s involvement to the registration phase and excludes it from the later login and authentication procedures. This would significantly reduce the round-trip latency of authentication messages on the insecure channel.

3.2 Review of Tsai et al. protocol

The review of Tsai et al. protocol elaborates the working and drawbacks for the scheme as defined under:

3.2.1 Working of Tsai et al. protocol [10]

The Tsai et al. scheme [10] consists of three phases: registration, login, and authentication phase. These phases are described as under:

  (a)

    The server registration phase. The Tsai et al. scheme consists of one trusted RC and n trusted servers Sj, where \({j}=1{\ldots }n\). Sj is already registered with RC by sharing a secret Rj between both entities (RC and Sj) using a secure channel. Initially, the server Sj sends its identity SIDj to RC. RC then computes Rj = h(s, SIDj) and sends it to Sj using a secure channel. Here, s acts as the master key of RC.

  (b)

    The user registration phase. In this phase, Ui registers with RC, while Sj has already been registered with RC. Consequently, Ui can access all Sj servers. RC performs the following steps with Ui:

    1.

      The Ui selects identity IDi and password PWi. Next, it generates a random number n and sends \(\{ ID_{i}, h( IDi , PWi, n)\}\) to RC.

    2.

      RC computes \(CIDi = (IDi, r)\oplus h( s), Ri=h(IDi, s) \oplus h ( IDi, PWi, n)\) and stores \(\{CIDi, Ri, h()\}\) in smart card. Next, it sends the SC to Ui. Here, r acts as a random number generated by RC.

    3.

      Ui receives the SC and additionally stores n in it.

  (c)

    Login and authentication phase

    1.

      In this phase the Ui computes \(h(IDi {\vert }{\vert } s)=Ri \oplus {h} ( IDi, PWi, n), q = h(h(ID, s), CIDi, SIDj), C_{1} = h(CIDi, SIDj, h(IDi, s)) \oplus T_{a}(q)\), and \(V_{1} = h(CIDi, SIDj, h(IDi, s), T_{a}(q))\). Next, it sends the message \(\{CIDi, SIDj, C_{1}, V_{1} \}\) to Sj.

    2.

      The Sj receives \(\{CIDi, SIDj, C_{1}, V_{1} \}\) and compute \(V_{2} = h(CIDi, SIDj, C_{1},V_{1}, Rj )\), and sends the message \(\{CIDi, SIDj, C_{1}, V_{1}, V_{2} \}\) to RC for further verification.

    3.

      RC receives the message \(\{CIDi, SIDj, C_{1}, V_{1}, V_{2} \}\) and computes \((IDi, r)= CIDi \oplus h( s), h(IDi, s),q = h(h(ID, s), CIDi, SIDj), T_{a} (q)= h(CIDi, SIDj, h(IDi, s))~\oplus ~C_{1}, Rj = h(SIDj, s), V_{1}' = h(CIDi, SIDj, h(IDi, s), T_{a}(q))\), and \(V_{2}' = h(CIDi, SIDj, C_{1}, V_{1}, Rj )\). Next, it checks the equalities \(V_{1} ' ?= V_{1}, V_{2} ' ?= V_{2}\). If true, it further computes \(CIDi ' = (IDi, r') \oplus h( s), V_{3} = (IDi, q, T_{a}(q)) \oplus h(SIDj, Rj, CIDi, V_{1}, V_{2}), V_{4} = CIDi ' \oplus h(h(ID, s), CIDi, IDi), V_{5}=h(SIDj, IDi, Rj, q, V_{3}, V_{4})\), and finally sends the message \(\{V_{3}, V_{4}, V_{5} \}\) to Sj for verification.

    4.

      The Sj computes \((IDi, q, T_{a}(q)) = V_{3}~\oplus ~h(SIDj, Rj, CIDi, V_{1}, V_{2}), V_{5}'~=~h(SIDj, IDi, Rj, q, V_{3}, V_{4})\), and compares the values \(V_{5}' ?~=~ V_{5}\). If successful, then compute \(V_{6} ~=~q~\oplus ~T_{b} (q), SKj = h(T_{ba}(q)), V_{7}~=~h(SKj, q, T_{b}(q), V_{4}, V_{6} )\), and sends the message \(\{V_{4}, V_{6}, V_{7} \}\) to Ui for verification.

    5.

      The user Ui, receives the message \(\{V_{4}, V_{6}, V_{7} \}\), and computes \(CIDi' = V_{4}~\oplus ~h(h(ID, s), CIDi, IDi), T_{b}(q)~=~q~\oplus ~V_{6}, SKi~=~ h(T_{ab}(q)), V_{7}'~= h(SKi, q, T_{b}(q), V_{4}, V_{6} )\). It then compares \(V_{7}' ?~=~ V_{7}\). If found true, computes \(V_{8} ~=~h(CIDi, Ski, q, V_{4}, T_{b}(q))\), and sends \(\{ V_{8}\}\) to Sj for final verification.

    6.

      The Sj computes \(V_{8} '~=~h(CIDi, Skj, q, V_{4}, T_{b}(q))\), and matches the equality \(V_{8}' ?~=~ V_{8}\). If this comes true, then it establishes the final session key as \(Ski~=~ SKj~=~ h(T_{ab} (q))~=~ h(T_{ba}(q))\).

3.2.2 Inefficiencies and flaws of the Tsai et al. scheme

The Tsai et al. protocol presents a multi-server authentication scheme based on chaotic map technique. The Tsai scheme also engages RC in each mutual authentication of a session that adds communication delay for the extra round-trips. The scheme’s communication delay can be minimized if we eliminate the RC entity for the login and authentication phases in the protocol, however, with a bit extra computational cost, as shown in Table 3.

3.3 Review of Jiang et al. protocol

The review of Jiang et al. protocol elaborates the working and drawbacks for the scheme as defined under:

3.3.1 Working of Jiang et al. protocol [11]

The Jiang et al. scheme [11] consists of three phases: registration, login, and authentication phase. These phases are described as under:

(a) Server registration phase

The Jiang et al. scheme assumes one trusted RC and n number of trusted servers Sj, where \({j}~=~1{\ldots }n\) in a network. The Sj gets registered with RC by sharing two secret values between both of the entities (RC and Sj) using a secure channel. Initially, RC generates a master key s and random secret t. Next, the server Sj sends its identity SIDj to RC. RC, then, computes \(h(SIDj {\vert }{\vert } t)\) and \(h(s {\vert }{\vert } t)\). Now, RC sends both of these computed parameters to Sj using a secure channel.

(b) The user registration phase

In this phase Ui registers with RC, while Sj has already been registered with RC. Thus, Ui can access all Sj servers. RC performs with Ui the following steps:

  1.

    Ui selects identity IDi and password PWi. Next, it generates a random number r and a biometric impression Bi, and computes \(TPWi~=~h(PWi {\vert }{\vert } h(IDi){\vert }{\vert } r)\). Next, it sends \(\{IDi, TPWi, Bi\}\) to RC.

  2.

    RC computes \(A~=~h(IDi {\vert }{\vert }s), B~=~A \oplus TPWi, C~=~B \oplus h(s), Gen(Bi)~=~(R, Q), D~=~h(IDi {\vert }{\vert } TPWi {\vert }{\vert } R), E~=~B \oplus h(t), M~=~A \oplus h(s), Temp~=~Enc_{H(IDi)} (template)\) and stores \(\{C, D, E, h(), Temp\}\) in smart card and sends it to Ui. Where, Gen, Rep functions are fuzzy extractors, and the template function is used for biometric verification.

  3.

    Ui receives the SC and stores random value r additionally.

(c) Login and authentication phase

  1.

    In this phase, Ui uses the SC to get authenticated access to Sj. For this purpose, Ui inputs IDi, PWi, Bi and obtains the template. Then it computes \(TPWi~=~h(PWi {\vert }{\vert } h(IDi) {\vert }{\vert }r), R~=~Rep(Bi, Q)\), and \({D^*}~=~h(IDi {\vert }{\vert } TPWi {\vert }{\vert } R)\). Next, it checks the equality \({D^*} ?~=~ D\). If successful, it generates a random number x and computes xP using point multiplication (ECC). Further, it computes \(M~=~TPWi \oplus C, N~=~TPWi \oplus E, P_{1}~=~M \oplus SIDj, P_{2}~=~N \oplus xP, P_{3}~=~h(P_{1} {\vert }{\vert } P_{2} ), T~=~h(M {\vert }{\vert } SIDj), CIDi~=~TPWi \oplus h(M{\vert }{\vert } xP)\) and \(Wij ~=~h(TPWi {\vert }{\vert } SIDj)\). Finally, it sends the message \(\{ CIDi, Wij, xP, P_{3}, T\}\) to Sj for verification.

  2.

    The Sj receives \(\{ CIDi, Wij, xP, P_{3}, T\}\) and compute \(V_{1} ~=~h(CIDi {\vert }{\vert } xP)\), and stores \((CIDi, V_{1})\)  to resist replay attack and Man-in-the-Middle attack, in future. Next, it generates a random number y and yP. Then it computes \(P_{4} = h(h(SIDj {\vert }{\vert } t) {\vert }{\vert } h(s {\vert }{\vert } t)) \oplus yP\), and sends the message \(\{T, xP, P_{3}, yP, P_{4} \}\) to RC for Ui’s verification.

  3.

    The RC receives the message \(\{T, xP, P_{3}, yP, P_{4}\}\) and computes \(M'~=~A \oplus h(s), P_{1}'~=~M' \oplus SIDj, P_{2}'~=~A \oplus h(t) \oplus xP, P_{3}'~=~h(P_{1}' {\vert }{\vert } P_{2}'), P_{4}'~=~h(h(SIDj {\vert }{\vert } t) {\vert }{\vert } h(s {\vert }{\vert } t)) \oplus yP\). Next, it checks the equality \(P_{3}' ?~=~ P_{3},\) and \(P_{4}' ?= P_{4}\) to authenticate user and server. If successful, then compute \(P_{5} ~=~h(h(SIDj {\vert }{\vert } t) {\vert }{\vert } yP \oplus xP, P_{6} = h(M' {\vert }{\vert } xP) \oplus yP, P_{7}~=~P_{5} ~\oplus P_{6}\) and \(P_{8}~=~h(P_{5} {\vert }{\vert } P_{6})\). Finally, it sends the message \(\{ P_{7}, P_{8} \}\) to Sj.

  4.

    The Sj receives the message \(\{P_{7}, P_{8} \}\) and computes \(P_{5} '~=~h(h(SIDj {\vert }{\vert } t) {\vert }{\vert } yP \oplus xP, P_{6} ' = h(M' {\vert }{\vert } xP) \oplus yP, P_{8}'~=~h(P_{5} ' {\vert }{\vert } P_{6}')\), and checks the equality \(P_{8}' ?= P_{8}\) for authenticating RC. If successful, then further compute \(RPWi' = P_{6}'~\oplus ~CIDi~\oplus ~yP, Wij' = h(TPWi {\vert }{\vert } SIDj)\), and checks again the equation \(Wij' ?~=~ Wij\). Then it computes \(SK = y(xP), P_{9} ~=~h(CIDi {\vert }{\vert } SIDj {\vert }{\vert } SK {\vert }{\vert } P_{6}')\), and sends the message \(\{P_{9}, yP\}\) to Ui for verification.

  5.

    The user Ui receives the message \(\{P_{9}, yP\}\) and computes \(P_{6} '' = CIDi \oplus TPWi \oplus yP, SK = x(yP)\) and \(P_{9}'~=~h(CIDi {\vert }{\vert } SIDj {\vert }{\vert } SK {\vert }{\vert } P_{6}'')\). Finally, it checks the equality \(P_{9}' ?~=~ P_{9}\). If the equality holds, it establishes the session key as \(SK ~=~ x(yP)\).

3.3.2 Inefficiencies and flaws of the Jiang et al. scheme

The Jiang et al. protocol presents a multi-server authentication scheme based on chaotic map technique. The limitations of the scheme are given below.

  (a)

    The Jiang scheme does not provide resistance to location traceability, as the two parameters T and Wij in the login request \(\{CIDi, Wij, xP, P_{3}, T\}\) remain the same for all sessions.

  (b)

    Secondly, it engages RC in each mutual authentication of a session that adds communication delay for the extra round-trips. The scheme’s communication latency can be minimized if we eliminate the RC entity for the login and authentication phase of mutual authentication.

  (c)

    Lastly, the Jiang et al. scheme stores the verifiers in RC’s database. Assuming the attacker is a malicious legal insider, it could launch a stolen-verifier attack on both ends, i.e., it could impersonate the user as well as the server.

    1.

      On the user side, if it steals the \(\{A,T\}\) verifiers from RC’s database, it could construct this login request message \(\{CIDi, Wij, xP, P_{3}, T\}\) successfully. For being a legal user, this adversary could construct M by using the stolen A. Then, it derives TPWi from previous CIDi and further computes \(P_{1}~=~M \oplus SIDj, N~=~TPWi \oplus E\). Next, it assumes random number x, computes \(P_{2}~=~N \oplus xP, P_{3}~=~h(P_{1} {\vert }{\vert } P_{2} ),T~=~h(M {\vert }{\vert } SIDj), CIDi~=~TPWi \oplus h(M{\vert }{\vert } xP)\) and \(Wij ~=~h(TPWi {\vert }{\vert } SIDj)\). Finally sends the \(\{CIDi, Wij, xP, P_{3}, T\}\) successfully.

    2.

      On the server side, it could impersonate the user through sending the manufactured {P9, yP} message by constructing \(P_{9} ~=~h(CIDi {\vert }{\vert } SIDj {\vert }{\vert } SK {\vert }{\vert } P_{6}')\) after having calculated \(P_{6}' ~=~ h(M' {\vert }{\vert } xP) \oplus yP\) by assuming yP.
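Limitation (a) can be checked mechanically during a design review by building the login request for several sessions and comparing the fields. The block below is an added example, not code from Jiang et al. or from this paper; it assumes SHA-256 for h(), a random 32-byte string as a stand-in for the fresh EC point xP, a fixed-width identity encoding, and constructed users and secrets, and its function names are hypothetical.

```python
"""Which fields of the Jiang et al. login request {CIDi, Wij, xP, P3, T} repeat?"""
import hashlib
import secrets
from collections import defaultdict

FIELDS = ("CIDi", "Wij", "xP", "P3", "T")


def h(*parts):
    """h(a || b || ...); SHA-256 is an assumption, the paper only names h()."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def encode_id(identity):
    """Fixed 32-byte encoding so SIDj can be XORed with hash outputs (assumption)."""
    return identity.encode().ljust(32, b"\x00")


def card_values(IDi, PWi, s, t):
    """Values the user recovers at login: M = A xor h(s), N = A xor h(t), TPWi.

    Follows the registration phase: A = h(IDi || s), B = A xor TPWi,
    C = B xor h(s), E = B xor h(t), so M = TPWi xor C and N = TPWi xor E.
    """
    r = secrets.token_bytes(16)            # random r, fixed after registration
    TPWi = h(PWi.encode(), h(IDi.encode()), r)
    A = h(IDi.encode(), s)
    return xor(A, h(s)), xor(A, h(t)), TPWi


def login_request(M, N, TPWi, SIDj):
    """Fields of the login request as defined in step 1 of the login phase."""
    sid = encode_id(SIDj)
    xP = secrets.token_bytes(32)           # stand-in for the fresh point xP
    P1 = xor(M, sid)
    P2 = xor(N, xP)
    return {"CIDi": xor(TPWi, h(M, xP)), "Wij": h(TPWi, sid), "xP": xP,
            "P3": h(P1, P2), "T": h(M, sid)}


def static_fields(requests):
    """Names of fields whose value is identical in every request."""
    first = requests[0]
    return {f for f in FIELDS if all(r[f] == first[f] for r in requests)}


def link_sessions(requests):
    """Group request indices by their (T, Wij) pair; one group per user and server."""
    groups = defaultdict(list)
    for i, r in enumerate(requests):
        groups[(r["T"], r["Wij"])].append(i)
    return sorted(groups.values())


def simulate(users=("alice", "bob"), sessions=3, server="S1"):
    """Constructed traffic: every user logs in `sessions` times, interleaved."""
    s, t = secrets.token_bytes(32), secrets.token_bytes(32)   # RC secrets s, t
    cards = [card_values(u, "pw-" + u, s, t) for u in users]
    return [login_request(*card, server)
            for _ in range(sessions) for card in cards]


if __name__ == "__main__":
    one_user = simulate(users=("alice",), sessions=5)
    print("fields that never change:", sorted(static_fields(one_user)))
    print("sessions grouped by (T, Wij):", link_sessions(simulate()))
```

CIDi, xP and P3 change with every fresh xP, while T and Wij depend only on M, TPWi and SIDj, so the requests of one user to one server fall into a single group.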

3.4 Review of Zhu protocol

The review of Zhu et al. protocol elaborates the working and drawbacks for the scheme as defined under:

3.4.1 Working of Zhu et al. protocol [12]

Zhu et al.’s scheme [12] consists of two phases: the server registration, and user login and authentication phase. These phases are described as under:

(a) Server registration phase

In server registration phase, each server \(\mathrm S_\mathrm{x}\) gets registered with RC by verifying its identity. For this, all of the servers meant to provide services, must have their identities verified by the RC. In this regard, the server \(\mathrm S_\mathrm{x}\) sends its identity \(ID_{S_\mathrm{x}}\) to RC. RC computes \(R~=~ H({ID}_{S_\mathrm{x}} {\vert }{\vert } K_{y})\) and sends R to \({S}_\mathrm{x}\) using a secure channel. Here, \(K_{y}\) acts as the server’s master key.

One thing must be noted here, that there is only server registration in this scheme and no user registration, as this scheme is meant for one-way authentication of server \(\mathrm S_\mathrm{x}\), and the \(\mathrm S_\mathrm{x}\) does not authenticate the user but just provides the services anonymously to the user without getting registered and authenticated.

(b) Login and authentication phase

  1.

    In the login and authentication phase, a random integer a as a user secret, is generated. Then user develops its public key as \(T_{a}(x)\), and shared key \(K_{U-RC} ~=~T_{a}T_{Ky}(x)\), using Chebyshev chaotic map, and further computes \(H_{U} ~=~H(SID_{U} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } T_{a}(x)), C_{1}~=~ E_{KU-RC} (SID_{U} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } H_{U})\). The user sends message \(m_{1} ~=~\{ SID_{U},T_{a}(x), C_{1} \}\) to \(S_\mathrm{x}\), finally. Here, \(ID_{S_{x}}\) and \(ID_{RC}\) act as the server \(\mathrm S_\mathrm{x}\) and RC’s identity, respectively.

  2.

    Next, \(\mathrm S_\mathrm{x}\) receives \(m_{1} ~=~\{ SID_{U},T_{a}(x), C_{1} \}\) and generates a random integer b, and compute \(T_{b}(x)\). Then computes \(C_{2}~=~H(m_{1} {\vert }{\vert } ID_{Sx} {\vert }{\vert } T_{b} (x){\vert }{\vert } R)\) using hash function H(.). Finally, \(S_\mathrm{x}\) sends \(m_{2} ~=~\{m_{1}, T_{b} (x), ID_{S_\mathrm{x}}, C_{2} \}\) to RC for verification.

  3.

    After receiving \(m_{2} ~=~\{m_{1}, T_{b} (x), ID_{S_{x}}, C_{2} \}\) from \(S_{x}\), RC computes \(R'~=~ H(ID_{S_{x}} {\vert }{\vert } K_{y}), C_{2}'~=~H(m_{1} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } T_{b} (x){\vert }{\vert } R')\), and checks the equality \(C_{2}' ?~=~ C_{2}\). If true, it further computes \(K_{RC-U }~=~T_{Ky}T_{a} (x)\), and decrypts using \(K_{RC-U }\) as \(D_{KRC-U} (C_{1} )~=~ (SID_{U} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } H_{U})\). Next, it computes \(H_{U} '~=~H(SID_{U} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } T_{a}(x))\), confirms the equality \(H_{U}' ?~=~ H_{U}\), and checks whether \(ID_{S_{x}}\) in \(C_{1}\) equals the \(ID_{S_{x}}\) in plaintext. If true, it further computes \(C_{3}~=~ H(ID_{RC} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert }m_{1} {\vert }{\vert } R' {\vert }{\vert } T_{b}(x)), H_{RC} = H(SID_{U} {\vert }{\vert } ID_{RC} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } T_{b}(x))\) and \(C_{4}~=~ E_{KRC-U} (ID_{RC} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert }m_{1} {\vert }{\vert } T_{b} (x){\vert }{\vert } H_{RC})\). Finally, it sends the message \(\{ ID_{S_{x}}, C_{4} \}\) to Ui, and \(\{ ID_{S_{x}}, C_{3} \}\) to \(S_{x}\). Here, \({E}_\mathrm{k}(.)\) acts as an encryption function.

  4.

    \(S_\mathrm{x}\), on receipt of the message \(\{ ID_{S_{x}},C_{3}\}\), computes \(C_{3}' ~=~ H(ID_{RC} {\vert }{\vert } ID_{Sx} {\vert }{\vert }m_{1} {\vert }{\vert } R' {\vert }{\vert } T_{b}(x))\) and checks the equality \(C_{3}' ?~=~ C_{3}\). After positive verification, it establishes the shared session key as \(SK ~=~T_{b}T_{a}(x)\).

  5.

    The user receives the message \(\{ID_{S_{x}}, C_{4}\}\) in the same round trip in which \(S_{x}\) receives \(\{ID_{S_{x}}, C_{3} \}\). Next, it uses \(K_{U-RC}\) to decrypt \(C_{4}\) and computes \(H_{RC}' = H(SID_{U} {\vert }{\vert }ID_{RC} {\vert }{\vert } ID_{S_{x}} {\vert }{\vert } T_{b}(x))\). It then checks whether \(H_{RC}' ?~=~ H_{RC}\). On positive verification, it establishes the session key \(SK = T_{a}T_{b}(x)\) shared with \(S_{x}\).

3.4.2 Inefficiencies and flaws of the Zhu et al. scheme

The Zhu et al. protocol is a multi-server authentication scheme based on the chaotic map technique. Like the earlier schemes, it engages RC in each mutual authentication of a session, which adds communication delay for the extra round-trips. The communication delay can be minimized along the same lines, at slightly higher computational cost, by eliminating the RC entity from the login and authentication phase of mutual authentication, as shown in Table 3.

4 Proposed model

The proposed model is motivated by the need for a novel protocol that counters the identified threats and limitations of the schemes reviewed above [9–12]. The scheme uses the notations listed in Table 1.

Table 1 Notations description

The proposed model consists of four phases: the server registration phase, the user registration phase, the login and authentication phase, and the password update phase.

4.1 Server registration phase

In this phase, the server Sj registers with RC by sending its identity SIDj. RC computes \(s~=~SK_{{S}_j} ~=~h (SIDj {\vert }{\vert } k)\) using its master key k. This s serves as the private key of Sj. RC then computes the public key \(PK_{{S}_j}\) as \(T_{s}(x)\). Next, it sends the message \(\{s, PK_{{S}_j} \}\) securely to Sj, as shown in Fig. 1. Sj receives its private and public keys and publishes two parameters in the public directory: SIDj and \(PK_{{S}_j}\), i.e., \(T_{s}(x)\).

4.2 User registration phase

  1.

    In this phase, the user registers with RC over a secure channel, employing the Chebyshev chaotic map-based architecture. Initially, the user selects \(ID_{U}\), PWi and a random number n, and computes \(RPWi~=~h(ID_\mathrm{U} {\vert }{\vert } PWi {\vert }{\vert }n)\). It then generates the biometric value Bi and sends \(\{ ID_{U}, RPWi, h(PWi {\vert }{\vert }Bi)\}\) to RC for registration.

  2.

    RC then computes \(u ~=~SK_\mathrm{Ui}~=~h(ID_{U} {\vert }{\vert } k)\) and \(PK_\mathrm{Ui}~=~ T_{u}(x)\). Next, it computes \(Zi = u \oplus RPWi, Xi = h(u {\vert }{\vert } h(PWi {\vert }{\vert }Bi) {\vert }{\vert } ID_{U})\). Finally, it stores \(\{Xi, Zi, PK_\mathrm{Ui}, h()\}\) in the SC and sends the SC to Ui. It then sends \(\{PK_{U_{i}}, ID_{U}\}\) to all servers Sj.

  3.

    Ui receives the SC and stores n in it, which concludes the user registration phase.

Fig. 1 Proposed multi-server authentication protocol

Transmitting these parameters to all servers might be a drawback in a large network domain; however, once they are transmitted safely, they provide authenticated access to services for the intended users from then on.

4.3 Login and authentication phase

  1.

    In the login and authentication phase, the user inputs its identity, PWi and Bi. It then computes \(RPWi~=~h(ID_\mathrm{U} {\vert }{\vert } PWi {\vert }{\vert }n), u~=~ Zi \oplus RPWi, Xi ' = h(u {\vert }{\vert } h(PWi {\vert }{\vert }Bi) {\vert }{\vert } ID_{U})\), and checks whether \(Xi ?~=~ Xi'\). If they match, it generates a random number a and computes \(T_{a}(x), T_{a}T_{s} (x)\), and \(K_{US}~=~T_{u}T_{s} (x)\). Next, it computes \(Di = ID_{U } \oplus h (SIDj {\vert }{\vert } T_{a}T_{s} (x)), H_{U } ~= h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert } T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x) {\vert }{\vert } T_{a}(x))\) and sends the message \(m_{1} ~=~\{Di, T_{a}(x), H_{U }, T_{1} \}\) to Sj for authentication, as shown in Fig. 1.

  2.

    Sj receives the message \(m_{1} =\{Di, T_{a}(x), H_{U}, T_{1} \}\) and checks the timestamp against the threshold \(\Delta T\), i.e., \(T_{2}- T_{1} ?> \Delta T\). If the difference is more than \(\Delta T\), it aborts the session. Otherwise, it computes \(T_{s} T_{a} (x)\) using \(T_{a} (x)\), \(ID_{U} = Di \oplus h (SIDj {\vert }{\vert } T_{s}T_{a} (x))\) and \(K_{ SU}~=~ T_{s}T_{u} (x)\) using \(T_{u} (x)\). It then checks the recovered \(ID_{U}\) against the CRL published by RC. If no match is found, it concludes that the registered user \((ID_{U})\) still holds a valid certificate that has not been revoked. (If the CRL check hits, it sends a negative acknowledgement to the user for an expired certificate.) Next, it locates the public key \(T_{u} (x)\) for \(ID_{U}\) in the repository maintained for registered users. Then, it checks whether \(H_{U} ?~=~ h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{s}T_{a} (x){\vert }{\vert } T_{s}T_{u} (x){\vert }{\vert } T_{a} (x))\). If it is true, it generates a random number b, and computes \(T_{b} (x)\) and \(T_{b}T_{a} (x)\). Next, it computes \(SKji = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{s}T_{a} (x){\vert }{\vert } T_{s}T_{u} (x){\vert }{\vert } T_{b}T_{a} (x))\) and \(H_{S } = h(ID_{U} {\vert }{\vert } SKji {\vert }{\vert }T_{3} {\vert }{\vert } T_{s}T_{u}(x){\vert }{\vert } T_{b}T_{a} (x){\vert }{\vert } T_{b} (x))\). Finally, after complete verification, it sends the message \(m_{2} = \{ T_{b} (x), H_{S }, T_{3} \}\) to Ui.

  3.

    Ui receives the message \(m_{2} = \{ T_{b} (x), H_{S }, T_{3} \}\) and checks the timestamp difference as \(T_{4 }- T_{3 } ?> \Delta T\). If the difference exceeds the threshold, it aborts the session. Otherwise, it computes \(T_{a}T_{b} (x)\) using \(T_{b} (x)\), and \(SKij = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x))\). Then, it checks whether \(H_{S}' ?~=~ h(ID_{U} {\vert }{\vert } SKij {\vert }{\vert }T_{3} {\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x){\vert }{\vert } T_{b} (x))\). If the equality holds, it authenticates Sj and establishes the session key as \(SKij = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x))\). However, if it receives the negative acknowledgement, it has to abort the session.
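The three login and authentication steps above, as an added Python example (not code from the paper). It assumes SHA-256 for h(.), a constructed modulus p and seed x, integer timestamps, length-prefixed fields for the concatenation, and that the smart-card check of Xi has already released u; all function names are hypothetical.

```python
import hashlib, hmac, secrets

P = 2**127 - 1      # assumed prime modulus p (the page only says "mod p")
X = 0x5EEDC0FFEE    # assumed public seed x
DELTA_T = 5         # assumed freshness threshold Delta-T, in seconds

def cheb(n, x, p=P):
    # T_n(x) mod p in O(log n): T_2k = 2*T_k^2 - 1, T_2k+1 = 2*T_k*T_k+1 - x
    a, b = 1, x % p                                   # (T_0, T_1)
    for bit in bin(n)[2:]:
        even, odd, nxt = (2*a*a - 1) % p, (2*a*b - x) % p, (2*b*b - 1) % p
        a, b = (odd, nxt) if bit == "1" else (even, odd)
    return a

def h(*parts):
    # h(a || b || ...); each field is length-prefixed so "||" is unambiguous
    d = hashlib.sha256()
    for v in parts:
        raw = v if isinstance(v, bytes) else str(v).encode()
        d.update(len(raw).to_bytes(4, "big") + raw)
    return d.digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def register(identity, k):          # RC: priv = h(ID || k), pub = T_priv(x)
    priv = int.from_bytes(h(identity, k), "big")
    return priv, cheb(priv, X)

def user_login(id_u, u, sid, pk_s, t1):      # step 1: m1 = {Di, T_a(x), H_U, T1}
    a = secrets.randbits(128) | 1
    ta, tats, tuts = cheb(a, X), cheb(a, pk_s), cheb(u, pk_s)
    di = xor(id_u.ljust(32, b"\0"), h(sid, tats))     # identities of up to 32 bytes
    hu = h(id_u, sid, t1, tats, tuts, ta)
    return (di, ta, hu, t1), (a, tats, tuts)

def server_auth(m1, sid, s, users, crl, t2, t3):   # step 2; users maps ID_U -> T_u(x)
    di, ta, hu, t1 = m1
    if t2 - t1 > DELTA_T:
        raise ValueError("stale m1")
    tsta = cheb(s, ta)                                # T_s(T_a(x)) = T_a(T_s(x))
    id_u = xor(di, h(sid, tsta)).rstrip(b"\0")
    if id_u in crl or id_u not in users:
        raise ValueError("revoked or unknown user")
    tstu = cheb(s, users[id_u])
    if not hmac.compare_digest(hu, h(id_u, sid, t1, tsta, tstu, ta)):
        raise ValueError("H_U mismatch")
    b = secrets.randbits(128) | 1
    tb, tbta = cheb(b, X), cheb(b, ta)
    sk = h(id_u, sid, t1, tsta, tstu, tbta)                       # SKji
    return (tb, h(id_u, sk, t3, tstu, tbta, tb), t3), sk          # m2 = {T_b(x), H_S, T3}

def user_finish(m2, id_u, sid, t1, state, t4):     # step 3
    (tb, hs, t3), (a, tats, tuts) = m2, state
    if t4 - t3 > DELTA_T:
        raise ValueError("stale m2")
    tatb = cheb(a, tb)
    sk = h(id_u, sid, t1, tats, tuts, tatb)                       # SKij
    if not hmac.compare_digest(hs, h(id_u, sk, t3, tuts, tatb, tb)):
        raise ValueError("H_S mismatch")
    return sk

def demo():
    k = secrets.token_bytes(32)                   # constructed RC master key
    s, pk_s = register(b"SID-1", k)               # constructed identities
    u, pk_u = register(b"alice", k)
    m1, st = user_login(b"alice", u, b"SID-1", pk_s, t1=100)
    m2, sk_s = server_auth(m1, b"SID-1", s, {b"alice": pk_u}, set(), t2=101, t3=102)
    sk_u = user_finish(m2, b"alice", b"SID-1", 100, st, t4=103)
    return m1, s, pk_u, sk_u, sk_s

if __name__ == "__main__":
    *_, sk_u, sk_s = demo()
    print("session keys match:", sk_u == sk_s)
```

Both sides derive the same key only because of the semigroup property \(T_{r}(T_{s}(x)) = T_{s}(T_{r}(x))\), which `cheb` preserves modulo p.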

4.4 Password update phase

The user Ui may update its password PWi without consulting RC by initiating the following procedure.

  1.

    In the password update phase, the user inputs IDi, PWi and Bi. It then computes \(RPWi~=~h(\hbox {ID}_\mathrm{U} {\vert }{\vert } PWi {\vert }{\vert }n), u~=~ Zi~\oplus ~RPWi, Xi ' = h(u {\vert }{\vert } h(PWi {\vert }{\vert }Bi) {\vert }{\vert } ID_{U})\), and checks whether \(Xi ?~=~ Xi'\).

  2.

    If they match, it selects a new password \(PWi^\mathrm{new}\) and computes \(RPWi~= h(ID_{U} {\vert }{\vert } PWi^\mathrm{new} {\vert }{\vert }n), Zi = u \oplus RPWi\), and \(Xi = h(u {\vert }{\vert } h(PWi^\mathrm{new} {\vert }{\vert }Bi) {\vert }{\vert } ID_{U})\).

  3.

    Next, it stores the updated contents \(\{Xi, Zi, PK_{Ui } , h()\}\) in SC.
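The smart-card check and the password update procedure above, together with the card issuance of Sect. 4.2, as an added Python example (not the authors' code). It assumes SHA-256 for h(.), models Bi as an exactly reproducible byte string (which hashing \(h(PWi {\vert}{\vert} Bi)\) requires), and carries \(PK_{Ui}\) as an opaque value; function names are hypothetical.

```python
import hashlib, hmac, secrets

def h(*parts):
    # h(a || b || ...) over byte strings, length-prefixed so "||" is unambiguous
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def user_prepare(id_u, pw, bio):
    # 4.2 step 1: user picks n and sends {ID_U, RPWi, h(PWi || Bi)} to RC
    n = secrets.token_bytes(16)
    return n, h(id_u, pw, n), h(pw, bio)

def rc_issue_card(id_u, rpw, hpb, k, pk_u):
    # 4.2 step 2: u = h(ID_U || k), Zi = u xor RPWi, Xi = h(u || h(PWi || Bi) || ID_U)
    u = h(id_u, k)
    return {"Xi": h(u, hpb, id_u), "Zi": xor(u, rpw), "PK_Ui": pk_u}

def unlock(card, id_u, pw, bio):
    # Local check used in 4.3 step 1 and 4.4 step 1; returns u, or None on mismatch
    u = xor(card["Zi"], h(id_u, pw, card["n"]))
    ok = hmac.compare_digest(card["Xi"], h(u, h(pw, bio), id_u))
    return u if ok else None

def update_password(card, id_u, pw, bio, new_pw):
    # 4.4 steps 2-3: re-wrap the same u under the new password, without RC
    u = unlock(card, id_u, pw, bio)
    if u is None:
        return False
    card["Zi"] = xor(u, h(id_u, new_pw, card["n"]))
    card["Xi"] = h(u, h(new_pw, bio), id_u)
    return True

def demo():
    k = secrets.token_bytes(32)                       # constructed RC master key
    id_u, pw, bio = b"alice", b"old-pass", b"constructed-biometric-template"
    n, rpw, hpb = user_prepare(id_u, pw, bio)
    card = rc_issue_card(id_u, rpw, hpb, k, pk_u=b"opaque T_u(x)")
    card["n"] = n                                     # 4.2 step 3: user stores n in SC
    u_before = unlock(card, id_u, pw, bio)
    wrong = update_password(card, id_u, b"guess", bio, b"new-pass")
    done = update_password(card, id_u, pw, bio, b"new-pass")
    return {
        "u_matches_rc": u_before == h(id_u, k),
        "wrong_pw_rejected": wrong is False,
        "updated": done,
        "old_pw_fails": unlock(card, id_u, pw, bio) is None,
        "u_unchanged": unlock(card, id_u, b"new-pass", bio) == u_before,
        "wrong_bio_fails": unlock(card, id_u, b"new-pass", b"other") is None,
    }

if __name__ == "__main__":
    print(demo())
```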

5 Security analysis

This section presents the security proof, the formal security analysis, and the performance efficiency analysis.

5.1 Security proof

The proposed scheme is immune to various threats, as elaborated below:

  1.

    Mutual authentication. Mutual authentication means that both entities authenticate each other within the same authentication protocol. The proposed scheme provides mutual authentication, as Sj authenticates Ui on the basis of \(K_{ SU}~=~ T_{s}T_{u} (x)\), which was constructed using \(T_{u} (x)\) of \(ID _{U}\), and the equality check \(H_{U } ?~=~ h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{s}T_{a}(x){\vert }{\vert } T_{s}T_{u} (x){\vert }{\vert } T_{a}(x))\). In this way, Sj authenticates Ui, as the parameter \(T_{s}T_{u}(x)\) can only be constructed by the legitimate user who registered with RC. Likewise, the user Ui authenticates Sj by checking the equality \(H_{S} ' ?~=~ h(ID_{U} {\vert }{\vert } SKij {\vert }{\vert }T_{3} {\vert }{\vert } T_{u}T_{s}(x){\vert }{\vert } T_{a}T_{b}(x){\vert }{\vert } T_{b} (x))\), where SKij is constructed by computing \(h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1}{\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s}(x){\vert }{\vert } T_{a}T_{b}(x))\). As an attacker can never approach the private key s of Sj, and \(T_{u}T_{s}(x)\) in SKij and \(H_{S}'\) can only be generated by a legitimate server Sj, both entities authenticate each other mutually.

  2.

    Impersonation attack/man-in-the-middle attack. This attack can be initiated by an attacker who acts as a silent intermediary between the intended participants and lets the other participant perceive it as the legitimate participant. The proposed scheme stands secure. An adversary cannot reproduce \(H_{U } = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert } T_{1} {\vert }{\vert } T_{a}T_{s}(x){\vert }{\vert } T_{u}T_{s}(x) {\vert }{\vert } T_{a}(x))\) or \(H_{S } = h(ID_{U} {\vert }{\vert } SKji {\vert }{\vert }T_{3} {\vert }{\vert } T_{s}T_{u}(x){\vert }{\vert } T_{b}T_{a}(x){\vert }{\vert } T_{b}(x))\) with updated timestamps \(T_{1}\) and \(T_{3}\), as an attacker does not know the secret keys u (user) and s (server) needed to disclose \(T_{u}T_{s}(x)\) and construct the legitimate \(H_{U }\) and \(H_{S }\) values. The attacker may construct all other values in \(H_{U }\) and \(H_{S }\) except \(T_{s}T_{u}(x)\), which requires knowledge of either u or s to reconstruct.

  3.

    Replay attack. A replay attack is launched when an attacker replays the original message parameters at some other time to deceive or impersonate a legal participant. In the proposed scheme, the messages \(m_{1} = \{Di, T_{a}(x), H_{U }, T_{1} \}\) and \(m_{2} = \{T_{b} (x), H_{S }, T_{3} \}\) are publicly available on the public channel. An attacker might try to use \(m_{1 }\) and \(m_{2 }\) to launch replay attacks. However, the replay attack in our proposed model can be easily thwarted, as an adversary cannot reproduce \(H_{U } ~=~h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert } T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x) {\vert }{\vert } T_{a}(x))\) with an updated \(T_{1}\) timestamp. Sj, on receipt of message \({m}_{1}\), checks the timestamp against \(T_{2}\) or the threshold, i.e., \(T_{2}-T_{1} ?> \Delta T\). If the difference exceeds this threshold, it aborts the session. On Ui’s end, the replay attack is not possible because, if an attacker replays \(m_{2}\), it will not be able to meet the equality check \(H_{S}' ?~=~ h(ID_{U} {\vert }{\vert } SKij {\vert }{\vert }T_{3} {\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b}(x){\vert }{\vert } T_{b} (x))\) on the user side, and will be easily thwarted, given that an attacker cannot construct \(m_{2 }\) with an updated timestamp.

  4.

    Known-key security. Known-key security concerns whether an adversary can guess the private secret keys of the involved participants once a session key has been compromised. If the shared session key \(SKij = SKji = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x))\) is exposed, it will not lead to any extraction or guessing of Sj’s or Ui’s secrets, i.e., s, u or password PWi, as it is a hard problem to extract s or u from \(T_{s} (x)\) or \(T_{u} (x)\). If SKij is leaked, the attacker cannot guess any of the secrets from the publicly available parameter \(H_{S } = h(ID_{U} {\vert }{\vert } SKji {\vert }{\vert }T_{3} {\vert }{\vert } T_{s}T_{u} (x){\vert }{\vert } T_{b}T_{a} (x){\vert }{\vert } T_{b} (x))\).

  5.

    Perfect forward secrecy. Perfect forward secrecy ensures the secrecy of previous session keys if the long-term private key of either a user or a server is compromised. The proposed scheme maintains perfect forward secrecy, as the disclosure of the secret keys u (user) and s (server) can only disclose \(T_{u}T_{s}(x)\), but not \(T_{a}T_{b}(x)\) in the session key \(SKij = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x))\). Reproducing \(T_{a}T_{b} (x)\) requires knowledge of a or b, which are randomly generated numbers that cannot be guessed in polynomial time or accessed easily. Hence, the proposed scheme provides complete forward secrecy.

  6.

    Resistance to password guessing/stolen smart card attack. In guessing attacks, an adversary collects all available public messages exchanged over the insecure channel among the concerned parties and tries to derive information by brute-forcing all possible input combinations. In the proposed scheme, the password PWi is used in the RPWi, Zi and Xi functions. If the smart card is stolen, an attacker may access Zi and Xi, but cannot extract PWi from \(Zi~=~u \oplus RPWi, Xi = h(u {\vert }{\vert } h(PWi {\vert }{\vert }Bi) {\vert }{\vert } ID_{U})\), as extracting PWi requires the u, Bi and \(ID_{U}\) parameters.

  7.

    Session key security. Session key security means that the established session key is known only to the legal participants, i.e., \({U}_{i}\) and Sj, and nobody else. In the proposed scheme, an adversary cannot impersonate a participant or masquerade in the session as long as it does not know the legitimate secrets and passwords. The legitimate session key \(SKij = SKji = h(ID_{U} {\vert }{\vert } SIDj {\vert }{\vert }T_{1} {\vert }{\vert } T_{a}T_{s} (x){\vert }{\vert } T_{u}T_{s} (x){\vert }{\vert } T_{a}T_{b} (x))\) cannot be constructed without knowledge of at least a or b, and the u or s secrets. Hence, our scheme provides session key security.

  8.

    Anonymity. Anonymous authentication provides anonymity to \({U}_{i}\) along with its authentication to Sj, so that an attacker cannot tell the identity of the communicating participants from the publicly open message parameters. In the proposed scheme, the user and server exchange the messages \(m_{1} ~=~\{Di, T_{a}(x), H_{U }, T_{1} \}\) and \( m_{2} ~=~ \{T_{b} (x), H_{S }, T_{3} \}\) anonymously. An attacker is not able to recover the \(ID_{U}\) of the user from the \(Di, H_{U}\) and \(H_{S}\) parameters. Hence, the proposed scheme assures privacy to the user Ui.

  9.

    Service access to only privileged non-revoked users. The proposed scheme maintains a certificate revocation list (CRL) on RC’s end. RC regularly updates and publishes this CRL so that the corresponding service providers SPj may consult it and validate the users’ status before authenticating them. Whenever an SPj receives a login request, it consults the CRL to verify the user’s revocation status. In this manner, any revoked user whose identity is listed in the CRL will not be able to avail the services of a server, and will be negatively acknowledged upon login request.

5.2 Formal security analysis

This subsection describes the formal security analysis of the proposed model. Using the random oracle model, we conduct a formal security analysis to prove that the proposed scheme is secure [33]. For this purpose, we use a Reveal1 oracle, defined as follows:

Reveal1. The Reveal1 oracle unconditionally outputs x from the corresponding hash value \(y~=~h(x)\).

Theorem 1

Under the chaotic map-based discrete logarithm problem (CMDLP) assumption, the proposed scheme is secure against an attacker who obtains the public messages \(\{m_{1}, m_{2}\}\) and tries to find the legitimate session key, if the one-way hash function h(.) closely behaves as a random oracle.

Proof

In this proof, an attacker with access to public parameters such as \(\{{m}_{1}, {m}_{2}\}\) employs the random oracle Reveal1 to implement the algorithm \(EXP_{\mathbf{EAMSARC}}^{HASH} \). The success probability for \(EXP_{\mathbf{EAMSARC}}^{HASH} \) is \(Suc1 = 2\Pr[EXP_{\mathbf{EAMSARC}}^{HASH} = 1] - 1\), where Pr[E] denotes the probability of an event E. The advantage function for this experiment becomes as [\(Suc1_{\mathbf{EAMSARC}}^{HASH} \)], with the execution time \(t_{1}\) and random Reveal query \({q}_\mathrm{R1}\) maximized on . We call the proposed technique provably secure against an attacker deriving the valid session key SKij if \(Adv_{\mathbf{EAMSARC}}^{HASH} ({t}_{1},{q}_\mathrm{R1}) ~\le \varepsilon \) for any sufficiently small \(\varepsilon > 0\). According to this experiment, if an attacker is able to invert the one-way hash function h(.) and solve the hard problem CMDLP, then it can easily extract the legal user \(\hbox {ID}_\mathrm{U}\) and the shared session key SKij between Ui and Sj, and wins the game. However, according to definition (1), it is computationally infeasible to invert the hash function, as \(Adv_{\mathbf{EAMSARC}}^{HASH} ({t}_{1})\le \varepsilon \) for any sufficiently small \(\varepsilon > 0\).

5.3 Performance efficiency analysis

As described earlier, Chebyshev polynomial computation is almost three times more efficient than elliptic curve cryptography (ECC) and even more efficient than RSA-based cryptography [19]. Chebyshev polynomial computation is fast, uses a smaller key size, and requires less bandwidth and memory [38]. Hence, our scheme uses no modular exponentiations or elliptic curve-based scalar multiplications. This section compares the cost of the proposed model with the Zhu et al., Shen et al., Tsai et al., and Jiang et al. protocols; of these, all except the Shen et al. and Jiang et al. schemes also use the Chebyshev polynomial map, as described below. Table 2 presents the vulnerability and drawback analysis for the five schemes [9–12].

Table 2 Comparison for Shen et al., Tsai et al., Jiang et al., Zhu et al. and the proposed protocol

A few notations used in the comparison are as follows.

\({T}_\mathrm{XOR}\): The time for executing the XOR operation.

\({T}_\mathrm{H}\): The time taken for the hash operation.

\({T}_\mathrm{SYM}\): The time for symmetric key cryptography.

\({T}_\mathrm{ECM}\): The time for elliptic curve-based scalar multiplication.

\({T}_\mathrm{CCM}\): The time for executing the Chebyshev chaotic polynomial mapping \(T_{n}(x) \bmod p\) following the algorithm [31].

In this section, we compare the schemes’ costs by estimating the running times of various cryptographic operations (based on the PBC library, Ubuntu 12.04.1 32 bit operating system, with 2.4 GHz CPU, and 2.0 GB RAM). Accordingly, the computational times of the hash-based operation, symmetric encryption or decryption, elliptic curve scalar multiplication, and Chebyshev polynomial operation are 0.0006, 0.0088, 0.063073, and 0.02104 s, respectively. The cost of the XOR operation is negligible compared to the other cryptographic operations and can therefore be ignored. The following Table 1 shows the result of cost estimation for these five protocols, i.e., Zhu et al. [12], Shen et al. [9], Tsai et al. [10], Jiang et al. [11] and the proposed scheme.

Hence, in light of the above performance analysis, for the authentication phase the proposed scheme bears less computation cost than the Shen et al. and Jiang et al. schemes, while it incurs more cost than the Zhu et al. and Tsai et al. schemes for the same phase, as shown in Table 3. The lower cost of Zhu et al. is also attributed to one-way authentication, as two-way authentication bears an additional cost. The Tsai scheme, though less costly, is prone to the server-spoofing attack, as mentioned in the previous section. The proposed scheme incurs an average computational cost for authentication. Nonetheless, it is far more efficient in terms of communication latency or the number of round-trips, and thwarts almost all of the known attacks at that average cost. With the ever-increasing power of computation, the focus needs to be put on minimizing the communication delay or latency, for which the physical medium or infrastructure is responsible. Hence, in the proposed protocol, we have eliminated the RC involvement in the authentication phase, which has helped in optimizing the communication latency. The role of RC is limited to the user and server registration phases in our protocol, and does not extend to the mutual authentication phase. As the number of users in a system increases, a central entity becomes a bottleneck for the increasing load and service requests. Besides, the proposed protocol has been shown to be resistant to attacks, as listed in Table 2, and is also proved in the random oracle model, as elaborated above. Overall, the proposed scheme is not only efficient, with less computational cost, but also provides additional security such as anonymity.

Table 3 Cost comparison for Shen et al., Tsai et al., Jiang et al., Zhu et al. and proposed scheme

6 Conclusion

A multi-server authentication scheme gives subscribers access to the services of multiple servers through a one-time registration with an RC. The current study reviews a few recent multi-server authentication techniques, i.e., the Zhu et al., Shen et al., Tsai et al., and Jiang et al. schemes. These schemes are not only vulnerable to attacks, but also suffer communication latency due to the RC involvement in each mutual authentication. The RC involvement in each authentication phase might prove to be a bottleneck for a system that requires scalability. Hence, in such a system, users cannot be added beyond a certain level without making the system inefficient and overloaded. The proposed scheme employs the Chebyshev chaotic map to optimize the scheme as compared to the costly Shen et al. and Jiang et al. schemes based on elliptic curve cryptography. The proposed scheme is not only robust against the attacks identified in earlier schemes, but also efficient in terms of communication latency, as shown in the above sections. Moreover, the findings for the proposed model are backed by formal security analysis and performance evaluation.