1 Introduction

In order to guarantee the security of secret keys which are exchanged over the insecure public network, there are many related protocols [4, 5, 15, 16, 18, 24] which have been proposed by researchers, such as Password-Authenticated Key Exchange (PAKE) protocol. PAKE protocol allows two parties to keep one identical memorable password to agree on a common session key over the insecure public network [9, 19, 20, 26]. Generally, password-based authentication can resist both the brute force and the dictionary attacks if users choose strong passwords to provide enough entropy. Nevertheless, password-based authentication has one intrinsic problem: users are not adept in memorizing text strings. Hence, most users would select memorable passwords even if they know the passwords might be unsafe, so that it is not easy to protect the password information against various attacks. According to the protocol proposed by Lin et al. [17], we can divide the attacks into the following classes:

  • Off-line dictionary attacks: The adversary first guesses a password and then verifies its guess in an off-line mode only by using the eavesdropped information. No participation of the honest client or the server is required, so these attacks cannot be noticed.

  • Undetectable on-line dictionary attacks: The adversary attempts to verify a password guess in an on-line transaction. Nevertheless, a failed guess cannot be detected by the honest client or by the server, since one of them is not able to distinguish a malicious request from an honest one.

  • Detectable on-line dictionary attacks: Similar to above, the adversary tries to use a guessed password in an on-line transaction. The adversary verifies the correctness of its guess by using the response from the honest client or the server. But a failed guess can be detected by the honest client or the server.

Among these attacks, both off-line and undetectable on-line dictionary attacks can cause serious consequences against password-based authentication protocol. Hence, it is a crucial consideration to design a secure password-based authentication protocol, which can resist the mentioned above attacks.

In 1992, Bellovin and Merritt [2] proposed the first PAKE protocol. After a decade, many related protocols, such as both the two-party PAKE [4, 5, 18] and the three-party PAKE [11, 12, 15, 16, 24, 33] have been proposed. However, Hassan and Abdullah [8] pointed out that two-party PAKE protocols are not suitable in the large peer-to-peer architecture. Also, some of the three-party PAKE protocols are not secure or efficient enough to be used in practice. Recently, Abdalla et al. [1] and Lu et al. [22] proposed two efficient three-party password-based key exchange protocols in 2005 and 2007, respectively. Unfortunately, both of their protocols were still vulnerable to undetectable on-line dictionary attacks or off-line dictionary attacks. In 2009, Deng et al. [6] proposed a three party password-based key exchange protocol and declared that their protocol was secure under the universal composable framework (UC-SECURE). However, Yuan et al. [36] pointed out that Deng et al.’s protocol is insecure against offline dictionary attack by any other client. In 2011, Yoon and Yoo proposed a protocol [34] and pointed out that Huang’s protocol [10] could not resist undetectable on-line dictionary attacks and key-compromise impersonation attack. Subsequently, Yoon and Yoo also proposed another protocol [35] and showed that Lou and Huang’s protocol [21] was vulnerable to off-line password guessing attacks by an attacker. Later, Wu et al. [30] also found the security weaknesses of Huang’s protocol [10] and proposed a three-party password-based authenticated key exchange protocol to solve the problems in Huang’s protocol. However, Wu et al.’s protocol had many exponential computations, which required the highest computational complexity. Their protocol also could not provide user anonymity.

In order to enhance the efficiency and security, we propose a three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. In the past decade, cryptography based on Chebyshev chaotic maps has been studied widely, such as symmetric encryption protocols [25, 27, 29], S-boxes [28], and hash functions [31, 32]. The proposed protocol uses the extended chaotic maps both to encrypt and to decrypt the information transmitted by the user or the server. The proposed protocol can also provide mutual authentication between user and server and user anonymity to guarantee the identity of users, which is transmitted in the insecure public network. The security and performance analysis show that the proposed protocol has low computation and communication cost and can also resist against various attacks.

The remainder of this paper is organized as follows. Section 2 briefly introduces the definitions of Chebyshev chaotic maps. The proposed protocol is presented in Sect. 3. Then we analyze the proposed protocol and show that the protocol can resist against several attacks in Sect. 4. In Sect. 5, we will compare the performance of our protocol with the previous protocols. Finally, our conclusion is presented in Sect. 6.

2 Preliminaries

In this section, we will introduce some concepts used in our protocol, such as the Chebyshev chaotic maps, the DLP and the DHP problems.

2.1 Chebyshev polynomials

We first briefly describe Chebyshev polynomials [23] as follows. The Chebyshev polynomial T n (x) is a polynomial in x of degree n. Let n be an integer, and x be a variable taking value over the interval [−1, 1]. The Chebyshev polynomial T n (x):[−1, 1]→[−1, 1] is defined as

$$T_{n}(x)=\cos\bigl(n\cdot\arccos(x)\bigr). $$

The recurrence relations of Chebyshev polynomials are given by

The cos(x) and arccos(x) are the trigonometric functions [3]. They are defined as cos: R→[−1, 1] and arccos: [−1, 1]→[0, π]. There are some examples of Chebyshev polynomials that are shown as follows:

The Chebyshev polynomials exhibit the following two important properties [7, 14]: the semigroup property and the chaotic property.

  1. (1)

    The semigroup property:

    r and s are positive integer numbers and x∈[−1, 1].

  2. (2)

    The chaotic property:

    When the degree n>1, the Chebyshev polynomial map T n (x):[−1, 1]→[−1, 1] of degree n is a chaotic map with its invariant density \(f^{*}(x)=1/(\pi\sqrt{1-x^{2}})\), for positive Lyapunov exponent λ=lnn>0.

In 2008, Zhang [37] proved that the semigroup property holds for Chebyshev polynomials defined on interval (−∞, +∞), which can enhance the property, as follows:

$$T_{n}(x)\equiv\bigl(2xT_{n-1}(x)-T_{n-2}(x)\bigr)\ \mathrm{mod}\ p, $$

where n≥2, x∈(−∞, +∞), and p is a large prime number. Evidently,

$$T_{r}\bigl(T_{s}(x)\bigr)\equiv T_{sr}(x)\equiv T_{s}\bigl(T_{r}(x)\bigr)\ \mathrm{mod}\ p, $$

so the semigroup property still holds and the enhanced Chebyshev polynomials also commute under composition.

2.2 The DLP and the DHP problems

The Chebyshev polynomials have the following two problems, which are assumed to be difficult to handle within a polynomial time algorithm:

  1. (1)

    The discrete logarithm problem (DLP) is described as follows: given two elements x and y, find the integer r, such that T r (x)=y.

  2. (2)

    The Diffie-Hellman problem (DHP) is described as follows: given three elements x, T r (x), and T s (x), compute the value T rs (x).

3 Our proposed protocol

In this section, the proposed protocol with user anonymity using extended chaotic maps is described in detail, which is based on Wu et al.’s protocol [30]. The notations used in our protocol are summarized in Table 1.

Table 1 The notations used in our protocol
Full size table

In the beginning, the remote server TS selects a random number r, a random integer s, and computes its public key QT s (r) mod p. The remote server TS keeps its private key s secretly. In our protocol, we assume the two users A and B have already established the common secret key share passwords PW A ,PW B with the remote server TS, respectively. The remote server TS distributes the public parameters (Q,r,h(⋅),p) to all parties in the network. The simplified description of the proposed protocol is shown in Fig. 1. From this point, the details of the proposed protocol are described in the following steps:

  1. (1)

    User A chooses a random integer x and computes the following:

    User A sends (AID i ,R A ,τ A,S ,t 1) to user B.

  2. (2)

    After receiving (AID i ,R A ,τ A,S ,t 1), user B chooses a random integer y and computes the following:

    Then user B sends (AID i , R A , τ A,S , BID i , R B , τ B,S ,t 1) to the remote server TS.

  3. (3)

    Upon receiving (AID i , R A , τ A,S , BID i , R B , τ B,S ,t 1), the server TS first checks the validity of t 1 by checking whether the equation t′−t 1t holds, where the t′ is the time when the server receives the messages from B. Δt denotes the predetermined legal time interval of transmission delay. If the equation does not hold, then the server TS calculates \(T_{A}'\equiv T_{s}(R_{A})\ \mathrm{mod}\ p\), \(T_{B}'\equiv T_{s}(R_{B})\ \mathrm{mod}\ p\), \(A'=\mathit{AID}_{i}\oplus h(T_{A}')\), and \(B'=\mathit{BID}_{i}\oplus h(T_{B}')\) and uses them to check τ A,S and τ B,S , respectively. If the values are invalid, TS terminates the protocol. Otherwise, TS computes \(\tau_{S,A}=h(A'\parallel B'\parallel \mathit{TS}\parallel \mathit{PW}_{A}\parallel T_{A}')\), \(\tau_{S,B}=h(A'\parallel B'\parallel \mathit{TS}\parallel \mathit{PW}_{B}\parallel T_{B}')\), and \(\mathit{AID}_{j}=A'\oplus h(T_{B}')\) and then sends (τ S,A ,τ S,B ,AID j ) to user B.

  4. (4)

    After receiving (τ S,A ,τ S,B ,AID j ), user B first computes A″=AID j h(T B ) and checks the validity of τ S,B using T B . If the value is invalid, B terminates the protocol. Otherwise, both server TS and user B are authenticated and user B computes the common session key SKT y (R A ) mod p and S AB =h(SKA″∥B). Finally, B sends (R B ,τ S,A ,S AB ) to user A.

  5. (5)

    Upon receiving (R B ,τ S,A ,S AB ), user A first checks the validity of τ S,A using T A . If the value is invalid, A terminates the protocol. Otherwise, user A computes the common session key SKT x (R B ) mod p and checks the validity of S AB =h(SKAB). If it does not hold, A terminates the protocol. Otherwise, both server TS and user A are authenticated and the common session key SK is agreed upon. Then, both user A and user B can use the common session key SK for secure communication. The common session key SK is only used for one session.

Fig. 1
figure 1

Our proposed protocol

Full size image

4 Security analysis

In this section, we analyze the security and performance of our protocol and show it could resist against various attacks. Here, we describe several security analyses in our proposed protocol.

A. Off-line dictionary attacks

The attacker may intercept the messages (AID i ,R A ,τ A,S ,t 1) or (AID i ,R A ,τ A,S ,BID i ,R B ,τ B,S ,t 1) and try to guess the password from the element τ A,S or τ B,S . However, the attacker cannot successfully verify the password without knowing T A or T B , which are generated by user A and B respectively based on the difficulty of the DLP problem. Hence, our protocol is secure against the off-line dictionary attacks.

B. Undetectable on-line dictionary attacks

The attacker may intercept the messages (AID i ,R A ,τ A,S ,t 1) or (AID i ,R A ,τ A,S ,BID i ,R B ,τ B,S ,t 1) and try to impersonate a legal user. But the attacker cannot send a new valid message (AID i ,R A ,τ A,S ,BID i ,R B ,τ B,S ,t 1) to the trusted server unless he/she has guessed the correct password. Moreover, if the attacker tries to guess the password, he/she will face the DLP problem. Therefore, our protocol can resist the undetectable on-line dictionary attacks.

C. Detectable on-line dictionary attacks

The attacker may intercept the messages (AID i ,R A ,τ A,S ,t 1) or (AID i ,R A ,τ A,S ,BID i ,R B ,τ B,S ,t 1) and try to impersonate a legal user. But the attacker cannot send a new valid message (AID i ,R A ,τ A,S ,BID i ,R B ,τ B,S ,t 1) to the trusted server unless he/she has guessed the correct password. Moreover, the server will check the correctness of τ A,S and τ B,S . Hence, the attacker will be detected if he/she sends an invalid message to the server. In that case our protocol is secure against the detectable on-line dictionary attacks.

D. Replay attack

The attacker may intercept the messages from a user and replay them to the server in the next run. Nevertheless, the server could find the attack by checking the validity of the time-stamp t 1. The attacker may also intercept the messages from the server and replay it to user. However, the users have generated the new random integers x and y. Then user A and B could find the attack by verifying the correctness of τ S,A and τ S,B , respectively. Hence, our protocol can resist the replay attack.

E. User anonymity

The attacker may eavesdrop the communication between the user and the trusted server, and try to trace the user’s real identity to find some security-sensitive information of the user. In our proposed protocol, the real identity of user A and B are protected by AID i =Ah(T A ) and BID i =Bh(T B ), respectively. In order to compute T A and T B , the attacker will face the DLP problem. Hence, our protocol can provide the user with a high degree of anonymity.

F. Mutual authentication

Our protocol can achieve mutual authentication between the user and the server. In step 3 of our protocol, the server TS must verify the validity of τ A,S and τ B,S in order to authenticate user A and B. User A and B also must verify the validity of τ S,A and τ S,B , respectively, in order to authenticate server TS. If there is an attacker who wants to forge messages, he/she will face not only the DLP but also the DHP problems. Therefore, as both the user and the trusted server can authenticate each other, the mutual authentication between them is achieved.

5 Performance discussion

In this section, we discuss the performance of our proposed protocol. We compare the security properties of our protocol with Huang’s protocol [10], Lou and Huang’s protocol [21], Lee et al.’s protocol [13], and Wu et al.’s protocol [30] in Table 2.

Table 2 Comparison of security properties
Full size table

In Table 2, we can see that our protocol is more secure than other protocols. We also compare the performance of our protocol with other protocols in Table 3. In Table 3, U denotes the user and S denotes the server. The computational complexity of modular exponential is higher than all other operations such as hash computation and Chebyshev chaotic maps, which can be done efficiently. Our protocol is more efficient than other protocols even if the costs of our protocol are slightly higher than Lou and Huang’s protocol. However, Lou and Huang’s protocol is vulnerable to the off-line dictionary attacks and also cannot provide user anonymity. As shown in Table 2, none of the other protocols can provide user anonymity. Hence, our protocol is more efficient and secure than others since our protocol only uses hash operation and XOR operation and also can provide user anonymity.

Table 3 Comparison of performance
Full size table

6 Conclusion

In this article, we propose a three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps, which is more efficient and secure than previously proposed schemes. In order to enhance the efficiency and security, we use the extended chaotic maps both to encrypt and to decrypt the information transmitted by either the user or the server. In security and performance analysis, we have shown that our protocol is more efficient and secure than others since our protocol only uses hash operation and XOR operation. Furthermore, our protocol can also provide user anonymity to guarantee the identity of users, which is transmitted in the insecure public network.