1 Introduction

An authenticated key agreement protocol allows communicating parties to authenticate each other via insecure network, and establishes a secure session key for their subsequent communications. With the rapid development of chaos theory related to cryptography [16], many chaotic maps based two-party password-authenticated key agreement schemes have been proposed [715]. In 2005, Xiao et al. [7] proposed a key agreement protocol using a chaotic public-key cryptosystem, but Alvarez [8] showed that their scheme cannot resist the man-in-the-middle attack. Then, based on the semi-group property of the Chebyshev chaotic map, Xiao et al. [9] proposed a novel key agreement protocol. However, Han [10] demonstrated that Xiao et al.’s protocol is still insecure. Xiang et al. [11] also pointed out that Xiao et al.’s protocol is vulnerable to a stolen-verifier attack and an offline guessing attack. After that, Xiao et al. [12] and Han–Chang [13] improved the security of a chaotic maps-based key agreement protocol using a timestamp. In 2010, Guo–Zhang [14] proposed a new chaotic maps-based key agreement protocol, but He [15] showed that their scheme is vulnerable to an offline guessing attack. In 2012, Gong et al. [16] proposed a maps-based key agreement protocol without using smart cards.

Based on the merits of password-authenticated key agreement protocol, in 2009, Tseng et al. [17] proposed a password and chaotic maps based key agreement protocol with anonymity. However, Niu and Wang [18] showed that Tseng et al.’s protocol cannot achieve user anonymity and perfect forward secrecy, and cannot resist an insider attack, and further proposed an improved scheme with a trusted third party (TTP). But Xue and Hong [19] demonstrated that the Niu and Wang’s scheme has some disadvantages and proposed a new one without TTP. The same year, Yoon [20] also showed that Niu and Wang’s anonymous key agreement protocol is vulnerable to a Denial-of-Service (DoS) attack based on illegal message modification. Tan [21] showed that Xue and Hong’s scheme cannot provide strong anonymity and is vulnerable to the man-in-the-middle attack. Very recently, Lee and Hsu [22] proposed a biometric-based remote user authentication with key agreement scheme using extended chaotic maps, and Guo and Chang [23] proposed the first chaotic maps-based password-authenticated key agreement using smart cards.

In 2010, Wang and Zhao [24] proposed a three-party key agreement protocol based on chaotic maps, but Yoon and Jeon [25] showed that their scheme needs timestamp information and is vulnerable to an illegal message modification attack, and then they proposed an improved scheme. In Wang and Zhao and Yoon and Jeon’s schemes, the server and the two users should share long-term secret keys to achieve mutual authentication. However, it is inconvenient that the users should protect the long-term secret keys. In 2012, Lai et al. [26] proposed a novel three-party key agreement protocol using the enhanced Chebyshev chaotic map, but Zhao et al. [27] showed that their protocol is vulnerable to the privileged insider attack and the off-line password guessing attack. Lee et al. [28] also proposed a three-party key agreement protocol using extended chaotic maps, but these schemes need the timestamp. In recent years, the three-party password-authenticated key agreement protocol using modular exponentiation or scalar multiplication on an elliptic curve has been addressed widely [29, 30]. However, these schemes need heavy computation costs.

To the best of our knowledge, no three-party password-authenticated key agreement (3PAKA) protocol without a timestamp, that utilizes chaotic maps has been proposed, yet. Generally speaking, a 3PAKA protocol with chaotic maps should achieve the following requirements:

  1. (i)

    It should allow two users establish a secure session key over an insecure communication channel with the help of a trusted server with the shared passwords.

  2. (ii)

    The protocol should be based on chaotic maps without using modular exponentiation and scalar multiplication on an elliptic curve.

  3. (iii)

    The protocol should be able to resist all attacks, such as password guessing attacks, impersonation attacks, man-in-the-middle attacks, etc.

  4. (iv)

    The protocol should achieve some well-known properties, such as perfect forward secrecy, no timestamp, and execution efficiency.

In this paper, based on Chebyshev chaotic maps, we propose a new three-party password-authenticated key agreement protocol which achieves the above requirements.

The rest of the paper is organized as follows. In Sect. 2, we review Chebyshev chaotic maps. A Chebyshev chaotic maps-based three-party password-authenticated key agreement protocol is described in Sect. 3. After that, security analysis and the performance comparison are presented in Sects. 4 and 5. The paper is concluded in Sect. 6.

2 Chebyshev chaotic maps

In this section, we briefly introduce the Chebyshev polynomial and Chebyshev chaotic map [24].

Definition 1

Let n be an integer, and let x be a variable belonging to the interval [−1,1]. The Chebyshev polynomial T n (x):[−1,1]→[−1,1] is defined as

$$T_{n}(x) = \cos \bigl(n\arccos (x) \bigr). $$

According to Definition 1, we can conclude the following recurrence relation of the Chebyshev polynomial:

$$\begin{aligned} &{T_{0}(x) = 1,\qquad T_{1}(x) = x,} \\ &{ T_{n}(x) = 2xT_{n - 1}(x) - T_{n - 2}(x),} \\ &{\quad \mbox{where }n \ge 2.} \end{aligned}$$

Definition 2

When n>1, the Chebyshev polynomial map T n (x):[−1,1]→[−1,1] of degree n is a chaotic map with its invariant density \(f^{*}(x) = 1/(\pi \sqrt{1 - x^{2}} )\), for a positive Lyapunov exponent lnn.

Definition 3

One of the most important properties of Chebyshev polynomials is called the semi-group property, namely

$$\begin{aligned} T_{r} \bigl(T_{s}(x) \bigr) =& \cos \bigl(r \cos^{ - 1} \bigl(s\cos^{ - 1}(x) \bigr) \bigr) \\ =& \cos \bigl(rs\cos^{ - 1}(x) \bigr) = T_{sr}(x) = T_{s} \bigl(T_{r}(x) \bigr). \end{aligned}$$

In 2008, Zhang [31] proved that the semi-group property defined on interval (−∞,+∞) hold, that is,

$$T_{n}(x) \equiv \bigl(2xT_{n - 1}(x) - T_{n - 2}(x) \bigr)\bmod p, $$

where n≥2, x∈(−∞,+∞), and p is a large prime number. Therefore,

$$T_{r} \bigl(T_{s}(x) \bigr) \equiv T_{sr}(x) \equiv T_{s}\bigl(T_{r}(x)\bigr)\bmod p. $$

The following problems about Chebyshev polynomials are assumed to be intractable within polynomial time.

Definition 4

Given x and y, it is intractable to find the integer s, such that T s (x)=y. It is called the Chaotic Maps-Based Discrete Logarithm problem.

Definition 5

Given x, T r (x) and T s (x), it is intractable to find T rs (x). It is called the Chaotic Maps-Based Diffie–Hellman problem.

3 The proposed scheme

In this section, we propose a chaotic maps-based three-party password authenticated key agreement scheme which consists of two phases: the setup phase and the authentication and key agreement phase.

3.1 Setup phase

In this phase, a server S chooses its public key (x,T k (x)) and a secret key k based on Chebyshev chaotic maps, a chaotic maps-based one-way hash function h() [32], secure symmetric encryption/decryption functions E K ()/D K () with key K. Additionally, the server S shares passwords pw A and pw B with users A and B; users A and B choose their identities ID A and ID B , respectively.

3.2 Authentication and key agreement phase

In this phase, users A and B can authenticate each other and establish a session key with the help of the trusted server S. Figure 1 illustrates this phase.

Fig. 1
figure 1

The proposed 3PAKA protocol

Full size image

Round 1

User A chooses a, computes K AS =T a T k (x), H A =h(T a (x)∥ID A ID B pw A ), and \(C_{1} = E_{K_{AS}}(\mathit{ID}_{A}\|\mathit{ID}_{B}\|H_{A})\). Then sends m 1={T a (x),ID A ,C 1} to B.

Round 2

Upon receiving m 1 from A, B chooses b, computes K BS =T b T k (x), H B =h(T b (x)∥ID B ID A pw B ), and \(C_{2} = E_{K_{BS}}(\mathit{ID}_{B}\|\mathit{ID}_{A}\|H_{B})\). Then, B sends m 2={m 1,T b (x),ID B ,C 2} to S.

Round 3

Upon receiving m 2 from B, S first computes

$$\begin{aligned} &{K_{SA} = T_{k}T_{a}(x),\qquad D_{K_{SA}}(C_{1}) = \{ \mathit{ID}_{A}, \mathit{ID}_{B},H_{A}\},} \\ &{K_{SB} = T_{k}T_{b}(x),\qquad D_{K_{SB}}(C_{2}) = \{ \mathit{ID}_{B}, \mathit{ID}_{A},H_{B}\}.} \end{aligned}$$

Then, S computes \(H_{A}' = h(T_{a}(x)\|\mathit{ID}_{A}\|\mathit{ID}_{B}\|\mathit{pw}_{A})\) and \(H_{B}' = h(T_{b}(x)\|\mathit{ID}_{B}\|\mathit{ID}_{A}\|\mathit{pw}_{B})\), and checks if \(H_{A} = H_{A}'\) and \(H_{B}' = H_{B}\). If so, S computes

$$\begin{aligned} &{H_{SB} = h\bigl(T_{a}(x)\|\mathit{pw}_{B} \bigr),} \\ &{ C_{3} = E_{K_{SB}}\bigl(\mathit{ID}_{B}\| \mathit{ID}_{A}\|T_{a}(x)\|H_{SB}\bigr),} \\ &{H_{SA} = h\bigl(T_{b}(x)\|\mathit{pw}_{A} \bigr),} \\ &{C_{4} = E_{K_{SA}}\bigl(\mathit{ID}_{A}\| \mathit{ID}_{B}\|T_{b}(x)\|H_{SA}\bigr),} \end{aligned}$$

and sends m 3={C 3,C 4} to B. Otherwise, S terminates this request.

Round 4

WhenB obtains m 3, he decrypts C 3 by K BS and obtains {ID B ,ID A ,T a (x),H SB }, then computes h(T a (x)∥pw B ) and checks if it equals H SB . If not, he terminates it. Otherwise, B computes SK=T b T a (x) and H BA =h(SKID B ID A C 4), and sends m 4={H BA ,C 4} to A.

Round 5

Upon receiving m 4, A decrypts C 4 by K AS and obtains {ID B ,ID A ,T b (x),H SA }, then computes h(T b (x)∥pw A ) and checks if it equals H SA . If not, he terminates it. Otherwise, A computes SK=T a T b (x) and verifies if h(SKID B ID A C 4) equals H BA . If not, he terminates it. Otherwise, A computes and sends m 5=h(SKAB) to B.

Round 6

When B obtains m 5, he verifies whether m 5=h(SKAB) or not. If it does not hold, B terminates it. Otherwise, A and Bshare the session key SK′=h(T a T b (x)).

4 Security analysis

In this section, we will show that the proposed scheme can resist various known attacks.

4.1 Off-line password guessing attack

An adversary may eavesdrop the communication among A, B and S, get all messages {m 1,m 2,m 3,m 4,m 5}, and launch an off-line password guessing attack. As we know, all messages except m 5 are related with A’s or B’s passwords. However, the adversary cannot verify whether his guessed password is right or not since these messages are all encrypted by K AS or K BS , and the adversary cannot compute K AS or K BS from T k (x), T a (x) and T b (x) due to the intractability of the Chaotic Maps-Based Computational Diffie–Hellman (CM-CDH) problem. On the other hand, if an adversary can know K AS or K BS , then he can decrypt C 1, C 2, C 3, or C 4, and obtain H A , H B , H SA , H SB , respectively, thus the adversary can guess the correct passwords pw A or pw B . However, it is impossible due to the CM-CDH problem. Therefore, our scheme can resist an off-line password guessing attack.

4.2 On-line password guessing attack

If an adversary wants to guess B’s password, he guesses a password pw, chooses b′, computes \(K_{BS}' = T_{b'}T_{k}(x)\), \(H_{B}' = h(T_{b'}(x)\|\mathit{ID}_{B}\|\mathit{ID}_{A}\|\mathit{pw})\), and \(C_{2}' = E_{K_{BS}'}(\mathit{ID}_{B}\|\mathit{ID}_{A}\|H_{B}')\). Then the adversary intercepts and sends \(m_{2}' = \{ m_{1},T_{b'}(x),\mathit{ID}_{B},C_{2}'\}\) to S. However, S can detect this attack if the adversary guessed a wrong password since S needs to check if \(H_{B}' = h(T_{b'}(x)\|\mathit{ID}_{B}\|\mathit{ID}_{A}\|\mathit{pw}_{B})\). Therefore, our scheme can resist an on-line password guessing attack.

4.3 Perfect forward secrecy

In the proposed scheme, the session key SK′=h(T a T b (x)) is related with nonces a and b, which were chosen by user A and user B, respectively. Because of the intractability of the CM-CDH problem, an adversary cannot compute the previously established session keys even if he knows the server’s secret key k, A’s and B’s passwords.

4.4 Known-key security

Since the session key SK′=h(T a T b (x)) is depended on the random nonces a and b, and the generation of nonces is independent in all sessions, an adversary cannot compute the previous and the future session keys when he knows one session key.

4.5 Denning–Sacco attack

If an adversary knows SK=T a T b (x) from SK′=h(SK)=h(T a T b (x)), than he can generate the correct H BA and m 5, thus he can impersonate one party to cheat another. However, it is impossible due to the intractability of the solving Hash function. Also, the adversary cannot get the server’s secret key k, A’s and B’s passwords from SK′=h(T a T b (x)).

4.6 Replay attack

Even if an adversary impersonates A and replays A’s message m 1={T a (x),ID A ,C 1} to B, he cannot verify H BA and respond the correct m 5 to B since the adversary cannot decrypt C 4, and cannot compute SK for the new nonce b. For the same reason, even if an adversary impersonates B and replays B’s message {T b (x),ID B ,C 2} to the server, he cannot succeed.

If an adversary replays the server’s messages C 3 and C 4, because a and b are new nonces chosen by A and B, the replayed C 3 and C 4 cannot pass the verification process of both A and B.

4.7 Forgery and impersonation attacks

If an adversary impersonates A (or B) and sends m 1={T a (x),ID A ,C 1} (or {T b (x),ID B ,C 2}) to B (or the server), the message cannot pass through the authentication of the server since he does not know the password.

4.8 Man-in-the-middle attack

From the above analysis, we can know that an adversary is unable to achieve success by impersonating and replaying. On the other hand, because C 1, C 2, C 3, and C 4 contain the users’ identities, a man-in-the-middle attack cannot succeed.

5 Performance comparison

In our proposed scheme, no time-consuming modular exponentiation and scalar multiplication on elliptic curves are needed, instead Chebyshev polynomial computations are needed. However, Xiao et al. [7] and Wang–Zhao [24] proposed several methods to solve the Chebyshev polynomial computation problem.

Let T, E, D, H, and M be the time for performing a Chebyshev polynomial computation, a modular exponentiation, a symmetric encryption/decryption, a one-way hash function, and a scalar multiplication on an elliptic curve, respectively. The performance comparison of authentication and key agreement phase between our scheme and other four recently proposed related schemes in [24, 25, 2730] is given in Table 1.

Table 1 Performance comparison of authentication and key agreement phase
Full size table

From Table 1, we can conclude that both Wang–Zhao and Yoon–Jeon’s protocols are more efficient than the rest, but their protocols are not password based schemes, and the users should protect long-term secret keys. For 3PAKA schemes, the computation cost among our scheme, Zhao et al.’s, and Lee et al.’s schemes are of the same level, but both Zhao et al.’s and Lee et al.’s schemes use a timestamp; also Yang–Cao and Wu et al.’s schemes use modular exponentiation and scalar multiplication on an elliptic curve, respectively.

As far as the same security level is concerned, the key sizes for the elliptic curve on the finite field GF(2160) and the composition modulo N are 160 bits and 1024 bits, respectively. From [33], we can conclude that the performances of the ECC and RSA do not differ until the larger key sizes (e.g., the composition modulo N is 7680 bits), where ECC outperforms RSA. On the other hand, the computation of T n (x) takes some iterations of the Chebyshev polynomial [24, 34], which consumes roughly similar time as when computing modular exponentiation. However, for the Chebyshev polynomial, r and s are of 900–1024 bits [24, 35], and p is less than 1024 bits, for example, p is 256 bits [36]. In this scenario, the Chebyshev polynomial computation is much faster than that of RSA exponentiation and ECC scalar multiplication, since the modulo for RSA is 1024 bits.

Let’s consider the other scenario, equation T n (x)≡(2xT n−1(x)−T n−2(x))modp can be rewritten as

$$\begin{aligned} \left [ \begin{array}{@{}c@{}} T_{n - 1}(x) \\ T_{n}(x) \end{array} \right ] =& \left [ \begin{array}{@{}c@{\quad}c@{}} 0 & 1 \\ - 1 & 2x \end{array} \right ] \left [\begin{array}{@{}c@{}} T_{n - 2}(x) \\ T_{n - 1}(x) \end{array} \right ] \\ =& A\left [ \begin{array}{@{}c@{}} T_{n - 2}(x) \\ T_{n - 1}(x) \end{array} \right ] = A^{n - 1}\left [ \begin{array}{@{}c@{}} T_{0}(x) \\ T_{1}(x) \end{array} \right ], \end{aligned}$$

matrix exponentiation can be performed effectively by the square and multiply algorithm, which is faster than that of the iteration algorithm [37]. It only takes 70 ms to compute T n (x)modp using the above equation with GNU multiple precision libraries on an Intel Pentium 1700 MHz processor with 512 MB RAM, where N and P are 1024 bits long [35].

Therefore, the proposed 3PAKA scheme not only achieves security requirements, but also enjoys acceptable efficiency.

6 Conclusion

In this paper, we proposed a chaotic maps-based three-party password-authenticated key agreement scheme. To the best of our knowledge, this is the first chaotic maps-based three-party password-authenticated key agreement scheme without a timestamp. The scheme has many advantages: it achieves perfect forward secrecy, does not use a timestamp, modular exponentiation and scalar multiplication on an elliptic curve, can resist all known attacks such as password guessing attacks, impersonation attacks, man-in-the-middle attacks, etc, and meets almost all requirements of a 3PAKA protocol.