Presentation of a Two-Party Key Agreement Protocol based on Chaos

One of the most important cryptographic protocols is the key agreement protocol, which is used to establish a shared secret key between two participants over an insecure channel. Much research has been done to increase the security and efficiency of these protocols. Recently, in 2012, Lee et al. proposed a key agreement protocol using smart cards and claimed that their protocol is secure and efficient. However, He et al. showed that Lee et al.'s protocol is vulnerable to the privileged insider attack and the denial of service attack, and that the protocol cannot protect the user's true identity. We also point out that the protocol requires timestamp information and that the cost of cards and readers makes it expensive. To overcome these weaknesses, we propose a key agreement protocol based on the Chebyshev chaotic map that does not use a smart card. Our protocol allows users to interact with the server anonymously. Moreover, analysis shows that the proposed protocol successfully resists the known attacks.


Introduction
A key agreement protocol is a protocol used by two or more communicating parties to establish secret session keys, where no single party can predetermine the resulting session key. Users can transmit information securely over an open channel by using these keys to encrypt and decrypt information. In 1976, Whitfield Diffie and Martin Hellman [2] developed the first key agreement protocol, which carries their names. However, their protocol does not provide mutual authentication between the communicating parties, and so it is vulnerable to the man-in-the-middle attack.
Over the past decades, cryptography based on chaos has been studied extensively. Because of the Chebyshev map's sensitive dependence on initial conditions and parameters and its resemblance to random behavior, this chaotic map has been used for symmetric encryption schemes, hash functions, public key encryption schemes and key agreement protocols. In 2003, Kocarev and Tasev [6] proposed a public-key encryption algorithm using chaotic maps. In 2005, Bergamo et al. [1] pointed out that the Kocarev-Tasev protocol is insecure because an adversary can recover the plaintext from a given ciphertext without any private key. In 2007, Xiao et al. [12] designed a novel key agreement protocol that utilizes the semi-group property of the Chebyshev chaotic map. However, in 2008, Han [3] pointed out that Xiao et al.'s protocol is insecure and presented two attacks on it, in which an adversary can prevent the communicating parties from establishing a shared secret session key. Besides, in 2009, Xiang et al. [11] pointed out that Xiao et al.'s protocol is vulnerable to the stolen-verifier attack and the offline password guessing attack. In 2009, Han and Chang [4] proposed a key agreement protocol based on a chaotic map which works with or without clock synchronization. In 2010, Wang and Zhao [10] proposed an improved key agreement protocol based on chaos. However, in 2011, Yoon and Jeon [14] showed that the Wang-Zhao protocol still requires timestamp information and is vulnerable to illegal message modification attacks, and then proposed an efficient and secure key agreement protocol. In various scenarios such as e-commerce, e-banking and telecare information systems, users want to obtain services anonymously. In 2009, Tseng et al. [9] presented the first key agreement protocol based on chaotic maps with user anonymity. In 2011, Niu and Wang [8] pointed out that Tseng et al.'s protocol cannot provide user anonymity or perfect forward secrecy and is also insecure against an insider attacker, and proposed a new anonymous key agreement protocol. Soon after, Yoon [13] showed that the Niu-Wang protocol is vulnerable to the denial of service attack and also has a computational problem. In 2012, Lee et al. [7] presented an efficient key agreement protocol with smart cards. In this paper, we point out that Lee et al.'s protocol fails to resist the privileged insider attack and the denial of service attack, fails to provide anonymity, is costly because of its use of smart cards, and requires clock synchronization. To overcome these problems, we introduce an improved key agreement protocol based on chaotic maps.
This paper is organized as follows: Section 2 describes the Chebyshev chaotic map and the Logistic chaotic map. In Section 3, we review Lee et al.'s key agreement protocol. In Section 4, we introduce a new secure key agreement protocol, and in Section 5 we analyze its security. Finally, our conclusion is given in Section 6.

Preliminaries
In this section, we introduce the concepts used in our protocol, namely the Chebyshev chaotic map and the Logistic chaotic map.
of degree n are defined using the recurrence relation (1):

Chebyshev Chaotic Map
Some examples of Chebyshev polynomials are shown in (2).
Definition 2. Let n be an integer and let x be a variable over the interval [-1,1]. The polynomial is defined as: In fact, Definition 1 and Definition 2 are equivalent. Chebyshev polynomials have two important properties: the semi-group property and the chaotic property.
Definition 3. The semi-group property: One of the most important properties of Chebyshev polynomials is the semi-group property, which is defined by relation (4):
for positive Lyapunov exponent ln n.
Definition 5. Enhanced Chebyshev polynomials: To enhance the property of the Chebyshev chaotic map, Zhang [15] proved that the semi-group property holds for Chebyshev polynomials on the interval (-∞, +∞). Enhanced Chebyshev polynomials are defined as: and N is a large prime number.
Definition 6. The Diffie-Hellman problem (DHP): DHP is explained as follows: Given two different degree polynomials
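Worked example of Definitions 3 and 5, added here and not taken from the paper: enhanced Chebyshev polynomials computed modulo a prime N with the standard recurrence, and the semi-group property turned into a Diffie-Hellman style exchange of the kind the later protocol and its DHP/DLP arguments rely on. The recurrence and the mod-N form are assumed to be the standard definitions (the paper's own formulas did not survive extraction); the modulus N, seed a and degrees r, s are constructed values.

```python
# Added example (not from the paper): enhanced Chebyshev polynomials T_n(x) mod N and the
# semi-group property T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)). Assumed standard recurrence:
# T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}, each term reduced mod a prime N.

def chebyshev_naive(n, x, N):
    """T_n(x) mod N by iterating the recurrence; O(n), used as a reference."""
    t_prev, t_cur = 1 % N, x % N  # T_0, T_1
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % N
    return t_cur

def _matmul(A, B, N):
    """Product of two 2x2 integer matrices, reduced mod N."""
    return [[(A[i][0] * B[0][j] + A[i][1] * B[1][j]) % N for j in range(2)]
            for i in range(2)]

def chebyshev_mod(n, x, N):
    """T_n(x) mod N in O(log n): (T_n, T_{n-1}) = M^n (T_0, T_{-1}) with
    M = [[2x, -1], [1, 0]] and T_{-1}(x) = T_1(x) = x; M^n by square-and-multiply."""
    x %= N
    result = [[1, 0], [0, 1]]
    base = [[(2 * x) % N, (-1) % N], [1, 0]]
    e = n
    while e:
        if e & 1:
            result = _matmul(result, base, N)
        base = _matmul(base, base, N)
        e >>= 1
    return (result[0][0] + result[0][1] * x) % N

def semigroup_holds(r, s, x, N):
    """Check T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x) (mod N) for one instance."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, N), N)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, N), N)
    return lhs == rhs == chebyshev_mod(r * s, x, N)

def agree_key(a, N, r, s):
    """Diffie-Hellman style exchange over a public seed a: the user publishes T_r(a),
    the server publishes T_s(a); each applies its own secret degree to the other's
    value. Returns (user_key, server_key); they match by the semi-group property."""
    user_pub = chebyshev_mod(r, a, N)      # sent user -> server
    server_pub = chebyshev_mod(s, a, N)    # sent server -> user
    return chebyshev_mod(r, server_pub, N), chebyshev_mod(s, user_pub, N)

if __name__ == "__main__":
    N, a = 1000003, 12345                  # constructed prime modulus and seed
    print(agree_key(a, N, r=98765, s=54321))
```

An eavesdropper who sees only a, T_r(a) and T_s(a) must solve the DHP (or recover r or s, the DLP) to obtain the key; the secrecy of r and s is what the later protocol builds on.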

Logistic Chaotic Map
One of the simplest chaotic maps is the simple logistic function, or SLF for short. It can be expressed as follows:

Analysis of Lee et al.'s Protocol
In this section, we describe Lee et al.'s protocol and show its problems.

Lee et al.'s Key Agreement Protocol
In this subsection, we describe Lee et al.'s protocol [7]. There are three phases in Lee et al.'s protocol: the registration phase, the login phase, and the authentication phase. Ui and the server are the two participants in the key agreement process, where Ui is user i.
i. Registration phase
1: Ui chooses his/her random password pwi, inputs his/her personal biometrics BTi by a special device and computes H(BTi), then sends IDi, pwi, and H(BTi) to the server over a secure channel, where IDi is his/her identity and H(.) is a one-way hash function.
2: The server selects a random number N and computes , where Xs is the private key of the server and ⊕ is the XOR operation.
, where Tx(r) is the Chebyshev polynomial of degree x in r and tu is a timestamp of the user. Ui sends If so, the server is authenticated and ski is used as the secret session key.

Problems of Lee et al.'s Key Agreement Protocol
Lee et al. claimed that their protocol is secure and efficient. Unfortunately, Lee et al.'s protocol has some problems.
(a) Privileged insider attack [5]
In the first step of the registration phase of Lee et al.'s protocol, Ui sends IDi and pwi to the server. If the user uses the same password to access other servers, to avoid remembering different passwords, then since the server knows the user's password, it may try to impersonate Ui. Therefore, this protocol is vulnerable to the privileged insider attack, although the probability of this type of attack is low.
(b) Denial-of-service attack [5]
Ui inputs his/her personal biometrics BTi' by a special device in step 1 of the login phase to confirm the claim of being a registered user. The smart card then checks whether the hash of the input biometrics matches the stored value. One of the properties of hash functions is that the output changes even if only one bit of the input changes; so if the two hashes differ, the smart card will reject the user's request, and there may be small differences between the input biometrics each time. For example, one of the biological characteristics used is iris recognition. In this method, the features associated with the random texture of the colored part of the eye are measured, and 266 unique features are identifiable; the problem with this approach is that it may be affected by some eye diseases such as cataract. Thus, this protocol is vulnerable to the denial of service attack.
(c) Failure of user anonymity [5]
Assume an adversary steals the user's smart card and extracts (IDi,H(BTi),Qi,N) stored in it. Because the adversary monitors the communication channel between the user and the server, he/she can intercept C1=(AIDi,M1,M2,M3,tu). Thus, he/she gets the real user's identity by computing
(d) Clock synchronization problem
In Lee et al.'s protocol, the user and the server must be synchronized. In step 1 of the authentication phase, the server must check whether the timestamp tu is valid. If the timestamp has expired, the server stops there. Therefore, this protocol can only work in a clock-synchronized environment.
(e) Problem of smart cards
Recently, some key agreement protocols based on smart cards have been proposed [5,7]. Although these cards provide tamper resistance, the cost of cards and readers makes these protocols costly. Also, these cards can be physically disassembled.

Our protocol
In this section, we introduce our proposed protocol. There are two phases in our protocol: the registration phase and the authentication-key agreement phase. The detailed steps of these phases are described in the following subsections.
i. Registration phase
Ui chooses a large integer n, a random parameter µ over the interval [3.57,4] and an initial value x0 over the interval [0,1], and then uses the logistic map to produce the chaotic sequence A. He/she also selects his/her random password pwi. Now, he/she sends IDi, a and to the server over a secure channel, where IDi is his/her identity and a is the sum of all the elements in A.
The server randomly chooses a large integer k and a large prime number N' and then computes Tk(a), where a is the seed of the Chebyshev polynomial. He/she also selects two random numbers Mi and v. Now, he/she sends IDs, Mi, v and Tk(a) to Ui over a secure channel, where IDs is his/her identity.
ii. Authentication-key agreement phase
1. Ui selects a large integer r, a large prime number Ni, and a random number , and He/she transmits Mi, AIDi, M1, T1, xi and Ni to the server.
2. After receiving the message, the server finds the registered user Ui in his/her user account database and computes . Then, the server checks whether IDi is a valid identity and whether IDs is his/her identity. If not, the server stops here; otherwise, he/she computes and also chooses a large integer s and computes and the authentication value . Finally, the server sends M2, T2 and AUs to Ui.
3. , and checks whether AUs and AUs' are equal. If so, the identity of the server is authenticated. Next, Ui computes the authentication value and sends it to the server.
4. The server computes the same authentication value and checks whether AUi is equal to AUi'. If so, the identity of Ui is authenticated.
After mutual authentication and session key agreement between Ui and the server, are used as the shared secret session keys.

Security Analysis of Our Protocol
In the security analysis of a key agreement protocol, the protocol's security against existing attacks is evaluated. The most important security features include:
, since a and Tk(a) are exchanged between the user and the server over a secure channel before the key agreement protocol. As a result, a and Tk(a) are unknown to attackers and Bergamo et al.'s attack does not work.
(b) Man-in-the-middle attack
In our protocol, an attacker cannot forge a legal message because the server and Ui can judge whether a received message has been modified or substituted by checking the messages and the authentication values. In step 3 of the authentication-key agreement phase, Ui checks M2* and AUs, and in steps 2 and 4 of the authentication-key agreement phase, the server checks IDi*, IDs* and AUi. Thus, the proposed protocol prevents this kind of attack.

(c) Mutual authentication
In the proposed protocol, Ui authenticates the server in step 3 of the authentication-key agreement phase by checking whether AUs equals AUs'. Moreover, in step 4 of the authentication-key agreement phase, the server authenticates Ui by checking whether AUi equals AUi'. Thus, the server and Ui are valid participants, and our protocol supports mutual authentication between the server and the user.
(f) User anonymity
In our protocol, the attacker cannot get the user's true identity because it is protected using Tk(a) and the random number v, which are unknown to the attacker. Hence, it is difficult for the attacker to obtain a user's identity IDi.

Conclusion
The goal of key agreement protocol designers is to design a secure and efficient key agreement protocol. In this paper, Lee et al.'s protocol and its problems were addressed. Then, to solve these problems, an improved key agreement protocol was proposed. Analysis shows that the new scheme is more secure than the investigated scheme.

Definition 1. Let n be an integer and let x be a variable over the interval [-1,1].
without knowing r and s is impossible.
Definition 7. The discrete logarithm problem (DLP): DLP is explained as follows: Given an element a, finding the integer r such that
xn is the n-th value in the sequence, xn+1 is the (n+1)-th value in the same sequence and µ, with 0 < µ ≤ 4, is the logistic map parameter. For chaotic behavior,
1: Upon receiving C1, the server checks whether the equation holds, where t' is the time when the server receives the message and Δt is the predetermined transmission delay interval. If the equation holds, the server stops the session; otherwise, the server computes The server chooses a random integer y, and computes the session key
(a) Bergamo et al.'s attack
In the proposed protocol, although attackers could obtain xi easily, they cannot obtain
(d) Known-key secrecy
Suppose that attackers obtain a past shared secret key between the server and the user; however, they cannot compute other session keys for the current session, because of the Diffie-Hellman problem (DHP) and the discrete logarithm problem (DLP). Clearly, our protocol achieves known-key secrecy.
(e) Off-line password guessing attack
In the registration phase, the user uses n and µ when computing secretly; in the authentication-key agreement phase, only , sent from the user to the server, involves the user's password. Without knowing n and µ, it is infeasible for an adversary or the server to guess a user's password.