
SECURITY AND COMMUNICATION NETWORKS

Security Comm. Networks 2015; 8:1971-1978


Published online 19 December 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1145

RESEARCH ARTICLE

Secure chaotic maps-based authenticated key agreement protocol without smartcard for multi-server environments

Jia-Lun Tsai and Nai-Wei Lo*
Department of Information Management, National Taiwan University of Science and Technology, Taipei, 106, Taiwan

ABSTRACT
Modern individuals heavily rely on the support of information systems. Various applications and information processing systems provide all kinds of assistance for people's lives, such as information search, work scheduling, entertainment, and online shopping. For a user to access an Internet-connected system or an internal system within an enterprise, a unique password is in general given to the user to log into the system. Therefore, how to conveniently maintain or remember multiple passwords has become a serious headache for people. In this study, a new chaotic maps-based authenticated key agreement protocol is first proposed for multi-server environments. A trusted third party, called the registration center (RC), is introduced in our protocol. Once a legal user has registered with the RC, this user can log into any server with only one memorable password in a multi-server environment as long as the user has been granted access rights in advance. As the security robustness of our protocol is built on randomly generated nonces and chaotic maps, there is no time synchronization issue. Security analyses and comparisons on performance efficiency and security features among existing protocols show that our protocol is computationally efficient and withstands password-guessing attacks and other well-known security threats. Copyright 2014 John Wiley & Sons, Ltd.

KEYWORDS
multi-server environment; authenticated key agreement protocol; chaotic maps; password-guessing attack

*Correspondence
Nai-Wei Lo, Department of Information Management, National Taiwan University of Science and Technology.
E-mail: nwlo@cs.ntust.edu.tw

1. INTRODUCTION

How to design secure and efficient authenticated key agreement protocols is an important topic for both network security and system security. An authenticated key agreement protocol is generally used for secure communication between a remote user and a targeted server. This kind of key agreement protocol first provides mutual authentication for both parties and then helps both parties establish a session key known only by the two communicating parties. The generated session key will be used later to encrypt and decrypt subsequent messages transmitted between the user and the server. Recently, chaotic maps [1-4] have been adopted to construct secure authenticated key agreement protocols. In 2007, Xiao et al. [5] first developed a new key agreement protocol using memorable passwords based on chaotic maps. However, Han [6] discovered that the protocol of Xiao et al. is vulnerable to several security threats. Since then, several enhanced authenticated key agreement protocols [6-12] have been proposed to overcome these security weaknesses shown in the protocol of Xiao et al.

In general, authenticated key agreement protocols are divided into two categories: password-based authenticated key agreement protocols [5-12] and smartcard-based authenticated key agreement protocols [13-24]. A password-based authenticated key agreement protocol allows a user to access services from a server with only one memorable password. In other words, a user does not need to possess any additional identity proof for authentication. Because only a memorable password is used for user authentication, most password-based authenticated key agreement protocols must defend against password-guessing attacks. By contrast, a smartcard-based authenticated key agreement protocol requires a user to possess one legitimate smartcard and one card reader in advance. When a user wants to log into a server, this user first uses his or her smartcard reader to retrieve the secret key stored in his or her smartcard, computes an authenticating message, and sends this message to the server for authentication. Even though a smartcard provides storage space for a longer secret key than a human-memorable password, the inconvenience caused by the necessity of carrying smartcards is always an issue for users. Smartcard-based authenticated key agreement protocols usually do not consider the security threat from password-guessing attacks, because the secret key stored in a smartcard is usually longer than 256 bits and it is generally more difficult for an adversary to take the smartcard of a user and retrieve the corresponding secret key from the smartcard than to execute a series of password-guessing attacks.

In modern countries, an individual usually needs to access multiple information systems via the Internet or local area networks. Consequently, a user has to remember multiple passwords or carry multiple smartcards to gain access to all targeted systems when traditional authenticated key agreement protocols are adopted. A multi-server authenticated key agreement protocol allows a user to access multiple servers with only one password or one smartcard once the user has registered with a trusted third party called a registration center (RC). Figure 1 shows a multi-server environment in which different information systems are gathered together, with users having to authenticate themselves to the registration center before permission to access these systems is granted. The concept of a smartcard-based multi-server authenticated key agreement protocol was proposed by Li et al. in 2001 [25]. However, the protocols proposed in [25] require heavy computing operations. In order to enhance protocol performance, other protocols based on different cryptosystems have been proposed recently [26-30]. However, none of these multi-server authentication protocols were based on a password until Lee et al. [31] first proposed a password-based multi-server authentication protocol without using a smartcard in 2008. The security strength of their protocol is based on the discrete logarithm problem; a symmetric cryptosystem and a one-way hash function were adopted to realize the design of their protocol. However, the protocol of Lee et al. [31] suffers from undetectable online password-guessing attack, server-spoofing attack, and impersonation attack plotted by legitimate users. Several enhanced protocols [32,33] have been proposed since then.

Figure 1. A multi-server environment.

This paper first proposes a new password-based multi-server authenticated key agreement protocol based on chaotic maps. By adopting the trusted third party architecture, a registration center is introduced in our protocol. With the proposed authentication protocol, a user can access multiple servers using only one memorable password. A session key is constructed to encrypt and decrypt subsequent messages between the targeted server and a user after both sides have mutually authenticated each other. Based on the results of security analyses, the proposed protocol withstands well-known security threats such as password-guessing attack, replay attack, impersonation attack, and server-spoofing attack. Our protocol also has better performance efficiency in terms of computation cost in comparison with existing protocols.

2. CHEBYSHEV CHAOTIC MAPS

Let n be an integer and x a variable ranging in the interval [-1, 1]. The Chebyshev chaotic map is defined as

$$T_n(x) = \cos(n \arccos x) \qquad (1)$$

Based on its definition, the Chebyshev polynomial has the following recurrence relations:

$$T_0(x) = 1, \quad T_1(x) = x, \quad T_{n+1}(x) = 2x\,T_n(x) - T_{n-1}(x) \quad \text{for } n \in \mathbb{N} \qquad (2)$$
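As an added example (not code from the paper), the following Python implements T_n(x) from recurrence (2) exactly over the rationals, compares it with definition (1) evaluated in double precision (the form whose precision Section 4 says both parties must fix consistently), checks the semi-group identity (3) on which the protocol's credential and session key rest, and shows the sensitivity to initial conditions that the chaotic property describes. The function names cheb, cheb_float, semigroup_holds and orbit_gaps and the sample inputs (x = 3/10, a perturbation of 1e-6) are this example's own.

```python
# Added example: Chebyshev polynomial T_n(x) and the properties stated in Section 2.
import math
from fractions import Fraction


def cheb(n: int, x) -> Fraction:
    """T_n(x) via recurrence (2): T_0 = 1, T_1 = x, T_{n+1} = 2x T_n - T_{n-1}.
    T_n has integer coefficients, so with a rational x the result is exact."""
    x = Fraction(x)
    t_prev, t_cur = Fraction(1), x
    for _ in range(n):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_prev


def cheb_float(n: int, x: float) -> float:
    """T_n(x) straight from definition (1), in double precision."""
    return math.cos(n * math.acos(x))


def semigroup_holds(r: int, s: int, x) -> bool:
    """Property (3): T_r(T_s(x)) = T_s(T_r(x)) = T_rs(x), checked with exact arithmetic.
    This commutativity is why user and RC agree on C and user and server agree on SK."""
    return cheb(r, cheb(s, x)) == cheb(s, cheb(r, x)) == cheb(r * s, x)


def orbit_gaps(x: float, delta: float, steps: int) -> list:
    """Chaotic property: iterate T_2 on two seeds x and x + delta and record the
    gap |T_2^i(x) - T_2^i(x + delta)| after each step.  Because T_2(cos t) = cos 2t,
    the gap grows roughly like 2^i * delta (Lyapunov exponent ln 2) until it is O(1)."""
    a, b = x, x + delta
    gaps = [abs(a - b)]
    for _ in range(steps):
        a, b = cheb_float(2, a), cheb_float(2, b)
        gaps.append(abs(a - b))
    return gaps


if __name__ == "__main__":
    x = Fraction(3, 10)                       # constructed sample point in [-1, 1]
    print("T_0..T_4 at 3/10:", [str(cheb(n, x)) for n in range(5)])
    print("T_7 by (2):", float(cheb(7, x)), " by (1):", cheb_float(7, 0.3))
    print("semi-group (3) for r=3, s=5:", semigroup_holds(3, 5, x))
    print("orbit gaps under T_2:", orbit_gaps(0.3, 1e-6, 10))
```

The exact evaluation is what makes the semi-group check meaningful: in floating point the two sides of (3) differ in the last bits for large r and s, which is precisely why Section 4 insists that x, cos(t) and arccos(t) be computed to the same decimal precision by every party.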


The Chebyshev polynomial possesses the following properties:

(1) Semi-group property:

$$T_r(T_s(x)) = \cos(r \arccos(\cos(s \arccos x))) = \cos(rs \arccos x) = \cos(sr \arccos x) = T_{sr}(x) = T_s(T_r(x)) \qquad (3)$$

(2) Chaotic property:

When n > 1, the Chebyshev polynomial T_n: [-1, 1] → [-1, 1] of degree n is a chaotic map with invariant density

$$f^*(x) = \frac{1}{\pi\sqrt{1 - x^2}} \qquad (4)$$

for the Lyapunov exponent λ = ln n > 0.

3. THE PROPOSED PROTOCOL

This section introduces our proposed protocol. There are three parties in our protocol: multiple users Ui (1 ≤ i ≤ l), multiple servers Sj (1 ≤ j ≤ m), and a registration center RC, where l, m ∈ N. We assume that the registration center RC is a trusted third party for servers and users. The proposed protocol consists of two phases: the user registration phase and the mutual authentication phase. Each user Ui and every server Sj must register with this registration center RC. Let y be the primary secret key for servers maintained by the registration center. When the registration center receives a registration request from one server, the registration center RC uses the server's identity SIDj and the primary secret key y to generate a shared secret key Rj = h(SIDj, y) and then sends the generated key Rj to the targeted server Sj via a secure channel. This shared key Rj is used to verify server legitimacy during the authentication process. Before presenting our password-based multi-server key agreement protocol, we depict the symbol notation for the protocol expression in Table I.

Table I. Symbol notation.

Notations      Descriptions
h(·)           One-way hash function
⊕              Exclusive OR operation
IDi, PWi       The identity and password of user Ui
SIDj, Rj       The identity and secret key of server Sj
X → Y: M       X sends a message M to Y

Detailed operation flows for each phase are described as follows.

User registration: The entire user registration phase is mainly executed in the registration center RC. Before a user Ui can access any server in the targeted multi-server environment, the user first has to register with the registration center RC and become a legal user. To register with the registration center RC, the user Ui must send the identity IDi and the corresponding password PWi to RC via a secure channel. Upon receiving (IDi, PWi) from the user Ui, the registration center RC computes h(PWi) and then stores IDi and h(PWi) in its database.

Mutual authentication: Preventing user password leakage from compromised servers or malicious servers is a very important and serious security topic in a multi-server environment. In our authentication protocol, to prevent the server Sj from knowing the password h(PWi) of a user Ui, the registration center RC generates a shared credential C = Tkr(x) and distributes it to the user Ui and the server Sj, respectively. The value of the generated credential C is different in each authentication session. Even if an adversary has stolen the shared credential C for the current authentication session, this adversary cannot use it to be authenticated successfully in another authentication session. The steps of our mutual authentication phase are illustrated in detail in what follows, with the corresponding step flow diagram shown in Figure 2.

Figure 2. The mutual authentication phase of the proposed protocol.

Step 1. Ui → RC: IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)

The user Ui computes h(h(PWi), IDi, SIDj) ⊕ Tr(x), where r and x are two randomly selected large integers. Next, the user Ui sends the login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} to the registration center RC.

Step 2. RC → Ui: h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)

Upon receiving the login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} from a user Ui, the registration center RC finds the corresponding hashed user password h(PWi) from its database according to the user identity IDi. Next, the registration center RC computes the credential C = Tk(Tr(x)) = Tkr(x), the value of h(h(PWi), IDi, SIDj) ⊕ Tk(x), and the hashed value h(IDi, SIDj, C), where k is a randomly selected large integer. Then RC sends the derived message {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} back to the user Ui.

Step 3. RC → Sj: IDi, x, z, C ⊕ h(Rj, x, IDi, z)

The registration center RC computes the shared key Rj = h(SIDj, y) and the value of C ⊕ h(Rj, IDi, z), and then sends the message {IDi, x, z, C ⊕ h(Rj, x, IDi, z)} to the server Sj, where z is a randomly selected large integer. Notice that the credential C is used to allow mutual authentication between the user Ui and the server Sj instead of using the user password h(PWi) directly between the user Ui and the server Sj.

Step 4. Sj → Ui: C ⊕ Ts(x), h(IDi, SIDj, C, Ts(x))

Upon receiving the message {IDi, x, z, C ⊕ h(Rj, x, IDi, z)} from RC, the server Sj retrieves C by computing the value of C ⊕ h(Rj, x, IDi, z) ⊕ h(Rj, x, IDi, z) and then computes the values of Ts(x), C ⊕ Ts(x) and h(IDi, SIDj, C, Ts(x)), where s is a randomly selected large integer. Next, the server Sj sends {C ⊕ Ts(x), h(IDi, SIDj, C, Ts(x))} to the user Ui.

Step 5. Ui → Sj: C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)

Upon receiving the message {C ⊕ Ts(x), h(IDi, SIDj, C, Ts(x))} from the server Sj, the user Ui computes the credential C = Tr(Tk(x)) = Trk(x) and then retrieves Ts(x) by computing the value of C ⊕ C ⊕ Ts(x). Next, the user Ui computes h(IDi, SIDj, C, Ts(x)) and then checks whether the computed value of h(IDi, SIDj, C, Ts(x)) is the same as the received value of h(IDi, SIDj, C, Ts(x)). If the verification process holds, the server Sj is authenticated. After that, the user computes the value of C ⊕ Tv(x), the session key SK = Tv(Ts(x)) = Tvs(x), and the hashed value h(IDi, SIDj, C, Ts(x), Tv(x), SK), where v is a randomly selected large integer. Then the user Ui sends the message {C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)} to the server Sj.

Step 6. Upon receiving the message {C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)} from the user Ui, the server Sj retrieves Tv(x) by computing the value of C ⊕ C ⊕ Tv(x) and then computes the session key SK = Ts(Tv(x)) = Tsv(x) and the value of h(IDi, SIDj, C, Ts(x), Tv(x), SK). Next, the server Sj checks whether the computed value of h(IDi, SIDj, C, Ts(x), Tv(x), SK) is the same as the received value of h(IDi, SIDj, C, Ts(x), Tv(x), SK). If the verification process holds, the user Ui is authenticated. Notice that SK is the session key used to encrypt and decrypt all subsequent data mess

ages between the user Ui and the server Sj.

4. SECURITY ANALYSES

This section shows that the proposed protocol withstands major security attacks and achieves essential security requirements. Two mathematical problems used to support the security robustness of the proposed authentication protocol are first defined in terms of Chebyshev chaotic maps as follows.

Definition 1. Chaotic Maps Discrete Logarithm Problem: Given x and y, it is infeasible to find the integer r such that y = Tr(x).

Definition 2. Computational Chaotic Maps Diffie-Hellman Problem (CCMDHP): Given x, Tr(x), and Ts(x), it is infeasible to find the integer rs such that Trs(x) = Tr(Ts(x)) = Ts(Tr(x)).

The proposed protocol adopts the Chebyshev chaotic map value Tn(x) to generate a session key for a communicating user and the corresponding backend server. From [34], we know that the maximum possible number of session keys that can be generated in the proposed protocol depends on the decimal precision d of x, of the computed value of the cos(t) operation and of the computed value of the arccos(t) operation, and on the binary length of the session key l, where 10^d ≥ 2^k. Therefore, the precision of x, of the computed value of the cos(t) operation, and of the computed value of the arccos(t) operation should be the same and carefully determined based on the required session key length. For example, the decimal precision value should be set to at least 20 to generate all 64-bit session keys. The details of our security analyses are described as follows.

Theorem 1. Our protocol withstands replay attacks.

Proof. Our protocol utilizes nonces and the generated credential C = Tkr(x) to withstand replay attacks. Assume that an adversary A resubmits a login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} previously generated by a user Ui in order to log into the targeted server Sj. Upon receiving the login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)}, the registration center RC sends the messages {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} to the adversary and {IDi, x, z, C ⊕ h(Rj, x, IDi, z)} to the server Sj. Without knowledge of the user password h(PWi), the adversary A cannot retrieve the value of Tk(x) to compute the shared credential C = Tkr(x). Therefore, the adversary A cannot retrieve the value of Ts(x) without knowing the shared credential C = Tkr(x). In the end, the adversary A cannot generate and send the correct response message {C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)} to the targeted server Sj. Hence, the adversary A cannot successfully access the server Sj.

Theorem 2. Our protocol defends against off-line password-guessing attacks.


Proof. In our protocol, only the authentic messages {h(h(PWi), IDi, SIDj) ⊕ Tr(x)} and {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} can be used to guess the user password PWi. Assume that an adversary A tries to guess the user password PWi from authentic messages generated by the user Ui using the off-line attack mechanism. The adversary A first randomly selects a password PWi and then computes and retrieves the guessed values Tr'(x) and Tk'(x) from the authentic messages h(h(PWi), IDi, SIDj) ⊕ Tr(x) and h(h(PWi), IDi, SIDj) ⊕ Tk(x). However, the adversary A cannot verify whether his or her guessed password PWi is correct, because the adversary A cannot know the correct values of Tk(x), Tr(x), and C because of CCMDHP. In addition, the generated credential C = Tkr(x) in our protocol is based on the key agreement protocol of Diffie and Hellman, and therefore the value of C cannot be successfully guessed. Therefore, the proposed protocol withstands off-line password-guessing attacks.

Theorem 3. Our protocol defends against undetectable password-guessing attacks from the server side [35].

Proof. In a multi-server environment, the security threat of undetectable password-guessing attacks is more likely to occur at the server side, as servers usually possess crucial authentication information such as user passwords. In our protocol, a generated credential C = Tkr(x) is used to prevent the adversary from knowing the user password PWi during an authentication session. Assume that an adversary A compromises a legal server Sj and the adversary A disguises itself as a legal user Ui at the same time. The malicious server Sj randomly selects a user password PWi and then computes the value of h(h(PWi), IDi, SIDj) ⊕ Tr(x). Next, the malicious server Sj sends the message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} to the registration center RC. Upon receiving the message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)}, the registration center RC retrieves Tr'(x) from the received message and then computes the following values: h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C), and C ⊕ h(Rj, x, IDi, z). Then, the registration center RC sends the messages {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} and {IDi, x, z, C ⊕ h(Rj, x, IDi, z)} to the user Ui (i.e., the adversary A) and the malicious server Sj, respectively. The adversary A retrieves the credential C = Tkr(x) from the partial message C ⊕ h(Rj, x, IDi, z). However, the adversary A cannot successfully retrieve the user password PWi from the messages h(h(PWi), IDi, SIDj) ⊕ Tr(x) and h(h(PWi), IDi, SIDj) ⊕ Tk(x) by using only this credential C, because the values of Tr(x) and Tk(x) cannot be derived from the credential C = Tkr(x) because of the Chaotic Maps Discrete Logarithm Problem. Therefore, our protocol is secure against undetectable password-guessing attacks from the server side.

Theorem 4. Our protocol is secure against server-spoofing attacks.

Proof. A server-spoofing attack means that an adversary A masquerades as a legal server Sj and successfully cheats a user Ui and the registration center RC. However, in our protocol, the adversary A cannot plot this kind of attack successfully. Without the shared secret key Rj = h(SIDj, y) between the legal server Sj and the RC, the adversary A cannot retrieve the generated credential C = Trk(x) from the partial message C ⊕ h(Rj, x, IDi, z). Hence, the user Ui will detect that the communicating server, which is the adversary A, is not a legitimate one. In consequence, the user Ui will drop the current authentication session with the adversary A. In summary, the proposed protocol withstands server-spoofing attacks.

Theorem 5. Our protocol defends against registration-center-spoofing attacks.

Proof. Assume an adversary A masquerades as the registration center RC. Because the adversary A does not have the primary secret key y and all hashed user passwords, the false registration center cannot generate the correct secret keys Rj shared among servers and the genuine RC. Therefore, the adversary A cannot perform any RC operations correctly. In consequence, a successful communication session will not be established between the RC and users or between the RC and servers. Hence, no adversary can plot a registration-center-spoofing attack successfully.

Theorem 6. Our protocol withstands impersonation attacks.

Proof. In our protocol, an adversary A must know a user Ui's correct password PWi to log into a targeted server Sj as this legal user Ui. Without knowledge of the user password PWi, it is impossible for the adversary A to generate the login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} to RC and the final response message {C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)} to the targeted server Sj. Therefore, the proposed protocol is secure against impersonation attacks.

Theorem 7. Our protocol supports perfect forward secrecy.

Proof. Perfect forward secrecy means that even if the user passwords PWi and the primary secret key y for all servers are compromised by the adversary, the session keys SK still cannot be compromised by the adversary. In the proposed protocol, the session key SK = Tsv(x) is dynamically generated from two one-time random numbers s and v in each authentication session. These two one-time random numbers, v and s, are held only by the user Ui and the server Sj, respectively. Because of CCMDHP, the adversary cannot retrieve the values of v and s from the session key SK = Tsv(x). In other words, knowledge of the user passwords PWi and the primary secret key y for all servers does not enable the session key SK to be derived. Therefore, our protocol supports the property of perfect forward secrecy.
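The six-step mutual authentication phase of Section 3, run end to end in Python as an added example (this is not the authors' code), together with the server-spoofing scenario that the proof of Theorem 4 argues. The example instantiates h(·) as SHA-256 over the '|'-joined fields and implements the ⊕ of Table I by expanding the key with SHAKE256 to the length of the masked value; it chooses x as a rational in (0, 1) so that recurrence (2) applies exactly, and keeps the nonces r, k, s and v deliberately small (NONCE_MAX) so the exact rational arithmetic stays cheap. Those choices, the identities alice and mail-server, the password, and the names run_session, xor_mask, enc and dec are this example's own assumptions. With spoof_server=True the server does not hold Rj, recovers garbage instead of C at Step 4, and is rejected by the user's check at Step 5.

```python
# Added example: one run of the Section 3 mutual authentication phase between
# user U_i, registration center RC and server S_j, plus the Theorem 4 scenario.
# h(.) is SHA-256 and XOR masks are stretched with SHAKE256: both are assumptions,
# the paper leaves h abstract.
import hashlib
import secrets
from fractions import Fraction

NONCE_MAX = 40   # small exponents keep exact arithmetic cheap; illustration only


def cheb(n: int, x) -> Fraction:
    """T_n(x) by recurrence (2), exact over the rationals."""
    x = Fraction(x)
    t_prev, t_cur = Fraction(1), x
    for _ in range(n):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_prev


def h(*parts) -> bytes:
    """One-way hash h(a, b, ...): SHA-256 over the '|'-joined field encodings."""
    raw = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(raw).digest()


def xor_mask(key: bytes, value: bytes) -> bytes:
    """'key XOR value' of Table I, with key expanded to len(value) by SHAKE256.
    Applying it twice with the same key recovers value."""
    pad = hashlib.shake_256(key).digest(len(value))
    return bytes(a ^ b for a, b in zip(value, pad))


def enc(q: Fraction) -> bytes:
    return str(q).encode()


def dec(b: bytes):
    """Inverse of enc; None when b is not a well-formed rational (wrong unmasking key)."""
    try:
        return Fraction(b.decode())
    except ValueError:
        return None


def nonce() -> int:
    return 2 + secrets.randbelow(NONCE_MAX - 1)


def run_session(spoof_server: bool = False) -> dict:
    # Registration phase (constructed sample data).
    ID_i, PW_i, SID_j = "alice", "correct horse battery", "mail-server"
    y = secrets.token_bytes(32)                 # RC's primary secret key for servers
    rc_db = {ID_i: h(PW_i)}                     # RC keeps ID_i and h(PW_i)
    R_j = h(SID_j, y)                           # handed to S_j over a secure channel
    server_key = secrets.token_bytes(32) if spoof_server else R_j   # a spoofer lacks R_j

    # Step 1: U_i -> RC: ID_i, SID_j, x, h(h(PW_i), ID_i, SID_j) xor T_r(x)
    r = nonce()
    x = Fraction(1 + secrets.randbelow(6), 7)   # rational in (0, 1) so definition (1) applies
    user_key = h(h(PW_i), ID_i, SID_j)
    m1 = (ID_i, SID_j, x, xor_mask(user_key, enc(cheb(r, x))))

    # Step 2: RC -> U_i: h(h(PW_i), ID_i, SID_j) xor T_k(x), h(ID_i, SID_j, C)
    rc_key = h(rc_db[m1[0]], m1[0], m1[1])
    T_r = dec(xor_mask(rc_key, m1[3]))
    k = nonce()
    C = cheb(k, T_r)                            # C = T_k(T_r(x)) = T_kr(x)
    m2 = (xor_mask(rc_key, enc(cheb(k, m1[2]))), h(ID_i, SID_j, C))

    # Step 3: RC -> S_j: ID_i, x, z, C xor h(R_j, x, ID_i, z)
    z = secrets.randbelow(2 ** 64)
    m3 = (ID_i, x, z, xor_mask(h(R_j, x, ID_i, z), enc(C)))

    # Step 4: S_j -> U_i: C xor T_s(x), h(ID_i, SID_j, C, T_s(x))
    C_srv = xor_mask(h(server_key, m3[1], m3[0], m3[2]), m3[3])   # server handles C as bytes
    s = nonce()
    T_s = cheb(s, m3[1])
    m4 = (xor_mask(C_srv, enc(T_s)), h(ID_i, SID_j, C_srv, T_s))

    # Step 5: U_i checks RC and S_j, then sends C xor T_v(x), h(ID_i, SID_j, C, T_s(x), T_v(x), SK)
    T_k = dec(xor_mask(user_key, m2[0]))
    C_usr = enc(cheb(r, T_k))                   # C = T_r(T_k(x)) = T_rk(x), same bytes by (3)
    T_s_usr = dec(xor_mask(C_usr, m4[0]))
    server_ok = (h(ID_i, SID_j, C_usr) == m2[1]     # credential matches what RC hashed
                 and T_s_usr is not None
                 and h(ID_i, SID_j, C_usr, T_s_usr) == m4[1])
    if not server_ok:
        return {"server_authenticated": False, "user_authenticated": False, "keys_match": False}
    v = nonce()
    T_v = cheb(v, x)
    SK_usr = cheb(v, T_s_usr)                   # SK = T_v(T_s(x)) = T_vs(x)
    m5 = (xor_mask(C_usr, enc(T_v)), h(ID_i, SID_j, C_usr, T_s_usr, T_v, SK_usr))

    # Step 6: S_j recovers T_v(x), derives SK = T_s(T_v(x)) and checks the user's hash
    T_v_srv = dec(xor_mask(C_srv, m5[0]))
    SK_srv = cheb(s, T_v_srv)
    user_ok = h(ID_i, SID_j, C_srv, T_s, T_v_srv, SK_srv) == m5[1]
    return {"server_authenticated": True, "user_authenticated": user_ok,
            "keys_match": SK_usr == SK_srv}


if __name__ == "__main__":
    print("honest run:", run_session())
    print("server without R_j:", run_session(spoof_server=True))
```

In the honest run both sides obtain the same SK because T_v(T_s(x)) = T_s(T_v(x)) by property (3). The user's comparison of h(IDi, SIDj, C) against the value received in Step 2 is an extra check this example adds; the paper transmits that hash but does not state how the user consumes it.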


Table II. Comparison on performance efficiency. Each cell gives the operation count and, in parentheses, its equivalent in units of Th (using Tc ≈ 175Th, TS ≈ 2.5Th, Te ≈ 500Th from Section 5).

      Lee et al. [31]               Yeh and Lo [32]               Tsai et al. [33]              Ours
E1    2Te + 5TS + Th   (1013.5Th)   2Te + 5TS + 4Th  (1016.5Th)   3Te + 4TS + 2Th  (1512Th)     4Tc + 4Th   (704Th)
E2    2Te + 5TS + 2Th  (1014.5Th)   2Te + 5TS + 2Th  (1014.5Th)   2Te + 2TS + 3Th  (1008Th)     2Tc + 3Th   (353Th)
E3    2Te + 5TS + 2Th  (1014.5Th)   2Te + 2TS + Th   (1006Th)     4Te + 4TS + Th   (2011Th)     2Tc + 3Th   (353Th)
E4    6Te + 15TS + 5Th (3042.5Th)   6Te + 12TS + 7Th (3037Th)     9Te + 10TS + 6Th (4531Th)     8Tc + 10Th  (1410Th)

E1: the user computation cost in the mutual authentication phase; E2: the server computation cost in the mutual authentication phase; E3: the registration center computation cost in the mutual authentication phase; E4: the total computation cost in the mutual authentication phase.

Table III. Comparison on security features.

      Lee et al. [29]   Yeh and Lo [30]   Tsai et al. [31]   Ours
S1    DLP               DLP               DLP                CMDLP
S2    Yes               Yes               Yes                Yes
S3    Yes               No                Yes                Yes
S4    No                No                Yes                Yes
S5    No                Yes               Yes                Yes
S6    Yes               Yes               Yes                Yes
S7    No                Yes               Yes                Yes
S8    Yes               Yes               Yes                Yes
S9    No                No                No                 No

S1: security strength; S2: resistance to replay attack; S3: resistance to off-line password-guessing attack; S4: resistance to undetectable password-guessing attack; S5: resistance to server-spoofing attack; S6: resistance to registration center spoofing attack; S7: resistance to impersonation attack; S8: support of perfect forward secrecy; S9: implementation requirement for using a verification table or verification database.
CMDLP, Chaotic Maps Discrete Logarithm Problem.

5. COMPARISONS

In this section, we evaluate the computation cost of our protocol and then compare our protocol with existing protocols in terms of performance efficiency and security features. Because our protocol is the first authenticated key agreement protocol using chaotic maps for multi-server environments, we compare our protocol with other protocols based on different cryptosystems. Let Tm be the time to perform a modular multiplication computation, Te be the time to perform a modular exponentiation computation, Tc be the time to perform a Chebyshev polynomial operation, Th be the time to perform a one-way hash function operation, and TS be the time to perform a symmetric encryption/decryption operation. The time to perform a modular addition operation and the time for an exclusive OR operation are both ignored during our time consumption evaluation for the proposed protocol, because both operations are very fast and their time consumption is negligible in comparison with the other operations. The computation cost of our protocol is evaluated as follows. In the mutual authentication phase, a user needs to spend 4Tc + 4Th computation time, the server needs to spend 2Tc + 3Th computation time, and the registration center needs to spend 2Tc + 3Th computation time. Next, we conduct the comparisons on performance efficiency and security features among our protocol and other existing protocols as shown in Tables II and III.

According to the authors of [19,23,36-39], we can derive that the time spent computing a Chebyshev polynomial operation Tc is approximately equivalent to executing a symmetric encryption/decryption operation TS 70 times. The time spent computing a symmetric encryption/decryption operation TS is approximately equivalent to executing a one-way hash function Th 2.5 times, while the time spent computing a modular exponentiation operation Te is approximately equivalent to executing a one-way hash function Th 500 times. Therefore, by using the time consumed by a one-way hash function operation Th as the unit, we obtain the following time consumption estimations: Tc ≈ 70TS ≈ 175Th, TS ≈ 2.5Th, and Te ≈ 500Th. From Table II, one can observe that our protocol performs better than the other existing protocols in terms of computation cost. In addition, one can observe that only our protocol and the protocol of Tsai et al. [33] support all of the security features shown in Table III. The other two password-based multi-server authentication protocols are vulnerable to several security threats. In summary, our proposed protocol is secure and efficient.

6. CONCLUSIONS

This paper proposes a new authenticated key agreement protocol based on chaotic maps for multi-server environments. By adopting our protocol, a user can log in and access multiple servers with only one memorable password if this user has registered with the registration center in advance. After mutual authentication with each other, a user and the targeted server cooperatively determine a session key to encrypt and decrypt all the subsequent messages transmitted between the user and the server. Security analyses are conducted to show that our protocol is able to defend against well-known security threats such as password-guessing attack, replay attack, and impersonation attack. In addition, the proposed protocol has better performance than existing protocols for multi-server environments in terms of computation cost.


ACKNOWLEDGEMENTS

The authors would like to thank the anonymous reviewers who provided helpful suggestions for greatly improving the presentation of the paper. Part of the work in the paper is supported by the National Science Council, ROC, under the grant number MOST 103-2221-E-011-091-MY2.

REFERENCES

1. Baptista MS. Cryptography with chaos. Physics Letters A 1998; 240(1-2):50-54.
2. Kocarev L. Chaos-based cryptography: a brief overview. IEEE Circuits and Systems Magazine 2001; 1(3):6-21.
3. Borujeni SE, Eshghi M. Chaotic image encryption system using phase-magnitude transformation and pixel substitution. Telecommunication Systems 2013; 52(2):525-537.
4. Wang X, Guo W, Zhang W, Khan MK, Alghathbar K. Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network. Telecommunication Systems 2013; 52(2):515-524.
5. Xiao D, Liao X, Deng S. A novel key agreement protocol based on chaotic maps. Information Sciences 2007; 177:1136-1142.
6. Han S. Security of a key agreement protocol based on chaotic maps. Chaos, Solitons & Fractals 38:764-768.
7. Xiao D, Liao X, Deng S. Using time-stamp to improve the security of a chaotic maps-based key agreement protocol. Information Sciences 2008; 178:1598-1602.
8. Yoon EJ, Yoo KY. A new key agreement protocol based on chaotic maps. Agent and Multi-Agent Systems: Technologies and Applications 2008; 4953:897-906.
9. Han S, Chang E. Chaotic map based key agreement with/out clock synchronization. Chaos, Solitons & Fractals 2009; 39:1283-1289.
10. Xiang T, Wong K, Liao X. On the security of a novel key agreement protocol based on chaotic maps. Chaos, Solitons & Fractals 2009; 40(2):672-675.
11. Guo X, Zhang J. Secure group key agreement protocol based on chaotic hash. Information Sciences 2010; 180:4069-4074.
12. Gong P, Li P, Shi WB. A secure chaotic maps-based key agreement protocol without using smart cards. Nonlinear Dynamics 2012; 70(4):2401-2406.
13. Tseng H, Jan R, Yang W. A chaotic maps-based key agreement protocol that preserves user anonymity. IEEE International Conference on Communications (ICC'09), 2009; pp. 1-6.
14. Wang X, Zhao J. An improved key agreement protocol based on chaos. Communications in Nonlinear Science and Numerical Simulation 2010; 15(12):4052-4057.
15. Niu Y, Wang X. An anonymous key agreement protocol based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation 2011; 16(4):1986-1992.
16. Yoon EJ, Jeon IIS. An efficient and secure Diffie-Hellman key agreement protocol based on Chebyshev chaotic map. Communications in Nonlinear Science and Numerical Simulation 2011; 16:2383-2389.
17. Lee CC, Chen CL, Wu CY, Huang SY. An extended chaotic maps-based key agreement protocol with user anonymity. Nonlinear Dynamics 2012; 69(1-2):79-87.
18. He D, Chen Y, Chen JH. Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dynamics 2012; 69(3):1149-1157.
19. Xue K, Hong P. Security improvement on an anonymous key agreement protocol based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation 2012; 17(7):2969-2977.
20. Yoon EJ. Efficiency and security problems of anonymous key agreement protocol based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation 2012; 17(7):2735-2740.
21. Guo C, Chang CC. Chaotic maps-based password-authenticated key agreement using smart cards. Communications in Nonlinear Science and Numerical Simulation 2013; 18(6):1433-1440.
22. Khan MK, Kumari S. An authentication scheme for secure access to healthcare services. Journal of Medical Systems 2012; 37(4):1-12.
23. Khan MK, Kumari S. Cryptanalysis and improvement of "An Efficient and Secure Dynamic ID-based Authentication Scheme for Telecare Medical Information Systems". Security and Communication Networks, article first published online, 10 JUN 2013. DOI: 10.1002/sec.791
24. Tsai JL, Lo NW, Wu TC. Novel anonymous authentication scheme using smart cards. IEEE Transactions on Industrial Informatics, article first published online, 30 NOV 2012. DOI: 10.1109/TII.2012.2230639
25. Li LH, Lin IC, Hwang MS. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Transactions on Neural Networks 2001; 12(6):1498-1504.
26. Chang CC, Lee JS. An efficient and secure multi-server password authentication scheme using smart card. Proc. of the International Conference on Cyberworlds, 2004; pp. 417-422.
27. Juang WS. Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics 2004; 50(1):251-255.
28. Tsai JL. Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security 2008; 27(3-4):115-121.
29. Khan MK, He D. A new dynamic identity-based authentication protocol for multi-server environment using elliptic curve cryptography. Security and Communication Networks 2012; 5(11):1260-1266.
30. Yoon EJ, Yoo KY. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of Supercomputing 2013; 63(1):235-255.
31. Lee JS, Chang YF, Chang CC. A novel authentication protocol for multi-server architecture without smart cards. International Journal of Innovative Computing, Information and Control 2008; 4(6):1357-1364.
32. Yeh KH, Lo NW. A novel remote user authentication scheme for multi-server environment without using smart cards. International Journal of Innovative Computing, Information and Control 2010; 6(8):3467-3478.
33. Tsai JL, Lo NW, Wu TC. A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications, Online First 2012. doi:10.1007/s11277-012-0918-6.
34. Pisarchik AN, Zanin M. Chaotic map cryptography and security. Horizons in Computer Science Research 2012; 4:301-332.
35. Ding Y, Horster P. Undetectable on-line password guessing attacks. ACM Operating Systems Review 1995; 29(4):77-86.
36. Menezes A, Van Oorschot PC, Vanstone S. Handbook of Applied Cryptography. CRC Press: Boca Raton, 1997.
37. Cheng TF, Lee JS, Chang CC. Security enhancement of an IC-card-based remote login mechanism. Computer Networks 2007; 51:2280-2287.
38. Tsai JL. Convertible multi-authenticated encryption scheme with one-way hash function. Computer Communications 2009; 32(5):783-786.
39. Fan CI, Sun WZ, Huang VSM. Provably secure randomized blind signature scheme based on bilinear pairing. Computers & Mathematics with Applications 2010; 60:285-293.
