Journal of Medical Systems (2018) 42:250

https://doi.org/10.1007/s10916-018-1099-y

MOBILE & WIRELESS HEALTH

Privacy Protection for Point-of-Care Using Chaotic Maps-Based

Authentication and Key Agreement
Liping Zhang 1 & He Luo 1 & Lanchao Zhao 1 & Yixin Zhang 1

Received: 2 July 2018 / Accepted: 9 October 2018

# Springer Science+Business Media, LLC, part of Springer Nature 2018

Abstract
Recently, remote points-of-care as a novel medical model has emerged and received considerable attention due to its convenient
medical services such as efficient real-time monitoring and prompt information feedback. Although the points-of-care has more
attractive advantages compared with traditional health care systems, some important issues still require a serious consideration
such as privacy protection and the security of the transmitted biomedical signals. In this study, we propose a novel authentication
and key agreement mechanism that ensures privacy preservation and provides biomedical signals protection during the commu-
nication process by negotiating a shared key to encrypt/decrypt sensitive information. Chaotic maps are employed in our design
to achieve mutual authentication and key agreement for resource-constrained points-of-care, which also increases the efficiency
in comparison with those schemes designed by Elliptic Curve Cryptography or RSA. Furthermore, dynamic identities are
adopted in the proposed scheme to achieve user anonymity and user untraceability for the high-privacy-required points-of-care.
The security of the proposed scheme is proven via Real-or-Random model. The performance analysis shows that the proposed
scheme reduces computational overhead in comparison with the state-of-the-art schemes.

Keywords Privacy protection . Point-of-care . Chaotic maps . Authentication . Key agreement

Introduction terminal users such as caregivers and physicians. Through the

Recently, the points-of-care (PoC) as a new medical model
has received a lot of attention for its convenient medical ser-
vices. Compared with traditional healthcare models, the PoC
has many advantages such as supporting a comfortable inde-
pendent living for elderly people, offering better flexibility in
personal healthcare and maximizing healthcare resources uti-
lization with fewer expenses and time [1]. Basically, applica-
tions of the PoC are developed on a series of interconnected
entities including a set of medical sensors and a smart home
gateway. Medical sensors are planted in, on, or around pa-
tients’ body to collect physical data including heart rate, blood
sugar value etc. Then these data are gathered to the smart
home gateway through wireless links and delivered to remote
This article is part of the Topical Collection on Mobile & Wireless Health
* Lanchao Zhao
healthcare applications of the PoC, remote healthcare moni-
toring in real-time is capable of providing many high-quality
services such as emergency response and continuous treat-
ment. Moreover, a PoC may offer a new approach towards
the diagnosis of rare illness based on patient’s health digits.
Due to its great potential, the PoC has attracted considerable
attention and some applications have come out of lab entering
market.
Since medical data is very sensitive, privacy protection
becomes a critical issue in the PoC. To preserve patients’
privacy on wireless channels, medical data should be well
protected in case of suffering malicious attacks [2]. Thus, a
well-designed authentication and key agreement scheme is
essential for the PoC which has high-security requirements
such as perfect forward secrecy, user anonymity and user
untraceability [3–6].
Several authenticated key agreement schemes [7–21] for
the resource-constrained healthcare applications environment

[email protected]

have recently been successively proposed. In order to protect
patients’ medical data, Elliptic Curve Cryptography (ECC)
1
was adopted in Lee et al.’s encryption scheme for healthcare
School of Computer Science, China University of Geosciences,
Wuhan 430074, China
systems [7], while the scalar multiplication operations of an
 250 Page 2 of 13
elliptic curve may consume large system resources. RSA
cryptosystem was employed by Hou et al. to construct an
authentication scheme for the Internet of Things (IoT) based
healthcare systems [8]. However, their scheme cannot achieve
user anonymity and the computational overhead is still high.
To enhance the performance, chaotic maps was introduced by
Li et al. to realize mutual authentication and key negotiation in
e-healthcare environments [9]. Although their scheme is more
efficient than RSA-based authentication schemes, it cannot
achieve perfect forward secrecy and suffers from off-line pass-
word guessing attacks. Afterward, Yeh presented an IoT-based
healthcare system using the keyed-hash message authentica-
tion code and ECC [10]. But, his scheme is vulnerable to
malicious multiple login requests and fails to provide user
anonymity. As the public-key cryptography-based schemes
mentioned above are involved in high computational over-
head and have some security weaknesses, these schemes are
not suitable for the resource-constrained PoC.
To reduce the computational costs and meet the low energy
requirements in PoC environments, He et al. presented a light-
weight authentication scheme using symmetric algorithms
and hash functions [11]. Since only lightweight operations
are required in the authentication process, their scheme re-
duces the computational costs significantly in comparison
with public-key cryptography-based authentication schemes.
However, their scheme cannot achieve user anonymity and
perfect forward secrecy. Gope et al. proposed an IoT-based
modern healthcare system only using one-way hash functions
to achieve low energy consumptions [12]. But their scheme
doesn’t provide key negotiation and session key security. In
order to enhance the security with low computational costs,
Chang et al. [13] employed dynamic identities to realize au-
thentication and key agreement with user anonymity. But,
perfect forward secrecy cannot be guaranteed in their scheme
[13]. Although the above schemes achieve good performance
by only using hash functions or symmetric encryption/
decryption algorithms, security pitfalls occur more frequently
without the protection of asymmetric cryptosystems.
In order to provide privacy protection with high efficiency,
chaotic maps as a lightweight public key technique are
employed in designing an authentication scheme for healthcare
application environments. Since the Chebyshev polynomial
computation is more efficient than the modular exponential
computation operation and the elliptic curve point multiplica-
tion operation, chaotic maps-based authentication schemes en-
hance the performance efficiently [14–17]. In 2012, Lai et al.
proposed an anonymous authentication scheme using enhanced
Chebyshev polynomials based on its semigroup property [18].
However, Zhao et al. demonstrated that Lai et al.’s scheme [18]
was suffered from privileged insider attacks and off-line pass-
word-guessing attacks [19]. Although an improvement is pro-
posed by Lai et al., their scheme and Zhao et al.’s scheme are
both vulnerable to attacks on smart cards. Very recently,
J Med Syst (2018) 42:250
Kumari et al. presented an authenticated key agreement scheme
for healthcare sensor systems using chaotic maps [20]. Their
scheme achieves mutual authentication and user anonymity
with low computational complexity. But, Kumari et al.’s
scheme [20] cannot resist known session specific temporary
information attacks and doesn’t take user untraceability into
consideration. For realizing user untraceability, Lee proposed
a temporal credential-based authenticated key agreement
scheme using extended chaotic maps [16]. Lee’s scheme en-
hances the efficiency and realizes user untraceability, but it
cannot withstand known session specific temporary informa-
tion attacks and denial-of-service (DoS) attacks.
Despite the fact that chaotic maps-based authentication
schemes enhance the performance efficiently, various security
flaws occur in the existing schemes. How to design a light-
weight authentication scheme with user privacy protection by
using chaotic maps is still a challenging task. In this paper, we
employ chaotic maps technology to construct a lightweight
privacy-preserving authentication scheme for a resource-
constrained PoC. To enhance the security, the Chebyshev cha-
otic map as a lightweight public key method is introduced in
our design. Based on the extended chaotic map-based discrete
logarithm problem and the extended chaotic map-based Diffie–
Hellman problem, we construct a secure authentication and key
agreement scheme with user anonymity and user untraceability.
Furthermore, we have proved that our scheme is semantically
secure under the Real-or-Radom Model. Security analysis dem-
onstrates that the proposed scheme can resist various attacks
and provides user privacy protection. On the other hand, the
usage of chaotic maps increases the efficiency of our proposed
scheme. The experimental results show that our authentication
scheme reduces the computational cost efficiently in compari-
son with other related schemes.
The rest of this paper is organized as follows:
Section BPreliminaries^ reviews some preliminaries. In
Section BThe proposed scheme^, the proposed scheme is de-
scribed in detail. The security of the proposed scheme is discussed
in Section BSecurity analysis^. In Section BPerformance
analysis^, the performance of the proposed scheme is analyzed
in contrast to existing schemes. And the paper is concluded in
Section BConclusions^.
Preliminaries
In this section, we review the basic concepts of Chebyshev
chaotic maps and the network model of PoC briefly.
Chebyshev chaotic maps
Chebyshev polynomial Tn (x): (−∞,+∞) → [−1, +1] defined as
Tn (x) = (2xTn − 1(x) − Tn − 2(x)) mod p, where x∈(−∞,+∞), n is
an integer, n ≥ 2, T0 (x) = 1, T1 (x) = x, and p is a large prime
J Med Syst (2018) 42:250
number. The Chebyshev polynomial satisfies the semigroup
property: Tuv (x) = Tv (Tu (x)) = Tu (Tv (x)), where u, v ∈ N and x
∈ (−∞ + ∞). For more details, please refer to [21, 22].
Property 1 (Semi-group property) For u, v ∈ N,Tu(Tv(x)) =
Tuv(x) = Tv(Tu(x))(mod N).
Property 2 (Chaotic map) When n > 1, Chebyshev polyno-
mial map Tn(x): [−1, 1] → [−1, 1] of degree n is a chaotic map
with its invariant density f ∗(x) = 1/(π(1 − x2)1/2), for positive
Lyapunov exponent ln n.
Property 3 (The minimal period of Chebyshev polynomial
sequence) Period of Chebyshev polynomial sequence
(Tn(x)mod N)n ≥ 0 (n = 0, 1, 2,. ..) is d, if Tn + d(x) = Tn(x)mod
N. The minimal period of Chebyshev polynomial sequence
dmin is a factor of its ordinary period d.
Definition 1 Extended Chaotic Map-based Discrete Logarithm
Problem (CMDLP): Given y and x, it is computationally in-
feasible to find an integer k such that Tk (x) = y within proba-
bilistic polynomial time. The probability of the adversary A
being able to solve the CMDLP is defined as Pr[A(x, y) = k: k ∈
Zn*, y = Tk(x) mod n).
Definition 2 Extended Chaotic Map-based Diffie–Hellman
Problem (CMDHP): Given x, Tu(x), Tv(x), it is computation-
ally infeasible to compute Tuv (x) = y within probabilistic poly-
nomial time. The probability of the adversary A being able to
solve the CMDHP is defined as Pr[A(x, Tu(x), Tv(x)) = Tuv (x)
mod n: u, v ∈ Zn*].
Network model
There are three parties in the PoC network, namely the user, the
trusted server and the medical server. The user could be doctors,
patient’s relatives or the patient herself/himself with a smart
terminal. The patient is equipped with many small biometrical
sensors that are deployed around, wore on or implanted in her/
his body to monitor some vital biomedical signals such as ECG,
EEG, and PPG. Then these data are transmitted through the
patient’s smart terminal to the medical server. After receiving
and processing the biomedical data, the doctor and the patient’s
relative are able to achieve her/his current health state and his-
torical healthcare records from the medical server. Since the
messages are transmitted in open channel, the PoC is more
vulnerable to various attacks, let alone the sensitivity of the
biomedical data. Therefore, the establishment of the session
key between the user and the medical server is essential to
protect the communication and the sensitive data.
The trusted server is of vital importance to ensure that the
authentication process takes place between multiple users and
multiple medical servers. As illustrated in Fig. 1, patients can
choose to visit more than one hospital remotely and get a com-
prehensive diagnosis. In order to provide the mutual authentica-
tion and key agreement between a user and any medical server, a
Page 3 of 13 250
trusted server is needed for securing the key negotiation process,
storing major authenticators and providing an accurate verifica-
tion. After the authentication through the trusted server, a shared
session key will be generated and issued to the user and the
medical server. Finally, the user and the targeted medical server
can realize secure communication by encrypting the transmitted
messages using the shared session key.
The proposed scheme
In this section, the proposed scheme is depicted in detail by the
following four phases: the initialization phase, the user registra-
tion phase, the login phase, the authentication and key agree-
ment phase. There are three participants in our proposed
scheme for the PoC, i.e. the user Ui, the trusted server TS and
the medical server MS. To clarify the proposed scheme, nota-
tions and their denotations are summarized in Table 1.
Initialization phase
In this phase, the trusted server TS calculates and publishes the
related parameters of Chebyshev polynomials {x, Tk(x), p, T(·
)}. And then the trusted server TS performs the following steps
with the medical server MS through a secure communication
channel as shown in Fig. 2.
(1) The trusted server TS assigns a diverse identity for each
medical server MS, say MSj for the j-th medical server.
Then each MS randomly selects a unique number r as its
secret key and computes MSr = Tr(x) mod p. After that,
the medical server sends the message {MSj, MSr} to the
trusted server TS.
(2) When the trusted server TS receives the transmitted mes-
sage {MSj, MSr}, it computes a temporal credential
TIDj = h(MSj||k) for the j-th medical server MSj. And then
the trusted server TS computes St = Tk(MSr) mod p and
sends {TIDj, St} to each medical server.
(3) After each medical server receives the message {TIDj,
St}, the medical server MSj stores the received message
in its memory. Meanwhile, the trusted server TS stores
the pair of identity MSj and MSr for each medical server
in its database.
User registration phase
When a user Ui wants to obtain the related information from
the medical server, she/he needs to be authorized by trusted
server TS by finishing the corresponding registration process.
Fig. 3 describes the detailed steps about registration.
 250 Page 4 of 13 J Med Syst (2018) 42:250

Doctor

Medical server possessed

by a hospital

Patient
Trusted server

Examples of secure communitation

using a shared session key Medical server possessed
Relatives by a community clinic
Establishing the session key via the
trusted server

Fig. 1 The network model of the proposed scheme

(1) A user Ui chooses her/his identity IDi, the password pwi
and then computes TPWi = Tpwi(x) mod p using the pub-
lic algorithm T(·). Afterward, she/he sends {IDi, TPWi}
to the trusted server TS through a secure channel.
(2) When the trusted server TS receives the message {IDi,
TPWi}, it firstly computes I0 = Tk(TPWi) mod p and
KPWi = ID i ⊕ I 0 using its long-term private key k.
Then, the trusted server TS chooses a random number
m and computes D1 = h(k||m), I1 = h(IDi||m), I2 = IDi ⊕
D1, I3 = Tk(I2) mod p. Finally, it stores {I0, I1, I3} in its
database and issues a smart card contained {KPWi, I1, h(·
)} to the corresponding user Ui.
(3) After the user Ui receives the issued smart card, she/he
keeps it secret and makes a preparation for the login
phase.
using the inputted identity and password. In the follow-
ing steps, the smart card SC chooses the current
timestamp T1 and computes Qi = Pi ⊕ h(T1) and I4 =
IDi ⊕ I’0 ⊕ h(T1). And then the user Ui selects a medical
server MSj that she/he wants to access and inputs the
identity MSj into the smart card. After that, the smart card
SC computes SIDj = MSj ⊕ h(IDi||T1) as the temporal
identity of MSj. Next, the user Ui chooses a random in-
teger a and computes I5 = Ta(h(IDi||Pi)||MSj) mod p and
Ia = I5 ⊕ I0. Finally, the user Ui sends the message {SIDj,
Qi, I1, I4, Ia, T1} to the trusted server TS via a public
channel.

Table 1 Notations and terminology

IDi The identity of the i-th user Ui

Login phase MSj The identity of the j-th medical server MS
pwi The password of the i-th user Ui
In order to enter into PoC and access the related information, a k The private key of the trusted server TS
registered user needs to make a login request. The login pro- r The secret key of medical server MS
cess is depicted in Fig. 4: p A large prime number
a, b, m, n Four high-entropy random integers
(1) A user Ui inserts her/his smart card into a card reader and T1~T6 The current timestamp
inputs the corresponding identity IDi and password pwi. h(·) A secure one-way hash function
Then, the smart card SC computes I0 = KPWi ⊕ IDi and ⊕ The exclusive-or operation
I0’ = Tpwi(Tk(x)) mod p using the public parameter Tk(x) || The concatenation operation
and algorithm T(·) and checks whether I0’ is equal to I0. If Tu(x) Chebyshev chaotic maps operation using the secret key u
successful, the smart card SC computes Pi = h(IDi||pwi)
J Med Syst (2018) 42:250
Fig. 2 Initialization phase of the
proposed scheme
Authentication and key agreement phase
After receiving a login request from a user, the trusted server
TS needs to transmit the related message to a medical server to
negotiate a shared session key, which is used for protecting the
following communications between the user and the corre-
sponding medical server. The following steps describe the
authentication and key agreement process shown in Fig. 5.
(1) When the trusted server TS receives the login request
{SIDj, Qi, I1, I4, Ia, T1}, it checks whether (T2-T1) ≤ ΔT
is legal, where T2 is the current timestamp. If valid, the
trusted server TS computes Pi’ = Qi ⊕ h(T1) and extracts
I0 from its database {I0, I1, I3} according to the received
I1. Then the trusted server TS computes IDi’ = I4 ⊕ I0 ⊕
h(T1), I5’ = Ia ⊕ I0, D1 = h(k||m) and I2’ = IDi’ ⊕ D1 by
using the matching random number m, which is stored
in the TS’s database in advance. Meanwhile, it examines
whether I3’ = Tk(I2’) mod p is equal to the I3 stored in its
database. If I3’ = I3, the trusted server TS considers the
user is legal and then computes MSj = SIDj ⊕ h(IDi’||T1)
to obtain the identity of the medical server. Next, the
trusted server TS uses the obtained identity MSj to extract
MSr from its database and computes TIDj = h(MSj||k),
Sg = Tk(MSr) mod p, I6 = TIDj ⊕ I5’ and I7 = I5’ ⊕ Pi’.
After that, the trusted server TS generates the current
timestamp T3 and calculates I8 = Pi’ ⊕ IDi’ ⊕ h(T3) and
I9 = h(Sg||h(MSj)||T3). And then, the trusted server TS
chooses a random integer n and replaces I 1 with
Fig. 3 Registration phase of the
proposed scheme
Page 5 of 13 250
I1new = h(IDi’||n). Finally, it computes I1new’ = h(IDi’) ⊕
I1new and sends the authentication message {I6, I7, I8, I9,
I1new’, T3} to the medical server MSj through a public
channel.
(2) After receiving the message {I6, I7, I8, I9, I1new’, T3}, the
medical server MSj firstly verifies whether the difference
between the current timestamp and T3 is beyond the time
threshold value ΔT. If the difference is within the thresh-
old value, the medical server MSj computes Sg′ =
Tr(Tk(x)) by using its secret key r and public parameter
Tk(x). And then it checks whether the computed I9’ =
h(Sg′||h(MSj)||T3) is equal to I9. If they are equal, the cor-
responding medical server MSj extracts TIDj according
to Sg′ and then computes I5^ = I6 ⊕ TIDj’, Pi^ = I7 ⊕ I5^
and IDi^ = I8 ⊕ Pi^ ⊕ h(T3). In the following procedure,
the medical server MSj chooses a random integer b and
calculates I10 = Tb(h(IDi^||Pi^)||MSj) mod p and Ib =
I10 ⊕ h(IDi^||MSj). Afterwards, the corresponding medi-
cal server MSj computes the session key SK = Tb(I5^) =
Tab(h(IDi^||Pi^)||MSj) mod p and the authentication mes-
sage I11 = h(SK||h(IDi^)||T5). Eventually, the medical
server MSj sends the message {Ib, I11, T5, I1new’} to the
user Ui in an open network environment.
(3) When receiving the message {Ib, I11, T5, I1new’}, the user
Ui checks the validity of T5. If illegal, the user Ui termi-
nates the session. Otherwise, the user Ui computes I10’ =
Ib ⊕ h(IDi||MSj) and the session key SK = Ta(I10’) =
Tab(h(IDi||h(IDi||pwi)||MSj) mod p. and then it verifies
whether I11’ = h(SK||h(IDi)||T5) is equal to I11. If not
 250 Page 6 of 13
Fig. 4 Login phase of the
proposed scheme
equal, Ui ends the session immediately. Otherwise, the
trusted server TS and medical server MS are authenticat-
ed and the session key SK will be used for the following
communication between a user Ui and a corresponding
medical server MS. In the end, the smart card SC replaces
I1 with I1new by computing I1new = I1new’ ⊕ h(IDi).
Security analysis
In this section, we proved our proposed scheme can meet the
security requirements of semantic security (i.e. Authentication
Key Exchange Security, AKE security) and mutual authenti-
cation under Real-or-Random model. Moreover, we show that
the proposed scheme can withstand various well-known and
meet a series of security demands.
Security model
The security model of authentication key exchange protocol
was first described by Bellare et al. [23], which includes the
usage of the Random Oracle model in formal analysis. Our
security model is based on one of its extended version called
Real-or-Random model [24] which has a provably stronger
definition towards semantic security. The main difference be-
tween it and the Random Oracle model lies in the queries pro-
vided for the adversaries. In Real-or-Random model, the adver-
saries are not allowed to ask a Corrupt query; instead, they can
ask many Test queries until they get a satisfying result. The
related definitions used in our proof are described as follows.
Participants There are three types of participants in the pro-
posed scheme: the users, the medical servers and the trusted
server. Let U and MS be the set of users and the medical
servers respectively. The notation ui represents the instance i
of a participant in U; and msj denotes the instance j of a par-
ticipant in MS. The notation TS denotes the trusted server
J Med Syst (2018) 42:250
since there’s only one trusted server in the scheme. The set
P contains all the participants, which is a union of U, MS and
TS. Any instance p in set P is an oracle.
Adversary In this security model, the adversary A is a simula-
tion of malicious adversaries in the real world who run in
polynomial time. The ability of the adversary A is defined
by the following queries.
Execute(u i , TS, ms j ) This query mainly models the
eavesdropping attacks. When the query Execute(ui, TS, msj)
is made, the adversary A will receive the transcript of the
transmitted messages among ui, TS, and msj.
Send(P, M) This query mainly models various active attacks.
When an adversary askes the Send query, he firstly sends a
message m to a participant instance p. Then, the instance p
generates the corresponding reply message and returns it to
the adversary according to our proposed scheme.
Corrupt(ui, pwi) When an adversary makes this query, ui’s
current password pwi is returned to the adversary. Therefore,
this query models the possibility of breaking the perfect for-
ward secrecy and ui’s freshness.
Test(ui/msj) This query models the attack on session key se-
curity. When an adversary sends this query to an instance, it
returns the session key or a random string to the adversary
based on the value of an unbiased coin c. The coin c is flipped
at the beginning of the Test(ui/msj) query. The instance returns
the invalid symbol ⊥ if no session key is defined. Otherwise, it
returns the session key if the hidden value c = 1 or returns a
random string if c = 0. If the adversary askes many Test
queries, the outputs should depend on the same value of c
and the random string should be consistent.
Hash(x, H(x)) This query is modeled by a random oracle, which
mainly conducts a matching and comparison of the input value
x. If x exists in the hash query list, the corresponding output
J Med Syst (2018) 42:250
Fig. 5 Authentication and key
agreement phase of the proposed
scheme
value h(x) is returned when queried. If not, a random string r is
returned and the tuple <x, r > is added to the hash query list.
Note that both of the participants and the adversary use the
same random oracle to simulate the hash function.
Security definitions
AKE security
AKE security [23, 24] mainly focuses on the session key se-
curity which means an adversary A cannot correctly distin-
guish the encrypted messages from a query oracle. In the
execution of the scheme, the adversary interacts with two
fresh oracles ui and msj, which means ui and msj have never
Page 7 of 13 250
been corrupted. The adversary A sends a series of queries to
these two fresh oracles and each oracle returns the correspond-
ing reply message to the adversary according to the queries
defined in our security model. In the end of each game, the
adversary A askes a Test query and provides a guessing the
value c’. If c’ equals to the hidden value c, the adversary wins
the game. Otherwise, the proposed scheme succeeds in pro-
viding AKE security. The advantage that an adversary correct-
ly guesses the hidden value c is denoted as Advake(A), and the
definition is as below:
Advake ðAÞ ¼ 2jPr½E −1=2j
where E denotes the event that an adversary wins the game.
 250 Page 8 of 13
The scheme is a secure authenticated key exchange scheme if
Advake(A) is negligible [13].
Mutual authentication
Mutual authentication [23, 24] requires all communication
entities are authenticated with each other in the same scheme.
If an adversary A correctly forges the authenticators I0, I3, I9
and I11, the proposed scheme fails to provide mutual authen-
tication. The probability that an adversary successfully fakes
those authenticator is denoted as Advma(A). If Advma(A) is
negligible, the proposed scheme provides mutual authentica-
tion [13].
The Difference Lemma [25] is used in our series of games,
and the definition is denoted as below:
Lemma 1 (Difference Lemma) Let M, N and Q be events
defined in some possible probability distribution and suppose
that . In general, the event Q is neg-
ligible. And then the Difference Lemma is described:
jPr½M −Pr½N j ≤ Pr½Q
Security proof
Session key security
Theorem 1 Based on the above definitions, we claim that the
advantage that an adversary violates the AKE security of the
proposed scheme is described as follows:


Advake ≤ qh 2 =2l−2 þ 4  AdvDLP þ 2  AdvDDH
where qh denotes the upper number of hash query list and l is a
secure parameter, AdvDLP denotes the advantage that an ad-
versary breaks the extended chaotic map-based discrete loga-
rithm problem and AdvDDH denotes the advantage that an
adversary solves the extended chaotic map-based Diffie-
Hellman problem.
Proof The security proof of the proposed scheme adopts the
method of the jurisdiction proof. The proof consists of a se-
quence of games Gi, which starts at the real attack environ-
ment (G0) and ends in the situation where the adversary has no
advantage (G3). In each game Gi, we define Ei as the event that
an adversary wins the game Gi, and then gradually allow the
adversary to ask more queries to increase the advantage of
winning this game. Let Adlp denotes the advantage that an
adversary breaks the extended chaotic map-based discrete log-
arithm problem of the public-key cryptosystem within proba-
bilistic polynomial time, Addh denotes the advantage that a
DDH attacker solves the DDH complexity problem within
J Med Syst (2018) 42:250
probabilistic polynomial time, and the adversary Aake is de-
signed to break the session key security. Then, the adversary
obtains many related or trashy messages by accessing the
queries (Execute query, Send query, Test query and Hash que-
ry) and then she/he will attempt to distinguish the session key
from various random strings. Before the start of the game,
each query sets up the related parameters and forms the cor-
responding syntax rules to determine what should be returned
to the adversary. At the end of the game, the adversary Aake
strives to guess the secret bit c’. If c’ is equal to the hidden
value c, the adversary Aake wins the game.
Game G0: This game is executed to simulate the real attack
environment. All instances and related parameters are simu-
lated. By the above definition, we get:
Advake ðAake Þ ¼ 2jPr½E0 −1=2j ð1Þ
Game G1 This game is simulated like the Game G0 except for
using a hash query to construct a session key between ui and
msj. Game G1 and Game G0 are indistinguishable except the
collisions of Hash query list in game G1. Therefore, due to the
birthday paradox and the Lemma 1, we have:


jPr½E 1 −Pr½E 0 j≤ 2  qh 2 =2l ð2Þ
Game G2 When the adversary intercepts the transmitted mes-
sage, she/he is capable of acquiring Ia = I0 ⊕ Ta(h(IDi||Pi)||Sj)
mod p and Ib = h(IDi||Sj) ⊕ Tb(h(IDi||Pi)||Sj) mod p. In this
game, the adversary attempts to obtain the session key SK =
Tab(h(IDi||Pi)||Sj) mod p with the intercepted messages Ia and
Ib. Hence, Game G2 and Game G1 are indistinguishable except
for solving the Chebyshev chaotic map-based Diffie-Hellman
problem. Based on the Lemma 1, we get:
jPr½E 3 −Pr½E 2 j≤ AdvDDH ðAddh Þ ð3Þ
Game G3 This game replaces a, b with two random integers
respectively. To obtain the two integers a, b, the adversary
needs to break the extended Chebyshev chaotic map-based
discrete logarithm problem. Thus, Game G3 is indistinguish-
able with Game G2 except for settling the Chebyshev chaotic
map-based discrete logarithm problem. According to the
Lemma 1, we obtain:


jPr½E 2 −Pr½E 1 j≤ 2  AdvDLP Adlp ð4Þ
After the Game G3, all secret information and random
numbers are independently generated and nothing about the
hidden value c is leaked. Therefore, we have:
Pr½E3  ¼ 1=2 ð5Þ
J Med Syst (2018) 42:250
Finally, combine (1)–(5), we get the advantage that the
adversary breaks the session key security of the proposed
scheme is:



Advake ðAake Þ≤ qh 2 =2l−2 þ 4  AdvDLP Adlp þ 2
 AdvDDH ðAddh Þ
Thus, the proposed scheme provides session key security.
Mutual authentication
Theorem 2 Based on the definition of mutual authentication,
we denote the advantage that an adversary violates the mutual
authentication as Advma. If Advma is negligible, then the pro-
posed scheme provides mutual authentication.
Proof The proof also consists of a series of games Gi, which
start at the simulation of an actual network environment in the
PoC (G0) and end in the circumstance that the adversary has
no advantage (G3). In each game Gi, we define Ei as the event
that the adversary wins the game Gi. Assume that the adver-
sary A1 attempts to compromise the long-term secret informa-
tion (k, r and pwi), and the adversary Ama is assumed to break
mutual authentication of the proposed scheme. In addition,
Advsk denotes the advantage that an adversary compromises
the long-term secret information and AdvDLP is constructed as
an adversary that breaks the extended chaotic map-based dis-
crete logarithm problem. Then, an adversary Ama obtains
many related or useless messages by accessing the queries
(Execute query, Send query, Test query and Hash query) and
attempts to distinguish the authenticators I0, I3, I9 and I11. If
the adversary successfully distinguishes these authenticators,
the adversary wins the game. Otherwise, the proposed scheme
provides mutual authentication security.
Game G0: This game is executed in the real attack environ-
ment, in which the adversary guesses the authenticators with-
out querying any oracles. By the above definition, we have:
Advma ðAma Þ ¼ 2jPr½E0 −1=2j ð6Þ
Game G1: This game is indistinguishable with Game G0
except replacing the long-term secret information (k, r and
pwi) with three random numbers respectively. The adversary
wins the game if she/he successfully guesses these substitutes,
thus, according to Lemma 1, we get:
jPr½E 1 −Pr½E 0 j≤ 3  Advsk ðA1 Þ ð7Þ
Game G2: To increase the chance of winning this game, the
adversary replace a, b with two random integers respectively.
To get the accurate value of a and b from I5 = Ta(h(IDi||Pi)||Sj)
mod p and I10 = Tb(h(IDi||Pi)||Sj) mod p, the adversary needs to
solve the extended Chebyshev chaotic map-based discrete
logarithm problem. Therefore, Game G2 and Game G1 are
Page 9 of 13 250
indistinguishable except for solving the extended chaotic
map-based discrete logarithm problem, from the Lemma 1,
we obtain:


jPr½E 2 −Pr½E 1 j≤ 2  AdvDLP Adlp ð8Þ
Game G3: This game transforms the previous game by
replacing the related authenticators I0, I3, I9, I11 with four
random integers respectively. Similarly, Game G3 and Game
G2 are indistinguishable except collisions of a hash function in
I9 and I11, and thus according to the birthday paradox and
Lemma 1, we have:


jPr½E 3 −Pr½E 2 j≤ 2  qh 2 =2l ð9Þ
After the Game G3, it is evident that the probability that the
adversary Ama successfully guesses the hidden value c is equal
to the probability that the adversary A1 guesses the value c
correctly. Therefore, the adversary cannot verify the validity
of the secret output information and distinguish whether the
real secret key or a random string is returned successfully.
That is, the adversary has no knowledge about the response
string’s authenticity. Hence, we deduce:
Pr½E3  ¼ 1=2 ð10Þ
Finally, combine (6)–(10), we get the probability that an
adversary violates the mutual authentication of our proposed
scheme is:


Advma ðAma Þ≤ 6  Advsk ðA1 Þ þ 4  AdvDLP Adlp þ qh 2 =2l−2
Consider that the complexity of the birthday paradox and
the Chebyshev chaotic map-based discrete logarithm problem,
l is a secure parameter, thus qh2/2l-2 and AdvDLP(Adlp) are
negligible. In addition, breaking the long-term secret informa-
tion in probabilistic polynomial time is also considered to be
ignorable. Therefore, Advma(Ama) is negligible, that is, our
proposed scheme provides mutual authentication.
User anonymity
In the proposed scheme, the user’s identity is protected by a
secure hash function and some related XOR (exclusive or)
encryption operations. In the registration phase, the user’s
identity is protected by a high entropy random integer m and
a secure hash function. In the login and authentication phase,
the user’s identity is protected either by XOR encryption op-
erations in I4 and I8, or by a secure hash function in Pi, SIDj,
I1new, I11 with some other additional information such as the
user’s password pwi, the current timestamp T1 and the random
integer n. Due to the one-way property of a secure hash func-
tion and XOR encryption operations, an adversary cannot ac-
curately extract the user’s real identity. Therefore, the pro-
posed scheme provides user anonymity.
 250 Page 10 of 13
Perfect forward secrecy
Perfect forward secrecy means that if long-term private keys
of one or more entities are compromised, the secrecy of pre-
vious session keys established by honest entities is not affect-
ed. In the proposed scheme, the generated session key is SK =
Tab(h(IDi||h(IDi||pwi)||MSj) = Tb(I5) = Ta(I10) mod p. To com-
promise the session key with the transmitted message, an ad-
versary needs to obtain all related components of the session
key, such as long-term private keys pwi, k and r of several
entities. However, the adversary fails to break the session
key since the proposed scheme provides user anonymity
based on the analysis in the subsection BUser anonymity^.
Meanwhile, the secret information I5 and I10 are protected
by a secure hash function, the users’ identities IDi and MSj.
Therefore, the adversary cannot extract correct messages to
compromise the session key. Furthermore, even if the adver-
sary illegally obtains the related information IDi and MSj or I5
and I10, she/he still cannot compute the legal session key since
she/he has no knowledge of the random integers a, b due to
the extended chaotic map-based discrete logarithm problem.
Thus, the proposed scheme provides perfect forward secrecy.
Resistance to stolen-verifier attacks
The stolen-verifier attack means an adversary who steals the
password-verifier from the server can use it directly to mas-
querade as a legitimate user in a user authentication process.
Assuming that the adversary obtains the verification list {(I0,
I1, I3)/(MSj, MSr)} and tries to pass the smart card’s verifica-
tion in the login phase. To pass the verification, she/he needs
to obtain the legal identity and corresponding password. But
the user’s real identity and password are protected by a secure
hash function with some random integers or an extended
Chebyshev chaotic map-based discrete logarithm problem.
Thus the adversary cannot pass the verification of the smart
card. Besides, even though the adversary passes the smart
card’s verification by chance, she/he still fails to pass the
TS’s verification since the proposed scheme adopts the dy-
namic verification information I1 = h(IDi||n), namely, dynamic
I1 prevents the adversary from accurately locate the related
information I0 and then fails to get the legal authentication
message I3. Therefore, the proposed scheme resists stolen-
verifier attacks.
Resistance to privileged-insider attacks
In the proposed scheme, the user’s password is protected ei-
ther by a secure hash function or by a complicated Chebyshev
chaotic map. Specifically speaking, in the registration phase,
the user’s password pwi is submitted to the trusted server in an
encrypted way TPWi = Tpwi(x). After the trusted server TS re-
ceives the registration request, it has no knowledge of the
J Med Syst (2018) 42:250
user’s password pwi. Therefore, even if an adversary is a
privileged-insider of the trusted server or a system manager,
she/he cannot obtain the user’s password unless she/he suc-
cessfully breaks the extended Chebyshev chaotic map-based
discrete logarithm problem. In the login and authentication
phase, the user’s password is protected by a secure hash func-
tion in Pi = h(IDi||pwi), which results in that the adversary
cannot extract the user’s password unless she/he violates the
irreversibility of hash function in probabilistic polynomial
time and obtains the user’s real identity IDi. Thus, the pro-
posed scheme resists privileged-insider attacks.
Resistance to known session specific temporary information
attacks
Known session specific temporary information attack means
that the compromise of short-term secret information should
obtain the generated session key. When the related temporary
integer a is leaked, an adversary cannot compute I5 = Ia ⊕ I0
because she/he has no information about I0 without the user’s
password. Furthermore, according to the analysis in subsection
BUser anonymity^, the adversary has no ability to compute
I10 = Ib ⊕ h(IDi||Sj) since she/he cannot obtain the user’s real
identity. Therefore, the adversary cannot calculate the accurate
session key SK = Tb(I5) = Ta(I10) mod p because she/he has no
knowledge of I5 and I10, namely, the proposed scheme resists
known session specific temporary information attacks.
Resistance to impersonation attacks
In the login phase, assume that an adversary sends the forged
message {SIDj’, Qi’, I1’, I4’, Ia’, T1’} to the trusted server TS to
impersonate a user Ui, where T1’ is the current timestamp.
After the trusted server TS receives the transmitted message,
it firstly checks the freshness of the timestamp T1’. If the
timestamp T1’ is illegal, TS stops the current session. Then
the trusted server TS extracts I0 according to the received
message I1’. Even if I1’ is equal to I1, the adversary still cannot
get the corresponding I0 since I1 = h(IDi||m) is a dynamic iden-
tity and is protected by a secure one-way hash function and a
varied random integer. Therefore, the adversary cannot pass
the verification of the trusted server because she/he cannot
obtain the valid verification message I3’ without the real iden-
tity and corresponding I0, namely, the adversary cannot im-
personate a user Ui to cheat the trusted server TS.
In the authentication and key agreement phase, suppose the
adversary sends a faked message {I6’, I7’, I8’, I9’, I1new^, T3’} to
the medical server MSj to impersonate the trusted server TS,
where I9’ = h(Sg′||h(MSj’)||T3’) and T3’ is the current timestamp.
After receiving the transmitted message, MSj firstly checks the
freshness of the timestamp T3’. If the timestamp T3’ is illegal,
MSj ends the current session immediately. Moreover, an ad-
versary cannot compute the actual authentication message Sg′
J Med Syst (2018) 42:250
without the knowledge of long-term secret key k and r unless
she/he breaks the extended chaotic map-based discrete loga-
rithm problem. Thus, an adversary cannot generate a legal I9
to pass the authentication of the medical server and success-
fully impersonates the trusted server TS to fool the medical
server MSj.
In order to impersonate the medical server MSj to cheat the
user Ui, an adversary generates a forged message {I6’, I11’, T5’,
I1new^} and sends it to the user Ui. Nevertheless, an adversary
cannot successfully construct the related local parameters of the
session key since the proposed scheme provides user anonym-
ity and the password pwi is protected by the complexity of the
extended chaotic map-based discrete logarithm problem.
Therefore, an adversary cannot successfully compute the accu-
rate session key SK, thereby fails to get the legal verification
message I11’, i.e., an adversary cannot successfully impersonate
the medical server MSj to cheat the user Ui. In a conclusion, the
proposed scheme withstands impersonation attacks.
Resistance to man-in-the-middle attacks
Based on the above analysis, we know that the mutual authen-
tication among Ui, TS and MSj has been satisfied. Thus the
proposed scheme withstands man-in-the-middle attacks.
Resistance to smart card theft attacks
If the smart card is stolen, an adversary can obtain all the
information {KPWi, I1, h(·)} stored in the smart card through
side-channel attacks, and then attempts to enter the system by
using the information stored in the smart card. However, in the
login process, the adversary has no ability to compute I0 =
IDi ⊕ KPWi correctly without the knowledge of user’s identity
IDi according to the analysis in 4.3.3. Even if the adversary
obtains the legal I0 and then tries to extract the user’s password
pwi from the message I0 = Tpwi(Tk(x)), she/he will face the
extended chaotic map-based discrete logarithm problem.
Thus the adversary cannot pass the validation of the smart
card. In addition, the adversary also cannot fabricate a legal
identity to match with the corresponding password since she/
he has no ability to extract the user’s real identity IDi from I1 =
h(IDi||m) according to the irreversibility of hash function.
Therefore, an adversary cannot impersonate a legitimate user
to login into the e-health systems and exercise the same rights
as a legal user, that is, the proposed scheme resists smart card
theft attacks.
Performance analysis
This section analyzes the proposed scheme and other related
schemes [16, 20, 26–28] in terms of functionality and compu-
tational overhead, which are respectively described in Table 2
Page 11 of 13 250
and Table 3. As shown in Table 2, the proposed scheme can
resist various known attacks and satisfy more security require-
ments compared with other authenticated key agreement
schemes [16, 20, 26–28].
Y: The scheme resists the attack or provides the security
property; N: The scheme does not resist the attack or does not
provide the security feature.
In certain circumstances of PoC, sensor nodes embedded in
the human body or placed in the body surface carry the vital
information of the user, such as the user’s identity, state and
physical index, thus it is quite critical to protecting the user’s
sensitive information from being leaked. In addition, the enti-
ties of PoC communicate with each other in an open channel,
which requires the design of an authentication scheme should
withstand various security threats and loopholes. Security
guarantee and privacy protection are the two quite important
points in the PoC. In Table 2, the aforementioned six schemes
except the proposed scheme and Xiong et al.’s scheme [26]
cannot resist known session specific temporary information
attacks, which pose a serious threat to the negotiated session
key between the user and corresponding server. Besides, the
related schemes [16, 26–28] are vulnerable to denial of service
attacks when many illegal users access the gateway node or
registration center simultaneously. Furthermore, Xiong et al.’s
scheme [26] and Li et al.’s scheme [27] fail to provide user
anonymity and user untraceability. Kumari et al.’s scheme
[20] cannot ensure user untraceability. These flaws will cause
a severe consequence that the user’s private information may
be illegally used by a malicious attacker. Finally, Xiong et al.’s
scheme [26] fails to provide session key security. Li et al.’s
scheme [27] and Lee et al.’s scheme [29] cannot withstand
replay attacks. Compared with other related works [16, 20,
26–28], the proposed scheme successfully avoids the afore-
mentioned security drawbacks and provides more security
attributions for the PoC.
In the following, the computational cost of our proposed
scheme and other related schemes [16, 20, 26–28] are com-
pared to evaluate the performance of our scheme. Note that the
time consuming of string concatenation and exclusive-or op-
erations are negligible during the evaluating process. For the
convenience of evaluating the computational cost, some nota-
tions are defined as follows:
Ts The time for executing a symmetric key encryption/ de-
cryption operation.
Th The time for executing a one-way hash function opera-
tion.
Tc The time for executing a Chebyshev polynomial
computation.
In particular, we only consider the login phase and the
authentication and key agreement phase because they are
dominant operations in the execution process of the related
schemes. In our proposed scheme, three entities communicate
 250 Page 12 of 13 J Med Syst (2018) 42:250

Table 2 The functionality comparisons of related schemes

Security threats & features Xiong et al. [26] Li et al. [27] Lee et al. [28] Kumari et al. [20] Lee et al. [16] Our’s

Replay attacks Y N N Y Y Y
Impersonation attacks Y Y Y Y Y Y
Man-in-the-middle attacks Y Y Y Y Y Y
Password guessing attacks Y Y Y Y Y Y
Stolen-verifier attacks Y Y Y Y Y Y
Denial of service attacks N N N Y N Y
Many Logged-in Users’ attacks Y Y Y Y Y Y
Known session specific temporary information attacks Y N N N N Y
Smart card theft attack Y Y Y Y Y Y
Privileged-insider attack Y Y Y Y Y Y
User anonymity N N Y Y Y Y
User untraceability N N Y N Y Y
Mutual authentication Y Y Y Y Y Y
Session key security N Y Y Y Y Y
Perfect forward secrecy Y Y Y Y Y Y

with each other by a series of encryption/decryption and ver-
ification operations. In the login and authentication process,
the user Ui executes 6 one-way hash function operations and 3
Chebyshev polynomial computations, which are primary to
the total computation cost at the user side. And the trusted
server TS performs the related operations to verify the legality
of the received message and sends an authentication message
to the corresponding medical server. To check the validity of
the transmitted message, the trusted server TS needs to com-
pute 3 one-way hash functions operations and 1 Chebyshev
polynomial computation. Besides, the trusted server TS still
needs to execute 6 one-way hash function operations and 1
Chebyshev polynomial computation to establish a reliable
connection with the corresponding medical server. Next, the
corresponding medical server carries out 2 one-way hash
function operations and 1 Chebyshev polynomial computa-
tion to authenticate the trusted server and then executes 5
one-way hash function operations and 2 Chebyshev polyno-
mial computations to negotiate a secure session key with the
user for the following communications.
According to the research [17, 29, 30], the time of execut-
ing a Chebyshev polynomial computation Tc and the time of
executing a one-way hash function operation Th are approxi-
mate. Moreover, the time of executing a symmetric
encryption/decryption operation Ts is as nearly 18 times as
that of executing a one-way hash function operation Th [31].
Table 3 shows the total computational complexity of the pro-
posed scheme is approximately 22Th + 8Tc. According to
Table 3, both Li et al.’s scheme [27] and Lee et al.’s scheme
[28] need to execute 6 symmetric encryption/decryption oper-
ations, and Kumari et al.’s scheme [20] is required to perform
4 symmetric computations. Compared with their schemes [20,
27, 28], the proposed scheme reduces the computational cost
efficiently by avoiding performing complex symmetric
encryption/decryption operations. As shown in Table 3, the
proposed scheme is as efficient as Xiong et al.’s scheme [26]
and Lee et al.’s scheme [16]. However, Xiong et al.’s scheme
[26] is suffered from denial of service attacks and cannot pro-
vide user anonymity and user untraceability. And Lee et al.’s
scheme [16] is vulnerable to denial of service attacks and
known session specific temporary information attacks.
Therefore, the proposed scheme is more suitable for the
resource-constrained PoC in terms of the computational com-
plexity and security requirements.

Table 3 The computation comparisons of related schemes

Entities & computation Related schemes

Xiong et al. [26] Li et al. [27] Lee et al. [28] Kumari et al. [20] Lee et al. [16] Ours

Ui /UA 8Th + 3Tc 5Th + 2Ts + 2Tc 5Th + Ts + 3Tc 5Th + 2Ts + 2Tc 3Th + 3Tc 6Th + 3Tc
SNj /UB 5Th + 2Tc 4Th + 2Ts + 2Tc 5Th + Ts + 3Tc 3Th + 2Tc 4Th + 2Tc 7Th + 3Tc
GWN/Server/RC 11Th + Tc 3Th + 2Ts 4Th + 4Ts + 2Tc 6Th + 2Ts 6Th + Tc 9Th + 2Tc
Total 24Th + 6Tc 12Th + 6Ts + 4Tc 14Th + 6Ts + 8Tc 14Th + 4Ts + 4Tc 13Th + 6Tc 22Th + 8Tc
J Med Syst (2018) 42:250
Conclusions
In this paper, we propose a secure chaotic maps-based authen-
tication and key agreement scheme with user privacy protection
for the PoC. In the proposed scheme, the Chebyshev polyno-
mial combined with one-way hash functions are adopted to
construct an authentication and key agreement scheme. The
proposed scheme realizes user anonymity and user
untraceability during the mutual authentication and key agree-
ment by encrypting the user’s identity and eliminating all re-
dundant variables. In addition, session key security and mutual
authentication of the proposed scheme are demonstrated via
Real-or-Random Oracle model. Performance analysis shows
that the proposed scheme is a lightweight authentication
scheme. Therefore, the proposed scheme achieves a delicate
balance between the efficiency and security and is more suitable
for the resource-constrained and high-privacy-required PoC.
Funding Information This work was supported by the National Natural
Science Foundation of China [grant numbers 61,303,237].
Compliance with Ethical Standards
Conflict of Interests The authors declare that we have no conflicts of
interest.
Ethical Approval This article does not contain any studies with human
participants or animals performed by any of the authors.
References
1. Abuadbba, A., and Khalil, I., Walsh-Hadamard-Based 3-D stega-
nography for protecting sensitive information in point-of-care.
IEEE Trans. Biomed. Eng. 64(9):2186–2195, 2017.
2. Movassaghi, S., Abolhasan, M., Lipman, J., Smith, D., and
Jamalipour, A., Wireless body area networks: A survey. IEEE
Commun. Surv. Tutor. 16(3):1658–1685, 2014.
3. Chatzigiannakis, I., Vitaletti, A., and Pyrgelis, A., A privacy-
preserving smart parking system using an IoT elliptic curve based
security platform. Comput. Commun. 89–90:165–177, 2016.
4. Das, M. L., Two-factor user authentication scheme in wireless sen-
sor networks. IEEE Trans. Wirel. Commun. 8:1086–1090, 2009.
5. Lee, C. I, and Chien, H. Y., An elliptic curve cryptography-based
RFID authentication securing E-health system. Taylor & Francis,
Inc. 2015.
6. Challa, S., et al., An efficient ECC-based provably secure three-
factor user authentication and key agreement protocol for wireless
healthcare sensor networks. Comput. Electr. Eng. 2017.
7. Lee, Y. S., Alasaarela, E., and Lee, H. J., An efficient encryption
scheme using elliptic curve cryptography (ECC) with symmetric
algorithm for healthcare system. Int. J. Sec. Appl. 8(3):63–70, 2014.
8. Hou, J. L., and Yeh, K. H., Novel authentication schemes for IoT based
healthcare systems. Int. J. Distrib. Sens. Netw. 2015(4):1–9, 2015.
9. Li, C. T., Lee, C. C., Weng, C. Y., and Chen, S. J., A secure dynamic
identity and chaotic maps based user authentication and key agree-
ment scheme for e-healthcare systems. J. Med. Syst. 40(11):233, 2016.
10. Yeh, K. H., A secure iot-based healthcare system with body sensor
networks. IEEE Access, 10288–10299, 2016.
Page 13 of 13 250
11. He, D., Kumar, N., Chen, J., Lee, C. C., Chilamkurti, N., and Yeo,
S. S., Robust anonymous authentication protocol for health-care
applications using wireless medical sensor networks. Multimed.
Syst. 21(1):49–60, 2015.
12. Gope, P., and Hwang, T., BSN-care: A secure IoT-based modern
healthcare system using body sensor network. IEEE Sens. J. 16(5):
1368–1376, 2016.
13. Chang, I. P., Lee, T. F., Lin, T. H., and Liu, C. M., Enhanced two-
factor authentication and key agreement using dynamic identities in
wireless sensor networks. Sensors. 15(12):29841–29854, 2015.
14. Kocarev, L., and Tasev, Z., Public-key encryption based on
Chebyshev maps. Proc. Int. Sym. Circ. Syst. 3: III-28-III-31 2003.
15. Mason, J. C., and Handscomb, D. C., Chebyshev polynomials.
Boca Raton: Chapman & Hall/CRC, 2003.
16. Bergamo, P., D’Arco, P., Santis, A., and Kocarev, L., Security of
public-key cryptosystems based on Chebyshev polynomials. IEEE
Trans. Circ. Syst. 52(7):1382–1393, 2004.
17. Lee, T., Provably secure anonymous single-sign-on authentication
mechanisms using extended Chebyshev chaotic maps for distribut-
ed Computer networks. IEEE Syst. J. 1–8, 2015.
18. Lai, H., Xiao, J., Li, L., and Yang, Y., Applying semigroup property
of enhanced Chebyshev polynomials to anonymous authentication
protocol, Math. Probl. Eng. 2012.
19. Zhao, F., Gong, P., Li, S., Li, M., and Li, P., Cryptanalysis and
improvement of a three-party key agreement protocol using en-
hanced Chebyshev polynomials. Nonlinear Dyn. 74(1–2):419–
427, 2013.
20. Kumari, S., Li, X., Wu, F., Das, A. K., Arshad, H., and Khan, M. K.,
A user friendly mutual authentication and key agreement scheme
for wireless sensor networks using chaotic maps. Future Gen.
Comput. Syst. 63(C):56–75, 2016.
21. Lee, T. F., Efficient and secure temporal credential-based authenti-
cated key agreement using extended chaotic maps for wireless sen-
sor networks. Sensors. 15(7):14960–14980, 2015.
22. Zhang, L., Cryptanalysis of the public key encryption based on
multiple chaotic systems. Chaos Soliton Fract. 37(3):669–674,
2008.
23. Bellare, M., Pointcheval, D., and Rogaway, P., Authenticated key
exchange secure against dictionary attacks. Lect. Notes Comput.
Sci. 1807:139–155, 2000.
24. Abdalla, M., Fouque, P. A., and Pointcheval, D., Password-based
authenticated key exchange in the three-party setting in public key
cryptography - PKC. Springer-Verlag Berlin 3386(2005):65–84,
2005.
25. Shoup, V., Sequences of games: A tool for taming complexity in
security proofs, Manuscript, 2004. http://www.shoup.net (Accessed
12 September 2016).
26. Xiong, H., Tao, J., and Chen, Y., A robust and anonymous two
factor authentication and key agreement protocol for telecare med-
icine information systems. J. Med. Syst. 40(11):228, 2016.
27. Li, X., Niu, J., Kumari, S., Khan, M. K., Liao, J., and Liang, W.,
Design and analysis of a chaotic maps-based three-party authenti-
cated key agreement protocol. Nonlinear Dyn. 80(3):1209–1220,
2015.
28. Lee, C. C., Li, C. T., Chiu, S. T., and Lai, Y. M., A new three-party-
authenticated key agreement scheme based on chaotic maps with-
out password table. Nonlinear Dyn. 79(4):2485–2495, 2014.
29. Xiao, D., Liao, X., and Deng, S., One-way hash function construc-
tion based on the chaotic map with changeable-parameter. Chaos
Solitons Fract. 24(1):65–71, 2005.
30. Cheng, Z. Y., Liu, Y., Chang, C. C., and Chang, S. C.,
Authenticated RFID security mechanism based on chaotic maps.
Sec. Commun. Netw. 6(2):247–256, 2013.
31. He, D., Zhang, Y., and Chen, J., Cryptanalysis and improvement of
an anonymous authentication protocol for wireless access networks.
Wirel. Personal Commun. 74(2):229–243, 2014.