An Extended Chaotic Maps-Based Three-Party Password-Authenticated Key Agreement with User Anonymity

Abstract

User anonymity is one of the key security features of an authenticated key agreement especially for communicating messages via an insecure network. Owing to the better properties and higher performance of chaotic theory, the chaotic maps have been introduced into the security schemes, and hence numerous key agreement schemes have been put forward under chaotic-maps. Recently, Xie et al. released an enhanced scheme under Farash et al.’s scheme and claimed their improvements could withstand the security loopholes pointed out in the scheme of Farash et al., i.e., resistance to the off-line password guessing and user impersonation attacks. Nevertheless, through our careful analysis, the improvements were released by Xie et al. still could not solve the problems troubled in Farash et al‥ Besides, Xie et al.’s improvements failed to achieve the user anonymity and the session key security. With the purpose of eliminating the security risks of the scheme of Xie et al., we design an anonymous password-based three-party authenticated key agreement under chaotic maps. Both the formal analysis and the formal security verification using AVISPA are presented. Also, BAN logic is used to show the correctness of the enhancements. Furthermore, we also demonstrate that the design thwarts most of the common attacks. We also make a comparison between the recent chaotic-maps based schemes and our enhancements in terms of performance.

1 Introduction

Authenticated key exchange protocols, are among the core cryptographic mechanisms for ensuring network security, which aims at establishing a common session key between the communicated participates. For authenticated key exchange through an open environment, both security and privacy are desired. Over the past few decades, many works on authenticated key-exchange have been done referring to kinds of cryptographic primitives (e.g., symmetric cryptography, public key cryptography, hash functions, etc.) applied for different applications [1–11].

With infiltration and mergence of many scientific branches, chaotic theory has entered the field of vision of the cryptography researchers. Chaotic theory possesses the properties of unpredictability and sensitivity to parameters and initial conditions, which meet some essential requirements of cryptography. Subsequently, cryptography based on chaos theory has been studied widely. The chaotic maps have been applied in the design of symmetric encryption [12–13], S-boxes [14], signature [15] and hash functions [16]. Additionally, chaotic systems have also been applied to design the key agreements, various chaotic maps-based key agreements and related approaches have been presented recently [17–20], owing to that chaotic maps operations offer the semi-group property, and have a better efficiency than point multiplications on an elliptic curve and modular exponential operations [21–22].

According to the numbers of participants for an authenticated key exchange scheme, there are two-party authenticated key exchange schemes, three-party authenticated key exchange schemes, and multi-party authenticated key exchange schemes. Two-party authenticated key exchange schemes are used to establish a session key under environment of client-server. In particular, the suggestion of three-party authenticated key exchange schemes are considered for solving the infeasibility of two-party schemes exchange session keys in large-scale communication environments. In 2011, Wang et al. [23] developed a three-party authenticated key agreement scheme using chaotic maps. However, Yoon et al. [24] declared that the scheme of Wang et al. violated an illegal message modification attack and then they presented an improvement. Next, Lee et al. [25] presented a chaotic maps based three-party authenticated key agreement scheme without using smart card. However, Hu et al. [26] proved that their scheme was not secure against the man-in-the-middle attack in condition that the identity was lost. After that, Farash et al. [27] proposed a three-party authenticated key agreement without applying symmetric cryptography and server’s public key. Nevertheless, Xie et al. [28] pointed out three-party authenticated key agreement proposed by Farash et al. could not withstand off-line password guessing attack, thus suffering user impersonation attack. In order to prevent the security threats, Xie et al. presented an enhancement without using server’s public key. Obviously, both of Farash et al. and Xie et al.’s schemes are efficient, but without using server’s public key is no guarantee of safety. The most important thing to consider that the identity of user is a key personal privacy. Generally, there is a growing requirement for protecting user privacy information from being leaked and abused, which outlines the needs for designing schemes that can attain user anonymity. The adoption of public key cryptography is essential needed to protect user anonymity, which has been verified by the excellent works [29]. Through our carefully analysis, we found that the proposed scheme by Xie et al. could not achieve user anonymity. In addition, their scheme could not resist off-line password guessing, thus notwithstanding user impersonation attack. Furthermore, the session key security could not provide in their scheme. Motivated by it, we design an extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. Both the formal analysis and the formal security verification using AVISPA [30–31] are presented. Also, BAN logic [32] is used to show the correctness of the enhancements. Furthermore, we also demonstrate that the design thwarts most of the common attacks. We also make a comparison between the recent chaotic-maps based schemes and our enhancements in terms of performance.

The outline of the paper are arranged as follows. The Chebyshev chaotic maps and the related intractable problems are introduced in Section 2. The cryptanalysis of Xie et al.’s scheme is presented in Section 3. Section 4 proposes a chaotic maps-based three-party authenticated key agreement. The security analysis of our scheme and comparison with other works are described in Sections 5 and 6, respectively. We summarize the whole paper in Section 7.

2 Preliminaries

We will introduce the Chebyshev chaotic maps and the related intractable problems [33–34].

Chebyshev polynomial Let n be an integer and x ∈ [−1, 1]. The Chebyshev polynomial T_n(x):[−1, 1] → [−1, 1] can be defined as: T_n(x) = cos(n ⋅ arccos(x)). The recurrent formulas of the Chebyshev polynomial is shown as: T₀(x) = 1, T₁(x) = x, T₂(x) = 2x² − 1, T_n+1(x) = 2xT_n(x) − T_n−1(x).

Semi-group property For $p,q\in \mathcal{N},T_p\left(T_q\left(x\right)\right)=T_{pq}\left(x\right)=T_q\left(T_p\left(x\right)\right)\left(mod\mathcal{N}\right)$.

Discrete logarithm problem Known the parameters x and y, it is intractable to find an integer p such that T_p(x) = y.

Diffie-Hellman problem Known the parameters x, T_p(x), and T_q(x), it is intractable to compute the value T_pq(x).

3 Review of Xie et al.’s scheme

In this section, we shall review Xie et al.’s chaotic-maps based authenticated key agreement. Their scheme consists of four phases: system setup, registration, authentication and key exchange and password change. The registration and authentication and key exchange phases are shown in Fig 1. The notations used throughout this study are listed as follows.

Fig 1. Mutual authentication and key agreement of Xie et al.’s scheme.

S: a remote server.

A and B: two users.

ID_A and ID_B: users’ identities of A and B.

pw_A and pw_B: users’s passwords of A and B.

k and T_k(x): private and public keys of S.

s: a secret key of S.

r: shared secret key between A and S.

h₁(): a one-way hash function h₁: {0, 1}* → {0, 1}^l.

h(): a chaotic maps-based one-way hash function $h:{\{0,1\}}^{*}\to {\mathcal{Z}}_p$.

$\mathcal{Z}$: ring of integer.

p: a large prime number.

3.1 System setup

The server S performs the following steps:

Selects its secret key s;

Selects a large prime number p, $x\in {\mathcal{Z}}_p$;

Selects a secure one-way hash function h₁;

Selects a chaotic maps-based one-way hash function h().

At last, S maintains the secret key s and releases the parameters {p, x, h₁(), h()}.

3.2 Registration

The user A registers the server S as below:

Step 1: User A computes PW_A = T_pwA(x)modp and sends {ID_A, PW_A} to S through a secure channel, where ID_A and pw_A are the identity and password of A, respectively.

Step 2: The server S computes VPW_A = h₁(ID_A, s) + PW_A and stores {ID_A, VPW_A} in its database.

The user B also registers S as the above processes, we omit it.

3.3 Authentication and key exchange

The establishment of the session key among A, B and S are described in the following:

Step 1: User A computes R_A = T_a(x)modp and sends {ID_A, ID_B, R_A} to S, where a ∈ [1, p + 1].

Step 2: Once receiving the login message, S computes PW_A = VPW_A − h(ID_A, s), PW_B = VPW_B − h(ID_B, s), R_S1 = T_S1(x) − PW_A modp, R_S2 = T_S2(x) − PW_B modp and sends back {ID_A, R_S2} to B, sends {ID_B, R_S1} to A.

Step 3: Upon receiving {ID_A, R_S2} from S, B computes R_B = T_b(x)modp, K_BS = T_b(R_S2 + PW_B) = T_bS2(x)modp, Z_BS = h(0, ID_B, ID_A, R_B, R_S2, K_BS). Then, B sends {R_B, Z_BS} to S. After A receives {ID_B, R_S1} from S, he computes K_AS = T_a(R_S1 + PW_A) = T_aS1(x)modp, Z_AS = h(0, ID_A, ID_B, R_A, R_S1, K_AS). Then, A sends {Z_AS} to S.

Step 4: Upon receiving the messages from A and B, S computes K_SB = T_S2(R_B) = T_S2b(x)modp and checks whether $h(0,I{D}_B,I{D}_A,R_B,R_{S2},K_{SB})\stackrel{?}{=}{Z}_{BS}$. If it is true, S then computes K_SA = T_S1(R_A) = T_S1a(x)modp and checks whether $h(0,I{D}_A,I{D}_B,R_A,R_{S1},K_{SA})\stackrel{?}{=}{Z}_{AS}$. If holds, S computes Z_AB = h(1, ID_A, ID_B, R_A, R_B, K_SA), Z_BA = h(1, ID_B, ID_A, R_B, R_A, K_SB) and sends {R_B, Z_AB} and {R_A, Z_BA} to A and B, respectively.

Step 5: When A gets {R_B, Z_AB}, he verifies whether $h(1,I{D}_A,I{D}_B,R_A,R_B,K_{AS})\stackrel{?}{=}{Z}_{AB}$. If holds, A can compute K_AB = T_a(R_B) = T_ab(x)modp and the session key SK = h(2, ID_A, ID_B, R_A, R_B, K_AB). Similarly, once B gets {R_A, Z_BA}, he verifies whether $h(1,I{D}_B,I{D}_A,R_B,R_A,K_{BS})\stackrel{?}{=}{Z}_{BA}$. If it is valid, B can compute K_BA = T_b(R_A) = T_ba(x)modp and the session key SK = h(2, ID_A, ID_B, R_A, R_B, K_BA).

3.4 Password change

If user A attempts to update his password as a new one, he can perform the following steps:

Step 1: User A computes $P{W}_A^{new}=T_{p{w}_A^{new}}\left(x\right)modp,PWD=h(K_{AS},I{D}_A)+P{W}_{A}modp,V_A=h(K_{AS},P{W}_A),Z_{AS}=h(1,I{D}_A,R_A,S_1,K_{AS},V_A,M_A)$ and sends {ID_A, R_A, Z_AS, PWD, V_A, M_A} to S, where M_A = {Password update request}.

Step 2: S first checks whether $h(1,I{D}_A,R_A,R_{S1},K_{SA},V_A,M_A)\stackrel{?}{=}{Z}_{AS}$. If it holds, S computes PW_A = PWD − h(K_SA, ID_A)modp and checks whether $h(K_{SA},P{W}_A)\stackrel{?}{=}{V}_A$. If it holds, S computes R₁ = h(1, ID_A, PWD, V_A, K_SA), VPW_A = h(ID_A, s) + PW_A modp, replaces VPW_A with $VP{W}_A^{new}$ in its database, and sends {Accept, R₁} to A. Otherwise, S sends {Reject, R₂} to A, where R₂ = h(0, ID_A, PWD, V_A, K_SA).

Step 3: When A receives {Accept, R₁}, he verifies if $h(1,I{D}_A,PWD,V_A,K_{AS})\stackrel{?}{=}{R}_1$. If true, A accepts $p{w}_A^{new}$ as his new password. Otherwise, he verifies whether $h(0,I{D}_A,PWD,V_A,K_{AS})\stackrel{?}{=}{R}_2$ and returns Step 1 to execute the above steps again.

4 Cryptanalysis of Xie et al.’s scheme

Xie et al.’s scheme declared that their improvements could withstand the password off-line guessing attack and the user impersonation attack which Farash et al.’s scheme failed to resist. However, we will demonstrate their improvement cannot really resist the off-line password guessing attack, thus suffering the user impersonation attack. Besides, we also demonstrate their improvements cannot achieve the session key security as they stated. Furthermore, user anonymity is also not able to provide in their improvements. In order to launch the attacks, we adopt the attack model proposed by Xu et al. [35]. According to their assumption, an attacker $\mathbb{U}$ can completely monitor the open communication channel, thus inserting, deleting, and modifying any messages among correspondents.

4.1 Off-line password guessing attack

$\mathbb{U}$ can easily perform the attack by intercepting the transmitted messages {ID_A, ID_B, R_A} and Z_AS from A to S as below:

Step 1: $\mathbb{U}$ computes R_A = T_a(x)modp and sends {ID_A, ID_B, R_A} to S, where a ∈ [1, p + 1] is a random number.

Step 2: S computes PW_A = VPW_A − h(ID_A, s), PW_B = VPW_B − h(ID_B, s), R_S1 = T_S1(x) − PW_A modp, R_S2 = T_S2(x) − PW_B modp, where S1, S2 ∈ [1, p + 1]. Next, S sends {ID_B, R_S1} to A.

Step 3: $\mathbb{U}$ guesses a candidate password $P{W}_A^{\prime }$ and computes $K_{AS}=T_a(R_{S1}+P{W}_A^{\prime })=T_{aS1}\left(x\right)modp$. After that, $\mathbb{U}$ checks whether $Z_{AS}\stackrel{?}{=}h(0,I{D}_A,I{D}_B,R_A,R_{S1},K_{AS})$. If the equation is true, which means $\mathbb{U}$ gets the correct password. Otherwise, $\mathbb{U}$ performs the above steps again until he succeeds.

4.2 User impersonation attack

After obtaining the password of user A(or user B), $\mathbb{U}$ can masquerade as a legitimate user A (or user B) to cheat the server A and the user B (or user A). Following previous subsection, once $\mathbb{U}$ guesses correctly, he then sends {Z_AS} to S. Upon receiving the messages from $\mathbb{U}$, S executes the original scheme without any detection. Finally, S sends {R_B, Z_AB} to $\mathbb{U}$. After receiving the messages from S, $\mathbb{U}$ verifies whether Z_AB = h(1, ID_A, ID_B, R_A, R_B, K_AS). If it is true, $\mathbb{U}$ computes K_AB = T_a(R_B) = T_ab(x)modp and the session key SK_AB = h(2, ID_A, ID_B, R_A, R_B, K_AB). That is, $\mathbb{U}$ successfully wormed himself into S and Bs’ confidence.

4.3 Anonymity of users

The user identity is an important personal privacy. In many cases, $\mathbb{U}$ may exploit the user identity to link different login sessions together to trace user activities [29]. Moreover, the violation of user identity and activities may also facilitate an unauthorized entity to trace the user’s login history and even current location [36]. In Xie et al.’s scheme, the messages transmitted from A to S {ID_A, ID_B, R_A}, sent from S to A {ID_B, R_S1}, the message transmitted from S to B {ID_A, R_S2}, are all exposed the identity of A and B. It is a good chance for $\mathbb{U}$ to obtain the identity and know who is requiring the service and further trace the position. This means Xie et al.’s scheme fails to achieve user anonymity.

4.4 Violation of the session key security

After deriving password PW_A by performing the off-line password guessing attack, $\mathbb{U}$ can easily derive the mutually shared session key between A and B after intercepting the transmitted messages R_A and R_B. And thus, $\mathbb{U}$ can compute an integer solution a* (or b*) to satisfy the equation $T_a^{*}\left(x\right)=T_a\left(x\right)$(or $T_b^{*}\left(x\right)=T_b\left(x\right)$) by adopting the method of Bergamo et al. [22]:

$a^{*}=\frac{arccos\left(T_a\left(x\right)\right)+2k\pi }{arccos\left(x\right)}|k\in \mathcal{Z}(b^{*}=\frac{arccos\left(T_b\left(x\right)\right)+2k\pi }{arccos\left(x\right)}|k\in \mathcal{Z})$

With the value a* and b*, $\mathbb{U}$ can compute the session key: $T_a^{*}\left(T_b^{*}\left(x\right)\right)modp=T_a^{*}\left(T_b\left(x\right)\right)modp=T_b\left(T_a^{*}\left(x\right)\right)modp=T_b\left(T_a\left(x\right)\right)modp=T_{ba}\left(x\right)modp=K_{AB}$

In this regard, $\mathbb{U}$ can compute the session key SK = h(2, ID_A, ID_B, R_A, R_B, K_BA) since all the parameters contained in SK can be obtained only by intercepting the communication channel.

5 Proposed scheme

This section presents our enhanced scheme which inherits the advantages and avoids the disadvantages of the scheme proposed by Xie et al‥ The proposed scheme contains four phases: system initialization, registration, the session key establishment and password updating. The registration and the session key establishment phases are shown in Fig 2.

Fig 2. Mutual authentication and key agreement of our scheme.

5.1 System initialization

The server S performs the following steps:

Step 1: Selects a random number $x\in {\mathcal{Z}}_p$;

Step 2: Selects a private key k ∈ [1, p + 1] and computes T_k(x)modp as its public key;

Step 3: Selects a chaotic map hash function h(), S maintains the secret key k and releases the parameters {p, x, T_k(x)modp, h()}.

5.2 Registration

The registration phase of A/B as below:

Step 1: User A/B submits {ID_A, g_A = h₁(pw_A, r_A)}/{ID_B, g_B = h₁(pw_B, r_B)} to the server S, where r_A and r_B are the random numbers;

Step 2: Upon receiving the registration request, S computes VPW_A = h₁(ID_A, k) ⊕ g_A/ VPW_B = h₁(ID_B, k) ⊕ g_B. Next, S randomly chooses a secret key r for A and sends it to A via the private channel. Noth that r is kept securely by A and is different for each user A. Finally, S stores k ⊕ r and VPW_A/VPW_B into its memory.

5.3 Session key establishment

After registering the server S, users A and B establish the session key with the help of S in the following manner:

Step 1: Using the stored shared secret key r, user A computes his own version of C_A = E_KAS(ID_A, ID_B, T_a(x), F_A) and sends them to S, where K_AS = T_r(T_k(x)), F_A = h(ID_A, ID_B, T_a(x), g_A) and a ∈ [p + 1] is a random number.

Step 2: Once receiving the message, S first derives r by computing k ⊕ r ⊕ k and derives {ID_A, ID_B, T_a(x), F_A} by decrypting C_A with computed symmetric key K_AS = T_k(T_r(x)). Next, S checks whether $h(I{D}_A,I{D}_B,T_a\left(x\right),g_A)\stackrel{?}{=}{F}_A$, where g_A = VPW_A ⊕ h(ID_A, k). If the equation is true, S computes C_B = E_gB(T_a(x), F_B, ID_A, ID_B) and sends back it to user B, where F_B = h(T_a(x), ID_B).

Step 3: After receipt of the authentication message from S, user B first retrieves {T_a(x), ID_A, ID_B, F_B} by decrypting C_B and checks the validness of F_B. If it is correct, B computes P_B = E_gB(T_b(x), H_B) and sends back an authentication message via an unsecure channel to S with the following values {P_B}, where H_B = h(ID_B, T_b(x)) and b ∈ [1, p + 1] is a random number at B side.

Step 4: S decrypts P_B to get T_b(x) and H_B using g_B. After that, S examines whether $h(I{D}_B,T_b\left(x\right))\stackrel{?}{=}{H}_B$. If it is correct, S computes Z_AS = h(ID_A, ID_B, T_b(x), T_S1(x)), R_AS = E_KAS(T_S1(x), T_b(x), ID_A, Z_AS) and returns R_AS to A, where S1 is the random number and K_AS = T_k(T_r(x)) is a shared key between A and S. At the same time, S also computes Z_BS = h(ID_A, ID_B, T_a(x), T_S2(x)), R_BS = E_KBS(T_S2(x), T_a(x), ID_B, Z_BS) and returns R_BS to B, where S2 is the random number and K_BS = T_k(T_b(x)).

Step 5: When receiving the message from S, A checks whether $h(I{D}_A,I{D}_B,T_b\left(x\right),T_{S1}\left(x\right))\stackrel{?}{=}{Z}_{AS}$ which is decrypted from R_AS. If it holds, A computes the session key SK = T_a(T_b(x)) and V_A = h(ID_A, SK), and then sends V_A to B. Similarly, B verifies the validity of Z_BS = h(ID_A, ID_B, T_a(x), T_S2(x)) which is derived from R_BS. If it holds, B computes the session key SK = T_b(T_a(x)) and V_B = h(ID_B, SK), and then sends V_B to A.

Step 6: Upon receiving the message from B, A verifies whether h(ID_B, SK) is equal to the received V_B. If the verification holds, A negotiates SK as the shared session key to encrypt the following messages. Otherwise, A aborts the session. At the same time, B checks the correctness of V_B = h(ID_A, SK). Once the result is true, B agrees the session key SK with A.

5.4 Password update

When A intends to change his password after successful handshake between A and S, he can perform the following steps:

Step 1: A selects a new password $p{w}_A^{*}$ and computes $R_A=E_{T_r\left(x\right)}(I{D}_A,h_1(p{w}_A^{*},r_A),h_1(p{w}_A,r_A),Z_{AS})$ and Z_AS = h(ID_A, T_S1(x), K_AS) to S.

Step 2: S decrypts R_A to retrieve $\{I{D}_A,h_1(p{w}_A^{*},r_A),h_1(p{w}_A,r_A),Z_{AS}\}$ using the shared secret key r and verifies whether $h(I{D}_A,T_{S1}\left(x\right),K_{AS})\stackrel{?}{=}{Z}_{AS}$. If it is correct, S computes $VP{W}_A^{*}=h_1(p{w}_A,r_A)\oplus VP{W}_A\oplus h_1(p{w}_A^{*},r_A)$. Next, S updates VPW_A with $VP{W}_A^{*}$.

If B plans to change his password into a new one after successful authentication process between B and S, he performs the following steps:

Step 1: B selects a new password $p{w}_B^{*}$ and computes $R_B=E_{K_{BS}}(I{D}_B,h_1(p{w}_B^{*},r_B),h_1(p{w}_B,r_B),Z_{BS})$ and Z_BS = h(ID_B, T_S2(x), K_BS) to S.

Step 2: S decrypts R_B to retrieve $\{I{D}_B,h_1(p{w}_B^{*},r_B),h_1(p{w}_B,r_B),Z_{BS}\}$ by the shared key K_BS and verifies whether $h(I{D}_B,T_{S2}\left(x\right),K_{BS})\stackrel{?}{=}{Z}_{BS}$. If it is correct, S computes $VP{W}_B^{*}=h_1(p{w}_B,r_B)\oplus VP{W}_B\oplus h_1(p{w}_B^{*},r_B)$. Next, S updates VPW_B with $VP{W}_B^{*}$.

6 Security analysis of the proposed scheme

In this part, we first present a formal security analysis and then adopt the well-known formal tool for analyzing cryptographic protocol, i.e., BAN logic, to demonstrate the validness of the established session key between A and B in the help of the server S. After that, we conduct a security discussion for the proposed scheme according to the known kinds of security attributes. Next, we adopt the formal verification software to demonstrate our scheme is secure.

6.1 Formal security proof of the proposed scheme

Based on the one-way property of hash function [16] and ciphertext indistinguishability of symmetric cryptography algorithm [37], this part gives the formal analysis of the proposed scheme.

Symmetric cryptography algorithm Θ assumption: Denote the Θ advantage by $Ad{v}_P^{\Theta }$. Θ is secure if $Ad{v}_P^{\Theta }$ is negligible for any probabilistic, polynomial time adversary.

Theorem 1 Let Θ is secure. Assume that the one-way hash function h(⋅) behaves as a random oracle, then our proposed password-authentication key agreement defends against an adversary $\mathbb{U}$ for extracting the identity ID_A of the user A, and the session key SK between the user A and the user B.

Reveal 1: This oracle unconditionally outputs the cleartext m using symmetric cryptography algorithm Θ under the corresponding ciphertext C = Enc_k(m).

Reveal 2: This oracle unconditionally outputs the input x using hash function under the corresponding hash value y = h(x).

Proof. The adversary $\mathbb{U}$ executes the experiments $Exp{1}_{\mathbb{U},TPPPAKA}^{\Theta }$ (Table 1) and $Exp{2}_{\mathbb{U},TPPPAKA}^{Hash}$ (Table 2) for our three-party password-authentication key agreement. Suppose that the adversary $\mathbb{U}$ could get the identity ID_A of the user A, and the session key SK between the user A and the user B, which means $\mathbb{U}$ has an extremely high probability $Ma{x}_{\mathbb{U}}Suc{c}_1$ and $Ma{x}_{\mathbb{U}}Suc{c}_2$ to win the game within the running time t_i and the number of queries q_i(i = 1, 2), where $Suc{c}_1=|Pr(Exp{1}_{\mathbb{U},TPPPAKA}^{\Theta }=1)-1$ and $Suc{c}_2=|Pr(Exp{2}_{\mathbb{U},TPPPAKA}^{Hash}=1)-1$. However, they are both computationally infeasible problems under the symmetric cryptography algorithm Θ assumption without the knowledge of the secret key k and non-invertibility of hash function, i.e., $Ad{v}_{\mathbb{U},TPPPAKA}^{\Theta }\left(t_1\right)⩽{\epsilon }_1$, $Ad{v}_{\mathbb{U},TPPPAKA}^{hash}\left(t_2\right)⩽{\epsilon }_2$, for any sufficiently small ε_i > 0(i = 1, 2). That is, $Ma{x}_{\mathbb{U}}Suc{c}_1⩽{\epsilon }_1$ and $Ma{x}_{\mathbb{U}}Suc{c}_2⩽{\epsilon }_2$ since both they depend on the advantage $Ad{v}_{\mathbb{U},TPPPAKA}^{\Theta }$ and $Ad{v}_{\mathbb{U},TPPPAKA}^{hash}$, respectively. As a result, no adversary $\mathbb{U}$ has the ability to derive the identity ID_i of the A and the session key SK between the user A and the user B.

Table 1. Algorithm 1.

1. Intercept the login message {CA}, CA = EKAS(IDA, IDB, Ta(x), FA)

2. Call Reveal oracle 1. Let $(I{D}_A^{\prime },I{D}_B^{\prime },T_a{\left(x\right)}^{\prime },F_A^{\prime })\leftarrow Reveal\left(C_A\right)$

3. Intercept the authenticated message {CB}, where CB = EgB(IDA, IDB, Ta(x), FB)

4. Call Reveal oracle 1. Let $(I{D}_A^{\prime \prime },I{D}_B^{\prime \prime },T_a{\left(x\right)}^{\prime \prime },F_B^{\prime \prime })\leftarrow Reveal\left(C_B\right)$

5. If (Ta(x)′′ = Ta(x)′) then

6. Accept $I{D}_A^{\prime }$ as the true identity of the user A

7. return 1

8. else

9. return 0

10. end if

Table 2. Algorithm 2.

1. Intercept the login message {VA}, where VA = h(IDA, SK)

2. Call Reveal oracle 2. Let $(I{D}_A^{\prime },S{K}^{\prime })\leftarrow Reveal\left(V_A\right)$

3. Intercept the authenticated message Intercept the login message {VA},

where VB = h(IDB, SK)

4. Call Reveal oracle 1. Let $(I{D}_A^{\prime \prime },S{K}^{\prime \prime })\leftarrow Reveal\left(V_B\right)$

5. If ($I{D}_A^{\prime }=I{D}_A^{\prime \prime }$) then

6. Accept SK′ as the correct session key between A and B

7.  return 1

8. else

9.  return 0

10. end if

6.2 Authentication proof based on BAN logic

BAN logic is an important formal mean and is widely applied for the security analysis of authentication schemes. Verification process for the protocol using BAN logic is mainly composed of four parts: Goals, Idealisation, Assumptions and Analysis. Goals, as its name suggests, the objectives of the verification; Idealisation aims at formulating the protocol step in a way for each ciphertext communication; Assumptions state some essential information, such as, which principals have generated which fresh random numbers, what keys are originally shared between the principals, and which principals are trusted in special ways. Upon all the aforementioned basis, BAN logic analysis on the protocol step by step is a natural procedure. BAN logic defines some notations and rules to verify whether the mutual authentication is achieved between corresponds. We first introduce some common notations and rules related with our analysis in the following.

Notations

P ⊲ X: principal P sees a message containing X

P| ≡ X: P believes X is true

P| ∼ X: P is known to have sent a message including X

$P\stackrel{K}{\leftrightarrow }Q$: P and Q communicate with a shared key K

#X: formula X is fresh

P ⇒ X: P has jurisdiction over X

<X, Y>_K: X and Y are encrypted with the key K

{X, Y}: X or Y is a part of the message {X, Y}

$\frac{Statement1,Statement2}{Statement3}$: a conjunction of statements1 and 2 can infer statement3

Rules

$\frac{A|\equiv A\stackrel{K}{\leftrightarrow }B,A⊲{\left\{X\right\}}_K}{A|\equiv |B\sim X}$(Message-meaning rule): if A believes that the key K is shared with B and and receives a message containing X encrypted under K, then A believes that B once said X.

$\frac{A|\equiv \#X,A|\equiv B|\sim X}{A|\equiv B|\equiv X}$(Nonce-verification rule): if A once said X, and A believes that B once said X, then A believes that A believes X.

$\frac{A|\equiv \#X}{A|\equiv \#(X,Y)}$(Fresh conjuncatenation rule): if A believes a component of a formula (X, Y) is fresh, then A believes the formula is fresh.

$\frac{A|\equiv B\Rightarrow X,A|\equiv B|\equiv X}{A|\equiv X}$(Jurisdiction rule): if A believes that B has controlled over X, and A believes that B believes X, then A trusts B on the truth of X.

(1) We establish the following goals which the session key agreement protocol should achieve:

$goa{l}_1.A|\equiv A\stackrel{SK}{⟷}B$

$goa{l}_2.A|\equiv B|\equiv A\stackrel{SK}{⟷}B$

goal₃. A| ≡ B| ≡ ID_B

$goa{l}_4.B|\equiv A\stackrel{SK}{⟷}B$

goal₅. B| ≡ ID_A

goal₆. B| ≡ A| ≡ ID_A

$goa{l}_7.B|\equiv A|\equiv A\stackrel{SK}{⟷}B$

(2) We idealize the communication messages of the proposed scheme as below:

A → S:

$C_A:<I{D}_A,I{D}_B,F_A,T_a\left(x\right){>}_{A\stackrel{K_{AS}}{⟷}S}$,

$F_A:<I{D}_A,I{D}_B,T_a\left(x\right){>}_{A\stackrel{g_A}{⟷}S}$.

S → A:

$R_{AS}:<T_{S1}\left(x\right),T_b\left(x\right),Z_{AS},I{D}_A{>}_{A\stackrel{K_{AS}}{⟷}S}$,

Z_AS: (ID_A, ID_B, T_b(x), T_S1(x)).

S → B:

$C_B:{\{T_a\left(x\right),I{D}_A,I{D}_B,F_B\}}_{A\stackrel{g_B}{⟷}S}$,

F_B: h(T_a(x), ID_B),

$R_{BS}:<I{D}_B,T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}{>}_{B\stackrel{K_{BS}}{⟷}S}$,

Z_BS: h(ID_A, ID_B, T_a(x), T_S2(x)).

B → S:

$P_B:<T_b\left(x\right),H_B{>}_{B\stackrel{g_B}{⟷}S}$,

H_B: (ID_B, T_b(x)).

A → B:

$V_A:<I{D}_A,SK{>}_{A\stackrel{SK}{⟷}B}$.

B → A:

$V_B:<I{D}_B,SK{>}_{A\stackrel{SK}{⟷}B}$.

(3) We make some initial assumptions for the proposed scheme as follows:

A₁. A| ≡ #a

A₂. B| ≡ #b

A₃. B| ≡ ID_B

A₄. A| ≡ ID_A

$A_5.A|\equiv A\stackrel{K_{AS}}{⟷}S$

$A_6.S|\equiv A\stackrel{K_{AS}}{⟷}S$

A₇. A| ≡ ID_B

$A_8.A|\equiv A\stackrel{T_r\left(x\right)}{⟷}S$

$A_9.S|\equiv A\stackrel{T_r\left(x\right)}{⟷}S$

$A_{10}.A|\equiv A\stackrel{T_{aS1}\left(x\right)}{⟷}S$

$A_{11}.S|\equiv A\stackrel{T_{aS1}\left(x\right)}{⟷}S$

$A_{12}.B|\equiv B\stackrel{T_{bS2}\left(x\right)}{⟷}S$

$A_{13}.S|\equiv B\stackrel{T_{bS2}\left(x\right)}{⟷}S$

$A_{14}.B|\equiv B\stackrel{K_{BS}}{⟷}S$

$A_{15}.B|\equiv B\stackrel{g_B}{⟷}S$

Now, using the rules of the BAN logic, we demonstrate the proposed scheme can attain the intended goals based on the above descriptions:

According to the message C_A, we derive:

D₁. $S⊲<I{D}_A,I{D}_B,F_A,T_a\left(x\right){>}_{A\stackrel{K_{AS}}{⟷}S}$

According to A₆, D₁ and message-meaning rule, we get:

D₂. $\frac{S⊲<I{D}_A,I{D}_B,F_A,T_a\left(x\right){>}_{A\stackrel{K_{AS}}{⟷}S},S|\equiv A\stackrel{K_{AS}}{⟷}S}{S|\equiv A|\sim \{I{D}_A,I{D}_B,F_A,T_a\left(x\right)\}}$

According to R_AS, we obtain:

D₃. $A⊲<T_{S1}\left(x\right),T_b\left(x\right),Z_{AS},I{D}_A{>}_{A\stackrel{K_{AS}}{⟷}S}$

According to A₅, D₃ and message-meaning rule, we get:

D₄. $\frac{A⊲<T_{S1}\left(x\right),T_b\left(x\right),Z_{AS},I{D}_A{>}_{A\stackrel{K_{AS}}{⟷}S},A|\equiv A\stackrel{K_{AS}}{⟷}S}{A|\equiv S|\sim \{T_{S1}\left(x\right),T_b\left(x\right),Z_{AS},I{D}_A\}}$

According to D₄, A₄ and fresh conjuncatenation rule, we obtain:

D₅. $\frac{A|\equiv I{D}_A,A|\equiv S|\sim \{T_{S1}\left(x\right),T_b\left(x\right),Z_{AS},I{D}_A\}}{A|\equiv \{T_b\left(x\right),T_{S1}\left(x\right),Z_{AS}\}}$

According to D₅, we immediately retrieve:

D₆. $\frac{A|\equiv \{T_{S1}\left(x\right),T_b\left(x\right),Z_{AS}\}}{A|\equiv T_{S1}\left(x\right),A|\equiv T_b\left(x\right),A|\equiv Z_{AS}}$

According to D₆, SK = T_a(T_b(x)) and A₁, we also eventually achieve:

goal₁. $\frac{A|\equiv T_b\left(x\right),SK=T_a\left(T_b\left(x\right)\right),A|\equiv \#a}{A|\equiv A\stackrel{SK}{⟷}B}$

According to the message V_B, we gain:

D₇. $A⊲{(I{D}_B,SK)}_{A\stackrel{SK}{⟷}B}$

According to D₇, goal₁ and message-meaning rule, we get:

D₈. $\frac{A⊲{(I{D}_B,A\stackrel{SK}{⟷}B)}_{SK},A|\equiv A\stackrel{SK}{⟷}B}{A|\equiv B|\sim \{I{D}_B,A\stackrel{SK}{⟷}B\}}$

According to goal₁, D₈ and nonce-verification rule, we attain:

goal₂. $\frac{A|\equiv A\stackrel{SK}{⟷}B,A|\equiv B|\sim A\stackrel{SK}{⟷}B}{A|\equiv B|\equiv A\stackrel{SK}{⟷}B}$

According to D₈, A₇ and nonce-verification rule, we achieve:

goal₃. $\frac{A|\equiv I{D}_B,A|\equiv B|\sim I{D}_B}{A|\equiv B|\equiv I{D}_B}$

According to the message R_BS, we extract:

D₉. $B⊲<I{D}_B,T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}{>}_{B\stackrel{K_{BS}}{⟷}S}$

According to A₁₄, D₉ and message-meaning rule, we collect:

D₁₀. $\frac{B⊲<I{D}_B,T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}{>}_{B\stackrel{K_{BS}}{⟷}S},B|\equiv B\stackrel{K_{BS}}{⟷}S}{B|\equiv S|\sim \{I{D}_B,T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}\}}$

According to A₃, D₁₀ and fresh conjuncatenation rule, we acquire:

D₁₁. $\frac{B|\equiv I{D}_B,B|\equiv S|\sim \{I{D}_B,T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}\}}{B|\equiv \{T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}}$

According to D₁₁, we intuitively collect:

D₁₂. $\frac{B|\equiv \{T_{S2}\left(x\right),T_a\left(x\right),Z_{BS}\}}{B|\equiv T_{S2}\left(x\right),B|\equiv T_a\left(x\right),B|\equiv Z_{BS}}$

According to A₂, D₁₂ and SK = T_b(T_a(x)), we naturally receive:

goal₄. $\frac{B|\equiv T_a\left(x\right),SK=T_b\left(T_a\left(x\right)\right),B|\equiv \#b}{B|\equiv A\stackrel{SK}{⟷}B}$

According to the message C_B, we obtain:

D₁₃. $B⊲{\{T_a\left(x\right),I{D}_A,I{D}_B,F_B\}}_{A\stackrel{g_B}{⟷}S}$

According to A₁₅, D₁₃ and message-meaning rule, we attain:

D₁₄. $\frac{B⊲{\{T_a\left(x\right),I{D}_A,I{D}_B,F_B\}}_{A\stackrel{g_B}{⟷}S},B|\equiv B\stackrel{g_B}{⟷}S}{B|\equiv S|\sim \{T_a\left(x\right),I{D}_A,I{D}_B,F_B\}}$

According to A₃, D₁₄ and fresh conjuncatenation rule, we derive:

goal₅. $\frac{B|\equiv I{D}_B,B|\equiv S|\sim \{T_a\left(x\right),I{D}_A,I{D}_B,F_B\}}{B|\equiv \{I{D}_A\}}$

According to V_A, we collect:

D₁₅. $B⊲{(I{D}_A,SK)}_{A\stackrel{SK}{⟷}B}$

According to A₁₅, goal₄ and message-meaning rule, we attain:

D₁₆. $\frac{B⊲{(I{D}_A,A\stackrel{SK}{⟷}B)}_{SK},B|\equiv A\stackrel{SK}{⟷}B}{B|\equiv A|\sim \{A\stackrel{SK}{⟷}B,I{D}_A\}}$

According to goal₅, D₁₆ and nonce-verification rule, we get:

goal₆. $\frac{B|\equiv I{D}_A,B|\equiv A|\sim I{D}_A}{B|\equiv A|\equiv I{D}_A}$

According to goal₄, goal₅ and nonce-verification rule, we get:

goal₇. $\frac{B|\equiv A|\sim A\stackrel{SK}{⟷}B,B|\equiv A\stackrel{SK}{⟷}B}{B|\equiv A|\equiv A\stackrel{SK}{⟷}B}$

6.3 Informal security analysis

In this part, we demonstrate the strong ability of the proposed scheme. Specifically, we will show that the proposed scheme is secure against the loopholes which found in the scheme of Xie et al. Besides, the proposed scheme also provide other common security features. To facilitate the discussion, we also adopt the attack model proposed by Xu et al. [35], that is, an adversary can completely monitor the open communication channel, thus inserting, deleting, and modifying any messages among correspondents.

6.3.1 User anonymity

We employ symmetric cryptography to safeguard user identity. Specifically, the identities {ID_A, ID_B} are contained only in C_A, R_AS or C_B, G_B and R_BS in the form of ciphtertext, where C_A = E_KAS(ID_A, ID_B, F_A), R_AS = E_KAS(T_S1, T_b(x), Z_AS), Z_AS = h(ID_A, ID_B, T_b(x), T_S1(T_a(x))), C_B = E_gB(T_a(x), h(T_a(x), T_gB(ID_B)), G_B = E_KBS(ID_B, H_B), R_BS = E_KBS(T_S2, T_a(x), Z_BS), Z_BS = h(ID_A, ID_B, T_a(x)), K_AS = T_a(T_k(x)), g_A(B) = h₁(pw_A(B), r_A(B)). From the above we can see that both the identities of A and B are protected by the server’s public key, chaotic-maps, hash function and symmetric cryptographic operations. Besides, used parameters include secret keys and random numbers are not exposed in the public channel. For example, suppose an adversary $\mathbb{U}$ eavesdrops the message C_A and he plans to derive the identity of A. He first needs to know K_AS = T_a(T_k(x)). To obtain T_a(x) from intercepted H_A = T_a(x) ⊕ T_r(x), the shared secret key r is needed. In general, it is hard to derive from the transmitted messages. Our proposed scheme is therefore secure from trace attack.

6.3.2 Avoidance of insider attack

In the registration phase of our proposed scheme, A and B send g_A = h₁(pw_A, r_A) or g_B = h₁(pw_B, r_B) to the server S, respectively. When S receiving the registration request, he cannot retrieve the cleartext password pw_A or pw_B owing to the unawareness of the random numbers r_A and r_B. Therefore, the proposed scheme can protect against the insider attack.

6.3.3 Avoidance of off-line password guessing attack

$\mathbb{U}$ intercepts all the communicated messages {C_A, H_A, C_B, P_B, G_B, R_AS, R_BS}, he still cannot derive password of user B. Assume that $\mathbb{U}$ steals the stored information {VPW_A} or {VPW_B}, where VPW_A(B) = h₁(pw_A(B), r_A(B)) ⊕ h₁(ID_A(B), k). Even if the secret key k of S is compromised, $\mathbb{U}$ also requires the random number r_A(B). In addition, the identity of A or B is also needed. This point has been ensured by user anonymity. This means the off-line password guessing attack is not able to come true in our scheme.

6.3.4 Avoidance of user impersonation attack

By virtue of being discussed in the previous subsection, $\mathbb{U}$ is not possible to guess the correct password, let alone masquerade as a legal user to cheat the services provided by the server S. Once $\mathbb{U}$ fabricates the password and sends the forged message {C_A} or {P_B} to the server S. After receiving the message, S will decrypt C_A by using its own private key k. It is clear that S will detect the attack from user by checking the correctness of F_A or H_B by using its own computed values g_A = h₁(pw_A, r_A) = VPW_A ⊕ h₁(ID_A, k) or g_B = h₁(pw_B, r_B) = VPW_B ⊕ h₁(ID_B, k). Therefore, $\mathbb{U}$ is also impossible to launch the user impersonation attack.

6.3.5 Avoidance of man-in-the-middle attack

Assume that $\mathbb{U}$ intercepts the login message {C_A = E_KAS(ID_A, ID_B, T_a(x), F_A)} and attempts to modify it. However, he has no way to know the shared symmetric key K_AS between A and S. Without the important key, he is not possible to decrypt it. Similarly, if $\mathbb{U}$ eavesdrops the message C_B = E_gB(T_a(x), F_B, ID_A, ID_B) and plans to forge it. He also face an embarrassed reality without knowledge of the shared symmetric key g_B. Therefore, the proposed scheme protects against the man-in-the middle attack. This point will be verified by the simulation result later.

6.3.6 The session key perfect forward secrecy

The session key SK = T_a(T_b(x)), where T_a(x) and T_b(x) are not directly transmitted in the public channel. On the one side, T_a(x) and T_b(x) are encrypted with the symmetric cryptographic technology or the Chebyshev polynomials, where the symmetric key is g_B and chaotic map is T_r(x). The security of symmetric key has been demonstrated in the previous subsection. On the other side, assume that $\mathbb{U}$ has the secret key of S and the stored information {VPW_A} or {VPW_B}. In this case, it is an impossible task for $\mathbb{U}$ to attempt to derive g_A or g_B due to the unknown of the identity A or B. In order to know the identity, which goes back to this discussion about user anonymity. Therefore, the proposed scheme is able to provide the session key perfect forward secrecy.

6.3.7 Mutual authentication

A sent the message {C_A, H_A} to S, where C_A = E_KAS(ID_A, ID_B, F_A), F_A = h(ID_A, ID_B, T_a(x), g_A) and H_A = T_a(x) ⊕ T_r(x). Upon receiving the message, S derives T_a(x) using the shared secret key r and then decrypts C_A to get {ID_A, ID_B, F_A} using its private key k. Next, S computes h(ID_A, ID_B, T_a(x), VPW_A ⊕ h₁(ID_A, k)) and checks whether it is equal to the decrypted from C_A. If it is correct, A is authenticated. The validness of F_B which is decrypted from C_B to verify the legitimacy of S. And the correctness of H_B which is decrypted from G_B to validate the legalization of B. Similarly, A authenticates S by checking the verification of Z_AS decrypted from R_AS. Finally, the authentication between A and B are gone through the correctness of V_A and V_B.

6.4 Formal validation of the proposed scheme using AVISPA software

In this part, we simulate the proposed scheme using the commonly used AVISPA (Automated Validation of Internet Security Protocols and Applications) toolkit [30–31] to validate the passive and active attacks including man-in-the-middle and replay attacks that has been withstand. AVISPA integrates four backends: (i)OFMC; (ii)CL-AtSe; (iii)SATMC; (iv)TA4SP for the analysis of security schemes and implements in the role based HLPSL (High Level Protocol Specification Language). After execution through the OFMC and CL-AtSe backends, the results (Figs 3–4) clearly verify that the proposed scheme is secure under the Dolev-Yao model. The specifications for the roles for U_A(S1 Fig), U_B(S2 Fig), S(S3 Fig), the Session(S4 Fig) and the Environment(S5 Fig) in HLPSL are provided in Supporting Information.

Fig 3. Simulation result for the OFMC.

Fig 4. Simulation result for the CL-AtSe.

7 Performance comparisons

In this section, we evaluate the performance of our proposed scheme and make comparisons with the recent chaotic-maps based schemes [28, 2, 4, 9]. The following types of computation costs will be used to evaluate the feasibility of the attack in terms of its computational complexity.

T_cp: time for computing Chebyshev polynomial;

T_h: time for computing hash function;

T_S: time for performing symmetric cryptography;

T_pm: time for computing point multiplication;

T_m: time for performing MAC generation/verification.

Table 3 shows the computation overhead comparisons of our proposed scheme and some recent three-party schemes. We mainly address on the consumptions of authentication and session key agreement due to these are the principal parts of an authentication scheme and should be performed for each session. In Table 3, it is obvious that our improvements need a sight higher computational cost than Xie et al.’s scheme while consuming less than others, where the time for performing a point multiplication is much more expensive than the lightweight cryptographic operations, and a symmetric encryption/decryption operation is almost as many costs as a hash function [34]. However, it is worth an additional chaotic-maps and symmetric cryptographic operations to achieve strong security and better functionality attributes compared with Xie et al.’s scheme.

Table 3. Performance comparison.

	Ours	Xie et al. [28]	Chou et al. [2]	He-Wang [4]	Nam et al. [9]
User	3Tcp + 4Th + 4Th	3Tcp + 3Th	3Tpm + 2Th	3Tpm + 7Th	3Tpm + 1TS + 4Th + 1Tm
Second party	2Tcp + 3TS + 5Th	3Tcp + 3Th	3Tpm + 2Th	2Tpm + 5Th	1Tm + 1TS + 1Th
Third patry	5Tcp + 5TS + 7Th	4Tcp + 6Th	3Tpm + 8Th	2Tpm + 9Th	1Tm + 1TS + 2Th
Communication rounds	6	5	6	6	4

Table 4 lists the security comparisons among our proposed scheme and some recent three-party schemes. It demonstrates that our scheme has many excellent features and is more secure than other recent three-party schemes.

Table 4. Security properties comparison.

	Ours	Xie et al. [28]	Chou et al. [2]	He-Wang [4]	Nam et al. [9]
Session key perfect forward secrecy	Yes	No	Yes	Yes	Yes
Mutual authentication	Yes	Yes	Yes	Yes	Yes
User anonymity	Yes	No	No	Yes	Yes
Insider attack	Yes	Yes	-	Yes	No
Off-line password guessing attack	Yes	No	-	Yes	No
Impersonation attack	Yes	No	No	No	No

8 Conclusion and future work

This paper discussed the security of the recent scheme proposed by Xie et al. We showed that the recent scheme had several security pitfalls. Besides, we found that it was insecure only using hash function. To mend all the identified weaknesses, we then presented an enhancement which utilized asymmetric cryptography to conceal the user’s identity. We demonstrated that the improvements not only was immune to the loopholes found in Xie et al.’s scheme but also was secure other common attacks. We also performed the BAN logic test and confirmed the mutual authentication is achieved in our scheme. The formal security analysis also shows our scheme supports more security properties. The performance comparison between the recent schemes and the proposed scheme showed our improvements was more secure than other schemes. Actually, it is not negligible that based on chaotic maps has inevitable restrictions in some applications and an ID-based solution is a better one. Therefore, our near future work is to address to design a robust ID-based authenticated key agreement scheme.

Supporting Information

S1 Fig. Role specification of U_A.

(EPS)

S2 Fig. Role specification of U_B.

(EPS)

S3 Fig. Role specification of S.

(EPS)

S4 Fig. Role specification of the Session.

(EPS)

S5 Fig. Role specification of the Environment.

(EPS)

Data Availability

All relevant data are within the paper and its Supporting Information files.

Funding Statement

This paper is supported by the National Natural Science Foundation of China (Grant Nos. 61472045, 61573067), the Beijing Natural Science Foundation (Grant No. 4142016), the BUPT Excellent Ph.D. Students Foundation (Grant No. CX2015310), and the Asia Foresight Program under NSFC Grant (Grant No. 61411146001). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.