A construction of a conformal Chebyshev chaotic map based authentication protocol for healthcare telemedicine services

The outbreak of coronavirus has caused widespread global havoc, and the implementation of lockdown to contain the spread of the virus has caused increased levels of online healthcare services. Upgraded network technology gives birth to a new interface “telecare medicine information systems” in short TMIS. In this system, a user from a remote area and a server located at the hospital can establish a connection to share the necessary information between them. But, it is very clear that all the information is always being transmitted over a public channel. Chaotic map possesses a dynamic structure and it plays a very important role in the construction of a secure and efficient authentication protocols, but they are generally found vulnerable to identity-guess, password-guess, impersonation, and stolen smart-card. We have analyzed (Li et al. in Fut Gen Comput Syst 840:149–159, 2018; Madhusudhan and Nayak Chaitanya in A robust authentication scheme for telecare medical information systems, 2008; Zhang et al in Privacy protection for telecare medicine information systems using a chaotic map-based three-factor authenticated key agreement scheme, 2017; Dharminder and Gupta in Pratik security analysis and application of Chebyshev Chaotic map in the authentication protocols, 2019) and found that Bergamo’s attack (IEEE Trans Circ Syst 52(7):1382–1393, 2005) cannot be resisted by the protocol. Although few of the protocols ensures efficient computations but they cannot ensure an anonymous and secure communication. Therefore, we have proposed a secure and efficient chaotic map based authentication protocol that can be used in telecare medicine information system. This protocol supports verified session keys with only two messages of exchange. Moreover, we have analysed the performance of proposed protocol with relevant protocols and it is being implemented in “Automated Validation of Internet Security Protocols and Applications” respectively.

a secure authentication protocol. Security and privacy of "Telemedicne Information System" are the impressive components that are of great interest to the field of health care. Because the Internet is truly an open network with many potential security gaps, close consideration and measures must be required to ensure safe medical facilities and the safety of patient data. Both health care and treatment are two very important factors in the human's life (see data in Fig. 1). Upgraded technology in the field of online health care services such as variety of medical sensors, smart phones, and smart robotics helps the patients to facilitate the health care services in the remote areas. In these days, most of the doctors are employing robots and smart digital sensor in surgeries is an application of computer science in health care services [40,41]. There are other applications such as artificial intelligence and machine learning are used to detect the medical conditions of a patient. Nowadays, a patient possessing smart Patients can be benefited with online health care services via their smart phones, i-pads, and other smart sensors, but their security and privacy are two very important components during communication on public channel. In 2012, Wu et al. [10] designed a secure and anonymous authentication protocol to benefit the patients at their home. In the same year, Wei et al. [9] analyses the security of the protocol [10] and it is found vulnerable to two-factor authentication. In order to eradicate the two-factor authentication defect, a fresh design is needed for two-factor authentication. In the same year, Zhu [12] discussed the security attributes such as password guessing in the protocol [9] and invented a password-guess resistant protocol, although he didn't seem to think about communicating anonymously. In 2012, Chen et al. [4] designed an efficient and secure lightweight authentication protocol that preserves an anonymous communication in health care telemedicine services.
In 2013, Lin et al. [7] observed that identity can traced in [4] using both dictionary and password guess along with stolen smart card information. He tried to remove most of the existing attacks and he invented an anonymous authentication protocol. In the same year, Cao and Zhai [3] discussed both security and privacy of [4] and they found that the protocol is vulnerable against both identity guess and password guess along with the information stored in the smart card. Three protocols discussed [3,7,12] are found insecure to input ver-ification procedure due to which they cannot differentiate incorrect inputs with in short time interval. The anonymous communication is another important factor that is missing in [9,10,12,32] respectively. In 2013, Guo et al. [14] used the complex dynamic structure of chaotic maps to design a new secure authentication protocol, but Hao et al. [15] discussed the security of the protocol and he found that two important attributes traceability and anonymity are missing, and he tried to fill the gap with a new design [14]. In 2014, Jiang et al. [16] reviewed both security and privacy attributes in [15] and he found the protocol is vulnerable to stolen smart card attack.
In the year 2016, Li et al. [21] designed a secure and efficient chaotic map-based authentication protocol to secure the communication in health care services, but in the year 2018, Madhusudhan et al. [20] discussed the attacks in [21] such as password guess, and impersonations, and he tried to remove these attacks as discussed in [20]. In the year 2018, Jiang et al. [28] introduced a secure and efficient protocol to improve the telemedicine services in health care sector, but it is not much efficient and it requires to exchange three messages to establish secure and fresh session key. In the same year 2018, Wu et al. [29] introduced a secure and efficient authentication protocol based on RFID and Radhakrishnan et al. [19] also proposed a new design to secure the health care telemedicine services, but their protocols found susceptible to password guess, identity guess and also for stolen card information too. In the same year 2018, Zhang et al. [25] introduced a lightweight and secure authentication protocol for the mobile devices used in heath care telemedicine services, but it is also susceptible to identity guess, password guess and replay attacks. In 2018, Madhusudhan et al. [20] designed an efficient, and secure, and robust protocol for telecare services, but Dharminder et al. [35] discussed the security of the protocol [20] and they found it susceptible to identity guess, password guess, impersonations, and stolen smart card. In the same year 2020, Dharminder et al. [34] introduced a new design for authentication scheme based on RSA, but it uses the modulo operations that decreases the efficiency of the protocol due to costly modulo exponentiation.
In the Table 2, we have observed various security attributes achieved by the existing relevant chaotic map based authentication protocols used to secure TMIS system, where the symbol √ denotes "yes", and × denotes "not" respectively. In the Tables 1, 2 one can see that existing protocols in the TMIS environment suffers various vulnerabilities such as password-guess, identity-guess, impersonations, replaying of older messages, and stolen smart card attacks. In the proposed design, we have discussed two important components security and privacy in the form of security attributes such as identity guess, impersonations, password guess, anonymity, replaying of messages, and stolen smart card information in the protocols [1,20,25,35] respectively. In the design [35], we have analyzed that a user U i selects I D i , PW i and calculates A i = h(I D i ||PW i ), then he sends < I D i , A i > to the server. Next, the server chooses a random n i ∈ Z * p , and does the computation Similarly, in the design [1], we have analyzed a vulnerability in the session key established during the communication. In the design [1], an adversary A obtains the information from earlier transmitted information M 1 and M 2 . Moreover, A computes u with knowledge of x, Where k is a positive integer, then A computes T s T u (x) = T s T u (x) = Sk u = Sk s that plays the role of session key during communication.
Similarly, in the design [20], we have analyzed a vulnerability in the session key established during the communication. In the design [20], an adversary A obtains the information from earlier transmitted messages that plays the role of session key during communication.
To handle the issues in [1,20,25,35], we have an idea to compute x = h(I D i ||s), where I D i is the identity of i th user and "s" is the long term secret key of the server, in this way a user possesses x that results from different I D i concatenated with master key of the server to produce different secret keys x for each of the user. Now, the x will plays the role in place of master secret that is different for each of the user. Therefore, we have designed a new authentication protocol possessing both security and efficiency using the dynamic Chaos theory. The security of the presented scheme have been analyzed in random Oracle with this we also use the tool for authentication called "Automated Validation of Internet Security Protocols and Applications" respectively. Moreover, the presented protocol resists session key violation problem, that is proposed by Bergamo et al. [33] and establishes a session key with just two messages of exchange.

Preliminaries
In this section, we will discuss some of the basic notations, terminologies and basic properties of conformal Chaos maps used in the proposed protocol. A conformal map is an anglepreserving transformation that preserves local angles. A brief review of some of the useful notations are also given in Table  3.

Chebyshev chaotic mapping
As seen in Fig. 3, chaotic maps have a complex dynamic structure and it is well known for its pseudo randomness. In this subsection, we have discussed some of basic definitions and dynamic properties [17].
where the values y and x are known to the adversary. Then this problem is know as Discrete Logarithm Problem (DLP).

Definition 3 Computational Diffie-Hellman Problem (CDHP)
can be stated to find T uv (x), where the values x, T u (x) and T v (x) are known to the adversary.

Fuzzy extractor
A fuzzy extractor(E f ) [2] is an extraction mechanism that is used to extract a random uniform string from biometric imprints (bm i ). It consists of two algorithms I (.) and R(.). I (.) is a probabilistic algorithm that produced two strings b 1 , b 2 as output after taking bm i an input parameter, where b 1 is private key and b 2 is a helper string. R(.) is an algorithm that is used to regenerate the private key b 1 after taking noisy biometric parameter bm i and helper string b 2 as input, where

Proposed authentication protocol under chaotic mapping
We have proposed a secure and efficient chaotic map based authentication that can be divided into four phases, (1) registration-phase, (2) login-phase, (3) authentication-phase and (4) password-update-phase.

Registration-phase
U i registers to the concern server Sr j via a secure channel as written in the following lines.
-U i selects I D i , Ps i , and imprints his own biomet-

Login phase
If U i wants to login to Sr j then:

Password update phase
To update password U i , executes the following steps:

Formal security analysis
At first, we have to define a framework P to verify the security of the presented protocol and then, under random oracle, we will implement the presented protocol. Security-model Suppose the i th instance of a user U i is denoted by M i ∈ (U i , Sr j ), and A be an attacker that governs the connection between U i and Sr j . An illustration of A, is therefore stated as follows: Extract: With the help of extract query, A could get the private key of a user U i .

Send(m, M i ):
With the help of send query, A could be able to send arbitrary message m, to random oracle then in response of m, random oracle have to reply with a computational output.
Hash(m): In this query A sends random massage m to H (.), then oracle select s ∈ Z * p randomly and reply with s, after storing it into hash list H i j with m. Initially H i j assumed to be empty. Suppose a bit b is selected from corrupt query phase and Succ(A) correctly estimates the value of b, then the advantage Adv A,P (k), against the protocol retained by adversary is specified as: Mutual authentication is established by security analysis in Random Oracle for the suggested scheme.
Chaotic based assumption: Suppose x ∈ Z * p is a secret key of Sr j , p is a prime number with length n, then from generation algorithm Gen(1 n ) = p ∃ a negligible function neg(n) such that:

Send-queries:
In send query there are three phases discussed as below, first U i request for login to Sr j , then U i sends a message < (Ui 4 , N I D i , T 1 ) > to Sr j , and at last Sr j responds (Si 4 , T 2 ). We will describe this phase by a game between U i and Sr j respectively.

1.
A start it with sending a query, in response of that Mo is supposed to reply a login message to A.
where r is chosen arbitrarily, then check the equation So, we can observe that the algorithm M o has the advantage, so if A can breach the scheme, then M o can breach the suggested protocol, using subroutine A.

Theorem 3 The protocol is secured against chosen massage attack in RO model, if Chaotic discrete logarithm problem (CDLP) holds.
Proof By contradiction, let us prove this, let us say that there is A, who breaches proposed scheme against chosen massage attack, so we can model model an algorithm mo that violates the discrete logarithm presumption based on the Chaotic map (CDLP), which implies that A breaches the proposed system, then mo breaches the proposed system as well, which means A breaches the proposed scheme with non-negligible advantage. Since CDLP says challenger can obtain s, q ← Z n * by running Gen(.) algorithm and returns (1 n , T y (s) ) to Mo. Now Mo has to return s without having y. Game 3: To guess y correctly, A has three options:

Game 1: Suppose that
to oracle with a random z, then it calculates C 1 = T z (r ), else RO(z) = y, and reports y = y. However, A have non negligible chance of conducting such a query, so Mo will win with a non-negligible gain. However, it has been concluded that Mo violates the assumption with a marginal chance that implies A has a neg(n) gain.

Anonymous
If for any protocol, it is impossible for any adversary, to find user's real identity then we says that protocol follows the anonymous property. In our protocol, user's identity is not used over public channel, instead we use N I D i = (Ui 3 ||Ui 5 ||I D i ) ⊕ T y (Si 1 ). Adversary can intercept N I D i and Ui 4 but it is not possible for adversary to extract I D i from N I D i because for that A needs to compute T s (Ui 4 ) that requires long term secret key s of server.

Password guessing attack
Password guessing attack is not possible on proposed scheme because A needs Si 3 , Ui 2 , I D i , H i simultaneously to implement it successfully. Adversary might get Si 3 , Ui 2 by side channel attack or by power analysis attack but then he also need I D i and H i , which is not possible.

Privileged insider attack
Since in registration phase user U i send I D i , Ui 1 to the server Sr j , where Ui 1 = h(I D i ||Ps i ||H i ). So it is not possible for any insider to know the password and biometric of any user because these are protected by hash function h(.). It makes proposed scheme secure against privileged insider attack.

Impersonation attack
If A wants to act like a legitimate user, he needs to send N I D i correctly to the server, where N I Again if A wants to impersonate server then he need to create Si 4 correctly and for this A needs server's long term term secret key s. So above discussion suggest that proposed scheme is secure against impersonation attack.

Reply attack
Since we use different random number y for every session in proposed scheme where session key depends upon y, with this we also use time stamp, to avoid this type of attacks. For every session, the timestamp is uniquely chosen. The timestamp uniqueness property limits the duplication of log-in messages. This indicates that the proposed system is responsive to replay attacks.

Perfect forward secrecy
Even if long term secret key s is compromised, suggested scheme is secure. Because to create session key A needs to compute x and for this A need I D i which is not possible because we do not send I D i through public channel.

Man in the middle attack
If any adversary A wants to implement man in the middle attack then firstly A, intercept the massage Ui 4 , N I D i , T 1 , where Ui 4 = T y (I D i ) and N I D i = (Ui 3 ||Ui 5 ||I D i ) ⊕ T y (Si 1 ) = (Ui 3 ||Ui 5 ||I D i ⊕ T y T s (I D i ). Since I D i of U i is hidden in N I D i and it is not practically possible for any adversary to extract I D i from public channel information therefore adversary fails to forge Ui 4 . So proposed scheme is secure against man in the middle attack.

Stolen card attack
If adversary get access to the smart card of a user and extract P i , Si 3 and Ui 2 from smart card. Even then he could not able to get any meaningful information, that helps A to breach the security of proposed protocol because all of these are secured by hash function. A needs I D i , Ps i and H i simultaneously get useful information which is not possible.

Simulation and output using "Automated Validation of Internet Security Protocols and Applications"
In this subsection, we simulate the scheme using "Automated Validation of Internet Security Protocols and Applications" in short AVISPA tool to analyse formal security (man in the middle attack, replay attack) [36]. We have provided essential illustration on the basic output in OFMC and ATSE modes in Fig. [6].

Performance analysis
In this section, we have analyzed the performance of the proposed protocol and the performance of the proposed protocol has been compared with the related chaotic map based authentication scheme in the Table 4, where the cost of various operations are h t ≈ 0.0005s, s t ≈ 0.0087s, m t ≈ 0.06307s, and c t ≈ 0.02102s denote the time for hashing, message encryption under symmetric key, one ordinary multiplication in Z * p and chaotic based operation respectively.
We have analysed the performance of chaotic map based authentication protocols [1,15,16,20,22,24,25] with the proposed protocol. As we know our mobile phones has limited storage and random access memory, and internet connectivity is another problem, that all the telecare medicine services runs on limited bandwidth network that is why we need a secure and efficient authentication protocol. Both computation and communication efficiency are very important and these two costs of computations have been compared with existing protocols in the Table 4. The various operation cost estimated via executing an experiment on intel Pentiums−4 (1024 MB ram) processor as in [6,35] with this computation cost described in Fig. 7.
In addition, Liu et al. [22] runs with computation cost 4h t + 2c t at user side, 5h t + 2c t at server side, Jiang et al. [16], at user side runs with computation cost 2h t + s t + c t at server side use 2h t +2s t +3c t , Hao et al. [15] at user side runs  with computation cost 2c t + 3h t + 2s t , at sever computation cost is 2c t + 3s t + 2h t , Lee et al. [24], at the user side runs with computation cost 2c t + 7h t , at the server side it takes 2c t +8h t , Zhang et al. [25] runs with computation cost 6h t +2c t on the user side, and at server cost is 4h t +1c t +2s t , Madhusudhan et al. [20] at user side runs with computation cost 7h t + 2c t , at server side 3h t + 2c t , Li et al. [1] runs with computation cost 7h t + 2c t at the user side, and at server side cost is 7h t + 2c t , whereas the suggested protocol runs with computation cost 4c t + 4h t at the user side, 2c t + 4h t at the server side respectively. In this article, we have considered the cost of communication in the form of hashing, chaotic operation, and time-stamp as 160-bits, and symmetric encryption outputs standard 256 bits, whereas total cost of communication is given in the

Conclusion
This article provides a review on the security of recently proposed chaotic map based authentication protocol. The suggested design is free from most of the existing vulnerabilities such as password-guess, identity-guess, impersonations, replaying of messages, and stolen smart cards attacks and it also gives the idea how a poor verification results vulnerabilities. Furthermore, we have observed that the proposed design fulfills the requirement of session key verification in just two message exchange. In future, we can implement the protocol in vehicular communications, and digital rights management system etc.

Conflict of interests All the authors have no conflict of interests.
Research involving human participants/animals Research does not involve any human participant and/or animal performed by any of the authors.
Informed consent All the authors have agreed to this submission.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.