Abstract
Nowadays, communication technologies are more and more strongly advanced, such as 4G or 5G. There are many useful online applications, and one of them is the telecare medical information system (TMIS). If the TMIS is widely deployed, patients and doctors will have more frequently connection. Clearly, this enhances our quality of life. One of the most important modules securely constructing this convenient TMIS is the userauthentication scheme. We should prevent user identity and related information from the adversary’s eavesdropping. Therefore, the authentication scheme could provide user anonymity and concern some kinds of attacks, such as impersonation or passwordguessing attacks. Common solutions are a combination of hash function and publickey cryptosystem (RSA or elliptic curve cryptosystem, ECC), but current schemes do not consider identity protection as one main task necessary for medical information environment. In this paper, our results consist of some important analyses of previous works and a multiserver userauthentication scheme suitable for TMIS using Chebyshev polynomial with two models: random oracle and BANlogic.
1. Introduction
With evolutionary changes in technological fields, all aspects of modern life are influenced positively, especially in medical onlineservice systems. Internet gives us a chance of providing convenience to our customers. Instead of directly coming to the medical centre or hospital, many people like to experience anytime. Nowadays, people use wearable devices, such as smart watch or bracelet, and make connections with the online medical system to quickly receive some doctors’ advises. It can be said that remote services are an inevitable trend to satisfy remote experiences. In such services, we need to protect the users’ profiles from illegitimate accesses. All exchanged messages between the user and server in a working session need keeping secret. In any application, the user and server must know if their partner is real or fake. Therefore, the authentication scheme is necessary to provide security and privacy for both sides.
Storing a password list to verify the user’s identity is a popular method, and this is not a secure one (PAP/CHAP). This list may be stolen, and then another adversary can launch a password dictionary attack. Furthermore, the information exchanged between the user and server must be kept secure. We need to propose an efficient scheme to overcome some existing limitations. To achieve this goal, we should design an authentication scheme combined with some cryptographic primitives and hard problems to resist some common kinds of attacks. However, many authors prefer the passwordbased approach to others because it is simple and easily deployed. Some schemes [1–5] can resist some kinds of attacks at this phase, such as stolenverifier attack or replay attack. In 2010, Wu et al. [6] proposed a scheme with precomputing phase enhancing the security. The remarkable point of this idea is that a set of prestored random values provides a strong user’s anonymity. Furthermore, authors also use some cryptographic primitives, such as hash function, symmetric encryption scheme, and logarithm problem. Then, Debiao [7] pointed out that Wu’s scheme did not combine the user’s identity with secret information, and this results in impersonation attack. What Debiao claimed is true, but his improved scheme still has this pitfall. Next, Wei [8] discovered that both Debiao and Wu are vulnerable to offline passwordguessing attack, and he also proposed improved version to overcome this attack. In 2012, Zhu claimed that Wei’s scheme is still vulnerable to what Wei claimed. Zhu combined the password with a secret key to enhance the difficulty of password verification. Although Zhu’s scheme [9] overcame previous limitations, his scheme transmitted identity information without protection. Therefore, his scheme is not suitable for some privacy environments. Especially, Pu’s plugin scheme [10] can plug any twoparty password authentication protocol, 2PAKE with elliptic curve cryptography, to enhance security and save computational cost. However, this scheme also needs to be reconsidered because of unreasonable computation workloads with two session keys. In case of leaking the centre’s master key and the users’ authentication key, the scheme should protect previous exchanged messages between the user and server. That is why sessionkey perfect forward secrecy (PFS) is one of the standards evaluating a strong scheme. Knownkey attack is also a popular one at the authentication phase that receives many attentions. In this kind of attack, leaking another session key may result in attacking another session key. In 2013, Li et al. [11] proposed a scheme in multiserver environment with many improvements, in which each server has its own key. However, leaking smart card’s information may result in passwordguessing attack. In 2014, Qu and Tan [12] proposed a different ECCbased scheme. Although they used elliptic curve cryptosystem, leaking the user’s identity may result in impersonation attack. Clearly, this decreases the scheme’s reality because the identity’s nature is public. In 2015, Amin and Biswas [13] proposed a scheme in telecare medicine environment. Their scheme can resist threefactor attack, including password + smart card + biometrics. However, their scheme is still vulnerable to PFS. In 2018, Qiu et al. [14] and Xu et al. [15] proposed a scheme using ECC with untraceability property suitable for the medical services. Also, in 2019, Qiu et al. [16] proposed an ECCbased improved version using automated validation of Internet security protocol and application software. So, it can be said that this scheme has a high reliability.
Clientserver authentication is simple and timeefficient, but in such medical or financial systems, we need continuous connections between their servers. Furthermore, in singleserver environment, the customer needs many credentials for various services. Recently, using Chebyshev polynomial receives attentions from many authors. In 2016, Li et al. [17] proposed a chaotic mapbased authentication scheme in multiserver environment with provable security. Their work is truly impressive because it is based on BANlogic and random oracle models, which are tools suitable for provable authentication schemes. Their design is a threeparty participation in authentication process, so its timeconsuming is high. In 2017, Jangirala et al. [18] proposed a multiserver environment scheme based on dynamic ID. Although the correctness of their scheme is correctly proved based BANlogic, it is not applied with any hard problems. Therefore, it is hard to be a strong scheme. In the same year, Han et al. [19] and Irshad et al. [20] proposed a chaotic mapbased scheme. Han et al.’s result is a combination between hard problem (chaotic map) and cryptographic primitives, such as hash function and symmetric encryption scheme. However, we see their scheme uses threeway challengeresponse handshake technique with timestamp. In our experience, we only need two threeway challengeresponse handshake techniques needed if using timestamp. Irshad’s scheme is similar to Li’s because it is designed with threeparty architecture. Therefore, it also takes much time to authenticate. In 2018, Alzahrani et al. [21] proposed a secure and efficient TMISbased scheme. Their scheme provides TMIS environment with chaotic mapbased scheme, but they need to extend in multiserver environment. Especially, in the same year, Wang et al. [22] proposed a security model accurately capturing the adversary’s practical capabilities. We hope their model will be favourable and common soon. In this paper, we will analyse typical works [11–13, 18, 20, 21] to have some information needed to propose a new Chebyshev polynomialbased scheme in multiserver environment. Also, we have a work [23] but in the clientserver environment.
The rest of our paper is organized as follows. In Section 2, we present the background of Chebyshev polynomial. Section 3 reviews some recently typical results and analyses them on security aspect. Then, in Section 4, we propose an improved scheme in multiserver environment using Chebyshev polynomial [24] in the modular prime number field. In Section 5, we analyse our proposed scheme on two aspects, security and efficiency. Finally, the conclusion is presented in Section 6.
2. Background
Chebyshev polynomial [24] is a chaotic map in field ℝ, T_{a}: [−1, 1] ⟶ [−1, 1] (∀a ∈ ℕ): T_{a} (x) = cos (a × arcos (x)), ∀x ∈ [−1, 1].
And it can be rewritten in recursion form as follows:
In 2005, Bergamo et al. [25] analysed Chebyshev polynomial in real field and concluded that we can find r′ ≠ r, such that = . In 2008, Zhang [24] extended Chebyshev polynomial to ∞ and proved that its property in real field is also right in modular prime number field , p ∈ ℙ. This result allows to construct publickey cryptography and related hard problems. Chebyshev polynomial in can be rewritten in recursion form as in ℝ:With properties in Chebyshev polynomial, a publickey cryptography is proposed. To construct this one, we need to choose p ∈ ℙ and x ∈ [0, p − 1] and then compute with formula T_{n} (x) mod p, ∀n ∈ ℕ. Furthermore, there are also two related hard problems in this publickey cryptography [26], such as chaotic map discrete logarithm problem (CMDLP) and chaotic map Diffie–Hellman problem (CMDHP):(i)Chaotic map discrete logarithm problem (CMDLP): given p ∈ ℙ and x, y ∈ [0, p − 1], it is hard to find r ∈ ℕ such that T_{r} (x) = y mod p(ii)Chaotic map Diffie–Hellman problem (CMDHP): given p ∈ ℙ, x ∈ [0, p − 1], T_{a} (x) mod p and T_{b} (x) mod p, it is hard to find T_{a×b} (x) mod p, where a, b ∈ ℕ
3. Cryptanalysis of Some Typical Schemes
This section presents and analyses on some typical schemes.
3.1. Li et al.’s Scheme
This scheme [11] uses hash function combined with random values, including four phases: registration, login, authentication, and passwordupdate phases. Because designed for multiserver environment, the registration centre constructs the master key h (x  y) for itself and the submaster key h (SID_{j}  h (y)) for each service provider. Table 1 presents some notations used in this scheme.
3.1.1. Registration Phase
U_{i} registers with RC as follows:(i)U_{i} chooses ID_{i}, PW_{i}, and random value b and computes A_{i} = h (b ⊕ PW_{i}). Then, U_{i} sends ID_{i} and A_{i} to RC through a secure channel.(ii)On receiving {ID_{i}, A_{i}} from U_{i}, RC computes B_{i} = h (ID_{i}  x), C_{i} = h (ID_{i}  h (y)  A_{i}), D_{i} = h (B_{i}  h (x  y)), and E_{i} = B_{i} ⊕ h (x  y).(iii)RC saves {C_{i}, D_{i}, E_{i}, h (.), h (y)} into a smart card and sends to U_{i} via a secure channel.(iv)U_{i} inputs b into the smart card, and finally, U_{i} has {C_{i}, D_{i}, E_{i}, b, h (.), h (y)}.
In the registration phase, we see that the author used common key h (y), and this is dangerous because the adversary can exploit this to launch an impersonation attack if the smart card’s information is leaked or stolen. Figure 1 describes all steps in this phase.
3.1.2. Login Phase
When logging into service, U_{i} performs as follows:(i)U_{i} provides his/her smart card and inputs ID_{i} and PW_{i}. Then, the smart card computes A_{i} = h (b ⊕ PW_{i}) and = h (ID_{i}  h (y)  A_{i}) and checks if = C_{i}. If this holds, U_{i} continues. Otherwise, the smart card terminates the session.(ii)The smart card randomly chooses values N_{i} and computes P_{ij} = E_{i} ⊕ (h (h) (SID_{j}  h (y))  N_{i}), CID_{i} = A_{i} ⊕ (h (D)_{i}  SID_{j}  N_{i}), M_{1} = h (P)_{ij}  CID_{i}  D_{i}  N_{i}), and M_{2} = h (SID_{j} h (y)) ⊕ N_{i}.(iii)U_{i} sends {P_{ij}, CID_{i}, M_{1}, M_{2}} to S_{j} through a public channel.
At this phase, the random value N_{i} can be easily computed because it is only protected by h (y). This decreases the challenge from the user and makes the scheme unbalanced.
3.1.3. Authentication Phase
In this phase, the server also chooses the random value N_{j} and only the valid user (who has A_{i}) can recompute this N_{j} and send a correct response. Figure 2 describes all steps in this phase.
When S_{j} receives {P_{ij}, CID_{i}, M_{1}, M_{2}} from U_{i}, S_{j}, and U_{i}, it performs the following steps:(i)S_{j} computes N_{i} = h (SID_{j}  h (y)) ⊕ M_{2}, E_{i} = P_{ij} ⊕ h (h (SID_{j}  h (y))  N_{i}), B_{i} = E_{i} ⊕ h (x  y), D_{i} = h (B_{i}  h (x  y)), and A_{i} = CID_{i} ⊕ h (D_{i}  SID_{j}  N_{i}).(ii)S_{j} computes h (P_{ij}  CID_{i}  D_{i}  N_{i}) and compares it with M_{1}. If two values are unequal, S_{j} rejects the login message and terminates the session. Otherwise, S_{j} accepts login message. Then, S_{j} randomly chooses N_{j} and computes M_{3} = h (D_{i}  A_{i}  N_{j}  SID_{j}) and M_{4} = A_{i} ⊕ N_{i} ⊕ N_{j}. Finally, S_{j} sends {M_{3}, M_{4}} to U_{i} through a public channel.(iii)When receiving {M_{3}, M_{4}} from S_{j}, U_{i} computes N_{j} = A_{i} ⊕ N_{i} ⊕ M_{4} and h (D_{i}  A_{i}  N_{j}  SID_{j}) and then compares it with M_{3}. If two values are unequal, U_{i} rejects the message and terminates the session. Otherwise, U_{i} successfully authenticates with S_{j}. Then, U_{i} computes M_{5} = h (D_{i}  A_{i}  N_{i}  SID_{j}) and sends {M_{5}} to S_{j} through a public channel.(iv)S_{j} computes N_{i} = h (SID_{j}  h (y)) ⊕ M_{2}, E_{i} = P_{ij} ⊕ h (h (SID_{j}  h (y))  N_{i}), B_{i} = E_{i} ⊕ h (x  y), D_{i} = h (B_{i}  h (x  y)), and A_{i} = CID_{i} ⊕ h (D_{i}  SID_{j}  N_{i}).(v)When receiving {M_{5}} from U_{i}, S_{j} computes h (D_{i}  A_{i}  N_{i}  SID_{j}) and compares it with M_{5}. If two values are equal, S_{j} successfully authenticates with U_{i} and authentication phase completes.(vi)Next, U_{i} and S_{j} compute a common session key SK = h (D_{i}  A_{i}  N_{i}  N_{j}  SID_{j}) used to encrypt later transactions.
3.1.4. PasswordUpdate Phase
This phase is performed when U_{i} changes PW_{i} into PW_{inew} without interacting with RC:(i)U_{i} inputs ID_{i} and PW_{i} and provides his/her smart card at the terminal.(ii)The smart card computes A_{i} = h (b ⊕ PW_{i}) and = h (ID_{i}  h (y)  A_{i}) and checks if = C_{i}. Is this does not hold, the smart card rejects passwordupdate request. Otherwise, U_{i} inputs PW_{inew} and random number b_{new}.(iii)The smart card computes A_{inew} = h (b_{new} ⊕ PW_{inew}) and C_{inew} = h (ID_{i}  h (y)  A_{inew}).(iv)Finally, the smart card replaces C_{i} with C_{inew} and terminates the session.
3.1.5. The Scheme’s Cryptanalysis
If U_{i} loses his/her smart card, it can result in impersonation attack. Furthermore, another attacker U_{a} can exploit S_{j} to guess the password through session key. Therefore, Li’s scheme is also vulnerable to twofactor attack. Below are some steps to launch an impersonation and passwordguessing attacks:(i)U_{a} computes P_{ij} = E_{i} ⊕ h (h (SID_{j}  h (y))  N_{i}), where E_{i} is extracted from the smart card. SID_{j}, h (y), and N_{i} are easily computed by U_{a} because they are public information.(ii)Next U_{a} computes CID_{i} = A_{i} ⊕ h (D_{i}  SID_{j}  N_{i}), M_{1} = h (P_{ij}  CID_{i}  D_{i}  N_{i}), and M_{2} = h (SID_{j}  h (y)) ⊕ N_{i}, where A_{i} = h (b ⊕ PW_{i}) is U_{a}’s value and D_{i} is extracted from U_{i}’s smart card.(iii)U_{a} sends {P_{ij}, CID_{i}, M_{1}, M_{2}} to S_{j}. When receiving, S_{j} will perform the following steps to verify.(iv)S_{j} extracts N_{i} = h (SID_{j}  h (y)) ⊕ M_{2}, E_{i} = P_{ij} ⊕ h (h (SID_{j}  h (y))  N_{i}), B_{i} = E_{i} ⊕ h (x  y), D_{i} = h (B_{i}  h (x  y)), and A_{i} = CID_{i} ⊕ h (D_{i}  SID_{j}  N_{i}).(v)S_{j} sees M_{1} = h (P_{ij}  CID_{i}  D_{i}  N_{i}), so S_{j} randomly chooses N_{j} and computes M_{3} = h (D_{i}  A_{i}  N_{j}  SID_{j}) and M_{4} = A_{i} ⊕ N_{i} ⊕ N_{j}. S_{j} sends {M_{3}, M_{4}} to U_{a}.(vi)When receiving {M_{3}, M_{4}}, U_{a} computes M_{5} = h (D_{i}  A_{i}  N_{i}  SID_{j}) and sends to S_{j}.(vii)S_{j} sees M_{5} = h (D_{i}  A_{i}  N_{i}  SID_{j}) and accepts U_{a}.(viii)Finally, U_{a} and S_{j} compute a common session key SK = h (D_{i}  A_{i}  N_{i}  N_{j}  SID_{j}).
Because E_{i} is extracted from U_{i}’s smart card, the values B_{i} and D_{i} also belong to U_{i}. However, in Li’s scheme, A_{i} is separated from other values, so U_{a} can exploit this limitation to insert his/her information. Furthermore, if U_{a} captures previous transactions between U_{i} and S_{j}, he/she will launch U_{i}’s passwordguessing attack. Assuming U_{a} has U_{i}’s M_{5} = h (D_{i}  A_{i}  N_{i}  SID_{j}), so U_{a} can construct h (D_{i}  h (b ⊕ guess)  N_{i}  SID_{j}) = M_{5} and use the password dictionary to search “guess” until success. Note that U_{i}’s N_{i} is easily found by computing N_{i} = M_{2} ⊕ h (SID_{j}  h (y)), in which SID_{j} and h (y) are those U_{a} easily computes.
3.2. Qu and Tan’s Scheme
Qu and Tan’s scheme [12] uses ECC, and it is secure against some popular kinds of attacks as they claimed. However, we will prove their scheme is vulnerable to impersonation attack. This scheme includes five phases: initialization, registration, login, authentication, and passwordupdate phases. Table 2 presents some notations used in this scheme.
3.2.1. System Initialization
In this phase, the system initializes some parameters:(i)S chooses the elliptic curve E_{P} (a, b) and base point P with big prime order n(ii)S chooses q_{S} ∈ [1, n − 1] and computes the public key Q_{S} = q_{S} × P(iii)S chooses three hash functions, H_{1} (.), H_{2} (.), and H_{3} (.), described in Table 2(iv)S published {E_{P} (a, b), P, Q_{S}, H_{1} (.), H_{2} (.), H_{3} (.)}
In this phase, we see that H_{1} (.) is special because it receives any string and outputs a point belonging to the elliptic curve.
3.2.2. Registration Phase
When registering, U must follow following steps:(i)U chooses ID_{U}, PW_{U}, and random numbers b_{U} ∈ [1, n − 1] and then U provides ID_{U} and H_{1} (PW_{U}  b_{U}) × P to S through a secure channel(ii)When receiving {ID_{U}, H_{1} (PW_{U}  b_{U}) × P} from U, S computes AID_{U} = (q_{S} + 1) × H_{1} (PW_{U}  b_{U}) × P and BID_{U} = H_{2} (H_{1} (ID_{U})  H_{1} (PW_{U}  b_{U}) × P)(iii)S saves {AID_{U}, BID_{U}} into the smart card and then sends to U via a secure channel(iv)When receiving, U inputs b_{U} into the smart card. Finally, U has {AID_{U}, BID_{U}, b_{U}}
At this phase, S attaches U’s personal information with S’s master key q_{S} to create the user’s authentication key by using H_{1} (.). Figure 3 describes all steps in this phase.
3.2.3. Login Phase
When U logins into S, U provides ID_{U}, PW_{U}, and his/her smart card into the terminal. Then, the smart card performs the following steps:(i)The smart card computes BID_{U}′ = H_{2} (H_{1} (ID_{U})  (H_{1} (PW_{U}  b_{U}) × P)) and checks if = BID_{U} (BID_{U} is stored in the smart card). If this holds, U provides correct information. Otherwise, the smart card will terminate the session.(ii)U randomly chooses r_{U} ∈ [1, n − 1] and computes TID_{U} = AID_{U} − H_{1} (PW_{U}  b_{U}) × P, M = r_{U} × Q_{S}, CID_{U} = ID_{U} × H_{2} (M  TID_{U}), DID_{U} = M + H_{1} (PW_{U}  b_{U}) × P, and EID_{U} = H_{3} (ID_{U}  M  R), where R = r_{U} × P.(iii)The smart card sends M_{1} = {CID_{U}, DID_{U}, EID_{U}, R} to S through a public channel.
In this phase, identity is not attached with U’s authentication key, so this is a weak point that another adversary can exploit to launch an impersonation attack. Figure 4 describes all steps in this phase and authentication phase.
3.2.4. Authentication Phase
When receiving the login message from U, S performs as follows:(i)S computes M′ = q_{S} × R, H_{1} (PW_{U}  b_{U}) × P = DID_{U} − M′, = q_{S} × H_{1} (PW_{U}  b_{U}) × P, and ID_{U} = CID_{U} ⊕ H_{2} (M′  ). Then, S checks if H_{3} (ID_{U} M′  R) = EID_{U}. If this holds, S successfully authenticates with U. Otherwise, the session is terminated.(ii)S chooses r_{S} ∈ [1, n − 1] and then computes S = r_{S} × P, T = S + M′, and H_{S} = H_{2} (S  ).(iii)S sends M_{2} = {T, H_{S}} to U through a public channel.(iv)When receiving M_{2} = {T, H_{S}} from S, U computes S = T – M and = H_{2} (S  H_{1} (PW_{U}  b_{U}) × Q_{S}) and checks if = H_{S}. If this holds, U successfully authenticates with S and U sends M_{3} = {H_{RS}} to S, where H_{RS} = H_{2} (R  S). Otherwise, U terminates the session.(v)On receiving M_{3} = {H_{RS}}, S computes = H_{2} (R  S) and checks if = H_{RS}. If this holds, S and U successfully authenticate each other. Otherwise, S terminates the session.(vi)U and S compute common SK = H_{3} (ID_{U}  TID_{U}  r_{U} × S) = H_{3} (ID_{U}   r_{S} × R).
3.2.5. PasswordUpdate Phase
When receiving the login message from U, S performs as follows:(i)U provides ID_{U}, PW_{U}, and the smart card at the terminal. Then, it computes = H_{2} (H_{1} (ID_{U})  (H_{1} (PW_{U}  b_{U}) × P)) and checks if = BID_{U}. If this holds, U can choose . Otherwise, the session is terminated.(ii)The smart card computes = H_{1} (PW_{U}  b_{U})^{−1} × AID_{U} × H_{1} (  b_{U}) and = H_{2} (H_{1} (ID_{U})  H_{1} (  b_{U}) × P).(iii)The smart card replaces AID_{U} and BID_{U} with and .
3.2.6. The Scheme’s Cryptanalysis
If the user’s identity is leaked, that user will be impersonated. Assuming another adversary is also a member. We call him/her U_{a} with corresponding {AID_{A}, BID_{A}} in his/her smart card. If U_{a} knows victim’s ID_{U}, U_{a} performs the following steps to launch an impersonation attack:(i)U_{a} randomly chooses r_{A} ∈ [1, n − 1] and computes R = r_{A} × P.(ii)Next, U_{a} extracts TID_{A} = AID_{A} − H_{1} (PW_{A}  b_{A}) × P, where AID_{A}, PW_{A}, b_{A}, and TID_{A} are information in U_{a}’s smart card.(iii)U_{a} computes M = r_{A} × Q_{S}, CID_{A} = ID_{U} ⊕ H_{2} (M  TID_{A}), DID_{A} = M + H_{1} (PW_{A}  b_{A}) × P, and EID_{A} = H_{3} (ID_{U}  M  R). Then, U_{a} sends M_{1} = {CID_{A}, DID_{A}, EID_{A}, R} to S.(iv)When receiving M_{1}, S computes M′ = q_{S} × R = q_{S} × r_{A} × P = r_{A} × Q_{S}, H_{1} (PW_{U}  b_{U}) × P = DID_{A} − M′, = q_{S} × H_{1} (PW_{A}  b_{A}) × P, and ID_{U} = CID_{A} ⊕ H_{2} (M′  ).(v)S checks if H_{3} (ID_{U}  M′  R) = EID_{A}, and we see this condition holds.(vi)S randomly chooses r_{S} ∈ [1, n − 1], computes S = r_{S} × P, T = S + M′, and H_{S} = H_{2} (S  ), and sends M_{2} = {T, H_{S}} to U_{a}.(vii)On receiving M_{2}, U_{a} computes S = T − M and H_{RS} = H_{2} (R  S). Finally, U_{a} sends M_{3} = {H_{RS}} to S.(viii)When receiving M_{3}, S computes = H_{2} (R  S) and see that = H_{RS}.
If the user’s identity is leaked, he/she will be impersonated. The reason is that the user’s identity is not attached with their secret information, for example, the authentication key AID_{U} is not attached with identity, or BID_{U} is only used for verification of the smartcard owner and does not take part in the authentication phase.
3.3. Amin and Biswas’s Scheme
Amin and Biswas’s scheme [13] uses ECC and biohashing, a special hash function overcoming the problem of sensitive input which exists in traditional hash function. In 2004, Jin et al. [27] proposed a remarkable improved biohashing function. Amin and Biswas’s scheme includes four phases: registration, login, authentication, and passwordupdate phases. Table 3 presents some notations used in this scheme.
3.3.1. Registration Phase
In this phase, U_{i} chooses ID_{i}, PW_{i}, and biometrics T_{i}. Next, U_{i} computes A_{i} = h (ID_{i}  PW_{i}) and F_{i} = H (T_{i}) and sends {ID_{i}, A_{i}, F_{i}} to S through a secure channel. When receiving {ID_{i}, A_{i}, F_{i}} from U_{i}, S computes W = h (ID_{S} x  ID_{i}), B_{i} = h (ID_{i}  A_{i}) ⊕ W, and CID_{i} = ENC_{x} (ID_{i}  R_{ran}) and sends a smart card including {F_{i}, A_{i}, B_{i}, CID_{i}, h (.), H (.)} back to U_{i} through a secure channel, where ID_{S} is S’s identity and R_{ran} is the random number chosen by S. In this phase, U_{i} can choose ID_{i} and PW_{i} easily guessed by passwordguessing attack or identityguessing attack. Figure 5 describes all steps in this phase.
3.3.2. Login Phase
When U_{i} successfully registers, U_{i} performs as follows:(i)U_{i} provides the smart card with T_{i}, and then the smart card computes = H (T_{i}) and checks if = F_{i} (F_{i} is stored in the smart card). If this condition holds, U_{i} continues providing ID_{i} and PW_{i}; otherwise, the scheme is terminated.(ii)The smart card computes = h (ID_{i}  PW_{i}) and checks if = A_{i} (A_{i} is stored in the smart card). If this condition holds, the phase continues; otherwise, it is terminated.(iii)U_{i} randomly chooses r_{i}, computes C_{1} = r_{i} × P, W = B_{i} ⊕ h (ID_{i}  ), C_{2} = r_{i} ⊕ W, and C_{4} = h (ID_{i}  r_{i}  W), and sends {C_{2}, C_{4}, CID_{i}} to S through a public channel.
In this phase, U_{i} needs to use biometrics + password + identity to prove the smartcard owner. This method protects the user from impersonation attacks. Figure 6 describes all steps in this phase and the authentication phase.
3.3.3. Authentication Phase
When S receives {C_{2}, C_{4}, CID_{i}} from U_{i}, S and U_{i} perform as follows:(i)When receiving {C_{2}, C_{4}, CID_{i}} from U_{i}, S decrypts CID_{i} by using x and S obtains (  R_{ran}) = DEC_{x} (CID_{i}). Then, S computes W = h (ID_{S} x  ), = C_{2} ⊕ W, = × P, and = h (ID_{i}   W) and checks if = C_{4} (C_{4} is stored in the smart card). If this condition holds, S believes U_{i} is the valid user.(ii)S randomly chooses r_{j}, computes D_{1} = r_{j} × P, SK = r_{j} × = r_{j} × × P, G_{1} = D_{1} + , L_{i} = h (  h_{1} (D_{1})  W), and = ENC_{x} (  ), and sends {L_{i}, G_{1}, } to U_{i} through a public channel.(iii)When receiving {L_{i}, G_{1}, } from S, U_{i} computes = G_{1} − , = h (ID_{i}  h_{1} ()  W), and SK = r_{i} × = r_{i} × r_{j} × P and checks if = L_{i}. If this condition holds, U_{i} believe S is valid and SK is a common session key of U_{i} and S. After the successful authentication phase, U_{i} replaces CID_{i} with . Finally, U_{i} computes Z_{i} = h (ID_{i}  SK) and sends to S through a public channel.(iv)When receiving {Z_{i}} from U_{i}, S computes = h (  SK) and checks if = Z_{i}. If this condition holds, the authentication phase successfully completes.
In this phase, replacing CID_{i} after successfully authentication will enhance the user’s privacy. Because each transaction has a different value, there is no way to know who is online, as well we cannot identify whether two transactions belong to one user.
3.3.4. PasswordUpdate Phase
U_{i} needs to successfully login if he/she wants to change the password. U_{i} needs to provide PW_{inew}, and then his/her smart card computes A_{inew} = h (ID_{i}  PW_{inew}) and B_{inew} = h (ID_{i}  A_{inew}) ⊕ W, where W is the old value and replaces (A_{i}, B_{i}) with (A_{inew}, B_{inew}).
3.3.5. The Scheme’s Cryptanalysis
If the master key is leaked, all previous exchanged messages between the user and server are also leaked. For example, if the key x is leaked, the adversary stores previous message packages of the user and server, such as {C_{2}, CID_{i}, C_{4}} or {L_{i}, G_{1}, }. The adversary will extract ID_{i} by using x to decrypt CID_{i}, computes W = h (ID_{S} x  ID_{i}) and r_{i} = C_{2} ⊕ W. With r_{i}, the adversary computes C_{1} = r_{i} × P and D_{1} = G_{1} − C_{1}. From r_{i} and D_{i}, the adversary finally computes SK = r_{i} × D_{1}.
3.4. Jangirala et al.’s Scheme
This scheme [18] uses hash function combined with random values, including four phases: registration, login, authentication, and passwordupdate phases. Because designed for multiserver environment, the registration centre constructs the master key h (x  y) for itself and the submaster key h (SID_{j}  h (y)) for each service provider. Notations used in this scheme are in Table 1.
3.4.1. Registration Phase
U_{i} registers with RC as follows:(i)U_{i} chooses ID_{i}, PW_{i}, and random value b and computes A_{i} = h (ID_{i} ⊕ b ⊕ PW_{i}). Then, U_{i} sends ID_{i} and A_{i} to RC through a secure channel.(ii)On receiving {ID_{i}, A_{i}} from U_{i}, RC computes B_{i} = h (A_{i}  x), C_{i} = h (ID_{i}  h (y)  A_{i}), D_{i} = h (B_{i}  h (x  y)), and E_{i} = B_{i} ⊕ h (x  y).(iii)RC saves {C_{i}, D_{i}, E_{i}, h (.), h (y)} into a smart card and sends to U_{i} via a secure channel.(iv)U_{i} computes L_{i} = b ⊕ h (ID_{i}  PW_{i}). Then, U_{i} inserts L_{i} into the smart card, and finally, U_{i} has {C_{i}, D_{i}, E_{i}, L_{i}, h (.), h (y)}.
In the registration phase, we see that their scheme encrypts b with h (ID_{i}  PW_{i}). This prevents some kinds of privileged insider attacks. Figure 7 describes all steps in this phase.
3.4.2. Login Phase
This phase sends U_{i}’s login request to S_{j} as follows:(i)U_{i} inserts his/her smart card and inputs ID_{i} and PW_{i}. Then, the smart card computes b = L_{i} ⊕ h (ID_{i}  PW_{i}), A_{i} = h (ID_{i} ⊕ b ⊕ PW_{i}), and = h (ID_{i}  h (y)  A_{i}) and checks if = C_{i}. If this holds, U_{i} continues. Otherwise, the smart card terminates the session.(ii)The smart card randomly chooses values N_{i} and computes P_{ij} = E_{i} ⊕ h (h (SID_{j}  h (y))  N_{i}), CID_{i} = A_{i} ⊕ h (D_{i}  SID_{j}  N_{i}), M_{1} = h (P_{ij}  CID_{i}  A_{i}  N_{i}), and M_{2} = h (SID_{j}  h (y)) ⊕ N_{i}.(iii)U_{i} sends {P_{ij}, CID_{i}, M_{1}, M_{2}} to S_{j} through a public channel.
At this phase, random value N_{i} can be easily known by the adversary because it is only protected by h (y). Furthermore, if the user’s smart card is leaked, the adversary can compute his/her D_{i} and discover what the user did in previous session corresponding to N_{i}.
3.4.3. Authentication Phase
When S_{j} receives {P_{ij}, CID_{i}, M_{1}, M_{2}} from U_{i}, S_{j} verifies U_{i}’s login message as follows:(i)S_{j} computes N_{i} = h (SID_{j}  h (y)) ⊕ M_{2}, E_{i} = P_{ij} ⊕ h (h (SID_{j}  h (y))  N_{i}), B_{i} = E_{i} ⊕ h (x  y), D_{i} = h (B_{i}  h (x  y)), and A_{i} = CID_{i} ⊕ h (D_{i}  SID_{j}  N_{i}).(ii)S_{j} computes h (P_{ij}  CID_{i}  A_{i}  N_{i}) and compares it with M_{1}. If two values are not matched, S_{j} rejects the login message and terminates the session. Otherwise, S_{j} accepts the login message. Then, S_{j} randomly chooses N_{j} and computes SK_{ij} = h (h (B_{i}  h (x  y))  A_{i}), M_{3} = h (SK_{ij}  A_{i}  SID_{j}  N_{j}), and M_{4} = SK_{ij} ⊕ N_{j} ⊕ N_{j}. Finally, S_{j} sends {M_{3}, M_{4}} to U_{i} through a public channel.(iii)When receiving {M_{3}, M_{4}} from S_{j}, U_{i} computes SK_{ij} = h (D_{i}  A_{i}), N_{j} = SK_{ij} ⊕ M_{4}, and h (SK_{ij}  A_{i}  SID_{j}  SID_{j}) and then compares it with M_{3}. If two values are not matched, U_{i} rejects the message and terminates the session. Otherwise, U_{i} successfully authenticates with S_{j}. Then, U_{i} computes M_{5} = h (SK_{ij}  A_{i}  SID_{j}  N_{i}  N_{j}) and sends {M_{5}} to S_{j} through a public channel.(iv)When receiving {M_{5}} from U_{i}, S_{j} computes h (SK_{ij}  A_{i}  SID_{j}  N_{i}  N_{j}) and compares it with M_{5}. If two values are equal, S_{j} successfully authenticates with U_{i}.(v)Next, U_{i} and S_{j} compute a common session key SKey_{ij} = h (SK_{ij}  A_{i}  SID_{j}  N_{i}  D_{i}  N_{j}) used to encrypt later transactions. Also, S_{j} chooses the random value N_{j} and only the valid user (who has D_{i} and A_{i}) can extract this N_{j} and send correct response. Figure 8 describes all steps in this phase.
3.4.4. PasswordUpdate Phase
This phase is performed when U_{i} changes PW_{i} into PW_{inew} without interacting with RC:(i)U_{i} provides his/her smart card at the terminal and inputs ID_{i} and PW_{i}.(ii)The smart card computes b = L_{i} ⊕ h (ID_{i}  PW_{i}), = h (ID_{i} ⊕ b ⊕ PW_{i}), and = h (ID_{i}  h (y)  ) and checks if = C_{i}. Is this does not hold, the smart card rejects and terminates the passwordupdaterequest session. Otherwise, U_{i} inputs PW_{inew}.(iii)The smart card computes A_{i}^{new} = h (ID_{i} ⊕ b ⊕ PW_{i}^{new}) and C_{i}^{new} = h (ID_{i}  A_{i}^{new}  h (y)).(iv)Finally, the smart card replaces C_{i} with C_{i}^{new} and L_{i} with L_{i}^{new}, where L_{i}^{new} = b ⊕ h (ID_{i}  PW_{i}^{new}).
3.4.5. The Scheme’s Cryptanalysis
If another U_{i}’s smart card leaks information {C_{i}, D_{i}, E_{i}, h (y), h (.)} and the adversary U_{a} is another valid user, U_{a} can launch an impersonation attack as follows:(i)U_{a} computes P_{ij} = E_{i} ⊕ h (h (SID_{j}  h (y))  N_{a}), where N_{a} is random value chosen by U_{a}(ii)Then, U_{a} computes CID_{i} = A_{a} ⊕ h (D_{i}  SID_{j}  N_{a}), M_{1} = h (P_{ij}  CID_{i}  A_{a}  N_{a}), and M_{2} = h (SID_{j}  h (y)) ⊕ N_{a}, where A_{a} belongs to U_{a}(iii)Next, U_{a} sends {P_{ij}, CID_{i}, M_{1}, M_{2}} to S_{j}(iv)Once receiving these messages, S_{j} computes N_{a} = h (SID_{j} h (y)) ⊕ M_{2}, E_{i} = P_{ij} ⊕ h (h (SID_{j}  h (y))  N_{a}), B_{i} = E_{i} ⊕ h (x  y), and D_{i} = h (B_{i}  h (x  y))(v)Next S_{j} computes A_{a} = CID_{i} ⊕ h (D_{i}  SID_{j}  N_{a}) and sees that M_{1} = h (P_{ij}  CID_{i}  A_{a}  N_{a})(vi)S_{j} chooses N_{j} and computes SK_{ij} = h (h (B_{i}  h (x  y))  A_{a}), M_{3} = h (SK_{ij}  A_{a}  SID_{j}  N_{j}), and M_{4} = SK_{ij} ⊕ N_{j}(vii)Then, S_{j} sends {M_{3}, M_{4}} to U_{a}(viii)Once receiving these messages from S_{j}, U_{a} computes SK_{ij} = h (D_{i}  A_{a}) and N_{j} = SK_{ij} ⊕ M_{4} and sends M_{5} to S_{j}, where M_{5} = h (SK_{ij}  A_{a}  SID_{j}  N_{a}  N_{j}).(ix)Once receiving M_{5} from U_{a}, S_{j} sees that M_{5} = h (SK_{ij}  A_{a}  SID_{j}  N_{a}  N_{j}) and computes the session key SKey_{ij} = h (SK_{ij}  A_{a}  SID_{j}  N_{a}  D_{i}  N_{j})
Clearly, U_{a} successfully authenticates with S_{j} without knowing the user’s identity and password.
3.5. Han et al.’s Scheme
This scheme [19] uses the fuzzy extractor to process the user’s biometrics, including four phases: registration, login, authentication, and passwordupdate phases. With symmetric encryption, this scheme truly has strong user anonymity because the adversary cannot know if two login sessions are belonged to the same user. Some notations used in this scheme are in Table 4.
3.5.1. Registration Phase
In the registration phase, we see that their scheme generates <R, P> from the user’s biometrics with the fuzzy extractor. Furthermore, the user’s dynamic identity is made by the server by using the encryption scheme. Figure 9 describes all steps in this phase.
Firstly, the user chooses ID, PW, biometrics B, and random value r. Then, the fuzzy extractor generates <R, P> from B and the user computes A = h (PW  R) ⊕ r. Next, the user sends {ID, A}. Once receiving the user’s messages, the server computes AID = h (ID  s), K = h (AID), V′ = AID ⊕ A, and CID = Enc_{s} (ID  a), where a is chosen randomly by and s is private key of the server. Then, the server sends SC = {K, V′, CID, h (.)} to the user. Once receiving the server’s message, the user computes V = V′ ⊕ A ⊕ h (ID  PW  R) and replaces V′ by V. The user inserts P in SC and keeps it secret.
3.5.2. Login Phase
The user sends inserts SC into the terminal and enters ID, PW, and B′ similar to B. Then, SC performs as follows:(i)SC performs Rep (B′, P) to generate R and computes AID = V ⊕ h (ID  PW  R)(ii)SC checks if K = h (AID). If this holds, go to next step(iii)SC generates a nonce u and computes X = T_{u} (AID) and V_{1} = h (ID  X  CID  T_{1})(iv)SC transmits {CID, X, V_{1}, T_{1}} to the server
At this phase, the user needs to recreate the R value by providing correct his/her biometrics.
3.5.3. Authentication Phase
When receiving the login message from the user, S verifies the login message as follows:(i)S checks if T_{c} − T_{1} ≤ δT, where T_{c} is receiving time. If this holds, S retrieves ID by computing Dec_{s} (CID) with the private key s.(ii)Then, S computes AID = h (ID  s) and checks if V_{1} = h (ID  X  CID  T_{1}). If this holds, S generates random values a′ and v.(iii)Then, S computes CID′ = Enc_{s} (ID  a′), SK = h ( (X)), Y = (AID), and V_{2} = h (CID′  Y  SK  T_{2}), where T_{2} is current time.(iv)Then, S sends {CID′, Y, V_{2}, T_{2}} to the user.(v)Once receiving messages from the server, SC checks T_{2} and calculates SK = h (T_{u} (Y)).(vi)Then, SC checks if V_{2} = h (CID′  Y  SK  T_{2}). If this holds, SC replaces CID with CID′, computes V_{3} = h (SK  T_{3}), and sends {V_{3}, T_{3}} to S.(vii)Once receiving messages, the server checks T_{3} and verifies if V_{3} = h (SK  T_{3}). If this holds, the user and server successfully authenticate to each other and accept SK as a session key.
This scheme is completely dependent on random values u and , and this is vulnerable to known sessionspecific temporary information attack. Figure 10 describes all steps in this phase.
3.5.4. PasswordUpdate Phase
This phase is performed when U changes PW into PW^{new} without interacting with S:(i)U inserts his/her smart card into the terminal and inputs ID, PW, and B′. SC executes Rep (B′, P) = R and computes AID = V ⊕ h (ID  PW  R).(ii)SC checks if h (AID) = K. If this holds, SC allows the change request.(iii)U inputs PW^{new} and B^{new}, and then SC computes <R^{new}, P^{new}> = Gen (B^{new}) and V^{new} = V ⊕ h (ID  PW  R) ⊕ h (ID  PW^{new}  R^{new}).(iv)Finally, SC replaces V by V^{new}.
3.5.5. The Scheme’s Cryptanalysis
If another session leaks the random value , the adversary can exploit to reattack the user and know previous messages transmitted between the user and server. For example, the adversary U_{a} obtains {CID, X, V_{1}, T_{1}}, {CID′, Y, V_{2}, T_{2}}, and {V_{3}, T_{3}} with the random value leaked, and U_{a} can launch an impersonation attack as follows:(i)If U sends the new login message {CID′, X′, , } to S, U_{a} can block this message.(ii)U_{a} generates random CID^{ʺ}.(iii)Then, U_{a} computes SK′ = h ( (X′)) and V_{2}′ = h (CID^{ʺ}  Y  SK′  ), where is current time and Y is previous value of U and S.(iv)Then, U_{a} sends {CID^{ʺ}, Y, , } to U.(v)Once receiving the message from U_{a}, U checks . If this holds, U computes SK′ = h (T_{u′} (Y)), where u′ is a random value chosen by U.(vi)U checks if = h (CID^{ʺ}  Y  SK′ ). We see this holds and U sends = h (SK′  ) to U_{a}.
Clearly, the adversary can reuse this random value to reattack the user many times. The main reason is that CID is what the user does not know.
3.6. Proposed Scheme
In Section 3, we review some typical schemes using many approaches such as Chebyshev polynomial or elliptic curve cryptosystem in various environments. Although these schemes are well designed with some interesting primitives, such as fuzzy extractor or symmetric encryption scheme, they are still vulnerable to some typical kinds of attacks, such as passwordguessing or impersonation. Indeed, there are still interesting schemes [17, 20], but they are designed with threeparty participation different with twoparty participation of the proposed scheme. Therefore, we temporarily do not consider in this paper. Figure 11 shows our architecture of participation between registration centre (RC), servers (S_{j}), and users (U_{X}), where the keys of servers and users are created by RC.
With this architecture in Figure 11, we can deploy a RC to centralize all medical servers. Also, the users easily find the medical services suitable for them. This section presents the phases in our proposed scheme. Our scheme uses Chebyshev polynomial in multiserver environment with twoparty participation, including five phases: initialization, registration (server + user), authentication, and passwordupdate phases. Some notations used in our scheme are in Table 5.
3.6.1. System Initialization
RC chooses the big prime number p ∈ ℙ kbit and a q_{RC}. Then, RC chooses H_{0}: {0, 1} ⟶ {0, 1}^{k}. RC publishes {T (.), H_{0} (.), p} and keeps q_{RC} secret.
3.6.2. Server Registration Phase
In this phase, S_{j} provides SID_{j} to RC through a secure channel. RC chooses r_{j} and computes ASID_{j} = (H_{0} (SID_{j}  r_{j})) mod p and then returns {r_{j}, SID_{j}, ASID_{j}, H_{0} (.)} to S_{j}. Figure 12 shows the steps in this phase.
In this phase, each server S_{j} has unique master key ASID_{j} produced by RC. RC must keep the pair <r_{j}, SID_{j}> for subsequent retrieval and the user’s registration.
3.6.3. User Registration Phase
U_{X} provides biometrics B_{X} and UID_{X}, using Gen (B_{X}) to generate <R_{X}, P_{X}>. Then, U_{X} sends {UID_{X}, H_{0} (R_{X}  UID_{X})} to RC through a secure channel. Once receiving the messages, RC computes all submaster keys for all service providers. RC chooses r_{X} and then computes = (UID_{X}  H_{0} (R_{X}  UID_{X})) mod p + (H_{0} (r_{j} + r_{X} + UID_{X})) mod p and RPW_{X} = H_{0} (H_{0} (R_{X}  UID_{X})  r_{X}). RC returns {, , …, , RPW_{X}, and H_{0} (.), r_{X}} to U_{X} through a secure channel. Figure 13 shows the steps in this phase.
In this phase, RC computes , which is an authentication key between U_{X} and S_{j} (1 ≤ j ≤ m, where m is a number of S_{j}). Similar to [19], our scheme uses the fuzzy extractor to deal with the problem of outputsensitive due to inputs’ perturbations. Additionally, RC must notify S_{j} about U_{X} by sending pair <r_{X}, UID_{X}> for the subsequent user’s authentication.
3.6.4. Authentication Phase
When U_{X} logins to S_{j}, U_{X} provides the smart card with UID_{X} and at the terminal. Then, the smart card reproduces R_{X} = Rep (P_{X}, ) and checks if RPW_{X} = H_{0} (H_{0} (R_{X}  UID_{X})  r_{X}); if this does not hold, the session is terminated; otherwise, the smart card chooses r_{U} and computes (H_{0} (r_{j} + r_{X} + UID_{X})) mod p = − (UID_{X}  H_{0} (R_{X}  UID_{X})) mod p, R_{U} = ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p, R′ = R_{U} + (H_{0} (r_{j} + r_{X} + UID_{X})) mod p, CID = UID_{X} ⊕ H_{0} (R_{U}), and M_{U} = H_{0} (R_{U}, (H_{0} (r_{j} + r_{X} + UID_{X})) mod p). Then, the smart card sends {CID, R′, M_{U}, r_{X}} to S_{j}. On receiving the message, S_{j} computes (H_{0} (r_{j} + r_{X} + UID_{X})) mod p, = R′ − (H_{0} (r_{j} + r_{X} + UID_{X})) mod p, and UID_{X} = CID ⊕ H_{0} () and checks UID_{X}; then, S_{j} checks if M_{U} = H_{0} (, (H_{0} (r_{j} + r_{X} + UID_{X})) mod p), and if this does not hold, S_{j} terminates the session; otherwise, S_{j} chooses r_{S} and computes R_{S} = ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p, S′ = R_{S} + , SK = H_{0} ( () mod p), and M_{S} = H_{0} (R_{S}, (H_{0} (r_{j} + r_{X} + UID_{X})) mod p). S_{j} sends {M_{S}, S′} to U_{X}. On receiving the message, U_{X} computes = S′ − R_{U} and SK = H_{0} ( () mod p) and checks if M_{S} = H_{0} (, (H_{0} (r_{j} + r_{X} + UID_{X})) mod p); if this does not hold, U_{X} terminates the session; otherwise, U_{X} believes S_{j} is valid and sends M_{US} = H_{0} (, () mod p) to S_{j}. On receiving the message, S_{j} checks if M_{US} = H_{0} (R_{S}, () mod p); if this does not hold, S_{j} terminates the session; otherwise, S_{j} believes U_{X} is valid. Figure 14 shows the steps in this phase.
3.6.5. PasswordUpdate Phase
When U_{X} changes B_{X}, U_{X} provides his/her smart card with UID_{X} and similar at the terminal. Then, the smart card checks if RPW_{X} = H_{0} (H_{0} (R_{X}  UID_{X})  r_{X}), where R_{X} = Rep (P_{X}, ). If this does not hold, the smart card terminates the session; otherwise, U_{X} inputs B_{new} and computes RPW_{new} = H_{0} (H_{0} (R_{new}  UID_{X})  r_{X}), where <R_{new}, P_{new}> = Gen (B_{new}), Then, the smart card updates RPW_{X} = RPW_{new} and P_{X} = P_{new}. Finally, the smart card updates all authentication keys = − (UID_{X}  H_{0} (R_{X}  UID_{X})) + (UID_{X}  H_{0} (R_{new}  UID_{X})), ∀j.
4. Security and Efficiency Analyses
In this section, we analyse our scheme on security and efficiency aspects.
4.1. Correctness Analysis
Similar to previous schemes, we also prove our scheme’s correctness using BANlogic rules [28] and goals proposed in [29]. For simplicity, we let ⊗ denote the combination using Chebyshev operation. Table 6 shows some assumptions our scheme must satisfy.
These assumptions stand for initial beliefs of the user and server, for example, A_{1} implies that users can share their identities with the server with the registration phase. Next, we will normalize all messages exchanged between the user and server.(i)From the message {CID}, we have < U_{X} S_{j}, U_{X} S_{j}, r_{U} ⊗ >(ii)From the message {M_{U}}, we have < r_{U} ⊗ , U_{X} S_{j}>(iii)From the third messages {M_{S}}, we have < r_{S} ⊗ , U_{X} S_{j}>(iv)From the fourth message {M_{US}}, we have < U_{X} S_{j}, U_{X} S_{j}>
The normalization helps to clearly show information exchanged between U_{X} and S_{j}, for example, CID containing identity, challenge information r_{U} ⊗ , and longterm key . Next, we demonstrate how our scheme satisfies seven lemmas reorganized from [29].
Lemma 1. If S_{j} believes the authentication key (the longterm key) is successfully shared with U_{X} and U_{X}’s messages encrypted with this key are fresh, S_{j} will believe that U_{X} believes U_{X}’s UID_{X} is successfully shared with S_{j}:
Proof. With A_{6} and CID, we apply the messagemeaning rule to have . With A_{8}, we apply the freshness rule to have . Next, we apply the nonceverification rule to have . Finally, we apply the believe rule to have . So, with A_{6} and A_{8}, we successfully demonstrate how our scheme satisfies Lemma 1.
Lemma 2. If S_{j} believes U_{X} also believes U_{X}’s UID_{X} is successfully shared with each other and U_{X} totally controls this UID_{X}’s sharing, S_{j} also believes U_{X}’s UID_{X} is successfully shared with each other:
Proof. With Lemma 1 and A_{4}, we apply the jurisdiction rule to have . So, with Lemma 1 and A_{4}, we prove how our scheme satisfies Lemma 2.
Lemma 3. If U_{X} believes is successfully shared with S_{j} and S_{j}’s messages encrypted with are fresh, U_{X} will believe S_{j} also believes U_{X}’s UID_{X} is successfully shared with each other.
Proof. With A_{2} and M_{S}, we apply the jurisdiction rule to have . Then, with A_{7}, we apply the freshness rule to have . So, combining two results with the nonceverification rule, we have . Finally, we apply the believe rule to have . So, with A_{2} and A_{7}, we successfully prove how our scheme satisfies Lemma 3. In short, with three lemmas, we can say that both S_{j} and U_{X} believe and successfully share their identities with each other. Next, we need to prove the similar thing for the session key.
Lemma 4. If U_{X} believes that is successfully shared with S_{j} and S_{j}’s messages encrypted with are fresh, U_{X} will believe S_{j} also believes the session key SK is successfully shared with each other:
Proof. With M_{US} and A_{2}, we apply the messagemeaning rule to have . With A_{7} and M_{US}, we apply the freshness rule to have . Next, we use the believe rule to have . Again, we apply the believe rule to have . So, with A_{2} and A_{7}, we successfully prove how our scheme satisfies Lemma 4.
Lemma 5. If U_{X} believes S_{j} totally controls SK’s sharing and S_{j} also believes SK is successfully shared with U_{X}, U_{X} will believe SK’s sharing:
Proof. With A_{3} and Lemma 4, we apply the jurisdiction rule to have . So, with A_{3} and Lemma 4, we successfully prove how our scheme satisfies Lemma 5.
Lemma 6. If S_{j} believes is successfully shared with U_{X} and the U_{X}’s messages encrypted with are fresh, S_{j} will believe U_{X} also believes SK’s sharing:
Proof. With A_{6} and M_{US}, we apply the messagemeaning rule to have . With A_{8} and M_{US}, we apply the freshness rule to have . With two results and the nonceverification rule, we have . Finally, with A_{6} and the believe rule, we have . So, with A_{6} and A_{8}, we successfully prove how our scheme satisfies Lemma 6.
Lemma 7. If S_{j} believes U_{X} totally controls SK’s sharing, S_{j} believes SK is successfully shared with U_{X}:
Proof. With S_{j} ≡ U_{X}≡ M_{US} and A_{5}, we apply the messagemeaning rule to have . Finally, we apply the believe rule to have . So, with A_{5}, we completely prove how our scheme satisfies Lemma 7. Finally, we can say that both S_{j} and U_{X} believe the common SK in our scheme.
4.2. Authenticated Key Exchange Security Analysis (AKESecurity)
The adversarial model is presented in this section, and some definitions can be found in [17, 30]. At first, we use some notations standing for the instances of our scheme’s participants:(i)RC^{k}: the k^{th} registration centre holding secret q_{RC}(ii): the i^{th} server holding {r_{j}, ASID_{j}}(iii): the i^{th} user holding the smart card and {UID_{X}, B_{X}}(iv)O_{Hash}: the hash oracle can be viewed as random functions(v) and : the all messages exchanged between and (vi) = and = : the partner identity of is and vice versa
Next, there are some security properties:(i) and are accepted if they can compute the valid session key and receive expected messages(ii) and are partnered if (1) both of them are accepted, (2) = ( = ), and (3) = (iii) are fresh if (1) they are partnered, (2) no secret information of is leaked before it is accepted, (3) no ’s session key is leaked before it is accepted
Next, there are some adversary’s capabilities. Let A be probabilistic polynomial time adversary attacking authentication scheme in AKEsecurity:(i)Execution query helps A to execute passive attacks against our scheme. We let q_{E} be the sum of the number of execute queries and ← Execute (, ) be the symbol standing for the output of this query.(ii)Send query helps A to actively interact with or . We let q_{S} be the sum of the number of send queries and m_{out} ← Send (O^{i}, m_{in}) be the symbol standing for the output and input of this query, where O^{i} is or .(iii)Reveal query helps A to know the session key (sk) of and in another session. We let q_{R} be the sum of the number of reveal queries and sk^{i} ← Reveal (O^{i}) be the symbol standing for the output of this query, where O^{i} is or . Note that to perform this query, O^{i} must be fresh.(iv)Corrupt query helps A to know secret information of . We let q_{C} be the sum of the number of corrupt queries and {UID_{X}, B_{X}} ← Corrupt (, 1) and {smart card} ← Corrupt (, 0) be the symbol standing for the output of this query. Note that A only knows the smart card or {UID_{X}, B_{X}}.(v)Hash query helps A to query a value m and receive corresponding r. If m is not queried before, O_{Hash} returns the random number r to the adversary. Otherwise, it returns the previously generated result. We let q_{H} be the sum of the number of hash queries and r ← Hash (O_{Hash}, m) be the symbol standing for the output of this query.
Theorem 1. Our scheme P is AKEsecurity against A within a time t_{A} if A cannot guess the correct session key of another fresh O^{i}. Formally, let (A, t_{A}) be the A’s chance of breaking P in AKEsecurity within in reasonable time t_{A}, and we need (A, t_{A}) is negligible. In summary, we need (A, t_{A}) ≤ ε ().
4.3. The Definition of Experiments
We set (B) be experiment, where the adversary B wins if it successfully breaks CMDHPsecurity of the Chebyshev polynomial T’s problem within a time t_{B}, and let (B) = Pr[ (B) = 1] be the B’s winning chance. Note that we give O_{Hash} to B.
Experiment 1. (B). {s, r} {0, 1}, X [0, p − 1] M ⟵ T_{r} (X) mod p N ⟵ T_{s} (X) mod p K ⟵ T_{r} (T_{s} (X)) mod p Z ⟵ (M, N, Hash (O_{Hash}, K)) if Hash (O_{Hash}, Z) = Hash (O_{Hash}, K) then return 1 else return 0Also, we set (A) be experiment, where the adversary A wins if it successfully breaks AKEsecurity of our P within a time t_{A}, and let (A) = Pr [ (A) = 1] be the A’s winning chance. Note that we also give O_{Hash} to A.
Experiment 2. (A). b {0, 1}, L_{U} ⟵ {U_{1}, …, U_{n}}, L_{S} ⟵ {S_{1}, …, S_{n}} U_{i} L_{U}, S_{j} L_{S} ⟵ Execute (U_{i}, S_{j}) if b = 0 then sk {0, 1} else sk ⟵ Reveal (U_{i}) {b^{′}, Z} ⟵ (L_{U}, L_{S}, sk) if b^{′} = b then return 1 else return 0Note that if b = b^{′} = 1, then we must have Hash (O_{Hash}, Z) = sk.
The proof of Theorem 1.
Now we assume that B wants to win in B’s experiment, and it runs A as the procedure. Also, A wants to win in A’s experiment and B must simulate the A’s environment as the following algorithm Let l be the security length, for example, the size of the prime p and hash function’s output. If A correctly guesses b^{′}, then we must consider some following cases (Algorithm 1):(i)A issues q_{H} queries to O_{Hash}, and A has successful probability ≈ due to the birthday paradox.(ii)A chooses q_{E} pairs to execute and have all messages exchanged between them. Furthermore, A issues q_{C} queries to some users to get the smart card or {UID, B}. So, A’s successful probability of correctly guessing random values r or s is ≈ .(iii)If A issues queries to oracles simulated by B, there will be at least one Send query that helps A compute the session key. So, we have (B) ≥ . When A issues the remaining queries to normal O^{i}, A’s successful probability of correctly guessing is ≈ .Finally, we have (A) ≤ + + (B) × + . Clearly, the righthand side of this inequality is negligible, so we complete the proof.

4.4. Security Analysis
In this section, we will analyse our scheme in some popular kinds of attacks. The comparison of the security feature with previous works is shown in Table 7. Before coming into this section, we want to discuss the privileged insider attacks. In our scheme, we use biometrics rather than the password. Therefore, the privileged insider attacker cannot find it and exploit into different servers. Furthermore, all servers in our scheme use different longterm keys provided from RC, so the attacker cannot use the users’ information in another server to exploit in others. It can be said that it is hard to launch a privileged insider attack in our scheme.
4.5. PasswordGuessing Attack
In this kind of attack, the adversary can guess the user’s password by exploiting leaking information from the smart card. The adversary will have RPW_{X} = H_{0} (H_{0} (R_{X}  UID_{X})  r_{X}). Because R_{U} is produced by the user’s biometrics, it is hard to guess. Clearly, the adversary cannot use the dictionary method to find biometrics and our scheme can resist this kind of attack.
4.6. User’s Anonymity
In this kind of attack, the adversary eavesdrops {r_{X}, CID, M_{U}, R^{′}}, {S^{′}, M_{S}}, and {M_{US}} from U_{X}. All messages are different at each login session because we use random values. So, the adversary cannot trace who is online. In other words, our scheme resists this attack.
4.7. TwoFactor Attack
Although U_{X} loses his/her smart card, the adversary cannot exploit because of needing B_{X} to pass RPW_{X} = H_{0} (H_{0} (R_{X}  UID_{X})  r_{X}). Even if U_{X}’s biometrics is fake, the adversary cannot exploit all information in the login message because he/she does not other supporting values. Clearly, our scheme resists this attack.
4.8. Known SessionSpecific Information Attack
When r_{U} and r_{S} are leaked, the adversary cannot compute the session key (SK). He needs ( ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p) mod p to compute the SK. If he does not have the smart card’s information, all important keys cannot be successfully computed. Clearly, our scheme can resist this kind of attack.
4.9. SessionKey Perfect Forward Secrecy
If all important keys are leaked, the adversary cannot compute previous transactions between U_{X} and S_{j}. With ASID_{j} and all messages U_{X} sent to S_{j}, the adversary extracts R_{U} = R^{′} − (H_{0} (r_{j} + r_{X} + UID_{X})) mod p and R_{S} = S^{′} − R_{U}. Finally, the adversary cannot compute ( ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p) mod p because of facing CMDHP. Clearly, our scheme can resist this kind of attack.
4.10. User Impersonation Attack
To impersonate as a valid user, the adversary needs R_{S} = ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p. To have R_{S}, he/she needs U_{X}’s R_{U} = ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p. Furthermore, the adversary must resend the session key to S_{j}. Therefore, he/she not only finds R_{U} but also knows r_{U} to impersonate as a valid user. Clearly, our scheme can resist this kind of attack.
4.11. Server Impersonation Attack
To impersonate as a valid server, the adversary needs R_{U} = ( (H_{0} (r_{j} + r_{X} + UID_{X})) mod p) mod p. So, he/she also needs ASID_{j} to compute R_{U}. We see this is impossible because S_{j} keeps ASID_{j} secret. Clearly, our scheme can resist this kind of attack.
4.12. ManintheMiddle Attack
In this kind of attack, the adversary can eavesdrop all messages exchanged between U_{X} and S_{j} and then edits the parameters in these packages. For example, the adversary can insert his/her own session key with randomly chosen r_{U} and r_{S}. However, this is impossible because U_{X}’s random value combined with ASID_{j}. Therefore, the adversary needs to compute this key to achieve the goal, but this is impossible because this is U_{X}’s secret key. Clearly, our scheme resists this attack.
4.13. Replay Attack
In this kind of attack, the adversary can eavesdrop all messages exchanged between U_{X} and S_{j}. At any time, he/she can replay to cheat U_{X} or S_{j}. We consider if the adversary resends {CID, R^{′}, M_{U}, r_{X}} to S_{j}, and this is the valid message. However, S_{j} requests U_{X} respond {M_{US}} for confirmation, and the adversary cannot compute M_{US}. Furthermore, the adversary can resend S_{j}’s {M_{S}, S^{′}} to cheat U_{X}, but this is impossible because U_{X} and S_{j} use random values. So {M_{S}, S^{′}} is only valid if U_{X} rechooses random values. Clearly, our scheme can resist this kind of attack.
4.14. Parallel Session Attack
In this kind of attack, the adversary will use {M_{S}, S^{′}} to create {CID, R^{′}, M_{U}, r_{X}}, and cheat S_{j}. As aforementioned in replay and impersonation attacks, the adversary cannot achieve the goal because he/she needs key U_{X}’s (H_{0} (r_{j} + r_{X} + UID_{X})) mod p and S_{j}’s ASID_{j}. Clearly, our scheme resists this attack.
4.15. Efficiency Analysis
Now, this section presents the cost of our scheme compared with previous schemes. Before coming to detail comparison, we will unify some notations and the bit size of some cryptographic primitives. If the scheme does not mention, we assume as follows: the sizes of identity, password, biometrics, timestamp, and random values are 128 bits. The size of hash function’s output and encryption scheme is 128 bits. The prime number in modular is 1024 bits (≈309 decimal digits) and 233 bits (≈70 decimal digits) in ECC. We let the notations denote the time to compute some cryptographic operations:(i)t_{H}: time to compute hash function (≈0.0004 ms)(ii)t_{PA}: time to compute point addition (≈0.36 ms)(iii)t_{PM}: time to compute point multiplication (≈12.4 ms)(iv)t_{E/D}: time to encrypt/decrypt (≈0.09 ms)(v)t_{T}: time to compute Chebyshev polynomial (≈127 ms)
All the amount of time is results we measure on the real Android device with the Bouncy Castle library. Next, we evaluate the computation quantity of previous schemes and ours in Table 8. In Li et al.’s scheme [11], registration needs 4 × t_{H} and authentication needs 15 × t_{H}. In Qu and Tan’s scheme [12], registration needs 4 × t_{H}, 2 × t_{PM} and authentication needs 11 × t_{H}, 5 × t_{PM} and 5 × t_{PA}. In Amin and Biswas’s scheme [13], registration needs 5 × t_{H}, 1 × t_{E/D} and authentication needs 10 × t_{H}, 5 × t_{PM}, 2 × t_{PA} and 1 × t_{E/D}. In Jangirala et al.’s scheme [18], registration needs 5 × t_{H}, 1 × t_{E/D} and authentication needs 10 × t_{H}, 5 × t_{PM}, 2 × t_{PA} and 1 × t_{E/D}. In Han et al.’s scheme [19], registration needs 5 × t_{H}, 1 × t_{E/D} and authentication needs 10 × t_{H}, 5 × t_{PM}, 2 × t_{PA} and 1 × t_{E/D}. In the proposed scheme, registration needs 2 × t_{T}, 4 × t_{H} and authentication needs 11 × t_{H}, 6 × t_{T}.
Next, we evaluate the store and authentication costs of previous schemes and ours in Table 9. In Li et al.’s scheme [11], the user stores {C_{i}, D_{i}, E_{i}, h (.), h (y), b} with 640 bits. And the authentication in this scheme needs {P_{ij}, CID_{i}, M_{1}, M_{2}}, {M_{3}, M_{4}}, and {M_{5}} with 896 bits. In Qu and Tan’s scheme [12], the user stores {AID_{U}, BID_{U}, b_{U}} with 1618 bits. And the authentication in this scheme needs {CID_{U}, DID_{U}, EID_{U}, R}, {T, H_{S}}, and {H_{RS}} with 3702 bits. In Amin and Biswas’s scheme [13], the user needs {F_{i}, A_{i}, B_{i}, CID_{i}, h (.), H (.)} with 2304 bits. And authentication in this scheme needs {C_{2}, C_{4}, CID_{i}}, {L_{i}, G_{1}, }, and {Z_{i}} with 4818 bits. In Jangirala et al.’s scheme [18], the user needs {C_{i}, D_{i}, E_{i}, h (y), h (.)} with 768 bits. And authentication in this scheme needs {P_{ij}, CID_{i}, M_{1}, M_{2}}, {M_{3}, M_{4}}, and {M_{5}} with 896 bits. In Han et al.’s scheme [19], the user needs {P, K, V, CID, h (.)} with 640 bits. And authentication in this scheme needs {CID, X, V_{1}, T_{1}}, {CID^{′}, Y, T_{2}, V_{2}}, and {V_{3}, T_{3}} with 3072 bits. In our proposed scheme, the user stores {, , …, , RPW_{X}, H_{0} (.), r_{X}}, but we assume that the smart card stores only one for convenient comparison with other schemes in singleserver environment, so the cost is 722 bits. And authentication in our scheme needs {CID, R^{′}, M_{U}, r_{X}}, {M_{S}, S^{′}}, and {M_{US}} with 2688 bits.
5. Conclusions
This paper proposed a scheme using Chebyshev polynomial in multiserver environment. We survey and analysis current schemes to propose the solution overcoming the limitations in each approach. In the future, we will analyse many different approaches to apply with our scheme. Also, we design some new architectures which have average overall cost even if using highcost computational operation. Finally, we try to minimize the size of message package exchanged between the user and server to enhance timeefficiency.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
The authors would like to say a special thanks to the University of Science, Vietnam National University, Ho Chi Minh City, Vietnam. This research was funded by the University of Science, Vietnam National University, Ho Chi Minh City, Vietnam, under the grant number T201801.