#### Abstract

Two-factor authentication is one of the widely used approaches to allow a user to keep a weak password and establish a key shared with a server. Recently, a large number of chaotic maps-based authentication mechanisms have been proposed. However, since the Diffie–Hellman problem of the Chebyshev polynomials defined on the interval [−1,+1] can be solved by Bergamo et al.’s method, most of the secure chaotic maps-based key agreement protocols utilize the enhanced Chebyshev polynomials defined on the interval (−∞,+∞). Thus far, few authenticated key agreement protocols based on chaotic maps have been able to achieve user unlinkability. In this paper, we take the ﬁrst step in addressing this problem. More speciﬁcally, we propose the notions of privacy in authenticated key agreement protocols: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Then, we construct two two-factor authentication schemes with medium unlinkability based on Chebyshev polynomials defined on the interval [−1,1] and (−∞,+∞), respectively. We do the formal security analysis of the proposed schemes under the random oracle model. In addition, the proposed protocols satisfy all known security requirements in practical applications. By using Burrows-Abadi-Needham logic (BAN-logic) nonce verification, we demonstrate that the proposed schemes achieve secure authentication. In addition, the detailed comparative security and performance analysis shows that the proposed schemes enable the same functionality but improve the security level.

#### 1. Introduction

User authentication is indispensable for many information systems. Authenticated key agreement enables users to establish a session key which two or more parties share over a public channel. The session keys are adopted in subsequent secure communications. Password, hard-ware, and biometrics are always utilized in authentication mechanisms [1–3]. Single-factor authentication only provides limited security; then, the combination of these methods together can achieve higher security. Due to the convenient portability of smart cards, two-factor authentication [4–6] has been intensively investigated.

In general, user privacy protection during authenticated key exchange is a big challenge. For two-factor authentication schemes, the important issues should be addressed carefully. Firstly, the authentication mechanism should hide the user’s identity from any eavesdroppers and foreign servers. In other words, mutual authentication cannot reveal the real identity of the user, which is the basic goal of privacy protection, called anonymity. Secondly, the other aspect of user privacy protection is unlinkability. In many applications, the authentication mechanism should hide the user’s movements from any eavesdroppers and other foreign servers. Any unauthorized entity cannot track the user’s movements. Even if any outside adversary has accessed the message transmitted between the user and the server, it still cannot link the user to different authentication sessions.

Since chaotic maps provide the semigroup property and have higher efficiency than modular exponential operations and scalar multiplications on an elliptic curve, many chaotic, map-based, two-factor authenticated key agreement protocols [7–12] have been developed in recent years. Thus far, the user privacy preserving chaotic maps-based authenticated key agreement protocols have been intensively investigated [13–17].

##### 1.1. Motivation

In two-factor authenticated key agreement protocols, the user privacy must be considered carefully. The basic security requirement is to preserve the user anonymity, while the stricter requirement is unlinkability or untraceability. These concepts in two-factor authenticated key agreement protocols are seldom discussed in detail. Till date, few two-factor authenticated key agreement protocols can provide users with a strong unlinkability.

To the best knowledge, most of the two-factor authenticated key agreements based on the Chebyshev polynomial protocols (hereafter, called TAKACP protocols) utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). Now, few secure TAKACP protocols are based on the Chebyshev polynomials defined on the interval [−1, +1]. This is because those TAKACP protocols based on the Chebyshev polynomials over the interval [-1,+1] are vulnerable to Bergamo et al.‘s attacks [18].

##### 1.2. Our Contributions

The main contribution of this paper is the two-factor authenticated key agreement protocol based on Chebyshev polynomials defined on the interval [−1,1] and (−∞,+∞), respectively, which solve all abovementioned issues for the ﬁrst time. They satisfy more security requirements than the existing TAKACP protocols.

In summary, we list the main contributions below: The user privacy in two-factor authenticated key agreement protocol is expounded. According to the extent of user identity protection, the user privacy preserving in entity authentication protocols is classified into four concepts: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Of the four levels, the strong unlinkability is the highest while the anonymity-alone is fundamental for entity authentication. In this paper, we elaborate them by the formal probability model. We analyze the Lin TAKACP protocol and reveal their weaknesses. Detailed analysis shows that it fails to provide session key security. And, it suffers from user impersonation attack. Next, it even cannot provide the weak unlinkability. Analysis of formal security under Random Oracle model and BAN logic nonce verification demonstrate that the proposed schemes provide secure authentication against the CPCDH assumption and integer factorization hardness assumption. The proposed schemes provide more security properties as compared to other TAKACP schemes. And the detailed comparative security analysis also shows that the proposed schemes avoid the weaknesses of the TAKACP protocols [19–21].

##### 1.3. System Model

###### 1.3.1. Network Model

The proposed two-factor authenticated key agreement protocols involve two entities, a user U and the server S. At the user registration phase, the server issues a smart card with secret information to U through a secure channel. When the user U logs in to the server, the server and the user authenticate each other over the public channels. In this paper, the two-factor authenticated key agreement protocol is required to provide users with privacy preserving. Any adversary cannot trace the user from the message transmitted over open channels.

###### 1.3.2. Adversary Model

Consider an adversary *A* who gets the full control over the communication channel between the user *U* and the service provider S (except the registration phase). Thus, *A* could obtain the messages transmitted between the user and the server (except the registration message). Of the phases in a two-factor authenticated key agreement protocol, only the registration phase requires a secure channel between *U* and *S*. In other phases, there could be various kinds of passive and active adversaries in the communication channel between *U* and *S*_{.} The adversary *A* can eavesdrop and even block the message transmitted, modify messages, remove messages, or insert messages into the communication channel. Its objective is to compromise the mutual authentication between *U* and *S*. *A* even impersonates *a user* and attempts to access the server, or the adversary impersonates *the server* and provides *the user* with false services.

In the single-server environment, since users register on the same server with the same master key, the inside attacker *A*_{0}**/ A**

_{1}is very powerful. Hereinafter, we refer to a malicious server which may try to recover the password of its client or track the client as an adversary

*A*_{0}; a registered malicious user, or an adversary who has corrupted the user as an adversary

*A*_{1}; and while other adversaries are called as outside adversary

*A*_{2}. To simulate the inside attack,

*A*_{0}and

*A*_{1}can get the passwords and information stored in the smart cards of the users except those of a client under attack. If the server is the attack target,

*A*_{1}is assumed to obtain the passwords and the information stored in the smart cards of all the users.

For a two-factor authentication scheme, the basic security property is that the user is required to both have the smart card and know the password. Since the smart cards cannot prevent the information stored in them from being extracted, for example, by monitoring their power consumption, the security of a two-factor authentication scheme is always discussed in the case that the smart card is stolen. In other words, when a user is under attack, *A* is allowed to either compromise the password or the smart card of the client under attack, but not both.

##### 1.4. Organization of the Paper

The remainder of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces some preliminaries. Section 4 shows the limitations of the Lin protocol. Section 5 then presents two novel TAKACP protocols. Next, Section 6 analyzes the security of the proposed schemes. Comparison with the related smart-card-based protocols in terms of security properties and performance will be given in Section 7 , and Section 8 is the conclusion.

#### 2. Related Work

In this section, we brieﬂy review some prior related works. Recent years have witnessed efforts on two-factor authentication [19–42]. We summarize some existing two-factor authentication schemes with their methodologies used, limitations, and drawbacks in Table 1.

##### 2.1. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval (−∞, +∞) and Their Limitations

Researchers have developed chaotic maps-based key agreement protocols which utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). Xiao et al. [31] first presented a chaotic map-based authenticated key agreement protocol by utilizing the semigroup property of Chebyshev chaotic maps [32, 33]. Guo and Zhang [34] showed that the Xiao et al.’s protocol [31] cannot provide the contributory property of key agreement. A malicious server can predetermine the session key. Guo and Zhang presented an improved version [34]. However, Lee demonstrated that the Guo-Zhang protocol [34] is insecure against off-line password guessing attacks [35]. In addition, it fails to provide the session key security. Tseng et al. [7] proposed anonymous key agreement protocol based on Chebyshev chaotic maps. Unfortunately, Niu et al. [8] demonstrate that Tseng et al.’s protocol [7] fails to protect the user anonymity and suffers from inside attacks. Yoon [9] found that the Niu-Wang protocol [8] is vulnerable to Denial of Service attacks. Xue et al. [36] also improved Tseng et al.’s protocol. However, Tan [37] pointed out that the Xue-Hong protocol [36] cannot still provide user anonymity. Moreover, the Xue-Hong protocol suffers from man-in-the-middle attacks. In 2012, Gong et al. [38] proposed password-based key agreement protocol by using extended chaotic maps. Unfortunately, Wang and Luan [39] showed that the key agreement protocol [38] suffers from potential security problems.

In 2014, Lin [40] developed an authentication scheme using dynamic identity and chaotic maps. Later, Islam et al. [41] state that Lin’s scheme suffers from user impersonation attack. Islam et al. also presented an improved provably secure scheme [41, 42] to solve the weaknesses of Lin’s scheme. Unluckily, Jiang et al. [10] show that Islam’s scheme is also vulnerable to some potential attacks. Based on the extended Chebyshev polynomials on the interval (−∞,+∞), Lee et al. [21] presented improvement on Lin’s scheme [20]. However, in the login phase of the improved scheme [21], the smart card fails to validate the input of the user. Moreover, in the password change phase, the server must participate in the whole updating process of each user. Hence, it is inconvenient for users to update the password in Lee et al.’s scheme [21].

##### 2.2. Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval [−1,+1] and Their Limitations

Few secure TAKACP protocols [19–21, 35] based on the Chebyshev polynomials defined on the interval [−1,+1] have been presented.

In Lee’s TAKACP scheme [35], the user and the server must preshare a password. Hence, when users register with the server, the server must share one different password with every user. In 2013, Guo and Chang [19] have proposed a smart-card-based authenticated key agreement using chaotic maps over the interval [−1,+1]. Subsequently, Hao et al. [43] and Lin [20] pointed out that that there are some security pitfalls in the Guo-Chang scheme [19]. Any adversary can derive the session key only by using the messages transmitted between a user and the server. In addition, the Guo–Chang scheme fails to provide full protection for user identity due to a fixed parameter in every run of the protocol. To eliminate the above weaknesses, Lin presents an improved scheme [20] based on chaotic maps over the interval [−1,+1]. The Lin scheme is highly efficient since it is based on a simple symmetric cryptosystem. Unfortunately, Lee et al. [21] point out that the Lin scheme still fails to withstand denial-of-service and privileged insider attacks. In addition, the Lin scheme does not exhibit the contributory property of key agreements.

In this paper, we will show that the Lin scheme violates the session key security. The Lin scheme suffers from impersonation attacks. Specifically, it is still susceptible to Bergamo et al.’s attacks [44] from registered users of the same server. Furthermore, we will demonstrate that the Lin scheme cannot provide the strong privacy protection. We also have found that it is inconvenient for users to update passwords in the Lin scheme [20] and the Guo–Chang scheme [19].

#### 3. Mathematical Preliminaries

This section briefly introduces Chebyshev polynomials and two problems related to the chaotic maps. Then, we will discuss the user privacy in TAKACP protocols and define the different notions of user privacy.

##### 3.1. Mathematical Preliminaries

Let *n* be an integer and *x* be a variable taking values over the interval [−1,1]. The Chebyshev polynomial *T*_{n}: [−1,1] ⟶ [−1,1] of degree *n* is defined as

The recurrence relation of the Chebyshev polynomial is given by:

The cos(s) and arcos(s) are defined as cos: and arcos: . There are some examples of Chebyshev polynomials that are shown as follows:

The Chebyshev polynomials hold two important properties. Semigroup property: Assume that *r* and *s* are positive numbers. For , *T*_{r}(*T*_{s}(*x*)) = *T*_{s}(*T*_{r}(*x*)). Due to its semigroup property, the Chebyshev polynomials satisfy the commutative property under the composition *T*_{r}(*T*_{s}(*x*)) = *T*_{s}(*T*_{r}(*x*)). Chaotic property: Since the Chebyshev polynomial *T*_{n}(*x*) with the positive integer *n* has a unique continuous invariant measure with positive Lyapunov exponent *lnn*, it is a chaotic map with its invariant density . Specially, *T*_{2}(*x*) is the well-known logistic map.

In 2008, Zhang [45] extended the definition of variables from the interval [−1,1] to the interval as follows:where *p* is a large prime number. And, these enhanced Chebyshev polynomials still commute under the composition, *T*_{r}(*T*_{s}(*x*)) = *T*_{s}(*T*_{r}(*x*)) mod *p*.

The Chebyshev polynomials over the interval have the discrete logarithm problem and Diffie-Hellman problem, which are assumed to be difficult to solve within a probabilistic polynomial time:

*Definition 1. *Chebyshev polynomial-based Discrete Logarithm (*CPDL*) problem. Given two elements *x* and *y*, find an integer *r*, such that *T*_{r} (*x*) = *y*, where *T*_{r} (*x*) is the Chebyshev polynomial.

*Definition 2. *Chebyshev polynomial-based computational Diffie-Hellman (*CPCDH*) problem. Given three elements, *x*, Chebyshev polynomials *T*_{r} (*x*), and *T*_{s}(*x*), compute the value *T*_{rs}(*x*).

In contrast with the Chebyshev polynomials over the interval , the hardness assumption of *CPCDH* problems over the interval [−1,1] does not hold. Given three elements, *x*, *T*_{r}(*x*), and *T*_{s}(*x*), although it is computationally infeasible to derive *r* from the known *x* and *T*_{r} (*x*), one can apply the method mentioned in [18, 44] to derivesuch that . Thus, one can compute the Diffie-Hellman value .

*Definition 3. *The success probability of a probabilistic polynomial time Turing machine within time upper bound *t* in solving *CPCDH* problems is defined as:

*Definition 4. *The Chebyshev polynomial-based computational Diffie-Hellman assumption (*CPCDH assumption*) is the assumption that CPCDH problems are hard. In other words, for every probabilistic Turing machine , is negligible.

*Definition 5. *Integer factorization assumption (*IF assumption*) is the assumption that integer factorization is hard. In other words, the probability of integer factorization for any probabilistic polynomial time Turing machine within the time upper bound t’ is negligible.

##### 3.2. Notions of Privacy in TAKACP Protocols

According to the extent of user identity protection, we divide user privacy preserving into four levels: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Among these concepts, the latter is stronger than the former, i.e., anonymity-alone ≤ weak unlinkability ≤ medium unlinkability ≤ strong unlinkability.

Let *N* be the number of members of any user group. Let be the event that *A* (that is, *A*_{1} and *A*_{2} but *A*_{0}) guesses the identity of the user correctly from the user group, be the event that *A*_{2}**( A)** decides whether any two executions of the protocol are from the same user, respectively.

*Definition 6. *(Anonymity-Alone). We define the advantage Adv^{Anon−Alone}(A) of any adversary A asThe advantage Adv^{Anon−Alone}(A) measures the sum of the probability of any adversary **A**_{1} or any outside adversary **A**_{2} obtaining the identity of the user and the probability of any outside adversary **A**_{2} linking different sessions with a certain user.

An authenticated key agreement protocol is called to provide Anonymity-Alone if Adv^{Anon-Alone}*(A) is negligible*. In other words, for any group of *N* users, ** A** cannot identify the actual user with the probability higher than the probability 1/

*N*of guessing. Hence, the first addition item would approach 0. However, any outside adversary

*A*_{2}can link different sessions to a certain user.

*Definition 7. *(weak unlinkability). We define the advantage Adv^{Weak−Unlin}(A) of any adversary A asAn authenticated key agreement scheme achieves weak unlinkability if Adv^{Weak-Unlin}(A) is negligible. Specifically, any adversary **A**_{1} or any outside adversary *A*_{2} cannot obtain the identity of any other user. Besides, any outside adversary *A*_{2} cannot link different sessions to a certain user with a probability larger than 1/2.

*Definition 8. *(medium unlinkability). We define the advantage Adv^{medium−Unlin}(A) of any adversary A (here, *A*_{1} and *A*_{2} but *A*_{0}) as*An authenticated key agreement scheme is called to satisfy medium unlinkability if Adv*^{Medium-Unlin}*(A) is negligible*. In other words, any participant except the server cannot link different logins to the same user.

*Definition 9. *(strong unlinkability). We define the advantage Adv^{Strong−Unlin}(A) of any adversary A including *A*_{0}, *A*_{1,} and *A*_{2} asAn authenticated key agreement scheme is called to satisfy strong unlinkability if Adv^{Strong−Unlin}(A) is negligible.

#### 4. Cryptanalysis of the Lin Takacp Protocol

In this section, we first tabulate the important notations in Table 2. We then review Lin’s key agreement protocol [20].

##### 4.1. Brief Review of Lin’s Takacp Protocol

The Lin’s TAKACP scheme [20] is composed of four algorithms: system initialization, user registration, authenticated key exchange, and password change. The notations used in [20] are listed in Table 2. Figures 1–3 separately illustrate the phases of user registration, authenticated key exchange, and password change.

###### 4.1.1. System Initialization

The server S selects a master key *s*. Then, S computes a Chebyshev polynomial of degree *r*, i.e., *T*_{r}(*x*), where , and chooses a one-way hash function *h*() and a symmetric encryption function *E*_{k}() with the secret key *k*. S keeps *r* secret.

###### 4.1.2. User Registration Phase

A user registration procedure consists of the following steps. *Step 1*. The user *U* selects an identity *ID*, a password *PW*, and a random integer *t*. U computes *H* = *h*(*PW*||*t*) and then sends the message {*ID*, *H*} to the server via a secure channel. *Step 2*. Upon receiving the registration request, the server *S* computes *R* = *E*_{s}(*ID*||*H*), *D* = *H*⊕(*x*||*T*_{r}(*x*)). Then, S writes {*R*, *h*(), *E*_{k}(), *D*} to a smart card and sends the smart card to U via a secure channel. *Step 3*. Upon receiving the smart card, *U* stores *t* into it.

###### 4.1.3. Authenticated Key Exchange Phase

U first enters the identity *ID* and password *PW*. Then, the smart card runs the following steps on S: Step 1. It chooses a random integer *j* and computes Then, it issues the message to S. *Step 2*. S computes and decrypts . Then, S checks the validity of the time stamp *T*_{1}. Next, S decrypts *R* and verifies whether holds. If the equation holds, U is authenticated; otherwise, the session is terminated. *Step 3*. S chooses a random integer and returns the login response to the card. And, S computes session key . *Step 4*. The card first decrypts and then checks whether the delay time for *T*_{2} is acceptable. Next, the card checks whether holds. If the equation holds, S is authenticated. And, the card computes the session key .

###### 4.1.4. Password Change Phase

U first inserts the smart card into a terminal and inputs his or her identity *ID*, the old password *PW*, and a new password . Then, the smart card runs the following steps on S: *Step 1*. The smart card chooses randomly a positive integer *i* and calculates and delivers to S. *Step 2*. S computes , then decrypts and further *R* = *E*_{s}(*ID*||*H*). Next, S checks whether the received is equal to *H*. If the equation holds, the server returns to the card. *Step 3*. The smart card replaces *R* with .

##### 4.2. Security Weaknesses of Lin’s TAKACP Protocol

Lin [20] demonstrates that the Guo-Chang TAKACP scheme [19] cannot provide full protection for the user’s identity. Any passive inside adversary *A*_{1} (i.e., a malicious registered user) could derive the mutually shared session key between the user and the server only by intercepting the transmitted message. Lin claimed that their improvement eliminates the drawbacks. We show that the second security weakness of the Guo-Chang TAKACP scheme still exists in the Lin scheme [20]. In addition, the password change would not only bring inconvenience to the user but also lack the authentication of the server.

###### 4.2.1. Violation of the Session Key Security

Assume that an inside adversary *A*_{1} has intercepted the key exchange message transmitted between the user U and the server. In the Lin scheme, the adversary could derive the session key by performing the following steps.

Since *A*_{1} is an inside adversary, *A*_{1} can use his password to calculate *x*||*T*_{r}(*x*). After intercepting U’s login message , *A*_{1} has obtained *T*_{j}(*x*). Although it is computationally infeasible to calculate *j* from *x* and *T*_{j}(*x*), the adversary can apply the method mentioned in [18, 44] to computesuch that . Then, the adversary could compute the key .

*A*_{1} decrypts with the key and obtains . Finally, the adversary calculates the session key .

###### 4.2.2. Suffering from User Impersonation Attack

Suppose that an inside adversary *A*_{1} does not want to pay the server for the service provided by S. *A*_{1} would try to impersonate a legitimate user U. After intercepting U’s login message, the adversary launches the user impersonation attack as described below:(1)With the login message , *A*_{1} computes the key through the same technique as in the leakage attack of the session key in Section 3. Then, *A*_{1} decrypts and obtains {*Q*, *R*, *T*_{1}}.(2)*A*_{1} chooses a random integer *j* and computes . It transmits to the server *S*, where *T* is the current timestamp.(3)After receiving the login message, *S* computes and decrypts . *S* first checks the validity of the time stamp *T*. Next, S decrypts *R* to derive *ID*||*H*, and verifies the identity. Since *Q* = *h*(*ID*||*H*), the server believes that a legitimate user with *ID* has issued the login request. After that, S selects a Chebyshev polynomial , encrypts it with other messages, and transmits the cipher-text to *A*_{1}**.**(4)*A*_{1} recovers the map with the key and computes the session key.

###### 4.2.3. Linking Different Sessions to a Same User

The Lin’s TAKACP scheme enhances the protection of user identity. Although any adversary *A*_{1} or *A*_{2} cannot obtain the identity of any user, any inside adversary *A*_{1} can link different sessions to a certain user. The Lin scheme only can provide weak unlinkablity (for details, see Definition 7 in Section 3), since *A*_{1} may execute the linking of sessions to the user as follows.(1)Intercept the different login messages .(2)Compute the different keys through the approach described in Section 3.(3)Decrypt and obtain {*Q*, *R*, *T*_{1}}. For the user, although the parameters {*R*, *T*_{1}} change with different logins, *Q* will be unchanged. Thus, *A*_{1} can decide whether the users are the same by comparing the parameter *Q’s*.

###### 4.2.4. Defects of the Password Change

Firstly, the password change suffers from inside attacks. Consider that a registered user acts as an adversary *A*_{1}. Since is a registered user of the server S, can derive *x*||*T*_{r}(*x*) from his own by using his own password. Assume that has intercepted *U*’s password change request . As shown above, can calculate , which satisfies the equation . Thus, computes the key and further decrypts . Then, selects randomly a value of the same length of . And computes and sends to the server. Since the equation holds, the server will return to the smart card. The smart card stores instead of *R*. Thus, the password change has been fulfilled. However, the user U cannot login to the server any more with the new password . We describe the failure process as follows. When the user U tries to login to S, U computes where and then issues to the server. The server decrypts and acquires . *S* further decrypts *R* to obtain . S computes . Since , the server will refuse U’s login request.

Secondly, the Lin’s TAKACP scheme requires that the server participate during the whole password change phase. In many applications, registered users always need to update their passwords at intervals. Passwords should be freely updated by the smart card holder at will without any interaction with the server, while the server can be totally unaware of the password change. A TAKACP scheme should provide the users with free password changes. If the users’ password change requires the server online, it must be a bottleneck. The Lin scheme requires the server S to compute during the password change phase. Therefore, it is inconvenient to both the server and the users. For the Lin scheme, the password change is impractical.

Thirdly, during the password change phase, the server is not authenticated by the smart card. This would be a serious security drawback. Any adversary could impersonate the server and send an arbitrary value as . The smart card will replace *R* with . The real card holder cannot login to the server any longer since . If the password change proceeds through a secure channel as in the user registration phase, the above security drawbacks will be removed. However, this is also infeasible.

#### 5. The Proposed Takacp Protocol

Lin [20] showed that the Guo-Chang scheme suffers from inside attacks. The analysis above demonstrates that the Lin’ TAKACP scheme [20] cannot still resist against inside attacks. The main cause is that an inside adversary *A*_{1} has the common chaotic map *T*_{r}(*x*) with the registered users of the same server. After intercepting the chaotic map *T*_{j}(*x*) transmitted over the public channel, *A*_{1} can derive an integer satisfying . The adversary computes the key to decrypt and derive . Thus, the adversary can determine the Diffie-Hellman-like session key .

To eliminate these weaknesses, we will seek cryptographic techniques to protect the functions and . In the following, we will use the quadratic residues to present two improved versions. We first describe an improved two-factor authentication scheme (hereafter called TAKACP-1) based on Chebyshev polynomials defined on the interval [−1,1] and then another two-factor authentication scheme (hereafter called TAKACP-2) based on Chebyshev polynomials defined on the interval (−∞,+∞).

##### 5.1. Registration Phase

We adopt the same notations as those in the Lin scheme. The server S selects *s* as the symmetric encryption key, two distinct large primes *p* and *q* with (mod 4), and a one-way hash function *h*():{0,1}^{∗} ⟶{0,1}^{l} where *l* is a security parameter. The parameters *p*, *q*, and *s* are kept secret. Before a user *U* gains access to the server *S*, *U* must register by performing the following steps as shown in Figure 4. *Step R1*. *U* selects a random integer with *l* bits, an identity *ID*, and password *PW*. Then, U computes and delivers {*ID*, *d*} to *S* through a secure channel. *Step R2*. S computes *c* = *d*⊕*E*_{s}(*ID*||*n*), where *n* = *pq*. S stores {*c*, *n*, *h*()} on a smart card and issues the smart card to *U* via a secure channel. *Step R3*. The card computes.

##### 5.2. Authenticated Key Exchange PHASE

The user *U* and the server *S* cooperatively perform the following steps to generate a session key *SK*, which is also illustrated in Figure 5. *Step A1*. U inserts the smart card into the terminal and enters the identity *ID* and the password *PW*. The smart card checks whether *d*_{2} is equal to *h*((*ID*⊕*PW*)||*d*_{1}||*n*). If *ID* and *PW* are valid, it computes *c* = *d*_{1}⊕*h*(*ID||PW*). It generates a nonce *n*_{1} of the *c*’s binary length and randomly chooses a positive integer *i* and a real number *x* over [−1,1]. The card computes the Chebyshev polynomials *T*_{i}(*x*), mod *n*, , *c*_{0} = *h*(*ID*||*n*_{1}), , where *x*||*T*_{i}(*x*) *is of l-bits*. The symbol means that the binary form of *c* interleaves the binary form of *n*_{1} bit by bit. Then, the card transmits the message to the server S. *Step A2*. Once receiving the login request, S uses Chinese Remainder theorem with *p* and *q* to solve the square roots of *e*. S parses the four roots into two parts, ,, respectively. Then, S decrypts to obtain and determines the right root by checking if is equal to *n*. Finally, S obtains the right root and the identity . S computes , , and checks if the received equals . If the equation holds, the server believes that the login comes from a registered user with the identity . S generates a nonce *n*_{2} such that *n*_{2}||*T*_{j}(*x*) is *l*-bit in length and randomly chooses a positive integer *j*. Then, S computes And, *S* sends back the message to *U*. Otherwise, *S* rejects the login request from *U*. *Step A3*. Upon receipt of the response message from *S*, the smart card computes , *SK* = *h*(*ID*||*T*_{i}(*x*)||*T*_{j}(*x*)||*n*_{1}||*n*_{2}||*T*_{i}(*T*_{j}(*x*))). Next, it checks whether equals *h*(*c*||(*T*_{j}(*x*)||*x*)⊕*h*(*n*_{2})||*SK*). If they are equal, the card authenticates the server. It computes and forwards the message to the server *S*. Otherwise, *U* terminates the session. *Step A4*. After receiving the confirmation message from the card, S checks if equals . If they are equal, the user *U* with identity ID is authenticated. Moreover, *S* confirms the session key *SK*.

##### 5.3. Password Change Phase

If the user *U* wants to update his password, *U* performs the following steps. *Step C1*. *U* inserts the smart card into the terminal and inputs the identity *ID* and the old password *PW*. Then, *U* issues the *updating* request. *Step C2*. The smart card checks whether *d*_{2} = *h*((*ID*⊕*PW*)||*d*_{1}||*n*) holds. If the equation holds, it answers *accepting updating*. *Step C3*. *U* submits a new password *PW*_{new}. *Step C4*. The smart card computes

The card removes {*d*_{1}, *d*_{2}} and stores .

Now, we describe briefly the TAKACP-2 scheme. There is a little difference between the registration phase of the TAKACP-2 scheme and that of the TAKACP-1 scheme. We will give the detailed description of the registration phase of TAKACP-2 scheme. Another fundamental difference of the authenticated key exchange phase of *TAKACP-2* scheme from *TAKACP-1* scheme is that the real number *x* is drawn from the interval . The card/server computes the Chebyshev polynomial *T*_{i}(*x*)/*T*_{j}(*x*) mod *p*_{0}. By making similar modifications to the registration phase, we can have the password change phase. Here, we omit the description of the authenticated key exchange phase and the password change phase in the TAKACP-2 scheme.

##### 5.4. Registration Phase of TAKACP-2

We adopt the same notations as those in the *TAKACP-1* scheme. The server S selects a large prime *p*_{0} besides the symmetric encryption key *s*, two large primes *p*, *q*, and a one-way hash function *h*():{0,1}^{∗} ⟶{0,1}^{l}. *S* keeps *p*, *q*, and *s* secret. Then, *U* performs the following steps to execute the registration. *Step R1*’. U selects a random integer , an identity *ID*, and password *PW*. Then, U computes and delivers {*ID*, *d*} to S through a secure channel. *Step R2*’. S computes *c* = *d*⊕*E*_{s}(*ID*||*n*||*p*_{0}) where *n* = *pq*. S stores {*c*, *n*, *p*_{0}, *h*()} on a smart card and issues the smart card to U via a secure channel. *Step R3*’. The card computes

Then, U removes and stores {*d*_{1}, *d*_{2}} in the card.

#### 6. Security Analyses

In this section, we will present the formal semantic security analysis of the proposed protocols under the random oracle model in Part A. Mutual authentication between a user and a server will be confirmed through the widely used BAN logic [46–48] in Part B. In Part C, we conduct the detailed informal security analysis of the proposed protocol. The formal security analysis and informal security analysis both show that our schemes provide stronger security attributes.

##### 6.1. Formal Security Analysis in Random Oracle Model

In this subsection, we introduce a formal security model under the widely used Real Or-Random model [49], the authentication security model [50], and the sequence of game models [51].

Assume that the server is a trustworthy entity. The server can accept the registration of users and validate the real identity of the users to provide them with services. There exists a secure channel between the server and the user to protect the registration of the user. In the following, we will apply the Dolev-Yao threat model (DY model) [52] to analyze the security of the proposed schemes. According to DY model, any two communicating parties communicate over an insecure channel. Assume that a polynomial time adversary has the ability to control the communication channel, for example, modifying, injecting, monitoring, and deleting messages over the open channel. Any adversary ** A** can make oracle queries, which model the adversary’s capabilities in a real attack. The goal of the adversary is to penetrate the anonymous authentication of a key agreement protocol by compromising requirements for the protocols described below. A malicious registered user may act as

**to attempt to obtain the identity information of other users who have registered on the same server.**

*A*We will simulate various security attacks on the proposed schemes through all possible oracle queries listed below. *Execute*(*U*^{i}, *S*^{j}): This query models eavesdropping attacks on honest execution among the user instance *U*^{i} and the server instance *S*^{j}. The output of this query consists of the messages that were exchanged during the honest execution of the protocol. *Send*(*U*^{i}/*S*^{j},*m*): This query models an active attack. The oracle query enables ** A** to receive an actual response from a participant

*U*

^{i}/

*S*

^{j}. Specifically, the adversary

**sends a message**

*A**m*to instance

*U*

^{i}/

*S*

^{j}, and the participant instance

*U*

^{i}/

*S*

^{j}follows the protocol to give a reply.

*Reveal*(

*U*

^{i}/

*S*

^{j}): This query models known session key attacks. If no session key is defined for an instance

*U*

^{i}/

*S*

^{j}, or if either

*U*

^{i}/

*S*

^{j}, or its partner is asked a

*Test*query, the output of this query is the invalid symbol . Otherwise, it returns the current session key

*SK*, which has been established between

*U*

^{i}/

*S*

^{j}and its partner to

**.**

*A**Corrupt*(

*U*,

*a*): The query models the capability of

**to obtain the secret information of a user participant**

*A**U*, thereby corrupting the protocol. If

*a*= 1, the query returns

*U*’s password to

**. If**

*A**a*= 2, the query returns the message stored in the user

*U*’s smart card with

**. The oracle simulates that when**

*A***gains the smart card of user**

*A**U*, it can extract the secret stored information.

*Test*(

*U*

^{i}/

*S*

^{j}): If no session key is defined, for instance,

*U*

^{i}/

*S*

^{j}or if either

*U*

^{i}/

*S*

^{j}or its partner is asked a

*Reveal*query, the output of this query is the invalid symbol . Otherwise, the oracle flips a coin

*b*. If

*b*= 1, the output is the session key. Otherwise, the output is a random string drawn from the space of session keys. The

*Test*query is invoked once by the adversary with a fresh oracle. The query is used to define the semantic security of the session key

*SK*.

*Definition 10. *An instance *U*^{i}/*S*^{j} is called to *be accepted*, if upon receiving the last expected protocol message, it goes into an accept state. The ordered concatenation of all sent and received messages by instance *U*^{i}/*S*^{j} forms the session identification(sid) of *U*^{i}/*S*^{j} for the current session.

*Definition 11. *Two instances *U*^{i} and *S*^{j} are said to *be partnered* if the three conditions hold simultaneously: (1) both *U*^{i} and *S*^{j} are accepted; (2) both *U*^{i} and *S*^{j} share the same sid; and (3) *U*^{i} and *S*^{j} are mutual partners of each other.

*Definition 12. *An instance *U*^{i}/*S*^{j} is called to *be fresh* if the following conditions are fulfilled simultaneously: (1) *U*^{i}/*S*^{j} is in the accepting state; (2) Reveal(*U*^{i}/*S*^{j}) query has never been submitted to *U*^{i}/*S*^{j} or its partner; and (3) strictly fewer than two Corrupt(*U*^{i},*a*) queries have been made to *U*^{i} or strictly fewer than two Corrupt(*U*^{i},*a*) queries have been submitted to *S*^{j}’s partner *U*^{i}.

*Definition 13. *For the *semantic security*, the security model is defined by a game, which consists of two phases. In the first phase, an adversary A is allowed to adaptively issue Send, Execute, Reveal, and Test queries. In the second phase, the adversary A executes a single Test (*U*^{i}/*S*^{j}) query with the chosen bit *b* directed to a fresh instance and the query outputs a guess bit for *b*. If , then the adversary A wins the above game, i.e., A succeeds in breaking the semantic security of the game of a TAKACP protocol. Let Succ(A) be an event where the adversary A wins the above game. The advantage of the adversary A in breaking the semantic security of the TAKACP protocol is defined byA TAKACP protocol is said to be *semantically secure* if the advantage of any probabilistic polynomial time-bounded adversary A is negligible.

Theorem 1. *Let D(W) be a uniformly distributed password (identity) dictionary of size |D|(|W|). Let A (including A_{1} and A_{2}) be a polynomial time-bound adversary against the semantic security of the TAKACP-2 scheme. Suppose A makes at most q_{s} times Send queries, q_{e} times Execute queries, and q_{h} times hash oracle queries. Then, we havewhere l refers to the string length of hash results, is the success probability of any probabilistic polynomial time Turing machine within time upper bound t in solving CPCDH problems, and is the probability of integer factorization for any probabilistic polynomial time Turing machine within time upper bound t’.*

*Proof. *We shall use the approach of sequent games to prove this theorem. We first define a sequence of modified attack games *G*_{i} (*i* = 0,1,2,3,4,5) starting from *G*_{0} and terminating at *G*_{5}. Let *Succ*_{i} be an event defined as the successful guessing of the bit *b* in *Test* query corresponding to each game *G*_{i} by an adversary *A*. *Game G*_{0}: This starting game and the real protocol in random oracles are assumed to be identical. Hence, *G*_{0} is the actual attack game. By definition, we have *Game G*_{1}: This game is the same as the game *G*_{0} except that the game simulates all oracle queries including *Send*, *Reveal*, *Corrupt*, *Execute*, *Test*, and *hash* queries. The hash oracles and *Reveal*, *Test*, *Corrupt*, and *Execute* queries are simulated in Table 3. We simulate the *Send* queries in Table 4 as in the actual attack game. The simulations maintain three lists of queries: (1) list *L*_{h} records the answers to hash oracles, (2) list *L*_{A} records the answers to the queries which are initiated by *A*, and (3) list *L*_{T} records the transcripts between S and U. This game is perfectly indistinguishable from the real execution of the protocol. Hence, we have *Game G*_{2}: In this game, we consider collisions among the results of hash queries, random numbers, and Chebyshev polynomials in the transcripts of messages *M*_{1}, *M*_{2}, and *M*_{3}. We take the random value *h* from as the response of the hash queries. If this query is directly asked by the adversary and (∗, *h*)←*L*_{h}, we abort the game. Otherwise, *h* is returned. Following the birthday paradox, the probability of collisions of the oracle hash query is at most . Furthermore, the messages contain random numbers {*n*_{1}, *n*_{2}} and two Chebyshev polynomials {*T*_{i}*(x)*, *T*_{j}*(x)*}. And, the probability of random numbers and polynomials collision is at most . Games **G**_{2} and **G**_{1} are perfectly indistinguishable except that the abovementioned collision causes the game to abort. Hence, we have **Game G**

_{3}

**:**This game would abort the execution in the situation where

*A*obtains a valid authenticator without active participation of hash oracles. In the

*TAKACP-2*protocol, the authenticated key exchange phase involves three message communications,

*M*

_{i},

*i*= 1,2,3. We consider three cases,

*Send*(U,

*M*

_{1}),

*Send*(S,

*M*

_{2}),

*Send*(U,

*M*

_{3}) in the game

*G*_{3}.

*Case 1*. Considering

*Send*(U,

*M*

_{1}) oracle query, we must carefully analyze the elements of message

*M*

_{1}. The hash values

*h*(

*c*||

*x*||

*T*

_{i}(

*x*)||

*c*

_{0})∈

*L*

_{A}must hold, otherwise the session will be terminated. The maximum calculated probability is up to . Again, it must be that

*h*(

*ID*||

*n*

_{1}) ∈

*L*

_{A}whose probability is at most . Finally, the message

*M*

_{1}∈

*L*

_{T}should hold, or the session will stop. For this, the probability is .

*Case 2*. Considering

*Send*(S,

*M*

_{2}) oracle query,

*M*

_{2}consists of and. The hash values must hold; otherwise, the session will be terminated. The maximum probability is up to. The probability of value falling within the list

*L*

_{A}is at most . Finally, the message

*M*

_{2}should fall within

*L*

_{T}, or the session will terminate. The maximum probability is .

*Case 3*. To respond

*Send*(U,

*M*

_{3}) oracle query,

*h*(

*h*(

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}||

*T*

_{i}(

*T*

_{j}(

*x*)))||(

*n*

_{1}⊕

*n*

_{2})||

*c*

_{0})∈

*LA*must hold with the total maximum probability . Finally, for a transcript

*M*

_{3}∈

*L*

_{T}, we have the maximum probability as . Considering the three cases, we have,

**Game**

*G*_{4}: In this game, when the session key

*SK*is required to compute, we replace the random hash oracle H

_{1}with private oracle

*H*’. That is, the session key is determined without querying the hash oracle. Moreover, we do not use

*T*

_{j}(

*T*

_{i}(

*x*)) or

*T*

_{i}(

*T*

_{j}(

*x*)) to compute

*SK=H′*(

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}). Thus, the session key is completely independent of

*hash oracle*and

*T*

_{j}(

*T*

_{i}(

*x*)) or

*T*

_{i}(

*T*

_{j}(

*x*)). Games

**G**

_{4}and

**G**

_{3}are perfectly indistinguishable unless the following event AskH

_{1}occurs: the adversary

*A*queries the hash function on

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}||

*T*

_{j}(

*T*

_{i}(

*x*)) or on the message

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}||

*T*

_{i}(

*T*

_{j}(

*x*)). Hence, we have

**Game**

*G*_{5}: In this game, we simulate the executions using the random self-reducibility of the CPCDH problem, given one CPCDH instance (

*T*

_{i}(

*x*),

*T*

_{j}(

*x*)). We choose randomly two integers and compute

*T*

_{u}(

*T*

_{i}(

*x*)), . The event AskH

_{2}means that the adversary

*A*had queried the random hash oracle H

_{1}on

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}||

*Z*, where . It is easy to know that the equation holds. We haveAccording to the definition of the event AskH, the accumulated probability is at least . Thus, we haveIn Game

*G*

_{5}, Diffie–Hellman keys

*SK*are random and independent of passwords and ephemeral keys. So, there are two possible cases where the adversary distinguishes the real session key from the random key as follows:

*Case 1*. The adversary queries the hash oracle on

*ID*||

*T*

_{i}(

*x*)||

*T*

_{j}(

*x*)||

*n*

_{1}||

*n*

_{2}||

*T*

_{j}(

*T*

_{i}(

*x*)).The probability that this event occurs is .

*Case 2*. The adversary asks the

*Send*(

*U*

^{i},

*m*) query and successfully impersonates a user. If the Corrupt(

*U*, 1) has been made, it implies that the Corrupt (

*U*, 2) has not been made. To impersonate the user, the adversary has to obtain the parameter

*c*and the identity. The probability that the event happens is . On the contrary, if the Corrupt (

*U*,2) has been made, it is not allowed to reveal the static key

*PW*of the user. Thus, in order to impersonate the user, the adversary has to obtain some information on the password of the user. The success probability of the adversary in the

*q*

_{s}sessions is . If the adversary just makes an attempt at random to impersonate the user by computing and succeeds, it will make the difference; but, the probability for

*qs*sessions is less than. Hence, we haveUsing the triangular inequality and equations (19)–(26), we have the following:Thus, we have completed the proof of the theorem.

The above theorem is about the security of the proposed TAKACP-2 scheme based on the extended Chebyshev polynomials defined on the interval [−∞, +∞]. To complete the security proof of the TAKACP-1 scheme based on Chebyshev polynomials over the interval [−1, 1], one only needs to delete the CPCDH simulation in Game

*G*

_{5}of the proof of Theorem 1. We only state the results as Theorem 2 without detailed proof.

Theorem 2. *Let D(W) be a uniformly distributed password (identity) dictionary of size |D|(|W|). Let A (including A_{1} and A_{2}) be the polynomial time-bound adversary against the semantic security of the TAKACP-1 scheme. Suppose A makes Send queries q_{s} times, Executes queries q_{e} times, and hash oracle queries q_{h} times at most. Then, we havewhere l refers to the string length of hash results, is the success probability of any probabilistic polynomial-time Turing machine within the time upper bound t in solving CPCDH problems, and is the probability of any probabilistic polynomial-time Turing machine in solving the square root with composite number module within time upper bound t’.*

Theorem 3. *The proposed TAKACP-1(TAKACP-2)scheme achieves the property of the medium unlinkability.*

*Proof. *Consider that the insider adversary *A*_{1} would attempt to violate the user anonymity of the proposed schemes. Further suppose that the Corrupt (*U*, 2) has been made. The smart card of the user U is compromised. The adversary ** A** has extracted the elements {

*d*

_{1},

*d*

_{2},

*n*} for

*TAKACP-1*({

*d*

_{1},

*d*

_{2},

*n*,

*p*

_{0}} for

*TAKACP-2*) in the smart card. Since

*d*

_{1}=

*E*

_{s}(

*ID*||

*n*)⊕

*h*(

*ID*||

*PW*),

*d*

_{2}=

*h*((

*ID*⊕

*PW*)||

*d*

_{1}||

*n*) in

*TAKACP-1*, or

*d*

_{1}=

*E*

_{s}(

*ID*||

*n*||

*p*

_{0})⊕

*h*(

*ID*||

*PW*),

*d*

_{2}=

*h*((

*ID*⊕

*PW*)||

*d*

_{1}||(

*n*⊕

*p*

_{0})) in

*TAKACP-2*,

*A*cannot divide

*d*

_{1}or

*d*

_{2}into the exclusive-OR items

*E*

_{s}(

*ID*||

*n*) or

*E*

_{s}(

*ID*||

*n*||

*p*

_{0}),

*h*(

*ID*||

*PW*),

*h*(

*ID*⊕

*PW*) correctly. In essence, even if

**has**

*A**E*

_{s}(

*ID*||

*n*),

**cannot still recover**

*A**ID*from it without the master key

*s*. Since

*d*

_{2}=

*h*((

*ID*⊕

*PW*)||

*d*

_{1}||

*n*) or

*h*((

*ID*⊕

*PW*)||

*d*

_{1}|| (

*n*⊕

*p*

_{0})), owing to the one-way hash function,

*A*_{1}cannot derive

*ID*or

*PW*from

*d*

_{2}.

Now consider the authenticated key exchange phase. Assume that and are two requesting messages produced by one user in two different authentication sessions, whereDue to the usage of the random integers {

*n*

_{0,1},

*n*

_{1,1}},

*e*

_{0,1}is independent of

*e*

_{1,1}. Likewise, owing to the randomness of {

*x*,

*y*,

*0*

_{i},

*1*

_{i}},

*T*

_{0i}(

*x*) is independent of

*T*

_{1i}(

*y*). Thus, is independent of . As

*h()*is a secure cryptographic hash function, the same is true for and . Therefore,

**believes that**

*A**M*

_{0,1}and

*M*

_{1,1}are independent of each other. We can make similar analysis of the response messages , , and the confirmation messages , . From the above analysis, we have . Thus, Adv

^{Strong−Unlin}(

*A*) = 0.

Therefore, our protocols achieve medium unlinkability. Any adversary (but

*A*

_{0}) is unable to link two different protocol sessions to the same user.

##### 6.2. Authentication Proof Based on BAN-Logic

In this section, we introduce the well-popular Burrows-Abadi-Needham Logic (BAN-logic) to validate the authentication of the proposed protocols. By using BAN logic, we also try to find out flaws in the proposed schemes and deal with authentication issues among the participants. The formal verification of the BAN logic demonstrates that the proposed protocols achieve mutual authentication and allow the user and the server to establish session keys. It is well-known that BAN logic [46] is the widely used logical analysis method of reasoning the beliefs of participants in an authentication protocol [47, 48]. BAN logic uses a set of postulates to analyze and verify authentication schemes. BAN logic has three elementary items, i.e., formulas/statements, principals, and keys. Let *X* and *Y* be two statements, *P* and *Q* be principals, *K* be the symbol for a key. The basic expressions of BAN logic are described in Table 5. More details can be found in [46–48].

The main logical postulates of the *BAN* logic are listed as follows: Message-meaning rule: , : If *P* believes that it shares *K* with *Q* and sees *X* encrypted by *K* (or *X* combined with *K*), then *P* believes that *Q* once said *X*. The nonce-verification rule: If P believes that *X* could have been uttered only recently and *Q* once said *X*, then *P* believes that *Q* believes *X*. The freshness propagation rule: If P believes that *X* is fresh, then *P* also believes that (*X*, *Y*) is fresh. The jurisdiction rule: If P believes that *Q* has authority over *X* and *Q* believes *X*, then *P* trusts *Q* on the truth of *X*. The message decryption rule:

If *P* believes that it shares *K* with *Q* and sees encrypted *X* by *K*, then *P* sees *X*.

In the following, we apply BAN logic to analyze the TAKACP-1 scheme. Similar analysis can be applied to the TAKACP-2 scheme. According to the analytic procedures of the BAN logic, the proposed TAKACP-1 scheme must satisfy the following goals: *Goal (1)*: , *Goal (2)*: , *Goal (3)*: , *Goal (4)*: .

The generic form of the proposed TAKACP-1 scheme is described below. From message *M*_{1}, *U*⟶*S*: {*c*, *n*_{1}}_{n}, , *< c*_{0}, *x*,*T*_{i}(*x*)>_{c}. From message *M*_{2}, *S*⟶*U*: , . From message *M*_{3}, *U*⟶*S*: .

The idealized form of the proposed TAKACP-1 scheme in the language of formal logic is given below. Message *M*_{1}: : . Message *M*_{2}: : . Message *M*_{3}: US: .

We make the assumptions about the initial state to analyze the proposed TAKACP-1 scheme: *H*_{1}: , ; *H*_{2}: , ; *H*_{3}: ; *H*_{4}: ; *H*_{5}: ; *H*_{6}: ; *H*_{7}: .

According to the BAN logic and the assumptions, we give the main proof as follows:

From message *M*_{1}, we have *S*_{1}: . From *S*_{1}, *H*_{3}, and Rule (1), we have *S*_{2}: . From *S*_{2}, *H*_{2}, Rule (2) and Rule (3), we have *S*_{3}: . From *S*_{3}, *H*_{5}, and Rule (4), we have *S*_{4}: . From message *M*_{2}, we have *S*_{5}: . From *S*_{5}, *H*_{4}, and Rule (1), we have *S*_{6}: . From *S*_{6}, *H*_{1}, Rule (2), and Rule (3), we have *S*_{7}: (**Goal** (1)). From *S*_{7}, *H*_{6}, and Rule (4), we have *S*_{8}: (**Goal** (2)). From message *M*_{3}, we have *S*_{9}: . From *S*_{9}, *S*_{4}, and Rule (1), we have *S*_{10}: . From *S*_{10}, *H*_{2}, Rule (2), and Rule (3), we have *S*_{11}: (**Goal** (3)). From *S*_{11}, *H*_{7}, and Rule (4), we have *S*_{12}: (**Goal** (4)).

##### 6.3. Informal Security Analysis

In this section, we analyze the security of the proposed protocols. We will show that the proposed protocols satisfy the essential security requirements, including the ability to provide medium unlinkability, the contributory property of key agreements, session key security, two-factor secrecy, and free updating of passwords. Furthermore, we confirm that the proposed schemes can withstand replay attacks and password-guessing attacks. In the following, we will not expound the two-factor security since its proof has been given in Part A and Part B of Section 4, respectively.

###### 6.3.1. Medium Unlinkability

In Part A of Section 4, we have demonstrated that our protocols can provide medium unlinkability. Now, we compare the privacy-preserving of our protocols with that of the schemes of Guo-Chang [19], Lin [20], and Sun et al. [24].

In the Guo-Chang scheme, since the user identity is encrypted with the master key of the server into the login request *R*, any adversary *A* cannot reveal the user identity. So Pr[*A*^{Guess}] *=* *1/N*. However, *R* is unchanged until the user updates the password. Thus, any outside adversary can distinguish whether the users in two authentication sessions are identical. That is, . Thus, we have Adv^{Anon−Alone}(*A*) = 0 and Adv^{Weak−Unlin}(*A*)≥1/2. Hence, the Guo-Chang scheme provides *anonymity-alone* but *weak unlinkability*. Similarly, since every request of the user contains the unchanged element *IM*, Sun et al.’s scheme [24] only achieves the property *anonymity-alone*.

The Lin scheme can provide weak unlinkability. Specifically, although the elements *Q* and *R* are kept unchanged, they are transmitted in the ciphertext . Since any outside adversary *A*_{2} cannot calculate the key , they cannot obtain *R*. But any inside adversary *A*_{1} can compute and acquire *Q*, *R*. For every login of the user, the parameters {*Q*, *R*} are static until the user changes its password or identity. Thus, *A*_{1} can still decide whether different login requests are from the same user or not. Then, we have . Hence, *Adv*^{Medium-Unlin}*(A)* > 1/2. The Lin scheme cannot provide *medium unlinkability*.

In the proposed protocols, *i* and *x* are chosen randomly by every individual user. Therefore, no unchanged login message can be derived by the other registered users. Thus, we obtain that *Adv*^{Medium-Unlin}*(A)* *=* 0. However, each time the user logins to the server, the server validates his or her identity. So, the advantage *Adv*^{Strong-Unlin}*(A)* is nonnegligible. The proposed schemes cannot achieve *the medium unlinkability*.

###### 6.3.2. Contributory Property of Key Agreement

In the proposed protocols, the session key *SK* is *h*(*ID*||*T*_{i}(*x*)||*T*_{j}(*x*)||*n*_{1}||*n*_{2}||*T*_{i}(*T*_{j}(*x*))). Only for the *TAKACP-*1 scheme, the server can use the method mentioned in [18, 44] to compute and , thus satisfying , , where represents a previous parameter. Since *x*, and *n*_{1} are randomly selected by the user and *SK* contains and *n*_{1}, the server still fails to predetermine a session key. Likewise, since *T*_{j}(*x*) and *n*_{2} are randomly selected by the server and *SK* contains *T*_{j}(*x*) and *n*_{2}, the user cannot predetermine a session key. Notably, neither the server nor the user can determine the specific session key alone in advance. Therefore, the proposed protocols satisfy the contributory property of key agreements.

###### 6.3.3. Session Key Security

Firstly, since *i*, *j*, *n*_{1} and *n*_{2} are selected randomly in every run of the protocols, the session key *SK* = *h*(*ID*||*T*_{i}(*x*)|| *T*_{j}(*x*)||*n*_{1}||*n*_{2}||*T*_{i}(*T*_{j}(*x*))) is independent of the previously generated session keys. Thus, the proposed protocols can resist against known-key attacks.

Secondly, we demonstrate that the proposed protocols can prevent any inside adversary from computing the session keys. Consider that an inside adversary *A*_{1} has eavesdropped the communication messages between the user and the server. Since *A*_{1} is a legal user of the same server, *A*_{1} knows *n*. However, *n*_{1} cannot be derived from *e* without the server’s private keys *p* and *q*, where mod *n*, owing to the quadratic residue assumption. Thus, the adversary cannot still recover *x*||*T*_{i}(*x*) from without the knowledge of *n*_{1}, where . Moreover, ** A** cannot work out

*h*(

*ID*||

*n*

_{1}).

*A*_{1}cannot obtain

*n*

_{2}||

*T*

_{j}(

*x*) from , since . Since , , and , due to the one-way property of the hash function,

*A*_{1}cannot determine

*T*

_{i}(

*x*),

*T*

_{j}(

*x*), or

*SK*. In a word, the session key cannot be derived from the messages transmitted over the public channel. The proposed schemes achieve session key security.

###### 6.3.4. Free Updating of Password

As described in Part C of Section 5, a user can freely update password without any interaction with the server during the password change phase.

###### 6.3.5. Resistance to Password Guessing Attacks

In the proposed TAKACP protocols, the login request message *e* is information that involves password *PW*. An inside adversary *A*_{1} may guess the password through the equation *c* = *d*_{1}⊕*h*(*ID||PW*). However, an inside adversary *A*_{1} cannot still obtain *c* from *e* since mod *n*. Therefore, the proposed protocols can resist password guessing attacks.

###### 6.3.6. Resistance to Replay Attacks

The proposed schemes maintain freshness by using two nonces and two chaotic maps. Specifically, the proposed protocols guarantee the freshness of messages by using *T*_{i}(*x*) and *n*_{1} in Step A1, *T*_{j}(*x*) and *n*_{2} in Step A2, and {*T*_{i}(*x*), *T*_{j}(*x*), *n*_{1}, *n*_{2}} in Steps A3 and A4, respectively. Since *n*_{1} is protected by the quadratic residues, only the server and the user itself know it. *T*_{i}(*x*), *T*_{j}(*x*), and *n*_{2} are contained in and . They can be calculated only when one knows the nonce *n*_{1}. Therefore, the proposed schemes can prevent replaying attacks.

#### 7. Security, Functionality, and Performance Comparison

In this section, we will make a comparison with the related TAKACP protocols in terms of security, functionality, and performance.

##### 7.1. Security Comparison

We compare the security of our proposed TAKACP schemes with respect to the related authenticated key agreement schemes [19–25, 27–30]. Table 6 summarizes the security properties of the proposed schemes and illustrates the comparison result.

As is indicated in Table 6, the proposed schemes are highly secure as compared to the related authenticated key agreement schemes [19–25, 27–30]. Especially, the proposed schemes can deal with several imperative security issues which most of the authenticated key agreement protocols based on the Chebyshev polynomials defined on the interval [−1,+1] suffer from. For example, the proposed schemes eliminate their weaknesses of the Lin scheme and the Guo-Chang scheme. In contrast, the authentication protocols [22, 23, 25, 28, 29] cannot preserve user anonymity. The protocol in [27] cannot provide the contributory property of key agreement since the session key is determined by the user. The authentication protocols [19, 20, 23] even cannot provide the session key security. Those protocols presented in [19–21, 23] cannot provide free updating of passwords. The Guo-Chang scheme achieves the anonymity-alone, while the Lin scheme provides weak unlinkability. The proposed schemes achieve the property, medium unlinkability. Note that designing the two-factor authentication protocol with strong unlinkability is still challenging.

##### 7.2. Performance Comparison

In this section, we evaluate the performance of the proposed schemes and make a comparison with the related authenticated key agreement schemes [19–25] in terms of the communication cost, storage, and computational overhead.

We suppose that the block size of secure symmetric cryptosystems is 128 bits, and the output size of a secure one-way hash function is 256 bits. In order to make the factoring problems infeasible in practical implementation, let the module *n* be an integer of 1024 bits. Since the registration of our schemes is based on a one-way hash function, the password length can be 128 bits. Suppose that the size of ID is 64 bits. In our proposed scheme, the cryptographic parameters {*c*, *d*} must be stored in the smart card. The length of this information is 1152 + 128 = 1280 bits, where *d* can be 128 bits and *c* must be encrypted in nine blocks. The size of the information stored in the smart card is 64 + 64 + 128 × 7 + 1024 = 2048 bits in Fan et al.’s scheme [22], 128 × 3 + 128 + 64 + 64+256 = 896 bits in Juang et al.’s scheme [23], 128 + 128 × 3 = 512 bits in Sun et al.’s scheme [24], 128 × 3 + 128 + 64 + 64 = 640 bits in Li et al.’s scheme [25], 128 × 3 + 256 + 256 = 896 bits in Guo et al.’s scheme [19], 128 × 3 + 256 + 128 + 128 = 896 bits in Lin’s scheme [20], and 128 × 2 + 128 + 128 = 512 bits in Lee’s scheme [21]. As is shown in Table 7, during the registration, the smart card needs a little larger storage space in the proposed schemes than those in other schemes [19–25, 28, 29]. However, it is practically insignificant considering the fact that most current mobile devices, including 4G cellular phones, personal digital assistants (PDAs), and notebook computers, have over a few hundred MB or a few GB of available memory.

In our proposed schemes, the messages transmitted in the registration phase are {*ID*, *d*}. The communication cost of the login protocol is 64 + 256 = 320 bits. The total size of messages transmitted during the authenticated key exchange phase for cryptographic parameters , , and {} is (1024 + 256 + 256) + (256 + 256) + 256 = 2294 bits. The authenticated key exchange phase requires three rounds of message transmission. During the password change, the proposed schemes require no message transmission between the user and the server since the server is not involved with the phase. Let the module number of the elliptic curve be an integer of 163 bits in Juang et al.’s scheme [23] and Sun et al.’s scheme [24]. Let the time stamp be a string of 32 bits in Guo et al.’s scheme [19], Lin’s scheme [20], and Lee’s scheme [21]. In Juang et al.’s scheme, the communication cost of the login phase about cryptographic parameters , {*u*, *M*_{s}}, and {*M*_{U}} is (384 + 384) + (256 + 256) + 256 = 1536 bits, where is the encryption of three blocks. The password change phase of Juang et al.’s scheme [23] requires that the user needs to agree on a session key with the server through the log-in phase in advance and then transmit the messages and , respectively. Hence, the size of the message transmitted in the password change phase of Juang et al.’s scheme is 2560 bits. By similar analysis, we can evaluate the communication cost of other related schemes [19–22, 24, 25, 27–30]. The communication cost and storage cost among our schemes and related schemes are shown in Table 7.

As can be seen from Table 7, during the authenticated key exchange phase, the size of the message transmitted between the user and the server in the proposed schemes is a little larger than the size of the message in the schemes [19–24,29]. However, the proposed schemes can provide the user with stronger privacy protection than the schemes in [22–24]. It also can achieve the session key confirmation, but the schemes [19–21,29] cannot provide the function. Moreover, the scheme in [29] cannot preserve the anonymity of the user. During the password change phase in the proposed schemes, no message transmission between the user and the serve is required. Compared with the proposed scheme, the server of the other schemes [19–23,25] is involved with the password change. Furthermore, quite a few messsages will be transmitted between the user and the server.

Now, we evaluate the computation cost of our protocols and related protocols. Let *T*_{c} denote the time to execute a Chebyshev polynomial computing. Let *T*_{s} represent the time to execute a symmetric encryption/decryption operation. We refer to *T*_{h} as the time to execute a one-way hash function operation. Let *T*_{m} denote the time to execute a scalar multiplication in the elliptic curve group. *T*_{e} represents the time to execute one exponentiation operation. We denote by *T*_{sq} the time to execute a squaring operation. *T*_{crt} represents the time to solve the square root through the CRT method. Since the XOR operations cost very little, we neglect it. Since a user is required to register with a server one time, the computational cost in the registration phase is not listed in Table 8.

The proposed protocols protect the random number *n*_{1} and the shared secret *c* by using the quadratic residues. The user requires one modular squaring operation, and the server requires one square root solving operation through the CRT and one symmetric decryption. The proposed protocols require no symmetric encryption operation. It needs only one Chebyshev polynomial computing in the user, which is less than one (two) Chebyshev polynomial computing than those in the Lin scheme (the Guo-Chang scheme). The proposed protocol requires one symmetric encryption operation and one Chebyshev polynomial computing in the server, which is less than two (one) symmetric encryption operations and two (two) Chebyshev polynomial computing than those in the Lin scheme (the Guo-Chang scheme). In the proposed protocols, one modular squaring operation does not affect user efficiency since the implementation of one modular squaring [35] can be reduced to only a few hundred gate-equivalents. In practical implementation of the proposed protocols, to efficiently compute the square roots in , the server does the pre-computation [22]. To be specific, S pre-computes and stores the inverse *p*’ of *p* modular *q* and the inverse *q*’ of *q* modular *p*. In order to compute the square root of *a*, one first computes mod *p* and , then he or she can calculate rapidly the four square roots of *a* in , for example, (*p’pa*_{2} + *q*’*qa*_{1}) mod *n*. Due to *p* ≡ *q* ≡ 3 (mod 4), the computation of (*a*_{1}, *a*_{2}) requires about the same time as performing a modular exponentiation computation in . Consequently, we have .

We have executed these operations by utilizing PyCrypto library in Python language in the computer with 16 GB RAM and a clock speed of 3.60 GHz. The time cost of all operations is as follows: *T*_{h} ≈ 0.0035 ms, *T*_{c} ≈ 0.1215 ms, *T*_{s} ≈ 0.0105 ms, *T*_{m} ≈ 0.109 ms, *T*_{sq} ≈ 0.0035 ms, and *T*_{crt} ≈ 0.0028 ms. Table 8 summarizes the computation cost of our scheme with those described in [19–25, 27–30]. As shown in Table 8 and Figure 6, during the authenticated key exchange phase, both the user and the server in the proposed protocols are required at the lowest computation cost among these two-factor authentication protocols [19–21, 29, 30] based on chaotic maps. In addition, the proposed schemes require no involvement of the server during the password change phase. Moreover, in comparison with the related schemes [19–25], the user is required at a very low computation cost during the password change phase of the proposed schemes.

#### 8. Conclusion

In this paper, we examine the limitations of Lin’s chaotic map-based authenticated key agreement protocol. We have proposed two TAKACP protocols with key confirmation. Compared with the Lin protocol and the Guo-Chang protocol, the proposed protocols achieve the following additional merits: session key secrecy, medium unlinkability, and free updating of passwords. The proposed protocols with the enhanced security do not affect the user’s or the server’s efficiency. Therefore, the proposed protocols are highly feasible for practical implementation.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The author declares that there are no conflicts of interest.

#### Acknowledgments

This work was partially supported by the National Natural Science Foundation of China (Grant nos. 61862028 and 61702238), the Natural Science Foundation of Jiangxi Province (Grant no. 20181BAB202016), and the Science and Technology Project of Provincial Education Department of Jiangxi (Grant nos. GJJ160430 and GJJ180288).