Secure Remote Multi-Factor Authentication Scheme Based on Chaotic Map Zero-Knowledge Proof for Crowdsourcing Internet of Things

Recently, the application scenarios of crowdsourcing IoT have extended to e-healthcare services, smart homes, smart cities, and the internet of vehicles, due to the proliferation of smart devices such as smart mobile devices, smart wearable devices, smart medical devices and smart furniture. Patients' data collected by the smart devices are sent to various remote medical servers. A group of medical professionals remotely access patient data stored in the medical server database. Smart home users want remote, real-time access to information from the smart devices at home. All these operations go through wireless remote communication, which suffers from various kinds of threats and attacks. Hence, a large number of multi-factor remote authentication and key agreement schemes have been designed for crowdsourcing IoT applications. However, in most existing related multi-factor schemes, all factors for identity authentication only act as a parameter for encrypting the local secret key. In this paper, we propose a new secure remote multi-factor authentication scheme that includes three factors: 1) user identity; 2) password; and 3) user biometrics, which are authenticated by the remote server, act as a part of the secret key and participate in the key agreement process. We choose the chaotic map since it has a smaller key size and lower computational overhead, and then achieve remote multi-factor authentication and key agreement by artfully applying it to zero-knowledge technology and fuzzy extractor technology. Our scheme is more secure and robust since the user reveals no sensitive information, and the adversary cannot impersonate any user even if he gets the server's master key. We have carried out a security proof for our proposed scheme using the Random-Or-Real (ROR) model, Burrows-Abadi-Needham (BAN) logic, and ProVerif 2.00 to show that the presented scheme is secure. We also give an additional security analysis for various other attacks.
Finally, according to the test and simulation results, the proposed scheme is very suitable for power-constrained smart devices, and in the next-generation 5G communication environment, its applicability and usability will be greatly enhanced.


I. INTRODUCTION
The Internet of Things is rapidly becoming one of the fastest-growing areas due to the extensive range of equipment in both the research community and domestic markets. There are several open research issues within the field of IoT, such as device detection, schema alignment, access control, and data management [20]. Recently, crowdsourcing research has [...] as the e-healthcare systems, smart home, smart city, internet of vehicles, etc.
The associate editor coordinating the review of this manuscript and approving it for publication was Noor Zaman.
For an e-healthcare system, it is necessary to collect sensitive patient information through smart devices and share it with a group of medical professionals in a protected online environment. For these types of treatments, where multiple professionals are involved, crowdsourcing Internet of Things (IoT) in e-healthcare services (Figure 1) is required. However, the growing use of the Internet provides opportunities for malicious users and attackers to gain unauthorized access to medical data through various network and information attacks. In order to protect critical and private medical information, researchers need to pay more attention to designing appropriate security protocols for crowdsourcing in e-health services. This requires remote user authentication and key agreement schemes that provide access to the service to authorized users only.
The smart home is another application scenario for crowdsourcing IoT (Figure 2). Its network can be implemented with the help of smart devices (such as smart doorbells, smart power controls, smart sensors, surveillance cameras and so on), wherein all of these devices communicate over a wireless channel through a home gateway node, which acts as a bridge between the smart devices and the home user. To secure remote access to the information of smart devices, the home gateway node needs to remotely authenticate the user's identity and establish a session key.
In addition, in other crowdsourcing IoT applications, remote authentication schemes for user access are also a focus of research.

A. RELATED WORK
In recent research, considering the power constraints of most IoT smart devices, the high access rate, and privacy protection for participants in wireless remote access communication, a large number of related schemes have been proposed.
Xu et al. [10] proposed a two-factor mutual authentication and key agreement scheme based on elliptic curve cryptography (ECC) to reduce the computational cost, which provides anonymity by employing a dynamic identity. Yan et al. [12] proposed a biometric-based user authentication scheme, but this scheme is vulnerable to the replay attack and cannot ensure user anonymity. Mishra also pointed out that Yan's scheme [12] does not protect against the off-line password guessing attack. Therefore, Mishra et al. [13] further proposed an enhanced biometric-based authentication scheme using random numbers. In 2015, Tan and Zuowen [14] extended the security requirements of two-factor authentication schemes to three-factor authentication schemes, which are mutual authentication, server not knowing password and biometric, and three-factor security.
Compared to traditional cryptographic schemes (such as RSA or ECC), schemes based on chaotic maps have shown better performance in low-power computing and have a smaller security key size, which suits IoT smart devices. Guo et al. [31] first proposed a chaotic map based password authentication scheme for the e-healthcare information system, which avoids the modular exponentiation or scalar multiplication on elliptic curves used in traditional authentication schemes. Hao et al. pointed out that Guo's scheme does not preserve user anonymity and that its double secret keys are inefficient. Hao et al. then proposed their improved scheme [7], which overcomes the weaknesses of Guo's scheme. In the same year, Lee and Fu [21] and Jiang et al. [32] modified Hao's scheme for higher security. Li et al. [22] found that both Lee's [21] and Jiang's [32] schemes are vulnerable to the service misuse attack and gave a secure authentication scheme to cope with the security weaknesses. Lu et al. pointed out that Chun's improved scheme still has some weaknesses, such as a vulnerability to the user impersonation attack, a lack of local verification, and a violation of the session key security. They subsequently proposed a robust and efficient three-factor authentication scheme [33]. Moon et al. [6] found that Lu et al.'s scheme is not secure against the replay attack, the impersonation attack, and the outsider attack. To solve these security vulnerabilities, they proposed a modified authentication scheme. In 2018, Roy et al. [1] found that the existing related schemes suffered from denial of server attack and did not provide a mechanism for revocation. Roy then proposed a lightweight three-factor remote authentication scheme that can resist various known attacks.

B. MOTIVATION
The existing related schemes do not fully exploit the unique characteristics of multi-factor authentication (Fig 3). Most of the proposed related schemes use the multiple factors to encrypt the secret key issued by the registration service. During the authentication process, the user completes the multi-factor verification locally and uses the factors to decrypt the secret key, and then uses the secret key for server-side authentication and key agreement. The authentication factors are neither authenticated by the server nor do they participate in key agreement. Therefore, if the secret key leaks, the adversary can impersonate a user and complete the authentication process without verifying any of the authentication factors. Compared with the traditional PKI and IBE schemes, these schemes have no essential difference.
In this paper, we aim to design a new secure lightweight remote multi-factor authentication scheme for crowdsourcing IoT applications, in which all authentication factors are authenticated by the remote server, act as a part of the secret key and participate in the key agreement process. In this scheme, the server no longer authenticates the secret key stored at the user's smart device client, but directly authenticates the user's authentication factors. To confirm the real user who operates on the client side, the server can remotely check whether the user can actually input the plurality of factors provided at the time of registration.
To achieve this target, we introduce technologies including the chaotic map, zero-knowledge proof, and the fuzzy extractor. But we are not just giving a simple combination of these technologies. The chaotic map has better performance in low-power computing and a smaller security key size compared to traditional cryptographic schemes (such as RSA or ECC). A zero-knowledge proof enables the prover to make sure the verifier is certain that some statements are correct, but the verifier does not learn anything except the validity of the statement. Fuzzy extractor technology can symbolize user biometrics. We design a scheme based on chaotic map cryptography, and then artfully apply it to privacy-preserving remote multi-factor authentication through fuzzy extractor technology and zero-knowledge technology by exploiting the mathematical properties of the Chebyshev polynomial.

C. OUR CONTRIBUTION
In this paper, we propose a secure remote biometric-based authentication scheme based on chaotic map zero-knowledge proof for crowdsourcing Internet of Things applications. The main contributions are as follows.
1) We are the first to achieve a remote multi-factor authentication scheme based on chaotic map zero-knowledge proof. In our scheme, all authentication factors can be remotely authenticated by the server or gateway node and participate in the process of the key agreement (Fig 4). The server can authenticate all authentication factors at once or, after a slight modification of the scheme, authenticate them one by one.
2) To protect the user's privacy, our scheme does not transmit or store any sensitive information from the user. The server and user complete the mutual authentication and key agreement phase without revealing any sensitive information. Because we use the chaotic map zero-knowledge proof to verify the user's sensitive information, the user can prove that he knows or owns a secret without revealing what it is.
3) Compared to the existing related schemes, our scheme has low computation and communication overheads and is very useful for resource-constrained and battery-powered devices.
4) The proposed scheme can resist various known attacks and provides more security properties. An adversary cannot impersonate any user even if he gets the server's secret key. We give the formal security proof through the Real-Or-Random (RoR) model, BAN logic, and ProVerif 2.00, and give an additional security analysis for various other attacks.

D. THREAT MODEL
The threat model used in the proposed scheme is the well-known Dolev-Yao [35] threat model (DY model), which accepts the following basic assumptions:
• The user $U_i$ and $S$ communicate over a public insecure channel.
• The adversary A can eavesdrop on, delete, or modify messages on public channels.
• Smart devices can be physically captured by A, and all the credentials stored in those smart devices can be extracted by A using power analysis attacks.

E. PAPER ORGANIZATION
Section II introduces the preliminary of zero-knowledge proof, fuzzy extractor, and Chebyshev polynomial chaotic maps briefly. Section III presents the procedure of our scheme in detail. In Section IV, the security of the proposed scheme is discussed. We compare the performance among our scheme and other related schemes in Section VI. Finally, Section VI concludes the paper and proposes the direction of future research.

II. MATHEMATICAL PRELIMINARIES
We apply zero-knowledge proof, fuzzy extractor, and Chebyshev polynomial chaotic maps for the proposed authentication scheme. For this purpose, we describe the fundamental concepts on zero-knowledge [37], fuzzy extractor on biometrics input [23], and Chebyshev polynomial chaotic maps [8], [9].
Theorem 3 [4]: Assume $a = b + c$, where $b, c \in N$ and $b, c \ge 2$; we have the following formula: (1)
Definition 2: Chaotic map-based discrete logarithm problem (CMDLP): For any given $x$ and $y$, it is computationally infeasible to find an integer $r$ such that $T_r(x) = y$. The advantage probability of A to solve CMDLP is :
Definition 3: Chaotic map-based computational Diffie-Hellman problem (CMCDHP): For any given $x$, $T_s$, and $T_m$, it is computationally infeasible to find an integer $r = ms$ such that $T_r(x) = T_{ms}(x) = y$. The advantage probability of A to solve CMCDHP is :
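The semigroup property of Chebyshev polynomials, which the two hardness definitions above rest on and which lets the user's T_{p_a}(M) equal the server's T_{x_s}(PA) in the session key, is shown below as an added example (not code from the paper). The modulus, the sample secrets and the form PA = T_{p_a}(X_i) are assumptions of this example; the paper's own formula for PA is missing from this copy.

```python
import secrets

# Demonstration modulus (the Mersenne prime 2^127 - 1); constructed for this
# example, not a parameter taken from the paper.
P = 2**127 - 1


def chebyshev(n, x, p=P):
    """Return T_n(x) mod p for the extended Chebyshev polynomial.

    Uses the doubling identities T_2k = 2*T_k^2 - 1 and
    T_(2k+1) = 2*T_k*T_(k+1) - x, so the cost is O(log n) multiplications.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p
    t_k, t_k1 = 1, x  # (T_0, T_1)
    for bit in bin(n)[2:]:
        t_2k = (2 * t_k * t_k - 1) % p
        t_2k1 = (2 * t_k * t_k1 - x) % p
        if bit == "0":
            t_k, t_k1 = t_2k, t_2k1
        else:
            t_k, t_k1 = t_2k1, (2 * t_k1 * t_k1 - 1) % p
    return t_k


def chebyshev_recurrence(n, x, p=P):
    """Reference version: T_n = 2x*T_(n-1) - T_(n-2), O(n) steps."""
    prev, cur = 1, x % p
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % p
    return cur


def key_agreement_values(big_x_i, x_s, p_a):
    """Return (user_value, server_value) for one run.

    M  = T_{x_s}(X_i) is what the server returns at registration.
    PA = T_{p_a}(X_i) is the ASSUMED form of the user's login value.
    Both sides then reach T_{p_a * x_s}(X_i) without sharing x_s or p_a.
    """
    m = chebyshev(x_s, big_x_i)       # stored on the user's device
    pa = chebyshev(p_a, big_x_i)      # sent over the public channel
    user_value = chebyshev(p_a, m)    # T_{p_a}(M)
    server_value = chebyshev(x_s, pa) # T_{x_s}(PA)
    return user_value, server_value


if __name__ == "__main__":
    # Constructed sample secrets.
    big_x_i = secrets.randbelow(P - 3) + 2
    x_s = secrets.randbelow(P - 3) + 2
    p_a = secrets.randbelow(P - 3) + 2
    user_value, server_value = key_agreement_values(big_x_i, x_s, p_a)
    print("values agree:", user_value == server_value)
```

An eavesdropper sees X_i, M and PA; recovering the shared value from them is the CMCDHP instance of Definition 3.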

B. ZERO-KNOWLEDGE PROOF
A zero-knowledge proof enables the prover (P) to make sure the verifier (V) is certain that some statements are correct, but the verifier (V) does not learn anything except the validity of the statement. In our scheme, we refer to the zero-knowledge proof proposed by Schnorr [37]. For a large prime number $p$ and the generator $g$ of $Z_p^*$, this zero-knowledge proof allows prover P to prove the knowledge of $s \in Z_p^*$ such that $y = g^s$ for some $y \in Z_p^*$ to verifier V.
Commitment: Prover P selects a random number $q \in Z_p^*$, computes $T = g^q$ and then sends $T$ to verifier V.
Challenge: Verifier V generates a random $c \in \{0, 1\}^n$ and sends it back to P.
Response: Prover P computes $z = q - cs \pmod{p}$ and returns it to verifier V.
Verify: Verifier V accepts the prover's proof if and only if $T = y^c g^z$.
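The four steps above, run end to end as an added example (not code from the paper). The demonstration-sized modulus, the base g = 3, the 64-bit challenge length and all function names are assumptions of this example; exponents are reduced modulo p - 1, the order of Z_p^*, so that the verification equation holds exactly.

```python
import secrets

# Demonstration-sized parameters constructed for this example (far too small
# for real use): P is the Mersenne prime 2^127 - 1 and G is a fixed base.
P = 2**127 - 1
G = 3
ORDER = P - 1  # g^(P-1) = 1 mod P, so exponents are reduced modulo P - 1


def keygen():
    """Return (s, y) with secret s and public y = g^s mod p."""
    s = secrets.randbelow(ORDER - 1) + 1
    return s, pow(G, s, P)


class Prover:
    def __init__(self, s):
        self._s = s
        self._q = None

    def commit(self):
        """Commitment: pick a fresh random q and send T = g^q."""
        self._q = secrets.randbelow(ORDER - 1) + 1
        return pow(G, self._q, P)

    def respond(self, c):
        """Response: z = q - c*s. The nonce q is discarded after one use,
        because two responses under the same q would expose s."""
        if self._q is None:
            raise RuntimeError("commit() must be called before each respond()")
        q, self._q = self._q, None
        return (q - c * self._s) % ORDER


def challenge(n_bits=64):
    """Challenge: a random c in {0,1}^n chosen by the verifier."""
    return secrets.randbits(n_bits)


def verify(y, t, c, z):
    """Verify: accept if and only if T = y^c * g^z (mod p)."""
    return t % P == (pow(y, c, P) * pow(G, z, P)) % P


def run_proof(prover_secret, y, c=None):
    """Run one commit/challenge/response round against public value y."""
    prover = Prover(prover_secret)
    t = prover.commit()
    if c is None:
        c = challenge()
    z = prover.respond(c)
    return verify(y, t, c, z)


if __name__ == "__main__":
    s, y = keygen()
    print("honest prover accepted:", run_proof(s, y))
    print("wrong secret accepted:", run_proof((s + 1) % ORDER, y))
```

The verifier only ever handles y, T, c and z; the secret s never leaves the prover.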

C. BIOMETRICS AND FUZZY EXTRACTOR
Given a biometric input $B$, such as a fingerprint or face from the user, a fuzzy extractor can extract the random string $\theta$ and the auxiliary string $\sigma$. Given a new biometric input $B^*$, which differs from the original biometric $B$ by up to the threshold value, and the auxiliary string $\sigma$, the fuzzy extractor will recover $\theta$ [36].
• Rep: $\theta = Rep(B^*, \sigma)$. It takes a new biometric $B^*$ and the helper string $\sigma$ as inputs. The correctness property of fuzzy extractors guarantees that if $dis(B, B^*) < t$, Rep can recover the original $\theta$.
• The security property guarantees that for any distribution $W$ on $M$ of $m$, the string $\theta$ is nearly uniform even for those who observe $\sigma$. $M = \{0, 1\}^n$ is a metric space. $m$ is the min-entropy of any distribution $W$ on metric space $M$; $l$ is the length of $\theta$; $t$ is the error tolerance threshold; is the statistical distance between two given probability distributions.
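A minimal code-offset construction illustrating Generation and Rep, added here as an example and not taken from the paper, which does not specify the fuzzy extractor it uses. The repetition code, SHA-256 as the extraction step, the 160-bit template and all names are assumptions chosen for illustration.

```python
import hashlib
import secrets

R = 5                        # repetition factor (odd), assumed for this sketch
K = 32                       # number of secret bits carried by the codeword
N = R * K                    # biometric template length in bits
THRESHOLD = (R - 1) // 2 + 1 # dis(B, B*) < THRESHOLD is always corrected


def encode(key_bits):
    """Repetition code: repeat every key bit R times."""
    return [b for b in key_bits for _ in range(R)]


def decode(word):
    """Majority vote inside each block of R bits."""
    return [1 if sum(word[i:i + R]) > R // 2 else 0
            for i in range(0, len(word), R)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def extract(key_bits):
    """Derive theta from the decoded bits (SHA-256 stands in for the
    randomness extractor in this sketch)."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def generation(b):
    """Generation(B) -> (theta, sigma). sigma = B xor codeword is the only
    value that has to be stored on the device."""
    if len(b) != N:
        raise ValueError("template must be %d bits" % N)
    key_bits = [secrets.randbits(1) for _ in range(K)]
    sigma = xor_bits(b, encode(key_bits))
    return extract(key_bits), sigma


def rep(b_star, sigma):
    """Rep(B*, sigma) -> theta. B* xor sigma is the codeword plus the
    reading noise, which the majority vote removes when it is small."""
    if len(b_star) != N or len(sigma) != N:
        raise ValueError("template and helper must be %d bits" % N)
    return extract(decode(xor_bits(b_star, sigma)))


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


if __name__ == "__main__":
    # Constructed sample template standing in for a real biometric reading.
    b = [secrets.randbits(1) for _ in range(N)]
    theta, sigma = generation(b)
    noisy = flip(b, [0, 1])       # distance 2 < THRESHOLD: recovered
    other = flip(b, [0, 1, 2])    # distance 3: majority in block 0 flips
    print("noisy reading recovers theta:", rep(noisy, sigma) == theta)
    print("distant reading recovers theta:", rep(other, sigma) == theta)
```

A reading at or beyond the threshold decodes to different bits, so the derived string no longer matches the one fixed at registration.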

III. PROPOSED SCHEME
In this section, we present the proposed scheme in detail. The proposed scheme has four phases, namely: 1) system setup; 2) registration; 3) login, authentication and key agreement; 4) password, biometric change and smart card or device revocation. For describing and analyzing the proposed scheme, we use the notations listed in Table 1.

A. SYSTEM SETUP
In this phase, Server S generates some parameters of the system.

B. REGISTRATION PHASE
Through the registration phase, the user $U_i$ registers with the server and gets a certificate via a secure channel. The following steps need to be executed.
Step 1: $U_i$ first chooses his own identity $ID_i$ and personal password $PW_i$, and imprints his biometric $B_i$ on the registered device (it can be a smart device that has the related applications installed);
Step 2: The registered device produces $(\theta_i, \sigma_i) = Generation(B_i)$ for $U_i$ by fuzzy extractor and generates a random number $r_i \in Z_p^*$. Then it computes where $T$ is a period of time (such as one week, one month and one year) and
Step 3: The registered device generates $T_{x_i}(X_i)$ and submits $\langle T_{x_i}(X_i), T, X_i, ID_i \rangle$ to $S$ via a secure channel;
Step 4: $S$ receives the registration request and computes $M = T_{x_s}(X_i)$. Then $S$ sends $\langle M \rangle$ back to the registered device and stores $\langle ID_i, T_{x_i}(X_i), T, X_i \rangle$ in the database.
Step 5: The registered device receives $M$ from $S$ and stores $\langle M, r_i, \sigma_i \rangle$ on the smart card or the user's mobile device. Table 2 shows the registration phase involved in the proposed.

C. LOGIN, AUTHENTICATION AND KEY AGREEMENT
To access the services from $S$, $U_i$ must complete the login, authentication and key agreement phase. This phase involves the following steps.
Step 1: $U_i$ first inserts the smart card into the authentication device or opens the application installed on the smart device (we call all these devices SC) and inputs his identity $ID_i$, password $PW_i$ and biometrics $B_i^*$ at the sensor. The device computes
Step 2: The SC selects two random numbers $p_a, e_a \in Z_p^*$ and computes TID =
Step 3: $S$ receives the user's message at time $T^*_{s_1}$ and then it verifies whether |T * the database and verifies whether $T$ is out of date? $S$ selects two random numbers $p_s$, $e_s$ and computes $e_a = N_i \oplus T_{s_1}$
Step 4: The SC receives the message $M_2$ at time $T_{s_2}$ and verifies whether |T * If not, the device terminates the phase. Otherwise, $U_i$ completes the authentication of $S$'s identity. Then it computes $w_a = p_a + x_i e_s$ and $SK = H_2(T_{s_1} \| T^*_{s_2} \| T_{s_3} \| w_a \| w_s \| T_{p_a}(M))$. Then SC sends the message
Step 5: $S$ receives the message $M_3$ at time $T^*_{s_3}$ and gets $w_a$. Then $S$ verifies if |T * If not, the device terminates the phase. Otherwise, $S$ completes the authentication of the user's identity and computes $SK = H_2(T_{s_1} \| T^*_{s_2} \| T_{s_3} \| w_a \| w_s \| T_{x_s}(PA))$ as the session key. Table 3 shows the login, mutual authentication and key agreement phase involved in the proposed.

D. PASSWORD, BIOMETRIC CHANGE AND SMART CARD OR DEVICE REVOCATION PHASE
A valid user $U$ can change his old password $PW_i$ and old biometric $B_i$ to new password $PW_i$ and another biometric $B_i$ by using the following steps.
Step 1: $U_i$ sends the revocation request to the server.
Step 2: $U_i$ completes the login, mutual authentication and key agreement phase.
Step 3: $U_i$ inputs his new password $PW_i$ and another biometric $B_i$ at the sensor and chooses a new period of time $T$.
Step 4: SC selects a random number $r_i$ and pro-
Step 5: $S$ gets the message and stores $\langle T_{x_i}(X_i), T, X_i \rangle$ instead of $\langle T_{x_i}(X_i), T, X_i \rangle$. Then $S$ computes $M = T_{x_s}(X_i)$ and sends $K_{is} \oplus M$ back to the SC.
Step 6: SC stores $\langle M, r_i, \sigma_i \rangle$ on the smart card or the user's mobile device instead of $\langle M, r_i, \sigma_i \rangle$.
Finally, the user's authentication credential will no longer be available and is automatically revoked after the time $T$ expires.
If a legal user $U_i$'s smart card or device is stolen or lost, it is required to revoke the lost SC and allow $U_i$ to log in using a new SC. The proposed scheme performs the following steps.
Step 1: $U_i$ initiates the revocation phase, chooses his own identity $ID_i$ and new password $PW_i^*$, and imprints his biometric $B_i^*$ on the SC;
Step 2: The SC produces $(\theta_i^*, \sigma_i^*) = Generation(B_i^*)$ for $U_i$ by fuzzy extractor and generates a random number $r_i^* \in Z_p^*$.
Step 3: The SC generates $T_{x_i^*}(X_i^*)$ and submits the revocation request $\langle T_{x_i^*}(X_i^*), T^*, X_i^*, ID_i \rangle$ to $S$ via a secure channel;
Step 4: $S$ receives the revocation request and verifies the authenticity of $U$ by checking other credentials, such as date of registration and registered id number. Then it computes $M^* = T_{x_s}(X_i^*)$, sends $\langle M^* \rangle$ back to the SC, and stores
Step 5: The SC receives $M^*$ from $S$ and stores $\langle M^*, r_i^*, \sigma_i^* \rangle$.

IV. SECURITY ANALYSIS
In this section, we prove the semantic security of the proposed scheme by using the random-or-real model. And then, with the help of BAN logic [19], we provide the mutual authentication proof between the user and the server in our scheme.
In the end, we also have given additional security analysis for other known attacks.

A. FORMAL SECURITY ANALYSIS USING RANDOM-OR-REAL MODEL
In this section, we give the formal analysis of our proposed scheme through the random-or-real (ROR) model [1], [2], [16]. To remove ambiguity, we use a common notation C for both participants $U_i$ and $S$. In order to break the security of the scheme, we assume that an adversary A executes different attacks using various oracle queries as follows:
Execute(C, S): This query models passive attacks in which A can eavesdrop on or output a message $m$ exchanged between $U_i$ and $S$ in an actual execution of the scheme.
Send(C, m): An active attack in which A sends a request message $m$ to C, and C replies to A according to the rules of the scheme.
Reveal(C): In this query, if the session key has been generated, C returns it to A. Otherwise, it returns a null value.
Corrupt($U_i$, a): This query simulates the capability of A to obtain sensitive information of the user $U_i$: if a = 1, the query returns $U_i$'s password; if a = 2, the query returns $U_i$'s biometric secret string $\theta_i$; if a = 3, the query returns the parameters stored in $U_i$'s smart device.

Test(C): This query can be invoked only once. If there is no session key, a null value will be returned to A. Otherwise C takes a decision based on the output of the coin $b$: if $b = 1$, C returns the current session key $SK$; if $b = 0$, C returns a random string.
Definition 5: An instance C is said to be accepted if, upon receiving the last expected protocol message, it goes into an accept state. The session identification (s_id) is formed by the ordered concatenation of all communicated messages $M_1$, $M_2$, $M_3$.
Definition 6: Two instances $U_i^{t_1}$ and $S_j^{t_2}$ are said to be partnered if they fulfil the following three conditions simultaneously: 1) both are in accept state; 2) both mutually authenticate each other and share the same s_id; 3) they are mutual partners of each other.
Definition 7 (Freshness): C is said to be fresh when the following conditions are met simultaneously: 1) C is in the accept state; 2) C has never received a Reveal(C) query; 3) C has received fewer than two Reveal(C) queries.
Definition 8 (Semantic Security): The advantage function of A in breaking the semantic security of the proposed authentication and key agreement (AKA) scheme by guessing the correct bit $b$: Adv AKA
Definition 9: The advantage probability of CMDLP is negligible for adversary A with execution time $t_A$, that is $Adv^{CMDLP}_A(t_A) \le$ , for any sufficiently small > 0.
Theorem 4: Let A be a polynomial time bounded attacker running in time A. To break the semantic security of the proposed scheme, adversary A makes $H_1$ and $H_2$ hash oracle queries, Send queries and Execute queries at most $q_{H_1}$, $q_{H_2}$, $q_s$, and $q_e$ times, respectively. Then where $l_{H_1}$ and $l_{H_2}$ are the string lengths of the hash results, respectively, $l_r$ is the string length of the random number, $\varepsilon_{bm}$ is the probability of false positive [17], $D$ is a finite dictionary with size $|D|$, $Adv^{AKA}_C$ is defined in Definition 8 and $Adv^{CMDLP}_A(t_A)$ is defined in Definition 9.
Proof: Let $Succ_i$ refer to the event of A successfully guessing bit $b$ in the Test query in the game $G_i$, $i = 0, 1, 2, 3, 4, 5$.
$G_0$: The real scheme in random oracles and the initial game are assumed to be identical, we obtain
$G_1$: Oracle queries such as Reveal, Execute, Corrupt, Test, $H_1$, $H_2$ and Send queries are simulated in $G_1$, and the working procedures of these queries are described in Table 4. $G_1$ creates three lists: 1) $L_{H_1}$ and $L_{H_2}$ answer hash oracles of $H_1$ and $H_2$, respectively; 2) $L_A$ stores outputs of random oracle queries; 3) list $L_T$ records transcripts between $U_i$ and $S$. Due to the indistinguishability of games $G_0$ and $G_1$, we have 4 2 l r +1 ). (7)
$G_3$: In this game, A obtains the correct message without active participation of hash oracles. Hence, we consider the following three cases. Considering three cases, we have
$G_4$: In this game, we consider mainly guessing attacks executed by A. 1) to guess $PW$. The probability of this case is $\frac{q_s}{|D|}$.
$C_2$: A executes Corrupt($U_i$, 2) to simulate the intentional or accidental guessing of the user biometrics key $\theta_i$. The probability of this case is at most $\{q_s(\frac{1}{2^{l_b}}, \varepsilon_{bm})\}$
$C_3$: We consider that A guesses the session key without active involvement of oracles $H_1$ and $H_2$. The $SK$ is computed with the hash of two chaotic maps $T_{p_a}(M)$ and $T_{x_s}(PA)$. Hence, the probability for this case is at most $2 q_{H_2} Adv^{CMDLP}_A(t_A)$.
$C_4$: A guesses the zero-knowledge proof parameters $w_s$ and $w_a$ in this case. From the perspective of A, $w_s$ and $w_a$ are like random numbers. So, for this case, the probability is at most $2\frac{q_s}{2^{l_r}}$. We can conclude that the games $G_3$ and $G_4$ are indistinguishable. So, we obtain
$G_5$: This game considers strong forward security. A executes Execute, Send and Hash oracle queries on old transcripts only to break forward security. To avoid termination of the game, the Test query should return the real session key for the instance of $U_i$ and $S$. Following the analysis of $G_4$, we have
Considering all the above games $G_i$, $i = 0, 1, 2, 3, 4, 5$, A gains no advantage to guess the correct bit $b$, we get,
Using the triangular inequality, we have the following:
According to the results of each game, we have:
Here, we have the required result:
Hence, the theorem is proved.

B. AUTHENTICATION PROOF USING BAN LOGIC
The BAN logic is widely used for analyzing mutual authentication between the user and server [19]. In this section, we use BAN logic to demonstrate how the proposed scheme achieves the authentication goals. Basic BAN logic notations are defined as follows:
• P |≡ X : P believes X;
• P X : P sees X;
• #(X) : X is fresh;
• P ⇒ X : P has jurisdiction over X;
• P |∼ X : P once said X;
• X K : X is encrypted with the key K;
• X Y : X combined with Y;
• $P \overset{K}{\leftrightarrow} Q$ : P and Q know the key K and use it to communicate.
• P X Q : P and Q use X to prove their identities to one another.
SK : The session key used in the current session.
The main rules of the BAN logic are given below
Rule 1 (Message-meaning rule):
Rule 2 (Nonce-verification rule):
Rule 3 (Jurisdiction rule):
Rule 4 (Freshness-conjuncatenation rule):
Rule 5 (Additional rule):
According to the analytic procedure requirement of BAN logic, the proposed scheme must satisfy the following test goals:
The generic form of all the messages are given below:
The idealized forms are as follows:
The basic assumptions are as follows:
$S_5$: According to NVL, we have, $S |\equiv U_i |\equiv (T_{s_1}, PA, N_i)$.
$S_6$: Using 6 and JL, we get, $S |\equiv (T_{s_1}, PA, N_i)$
$S_7$: From $S_6$ and AL, we obtain, $S |\equiv T_{s_1}$, $S |\equiv PA$, $S |\equiv N_i$.
$S_8$: According to 10, 11, 12, we get, $S |\equiv x_s$, $S |\equiv e_s$, $S |\equiv T^*_{s_2}$.
$S_9$: Since $K_{is} = H(T_s \| T^*_{s_2} \| e_a \| e_s \| T_{x_s}(PA))$ and the results in Steps $S_7$ and $S_8$ give From message 3, we obtain
$S_{10}$: S { w a , T s 3 K * is , T s 3 }.
$S_{11}$: From $S_9$, $K^*_{is} = K_{is}$ and MML, we get, $S |\equiv U_i |\sim (w_a, T_{s_3})$.
$S_{12}$: According to 5 and FCL, we obtain, $S |\equiv \#(w_a, T_{s_3})$.
$S_{13}$: According to NVL, we have, $S |\equiv U_i |\equiv (w_a, T_{s_3})$.
$S_{14}$: Using 7 and JL, we get, $S |\equiv (w_a, T_{s_3})$.
$S_{15}$: From $S_{14}$ and AL, we obtain, $S |\equiv w_a$, $S |\equiv T_{s_3}$.
$S_{16}$: According $S_7$, $S_8$, $S_{15}$ and
As a result, ($G_1$) and ($G_2$) ensure that both $U_i$ and $S$ mutually authenticate each other.

C. SECURITY VERIFICATION BASED ON SIMULATION TOOL
We use a popular security verification simulation tool, ProVerif, to show several security properties. ProVerif [18] is an automatic cryptographic protocol verifier in the formal model (the so-called Dolev-Yao model). This protocol verifier is based on a representation of the protocol by Horn clauses. By using ProVerif 2.00 to simulate the login, authentication and key agreement phase for user $U_i$ and server $S$, we get the following results of mutual authentication and session key secrecy (Figure 5):
• RESULT inj-event(Server_AuthEnd(sid)) ==> inj-event(Server_AuthStart(sid)) is true.

D. SECURITY ANALYSIS FOR OTHER VARIOUS ATTACKS
In this section, we give additional security analysis to show that our scheme can withstand the following various attacks.

1) REPLAY ATTACK
In the proposed scheme, $S$ ignores the message if $|T_s - T^*_s| > T$ and stores the pair $(ID_i, T_{p_a}(X_i))$ to protect the scheme from strong replay attack.

2) PASSWORD GUESSING ATTACK
To get user $U_i$'s identity factor, $ID_i$, $PW_i$, or biometric $B_i$, an adversary needs to guess them all simultaneously. The property of the hash function makes it hard to execute a password guessing attack.

3) STOLEN VERIFIER ATTACK
By executing this attack, the adversary can access the user's verification information stored in the server database. In our scheme, the server only stores $\langle ID_i, T, T_{x_i}(X_i), X_i \rangle$ for each user $U_i$. It does not store any sensitive information for authentication. Moreover, adversaries cannot pass the verification of the zero-knowledge proof since they do not have the password $PW_i$ and biometric $B_i$ of user $U_i$.

4) STOLEN SMART CARD OR MOBILE DEVICE ATTACK
If adversaries steal the smart card or the mobile device of a user and extract the information stored in it, they still cannot pass the authentication, because some important verification information, such as the password $PW_i$ and biometric $B_i$, must be entered by the user when the authentication begins.

5) PRIVILEGED INSIDER ATTACK
In this attack, we assume that the registration information $\langle T_{x_i}(X_i), T, X_i, ID_i \rangle$ is known to an adversary. It is also assumed that A obtains the information stored in the smart device. It is still a computationally difficult task for A to get $PW$ and the biometric key $\theta_i$ from the stored information $\langle M, r_i, \sigma_i \rangle$. Hence, our scheme can resist the privileged insider attack.

6) KNOWN SESSION KEY SECRECY
According to the login, authentication and key agreement phase, the session key is computed as $SK = H_2(T_{s_1} \| T^*_{s_2} \| T_{s_3} \| w_a \| w_s \| T_{p_a}(M))$. Due to the use of $T_{s_1}$, $T^*_{s_2}$, $T_{s_3}$, $w_a$, $w_s$, $SK$ is generated at random. Hence, the adversary cannot obtain crucial information from a previous session key.

7) USER IMPERSONATION ATTACK
An adversary needs to input $ID_i$, $PW_i$, and $B_i$ to impersonate a legal user. It is a computationally difficult task for A to guess these identity factors.

8) SERVER IMPERSONATION ATTACK
An adversary cannot impersonate a server unless he provides $w_s = p_s + x_s e_a$ in a session, which requires obtaining the server master secret key $x_s$ and the two random numbers $p_s$ and $e_s$. As a consequence, our scheme is free from the server impersonation attack.

9) SERVER-INSIDER ATTACK
In this attack, the adversary is a member of the server's internal staff who can obtain $x_s$ and the user's verification information stored in the server. Even so, the adversary cannot do whatever he wants in our scheme, because the authentication process of our scheme needs to verify the zero-knowledge proof of the user, and this secret can only be obtained by the user himself. The adversary cannot impersonate any user even if he gets the server's master key.

10) MAN-IN-THE MIDDLE ATTACK
The adversary may try to modify messages $M_1$, $M_2$, $M_3$ or establish independent connections with $U_i$ and $S$. However, an adversary cannot modify or regenerate any of the sent parameters, as the message contains the hash value. Hence, our scheme can resist this attack.

11) STRONG SECURE SECRET KEY
In our scheme, authentication factors such as ID, PIN code, and biometric are part of the secret, and the server directly authenticates the user's identity factors. In the login, authentication and key agreement phase, all the identity factors are authenticated by the server and participate in key agreement. Hence, the proposed scheme has a strong secure secret key.

V. PERFORMANCE COMPARISON
In this section, we discuss the efficiency of our proposed scheme and compare it with four existing related schemes: Xu [10], Moon [6], Chain [4] and Roy [1].

A. COMPARISON ON FUNCTIONALITY AND SECURITY
Table 5 gives a detailed comparison of the various security attacks and functions. Most of the related schemes fail to provide remote authentication of the biometric and password, and suffer from the server-insider attack. It is observed that our scheme not only supports much more functionality but also overcomes more security weaknesses.

B. COMPARISON ON COMPUTATION AND COMMUNICATION COST
In this paper, we choose a Xiaomi 6 mobile phone as the smart device on the user side and a MacBook Pro 2014 15.4 with an Intel i7 4770HQ processor on the server side. The Xiaomi 6 has a maximum clock speed of 2.45 GHz, 64 GB of flash memory and 6 GB of RAM, and has Android 9.0 installed. The MacBook Pro 2014 15.4 has a maximum clock speed of 3.4 GHz, with Mac OS and 16 GB of RAM. We use the C language under a specific IDE and the C/C++ MIRACL Library to implement all the cryptographic operations.
We have not considered the costs of the registration, password and biometric change, and smart card or device revocation processes, since they run only a limited number of times. Therefore, we consider the communication and computation cost of the login, authentication, and key agreement phase. Table 6 compares the computational costs and communication rounds in the login, authentication and key agreement phase of our proposed scheme with those of Xu [10], Moon [6], Chain [4], and Roy [1]. Table 7 shows the notations. The total user-side computation overhead required in our scheme is $T_{Fe} + 4T_{ch} + 4T_h$. According to the experiment, the average execution time is approximately 7 ms. The server $S$ needs $4T_{ch} + 2T_H$, and its average execution time is approximately 3 ms. We then simulated a large number of crowdsourcing IoT users accessing the server and recorded the time spent for 200 to 1000 users, without communication delay; the result is shown in Figure 6. According to the experimental result, our scheme's execution time is nearly half that of the [10] and Chain [4] schemes, and compared with the lightweight schemes Moon [6] and Roy [1], it does not add much execution time.
For communication overhead, we ran another experiment under the same experimental conditions, this time taking the communication delay into account; the result is shown in Figure 7. Compared with the experiment without communication delay, we find that the time lost to communication delay is much higher than the time lost to cryptographic calculation. In the next-generation 5G communication environment, communication delay will be greatly improved. Therefore, we also test the time consumption under a simulated ideal 5G communication delay. From Figure 8, we can see that the efficiency of our scheme increases greatly and exceeds that of the lightweight scheme [6].

VI. CONCLUSION
We have designed a secure, lightweight, remote multi-factor authentication scheme based on chaotic map zero-knowledge proof for crowdsourcing IoT applications. In the proposed scheme, the server no longer authenticates the secret key stored at the user's smart device client, but directly authenticates the user's authentication factors. All authentication factors act as a part of the secret key and participate in the procedure of authentication and key agreement. By using the ROR model and BAN logic for formal security analysis, and giving an additional security analysis for other various attacks, we show that our scheme is secure against various attacks. Finally, according to the test and simulation, we show that our scheme has low computational and communication overhead, which suits users with power-constrained smart devices, and that it will be greatly enhanced in the next-generation 5G communication environment.
Future work: We are working on extending our authentication scheme to the multi-server environment.
WENZHENG LIU received the M.S. degree in applied math from Zhejiang University, in 2016. He is currently pursuing the Ph.D. degree with the College of Computer, National University of Defense Technology. His research interests include applications of identity-based cryptography, the Internet of Things, stream ciphers, financial cryptography, data security, and mobile cloud computing.
XIAOFENG WANG received the Ph.D. degree from the National University of Defense Technology. His current research interests include trusted networks, network security, and distributed intelligent data processing.