A Provably Secure Three-Factor Authentication Protocol Based on Chebyshev Chaotic Mapping for Wireless Sensor Network

Wireless sensor networks (WSNs) are widely deployed and play a vital role in the Internet of Things, smart cities, military applications and other fields, so their security has attracted the attention of many researchers. In view of the security defects of Shin and Kwon's scheme, namely failure to provide three-factor security, lack of anonymity and untraceability, user impersonation attack, desynchronization attack and privileged insider attack, we propose an improved, provably secure three-factor user authentication scheme for WSNs based on Chebyshev chaotic mapping. The scheme employs the fuzzy verifier technique to prevent an attacker who has obtained a stolen or lost smartcard from mounting an offline guessing attack on the user's identity and password. During the authentication phase, a dynamic identity mechanism preserves the anonymity of the user and the sensor and prevents desynchronization attack, and Chebyshev chaotic mapping is introduced to improve security and reduce computation overhead. A rigorous security proof in the random oracle model and a formal verification with ProVerif show that our protocol overcomes the weaknesses of Shin and Kwon's scheme. In addition, a performance comparison with related schemes shows that our proposal not only removes the security risks of Shin and Kwon's protocol but also achieves a better tradeoff between security and efficiency, making it more suitable for user authentication in WSN environments.


I. INTRODUCTION
With the rapid development of network communication technology, computer intelligence and embedded technology, wireless sensor networks (WSNs) have been widely used in military surveillance, smart homes, industrial automation, medical care and other important fields, making information processing in these fields more efficient and intelligent [1]. Unlike traditional networks, a WSN contains a large number of sensor nodes with environmental sensing and communication capabilities, which are often deployed in unattended environments [2]. A sensor sends the collected data to the remote user for further processing through the gateway over a wireless channel. Because of their limited energy and computing capability, their deployment in unattended or harsh environments, and their use of open wireless channels, wireless sensors face the risk that transmitted sensitive information is eavesdropped, intercepted or tampered with by attackers, with serious consequences such as privacy disclosure. The key technology for solving this problem is a user authentication mechanism that lets the user and the sensor authenticate each other and negotiate a session key that encrypts the sensitive data transmitted between them, preventing unauthorized access by third parties. Because of the scarce resources of wireless sensors, the security techniques of traditional networks cannot be applied directly to WSNs, and devising a secure WSN remote authentication protocol under such resource constraints has become one of the hot topics in the field. To address these issues, researchers have presented a considerable number of WSN authentication protocols [3]-[7] that verify the identity of users and negotiate a session key to encrypt the communication between users and sensors.

The associate editor coordinating the review of this manuscript and approving it for publication was Tariq Umer. VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

Although multi-factor authentication for WSNs has become a research hotspot and attracted the attention of industry and academia, it still faces many challenges: richer application scenarios, higher security requirements, and cryptographic primitives and communication rounds that are limited by computing capability and bandwidth, respectively. Thus, it is not easy to analyze the existing authentication protocols thoroughly enough to find their security weaknesses and then design a new protocol that overcomes those defects while maintaining acceptable efficiency. Recently, Shin and Kwon [42] put forward a three-factor authentication protocol for WSNs to overcome the security vulnerabilities of a previous scheme. Shin and Kwon claimed that their protocol eliminated the flaws of the previous scheme and gave a security proof that it resists active and passive attacks. Unfortunately, when cryptanalyzing their three-factor authentication scheme we still find several serious security flaws, which make it unsuitable for practical applications.
To remove the security risks in Shin and Kwon's protocol, we present an improved three-factor WSN authentication protocol. Because chaotic-map-based cryptography requires less computation time and provides comparable security to other public key cryptography [43], the improved scheme uses Chebyshev chaotic mapping to fix the problems in Shin and Kwon's scheme and to improve its security and efficiency. Our contributions are as follows. First, we analyze Shin and Kwon's authentication protocol and find that it fails to provide three-factor security, is vulnerable to user impersonation attack, desynchronization attack, sensor node capture attack and privileged insider attack, and lacks anonymity and untraceability. Second, we propose a secure three-factor authentication protocol for WSNs based on Chebyshev chaotic mapping that overcomes these defects; in particular, we use the fuzzy verifier technique [32] to thwart password guessing attacks. Third, we give a security proof in the random oracle model and an informal security analysis showing that the improved protocol resists known attacks, and we use the ProVerif tool to verify the proposal; together these show that our proposal achieves mutual authentication and session key security. Finally, we compare the improved scheme with related schemes to show that it achieves a better tradeoff between performance and security requirements.
The rest of our paper is organized as follows: Section II provides an overview of the recent related work. Section III introduces the preliminaries, and Shin and Kwon's protocol is reviewed and cryptanalyzed in Section IV. In Section V, we put forward our improved scheme, and the security analysis is presented in Section VI. Section VII summarizes the security and performance. Finally, the paper is concluded in Section VIII.

II. RELATED WORK
In 2009, Das [8] proposed an authentication scheme for WSNs based on two factors (password and smartcard). The scheme does not require the gateway node to maintain a table of user information, nor does it require the sensor node to store information about a specific user. It is implemented mainly with hash functions and claims low computation cost and resistance to all kinds of network attacks. However, after analyzing Das's scheme, several researchers [9]-[11] found security vulnerabilities such as offline password guessing attack, node capture attack, lack of user anonymity, insider attack and user impersonation attack, and put forward improved schemes. Although various authentication protocols have been proposed for the WSN environment, as in [12]-[15], [63], Wang et al. [16] point out that these and similar protocols based on password and smartcard generally cannot meet the security requirements of WSNs and suffer from smartcard loss attack, which may have serious consequences. To better assess the security of authentication schemes for industrial WSN environments, Wang et al. also put forward a set of evaluation criteria [17].
With the development of biometric and pattern recognition technology, biometric characteristics (such as fingerprints, iris and face) have attracted the attention of an increasing number of researchers because they are hard to forge, lose, forget or guess. In recent years, to further enhance the security of authentication protocols and extend WSNs to high-security applications, researchers [18]-[20] have introduced biometrics as an additional factor on top of two-factor protocols, proposing three-factor authentication protocols for WSN environments. From 2014 to 2015, Das proposed three different three-factor WSN authentication schemes [19], [21], [22]. However, Wu et al. [20] found that these three schemes can resist neither offline password guessing attack nor user impersonation attack, and do not ensure forward secrecy; to fix these defects, they presented an enhanced scheme. Unfortunately, the scheme of Wu et al. does not verify the correctness of the password locally, so a wrong password is detected only when the gateway rejects the login, which wastes computing resources on the gateway. Lu et al. [23] also studied Das et al.'s protocol, found that it fails to ensure three-factor security and to resist user impersonation attack, and devised an enhanced protocol employing elliptic curve cryptography (ECC). After analyzing Lu et al.'s protocol, Mo and Chen [24] found that it is still unable to ensure three-factor security, lacks strong key security and is prone to information disclosure attack, so it is not suitable for WSN applications; they proposed an improved protocol to overcome these defects.
Unfortunately, Yu and Park [57] showed that Mo and Chen's scheme is susceptible to masquerade attack and session key exposure attack and does not provide anonymity and untraceability, and suggested a new scheme for WSNs. Later, Amin et al. [25] presented a hash-based three-factor WSN authentication protocol to address the temporary information disclosure attack, user counterfeiting attack and other security threats in Farash et al.'s scheme [26]. Jiang et al. [27] showed that Amin et al.'s protocol [25] still cannot withstand temporary information disclosure attack, user counterfeiting attack and tracking attack, and came up with an improved protocol. Because Jiang et al.'s scheme adopts Rabin public key cryptography, which needs heavy computation, their protocol requires more computation time overall.
Recently, Amin et al. [28] presented an authentication scheme for medical WSN environments that uses a synchronous update technique to preserve user anonymity and untraceability. Their work attracted the attention of many scholars. Jiang et al. [29] showed that Amin et al.'s protocol [28] is exposed to mobile device loss attack, sensor key leakage and desynchronization attack, and put forward an enhanced scheme to eliminate these shortcomings. Although Jiang et al. [29] improved the security of Amin et al.'s protocol, Mo et al.'s analysis [30] found that their scheme cannot resist temporary information disclosure attack, privileged insider attack and denial of service attack; as a remedy, Mo et al. proposed a corresponding enhanced version. Li et al. [31] also showed that Amin et al.'s scheme [28] suffers from denial of service attack and lack of forward secrecy, and to solve these problems they put forward an enhanced biometrics-based authentication scheme employing a fuzzy verifier [32]. Unfortunately, their scheme cannot prevent replay attack because it does not use timestamps in the transmitted messages.
Independently, Wu et al. [61] and Kumar [62] proposed hash-based authentication protocols for WSNs to secure the communication between user and sensors. However, our analysis of the scheme of Wu et al. [61] finds that it fails to provide three-factor security, lacks anonymity and is vulnerable to information leakage attack. Although Kumar's protocol [62] resists offline password guessing attack thanks to the fuzzy verifier technique, it still cannot prevent information leakage attack, because the three random numbers used to compute the session key are not independent of one another.
Because public key cryptography techniques like RSA, bilinear pairings, ECC, and chaotic mapping are able to provide higher security, some new authentication protocols try to employ public key cryptography to guarantee the secrecy of session key and resist various attacks.
Moghadam et al. [33] presented an authentication protocol for WSN environments based on the elliptic curve Diffie-Hellman problem to cope with stolen verifier attack and lack of forward secrecy. Nevertheless, Kwon et al. [34] found that Moghadam et al.'s protocol is prone to insider attack and session-specific random number leakage attack and fails to provide forward secrecy, and proposed an improved protocol to eliminate these deficiencies. However, we observe that Kwon et al.'s scheme can neither withstand sensor node capture attack nor ensure three-factor security. Rangwani et al. [58] also designed an ECC-based authentication protocol for WSNs in industrial Internet of Things settings and claimed that it withstands diverse attacks and surpasses other schemes. In 2021, Xie et al. [64] and Jabbari et al. [65] each suggested an improved lightweight three-factor authentication scheme for WSNs using ECC to fix security vulnerabilities in previous schemes. Nevertheless, we observe that none of the schemes [58], [64], [65] provides three-factor security; scheme [58] fails to resist counterfeit attack and replay attack against both the user and the gateway, and the protocol in [65] is insecure against information leakage attack. Moreover, the network model of [64] is unreasonable, because the user communicates directly with the remote sensor without going through the gateway, which exhausts the sensor's energy quickly, as explained in [24]. In 2019, Wang et al. [35] proposed a three-factor authentication scheme using chaotic mapping theory to address defects in a previous scheme. In the following year, Xu et al. [36] put forward an authentication scheme for medical WSNs based on Chebyshev chaotic mapping to improve efficiency and security, claiming that it is better suited to WSN settings.
However, our cryptanalysis shows that both of these protocols still have security defects; for instance, neither can withstand GWN impersonation attack. Additionally, Xu et al.'s scheme cannot withstand user impersonation attack and insider attack.
Although many WSN authentication schemes have continuously improved on their predecessors, they are still found to have security problems of their own. In 2014, Kim et al. [37] designed a user authentication protocol that claims to defend against user counterfeit attack and gateway node bypass attack. The analysis of Chang et al. [38] shows that Kim's scheme cannot resist counterfeiting attack, smartcard loss attack and man-in-the-middle attack, and cannot preserve user privacy; they subsequently proposed an improved protocol with dynamic identity technology to overcome these shortcomings. However, their protocol was analyzed separately by Park et al. [39] and Jung et al. [40] and found to have weaknesses including offline password guessing attack, user impersonation attack and lack of forward secrecy. To enhance the security of the original scheme, Park et al. and Jung et al. each designed an enhanced three-factor protocol.
Unfortunately, in 2017, after analyzing these two protocols, Wang et al. [41] found that they cannot withstand offline dictionary attack and user counterfeit attack, and lack user anonymity and forward secrecy. Wang et al. [41] then presented an enhanced ECC-based version whose security was proved with BAN logic. Later, Shin and Kwon [42] studied the protocol of Jung et al. [40] and argued that it has the following security defects: tracking attack, insecurity of the gateway node key, information leakage attack and user impersonation attack. They correspondingly proposed an improved scheme and remarked that it prevents various kinds of attacks, active or passive. However, Shin and Kwon's protocol suffers from some serious weaknesses, as cryptanalyzed in Section IV.
According to the previous analysis, designing an authentication scheme with high security is a process that requires continuous in-depth research and analysis of the existing authentication protocols, with proposed reasonable solutions after discovering its security risks.

III. PRELIMINARIES

A. CHEBYSHEV CHAOTIC MAPPING
According to [44], [45], the Chebyshev polynomial of degree n is defined as $T_n(x) = \cos(n \cdot \arccos x)$ for $x \in [-1, 1]$. By definition, $T_n(x)$ satisfies the iterative relation $T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x)$ with $T_0(x) = 1$ and $T_1(x) = x$, and the map $T_n: [-1, 1] \to [-1, 1]$ is called a chaotic map for $n > 1$. To enhance the characteristics of Chebyshev chaotic mapping, Zhang [45] proposed an extended Chebyshev polynomial in 2008, defined as $T_n(x) = (2x\,T_{n-1}(x) - T_{n-2}(x)) \bmod P$, where P is a large prime and $x \in (-\infty, +\infty)$. The extended Chebyshev polynomial still fulfills the semigroup property, i.e., $T_m(T_n(x)) = T_{mn}(x) = T_{nm}(x) = T_n(T_m(x))$ for $m, n \in \mathbb{Z}^+$.
The security of the extended Chebyshev chaotic mapping rests on the following computational problems: the Chebyshev polynomial discrete logarithm problem (CPDLP), i.e., given x and $T_n(x)$, find n; and the Chebyshev polynomial computational Diffie-Hellman problem (CPCDHP), i.e., given x, $T_m(x)$ and $T_n(x)$, compute $T_{mn}(x)$. Compared with other chaotic maps, the hardness of CPDLP and CPCDHP together with the semigroup property make Chebyshev chaotic mapping suitable for generating a secure session key in authentication protocols. More importantly, the computation cost of a Chebyshev chaotic map evaluation is only about 1/3 of that of an elliptic curve scalar multiplication [35], which greatly reduces the computational cost on resource-constrained devices such as wireless sensors. Because of these advantages, we use Chebyshev chaotic mapping to design an improved scheme over Shin and Kwon's protocol.

B. ADVERSARY MODEL
It is very important to understand the capabilities of an attacker when cryptanalyzing cryptographic protocols and designing new ones. Therefore, we depict the adversary model in the WSN environment based on the Dolev-Yao model [46] as follows:
(1) The attacker can eavesdrop, intercept, tamper with and forward the messages transmitted on the wireless channel.
(2) If the attacker acquires the user's lost/stolen smartcard, he can extract the secret information on the card [47], [48].
(3) For ease of memorization, the ID and password chosen by the user are often of low entropy. The attacker can enumerate the Cartesian product of the identity space and the password space to mount an offline guessing attack [55], [56].
(4) When examining whether the protocol satisfies certain security properties, such as forward secrecy, the attacker may obtain the system's master key.
(5) The random nonces in the protocol must be large enough that the attacker cannot guess them within polynomial time [24].
The high-level view of the adversary model in the WSN architecture is shown in Figure 1.

C. SYMBOLS AND MEANING
The symbols and their meanings used in our cryptanalysis and the proposed protocol are listed in Table 1.

IV. REVIEW AND CRYPTANALYSIS OF SHIN AND KWON'S SCHEME

A. REVIEW OF SHIN AND KWON'S SCHEME
This section briefs Shin and Kwon's protocol. Their scheme is composed of four phases: system setup, user registration, login and authentication, and password change. Since the last phase is not related to our analysis, we ignore it.

1) SYSTEM SETUP
(1) GWN randomly selects two secret keys K U and K S .
(2) GWN selects a unique SID j for each sensor S j and computes its private key X j = h(SID j ||K S ). (3) S j stores SID j and X j in memory and is deployed to the target area.

3) LOGIN AND AUTHENTICATION
If the condition does not hold, U i aborts the session; otherwise, it selects a random number w i, calculates PID 1 i and the remaining login parameters, and sends the login message to GWN. After receiving the message from U i, GWN first checks the freshness of the timestamp T 1. If it is not fresh, GWN terminates the session; otherwise, it searches for TID i in its database according to PID 1 i, performs its computations, and sends {PID 1 i, M G, M gs, T 2} to S j. S j verifies whether M * gs = M gs. If not, S j terminates the session; otherwise, it selects a random number w j, performs its computations, and replies to GWN with {M j, M sg, T 3}. GWN then sends {P 2 i, M G, M gu, T 4} to U i, which checks whether M * gu = M gu holds. If not, U i aborts the session; otherwise, it replaces C 1 i with C 2 i on the smartcard.

B. CRYPTANALYSIS ON SHIN AND KWON'S SCHEME
Shin and Kwon's scheme comes with a formal security proof and claims to defend against a variety of passive and active attacks and to meet various security requirements. However, our detailed cryptanalysis shows that their protocol is not as secure as claimed and suffers from the following serious security risks.

1) FAILURE OF PROVIDING THREE-FACTOR SECURITY
Shin and Kwon's protocol is a three-factor scheme, which means that even if the attacker acquires two of the three factors, he still must not be able to log on to the system. However, we find that an attacker who maliciously collects the user's biometric information BIO i and acquires the user's stolen/lost smartcard can launch an offline guessing attack on the protocol and obtain the user's identity and password, so the protocol does not provide real three-factor security. The attack procedure is as follows: (1) The attacker retrieves the secret data (including Rep()) from the smartcard via power analysis attack [47], as allowed by item (2) of the adversary model. (2) The attacker calculates Gen(BIO i ) = (θ i , τ i ).
(3) The attacker selects a candidate (ID * i , PW * i ) from the identity dictionary S ID and the password dictionary S PW and recomputes the verifier stored on the card. If it matches, the attacker has found the correct ID i and PW i; otherwise, he repeats steps (3)-(5) until they are found. We use |S ID | and |S PW | to denote the sizes of S ID and S PW, and T h to denote the execution time of the hash function. The time complexity of the above attack is $O(|S_{ID}| \cdot |S_{PW}| \cdot 5\,T_h)$. In practice, |S ID | and |S PW | are relatively small, $|S_{ID}| \le |S_{PW}| \le 10^6$ [50], [51], and T h is negligible, so the attacker can find ID i and PW i of U i in polynomial time.
Thus, Shin and Kwon's scheme cannot ensure three-factor security.
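The attack above works because the value stored on the card can be checked offline with an exact comparison. The following Python is an added example (it is not code from the paper) contrasting that situation with the fuzzy verifier used in Section V, C i = (a i ⊕ h(ID i ||PW i ||H(BIO i ))) mod m with m ∈ [2^4, 2^8]: with the card and BIO i in hand, an attacker enumerating S ID × S PW is still left with about |S ID |·|S PW |/m candidates that all pass the card-side check, and can only tell them apart online at the GWN, where attempts can be counted and blocked. Assumed for the example: SHA-256 for h() and H(), a verifier of the shape V = h(ID||PW||H(BIO)) standing in for the exact-match check of Shin and Kwon's card (the page does not show its exact form), and a masking A 1 = a i ⊕ h(ID i ||H(BIO i )) from which the card recovers a i. The dictionaries and the biometric template are constructed.

```python
import hashlib
import itertools
import secrets


def h(*parts):
    """h(): SHA-256 over the '||'-concatenation of its byte-string arguments, as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big")


def H(bio):
    """H(): biometric hash; stands in for the Gen()/Rep() fuzzy-extractor output (assumed)."""
    return hashlib.sha256(b"bio:" + bio).digest()


# --- exact-match verifier (assumed shape of the card data attacked in Section IV-B-1) ---
def enroll_strict(ID, PW, BIO):
    return {"V": h(ID, PW, H(BIO))}


def check_strict(card, ID, PW, BIO):
    # One hash per candidate and a yes/no answer: an offline dictionary attack ends with one survivor.
    return card["V"] == h(ID, PW, H(BIO))


# --- fuzzy verifier of the proposed scheme: C_i = (a_i XOR h(ID||PW||H(BIO))) mod m ---
def enroll_fuzzy(ID, PW, BIO, m, a_i=None):
    a_i = secrets.randbits(256) if a_i is None else a_i
    A_1 = a_i ^ h(ID, H(BIO))                 # assumed masking of a_i on the card
    C_i = (a_i ^ h(ID, PW, H(BIO))) % m       # only log2(m) bits of evidence about (ID, PW)
    return {"A_1": A_1, "C_i": C_i, "m": m}


def check_fuzzy(card, ID, PW, BIO):
    a_i = card["A_1"] ^ h(ID, H(BIO))
    return (a_i ^ h(ID, PW, H(BIO))) % card["m"] == card["C_i"]


def offline_guess(card, BIO, S_ID, S_PW, check):
    """Adversary model items (2) and (3): card contents and BIO known, enumerate S_ID x S_PW offline."""
    return [(i, p) for i, p in itertools.product(S_ID, S_PW) if check(card, i, p, BIO)]


def expected_survivors(n_id, n_pw, m):
    """Candidates left after an offline pass against the fuzzy verifier: the true pair plus ~1/m of the rest."""
    return 1 + (n_id * n_pw - 1) / m


if __name__ == "__main__":
    S_ID = [f"user{k}".encode() for k in range(50)]       # constructed dictionaries
    S_PW = [f"pw{k}".encode() for k in range(400)]
    ID, PW, BIO = b"user7", b"pw123", b"fingerprint-template"
    strict = offline_guess(enroll_strict(ID, PW, BIO), BIO, S_ID, S_PW, check_strict)
    fuzzy = offline_guess(enroll_fuzzy(ID, PW, BIO, m=2 ** 6), BIO, S_ID, S_PW, check_fuzzy)
    print("exact-match verifier:", len(strict), "candidate(s) ->", strict)
    print("fuzzy verifier (m=64):", len(fuzzy), "candidates, expected about",
          round(expected_survivors(len(S_ID), len(S_PW), 64)))
```

Each surviving candidate still has to be tried against the GWN, whose check of M UG involves K i and the master key X g and therefore cannot be simulated offline; the GWN can lock the account after a few failures. The price of the fuzzy verifier is a 1/m chance that a mistyped password passes the local check and reaches the GWN, which is why m is kept in [2^4, 2^8] rather than made large.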

2) USER IMPERSONATION ATTACK
According to the above analysis, an attacker can guess the user's identity and password from the obtained biometrics and smartcard. With this information, the attacker can impersonate the user to log on to the system as follows: (1) The attacker chooses a random number w i, calculates PID 1 i and the other login parameters exactly as a legitimate user would, and sends the login message to GWN. (2) GWN verifies whether M ug matches h(TID i ||HID * i ||PID 1 i ||R * i ||T 1 ). Obviously, the check succeeds, so the attacker passes the authentication of the GWN. Thus, the attacker can successfully perform user impersonation attack on Shin and Kwon's scheme.

3) LACK OF ANONYMITY AND UNTRACEABILITY
Referring to Section IV-B-1), an attacker can obtain the secret information {TID i , HID i } needed to track the user as follows: (1) The attacker calculates Gen(BIO i ) = (θ i , τ i ).
(2) The attacker calculates TID i and HID i from the card data and the guessed ID i and PW i, and can then link the user's login messages to these fixed values.

4) DESYNCHRONIZATION ATTACK
In Shin and Kwon's scheme, GWN embeds the new value C 2 i in P 2 i and sends it to U i. After verifying the authenticity of GWN, U i restores C 2 i from P 2 i and replaces C 1 i with C 2 i on the smartcard. When U i logs in to the GWN again, C 1 i is used to restore PID 1 i, the user's new pseudonym, which is placed in the login message sent to the GWN. This synchronization mechanism changes the user's pseudonym at every login, preventing attackers from tracking users by fixed parameters in the login request. However, the mechanism assumes an ideal setting in which every message sent during the authentication process is received correctly by its recipient. If an attacker intercepts the message {P 2 i , M G , M gu , T 4 } sent by GWN to U i, the synchronization is broken and the user can no longer log on to GWN: the entry {PID 1 i , TID i } in the GWN database has already been updated to {PID 2 i , TID i }, but C 1 i on the smartcard cannot be updated to C 2 i without the newest P 2 i. Therefore, when the user logs in to the GWN again, GWN rejects the login because the query with the keyword PID 1 i returns nothing. An attacker can also break the synchronization by tampering with P 2 i: he intercepts {P 2 i , M G , M gu , T 4 }, modifies P 2 i to P′ 2 i (P′ 2 i ≠ P 2 i), and retransmits the modified message. U i restores C′ 2 i from P′ 2 i, recomputes M * gu and verifies whether M * gu = M gu holds. Obviously, this condition fails because C′ 2 i ≠ C 2 i, so the user rejects the session and does not update C 1 i on the smartcard, which again causes the user to be rejected at the next login to the GWN.
Therefore, Shin and Kwon's scheme is vulnerable to desynchronization attack.

5) SENSOR NODE CAPTURE ATTACK
Suppose the attacker has captured sensor node S j and extracted {SID j , X j } from its memory. With the eavesdropped messages {PID 1 i , M G , M gs , T 2 } and {M j , M sg , T 3 }, the attacker can reveal the session key shared between U i and S j as follows.
The attacker first uses X j and SID j to recover w j and R * i from the eavesdropped messages, then: (3) computes R * j = h(SID j ||w j ); (4) computes SK ij = h(R * i ||R * j ). That is, the attacker can disclose the session key once the sensor node is captured. Thus, Shin and Kwon's protocol is unprotected from sensor node capture attack.

6) PRIVILEGED INSIDER ATTACK
Privileged insider attack is a security threat that has long been ignored; even protocol designers are often unaware of its serious consequences [52], [53]. When scrutinizing scheme [42], we find that neither Jung et al.'s scheme nor Shin and Kwon's scheme, its improved version, can resist privileged insider attack. Assume that the privileged insider has obtained the user's registration request {TID i , RPW i }, has had the user's smartcard for a short time, and has extracted the secret data (including Rep()) from the smartcard via side-channel analysis [48]. He can then reveal the secret data about U i stored in the memory of GWN:
(1) The attacker computes HID i from the registration request and the card data. (2) The attacker computes PID 1 i and records the triple {PID 1 i , TID i , HID i }. Furthermore, the attacker can reveal the session key when U i logs into GWN to access S j: (1) The attacker eavesdrops the messages of the session. (2) Using the triple {PID 1 i , TID i , HID i } in his hand, the attacker derives the session key. The attacker can also continuously disclose U i's newest dynamic pseudonym PID 1 i by eavesdropping the messages {P 2 i , M G , M gu , T 4 }, and so track user U i at any time, as described in Section IV-B-3).
From the above discussion, it is evident that Shin and Kwon's scheme is vulnerable to privileged insider attack.

V. THE PROPOSED SCHEME
In this section, we propose an improved three-factor user authentication and key agreement protocol for WSNs using Chebyshev chaotic mapping that overcomes the security threats found in Shin and Kwon's protocol. Concretely, we employ three countermeasures: (1) the fuzzy verifier technique prevents the loss of three-factor security and the resulting user impersonation attack; (2) Chebyshev chaotic mapping is employed to provide anonymity and untraceability and to prevent desynchronization attack and sensor node capture attack; (3) the privileged insider attack is prevented by replacing the important parameters on the smartcard received by the user during the registration phase. Like their scheme, our improved protocol consists of the following four phases.
A. SYSTEM SETUP
GWN chooses a master key X g, a large prime q, a random nonce θ and a number y ∈ (−∞, +∞), computes G = T θ (y), keeps {X g , θ } secret and publishes {y, q}. Then, GWN computes K j = h(SID j ||X g ) for each sensor S j and stores it as the secret key in the memory of S j.

B. USER REGISTRATION
Step 1: U i inputs his ID i , PW i , BIO i , chooses a random nonce a i , computes RPW i = h(PW i ||a i ) and sends {ID i , RPW i } to GWN via a secure channel.
Step 2: GWN chooses a random nonce b i and an integer m ∈ [2^4, 2^8], computes the card parameters, stores {…, A 2 , m, G, h(), H ()} in a smartcard and delivers the card to U i via a secure channel.
Step 3: Upon receipt of the smartcard, ) and saves C i in the smartcard.

C. AUTHENTICATION
U i logs into GWN to build a session key with S j using his ID i , PW i , smartcard, and BIO i as follows.
Step 1: U i inserts his card into the card reader, keys in his ID i and PW i, and imprints his BIO i. The smartcard computes a i from the stored parameters and checks the fuzzy verifier C i. If the check fails, the smartcard rejects the session. Otherwise, the card selects a random nonce u, computes D 1 = T u (y), D 2 and M UG, and sends the login request Msg ug = {D 1 , D 2 , M UG , T 1 } to GWN via a public channel.
Step 2: Upon receiving Msg ug, GWN checks the freshness of T 1, computes D 2 ⊕ T θ (D 1 ) to obtain h(ID i )||SID j, retrieves b i from the database using h(ID i ), computes PID i = h(h(ID i )||b i ), K i = h(PID i ||X g ), and checks whether the received M UG equals h(h(ID i )||SID j ||K i ||D 1 ||T 1 ). If so, GWN selects a random nonce r g, computes D 3 = r g ⊕ h(K j ||SID j ||T 2 ) and M GS = h(D 1 ||SID j ||D 3 ||r g ||T 2 ), and sends Msg gs to S j.
Step 3: On receipt of the message, if T 2 is fresh, S j computes r g = D 3 ⊕ h(K j ||SID j ||T 2 ) and M * GS = h(D 1 ||SID j ||D 3 ||r g ||T 2 ), and checks whether M * GS = M GS. If not, S j aborts the session; otherwise, S j chooses a random nonce v, computes D 4 = T v (y) and the session key SK ij = h(T v (D 1 )||r g ), and replies to GWN with Msg sg.
Step 4: GWN verifies Msg sg, then computes D 3 = r g ⊕ h(K i ||T 4 ), D 5 and M GU = h(D 5 ||K i ||D 4 ||r g ||T 4 ), and sends Msg gu to U i.
Step 5: Upon receiving the message, if T 4 is fresh, U i computes r g = D 3 ⊕ h(K i ||T 4 ), SK ij = h(T u (D 4 )||r g ) and M * GU = h(D 5 ||K i ||D 4 ||r g ||T 4 ), and checks whether M * GU = M GU. If not, U i aborts the session; otherwise, U i accepts SK ij as the key shared with S j. For ease of understanding, this phase is illustrated in Table 2.

D. PASSWORD UPDATE PHASE
This phase is executed if U i intends to change his password to a new one.
Step 1: U i inputs ID i , PW i , and imprints BIO i .
Step 2: The card computes If not, the smartcard aborts the session.
Step 3: U i inputs his new password PW new i , calcu- Step 4:

VI. SECURITY ANALYSIS
In this section, a formal security proof using random oracle model, a simulation verification via ProVerif, and a heuristic security analysis are provided to demonstrate the security of our scheme.

A. FORMAL SECURITY PROOF
This section identifies the security of our improved scheme under random oracle model. For simplicity, the security model used in our security proof follows the work of [24], [30], [54]. Theorem 1: Assume that P denotes our improved threefactor authentication and key agreement protocol, A denotes an attacker, and Adv AKE P (A) represents the advantage of A in breaking the semantic security of P, Adv CDH A (t) represents the advantage for A to break the CPCDHP problem within polynomial time t. Suppose A asks Send queries no more than q h times. Then, we see that where l s , l b , n, ε, T c denotes the bit length of hash value, BIO i , Chebyshev polynomial, the probability of ''false positive'', the execution time of Chebyshev polynomial. Proof: We define a series of games from G 0 to G 5 to complete the proof that our improved three-factor protocol is secure against the attacker, and the probabilities of the events that A successfully surmises the coin z in game G i are denoted by Pr[S i ], respectively. (2) G 2 : Some collisions in protocol P are avoided in the game. If a collision happens on hash queries and transcripts Msg ug , Msg gs , Msg sg , Msg gu , we terminate the simulation and let A win according to the following three cases: (1) Collision on hash oracle, the probability is q 2 h 2 ls+1 ; (2) Collision on random nonces u and v, the probability is no more than (q s +q e ) 2 2(n−1) ; (3) Collision on r g , the probability is no more than (q s +q e ) 2 2 ls+1 . Thus, G 1 is indistinguishable from G 2 and we obtain G 3 : In this game, we take into account the simulation in which A impersonates {Msg ug , Msg gs , Msg sg , Msg gu } without simulating the hash query. Thus, G 3 is indistinguishable from G 2 and we obtain G 4 : This game considers that A encounters the CPCDHP problem in breaking the security of the session key. 
If $\mathcal{A}$ can read the session key negotiated by $U_i$ and $S_j$, it means that $\mathcal{A}$ has asked a Corrupt query, solved the CPCDHP problem, and that $(T_v(T_u(y)) \| r_g)$ is stored in the list $L_{\mathcal{A}}$. Since $\mathcal{A}$ is not allowed to obtain all three factors at the same time, the attacker can obtain at most two of the three factors and must break the third. This game includes the following four cases:

Case 1: $\mathcal{A}$ asks Corrupt$(U_i^a, 1)$ and Corrupt$(U_i^a, 2)$ to guess the password with no more than $q_s$ Send queries using the password dictionary $S_{PW}$. The probability is $q_s / |S_{PW}|$.

Case 2: $\mathcal{A}$ asks Corrupt$(U_i^a, 0)$ and Corrupt$(U_i^a, 1)$ to break the biometric with $q_s$ chances. The probability to obtain

Case 3: $\mathcal{A}$ asks Corrupt$(U_i^a, 0)$ and Corrupt$(U_i^a, 2)$. The probability that $\mathcal{A}$ guesses the correct $C_i$ is at most $\varepsilon$.
Case 4: To break the session key $h(T_v(T_u(y)) \| r_g)$, $\mathcal{A}$ has to compute $T_v(T_u(y))$ from $D_1 = T_u(y)$ and $D_4 = T_v(y)$. $T_v(T_u(y))$ can be stored in $L_{\mathcal{A}}$ and $\mathcal{A}$ can ask at most $q_h$ Hash queries, so $\mathcal{A}$ has to ask Send queries to simulate Execute queries. The probability is $q_h \cdot Adv^{CDH}_{\mathcal{A}}(t)$.

$G_5$: This game considers that $\mathcal{A}$ tries to break forward secrecy by simulating Hash, Send and Execute queries on the transcripts $\{Msg_{ug}, Msg_{gs}, Msg_{sg}, Msg_{gu}\}$. $\mathcal{A}$ simulates Test queries and asks Corrupt$(U_i^a / GWN^a / S_j^a)$ by choosing two indices from $\{1, 2, \ldots, q_s+q_e\}$. Suppose $(T_v(T_u(y)) \| r_g) \in L_{\mathcal{A}}$; the game aborts if the session key $h(T_v(T_u(y)) \| r_g)$ cannot be returned. Thus, we obtain

Therefore, considering all games, $\mathcal{A}$ has no advantage in guessing the coin $z$, and we obtain

From (1)∼(7), we obtain:

B. SIMULATION VERIFICATION VIA PROVERIF
ProVerif is a widely accepted simulation tool for verifying the security of cryptographic protocols. In this section, we convert the communication entities in our protocol into three processes in the applied pi calculus and run them concurrently in ProVerif to prove that our proposal guarantees the secrecy of the session key and achieves mutual authentication, as follows. The user process $U_i$ is modeled as follows (fragment):

```
PWi, ai)) in
out(sc1, (IDi, RPWi));
in(sc1, (A1': bitstring, A2': bitstring, m: bitstring, G: bitstring));
let Ci = mod(xor(ai, h(con(con(IDi, PWi), H(BIOi)))), m) in
let A1'' = xor(A1', h(con(IDi, ai))) in
let A2'' = xor(A1', h(con(IDi, ai))) in
!(
  event evBeginUi(IDi);
  let ai' = mod(xor(Ci, h(con(con(IDi, PWi), H(BIOi)))), m) in
  let A2 = xor(A2'', h(xor(ai', PWi))) in
  let Ki = xor(h(con(RPWi, IDi)
```
From the first two lines of the output, since the attacker fails to query SKi_j and SKi_j, it can be deduced that the attacker is incapable of breaching the secrecy of the session key generated by $U_i$ and $S_j$, respectively. Furthermore, the last two lines indicate that mutual authentication has been successfully achieved between $U_i$ and $S_j$. Thus, our proposal holds the desired security properties of session key secrecy and mutual authentication.

C. INFORMAL SECURITY ANALYSIS
In this section, we show that our improved scheme thwarts the security defects in Shin and Kwon's scheme and achieves several desired security properties.

1) THREE-FACTOR SECURITY
Three-factor security means that even if the attacker compromises two of the three factors, he is incapable of breaking the security of the authentication scheme. We demonstrate that our proposal fulfills this property in three cases.
Case 1: Assume that the user's password and smartcard are compromised by the attacker.
There is no doubt that the attacker can extract the secret data $\{A_1^*, A_2^*, C_i, m, G, h(\cdot), H(\cdot)\}$ from the smartcard according to item (2) of the adversary model. However, the attacker cannot pass the verification because he does not have the user's identity and biometrics needed in computing

Case 2: Assume that the user's biometrics and smartcard are compromised by the attacker.
The attacker could also retrieve the secrets $\{A_1^*, A_2^*, C_i, m, G, h(\cdot), H(\cdot)\}$ from the smartcard. To breach our proposal, the attacker would select a candidate pair $(ID_i^*, PW_i^*)$ from the Cartesian product $S_{ID} \times S_{PW}$ to launch an offline guessing attack on the identity and password via computing

Obviously, there will be $|S_{ID} \times S_{PW}| / m$ candidates, which prevents his guessing attack from succeeding. As an example, assume that the user's identity and password are numbers, so that $|S_{ID}| = |S_{PW}| = 10^8$. Suppose $m = 2^8$; correspondingly, there will be $|S_{ID}| \cdot |S_{PW}| / m = 10^8 \cdot 10^8 / 2^8 \approx 2^{45}$ candidates [55], [56]. Someone may suspect that the attacker can accidentally find a pair for which ( ) mod $m$ holds. The probability is $1/2^8$. According to [55], if the system requires both the new password and the old password when the user logs in, the probability is reduced to $(1/2^8)^2$. Thus, the fuzzy verifier makes it difficult for the attacker to succeed in an identity and password guessing attack on our proposal.
Case 3: Assume that the user's password and biometrics are compromised by the attacker.
Despite knowing $PW_i$ and $H(BIO_i)$ in computing $a_i = C_i \oplus h(ID_i \| PW_i \| H(BIO_i)) \bmod m$, the attacker will still fail to pass GWN's authentication because he knows nothing about the necessary parameters $C_i$ and $ID_i$.
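To make the candidate count in Case 2 concrete, the following Python model (added here; it is not the paper's code) counts how many $(ID, PW)$ pairs remain consistent with a fuzzy verifier value $C_i$ read from the smartcard. It assumes the verifier form $C_i = (a_i \oplus h(ID_i \| PW_i \| H(BIO_i))) \bmod m$ with SHA-1 standing in for $h(\cdot)$, assumes the registration value $a_i$ is available to the checker, and uses a constructed toy identity and password space.

```python
import hashlib
from itertools import product


def h(*parts: bytes) -> int:
    """Hash h(.) modeled with SHA-1 (160-bit, as in the paper's cost model)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def fuzzy_verifier(a_i: int, ident: bytes, pw: bytes, bio_hash: bytes, m: int) -> int:
    """C_i = (a_i XOR h(ID_i || PW_i || H(BIO_i))) mod m; only log2(m) bits are kept."""
    return (a_i ^ h(ident, pw, bio_hash)) % m


def expected_candidates(id_space: int, pw_space: int, m: int) -> int:
    """Closed form used in the paper: |S_ID| * |S_PW| / m pairs pass the check."""
    return id_space * pw_space // m


def count_survivors(ids, pws, a_i: int, bio_hash: bytes, m: int,
                    true_id: bytes, true_pw: bytes) -> int:
    """Test every (ID, PW) pair of the toy space against the real C_i and count
    those that pass, i.e. the set the verifier cannot tell apart from the real pair."""
    c_i = fuzzy_verifier(a_i, true_id, true_pw, bio_hash, m)
    return sum(
        1 for cand_id, cand_pw in product(ids, pws)
        if fuzzy_verifier(a_i, cand_id, cand_pw, bio_hash, m) == c_i
    )


# Constructed toy space: 100 numeric identities x 100 numeric passwords = 10^4 pairs.
TOY_IDS = [f"{i:04d}".encode() for i in range(100)]
TOY_PWS = [f"{i:04d}".encode() for i in range(100)]
TOY_A_I = 0x5A5A5A5A  # constructed registration value a_i (assumed available)
TOY_BIO = hashlib.sha1(b"constructed-biometric-template").digest()  # stands in for H(BIO_i)
TRUE_ID, TRUE_PW = TOY_IDS[42], TOY_PWS[7]


def survivors_for(m: int) -> int:
    """Survivors in the toy space for a given modulus m (the real pair always passes)."""
    return count_survivors(TOY_IDS, TOY_PWS, TOY_A_I, TOY_BIO, m, TRUE_ID, TRUE_PW)


if __name__ == "__main__":
    # Paper's figures: 10^8 identities, 10^8 passwords, m = 2^8 -> about 2^45 candidates.
    print("candidates at m = 2^8:", expected_candidates(10**8, 10**8, 2**8))
    # Small m leaves about |S|/m indistinguishable pairs; a large m singles out the real one.
    for m in (2**8, 2**32):
        print(f"m = {m}: {survivors_for(m)} of {len(TOY_IDS) * len(TOY_PWS)} pairs pass")
```

The contrast between $m = 2^8$ and $m = 2^{32}$ shows why the verifier must keep $m$ small: a large modulus turns $C_i$ into an exact password check.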

2) USER IMPERSONATION ATTACK
If the attacker intends to launch a user impersonation attack successfully, he must first generate a valid login request message $Msg_{ug} = \{D_1, D_2, M_{UG}, T_1\}$. However, because the attacker does not know $ID_i$, $SID_j$ and $K_i$, he cannot produce such a valid message $Msg_{ug}$. Thus, our improved scheme is immune to user impersonation attack.

3) PRIVILEGED INSIDER ATTACK
Suppose the attacker acquires the user's registration message $\{ID_i, RPW_i\}$ and the smartcard that stores the secret parameters, and selects an item $PW_i^*$ from $S_{PW}$ to carry out an offline password guessing attack via $a_i = C_i \oplus h(ID_i \| PW_i \| H(BIO_i)) \bmod m$. Because the attacker knows nothing about the user's biometrics, there is no doubt that his attack will fail. Therefore, the improved scheme is able to withstand privileged insider attack.

4) DESYNCHRONIZATION ATTACK
As analyzed in Section IV, Shin and Kwon's scheme suffers from desynchronization attack because some secret information must be updated on both the GWN side and the user side to maintain user anonymity. In the improved scheme, the user's smartcard does not need to update its authentication data synchronously after each authentication with GWN. Therefore, our improved protocol is immune to desynchronization attack.

5) GWN IMPERSONATION ATTACK
To impersonate GWN, the attacker has to produce two valid messages $\{D_1, D_3, M_{GS}, T_2\}$ and $\{D_4, D_5, M_{GU}, T_4\}$ and deliver them to the sensor $S_j$ and the user $U_i$, respectively. In these two messages, . It is impossible for the attacker to generate these two valid messages to fool $S_j$ and $U_i$ because he lacks knowledge of $K_j$, $SID_j$ and $K_i$. Thus, our improved scheme can withstand GWN impersonation attack.

6) SENSOR IMPERSONATION ATTACK
To impersonate the sensor $S_j$, the attacker must be able to forge a valid message $\{D_4, M_{SG}, T_3\}$. Nevertheless, without knowing GWN's secret key $X_g$ and $S_j$'s identity $SID_j$, the attacker cannot produce such a valid message at all.

7) SENSOR NODE CAPTURE ATTACK
Provided that the attacker has captured the sensor $S_j$, he can extract the secret key $K_j$ from $S_j$'s memory. With the message $\{D_1, D_3, M_{GS}, T_2\}$ intercepted on the public channel, the attacker can recover $r_g$ by computing $D_3 \oplus h(K_j \| SID_j \| T_2)$. Although the attacker has obtained $D_1$ and $r_g$, which are required to negotiate the session key between $S_j$ and $U_i$, he still cannot reveal the session key $SK_{ij}$, because recovering the random nonce $v$ from $D_4$ requires solving the CPDLP. In other words, in our scheme, if one or more sensor nodes are captured, the attacker can neither obtain the session keys generated between the sensor nodes and the user nor influence the remaining sensor nodes. Therefore, our improved scheme resists sensor node capture attack.

8) FORWARD SECRECY
During the authentication process, with the assistance of GWN, $U_i$ and $S_j$ generate a shared session key $SK_{ij} = h(T_v(D_1) \| r_g) = h(T_u(D_4) \| r_g)$, where $D_1 = T_u(y)$, $D_4 = T_v(y)$ and $r_g = D_3 \oplus h(K_j \| SID_j \| T_2)$ are produced by $U_i$, $S_j$ and GWN, respectively. If the secret key $\{X_g, \theta\}$ is disclosed to the attacker, he can reveal $SID_j$ by computing $h(ID_i) \| SID_j = D_2 \oplus T_\theta(D_1)$, and reveal $r_g$ by computing $K_j = h(SID_j \| X_g)$ and $r_g = D_3 \oplus h(K_j \| SID_j \| T_2)$, where $D_1$, $D_2$, $D_3$ are transmitted over the public channel. However, even though the parameter $y$ is public, it is infeasible for the attacker to determine $u$ or $v$ from $D_1 = T_u(y)$ and $D_4 = T_v(y)$, because he cannot solve the CPDLP and CPCDHP.
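As an added illustration of the key agreement used in the sensor capture and forward secrecy arguments above (not the paper's code), the Python below evaluates Chebyshev polynomials over $\mathbb{Z}_p$ with a $(T_k, T_{k+1})$ doubling ladder and carries $SK_{ij} = h(T_v(D_1) \| r_g) = h(T_u(D_4) \| r_g)$ through for both $U_i$ and $S_j$, relying on the semigroup property $T_u(T_v(y)) = T_{uv}(y) = T_v(T_u(y))$. The prime $p = 2^{127} - 1$, SHA-1 as $h(\cdot)$ and the sample values are assumptions, since the paper fixes none of them.

```python
import hashlib
import secrets

# Assumed 128-bit-scale modulus for the enhanced Chebyshev map (the paper fixes none).
P = 2**127 - 1


def chebyshev(n: int, x: int, p: int = P) -> int:
    """T_n(x) mod p in O(log n) steps. The pair (T_k, T_{k+1}) is advanced to
    (T_2k, T_2k+1) or (T_2k+1, T_2k+2) per bit of n, using the identities
    T_{2k} = 2*T_k^2 - 1 and T_{2k+1} = 2*T_k*T_{k+1} - x."""
    x %= p
    a, b = 1, x  # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "0":
            a, b = (2 * a * a - 1) % p, (2 * a * b - x) % p
        else:
            a, b = (2 * a * b - x) % p, (2 * b * b - 1) % p
    return a


def h(*parts: int) -> bytes:
    """h(.) modeled with SHA-1 over fixed-width (128-bit) encodings of its arguments."""
    return hashlib.sha1(b"".join(v.to_bytes(16, "big") for v in parts)).digest()


def session_keys(y: int, u: int, v: int, r_g: int):
    """Run the key derivation with public y, user nonce u, sensor nonce v and GWN
    nonce r_g; return (SK computed by U_i, SK computed by S_j)."""
    d1 = chebyshev(u, y)  # D_1 = T_u(y), sent by U_i in Msg_ug
    d4 = chebyshev(v, y)  # D_4 = T_v(y), sent by S_j in Msg_sg and relayed in Msg_gu
    sk_user = h(chebyshev(u, d4), r_g)    # U_i: T_u(D_4) = T_uv(y)
    sk_sensor = h(chebyshev(v, d1), r_g)  # S_j: T_v(D_1) = T_vu(y)
    return sk_user, sk_sensor


if __name__ == "__main__":
    y = 0x1234_5678_9ABC_DEF0_0FED_CBA9_8765_4321 % P  # constructed public parameter
    u, v, r_g = (secrets.randbelow(P - 2) + 2 for _ in range(3))
    sk_u, sk_s = session_keys(y, u, v, r_g)
    print("session keys match:", sk_u == sk_s)
    # A sensor-capture adversary learns D_1, D_4 and r_g but neither u nor v; deriving
    # T_uv(y) from (T_u(y), T_v(y)) alone is the CPCDHP the scheme relies on.
```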

9) KNOWN SESSION-SPECIFIC TEMPORARY INFORMATION (KSSTI) ATTACK
The random nonces $u$, $v$ and $r_g$ are needed to generate the session key. Suppose that the random nonces $u$ and $v$ are compromised. In the message $Msg_{gs}$, a hash computed over $K_j$ and $SID_j$ is used to mask $r_g$ in $D_3$. Without knowing $K_j$ and $SID_j$, the attacker still cannot calculate the session key because he cannot recover $r_g$ from $D_3$. Thus, our scheme is able to resist KSSTI attack.

10) MANY LOGGED-IN USERS WITH THE SAME LOGIN-ID ATTACK
In our scheme, suppose two different users $U_a$ and $U_b$ with the same identity and password both try to log in to the system. They must enter their identity and password and imprint their biometrics. Because their biometrics differ, $a_{ia} = C_{ia} \oplus h(ID_i \| PW_i \| H(BIO_{ia})) \bmod m$ generated by $U_a$ and $a_{ib} = C_{ib} \oplus h(ID_i \| PW_i \| H(BIO_{ib})) \bmod m$ generated by $U_b$ are not equal, owing to the fuzzy verifier. Therefore, our scheme is secure against the many logged-in users with the same login-ID attack.

11) MAN-IN-THE-MIDDLE ATTACK
The attacker can intercept the messages $Msg_{ug}$, $Msg_{gs}$, $Msg_{sg}$ and $Msg_{gu}$ on the public channel. However, without knowledge of $\theta$, $b_i$, $K_j$ and $K_i$, it is impossible for him to forge valid messages $Msg_{ug}$, $Msg_{gs}$, $Msg_{sg}$, $Msg_{gu}$ to deceive any communication participant. Thus, our scheme can defend against man-in-the-middle attack.

12) DENIAL OF SERVICE ATTACK
In our scheme, to prevent duplicate registration and improve the security of the protocol, the user's secret information is stored in the gateway. However, the user's identity in the stored entries is not saved in plaintext as in [31], but in the form $h(ID_i)$, so that what an insider sees is a 160-bit binary string from which it is impossible to determine whether the entry belongs to a specific user $U_i$. Therefore, in our scheme, it is difficult for an attacker to launch a denial of service attack against a specific user $U_i$.

13) COMPARISON OF SECURITY PROPERTIES
To better understand the security of our improved protocol, we compare it with the related schemes [31], [33], [35], [36], [42], [57], [58] in terms of security properties, and the results are summarized in Table 3. From Table 3, it can be seen that our improved scheme has thwarted the security defects in [42], while the other schemes suffer from serious security risks to some extent. They can neither resist certain attacks nor provide some functionality features: e.g., the protocols in [33], [42] cannot provide forward secrecy, which means that the loss cannot be minimized when the system is broken, and the schemes [31], [36], [57] cannot defend against KSSTI attack, indicating that leakage of some temporary information discloses the session key between $U_i$ and $S_j$. In particular, although the schemes [42], [57], [58] employ three factors (password, smartcard, biometrics) to secure the authentication process, they actually fail to ensure three-factor security, as revealed by the analysis method described in Section IV.

A. COMPUTATION COST
We analyze the computation cost of our improved scheme and the related schemes [31], [33], [35], [36], [42], [57], [58] during the authentication phase. For the sake of analysis, we take the execution times of the various operations in [35], [36], [59], summarized in Table 4, as the benchmark for evaluating the computation cost. It is worth noting that we ignore the XOR operation since its execution time is negligible. The computation costs are compared in Table 5 and, for ease of understanding, illustrated in Figure 2. Consequently, although our scheme's computation time is higher than that of the hash-based protocols [42], [57], it is still more efficient than the other four schemes [31], [33], [35], [58].

B. COMMUNICATION COST
Referring to [35], [59], [60], we set the lengths of a Chebyshev polynomial value, a point on the elliptic curve, a hash value, a random nonce, the identity of a user or sensor node, a timestamp, and a block of symmetric encryption/decryption to 128 bits, 320 bits, 160 bits, 128 bits, 32 bits, 32 bits and 128 bits, respectively. During the authentication process, the improved scheme transmits four messages; the resulting communication costs are compared in Table 6 and Figure 3. It can be observed that our scheme is clearly the most efficient in communication cost among these schemes.

C. TRAFFIC OF SENSOR NODES
Because wireless sensors are energy-scarce, and their throughput measures their energy consumption to some extent [25], we compare the traffic of the sensor node in these schemes to understand its energy consumption. In our improved scheme, the message $\{D_1, D_3, M_{GS}, T_2\}$ received by the sensor and the message $\{D_4, M_{SG}, T_3\}$ it sends require 480 bits and 320 bits, respectively. Table 7 and the accompanying figure compare this with [31], [33], [35], [36], [42], [57], [58]. It is evident that the sensor in the improved scheme consumes the least traffic among the related protocols, which indicates that our scheme can prolong the lifetime of the sensor node more than the other protocols.
It is worth emphasizing that in user authentication protocols, security is one of the most valued factors among all aspects considered in the design process. Although our scheme is not the most efficient protocol in terms of computation cost and communication overhead, the sensor traffic of our protocol is lower than that of the others, and moreover, our proposal thwarts the security flaws of the other protocols and fulfills more security properties. Therefore, our scheme outperforms the other protocols in overall performance.

VIII. CONCLUSION
In this work, we cryptanalyze Shin and Kwon's three-factor authentication scheme and point out its security defects, such as failure to provide three-factor security, user impersonation attack, desynchronization attack, sensor node capture attack and privileged insider attack. To eliminate these defects, we propose an improved secure three-factor anonymous authentication protocol for WSN using Chebyshev chaotic mapping. Furthermore, we demonstrate that the improved scheme is secure against various known attacks on the communication participants during the authentication process by presenting a security proof under the random oracle model and a security simulation verification via ProVerif. Finally, a comprehensive comparison with the competing schemes in terms of security and performance shows that our scheme has advantages over them.