Improved Secure and Efficient Chebyshev Chaotic Map-Based User Authentication Scheme

A Chebyshev chaotic map is a method for implementing efficient authentication. Recently, Chatterjee et al. proposed an authentication scheme for multi-server/multi-client environments using a Chebyshev chaotic map. However, we found four critical vulnerabilities in the proposed authentication method. To begin with, the method is open to user as well as server impersonation attacks. User revocation is also infeasible. Finally, there is a possibility of critical information leakage. We propose a new scheme that overcomes the four weaknesses listed previously using a symmetric Chebyshev chaotic map. We tested our proposed scheme using ProVerif and AVISPA, and compared its performance with that of the conventional authentication method. Results indicate that our scheme is 44.025 times more efficient than the conventional method.


I. INTRODUCTION
The Chebyshev chaotic map is a promising cryptographic primitive that can be used for encryption because it is efficient and provides a reasonable level of security and randomness owing to its chaotic property. However, in 2005, Bergamo et al. [1] claimed that the Chebyshev chaotic map is unsuitable for encryption purposes due to its vulnerability to key recovery attacks. Consequently, many researchers [2]- [4] have proposed alternate techniques, including the discrete Chebyshev chaotic map [4] and the Chebyshev chaotic map with symmetric encryption [3]. Unsurprisingly, however, these methods also introduce additional operations such as modular multiplication and symmetric encryption, which result in longer authentication times, thus reducing the Chebyshev chaotic map's efficiency.
This motivated us to design a new data encapsulation method that incorporates the Chebyshev chaotic map. Recently, Chatterjee et al. [2] proposed a Chebyshev chaotic map-based two-factor multi-server authentication scheme. We found that their scheme is susceptible to user and server impersonation attacks, critical information leakage, user traceability, and infeasibility of user revocation. To mitigate The associate editor coordinating the review of this manuscript and approving it for publication was Diana Gratiela Berbecaru . these issues, we developed an efficient authentication scheme using the symmetric Chebyshev chaotic map. To demonstrate the feasibility of our proposed scheme, we compared it to more conventional methods and found that our implementation is approximately 44.025 times more efficient than the average of the compared schemes.

A. OUR CONTRIBUTION
The key contributions of this paper are as follows: 1) We propose a new data encapsulation method, dubbed the ''symmetric Chebyshev chaotic map,'' and mathematically prove that it is theoretically secure under the computational model. 2) We present a multi-server/multi-client authentication scheme using the symmetric Chebyshev chaotic map. The proposed authentication scheme is resistant to well-known attacks, including impersonation and stolen smart card attacks. 3) By performing automated simulations, we prove that our new scheme is secure against identity/password guessing attacks, man-in-the-middle attacks, etc. 4) Our proposed authentication scheme is more costefficient than existing authentication schemes. When we run a comparison test, it is observed that our proposed scheme is approximately 44.025 times faster than the average of the compared schemes. Furthermore, our scheme exhibits the best performance compared to all existing methods we tested. All codes concerning the formal proof and performance test have been uploaded as https://doi.org/10.6084/m9. figshare.12 198834 [5].

B. ORGANIZATION OF THE PAPER
The remainder of this paper is organized as follows.
In Section II, we present an overview of related works and the history of this field. In Section III, we discuss some preliminaries, such as the Chebyshev polynomial and Bergamo attacks, which were used in this study. Chatterjee et al.'s scheme is discussed in detail in Section IV. In Section V, we detail several security issues present in the scheme of Chatterjee et al. In Section VI, we propose a symmetric Chebyshev chaotic map and authentication protocol, and describe them in detail. In Section VII, we mathematically prove the accuracy and time complexity of the symmetric Chebyshev chaotic map. Furthermore, we verify the secureness of our proposed authentication scheme by simulating it using the ProVerif and Automated Validation of Internet Security Protocols and Application (AVISPA) tools and by assessing its resistance to several common types of attacks. In Section VIII, we present the results of a performance test and compare them with those of other existing protocols. Finally, in Section IX, we provide further discussion and conclude this paper.

II. RELATED WORK
Ever since Lamport first invented the two-party (client/server) authentication scheme in 1981 [6], many researchers have proposed authentication schemes for a single-server environment [7], [8]. Unfortunately, these authentication schemes typically do not provide strong security because they are based on passwords or are prone to side-channel attacks [9]. In 2009, Das introduced the first two-factor authentication scheme [10], and since then, many researchers have started using two-and multi-factor authentication schemes to ensure a strong level of security.
The recent development of Internet-of-Things technologies and sensor networks has increased the need for a lightweight multi-server scheme. There are several ways to develop such a scheme. One such approach uses hashbased authentication. In 2006, Wong et al. [11] first proposed a lightweight user authentication protocol that uses only cryptographic hash functions and exclusive-OR (XOR) operations. Despite the efficiency of Wong et al.'s scheme, Das [10] found several vulnerabilities (same login-id threat and stolen-verifier attack) and proposed an enhanced version of the protocol. However, other researchers found further weaknesses (do not provide key agreement) in Das's scheme. Since then, many researchers have repeatedly improved upon the hash-based scheme by repeating break-fix procedures [12]- [15].
In addition to hash-based authentication, the RSA and Elgamal authentication schemes have also been studied by multiple researchers [16], [17]. These studies found that to improve the efficiency of computing systems, authentication protocols require a large key space (1024 bits and more) to guarantee security. To address the weakness of the RSA and Elgamal authentication schemes, researchers have proposed an elliptic curve cryptography (ECC)-based protocol [18], [19]. This scheme has been widely used in recent years because of its small key space.
In 2018, Chatterjee et al. introduced a Chebyshev chaotic map-based two-factor multi-server authentication scheme [2]. However, we observed that this scheme is vulnerable to several classes of attacks, such as user and server impersonation attacks, as well as critical information leakage. Moreover, users can be traced (user traceability), and a user revocation phase cannot be realized (infeasibility of user revocation).

A. CRYPTOGRAPHIC HASH FUNCTION
A hash function is used to convert an arbitrary-length message into a fixed-length message and check the integrity of the original message. Applications of hash functions include hash-based message authentication code and checksum. However, in cryptography, the hash function (often referred to as a cryptographic hash function) is used to verify the validity of a message by analyzing its properties. To be a cryptographic hash function, the function must satisfy the following properties: Definition

B. CHEBYSHEV POLYNOMIAL
The Chebyshev polynomial T n (x) is a general solution of the Chebyshev differential equation when n is an integer. Due to its simplicity, it is one of the most commonly used chaotic maps in authentication schemes [20]- [22]. The Chebyshev polynomial can be defined in two ways: Definition (Trigonometric Definition): A function T n (x): 1] is defined as in Eq 1: where n ∈ Z + and |x| ≤ 1. If x = cos(θ), where θ ∈ [0, π], then T n (x) = cos(nθ).
Here are some examples of the Chebyshev polynomial (Eq 3): The Chebyshev polynomial has several interesting properties. Among them, we introduce some crucial features that make this polynomial desirable as a cryptographic function.
Property (Semi-Group Property): With n ∈ Z + and m ∈ Z + , the following property holds: Property (Chaotic Property): The Lyapunov exponent (λ) is one of the most frequently used measurements for determining unpredictability in a chaotic system. When the Lyapunov exponent is positive, a system exhibits chaotic behavior. The Chebyshev chaotic map has a chaotic property when n > 2 because its Lyapunov exponent (T n (x) : 1]) is λ = ln(n) > 0 when n > 2. Therefore, in general (for n > 2), the Chebyshev map exhibits chaotic characteristics [23], [24].

C. BERGAMO ATTACKS ON THE CHEBYSHEV POLYNOMIAL
In 2005, Bergamo et al. introduced an attack on the Chebyshev chaotic map-based cryptography method [1]. On the basis of the public key, an attacker could easily find collision keys, for which the result of the Chebyshev polynomial is the same as that for the corresponding private key. A precise explanation is given below.
Definition (Chebyshev Chaotic Map Diffie-Hellman (DH) Problem): With the Chebyshev chaotic map, we can define the DH problem as follows:

where T n (x) is a Chebyshev polynomial (T n (x)
: Definition (Chebyshev Public Key Cryptosystem): A public key cryptosystem can be implemented using the Chebyshev chaotic map: 1) Alice selects a large random s ∈ Z + and a random x ∈ [−1, 1]. 2) She computes T s (x) and declares (x, T s (x)) and s as the public and private keys, respectively. 3) Bob obtains Alice's public key (x, T s (x)). 4) He selects a large random r ∈ Z + . 5) He computes T rs (x) = T r (T s (x)) and X = M · T rs (x). 6) Furthermore, he sends the ciphertext C = (T r (x), X ) to Alice.

7) Alice computes T rs
In addition, let b = 2π arccos(x) and b = (bmod1) · B L (where L is the maximum digit). Then, the number of collision keys s is gcd(b , B L ).
Definition (Discrete Chebyshev Chaotic Map): One of the alleviations of the Bergamo attack is the discrete Chebyshev chaotic map. This map has properties similar to those of the Chebyshev chaotic map (e.g., semi-group and chaotic properties). Moreover, a discrete Chebyshev chaotic map problem in Z p d has proven to be computationally equivalent to the discrete logarithm problem in Z p d . A DH problem along with the discrete Chebyshev chaotic map is described as follows: where, p is an odd prime, d ∈ Z + , T n (x) is a Chebyshev polynomial on Z p d (T n (x)(modp d ): (Z + , Z p d ) → Z p d ), and r, s ∈ Z + .

D. AUTHENTICATION PROCESS OF MULTI-SERVER/MULTI-CLIENT ENVIRONMENT
Much like the scheme presented by Chatterjee et al., our proposed scheme work in a multi-server/multi-client environment consisting of a user, server, and registration center. After the user and server are registered in the registration center, the user can request a login to all servers logged by the registration center. This environment provides the advantage VOLUME 10, 2022 that the user does not have to register separately for each server. The process comprises three major phases. 1) Registration phase: The server and user register themselves in the registration center, the server is issued public information, and the user is issued a smart card. 2) Login phase: The user requests login to the server that provides the service user wants. 3) Authentication phase: The server verifies the user's identity through the user table received from the Registration Center and generates a session key to be used in future communication with the user. The authentication process of a multi-server/multi-client environment is shown in Fig. 1.

E. THREAT MODEL AND AUTHENTICATION GOAL
In this study, we describe the threat model that we constructed under a set of generally applicable assumptions, including the abilities of an attacker in a multi-server/multiclient environment. An attacker is a Dolev-Yao intruder under the Dolev-Yao formal model in [25]. In addition, the attacker of a typical user authentication scheme is capable of the following [26]- [28].
• All devices are not tamper-resistant, so the attacker can extract sensitive information from devices by implementing side-channel attacks [29].
• Valid users can also be attackers.
• An attacker can eavesdrop all login and authentication messages transmitted through insecure public channels.
• An attacker can modify or resend the eavesdropped messages.
• An attacker can easily guess low-entropy passwords and identities off-line in polynomial time [30]. Under this threat model, the user authentication scheme must satisfy the following conditions and establish the session key.
1) Sensitive information pertaining to users and servers, such as identity, password, and secret key, should not be leaked to or derivable by an attacker.
2) Valid login and authentication messages should only be generated for registered users and servers.
3) The session key, an encryption key used for communication between the user and server, should not be leaked to or derivable by an attacker.

IV. REVIEW OF CHATTERJEE et al.'s SCHEME
In 2018, Chatterjee et al. proposed a multi-server/multiclient environment authentication scheme using the Chebyshev chaotic map, cryptographic hash function, and symmetric key cryptosystem [2]. By implementing this authentication scheme, an efficient and secure multi-server environment can be established. The scheme consists of five phases: registration, login and authentication, password and biometric change, dynamic server addition, and user revocation and re-registration.

A. REGISTRATION PHASE
In the registration phase, personal information cannot be leaked because all operations in this phase are performed offline. Therefore, Chatterjee et al. assumed that all communications are transmitted through a secure channel. The registration phase is split into two sub-phases: user registration and server registration.

1) SERVER REGISTRATION PHASE
When a server registers the multi-server environment, the following procedures are executed via secure channel in the following order: 1) First, a registration center (RC) selects random values K s and K u in the interval (−∞, ∞). K s and K u are secret parameters of the chaotic maps for all servers and all clients, respectively. 2) A server S j selects its identity SID j and transmits SID j to RC through a secure channel.
3) RC selects a server S j 's secret key x j and uses it to compute the Chebyshev polynomials T x j (K s ) and T x j (K u ).

2) USER REGISTRATION PHASE
When a client registers the multi-server environment, the following procedures are performed via a secure channel: 1) A user U i chooses their identity ID i and password PW i , and imprints their biometric information B i using a sensor or a mobile device. Then, U i generates a random secret number R i and computes the parame- using the current timestamp T i (which will be used as the registration timestamp). Consequently, U i sends 2) After receiving the parameters from U i , RC picks a random master key x i and Chebyshev parameter K u i . Furthermore, RC calculates the Chebyshev polynomi- and sends the smart card to U i securely.

4) When the registration of
, and transmits the result to every server. Each server stores {Uh i , Ur i , and HID i } for U i .

B. LOGIN AND AUTHENTICATION PHASE
In this phase, a user U i attempts to login to a server S j , and S j and U i try to authenticate each other. Chatterjee et al. assumed that an anonymous user can eavesdrop on those messages because all transmissions between them are sent through a public channel.

1) A user U i enters their identification ID i and pass-
word PW i , and imprints their biometric information B i . Using its stored parameters, U i 's smart card computes 2) The smart card checks whether A i matches the stored value A i . If the login is successful, U i may select a specific server S j to connect to. Furthermore, U i 's smart card computes K s = P ⊕ H (x i K i ) and where TS i is the current timestamp, and then calculates the Chebyshev polynomial T K 1 = T x i (T x j (K s )) and T x i (K s ). Finally, the smart card selects a random nonce RN i and transmits After receiving the message from U i , S j checks the freshness of the message by testing whether |TS i − TS * i | < TS i , where TS i is the maximum transmission delay and TS * i is the current timestamp of S j . If the freshness of the message is accepted, and compares it to the received hash value. 5) Upon completion of the authentication process, , and checks whether T K 3 = T K 3 . 7) When the final verification is completed, U i generates where SK ij will be used as the session key between U i and S j .

C. PASSWORD AND BIOMETRIC CHANGE PHASE
In this phase, a user U i can change their password PW i and biometric imprint B i without any involvement from the registration center RC. To update their information, U i must perform the following steps:

D. DYNAMIC SERVER ADDITION PHASE
In this phase, a new server S j requests to join an existing network. The following processes are carried out to add S j to the network: 1) The registration center RC assigns the unique identifier SID j and S j 's secret key x j to S j , and calculates the Chebyshev polynomial T x j (K s ). Furthermore, RC assigns the unique identifier SID j and S j 's secret key x j to S j , and calculates the Chebyshev polynomial T x j (K s ).
, and x j } to S j through a secure channel, and S j securely stores the received parameters. 2) After S j successfully joins the existing network, RC broadcasts the registration of S j to all registered users.

E. USER REVOCATION AND RE-REGISTRATION PHASE
Chatterjee et al. also assumed that a user U i could lose their smart card. In this case, the following procedures are performed to revoke U i 's identity, and U i can register again without changing their identity.
1) When U i loses their smart card, U i informs RC, which transmits a revocation message about U i with {HID i , Uh i , Ur i } to every server. 2) After receiving the revocation message from RC, all servers simply put a revocation flag on the corresponding data of U i in their database. In addition, they reject all authentication messages relating to U i with the revocation flag. 3) If an authentic user U i tries to register again using the same revoked identity ID i , RC first verifies U i by checking their authorized documents, and then finds and reactivates U i 's hashed identity HID i .

V. SECURITY ANALYSIS OF CHATTERJEE et al.'s SCHEME
In this section, we discuss several security weaknesses of Chatterjee et al.'s scheme. Overall, there are four major vulnerabilities: user impersonation attacks, server impersonation attacks, critical information leakage, and infeasibility of user revocation. The basic assumption regarding these attacks is that an attacker is a valid user within the existing network and can extract parameters from their own smart card using side-channel attacks. These attacks are described in detail in the following subsections. A detailed description of the process is as follows (the overall attack trace is described in Fig. 2): 1) An attacker A, who is a valid user, extracts the serverkey-plus-ID (SID j , T x j (K s )) from their own smart card. 2) Then, A chooses a victim user U i and waits for U i to send a login message. 3) Upon intercepting the login message M 1 , A produces a symmetric key When a server S j sends an authentication message M 2 to U i , A wiretaps M 2 and calculates the symmetric

B. SERVER IMPERSONATION ATTACK
The scheme presented by Chatterjee et al. is also susceptible to server impersonation attacks. Similar to user impersonation attacks, after eavesdropping on M 1 and M 2 , an attacker intercepts a new authentication message M 1 , and deceives U i into thinking that S j communicating with U i . This is explained in detail below (the overall attack trace is described in Fig. 3): 1) Like in a user impersonation attack, an attacker A intercepts the messages M 1 and M 2 between user U i and server S j . 2) A then creates a symmetric key SK 1 using an extracted server-key-plus-ID (SID j , T x j (K s )), and 3) Using the collected parameters, A generates a symmetric key SK 2 and decrypts E SK 2    the message. Then, T n (x) is an encapsulated message that no one can derive n from without knowing x.
Here, L denotes the precision length. To check the validity, one should prove that it is only possible to derive n by using x. This explanation is discussed in Section VII.

B. REGISTRATION PHASE
We now introduce a new authentication protocol that incorporates the Chebyshev chaotic map. This new scheme consists of four phases: registration, login and authentication, password change, and user revocation and re-registration. Furthermore, the registration phase is split into sub-phases of server and user registration.
The registration phase occurs in a secure channel. The server and user register their information by communicating 1:1 with the secure channel provided by the registration center. It is assumed that attackers cannot access this channel, so an attack is impossible.

1) SERVER REGISTRATION PHASE
The following steps are performed to register a server S j : 1) First, a server S j selects a unique server identifier SID j and transmits it to the registration center RC through a secure channel. 2) After receiving SID j from S j , RC selects a random x j in Z p , where p is a predefined large prime. x j is used as an element of a public key pair. Furthermore, RC chooses a large natural number s j (must be greater than two), which is used as the secret key of S j . 3) RC then computes the discrete Chebyshev polynomial modular p, T s j (x j ) (mod p). Then, RC broadcasts S j 's identifier SID j and public key pair (x j , T s j (x j )) (mod p) to all users. 4) Finally, RC transmits {SID j , x j , T s j (x j ), s j } to S j through a secure channel.
The overall phase is described in Fig. 4.

2) USER REGISTRATION PHASE
User U i takes the following steps to register with the registration center RC.
1) First, user U i selects their identification ID i and password PW i , and imprints their biometric information B i . Then, using biometric information, is a secure biohashing function. Then, U i selects a random number R i and computes If the last digit is 0, gcd(UID i · 2 L , 2 L ) = 1; thus, RC picks a new Ur i until gcd(UID i · 2 L , 2 L ) = 1. 3) If RC generates Ur i successfully, it also generates U i 's smart card, and inputs {V i , C i , UID i } into the smart card securely. RC then sends U i to the smart card through a reliable process, such as a secure channel. 4) If U i 's registration is complete, RC transmits U i 's information (HID i , UID i ) to all registered servers. 5) When a server S j receives U i 's information (HID i , UID i ), S j hashes the information with its secret key s j , and stores {H (H (HID i x j ) s j ), UID i } into its database. If this process is completed successfully, S j discards all information relating to HID i . 6) RC stores {HID i , UID i } in its secure database to be used if U i loses their smart card and revokes their identity.
the overall phase is described in Fig. 5.
After the registration phase is completed, the private and public information held by the user and server are presented in Table 3, where s j is the private server key and [x j , T s j (x j )] is the public key pair of the Chebyshev Public Key Cryptosystem. The server's public information is available to all users who  want to access the server, and through this information, the user can specify the server to access.

C. LOGIN AND AUTHENTICATION PHASE
When a user U i completes the registration process and wants to log in to a server S j , U i performs the following steps: 1) First, a user U i inputs their identity ID i , password PW i , and biometric information B i , and their smart card computes the following equations: If their values are equal, U i selects a server S j that they want to log on to. U i 's smart card then finds S j 's public information {SID j , x j , T s j (x j ) (mod p)}. Next, the smart card generates random natural numbers r i and RN 1 . With the parameter RN 1 , it calculates the Chebyshev polynomial T RN 1 (UID i ) and checks whether its last digit is odd or even. If the digit is even, the smart card chooses another RN 1 until the last digit of T RN 1 (UID i ) is odd. 3) In addition, the smart card computes the discrete Chebyshev polynomial T r i s j (x j )(mod p) = T r i (T s j (x j ))(mod p) and T r i (x j )(mod p), and multiplies H (HID i ||x j ) by T r i s j (x j )(mod p). Finally, the smart card transmits {SID j , T r i (x j )(mod p), H (HID i ||x j ) · T r i s j (x j )(mod p), T RN 1 (UID i ), and H (UID i RN 1 )} to S j via public channel. 4) Upon receiving the message from U i , S j computes T r i s j (x j ) = T s j (T r i (x j )) (mod p) and acquires H (HID i ||x j ) = (H (HID i ||x j ) · T r i s j (x j ))/ T s j (T r i (x j )) (mod p) 5) S j finds UID i from its database using the acquired H (HID i ||x j ) and S j 's private key s j . With UID i and T RN 1 (UID i ), S j obtains RN 1 using Bergamo's approach. Furthermore, S j verifies whether RN 1 RN 1 RN 2 )) using their received or generated parameters.
The summarized login and authentication process is displayed in Fig. 6.

D. PASSWORD CHANGE PHASE
A user can change their password without any involvement from the registration center RC. Unlike the scheme proposed by Chatterjee et al., our scheme does not include a biometric information change phase because the user's biometric information experiences minimal changes. This is explained in detail as follows: 1) First, a user U i enters their identity ID i , password PW old i , and biometric information B i into U i 's smart card.

E. USER REVOCATION AND RE-REGISTRATION PHASE
If a user U i loses their smart card, they should revoke their account by following the user revocation phase. Our scheme incorporates a procedure similar to that of Chatterjee et al.'s scheme. U i does not have to change their ID i during the re-registration phase because the identity ID i is not leaked. For revocation, U i may need to prove their identity by providing authorized documentation; however, this is not necessary as RC contains HID i = H (ID i b i ), which is hashed with biometric information. Consequently, U i only needs their hashed identity HID i using the identity ID i and hashed biometric information b i . Further information regarding this topic is detailed as follows: 1) For the revocation, a user U i needs to prove themselves by providing HID i to the registration center RC through a secure channel. Prior to the request, U i calculates b i = BH (B i ) and HID i = H (ID i b i ) using ID i and B i , respectively, and sends HID i to RC. Subsequently, RC finds UID i by searching for HID i in its database and transmits a revocation message of UID i to all servers through a secure channel. 2) After receiving the revocation message, all servers mark the revocation flag on UID i in their database. Thus, each server rejects all login requests with UID i . 3) When U i wants to re-register, U i transmits the re-registration message containing HID i . After receiving U i 's re-registration request, RC initiates the registration phase and sends the re-registration message with UID i to all servers, which then remove the revocation flag in their database.

VII. SECURITY ANALYSIS
In this section, we assess the security of our new scheme by performing several analyses. First, we present a mathematical proof of our new symmetric Chebyshev chaotic map. This proof is divided into two parts: correctness, which shows that there are at most two possible answers if the decryptor knows the private key, and time complexity, which shows that an attacker cannot find the correct answers within a reasonable timeframe. Furthermore, we simulated our new authentication scheme using automated tools such as ProVerif and AVISPA, both popular tools for providing formal proof of authentication. However, each tool has its own advantages and disadvantages. Although ProVerif allows users to define specific functions, it does not support associative functions; therefore, the user might be stuck when associative functions, such as XOR, are required. In contrast, AVISPA includes a predefined XOR function; however, the user cannot declare a custom function. Furthermore, these tools cannot simulate advanced features, such as weak authentication and infinite transmission. In addition, neither of the automated tools can assess the safety of a simulation. In particular, ProVerif cannot prove user authenticity in our scheme. Therefore, we use these tools to show a more rigid authentication scheme that can resist diverse attacks. Finally, we also include a security requirement analysis in which the formal proof cannot be determined. We list more than 10 attacks and check whether our authentication scheme is robust against them; thereafter, we can confirm that our scheme is secure.

A. FORMAL PROOF OF THE SYMMETRIC CHEBYSHEV MAP
To use a symmetric Chebyshev chaotic map in practice, a mathematical proof is required to show that this method is sufficiently safe. Such a mathematical proof is presented in this subsection. First, we prove that the number of results of the symmetric Chebyshev chaotic map is at most two, and then we evaluate the time complexity of the map. Theorem (Correctness of the Cryptosystem): Let x ∈ [−1, 1], arccos(x) | π, and 2π arccos(x) 's last digit be odd (mod 2 L ) or gcd( 2π arccos(x) · 2 L , 2 L ) = 1), where L is the number of digits; then, by knowing x, we can decrypt T n (x) and obtain a maximum of two possible users n .
VOLUME 10,2022 This shows that the number of users n is important. Let a = ±arccos(T n (x)) arccos (x) and b = 2kπ arccos(x) . Then, n = ±a + bk (5) In addition, a and b can be separated into integer and decimal parts. a = a + a , b = b + b (where 0 ≤ a ,  b < 1), and only the fractional part of Eq 5 is considered.
Now, Eq 6 can be considered with two cases: a real number case and a finite precision (mod 2) (for the real implementation) case. Case 1. (real number case) The following equation holds: We assume that arccos(x) is not divisible by π; thus, b is irrational. This means that 1 b is also irrational and k b cannot be an integer. Therefore, there are only two solutions to this equation.
Because one of the users n must be n, n = ±n. Moreover, n > 0 by definition; therefore, the only possible solution is n = n. Case 2 (Finite precision (mod 2 L ) case). Let us assume that the finite precision is 2 −L . Then, b k ≡ ∓a (mod1).

B. SIMULATION USING THE ProVerif TOOL
ProVerif is an automated analysis tool for cryptographic protocols based on the Dolev-Yao model. This tool can systematically prove cryptographic properties, such as reachability, secrecy, correspondence, and some observational equivalence properties.
ProVerif features two unique characteristics in its design. First, it uses an extension of the pi-calculus with cryptography; thus, it supports various types of cryptographic primitives. In addition, ProVerif analyzes protocols after translating them into Horn clauses; therefore, it can verify security features with an unbounded number of sessions. More information on ProVerif can be found in [28], [31], [32]. In this study, we only explain an important part of our ProVerif code. We have uploaded the complete code to the following figure: https://doi.org/10.6084/ m9.figshare.12198834 [5].
In our ProVerif code, there are three channels, as shown in Fig. 7 (i.e., ca, cb, and cc).
Channel ca is a registration channel between a user U i and the registration center RC, and channel cb is a registration channel between RC and a server S j . These channels are considered secure, and an attacker A cannot intercept the registration message from ca or cb. In contrast, cc is a public channel where anyone can access all authentication messages, and most authentications are done through this public channel. Fig. 8 shows the ProVerif user code. In regard to U i 's private key, we use three variables: ID i , PW i , and Bio i .
We first declared ID i and PW i as weak secrets because users want to remember their identities and passwords with ease; therefore, their identities and passwords have low entropies. Consequently, we designated ID i and PW i as weak secrets and performed an offline guessing attack to assess secrecy. In addition, we defined secretU and secretS to check whether an attacker can obtain the session key.
To verify the security level of the secret values (ID i , PW i , Bio i , secretU , and secretS), we included query attacker(·).    We also accounted for the correspondence assertion by adding a query event(·)− > event(·) (Fig. 9). Fig. 10 shows the definitions of the functions used in our code. As the proposed scheme is Chebyshev chaotic mapbased, we defined some related functions.
Finally, we included a verification table verif for use during the authentication process when a server S j authenticates a user U i with the stored {H (H (HID i x j )||s j ), UID i } in the verif table (Fig. 11).
The authentication process is divided among its participants: the user, server, registration center, registration server,    and main process. We briefly summarize the ProVerif code, as the complete authentication process has already been described in Section V.
The user process processU simulation code is shown in Fig. 12 and 13. processU has three parameters: identity (ID i ), password (PW i ), and biometric information (Bio i ).
processU is further divided into three parts: registration, login and authentication, and session key. The registration part is identical to the user registration phase (Fig. 5). In particular, all transmissions occur in a secure channel ca. Likewise, the login and authentication parts are identical to the login and authentication phases (Fig. 6). All messages are transmitted through the public channel cc. Finally, in the session key part, U i creates a session key sess and transmits a secret message secretU encrypted using sess to the public channel cc. This part does not exist in the proposed scheme, and was added to the simulation to verify that the session key is secure from an attacker. If the attacker can derive the session key, it is implied that secretU can be determined using the exclusive or operation, so the result of the query attacker (SecretU) is true.
The server process processS simulation code is shown in Fig. 14 and 15. processS has two parameters: the identity (SID j ) and the discrete Chebyshev secret key (s j ).
The server process processS checks U i 's identity and creates a session key. Because S j uses a database in the authentication phase, we implement the get command to collect the proper data from S j 's database.
The registration center process processRC simulation code is shown in Fig. 16. This process does not have any parameters. Furthermore, all transmissions are performed on a secure channel (ca and cb). Overall, the code of processRC is the same as that of the user registration phase (Fig. 5).   After user registration is complete, the server performs an additional process to store the user's information in the server's database matching table (verif). We define this process as processRCS, and the simulation code is shown in Fig. 17. During processRCS, there are three parameters: hashed ID with the server's public key (H (HID i ||x j )), server ID (SID j ), and server's secret key (ps j ). SID j and ps j are used to check the correct server S j , and HHID i is used to check whether a user's identification pair {HHID i , UID i } conflicts with an existing pair.
Finally, the main process generates an overall environment by creating a public-private key pair of the discrete Chebyshev chaotic map system and registering the user U i . Furthermore, it runs processU , processS, processRC, and processRCS. The main process simulation code is shown in Fig. 18.
After executing ProVerif, the main process prints three types of results, and each result is expressed as follows:

1) RESULT [Query] is true: The query is proven and there
is no feasible attack.

2) RESULT [Query] is false: The query is false and that
ProVerif has discovered a potential attack. 3) RESULT [Query] cannot be proven: Because verifying the protocols for an infinite number of sessions is infeasible, ProVerif cannot prove the query. The results of the ProVerif simulation are shown in Fig. 19. User U i 's private attributes ID i , PW i , and Bio i are secure under the ProVerif simulation. In particular, ID i and PW i , which we defined as weak secrets, are secure against offline guessing attacks. Moreover, an attacker cannot procure a session key from the server side and decrypt or obtain the server's secret message secretS and the user's secret message secretU . Regarding the correspondence assertion, ProVerif proves that server S j corresponds to the server U i wants to send to. However, ProVerif's attack trace includes a secure registration channel (ca) that should not be eavesdropped. Therefore, the proposed scheme passes the secrecy and correspondence tests, and no attacker can violate the authentication system by design.

C. SIMULATION USING THE AVISPA TOOL
In this subsection, we verify the security our proposed scheme by simulating it in AVISPA, another popular automated verification tool [33]. The advantage of AVISPA is that mathematical cryptographic primitives, such as XOR and exponential functions, are well-defined. However, a user cannot produce a new cryptographic function using this tool. Our scheme is written in a high-level protocol specification language (HLPSL). HLPSL is a role-based specification language; therefore, it is expressive enough to describe large-scale Internet protocols [34], [35]. The complete AVISPA code has been uploaded to https://doi.org/10.6084/m9.figshare.12198834 [5].
AVISPA provides four different analysis techniques: Onthe-Fly Model Checker (OFMC), Constraint-Logic-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree Automata based on automatic approximations for the analysis of security protocols (TA4SP). Among these techniques, we use CL-AtSe as an analytical tool, as it allows extensions pertaining to the algebraic properties of cryptographic functions and the associativity of message concatenation.
The user roles are presented in Table 4. Unlike Proverif, AVISPA cannot define a secure channel. Therefore, we used a symmetric key RPkeyi to create a secure channel between the user and RC. In addition, the hash function, biohash function, and channels that follow the Dolev-Yao model are defined.
Because we cannot construct a custom Chebyshev function using AVISPA, we used the encryption operation as a countermeasure for the Chebyshev polynomial or multiplication operation. For example, the user sends H (HID i ||x j ) · T r i s j (x j ) modp to the server in the login phase, and the server cannot derive H (HID i ||x j ) unless the value of T r i s j (x j ). For this reason, we assumed that T r i s j (x j ) was used as a cryptographic symmetric key and wrote a simulation code in which H (HID i ||x j ) is encrypted with T r i s j (x j ). Likewise, UID i is treated as a symmetric key to derive RN 1 in T RN 1 (UID i ). Moreover, a user U i obtains the server's identity and public key pair (SID j , x j , T s j (x j )) during the registration phase. However, AVISPA supports only private and symmetric keys on a one-to-one basis. Thus, we used an alternative method that stores all discrete Chebyshev public key pairs and server identifiers in the user's memory (Pubj). By doing so, we could perform cryptographic procedures similar to those in the discrete Chebyshev chaotic map. We then predefined the goal that the user has witnessed the value RN 1 , and now requests a check of the value RN 2 from the server.
Next, we describe the role of the server in Table 5. KeyRing implements H (H (HID i ||x j )||s j ) and the UID i matching table database. In State 0, the server selects its SID j value and sends it to the registration center. In State 1, the public key pair (PKeyj, TPKeyj) and private key pair (SKeyj) issued from the registration center are stored, and the public key pair is sent to the user along with their SID j . In State 2, the user's HID i and UID i values are received and stored in the matching table KeyRing. The remaining parameters and processes are defined in the same manner as those in Section V. Then, we predefined the goal that the server requests a check of the value of RN 1 , under the condition that the server witnessed the value of RN 2 .
In Table 6, we delineate the role of the registration center. During server registration, a secret was declared to confirm the security of ''SKj'' (S j in our scheme), which is the long term private key of the server. After user registration, the registration center sends UID i , V i , C i to the user, and HID i , UID i to the server, as stated in our proposed scheme.
We describe the session role in Table 7. In the session role, one usually declares all the channels used by the basic roles and a composition section in which the basic roles are instantiated. The /\operator indicates that the roles should be executed in parallel. attribute, in parentheses, which specifies the intruder model one assumes for that channel. Here, the type declaration channel (dy) represents the Dolev-Yao intruder model. Our session role is described as follows: Table 8 describes the overall environment and goal of the simulation. We establish two users (a1 and a2) and conduct sessions between these users, the server (b), and the registration center (r). All symmetric keys (kar1, kar2, and kbr) are used to build secure channels between each user and server. Intruder knowledge is limited by a set of constants and assigned variables, which are provided to the user in the role of an intruder. Suppose the intruder is playing the user a1;  then, the intruder's knowledge contains all the terms given as parameters of the corresponding instance of the role a1. In this case, the total intruder knowledge is intended to be the union of sets defined in those declarations. Finally, we conduct a confidentiality test of the user's identity, password, biometric information, and pseudo-identity (ID i , PW i , B i , HID i ), and the server's secret key SK j , to verify that sensitive information does not leak. We also perform an authentication test that is predefined in the user and server roles (rn1, rn2).
The results (Fig. 20) indicate that our scheme is secure against active attacks, such as replay and man-in-the-middle attacks, as well as passive attacks. The summary of the results under CL-AtSe (Constraint Logic-based Attack Searcher) also indicates that the protocol is safe.

D. SECURITY REQUIREMENT ANALYSIS
In this subsection, we demonstrate that our scheme can resist several known attacks. Table 9 presents the results of the overall comparison among the different authentication schemes.

1) PRIVILEGED INSIDER ATTACK
Although an attacker A has access to a server S j , A can only obtain H (H (HID i x j )||s j ) and UID i = H (HID i Ur i ). As a result, A cannot obtain any information relating to the user U i . Moreover, even if S j is vulnerable such that a private key s j is leaked, the attacker cannot find HID i because HID i = H (ID i b i ), where the hashed biometric information b i is considered to be robust against offline guessing attacks.

2) USER ANONYMITY AND UNTRACEABILITY
During the authentication phase, an attacker A might obtain a login and authentication message between user U i and server S j . However, A cannot acquire any partial information from the message. This is because all pieces of critical information (HID i and UID i ) are encrypted by Chebyshev and discrete Chebyshev polynomials. Moreover, nonces r i and RN 1 are changed for every login session; thus, the resulting ciphertexts of the Chebyshev and discrete Chebyshev polynomials also vary every time. Consequently, A cannot determine whether the query is from the same user U i or from another user U i .

3) MUTUAL AUTHENTICATION
A server S j can authenticate a user U i by verifying that where HHID i is stored in its database. Furthermore, U i can authenticate S j by checking whether RN 1 is equal to RN 1 , where U i is sent to S j . Therefore, the proposed scheme satisfies mutual authentication.

4) OFFLINE IDENTITY/PASSWORD GUESSING ATTACK
An attacker A cannot acquire any partial information about a user U i 's identity and password during the authentication phase. Let us assume that A obtains C i and V i using a stolen smart card or other attack. In this case, A can collect C i and V i ; however, they cannot guess U i 's identity and password because they are concatenated and hashed with the hashed biometric information b i , which cannot be derived. Consequently, A cannot succeed in offline identity and passwordguessing attacks.

5) USER IMPERSONATION ATTACK
An attacker A requires HID i and UID i to impersonate a user U i . However, these two parameters were encrypted during the authentication phase. Moreover, even if A acquires UID i via stolen card attack, they cannot produce HID i because the user's identity ID i and hashed biometric information b i are required to generate it. Therefore, A cannot successfully carry out a user impersonation attack. Furthermore, when the server tries to impersonate a user, the server also needs access to the user's HID i . However, the value of HID i in the login message that the user sends to the server is transmitted in the form of H (HID i ||x j ), and the server needs to guess HID i given this information. Even though the server's public key x j is public information, HID i = H (ID i b i ), where the hashed biometric information b i is considered to be robust against offline guessing attacks. For this reason, a user impersonation attack is also impossible on any server.

6) SERVER IMPERSONATION ATTACK
To impersonate a server S j , an attacker A requires S j 's secret key, which cannot be acquired. Therefore, it is infeasible for A to successfully impersonate S j .

7) STOLEN SMART CARD ATTACK
A user U i might lose their smart card, or have it stolen by an attacker. However, as mentioned earlier, even if A obtains C i , V i , and UID i , they can neither succeed in any attack nor access any piece of U i 's private information.

8) REPLAY ATTACK
An attacker A might resend a user U i 's previous login message to server S j . However, A cannot generate the session key SK ij because they do not have access to HID i and RN 1 . Therefore, it is impossible to carry out a replay attack.

9) SESSION KEY COMPROMISE
To compromise the session key SK ij within our protocol, an attacker A needs access to HID i , RN 1 , and RN 2 . However, access to this information requires either a server S j 's private key s j , or a user U i 's private information HID i and UID i , which are infeasible to obtain unless A is U i or S j . Therefore, A cannot compromise the session key SK ij between U i and S j .

10) NO TIME SYNCHRONIZATION
A timestamp-based authentication scheme suffers from synchronization problems. However, our proposed scheme does not used any timestamps; thus, it is free from time synchronization problems.

11) FAST AND CONVENIENT PASSWORD CHANGE
When a user U i wants to change their password, they can do so without communicating with the registration center RC and server S j . Upon changing their password, the user's smart card replaces C old i and V old i with C new i and V new i , respectively. This process occurs entirely within U i 's smart card, and the smart card does not have to transmit the changed password to RC and S j .

12) PROVISION FOR REVOCATION
A user U i may lose their smart card or have it stolen. In this case, U i needs to revoke their identity and create a new identity. Our proposed scheme includes a revocation phase, and the registration center RC can verify U i with HID i = H (ID i b i ); therefore, U i can revoke and register with their identity ID i .

13) KNOWN-KEY SECURITY (Forward Security)
Even if an earlier session key SK ij is leaked, an attacker cannot recover a new SK ij because the nonces RN 1 and RN 2 are changed for every session. Therefore, the proposed scheme guarantees forward privacy. VOLUME 10, 2022

VIII. PERFORMANCE ANALYZE
In this section, we analyze the performance of our proposed scheme and compare it with that other authentication schemes. We mainly measure the login and authentication phases because the other phases barely occur.
The simulation environment is presented in Table 10. We used Crypto++ Library 8.1 as a cryptographic library. This library supports many cryptographic algorithms such as SHA, AES, and ECC. In addition, it provides a benchmarking program for users to easily compare cryptographic algorithms. General Crypto++ algorithm benchmarks (5.6.0) are discussed in detail in [36]. However, in our case, there is no algorithm for Chebyshev cryptographic algorithms; thus, we performed the simulation experiments manually. We calculated the execution time of the algorithm by computing the average of one million operations (10 experiments with 100,000 operations each). We uploaded the complete code (C code) and relevant sources [5].
The results of the cryptographic algorithms are listed in Table 11. Chebyshev encryption and decryption require very little time because the encryption scheme has a simple structure whereas the decryption scheme uses trigonometric functions and a Euclidean algorithm. Moreover, discrete Chebyshev mapping takes less time because the recurrence relation can be converted into matrix form, as discussed in [37]. However, the security of the discrete Chebyshev method is the same as that of RSA. Therefore, to be safe, the bits in discrete Chebyshev should be more than 1024, which will require more time than the simulation.
Some studies on authentication use SHA-1 as a hash function; however, this function is considered unsafe. Therefore, we used SHA-256 in our simulation. Fortunately, SHA-256 is not significantly slower than SHA-1; therefore, we assumed that hash functions do not affect the overall authentication scheme time, as assumed by many researchers.
Finally, there is no algorithm for biohashing functions. Therefore, we assume that the time required for biohashing functions is comparable to that of hash functions. Moreover, in accordance with [19], [38], we assume that the time required for elliptic curve point multiplication (T ecpm ) is 2226µs (2.226 ms), and that required for elliptic curve point addition (T ecpa ) is 22.8µs (0.0228 ms).
Our proposed scheme is slower than the protocols presented by Xiao-Liao-Deng and Dharminder-Kumar-Gupta. However, Xiao-Liao-Deng's scheme requires five communication transmissions, which take more than 20µs, whereas Dharminder-Kumar-Gupta's scheme does not incorporate biometric information. Therefore, the security of our scheme is superior. The results suggest that our proposed scheme is more efficient than other authentication protocols.
Our scheme performs 44 times higher than the average value of 2300.24 for the other schemes. (44.025 = (2300.24 − 51.088)/51.088) Therefore, we propose the possibility of a user authentication scheme using a novel symmetric Chebyshev chaotic map. Our scheme exhibits the best performance among three factor authentica- tion schemes, and opens up new possibilities for Chebyshev chaotic maps.

IX. CONCLUSION
To create an encryption system that can be maintained for numerous data packets, we introduced a new method of high-speed symmetric encryption using the Chebyshev chaotic map, and proposed a secure and fast authentication protocol based on the map. We proved that our proposed scheme is secure by showing its resistance to well-known attacks and by using the automated authentication verification tools ProVerif and AVISPA. In addition, we have proven that our proposed scheme is fast and efficient by comparing its time and cost consumption with those of other authentication schemes. However, during the simulation, we observed that the decrypted results of the symmetric Chebyshev chaotic map did not match the original message, due to the size of the data type (long double) and the underflow effects. Therefore, it is necessary to create a new data type and its associated trigonometric functions for the symmetric Chebyshev encryption scheme, which we leave as a future discussion. If a library for symmetric Chebyshev encryption is implemented, our cryptographic function will require a very short operation time, and our authentication scheme would offer a robust and efficient environment.