Chebyshev Polynomial-Based Authentication Scheme in Multiserver Environment

Nowadays, communication technologies such as 4G and 5G are advancing rapidly. There are many useful online applications, and one of them is the telecare medical information system (TMIS). If the TMIS is widely deployed, patients and doctors will be connected more frequently. Clearly, this enhances our quality of life. One of the most important modules for securely constructing this convenient TMIS is the user-authentication scheme. We should prevent user identity and related information from being eavesdropped by the adversary. Therefore, the authentication scheme should provide user anonymity and address some kinds of attacks, such as impersonation or password-guessing attacks. Common solutions are a combination of a hash function and a public-key cryptosystem (RSA or elliptic curve cryptosystem, ECC), but current schemes do not consider identity protection as a main task necessary for the medical information environment. In this paper, our results consist of some important analyses of previous works and a multiserver user-authentication scheme suitable for TMIS using Chebyshev polynomial, with two models: random oracle and BAN-logic.


Introduction
With evolutionary changes in technological fields, all aspects of modern life are influenced positively, especially in medical online-service systems. The Internet gives us a chance to provide convenience to our customers. Instead of coming directly to the medical centre or hospital, many people like to experience these services at any time. Nowadays, people use wearable devices, such as a smart watch or bracelet, and connect to the online medical system to quickly receive doctors' advice. It can be said that remote services are an inevitable trend to satisfy remote experiences. In such services, we need to protect the users' profiles from illegitimate accesses. All messages exchanged between the user and server in a working session need to be kept secret. In any application, the user and server must know if their partner is real or fake. Therefore, the authentication scheme is necessary to provide security and privacy for both sides.
Storing a password list to verify the user's identity is a popular method, and this is not a secure one (PAP/CHAP).
This list may be stolen, and then an adversary can launch a password dictionary attack. Furthermore, the information exchanged between the user and server must be kept secure. We need to propose an efficient scheme to overcome some existing limitations. To achieve this goal, we should design an authentication scheme combined with some cryptographic primitives and hard problems to resist some common kinds of attacks. However, many authors prefer the password-based approach to others because it is simple and easily deployed. Some schemes [1][2][3][4][5] can resist some kinds of attacks at this phase, such as stolen-verifier attack or replay attack. In 2010, Wu et al. [6] proposed a scheme with a precomputing phase enhancing the security. The remarkable point of this idea is that a set of prestored random values provides strong user anonymity. Furthermore, the authors also use some cryptographic primitives, such as hash function, symmetric encryption scheme, and logarithm problem. Then, Debiao [7] pointed out that Wu's scheme did not combine the user's identity with secret information, and this results in impersonation attack. What Debiao claimed is true, but his improved scheme still has this pitfall. Next, Wei [8] discovered that both Debiao's and Wu's schemes are vulnerable to offline password-guessing attack, and he also proposed an improved version to overcome this attack. In 2012, Zhu claimed that Wei's scheme is still vulnerable to what Wei claimed. Zhu combined the password with a secret key to enhance the difficulty of password verification. Although Zhu's scheme [9] overcame previous limitations, his scheme transmitted identity information without protection. Therefore, his scheme is not suitable for some privacy environments. Especially, Pu's plugin scheme [10] can plug any two-party password authentication protocol, 2PAKE with elliptic curve cryptography, to enhance security and save computational cost.
However, this scheme also needs to be reconsidered because of unreasonable computation workloads with two session keys. In case of leaking the centre's master key and the users' authentication key, the scheme should protect previously exchanged messages between the user and server. That is why session-key perfect forward secrecy (PFS) is one of the standards for evaluating a strong scheme. Known-key attack is also a popular one at the authentication phase that receives much attention. In this kind of attack, leaking one session key may result in attacking another session key. In 2013, Li et al. [11] proposed a scheme in multiserver environment with many improvements, in which each server has its own key. However, leaking the smart card's information may result in password-guessing attack. In 2014, Qu and Tan [12] proposed a different ECC-based scheme. Although they used elliptic curve cryptosystem, leaking the user's identity may result in impersonation attack. Clearly, this decreases the scheme's practicality because the identity's nature is public. In 2015, Amin and Biswas [13] proposed a scheme in telecare medicine environment.
Their scheme can resist three-factor attack, including password + smart card + biometrics. However, their scheme is still vulnerable with respect to PFS. In 2018, Qiu et al. [14] and Xu et al. [15] proposed a scheme using ECC with untraceability property suitable for the medical services. Also, in 2019, Qiu et al. [16] proposed an ECC-based improved version using automated validation of Internet security protocol and application software. So, it can be said that this scheme has a high reliability.
Client-server authentication is simple and time-efficient, but in such medical or financial systems, we need continuous connections between their servers. Furthermore, in single-server environment, the customer needs many credentials for various services. Recently, using Chebyshev polynomial has received attention from many authors. In 2016, Li et al. [17] proposed a chaotic map-based authentication scheme in multiserver environment with provable security. Their work is truly impressive because it is based on BAN-logic and random oracle models, which are tools suitable for provable authentication schemes. Their design is a three-party participation in authentication process, so its time consumption is high. In 2017, Jangirala et al. [18] proposed a multiserver environment scheme based on dynamic ID. Although the correctness of their scheme is correctly proved based on BAN-logic, it is not applied with any hard problems. Therefore, it is hard to be a strong scheme. In the same year, Han et al. [19] and Irshad et al. [20] proposed a chaotic map-based scheme. Han et al.'s result is a combination between hard problem (chaotic map) and cryptographic primitives, such as hash function and symmetric encryption scheme. However, we see their scheme uses three-way challenge-response handshake technique with timestamp. In our experience, only two three-way challenge-response handshake techniques are needed if using timestamp. Irshad's scheme is similar to Li's because it is designed with three-party architecture. Therefore, it also takes much time to authenticate. In 2018, Alzahrani et al. [21] proposed a secure and efficient TMIS-based scheme.
Their scheme provides TMIS environment with chaotic map-based scheme, but they need to extend it to multiserver environment. Especially, in the same year, Wang et al. [22] proposed a security model accurately capturing the adversary's practical capabilities. We hope their model will be favourable and common soon. In this paper, we will analyse typical works [11-13, 18, 20, 21] to have some information needed to propose a new Chebyshev polynomial-based scheme in multiserver environment. Also, we have a work [23] but in the client-server environment. The rest of our paper is organized as follows. In Section 2, we present the background of Chebyshev polynomial. Section 3 reviews some recent typical results and analyses them on security aspect. Then, in Section 4, we propose an improved scheme in multiserver environment using Chebyshev polynomial [24] in the modular prime number field. In Section 5, we analyse our proposed scheme on two aspects, security and efficiency. Finally, the conclusion is presented in Section 6.

Background
Chebyshev polynomial [24] is a chaotic map in field R, T a : And it can be rewritten in recursion form as follows: In 2005, Bergamo et al. [25] analysed Chebyshev polynomial in real field and concluded that we can find r′ ≠ r, such that T r′ (x) = T r (x). In 2008, Zhang [24] extended Chebyshev polynomial to ∞ and proved that its property in real field is also right in modular prime number field Z p , p ∈ P. This result allows us to construct public-key cryptography and related hard problems. Chebyshev polynomial in Z p can be rewritten in recursion form as in R: With properties in Chebyshev polynomial, a public-key cryptography is proposed. To construct this one, we need to choose p ∈ P and x ∈ [0, p − 1] and then compute with formula T n (x) mod p, ∀n ∈ N. Furthermore, there are also two related hard problems in this public-key cryptography [26], such as chaotic map discrete logarithm problem (CMDLP) and chaotic map Diffie-Hellman problem (CMDHP):
(i) Chaotic map discrete logarithm problem (CMDLP): given p ∈ P and x, y ∈ [0, p − 1], it is hard to find r ∈ N such that T r (x) = y mod p
(ii) Chaotic map Diffie-Hellman problem (CMDHP): given

Cryptanalysis of Some Typical Schemes
This section presents and analyses some typical schemes.

Li et al.'s Scheme.
This scheme [11] uses hash function combined with random values, including four phases: registration, login, authentication, and password-update phases. Because it is designed for multiserver environment, the registration centre constructs the master key h (x || y) for itself and the submaster key h (SID j || h (y)) for each service provider. Table 1 presents some notations used in this scheme.

Registration Phase.
U i registers with RC as follows: , h (y)} into a smart card and sends to U i via a secure channel. (iv) U i inputs b into the smart card, and finally, U i has In the registration phase, we see that the author used common key h (y), and this is dangerous because the adversary can exploit this to launch an impersonation attack if the smart card's information is leaked or stolen. Figure 1 describes all steps in this phase.

Login Phase.
When logging into service, U i performs as follows: (i) U i provides his/her smart card and inputs ID i and PW i . Then, the smart card computes At this phase, the random value N i can be easily computed because it is only protected by h (y). This decreases the challenge from the user and makes the scheme unbalanced.

Authentication Phase.
In this phase, the server also chooses the random value N j and only the valid user (who has A i ) can recompute this N j and send a correct response. Figure 2 describes all steps in this phase.
When S j receives {P ij , CID i , M 1 , M 2 } from U i , S j , and U i , it performs the following steps: and compares it with M 5 . If two where E i is extracted from the smart card. SID j , h (y), and N i are easily computed by U a because they are public information.
When receiving, S j will perform the following steps to verify.
Because E i is extracted from U i 's smart card, the values B i and D i also belong to U i . However, in Li's scheme, A i is separated from other values, so U a can exploit this limitation to insert his/her information. Furthermore, if U a captures previous transactions between U i and S j , he/she will launch 5 and use the password dictionary to search "guess" until success. Note that U i 's N i is easily found by computing N i = M 2 ⊕ h (SID j || h (y)), in which SID j and h (y) are those U a easily computes.

Qu and Tan's Scheme.
Qu and Tan's scheme [12] uses ECC, and it is secure against some popular kinds of attacks as they claimed. However, we will prove their scheme is vulnerable to impersonation attack. This scheme includes five phases: initialization, registration, login, authentication, and password-update phases. Table 2 presents some notations used in this scheme.

System Initialization.
In this phase, the system initializes some parameters: (i) S chooses the elliptic curve E P (a, b) and base point P with big prime order n (ii) S chooses q S ∈ [1, n − 1] and computes the public key Q S = q S × P (iii) S chooses three hash functions, H 1 (.), H 2 (.), and H 3 (.), described in Table 2. In this phase, we see that H 1 (.) is special because it receives any string and outputs a point belonging to the elliptic curve.

Registration Phase.
When registering, U must follow the following steps:

into the smart card and then sends to U via a secure channel (iv) When receiving, U inputs b U into the smart card. Finally At this phase, S attaches U's personal information with S's master key q S to create the user's authentication key by using H 1 (.). Figure 3 describes all steps in this phase.

Login Phase.
When U logs into S, U provides ID U , PW U , and his/her smart card into the terminal. Then, the smart card performs the following steps: ) and checks if BID U ′ = BID U (BID U is stored in the smart card). If this holds, U provides correct information. Otherwise, the smart card will terminate the session. (ii) U randomly chooses r U ∈ [1, n − 1] and computes to S through a public channel.
In this phase, identity is not attached with U's authentication key, so this is a weak point that another adversary can exploit to launch an impersonation attack. Figure 4 describes all steps in this phase and authentication phase.

Authentication Phase.
When receiving the login message from U, S performs as follows: Table 2: Notations used in the scheme [12].
Notations Description S, U, (q S , Q S ) Server/user, key-pair of S ID U , PW U Identity and password of U H 1 Hash Base point P is a generator of G

Password-Update Phase.
When receiving the login message from U, S performs as follows: (i) U provides ID U , PW U , and the smart card at the terminal.

The Scheme's Cryptanalysis.
If the user's identity is leaked, that user will be impersonated. Assume the adversary is also a member; we call him/her U a , with corresponding {AID A , BID A } in his/her smart card. If U a knows the victim's ID U , U a performs the following steps to launch an impersonation attack: and see that H RS ′ = H RS .
If the user's identity is leaked, he/she will be impersonated. The reason is that the user's identity is not attached with their secret information, for example, the authentication key AID U is not attached with identity, or BID U is only used for verification of the smart-card owner and does not take part in the authentication phase.

Amin and Biswas's Scheme.
Amin and Biswas's scheme [13] uses ECC and biohashing, a special hash function overcoming the problem of sensitive input which exists in traditional hash function. In 2004, Jin et al. [27] proposed a remarkable improved biohashing function. Amin and Biswas's scheme includes four phases: registration, login, authentication, and password-update phases. Table 3 presents some notations used in this scheme.

Login Phase.
When U i successfully registers, U i performs as follows: (i) U i provides the smart card with T i , and then the smart card computes . If this condition holds, U i continues providing ID i and PW i ; otherwise, the scheme is terminated.
. If this condition holds, the phase continues; otherwise, it is terminated.
, and sends {C 2 , C 4 , CID i } to S through a public channel.
In this phase, U i needs to use biometrics + password + identity to prove the smart-card owner. This method protects the user from impersonation attacks. Figure 6 describes all steps in this phase and the authentication phase.

Authentication Phase.
When S receives {C 2 , C 4 , CID i } from U i , S and U i perform as follows: and checks if C * 4 = C 4 (C 4 is stored in the smart card). If this condition holds, S believes U i is the valid user.
(ii) S randomly chooses r j , computes D 1 = r j × P, Base point of G with prime order q aP Point multiplication P x Secret key of S (1024 bit) If this condition holds, U i believes S is valid and SK is a common session key of U i and S. After the successful authentication phase, U i replaces CID i with CID i ′ . Finally, U i computes Z i = h (ID i || SK) and sends to S through a public channel.
If this condition holds, the authentication phase successfully completes.
In this phase, replacing CID i after successful authentication will enhance the user's privacy. Because each transaction has a different value, there is no way to know who is online, and we cannot identify whether two transactions belong to one user.

Password-Update Phase.
U i needs to successfully log in if he/she wants to change the password. U i needs to provide PW inew , and then his/her smart card computes

The Scheme's Cryptanalysis.
If the master key is leaked, all previous exchanged messages between the user and server are also leaked. For example, if the key x is leaked, the adversary stores previous message packages of the user and server, such as {C 2 , CID i , C 4 } or {L i , G 1 , CID i ′ }. The adversary will extract ID i by using x to decrypt CID i , and computes W = h (ID S ||x || ID i ) and r i = C 2 ⊕ W. With r i , the adversary computes C 1 = r i × P and D 1 = G 1 − C 1 . From r i and D i , the adversary finally computes SK = r i × D 1 .

Jangirala et al.'s Scheme.
This scheme [18] uses hash function combined with random values, including four phases: registration, login, authentication, and password-update phases. Because it is designed for multiserver environment, the registration centre constructs the master key h (x || y) for itself and the submaster key h (SID j || h (y)) for each service provider. Notations used in this scheme are in Table 1.

Registration Phase.
U i registers with RC as follows: , h (y)} into a smart card and sends to U i via a secure channel.
In the registration phase, we see that their scheme encrypts b with h (ID i || PW i ). This prevents some kinds of privileged insider attacks. Figure 7 describes all steps in this phase.

Login Phase.
This phase sends U i 's login request to S j as follows: (i) U i inserts his/her smart card and inputs ID i and PW i . Then, the smart card computes At this phase, random value N i can be easily known by the adversary because it is only protected by h (y). Furthermore, if the user's smart card is leaked, the adversary can compute his/her D i and discover what the user did in previous session corresponding to N i .

Authentication Phase.
When S j receives {P ij , CID i , M 1 , M 2 } from U i , S j verifies U i 's login message as follows:  Figure 8 describes all steps in this phase.

Password-Update Phase.
This phase is performed when U i changes PW i into PW inew without interacting with RC: (i) U i provides his/her smart card at the terminal and inputs ID i and PW i .
and checks if C * i = C i . If this does not hold, the smart card rejects and terminates the password-update-request session. Otherwise,

The Scheme's Cryptanalysis. If another U i 's smart card leaks information {C
, h (.)} and the adversary U a is another valid user, U a can launch an impersonation attack as follows: where N a is random value chosen by U a (ii) Then, U a computes CID i = A a ⊕ h (D i || SID j || N a ), where A a belongs to U a (iii) Next, U a sends {P ij , CID i , M 1 , M 2 } to S j (iv) Once receiving these messages, S j computes N a = h (SID j ||h (y)) ⊕ M 2 , Clearly, U a successfully authenticates with S j without knowing the user's identity and password.

Han et al.'s Scheme.
This scheme [19] uses the fuzzy extractor to process the user's biometrics, including four phases: registration, login, authentication, and password-update phases. With symmetric encryption, this scheme truly has strong user anonymity because the adversary cannot know if two login sessions belong to the same user. Some notations used in this scheme are in Table 4.

Registration Phase.
In the registration phase, we see that their scheme generates <R, P> from the user's biometrics with the fuzzy extractor. Furthermore, the user's dynamic identity is made by the server by using the encryption scheme. Figure 9 describes all steps in this phase.
Firstly, the user chooses ID, PW, biometrics B, and random value r. Then, the fuzzy extractor generates <R, P>

Login Phase.
The user inserts SC into the terminal and enters ID, PW, and B′ similar to B. Then, SC performs as follows: . If this holds, go to next step (iii) SC generates a nonce u and computes X = T u (AID) and V 1 = h (ID || X || CID || T 1 ) (iv) SC transmits {CID, X, V 1 , T 1 } to the server At this phase, the user needs to recreate the R value by providing his/her correct biometrics.

Authentication Phase.
When receiving the login message from the user, S verifies the login message as follows: If this holds, S retrieves ID by computing Dec s (CID) with the private key s. (vii) Once receiving messages, the server checks T 3 and verifies if V 3 = h (SK || T 3 ). If this holds, the user and server successfully authenticate to each other and accept SK as a session key.
This scheme is completely dependent on random values u and v, and this is vulnerable to known session-specific temporary information attack. Figure 10 describes all steps in this phase.

Password-Update Phase.
This phase is performed when U changes PW into PW new without interacting with S: (v) Once receiving the message from U a , U checks T 2 ′ . If this holds, U computes SK′ = h (T u′ (Y)), where u′ is a random value chosen by U.
Clearly, the adversary can reuse this random value v to reattack the user many times. The main reason is that CID is what the user does not know.

Proposed Scheme.
In Section 3, we review some typical schemes using many approaches such as Chebyshev polynomial or elliptic curve cryptosystem in various environments. Although these schemes are well designed with some interesting primitives, such as fuzzy extractor or symmetric encryption scheme, they are still vulnerable to some typical kinds of attacks, such as password-guessing or impersonation. Indeed, there are still interesting schemes [17,20], but they are designed with three-party participation different with two-party participation of the proposed scheme. Therefore, we temporarily do not consider in this paper. Figure 11 shows our architecture of participation between registration centre (RC), servers (S j ), and users (U X ), where the keys of servers and users are created by RC.

Table 4: Notations used in the scheme [19].
Notations: Description
U, S: User/patient, telecare server
PW, ID, B: Password/identity/biometrics of U
s: Private key of server
SK: Session key between U and S
h (.): Cryptographic one-way hash function
Enc x (.)/Dec x (.): Symmetric encryption scheme
Gen: Probabilistic generation algorithm
Rep: Probabilistic reproduction algorithm
⊕, ||, T n: XOR, concatenation, Chebyshev operation
With this architecture in Figure 11, we can deploy a RC to centralize all medical servers. Also, the users easily find the medical services suitable for them. This section presents the phases in our proposed scheme. Our scheme uses Chebyshev polynomial in multiserver environment with two-party participation, including five phases: initialization, registration (server + user), authentication, and password-update phases. Some notations used in our scheme are in Table 5.

Server Registration Phase.
In this phase, S j provides SID j to RC through a secure channel. RC chooses r j and computes ASID j = T q RC (H 0 (SID j || r j )) mod p and then returns {r j , SID j , ASID j , H 0 (.)} to S j . Figure 12 shows the steps in this phase.
In this phase, each server S j has unique master key ASID j produced by RC. RC must keep the pair <r j , SID j > for subsequent retrieval and the user's registration.

User Registration Phase.
U X provides biometrics B X and UID X , using Gen (B X ) to generate <R X , P X >. Then, U X sends {UID X , H 0 (R X || UID X )} to RC through a secure channel. Once receiving the messages, RC computes all submaster keys for all service providers. RC chooses r X and then computes s j X = T r X (UID X || H 0 (R X || UID X )) mod p + T ASID j (H 0 (r j + r X + UID X )) mod p and RPW X = H 0 (H 0 (R X || UID X ) || r X ). RC returns {s 1 X , s 2 X , . . ., s m X , RPW X , and H 0 (.), r X } to U X through a secure channel. Figure 13 shows the steps in this phase.
In this phase, RC computes s j X , which is an authentication key between U X and S j (1 ≤ j ≤ m, where m is a number of S j ). Similar to [19], our scheme uses the fuzzy extractor to deal with the problem of output-sensitive due to inputs' perturbations. Additionally, RC must notify S j about U X by sending pair <r X , UID X > for the subsequent user's authentication.

Authentication Phase.
When U X logs in to S j , U X provides the smart card with UID X and B X ′ at the terminal. Then, the smart card reproduces R X = Rep (P X , B X ′ ) and checks if RPW X = H 0 (H 0 (R X || UID X ) || r X ); if this does not hold, the session is terminated; otherwise, the smart card chooses r U and computes T ASID j (H 0 (r j + r X + UID X )) mod p = s j X − T r X (UID X || H 0 (R X || UID X )) mod p, R U = T r U (T ASID j (H 0 (r j + r X + UID X )) mod p) mod p, R′ = R U + T ASID j (H 0 (r j + r X + UID X )) mod p, CID = UID X ⊕ H 0 (R U ), and M U = H 0 (R U , T ASID j (H 0 (r j + r X + UID X )) mod p). Then, the smart card sends {CID, R′, M U , r X } to S j .
On receiving the message, S j computes T ASID j (H 0 (r j + r X + UID X )) mod p, R U ′ = R′ − T ASID j (H 0 (r j + r X + UID X )) mod p, and UID X = CID ⊕ H 0 (R U ′ ) and checks UID X ; then, S j checks if M U = H 0 (R U ′ , T ASID j (H 0 (r j + r X + UID X )) mod p), and if this does not hold, S j terminates the session; otherwise, S j chooses r S and computes R S = T r S (T ASID j (H 0 (r j + r X + UID X )) mod p) mod p, S′ = R S + R U ′ , SK = H 0 (T r S (R U ′ ) mod p), and M S = H 0 (R S , T ASID j (H 0 (r j + r X + UID X )) mod p). S j sends {M S , S′} to U X .
On receiving the message, U X computes R S ′ = S′ − R U and SK = H 0 (T r U (R S ′ ) mod p) and checks if M S = H 0 (R S ′ , T ASID j (H 0 (r j + r X + UID X )) mod p); if this does not hold, U X terminates the session; otherwise, U X believes S j is valid and sends M US = H 0 (R S ′ , T r U (R S ′ ) mod p) to S j .
On receiving the message, S j checks if M US = H 0 (R S , T r S (R U ′ ) mod p); if this does not hold, S j terminates the session; otherwise, S j believes U X is valid. Figure 14 shows the steps in this phase.
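The authentication phase above, written out as an added Python example (not the authors' code): both sides unmask the shared value T ASID j (H 0 (r j + r X + UID X )) mod p, exchange R′ and S′, and arrive at the same SK because T r S (T r U (x)) = T r U (T r S (x)) mod p. Assumptions made here: SHA-256 stands in for H 0, p = 2^127 − 1 is a constructed demo prime, `concat` is an assumed integer encoding of `||`, the `+` inside H 0 is modelled as hashing the three values together, all sums are reduced mod p, S j finds UID X by looking up r X, and the fuzzy-extractor output R X is a fixed constructed byte string.

```python
import hashlib
import secrets

P = 2**127 - 1                                   # prime modulus p (constructed demo value)
UID = int.from_bytes(b"patient-0042", "big")     # UID_X (constructed)
R_BIO = b"constructed-fuzzy-extractor-output"    # R_X = Rep(P_X, B_X'), fixed for the demo

def cheb(n, x, p=P):
    """T_n(x) mod p via a binary ladder on the pair (T_k, T_k+1): O(log n) steps."""
    x %= p
    a, b = 1, x                                  # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "1":                           # k -> 2k + 1
            a, b = (2 * a * b - x) % p, (2 * b * b - 1) % p
        else:                                    # k -> 2k
            a, b = (2 * a * a - 1) % p, (2 * a * b - x) % p
    return a

def H0(*parts):
    """Hash ints/bytes to an integer below p (SHA-256 standing in for H0)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % P

def concat(uid, digest):
    """Assumed integer encoding of UID_X || H0(R_X || UID_X) as a map input."""
    return ((uid << 128) | digest) % P

def rand_exp():
    return secrets.randbelow(P - 2) + 2          # random value in [2, p - 1]

def register(uid, r_bio, sid=b"S1"):
    """RC: server registration, then user registration for one server S_j."""
    q_rc, r_j, r_x = rand_exp(), rand_exp(), rand_exp()
    asid = cheb(q_rc, H0(sid, r_j))              # ASID_j
    hr = H0(r_bio, uid)                          # H0(R_X || UID_X)
    k = cheb(asid, H0(r_j, r_x, uid))            # T_ASIDj(H0(r_j + r_X + UID_X))
    card = {"s_jx": (cheb(r_x, concat(uid, hr)) + k) % P,
            "rpw": H0(hr, r_x), "r_x": r_x}
    server = {"asid": asid, "r_j": r_j, "users": {r_x: uid}}  # <r_X, UID_X> from RC
    return card, server

def user_login(card, uid, r_bio):
    hr = H0(r_bio, uid)
    if H0(hr, card["r_x"]) != card["rpw"]:       # RPW_X check on the card
        raise ValueError("smart card rejects UID/biometrics")
    k = (card["s_jx"] - cheb(card["r_x"], concat(uid, hr))) % P
    r_u = rand_exp()
    R_u = cheb(r_u, k)
    msg = {"CID": uid ^ H0(R_u), "R1": (R_u + k) % P,         # R1 is R'
           "M_U": H0(R_u, k), "r_x": card["r_x"]}
    return msg, {"k": k, "r_u": r_u, "R_u": R_u}

def server_respond(server, msg):
    uid = server["users"].get(msg["r_x"])
    if uid is None:
        raise ValueError("S_j does not know this r_X")
    k = cheb(server["asid"], H0(server["r_j"], msg["r_x"], uid))
    R_u = (msg["R1"] - k) % P                    # R_U'
    if msg["CID"] ^ H0(R_u) != uid or msg["M_U"] != H0(R_u, k):
        raise ValueError("S_j rejects the login message")
    r_s = rand_exp()
    R_s, shared = cheb(r_s, k), cheb(r_s, R_u)   # shared = T_rS(R_U')
    reply = {"M_S": H0(R_s, k), "S1": (R_s + R_u) % P}        # S1 is S'
    return reply, {"SK": H0(shared), "M_US": H0(R_s, shared)}

def user_finish(state, reply):
    R_s = (reply["S1"] - state["R_u"]) % P       # R_S'
    if reply["M_S"] != H0(R_s, state["k"]):
        raise ValueError("U_X rejects the server reply")
    shared = cheb(state["r_u"], R_s)             # T_rU(R_S')
    return H0(shared), H0(R_s, shared)           # SK, M_US

def run_session(card, server, uid, r_bio, tamper=False):
    msg, state = user_login(card, uid, r_bio)
    if tamper:                                   # R' modified in transit
        msg["R1"] = (msg["R1"] + 1) % P
    reply, srv = server_respond(server, msg)
    sk_user, m_us = user_finish(state, reply)
    if m_us != srv["M_US"]:
        raise ValueError("S_j rejects M_US")
    return sk_user, srv["SK"]

if __name__ == "__main__":
    card, server = register(UID, R_BIO)
    sk_u, sk_s = run_session(card, server, UID, R_BIO)
    print("session keys match:", sk_u == sk_s)
```

A deployed implementation would compare the M values in constant time and use a modulus sized for the intended security level.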

Password-Update Phase.
When U X changes B X , U X provides his/her smart card with UID X and similar B X ′ at the terminal.
Then, the smart card checks if RPW X = H 0 (H 0 (R X || UID X ) || r X ), where R X = Rep (P X , B X ′ ). If this does not hold, the smart card terminates the session; otherwise, U X inputs B new and computes RPW new = H 0 (H 0 (R new || UID X ) || r X ), where <R new , P new > = Gen (B new ). Then, the smart card updates RPW X = RPW new and P X = P new . Finally, the smart card updates all authentication keys s j X = s j X − T r X (UID X || H 0 (R X || UID X )) + T r X (UID X || H 0 (R new || UID X )), ∀j.

Security and Efficiency Analyses
In this section, we analyse our scheme on security and efficiency aspects.

Correctness Analysis.
Similar to previous schemes, we also prove our scheme's correctness using BAN-logic rules [28] and goals proposed in [29]. For simplicity, we let ⊗ denote the combination using Chebyshev operation. Table 6 shows some assumptions our scheme must satisfy. These assumptions stand for initial beliefs of the user and server, for example, A 1 implies that users can share their identities with the server with the registration phase. Next, we will normalize all messages exchanged between the user and server.
(i) From the message {CID}, we have < U X ⟷ UID X S j ,
Figure 11: Architecture of our proposed scheme.
Figure 12: Proposed scheme's server registration phase.
Figure 13: Proposed scheme's user registration phase.
Figure 14: Proposed scheme's authentication phase.
identity, challenge information r U ⊗ s j X , and long-term key s j X . Next, we demonstrate how our scheme satisfies seven lemmas reorganized from [29].

Lemma 1.
If S j believes the authentication key (the long-term key) is successfully shared with U X and U X 's messages encrypted with this key are fresh, S j will believe that U X believes U X 's UID X is successfully shared with S j :
Proof. With A 6 and CID, we apply the message-meaning rule to have we apply the freshness rule to have S j | ≡ #(r U ⊗ s j X )/S j | ≡ #CID . Next, we apply the nonce-verification rule to have S j | ≡ U X | ∼ CID, S j | ≡ # CID/S j | ≡ U X | ≡ CID. Finally, we apply the believe rule to and A 8 , we successfully demonstrate how our scheme satisfies Lemma 1. □

Lemma 2.
If S j believes U X also believes U X 's UID X is successfully shared with each other and U X totally controls this UID X 's sharing, S j also believes U X 's UID X is successfully shared with each other:
Proof. With Lemma 1 and A 4 , we apply the jurisdiction rule □

Lemma 3.
If U X believes s j X is successfully shared with S j and S j 's messages encrypted with s j X are fresh, U X will believe S j also believes U X 's UID X is successfully shared with each other.
Proof. With A 2 and M S , we apply the jurisdiction rule to Then, with A 7 , we apply the freshness rule to have So, with A 2 and A 7 , we successfully prove how our scheme satisfies Lemma 3. In short, with three lemmas, we can say that both S j and U X believe and successfully share their identities with each other. Next, we need to prove the similar thing for the session key.

Lemma 4.
If U X believes that s j X is successfully shared with S j and S j 's messages encrypted with s j X are fresh, U X will believe S j also believes the session key SK is successfully shared with each other: Proof. With M US and A 2 , we apply the message-meaning rule to have and M US , we apply the freshness rule to have U X | ≡ #(r S ⊗ s j X ), U X ⊲ M US /U X | ≡ #M US . Next, we use the believe rule to have U X | ≡ S j | ∼ M US , U X | ≡ #M US /U X | ≡ S j | ≡ M US . Again, we apply the believe rule to and A 7 , we successfully prove how our scheme satisfies Lemma 4.

Lemma 5.
If U X believes S j totally controls SK's sharing and S j also believes SK is successfully shared with U X , U X will believe SK's sharing:

Table 6: The assumptions in BAN-logic.
) − U X believes S j controls the sharing of the session key between U X and S j
A 4 : S j | ≡ (U X ⇒ (U X ⟷ UID X S j )) − S j believes U X controls the sharing of UID X between U X and S j
A 5 : S j | ≡ (U X ⇒ (U X ⟷ SK S j )) − S j believes U X controls the sharing of the session key between U X and S j
A 6 : S j | ≡ (S j ⟷ s j X U X ) − S j believes S j can share s j X with U X
A 7 : U X | ≡ # (r S ⊗ s j X ) − U X believes challenge messages from S j are fresh

Proof. With A 3 and Lemma 4, we apply the jurisdiction rule So, with A 3 and Lemma 4, we successfully prove how our scheme satisfies Lemma 5. □

Lemma 6.
If S j believes s j X is successfully shared with U X and the U X 's messages encrypted with s j X are fresh, S j will believe U X also believes SK's sharing:
Proof. With A 6 and M US , we apply the message-meaning With A 8 and M US , we apply the freshness rule to have With two results and the nonce-verification rule, with A 6 and A 8 , we successfully prove how our scheme satisfies Lemma 6. □

Lemma 7.
If S j believes U X totally controls SK's sharing, S j believes SK is successfully shared with U X :
Proof. With S j |≡ U X |≡ M US and A 5 , we apply the message-

The proof of Theorem 1. Now we assume that B wants to win in B's experiment, and it runs A as the procedure. Also, A wants to win in A's experiment and B must simulate the A's environment as the following algorithm Let l be the security length, for example, the size of the prime p and hash function's output. If A correctly guesses b′, then we must consider some following cases (Algorithm 1): (i) A issues q H queries to O Hash , and A has successful probability ≈ $q_H^2/2^l$ due to the birthday paradox. (ii) A chooses q E pairs to execute and have all messages exchanged between them.
Furthermore, A issues q C queries to some users to get the smart card or {UID, B}. So, A's successful probability of correctly guessing random values r or s is ≈ q E × q C /p. (iii) If A issues q S ′ queries to oracles simulated by B, there will be at least one Send query that helps A compute the session key. So, we have Adv CMDHP T (B) ≥ Adv AKE P (A)/q S ′ . When A issues the remaining q S − q S ′ queries to normal O i , A's successful probability of correctly guessing is ≈ q S − q S ′ /p. Finally, we have Adv AKE (r j + r X + UID X )) mod p) mod p) mod p because of facing CMDHP. Clearly, our scheme can resist this kind of attack.

User Impersonation Attack.
To impersonate as a valid user, the adversary needs R S = T r S (T ASID j (H 0 (r j + r X + UID X )) mod p) mod p. To have R S , he/she needs U X 's R U = T r U (T ASID j (H 0 (r j + r X + UID X )) mod p) mod p. Furthermore, the adversary must resend the session key to S j . Therefore, he/she not only finds R U but also knows r U to impersonate as a valid user. Clearly, our scheme can resist this kind of attack.

Server Impersonation Attack.
To impersonate as a valid server, the adversary needs R U = T r U (T ASID j (H 0 (r j + r X + UID X )) mod p) mod p. So, he/she also needs ASID j to compute R U . We see this is impossible because S j keeps ASID j secret. Clearly, our scheme can resist this kind of attack.

Man-in-the-Middle Attack.
In this kind of attack, the adversary can eavesdrop all messages exchanged between U X and S j and then edits the parameters in these packages. For example, the adversary can insert his/her own session key

Conclusions
This paper proposed a scheme using Chebyshev polynomial in multiserver environment. We surveyed and analysed current schemes to propose the solution overcoming the limitations in each approach. In the future, we will analyse many different approaches to apply with our scheme. Also, we design
Table 9: The comparison of storage authentication cost.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.