A Robust IoT-Based Three-Factor Authentication Scheme for Cloud Computing Resistant to Session Key Exposure

With the development of Internet of Things (IoT) technologies, Internet-enabled devices have been widely used in our daily lives. As a new service paradigm, cloud computing aims at solving the resource-constrained problem of Internet-enabled devices. It is playing an increasingly important role in resource sharing. Due to the complexity and openness of wireless networks, the authentication protocol is crucial for secure communication and user privacy protection. In this paper, we discuss the limitations of a recently introduced IoT-based authentication scheme for cloud computing. Furthermore, we present an enhanced three-factor authentication scheme using chaotic maps. The session key is established based on Chebyshev chaotic-based Diffie–Hellman key exchange. In addition, the session key involves a long-term secret. This ensures that our scheme is secure against all the possible session key exposure attacks. Besides, our scheme can effectively update the user password locally. Burrows–Abadi–Needham logic proof confirms that our scheme provides mutual authentication and session key agreement. The formal analysis under the random oracle model proves the semantic security of our scheme. The informal analysis shows that our scheme is immune to diverse attacks and has desired features such as three-factor secrecy. Finally, the performance comparisons demonstrate that our scheme provides optimal security features with acceptable computation and communication overheads.


Introduction
With the rapid growth of Internet of Things (IoT) technologies, Internet-enabled devices have had a tremendous impact on people's work and lives [1][2][3]. However, the Internet-enabled devices have limited storage, computing power, and communication ability. To solve this limitation, cloud computing emerged as a new service paradigm [4]. It provides a new method with high efficiency and convenience to realize information and resource sharing. The users are able to access the resources, services, or applications that are deployed in distributed cloud servers by utilizing a handheld device anywhere and anytime. The control server is in charge of authorizing the users and distributed servers.
As the communication channel is open and unprotected, there are diverse and severe security threats for stealing sensitive data and resources in the cloud computing environment [5,6]. An authentication protocol is indispensable to prevent unauthorized access and protect the sensitive data and user privacy. From the first smart card-based authentication protocol [7] introduced by Yang and Shieh in 1999, there have been a large number of enhanced schemes proposed [2,8-13]. Based on the authentication factors the user employs, the authentication schemes are divided into two-factor authentication schemes and three-factor authentication schemes. Based on the cryptosystem the authentication scheme adopts, the authentication schemes are divided into hash-based schemes, symmetric cryptosystem-based schemes, and public key cryptosystem-based schemes.

Related Works.
In terms of authentication schemes for cloud computing, some proposals have been presented one after another to improve the security and efficiency [14][15][16][17]. In 2015, Tsai and Lo [18] put forward an anonymous authentication protocol using bilinear pairing, in which the user can directly log in to the distributed server without the help of the control server. Afterwards, He et al. [19] revealed that their scheme is not resistant to server impersonation attack and put forward an enhanced scheme. In 2017, Kumari et al. [20] presented a biometric-based authentication protocol employing elliptic curve cryptosystem (ECC). However, their scheme cannot withstand known session-specific temporary information attack and fails to preserve three-factor secrecy. In 2018, Amin et al. [21] pointed out that two anonymous authentication schemes [22,23] have weaknesses like forgery attack and session key disclosure attack and introduced a hash-based two-factor authentication scheme. Unfortunately, Wang et al. [24] revealed that their scheme still cannot resist session key disclosure attack. In 2019, Mo et al. [25] introduced an ECC-based single-server two-factor authentication protocol. But this protocol is not resistant to stolen-verifier attack. In the same year, Zhou et al. [26] put forward a two-factor authentication scheme employing a hash function. But we observe that their scheme suffers from forgery attack and replay attack and does not preserve forward secrecy. For better understanding, we summarize these schemes in Table 1.
Among these schemes, the hash-based schemes [21-23,26] are highly efficient, but they have diverse vulnerabilities, such as desynchronization attack, forgery attack, and failure to achieve forward secrecy and user anonymity. Wang et al. [27,28] have demonstrated that public key technique is essential for achieving some security attributes such as user anonymity. However, the existing public key cryptosystem-based schemes [18,20,25] still have more or less security vulnerabilities due to design deficiencies. Besides, they have high computation overhead as time-consuming operations such as bilinear pairing and scalar multiplication are involved.
In addition, the security of the session key is a noteworthy issue. The existing schemes are not secure against various session key exposure attacks. A great many schemes such as the schemes in [20,21,25,26] cannot withstand known session-specific temporary information attack. And many schemes such as the schemes in [21-23,26] cannot provide forward secrecy. Besides, in some schemes like the scheme of Amin et al. [21], the attacker can even reveal the session key when he obtains the smart card [29].

Motivation and Contributions.
The existing schemes suffer from various security defects or involve high computation overhead. Their security attributes or efficiency need to be improved. In particular, the great majority of schemes fail to guarantee the security of the session key, as they are subject to various session key exposure attacks. This motivates us to present an enhanced authentication scheme that can meet the security requirements at minimum cost and be secure against all the possible session key exposure attacks. We sum up the contributions of the paper as below:
(1) We reveal that Zhou et al.'s scheme [26] does not consider impersonation attack, known session-specific temporary information attack, and forward secrecy.
(2) We put forward an enhanced three-factor authentication scheme using chaotic maps. The session key comprises a long-term secret value and the secret key generated by Chebyshev chaotic-based Diffie-Hellman key exchange. It can prevent all kinds of session key exposure attacks. The use of Chebyshev chaotic maps contributes to the establishment of a secure session key and simultaneously reduces the computation cost.
(3) The Burrows-Abadi-Needham logic proof confirms the completeness of our scheme. The formal analysis under the random oracle model proves the semantic security of the session key. And the informal analysis shows that our scheme can resist all kinds of potential attacks and provide desired properties like three-factor secrecy. The performance comparisons demonstrate that our scheme has high security, and its computation and communication overheads are acceptable.

Organization of the Paper.
The rest of the paper is organized as below. We give some background materials in Section 2. We reveal the security defects of Zhou et al.'s scheme in Section 3. We present the enhanced three-factor authentication scheme in Section 4. We discuss the security of our scheme using several widely accepted security analysis methods in Section 5. We present the performance comparisons of our scheme and related schemes in Section 6. The conclusion is given in Section 7.

Chebyshev Chaotic Maps.
According to Zhang [30], the enhanced Chebyshev polynomial is defined as and $p$ is a big prime. The Chebyshev polynomials satisfy commutative law, i.e., There is a hard mathematical problem on Chebyshev polynomials: (i) Chebyshev chaotic Diffie-Hellman problem (CHDHP): for given $T_a(x)$, $T_b(x)$, and $x$, the

Adversary Model.
Based on [31], the abilities of the adversary are summarized as below:
(i) The adversary can eavesdrop, replay, block, or alter the transmitted messages in the open channel
(ii) When testing forward secrecy, the adversary can obtain the control server's master key or the cloud server's secret key
(iii) The adversary can disclose the password or the parameters of the smart card
(iv) When testing three-factor secrecy, the adversary is capable of obtaining any two kinds of authentication factors

2.3. Notations.
The notations of the paper are presented in Table 2.

Cryptanalysis of Zhou et al.'s Scheme
We briefly review Zhou et al.'s scheme [26] and point out its limitations in this section. In their scheme, the attacker can perform impersonation attack by replaying the intercepted message. Besides, their scheme is vulnerable to two kinds of session key exposure attacks.

Review of Zhou et al.'s Scheme
3.1.1. User Registration Phase.
$U_i$ delivers an enrollment request to CS in this phase.
Step 1: $U_i$ picks his identity $ID_i$, pseudoidentity $PID_i$, and password $PW_i$. Then $U_i$ selects a random number $r_i$ and calculates $P_i = H_1(PW_i \| r_i)$. Afterwards, $U_i$ delivers the registration request $ID_i$, $PID_i$ to CS via the secure channel.
Step 2: after getting $ID_i$, $PID_i$, CS checks if $ID_i$ is valid. If it holds, CS computes $A_i = H_1(PID_i \| ID_{CS} \| s)$ and $B_i = H_1(ID_i \| s)$. CS saves $ID_i$ in its database and returns $A_i$, $B_i$, $ID_{CS}$ to $U_i$ via the secure channel.
Step 3: after receiving $A_i$, $B_i$, $ID_{CS}$, $U_i$ computes the memory of a smart card.

Cloud Server Registration Phase.
CS distributes the secret key to $S_j$ in this phase.
Step 1: $S_j$ chooses its identity $SID_j$ and pseudoidentity $PSID_j$ and delivers $SID_j$, $PSID_j$ to CS via the secure channel.
Step 2: after getting $SID_j$, $PSID_j$, CS computes $sm_1 = H_1(PSID_j \| ID_{CS} \| s)$ and $sm_2 = H_1(SID_j \| s)$. CS delivers $sm_1$, $sm_2$, $ID_{CS}$ to $S_j$ via the secure channel.
Step 3: $S_j$ keeps $sm_1$, $sm_2$, $ID_{CS}$ as secret.

Login and Authentication Phase.
$U_i$ and $S_j$ authenticate each other with the assistance of CS as shown in Figure 1.
Step 1: $U_i$ inputs $ID_i^*$ and $PW_i^*$. The smart card picks a new pseudoidentity $PID^{new}$, where $\alpha$ is a nonce. The smart card delivers the login request $\{PID_i, f_1, f_2, f_3, f_4\}$ to $S_j$ via the public channel.
Step 3: after receiving $PID_i$, $f_1$, and verifies if $f_8' = f_8$. If it holds, proceed to the next step; otherwise, the protocol aborts. Step
Step 5: after receiving $f_9$, $f_{10}$, $f_{11}$ as secret and removes $sm_1$, $PSID_j$. $S_j$ delivers $f_{12}$, $f_{13}$, $f_{14}$ to $U_i$.
Step 6: after receiving $\{f_{12}, f_{13}, f_{14}\}$ and checks if $f_{14}' = f_{14}$. If they are equal, the smart card calculates

Cryptanalysis of Zhou et al.'s Scheme.
In this section, we reveal that Zhou et al.'s scheme suffers from replay attack, user impersonation attack, server impersonation attack, and known session-specific temporary information attack and fails to provide forward secrecy.

Forward Secrecy.
Forward secrecy ensures that when the long-term secret is compromised, the attacker still cannot reveal the established session key. In Zhou et al.'s scheme, with the master key $s$, the attacker can reveal $SK$ as follows:
Step 1: the attacker intercepts $PID_i, f_1, f_2, f_3, f_4$ and $f_{12}, f_{13}, f_{14}$ from the public channel
Step 2: the attacker computes
When the long-term secret $s$ is compromised, all the established session keys will be disclosed.

User Impersonation Attack.
User impersonation attack denotes that the attacker can masquerade as a valid user to log in to the cloud server. This attack is performed as follows:
Step 1: the attacker intercepts $PID_i, f_1, f_2, f_3, f_4$ from the public channel and sends this message to $S_j$.
Step 2: upon receiving $PID_i, f_1, f_2, f_3, f_4$, $S_j$ handles this message and sends

Server Impersonation Attack.
Server impersonation attack denotes that the attacker can masquerade as a valid cloud server to deceive the user. This attack is performed as follows:
Step 1: the attacker intercepts the message $PID_i$, $f_1$,
Step 2: when intercepting a new login request 4. CS verifies the validity of the two messages independently. As a result, the attacker can impersonate the cloud server by replaying $\{PSID_j, f_5, f_6, f_7, f_8\}$.

Known Session-Specific Temporary Information Attack.
This attack denotes that when the temporary secret such as a random number is compromised, the attacker can reveal the established session key. With the random number $\alpha$, the attacker reveals the session key as follows:
Step 1: the attacker intercepts $PID_i, f_1, f_2, f_3, f_4$ and $f_{12}, f_{13}, f_{14}$ from the public channel.
Step 2: when $U_i$ generates a new login request using $PID_i^{new}$ and sends $PID^{new}$
Step 3: the attacker computes $(\beta \oplus c) = f_{13}$

The Proposed Scheme
A robust three-factor authentication scheme for cloud computing is put forward in this section. The proposed scheme is described as below.

System Setup Phase.
CS picks its master key $s$. CS also selects a nonce $y$ as its secret value. CS picks a hash function $H_1(\cdot)$ and a symmetric cryptosystem $E_k(\cdot)/D_k(\cdot)$. In addition, CS publishes the Chebyshev polynomial's parameters $x$, $p$.

User Registration Phase.
$U_i$ transmits the enrollment request to CS in this phase, as shown in Figure 2.
Step 1: $U_i$ selects his identity $ID_i$ and password $PW_i$ as he wishes, imprints his biometric $b_i$, and calculates
Step 2: after receiving $\{ID_i, A_i\}$, CS picks two random numbers Moreover, CS stores parameters $\langle D_i, Z_i, PID_i, t_i, H_1(y \| r_1), \mu \rangle$ in a smart card and delivers it to $U_i$.

Cloud Server Registration Phase.
CS issues the secret key to $S_j$ in this phase.
Step 1: $S_j$ delivers its identity $SID_j$ to CS through the secure channel.
Step 2: after receiving $SID_j$, CS calculates $sm_j = H_1(SID_j \| s)$. CS sends back $sm_j$ to $S_j$ through the secure channel.
Step 3: $S_j$ keeps $sm_j$ as secret.

Login and Authentication Phase.
$U_i$ and $S_j$ perform mutual authentication with the aid of CS in this phase, as shown in Figure 3.
Step 1: $U_i$ inputs his identity $ID_i^*$ and password $PW_i^*$ and imprints the biometric $b_i^*$. Then, the smart card calculates where $\alpha$ is a nonce and $T_1$ is the current timestamp.
Step 2: after getting $PID_i, R_i, L_i, O_i, T_1$, $S_j$ verifies whether $T_1$ is fresh. If it holds, $S_j$ generates a random number $\beta$ and calculates
Step 3: after receiving $PID_i, R_i, L_i, O_i, T_1, N_i, T_2$, CS checks the freshness of $T_2$ and computes CS believes the authenticity of $U_i$ and performs the next step.
Step 4: CS computes $sm_j = H_1(SID_j \| s)$, If it holds, CS believes the authenticity of $S_j$. Otherwise, the protocol terminates.
Step 5: CS picks a nonce $r_2$, computes $PID^{new}$ where $T_3$ is the current timestamp. CS transmits $F_i, M_1, T_3$ to $S_j$ through the open channel.
Step 6: after getting $F_i, M_1, T_3$, $S_j$ checks the freshness of $T_3$ and computes $M_1' = H_1(sm_j \| R_i \| F_i \| T_3)$, and verifies $M_1' \stackrel{?}{=} M_1$. If they are equal, $S_j$ authenticates the
Step 7: upon receiving $F_i, M_2, T_4$, the smart card checks the freshness of $T_4$. Then, the smart card
Figure 2: User registration phase.

Security Analysis
In this section, Burrows-Abadi-Needham (BAN) logic [32] proof demonstrates the completeness of our scheme. The formal analysis under the random oracle model shows that our scheme provides semantic security. Moreover, the informal analysis proves that our scheme is not susceptible to known attacks.

BAN Logic Proof.
We confirm the correctness of our scheme in this section. Table 3 lists the notations and rules of BAN logic. Our scheme ought to fulfil the goals as below.

Formal Security Analysis.
Based on the security model of two-factor authentication presented by Wang and Wang [33], we put forward a security model of three-factor authentication for cloud computing. Afterwards, we prove the semantic security of our scheme in this model.
Notations of BAN logic (Table 3):
A statement
$P \lhd X$: $P$ sees $X$; $P$ gets a message that consists of $X$
$P \mid\sim X$: $P$ said $X$; $P$ sent a message that consists of $X$
$P \mid\equiv X$: $P$ is convinced that $X$ is true
$P \Longrightarrow X$: $P$ has jurisdiction over $X$
$P \stackrel{K}{\longleftrightarrow} Q$: $K$ is a secret shared by $P$ and $Q$
$\langle X \rangle_K$: $X$ is combined with a secret $K$

Formal Security Model
(1) Participants. There are multiple instances of the control server CS, the cloud server $S_j$, and the user $U_i$ in the authentication scheme for cloud computing. We use $CS^a$, $S_j^a$, and $U_i^a$ to denote these instances.
(2) Queries. The attacker is capable of making the queries as follows:
Execute ($CS^a / S_j^a / U_i^a$): by making this query, the attacker can obtain the messages delivered via the open channel.
Send ($CS^a / S_j^a / U_i^a$, $m$): by making this query, the attacker can impersonate the principal ($U_i^a$, $S_j^a$, $GWN^a$) to send a message $m$. If $m$ is valid, a response is sent back to the attacker.
Reveal ($S_j^a / U_i^a$): by making this query, the attacker can get the session key of ($S_j^a / U_i^a$), if the principal involves a session key.
Corrupt ($U_i^a$, $\tau$): by making this query, the attacker is capable of getting one or two types of user authentication information. When $\tau = 1$, the attacker acquires the password. When $\tau = 2$, the attacker acquires the smart card. When $\tau = 3$, the attacker acquires the biometric.
Corrupt ($S_j^a / CS^a$): by making this query, the attacker can obtain the cloud server's secret key or CS's master key. This oracle corresponds to the forward secrecy.
Test ($S_j^a / U_i^a$): if the principal is fresh (see below) and involves a session key $SK$, the oracle flips a coin $b$. When $b = 1$, it sends back $SK$ to the attacker. When $b = 0$, it sends back a random string to the attacker. This oracle is used to simulate the semantic security of the session key. The attacker is capable of asking this query only once.
(3) Freshness. We say ($S_j^a / U_i^a$) is fresh, if the following conditions are met:
(1) ($S_j^a / U_i^a$) is accepted and involves a $SK$
(2) The attacker never makes a Corrupt ($S_j^a / CS^a$) or Reveal ($S_j^a / U_i^a$) query
(4) Semantic Security. After making the above queries, the attacker tries to reveal the value of $b$ in the Test query. The advantage of the attacker in breaking the semantic security is defined as follows: If for all the attackers, $Adv_P^{ake}(A)$ is negligible, the authentication scheme provides semantic security.

Formal Security Analysis
Theorem 1. Let the password space $D_{PW}$ be subject to Zipf distribution [34]. A polynomial-time attacker $A$ runs against our scheme. We presume $A$ can ask less than $q_e$ Execute queries, $q_s$ Send queries, $q_b$ Biohash queries, $q_h$ Hash queries, and $q_\varepsilon$ Encryption/Decryption queries. We have where $l_1$, $l_2$, $l_3$ are the length of hash output, bio-hash output, and symmetric encryption output, respectively. $Adv_P^{CHDHP}$ is the advantage of $A$ in solving CHDHP. When using the Tianya password distribution [34], we have $|D_{PW}| \approx 13$ million, $C' = 0.062239$, and $s' = 0.155478$.
Proof. In order to obtain $Adv_P^{ake}(A)$, we define the games $\Phi_i$ ($0 \le i \le 6$), where $\Phi_0$ corresponds to the real attack. $\Pr[\chi_i]$ is the advantage of $A$ in revealing $b$ in game $G_i$.
$\Phi_0$: as it simulates the real attack, we get,
$\Phi_1$: in this game, a hash list $\Lambda_H$ is used to simulate the hash oracle. A biohash list $\Lambda_{BH}$ is used to simulate the biohash oracle. And an encryption/decryption list $\Lambda_\varepsilon$ is used to simulate the encryption/decryption oracle. For a hash query $H_1(\alpha)$, if the hash value of $\alpha$ already exists in $\Lambda_H$, the oracle sends back the hash value. Otherwise, the oracle selects a nonce $\beta$ as the answer of $H_1(\alpha)$ and stores $(\alpha, \beta)$ in $\Lambda_H$. The biohash oracle is performed in the similar way. For an encryption query $E_k(\varphi)$, the oracle firstly uses $\varphi$ and $k$ to search $\Lambda_\varepsilon$. If there exists a tuple $(k, \varphi, \omega)$, it answers $\omega$. Otherwise, it sends back a random string $\omega$ to the adversary and stores $(k, \varphi, \omega)$ in $\Lambda_\varepsilon$. For a decryption query $D_k(\omega)$, the oracle uses $\omega$ and $k$ to search $\Lambda_\varepsilon$. If there exists a tuple $(k, \varphi, \omega)$, it answers $\varphi$. Otherwise, it sends back a random string $\varphi$ to the adversary, and stores $(k, \varphi, \omega)$ in $\Lambda_\varepsilon$. $\Phi_1$ is indistinguishable from $\Phi_0$. We get
$\Phi_2$: in this game, we terminate the execution when encountering some collisions.
(1) The collision occurs on the outputs of hash function or biohash function with the probability of $(q_h^2/2^{l_1+1}) + (q_b^2/2^{l_2+1})$
(2) The collision occurs on the outputs of symmetric encryption with the probability of $(q_\varepsilon^2/2^{l_3+1})$
(3) The collision occurs on the transcripts of messages, with the probability of $((q_s + q_e)^2/2p)$

We get
Pr
$\Phi_3$: in this game, we terminate the execution when $A$ guesses $L_i, G_i, M_1, M_2$. The probability is at most $(q_s/2^{l_1})$. We get

Wireless Communications and Mobile Computing
Pr
$\Phi_4$: in this game, we terminate the execution when $A$ guesses the user's authentication value $C_i$. The probability is less than $(q_s/2^{l_1})$. We obtain
$\Phi_5$: in this game, we terminate the execution when $A$ has computed $C_i$ with the help of Corrupt ($U_i^a$, $\tau$).
(1) When Corrupt ($U_i^a$, $\tau = 1, 2$), $A$ is able to guess the biometric with the probability of $(q_s/2^{l_1})$
(2) When Corrupt ($U_i^a$, $\tau = 2, 3$), $A$ is able to guess the password with the probability of $C' \cdot q_s^{s'}$.
(3) When Corrupt ($U_i^a$, $\tau = 1, 3$), $A$ is able to guess $D_i$ with the probability of $(q_s/2^{l_1})$.

We obtain
Pr □ If the hash query $H_1(E_i \| Q_i)$ has been asked, by selecting randomly in $\Lambda_H$, we can obtain $E_i = T_\alpha(R_S) = T_\beta(R_i)$ with the probability of $(1/q_h)$. We get From (3)-(11), we have

Informal Security Analysis.
In this section, we prove that our scheme is resistant to diverse attacks. Particularly, our scheme is secure against all kinds of session key exposure attacks, as the session key is generated based on the long-term secret and Chebyshev chaotic-based Diffie-Hellman key exchange. Besides, we demonstrate that the proposed scheme preserves desired properties such as user anonymity and three-factor secrecy.

User Anonymity.
In our scheme, only the control server who has the secret key $y$ can retrieve $ID_i$ from $PID_i$. In

5.3.2. Resistance to Off-Line Guessing Attack.
As the fuzzy verifier $Z_i$ is employed in our scheme as suggested in [33], even if the attacker obtains the smart card as well as the biometric at the same time, he is unable to reveal the password. With the smart card and biometric, the attacker chooses one pair of identity and password from the dictionary space and checks if $Z_i^* = Z_i$. However, there are a great many candidates conforming to $Z_i^* = Z_i$. In order to distinguish the correct one from so many candidates, there is no alternative but to launch online guessing attack. However, we employ the "honeywords" technique [33] to prevent this attack. When the number of online guessing attacks reaches the preset value, for example, 10, $U_i$ is suspended. Consequently, our scheme can resist off-line guessing attack.

Resistance to Session Key Disclosure Attack.
The session key $SK$ is computed using $E_i$ and $Q_i$. $E_i$ is the secret key generated by the Chebyshev chaotic-based Diffie-Hellman key exchange. Only $U_i$ and $S_j$ who know the random number $\alpha$ or $\beta$ are able to compute $E_i$. $Q_i$ is computed based on the long-term secret $sm_j$. Only $S_j$ and CS who have $sm_j$ are able to compute $Q_i$. Besides, $Q_i$ is transmitted to $U_i$ by means of symmetric encryption with the secret key $H_1(C_i \| R_i)$. Only $U_i$ and CS who have $C_i$ are able to reveal $Q_i$. Both $E_i$ and $Q_i$ are unavailable to the attacker. Therefore, our scheme can resist this attack.

Forward Secrecy.
Suppose that the attacker has acquired the master key $s$; he is then able to compute $Q_i$. However, $E_i$ is the secret key generated by the Chebyshev chaotic-based Diffie-Hellman key exchange. To reveal $E_i$, there is no alternative but to solve the CHDHP. Therefore, our scheme preserves forward secrecy.

Resistance to Session-Specific Temporary Information Attack.
Assume that the attacker has acquired the random number $\alpha$. To compute $E_i = T_\alpha(R_S)$, $R_S$ is required. $R_S$ is encrypted using the secret key $Q_i$ or $K_i$, where $Q_i = H_1(sm_j \| R_i)$ and $K_i = H_1(C_i \| R_i)$. To retrieve $R_S$, the attacker needs to reveal $C_i$ or $sm_j$. Assume that the attacker has acquired the random number $\beta$; the attacker can calculate $E_i = T_\beta(R_i)$. Afterwards, to derive $Q_i$, the attacker has to get $C_i$ or $sm_j$. However, $sm_j$ is only known to $S_j$ and CS, and $C_i$ is only known to $U_i$ and CS. Therefore, the attacker cannot reveal the session key when the nonce is disclosed.
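The key derivation discussed under "Forward Secrecy" and "Resistance to Session-Specific Temporary Information Attack", as an added example (not code from the paper). It assumes the standard enhanced Chebyshev recurrence T_n(x) = 2x T_{n-1}(x) - T_{n-2}(x) mod p, R_i = T_α(x) and R_S = T_β(x) (inferred from E_i = T_α(R_S) = T_β(R_i)), SK = H_1(E_i ‖ Q_i), SHA-256 as H_1, and constructed parameter values.

```python
import hashlib

# Demo parameters, constructed for this example (not taken from the paper).
P = 2**127 - 1            # a known Mersenne prime standing in for the big prime p
X = 0x1234567890ABCDEF    # public Chebyshev seed x


def H1(*parts: bytes) -> bytes:
    """H_1 over length-prefixed fields; SHA-256 is this example's choice."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def enc(v: int) -> bytes:
    """Fixed-width encoding of a value in [0, P)."""
    return v.to_bytes(16, "big")


def chebyshev(n: int, x: int, p: int) -> int:
    """T_n(x) mod p with T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}.

    Uses [T_n, T_{n-1}] = M^(n-1) [T_1, T_0] with M = [[2x, -1], [1, 0]],
    so the cost is O(log n) multiplications instead of n steps.
    """
    if n == 0:
        return 1 % p

    def mul(a, b):  # 2x2 matrices stored row-major as 4-tuples
        return (
            (a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
            (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p,
        )

    result = (1, 0, 0, 1)
    base = (2 * x % p, p - 1, 1, 0)
    e = n - 1
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return (result[0] * x + result[1]) % p


def server_secret(s: bytes, sid_j: bytes) -> bytes:
    """sm_j = H_1(SID_j || s), issued by CS at cloud server registration."""
    return H1(sid_j, s)


def derive_q(sm_j: bytes, r_i: int) -> bytes:
    """Q_i = H_1(sm_j || R_i): the long-term-secret part of the session key."""
    return H1(sm_j, enc(r_i))


def session_key(e_i: int, q_i: bytes) -> bytes:
    """SK = H_1(E_i || Q_i) (assumed form, see lead-in)."""
    return H1(enc(e_i), q_i)


def run_session(s: bytes, sid_j: bytes, alpha: int, beta: int) -> dict:
    """One key agreement; alpha is the user's nonce, beta the cloud server's."""
    sm_j = server_secret(s, sid_j)
    r_i = chebyshev(alpha, X, P)        # sent by U_i
    r_s = chebyshev(beta, X, P)         # sent (encrypted) by S_j
    q_i = derive_q(sm_j, r_i)           # U_i receives it encrypted under K_i
    e_user = chebyshev(alpha, r_s, P)   # T_alpha(R_S)
    e_server = chebyshev(beta, r_i, P)  # T_beta(R_i)
    return {
        "R_i": r_i, "R_S": r_s, "Q_i": q_i, "E_i": e_user,
        "SK_user": session_key(e_user, q_i),
        "SK_server": session_key(e_server, q_i),
    }


if __name__ == "__main__":
    out = run_session(b"constructed-master-key", b"SID_j-demo",
                      alpha=123456789, beta=987654321)
    print("both sides agree on SK:", out["SK_user"] == out["SK_server"])
    # Leak of s: Q_i follows from s and the public R_i, but E_i still needs
    # alpha or beta (CHDHP). Leak of alpha: E_i needs R_S, which travels
    # encrypted, and SK additionally needs Q_i, i.e. sm_j or C_i.
    q_from_s = derive_q(server_secret(b"constructed-master-key", b"SID_j-demo"),
                        out["R_i"])
    print("Q_i recomputable from s:", q_from_s == out["Q_i"])
```

Neither leaked input alone reproduces SK: `session_key` needs both `E_i` and `Q_i`.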

5.3.6. Resistance to Forgery Attack.
In our scheme, the hash values ($L_i, G_i, M_1, M_2$) of the transmitted parameters and the secret value $A_i$, $sm_j$ are used to ensure message integrity and verify the sender's identity. As $C_i$ and $sm_j$ are unavailable to the attacker, he cannot generate a message that is verified to be valid by the recipient.

Resistance to Desynchronization Attack.
In each message, the hash value ($L_i, G_i, M_1, M_2$) is used to ensure that the transmitted parameters are not tampered with. If the attacker alters a parameter of a message, the receiver will find that the received hash value is not equal to the one he computes, and the protocol terminates. Besides, if the attacker blocks a message, as it does not change the long-term parameters the participants have, it does not affect the user's next login. For instance, if the attacker blocks the message $F_i, M_2, T_4$, the user fails to update his pseudoidentity. But with $PID_i$, the user still is able to access the cloud server.

Resistance to Replay Attack.
In the proposed scheme, every message contains a timestamp. And the timestamps are involved in the hash values ($L_i, G_i, M_1, M_2$). Upon receiving a message, the receiver first verifies whether the timestamp is fresh. If it holds, the receiver continues to process the message. Otherwise, the protocol aborts.
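The receiver-side check described above, shown for the Step 6 tag M_1' = H_1(sm_j ‖ R_i ‖ F_i ‖ T_3), as an added example (not code from the paper). The window `DELTA_T`, SHA-256 as H_1, the byte encodings and the sample values are assumptions; the cache of already-accepted tags is an addition beyond the paper's check, covering a replay that arrives while the timestamp is still fresh.

```python
import hashlib
import hmac

DELTA_T = 5  # acceptance window in seconds (assumed; the paper fixes no value)


def H1(*parts: bytes) -> bytes:
    """H_1 over length-prefixed fields; SHA-256 is this example's choice."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def tag_m1(sm_j: bytes, r_i: bytes, f_i: bytes, t3: int) -> bytes:
    """M_1 = H_1(sm_j || R_i || F_i || T_3); the timestamp is bound into the tag."""
    return H1(sm_j, r_i, f_i, t3.to_bytes(8, "big"))


class CloudServerVerifier:
    """S_j's handling of (F_i, M_1, T_3) received from CS over the open channel."""

    def __init__(self, sm_j: bytes):
        self.sm_j = sm_j
        self.seen = {}  # accepted M_1 -> its T_3, kept only while T_3 is fresh

    def accept(self, r_i: bytes, f_i: bytes, m1: bytes, t3: int, now: int) -> str:
        # 1. Freshness: a message outside the window is dropped before hashing.
        if abs(now - t3) > DELTA_T:
            return "stale"
        # 2. Integrity and origin: recompute M_1' and compare in constant time.
        expected = tag_m1(self.sm_j, r_i, f_i, t3)
        if not hmac.compare_digest(expected, m1):
            return "bad-tag"
        # 3. Replay inside the window: forget expired tags, refuse a repeated one.
        self.seen = {m: t for m, t in self.seen.items() if abs(now - t) <= DELTA_T}
        if m1 in self.seen:
            return "replay"
        self.seen[m1] = t3
        return "ok"


def demo() -> list:
    """Constructed traffic: genuine message, two replays, two tampered copies."""
    sm_j, r_i, f_i = b"constructed-sm_j", b"R_i-bytes", b"F_i-ciphertext"
    t3 = 1_000
    m1 = tag_m1(sm_j, r_i, f_i, t3)
    v = CloudServerVerifier(sm_j)
    return [
        v.accept(r_i, f_i, m1, t3, now=1_001),             # genuine
        v.accept(r_i, f_i, m1, t3, now=1_003),             # replay, still fresh
        v.accept(r_i, f_i, m1, t3, now=1_010),             # replay, expired
        v.accept(r_i, f_i, m1, 1_010, now=1_010),          # timestamp rewritten
        v.accept(r_i, b"F_i-altered", m1, t3, now=1_002),  # payload altered
    ]


if __name__ == "__main__":
    print(demo())
```

Because T_3 is inside the hash, rewriting the timestamp to make an old message look fresh fails the tag check rather than the freshness check.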

Resistance to Privileged Insider Attack.
The user never submits his biometric or password to CS at registration. On the other hand, the user cannot masquerade as a cloud server or CS, as $sm_j$ is unavailable. The cloud server cannot masquerade as a user or CS, as $C_i$ is unavailable. Therefore, our scheme is immune to such an attack.

Resistance to Man-in-the-Middle Attack.
In each message, the hash value ($L_i, G_i, M_1, M_2$) of the transmitted parameters and the secret $A_i$, $sm_j$ are computed to ensure message integrity and verify the sender's identity. As $A_i$ and $sm_j$ are unavailable, the attacker is unable to generate a valid message to replace the intercepted one. Consequently, the attacker is unable to launch man-in-the-middle attack.

Mutual Authentication.
In our scheme, based on the authentication value $C_i$, CS verifies the authenticity of $U_i$ by checking $L_i' \stackrel{?}{=} L_i$. Based on the secret key $sm_j$, CS verifies the

Resistance to Eavesdropping Attack.
The attacker can intercept messages from the public channel. However, the secret parameters such as the user authentication value $C_i$, the user identity, the cloud server's secret key $sm_j$, and the session key $SK$ are protected with hash function and symmetric encryption. The attacker cannot acquire any useful information from the intercepted messages or use them to launch active attacks.

Resistance to All Kinds of Session Key Exposure.
The session key consists of two parts, $E_i$ and $Q_i$. $E_i$ is generated by Chebyshev chaotic-based Diffie-Hellman key exchange. $Q_i$ is computed using the cloud server's secret key as well as a Chebyshev polynomial. The purpose of $E_i$ is to make sure that our scheme can be resistant to known key attack, as well as preserve forward secrecy. The purpose of $Q_i$ is to make sure that our scheme can withstand session-specific temporary information attack. The attacker can reveal neither $E_i$ nor $Q_i$. Hence, our scheme is resistant to all kinds of session key exposure attacks.

Three-Factor Secrecy.
When the attacker reveals the biometric and smart card, he cannot retrieve the password as shown in 5.3.2. When the attacker reveals the smart card and password, he cannot retrieve the biometric from $Z_i$ as the hash function is irreversible. With the biometric and password, the attacker cannot retrieve the critical data of the smart card. Hence, our scheme preserves three-factor secrecy.
Most of the existing three-factor authentication schemes fail to preserve three-factor secrecy, because when the biometric and smart card are disclosed, the attacker can guess the user's password based on the verification value that is used to verify the validity of the inputted password and biometric in the smart card. However, our scheme employs the fuzzy verifier and "honeywords" technique to prevent revealing of the password.

Performance Comparisons
We give the comparisons of our scheme and the recently proposed schemes [20,21,25,26,35,36] with regard to security attributes, communication, and computation costs in this section. The security comparison is given in Table 4. Note that, as Mo et al.'s scheme is designed for single-server environment, it only involves a single cloud server. Ghani et al.'s scheme does not establish a session key. We summarize the security requirements of authentication protocol, and based on it, we analyze the security properties of related schemes in Table 4. It indicates that only the proposed scheme meets all the security requirements, while the related schemes have diverse weaknesses. The security of our scheme is superior to the hash function-based schemes [21,26], the symmetric cryptosystem-based schemes [35,36], as well as ECC-based schemes [20,25].
In Table 5, we present the computation cost, the communication overhead, and the smart card storage cost of the related schemes concerning the login and authentication phase. Furthermore, the computation cost comparison, communication overhead comparison, and smart card storage cost comparison are shown in Figure 4, Figure 5, and Figure 6, respectively. As shown in Figure 4, the computation overhead of our scheme is not as good as the hash-based schemes and the symmetric cryptosystem-based schemes, as public key operations are used to guarantee the security. But it is obviously better than the ECC-based schemes. As shown in Figure 5, the communication cost of our scheme is higher than Mo et al.'s scheme and Ghani et al.'s scheme, but it is lower than the other schemes. As shown in Figure 6, the storage cost of our scheme is inferior to Amin et al.'s scheme and Ghani et al.'s scheme, but it is superior to the other schemes.
$T_H$, $T_{BH}$, $T_S$, and $T_C$ denote a hash function, a biohash function, a symmetric encryption/decryption, and a Chebyshev polynomial, respectively. $T_P$ and $T_A$ denote a point multiplication and a point addition on elliptic curve group. The computing time of the lightweight operation "XOR" is negligible. In accordance with [3,37], when performed on a smart phone with a HiSilicon Kirin 960 CPU, 6 GB RAM, and the storage of 64 GB, the computations of $T_H$, $T_S$, $T_P$, $T_A$, $T_C$, and $T_{BH}$ take 0.5 ms, 8.7 ms, 63.075 ms, 0.262 ms, 21.02 ms, and 21.02 ms, respectively. Besides, we assume that the bit length of timestamp, random number, the user identity, the identity of cloud server, the hash value, Chebyshev polynomial, and the output of symmetric encryption are 128 bits. The point on elliptic curve group is 160 bits. The hash-based schemes and the symmetric cryptosystem-based schemes have obvious advantage in efficiency as they just involve lightweight cryptographic operations. However, they suffer from various security vulnerabilities. In Zhou et al.'s scheme, the attacker is capable of impersonating the user and the cloud server by replaying the intercepted message. In Amin et al.'s scheme, the attacker can retrieve the user's password, disclose the session key, and impersonate the user when the smart card is compromised. Martinez-Pelaez et al.'s scheme and Ghani et al.'s scheme are vulnerable to diverse and serious security weaknesses. They are unable to provide the essential security protection.

Security properties (table columns): Zhou et al. [26], Amin et al. [21], Kumari et al. [20], Mo et al. [25], Ghani et al. [35], Martinez-Pelaez et al. [36], Our scheme. Row: User anonymity.
The ECC-based schemes have low efficiency. They have better security than the hash-based schemes and the symmetric cryptosystem-based schemes, but still have security flaws. In Mo et al.'s scheme, the attacker can impersonate the user when the verifier table is leaked. Kumari et al.'s scheme achieves many security features, but it does not provide three-factor secrecy.
In terms of the security of the session key, only our scheme is resistant to all kinds of session key exposure attacks, as Chebyshev chaotic-based Diffie-Hellman key exchange and the long-term secret are used to establish the session key. None of the related schemes can withstand known session-specific temporary information attack. If one communication end uses an insecure random number generator, it will lead to the disclosure of the session key. The hash-based schemes and the symmetric cryptosystem-based schemes are unable to provide forward secrecy. The ECC-based schemes provide forward secrecy, as the elliptic curve-based Diffie-Hellman key exchange is employed. Furthermore, in Amin et al.'s scheme and Martinez-Pelaez et al.'s scheme, the attacker can retrieve the session key when the smart card is compromised.
To sum up, the security of our scheme is optimal. In addition, its computation and communication overheads are obviously lower than the ECC-based schemes. Hence, our scheme is more practical.

Conclusion
In this paper, we pointed out that Zhou et al.'s scheme is unable to provide the essential security protection for cloud computing, as it does not consider replay attack, known session-specific temporary information attack, and forward secrecy. Furthermore, we present a novel IoT-based three-factor authentication scheme for cloud computing using chaotic maps. The use of Chebyshev chaotic maps guarantees the security of the session key and simultaneously reduces the computation cost. In addition, the BAN logic analysis demonstrates that our scheme achieves mutual authentication as well as session key negotiation. The formal analysis confirms the semantic security of the session key. The informal analysis proves that our scheme can withstand known attacks and achieve desired attributes such as user anonymity and resistance to all kinds of session key exposure attacks. Finally, the performance comparisons show that our scheme has significant advantage compared with the related schemes. As our scheme has high security, it is especially applicable to security-critical cloud applications such as cloud-based healthcare systems. Afterwards, on the basis of our current work, we plan to make further study on the authentication protocol for smart healthcare systems.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare no conflicts of interest.