Privacy-Preserving Two-Factor Key Agreement Protocol Based on Chebyshev Polynomials

Two-factor authentication is one of the widely used approaches that allow a user to keep a weak password and establish a key shared with a server. Recently, a large number of chaotic maps-based authentication mechanisms have been proposed. However, since the Diffie–Hellman problem of the Chebyshev polynomials defined on the interval [−1,+1] can be solved by Bergamo et al.'s method, most of the secure chaotic maps-based key agreement protocols utilize the enhanced Chebyshev polynomials defined on the interval (−∞,+∞). Thus far, few authenticated key agreement protocols based on chaotic maps have been able to achieve user unlinkability. In this paper, we take the first step in addressing this problem. More specifically, we propose the notions of privacy in authenticated key agreement protocols: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Then, we construct two two-factor authentication schemes with medium unlinkability based on Chebyshev polynomials defined on the intervals [−1,1] and (−∞,+∞), respectively. We give a formal security analysis of the proposed schemes under the random oracle model. In addition, the proposed protocols satisfy all known security requirements of practical applications. By using Burrows-Abadi-Needham logic (BAN-logic) nonce verification, we demonstrate that the proposed schemes achieve secure authentication. Finally, the detailed comparative security and performance analysis shows that the proposed schemes offer the same functionality but improve the security level.


Introduction
User authentication is indispensable for many information systems. Authenticated key agreement enables users to establish a session key shared by two or more parties over a public channel. The session keys are adopted in subsequent secure communications. Passwords, hardware, and biometrics are commonly utilized in authentication mechanisms [1][2][3]. Single-factor authentication provides only limited security; combining these methods can achieve higher security. Due to the convenient portability of smart cards, two-factor authentication [4][5][6] has been intensively investigated.
In general, user privacy protection during authenticated key exchange is a big challenge. For two-factor authentication schemes, two important issues should be addressed carefully. Firstly, the authentication mechanism should hide the user's identity from any eavesdroppers and foreign servers. In other words, mutual authentication must not reveal the real identity of the user; this basic goal of privacy protection is called anonymity. Secondly, the other aspect of user privacy protection is unlinkability. In many applications, the authentication mechanism should hide the user's movements from any eavesdroppers and other foreign servers, so that no unauthorized entity can track the user's movements. Even if an outside adversary has access to the messages transmitted between the user and the server, it still cannot link the user to different authentication sessions.

Motivation.
In two-factor authenticated key agreement protocols, user privacy must be considered carefully. The basic security requirement is to preserve user anonymity, while the stricter requirement is unlinkability or untraceability.
These concepts are seldom discussed in detail for two-factor authenticated key agreement protocols. To date, few two-factor authenticated key agreement protocols can provide users with strong unlinkability.
To the best of our knowledge, most two-factor authenticated key agreement protocols based on Chebyshev polynomials (hereafter called TAKACP protocols) utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). At present, few secure TAKACP protocols are based on the Chebyshev polynomials defined on the interval [−1, +1]. This is because TAKACP protocols based on the Chebyshev polynomials over the interval [−1,+1] are vulnerable to Bergamo et al.'s attacks [18].

Our Contributions.
The main contribution of this paper is two two-factor authenticated key agreement protocols based on Chebyshev polynomials defined on the intervals [−1,1] and (−∞,+∞), respectively, which solve all of the abovementioned issues for the first time. They satisfy more security requirements than the existing TAKACP protocols.
In summary, we list the main contributions below:
(1) User privacy in two-factor authenticated key agreement protocols is expounded. According to the extent of user identity protection, user privacy preservation in entity authentication protocols is classified into four concepts: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Of the four levels, strong unlinkability is the highest, while anonymity-alone is fundamental for entity authentication. In this paper, we elaborate them with a formal probability model.
(2) We analyze the Lin TAKACP protocol and reveal its weaknesses. Detailed analysis shows that it fails to provide session key security and that it suffers from user impersonation attack. Moreover, it cannot even provide weak unlinkability.
(3) Formal security analysis under the random oracle model and BAN logic nonce verification demonstrate that the proposed schemes provide secure authentication under the CPCDH assumption and the integer factorization hardness assumption.
(4) The proposed schemes provide more security properties than other TAKACP schemes, and the detailed comparative security analysis also shows that the proposed schemes avoid the weaknesses of the TAKACP protocols [19][20][21].

Network Model.
The proposed two-factor authenticated key agreement protocols involve two entities, a user U and the server S. In the user registration phase, the server issues a smart card with secret information to U through a secure channel. When the user U logs in to the server, the server and the user authenticate each other over public channels. In this paper, the two-factor authenticated key agreement protocol is required to provide users with privacy preservation: no adversary can trace the user from the messages transmitted over open channels.

Adversary Model.
Consider an adversary A who has full control over the communication channel between the user U and the service provider S (except during the registration phase).
Thus, A could obtain the messages transmitted between the user and the server (except the registration message). Of the phases in a two-factor authenticated key agreement protocol, only the registration phase requires a secure channel between U and S. In the other phases, there could be various kinds of passive and active adversaries in the communication channel between U and S. The adversary A can eavesdrop on and even block transmitted messages, modify messages, remove messages, or insert messages into the communication channel. Its objective is to compromise the mutual authentication between U and S: A may impersonate a user and attempt to access the server, or impersonate the server and provide the user with false services.
In the single-server environment, since all users register on the same server with the same master key, the inside attacker A 0 /A 1 is very powerful. Hereinafter, we refer to a malicious server, which may try to recover the password of its client or track the client, as an adversary A 0 ; to a registered malicious user, or an adversary who has corrupted a user, as an adversary A 1 ; and to all other adversaries as outside adversaries A 2 . To simulate the inside attack, A 0 and A 1 can obtain the passwords and the information stored in the smart cards of all users except the client under attack. If the server is the attack target, A 1 is assumed to obtain the passwords and the information stored in the smart cards of all users.
For a two-factor authentication scheme, the basic security property is that the user is required to both have the smart card and know the password. Since the smart cards cannot prevent the information stored in them from being extracted, for example, by monitoring their power consumption, the security of a two-factor authentication scheme is always discussed in the case that the smart card is stolen. In other words, when a user is under attack, A is allowed to either compromise the password or the smart card of the client under attack, but not both.

Organization of the Paper.
The remainder of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces some preliminaries. Section 4 shows the limitations of the Lin protocol. Section 5 then presents two novel TAKACP protocols. Next, Section 6 analyzes the security of the proposed schemes. A comparison with the related smart-card-based protocols in terms of security properties and performance is given in Section 7, and Section 8 concludes the paper.

Related Work
In this section, we briefly review some related prior work. Recent years have witnessed many efforts on two-factor authentication. We summarize some existing two-factor authentication schemes, together with the methodologies they use and their limitations and drawbacks, in Table 1.

Two-Factor Authentication Based on Enhanced Chebyshev Polynomials Defined on the Interval (−∞, +∞) and Their Limitations.
Researchers have developed chaotic maps-based key agreement protocols which utilize the enhanced Chebyshev polynomials defined on the interval (−∞, +∞). Xiao et al. [31] first presented a chaotic map-based authenticated key agreement protocol by utilizing the semigroup property of Chebyshev chaotic maps [32,33]. Guo and Zhang [34] showed that Xiao et al.'s protocol [31] cannot provide the contributory property of key agreement: a malicious server can predetermine the session key. Guo and Zhang presented an improved version [34]. However, Lee demonstrated that the Guo-Zhang protocol [34] is insecure against off-line password guessing attacks [35]; in addition, it fails to provide session key security. Tseng et al. [7] proposed an anonymous key agreement protocol based on Chebyshev chaotic maps. Unfortunately, Niu et al. [8] demonstrated that Tseng et al.'s protocol [7] fails to protect user anonymity and suffers from inside attacks. Yoon [9] found that the Niu-Wang protocol [8] is vulnerable to denial-of-service attacks. Xue et al. [36] also improved Tseng et al.'s protocol. However, Tan [37] pointed out that the Xue-Hong protocol [36] still cannot provide user anonymity; moreover, the Xue-Hong protocol suffers from man-in-the-middle attacks. In 2012, Gong et al. [38] proposed a password-based key agreement protocol using extended chaotic maps. Unfortunately, Wang and Luan [39] showed that the key agreement protocol [38] suffers from potential security problems.
In 2014, Lin [40] developed an authentication scheme using dynamic identity and chaotic maps. Later, Islam et al. [41] stated that Lin's scheme suffers from user impersonation attack. Islam et al. also presented an improved provably secure scheme [41,42] to solve the weaknesses of Lin's scheme. Unluckily, Jiang et al. [10] showed that Islam's scheme is also vulnerable to some potential attacks. Based on the extended Chebyshev polynomials on the interval (−∞,+∞), Lee et al. [21] presented an improvement on Lin's scheme [20]. However, in the login phase of the improved scheme [21], the smart card fails to validate the input of the user. Moreover, in the password change phase, the server must participate in the whole updating process of each user. Hence, it is inconvenient for users to update the password in Lee et al.'s scheme [21]. In Lee's TAKACP scheme [35], the user and the server must preshare a password. Hence, when users register with the server, the server must share a different password with every user. In 2013, Guo and Chang [19] proposed a smart-card-based authenticated key agreement using chaotic maps over the interval [−1,+1]. Subsequently, Hao et al. [43] and Lin [20] pointed out that there are some security pitfalls in the Guo-Chang scheme [19]. Any adversary can derive the session key only by using the messages transmitted between a user and the server. In addition, the Guo-Chang scheme fails to provide full protection for the user identity due to a fixed parameter in every run of the protocol. To eliminate the above weaknesses, Lin presented an improved scheme [20] based on chaotic maps over the interval [−1,+1]. The Lin scheme is highly efficient since it is based on a simple symmetric cryptosystem. Unfortunately, Lee et al. [21] pointed out that the Lin scheme still fails to withstand denial-of-service and privileged insider attacks. In addition, the Lin scheme does not exhibit the contributory property of key agreement.

In this paper, we will show that the Lin scheme violates the session key security. The Lin scheme suffers from impersonation attacks. Specifically, it is still susceptible to Bergamo et al.'s attacks [44] from registered users of the same server. Furthermore, we will demonstrate that the Lin scheme cannot provide strong privacy protection. We also have found that it is inconvenient for users to update passwords in the Lin scheme [20] and the Guo-Chang scheme [19].

Table 1: Cryptographic methodologies and drawbacks of the existing schemes and the proposed schemes. (Only the column headings survive extraction: Fan et al. [22], Juang et al. [23], Sun et al. [24], Li et al. [25], Guo et al. [19], Lin [20], Lee [21], Proposed.)

Mathematical Preliminaries
This section briefly introduces Chebyshev polynomials and two problems related to the chaotic maps. Then, we discuss user privacy in TAKACP protocols and define the different notions of user privacy.
(1) The recurrence relation of the Chebyshev polynomial is given by:
The Chebyshev polynomials hold two important properties.
Semigroup property: Assume that r and s are positive numbers. For x ∈ [−1, 1], T r (T s (x)) = T s (T r (x)). Due to its semigroup property, the Chebyshev polynomials satisfy the commutative property under composition, T r (T s (x)) = T s (T r (x)).
Chaotic property: Since the Chebyshev polynomial T n (x) with positive integer n has a unique continuous invariant measure with positive Lyapunov exponent ln n, it is a chaotic map with invariant density f*(x) = 1/(π ). In particular, T 2 (x) is the well-known logistic map.
In 2008, Zhang [45] extended the definition of the variable from the interval [−1,1] to the interval (−∞, +∞) as follows:
where p is a large prime number. These enhanced Chebyshev polynomials still commute under composition, T r (T s (x)) = T s (T r (x)) mod p. The Chebyshev polynomials over the interval (−∞, +∞) give rise to a discrete logarithm problem and a Diffie-Hellman problem, which are assumed to be hard to solve in probabilistic polynomial time:
Definition 1. Chebyshev polynomial-based Discrete Logarithm (CPDL) problem. Given two elements x and y, find an integer r such that T r (x) = y, where T r (x) is the Chebyshev polynomial.
In contrast with the Chebyshev polynomials over the interval (−∞, +∞), the hardness assumption of the CPCDH problem over the interval [−1,1] does not hold. Given three elements x, T r (x), and T s (x), although it is computationally infeasible to derive r from the known x and T r (x), one can apply the method mentioned in [18,44] to derive r* such that T r (x) = T r* (x). Thus, one can compute the Diffie-
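As an added worked example (not code from the paper), the following Python evaluates T_n(x) by the standard three-term recurrence, cross-checks it against the trigonometric form cos(n·arccos x), and verifies the semigroup/commutativity property both on [−1,1] and for the enhanced polynomials reduced mod p, ending with the Diffie-Hellman-style exchange whose hardness is what Definition 1 and the CPCDH assumption are about. The recurrence, the closed form, the O(log n) matrix evaluation and all parameter values are assumptions of this example rather than material quoted from the page.

```python
import math


def chebyshev(n, x):
    """T_n(x) on [-1, 1] via the standard recurrence (assumed here):
    T_0(x) = 1, T_1(x) = x, T_k(x) = 2x*T_{k-1}(x) - T_{k-2}(x)."""
    if n == 0:
        return 1.0
    prev, cur = 1.0, float(x)
    for _ in range(n - 1):
        prev, cur = cur, 2 * x * cur - prev
    return cur


def chebyshev_closed_form(n, x):
    """Trigonometric form T_n(x) = cos(n * arccos x), valid for |x| <= 1."""
    return math.cos(n * math.acos(x))


def chebyshev_mod(n, x, p):
    """Enhanced Chebyshev polynomial T_n(x) mod p (the interval extension the
    paper attributes to Zhang), computed in O(log n) by exponentiating the
    2x2 step matrix M = [[2x, -1], [1, 0]] that maps (T_k, T_{k-1}) to
    (T_{k+1}, T_k)."""
    if n == 0:
        return 1 % p

    def mul(a, b):
        return [[(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
                 (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
                [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
                 (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p]]

    step = [[(2 * x) % p, (-1) % p], [1, 0]]
    acc = [[1, 0], [0, 1]]          # identity
    e = n - 1                       # M^(n-1) applied to (T_1, T_0) = (x, 1)
    while e:
        if e & 1:
            acc = mul(acc, step)
        step = mul(step, step)
        e >>= 1
    return (acc[0][0] * x + acc[0][1]) % p


def commutes_on_interval(r, s, x, tol=1e-9):
    """Semigroup property on [-1, 1]: T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x)."""
    lhs = chebyshev(r, chebyshev(s, x))
    rhs = chebyshev(s, chebyshev(r, x))
    return abs(lhs - rhs) < tol and abs(lhs - chebyshev(r * s, x)) < tol


def dh_exchange_mod_p(x, p, r, s):
    """Both sides of a Chebyshev Diffie-Hellman exchange over (-inf, +inf) mod p.
    A publishes T_r(x), B publishes T_s(x); each applies its own secret degree
    to the other's value. Returns (key_at_A, key_at_B, T_rs(x)); recovering r
    from (x, T_r(x)) is the CPDL problem of Definition 1."""
    a_pub = chebyshev_mod(r, x, p)
    b_pub = chebyshev_mod(s, x, p)
    key_at_a = chebyshev_mod(r, b_pub, p)
    key_at_b = chebyshev_mod(s, a_pub, p)
    return key_at_a, key_at_b, chebyshev_mod(r * s, x, p)


if __name__ == "__main__":
    # Constructed sample parameters; p is a small prime chosen for readability.
    print(chebyshev(3, 0.5), chebyshev_closed_form(3, 0.5))
    print(commutes_on_interval(5, 7, 0.3))
    print(dh_exchange_mod_p(12345, 1000000007, 98765, 43210))
```

The two evaluators differ on purpose: on [−1,1] the values stay bounded and the naive recurrence is fine, whereas over the integers the degrees used as secrets are large, so the mod-p version exponentiates the recurrence matrix instead of iterating n times.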

Definition 3. The success probability of a probabilistic polynomial time Turing machine Δ within time upper bound t in solving the CPCDH problem is defined as:
Definition 4. The Chebyshev polynomial-based computational Diffie-Hellman assumption (CPCDH assumption) is the assumption that the CPCDH problem is hard. In other words, for every probabilistic polynomial time Turing machine Δ, Adv CPCDH (t) is negligible.
Definition 5. The integer factorization assumption (IF assumption) is the assumption that integer factorization is hard. In other words, the probability Adv IF (t′) of integer factorization for any probabilistic polynomial time Turing machine within the time upper bound t′ is negligible.

Notions of Privacy in TAKACP Protocols.
According to the extent of user identity protection, we divide user privacy preservation into four levels: anonymity-alone, weak unlinkability, medium unlinkability, and strong unlinkability. Each of these concepts is stronger than the preceding one, i.e., anonymity-alone ≤ weak unlinkability ≤ medium unlinkability ≤ strong unlinkability.
Let N be the number of members of any user group. Let A Guess 1,2 be the event that A (that is, A 1 or A 2 , but not A 0 ) guesses the identity of the user correctly from the user group, and let A Decide 2 (A Decide ) be the event that A 2 (A) decides whether any two executions of the protocol are from the same user.
Definition 6. (Anonymity-Alone). We define the advantage Adv Anon−Alone (A) of any adversary A as
The advantage Adv Anon−Alone (A) measures the sum of the probability of any adversary A 1 or any outside adversary A 2 obtaining the identity of the user and the probability of any outside adversary A 2 linking different sessions to a certain user.
An authenticated key agreement protocol is said to provide anonymity-alone if Adv Anon−Alone (A) is negligible. In other words, for any group of N users, A cannot identify the actual user with probability higher than the guessing probability 1/N. Hence, the first summand approaches 0. However, any outside adversary A 2 can still link different sessions to a certain user.
Definition 7. (Weak unlinkability). We define the advantage Adv Weak−Unlin (A) of any adversary A as
An authenticated key agreement scheme achieves weak unlinkability if Adv Weak−Unlin (A) is negligible. Specifically, any adversary A 1 or any outside adversary A 2 cannot obtain the identity of any other user. Besides, any outside adversary A 2 cannot link different sessions to a certain user with probability larger than 1/2.
Definition 8. (Medium unlinkability). An authenticated key agreement scheme is said to satisfy medium unlinkability if Adv Medium−Unlin (A) is negligible. In other words, any participant except the server cannot link different logins to the same user.
Definition 9. (Strong unlinkability). We define the advantage Adv Strong−Unlin (A) of any adversary A, including A 0 , A 1 , and A 2 , as
An authenticated key agreement scheme is said to satisfy strong unlinkability if Adv Strong−Unlin (A) is negligible.

Cryptanalysis of the Lin TAKACP Protocol
In this section, we first tabulate the important notations in Table 2. We then review Lin's key agreement protocol [20].

Brief Review of Lin's TAKACP Protocol.
The Lin TAKACP scheme [20] is composed of four algorithms: system initialization, user registration, authenticated key exchange, and password change. The notations used in [20] are listed in Table 2. Figures 1-3 separately illustrate the phases of user registration, authenticated key exchange, and password change.

System Initialization.
The server S selects a master key s. Then, S computes a Chebyshev polynomial of degree r, i.e., T r (x), where x ∈ [−1, 1], and chooses a one-way hash function h() and a symmetric encryption function E k () with secret key k. S keeps r secret.

User Registration Phase.
A user registration procedure consists of the following steps.
Step 1. The user U selects an identity ID, a password PW, and a random integer t. U computes H = h(PW||t) and then sends the message {ID, H} to the server via a secure channel.
Step 2. Upon receiving the registration request, the server S computes R = E s (ID||H) and D = H⊕(x||T r (x)). Then, S writes {R, h(), E k (), D} to a smart card and sends the smart card to U via a secure channel.
Step 3. Upon receiving the smart card, U stores t in it.

Authenticated Key Exchange Phase.
U first enters the identity ID and password PW. Then, the smart card runs the following steps with S:
Step 1. It chooses a random integer j and computes v and Q. Then, it issues the message {T j (x), E v (Q, R, T 1 )} to S.
Step 2. S computes v = T r (T j (x)) and decrypts E v (Q, R, T 1 ). Then, S checks the validity of the time stamp T 1 . Next, S decrypts R and verifies whether Q = h(ID′‖H′) holds. If the equation holds, U is authenticated; otherwise, the session is terminated.
Step 3. S chooses a random integer j′ and returns the login response E v (T j′ (x), h(ID′‖T 2 )) to the card. S also computes the session key T j′ (T j (x)).
Step 4. The card first decrypts E v (T j′ (x), h(ID′‖T 2 )) and then checks whether the delay of T 2 is acceptable. Next, the card checks whether h(ID‖T 2 ) = h(ID′‖T 2 ) holds. If the equation holds, S is authenticated, and the card computes the session key T j (T j′ (x)).

Password Change Phase.
U first inserts the smart card into a terminal and inputs his or her identity ID, the old password PW, and a new password PW*. Then, the smart card runs the following steps with S:
Step 1. The smart card randomly chooses a positive integer i and calculates
Step 2. S computes η = T r (T i (x)), then decrypts E η (H′, H*, R) and further decrypts R = E s (ID||H). Next, S checks whether the received H′ is equal to H. If the equation holds, the server returns R* = E s (ID‖H*) to the card.
Step 3. The smart card replaces R with R*.

Security Weaknesses of Lin's TAKACP Protocol.
Lin [20] demonstrates that the Guo-Chang TAKACP scheme [19] cannot provide full protection for the user's identity. Any passive inside adversary A 1 (i.e., a malicious registered user) could derive the mutually shared session key between the user and the server only by intercepting the transmitted message. Lin claimed that their improvement eliminates the drawbacks. We show that the second security weakness of the Guo-Chang TAKACP scheme still exists in the Lin scheme [20]. In addition, the password change would not only bring inconvenience to the user but also lack the authentication of the server.

Violation of the Session Key Security.
Assume that an inside adversary A 1 has intercepted the key exchange message transmitted between the user U and the server. In the Lin scheme, the adversary could derive the session key by performing the following steps.
Since A 1 is an inside adversary, A 1 can use his password to calculate x||T r (x). After intercepting U's login message, although it is computationally infeasible to calculate j from x and T j (x), the adversary can apply the method mentioned in [18,44] to compute j* such that T j (x) = T j* (x). Then, the adversary could compute the key v, decrypt the login response with the key v, and obtain T j′ (x). Finally, the adversary calculates the session key T j* (T j′ (x)).

Suffering from User Impersonation Attack.
Suppose that an inside adversary A 1 does not want to pay the server for the service provided by S. A 1 would try to impersonate a legitimate user U. After intercepting U's login message, the adversary launches the user impersonation attack as described below. A 1 computes the key v through the same technique as in the session key leakage attack in Section 3. Then, A 1 decrypts E v (Q, R, T 1 ) and obtains {Q, R, T 1 }.
(3) After receiving the login message, S computes v = T r (T j (x)) and decrypts E v (Q, R, T). S first checks the validity of the time stamp T. Next, S decrypts R to derive ID||H and verifies the identity. Since Q = h(ID||H), the server believes that a legitimate user with identity ID has issued the login request. After that, S selects a Chebyshev polynomial T j′ (x), encrypts it with the other messages, and transmits the ciphertext to A 1 .
(4) A 1 recovers the map T j′ (x) with the key v and computes the session key.

Linking Different Sessions to the Same User.
The Lin TAKACP scheme enhances the protection of user identity. Although no adversary A 1 or A 2 can obtain the identity of any user, any inside adversary A 1 can link different sessions to a certain user. The Lin scheme can only provide weak unlinkability (for details, see Definition 7 in Section 3), since A 1 may link sessions to the user as follows.
Thus, U′ computes the key η and further decrypts the message sent to the server. Since the equation H′ = H holds, the server will return R* = E s (ID‖H″) to the smart card. The smart card stores R* instead of R. Thus, the password change has been fulfilled. However, the user U can no longer log in to the server with the new password PW*. We describe the failure process as follows.
When the user U tries to log in to S, U computes Q = h(ID‖H*), where H* = h(PW*‖t), and then issues (T j (x), E v (Q, R*, T 1 )) to the server. The server decrypts E v (Q, R*, T 1 ) and acquires R*. S further decrypts R* to obtain ID and H″. S computes Q′ = h(ID‖H″). Since Q′ ≠ Q, the server will refuse U's login request.
Secondly, the Lin TAKACP scheme requires that the server participate during the whole password change phase. In many applications, registered users need to update their passwords at intervals. Passwords should be freely updated by the smart card holder at will without any interaction with the server, while the server can be totally unaware of the password change. A TAKACP scheme should provide users with free password changes; if a password change requires the server to be online, the server becomes a bottleneck. The Lin scheme requires the server S to compute R* during the password change phase. Therefore, it is inconvenient for both the server and the users, and the password change in the Lin scheme is impractical.
Thirdly, during the password change phase, the server is not authenticated by the smart card. This would be a serious security drawback. Any adversary could impersonate the server and send an arbitrary value as R*. The smart card will replace R with R*. The real card holder can no longer log in to the server since R* ≠ E s (ID‖H*). If the password change proceeded through a secure channel as in the user registration phase, the above security drawbacks would be removed. However, this is also infeasible.

The Proposed TAKACP Protocols
Lin [20] showed that the Guo-Chang scheme suffers from inside attacks. The analysis above demonstrates that the Lin TAKACP scheme [20] still cannot resist inside attacks. The main cause is that an inside adversary A 1 shares the common chaotic map T r (x) with the other registered users of the same server. After intercepting the chaotic map T j (x) transmitted over the public channel, A 1 can derive an integer j* satisfying T j (x) = T j* (x). The adversary then computes the key v. Thus, the adversary can determine the Diffie-Hellman-like session key T j* (T j′ (x)). To eliminate these weaknesses, we seek cryptographic techniques to protect the functions T j (x) and T j′ (x). In the following, we use quadratic residues to present two improved versions. We first describe an improved two-factor authentication scheme (hereafter called TAKACP-1) based on Chebyshev polynomials defined on the interval [−1,1], and then another two-factor authentication scheme (hereafter called TAKACP-2) based on Chebyshev polynomials defined on the interval (−∞,+∞).

Registration Phase.
We adopt the same notations as those in the Lin scheme.
The server S selects s as the symmetric encryption key, two distinct large primes p and q with p ≡ q ≡ 3 (mod 4), and a one-way hash function h(): {0,1}* → {0,1}^l, where l is a security parameter. The parameters p, q, and s are kept secret. Before a user U gains access to the server S, U must register by performing the following steps, as shown in Figure 4.
Step R1. U selects a random integer n′ of l bits, an identity ID, and a password PW. Then, U computes d = h(ID‖PW)n′ and delivers {ID, d} to S through a secure channel.
Step R2. S computes c = d⊕E s (ID||n), where n = pq. S stores {c, n, h()} on a smart card and issues the smart card to U via a secure channel.

Authenticated Key Exchange Phase.
The user U and the server S cooperatively perform the following steps to generate a session key SK, as illustrated in Figure 5.
Step A1. U inserts the smart card into the terminal and enters the identity ID and the password PW. The smart card checks whether d 2 is equal to h((ID⊕PW)||d 1 ||n). If ID and PW are valid, it computes c = d 1 ⊕h(ID||PW). It generates a nonce n 1 of the same binary length as c and randomly chooses a positive integer i and a real number x over [−1,1]. The card computes the Chebyshev polynomial T i (x) and then e, w 1 , and θ 1 ; the encoded value is l bits long. The interleaving symbol means that the binary form of c is interleaved with the binary form of n 1 bit by bit. Then, the card transmits the message M 1 = {e, w 1 , θ 1 } to the server S.
Step A2. Upon receiving the login request, S uses the Chinese Remainder Theorem with p and q to solve for the square roots of e. S parses each of the four roots into two parts, c′ and n 1 ′. Then, S decrypts c′ to obtain (ID*, n*) and determines the right root by checking whether n* is equal to n. Finally, S obtains the right root (c′, n 1 ′) and the identity ID*. If the equation holds, the server believes that the login comes from a registered user with the identity ID*. S generates a nonce n 2 such that n 2 ||T j (x) is l bits in length and randomly chooses a positive integer j. Then, S computes w 2 and θ 2 and sends back the message M 2 = {w 2 , θ 2 } to U. Otherwise, S rejects the login request from U.
Step A4. After receiving the confirmation message from the card, S checks whether h(SK‖n 1 ′‖n 2 ‖c * 0 ) equals θ 3 . If they are equal, the user U with identity ID is authenticated. Moreover, S confirms the session key SK.
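Step A2 depends on two mechanics the page states but does not spell out in code: the bit-interleaving of c with the nonce n 1 , and the Rabin-style recovery of the four square roots of e modulo n = pq when p ≡ q ≡ 3 (mod 4), followed by picking the right root through redundancy. The following Python is an added example, not the paper's code: it uses two constructed primes, a 16-bit arithmetic tag inside c as a stand-in for the paper's check that the decrypted n* equals n (no symmetric cipher E s is modelled), and 30-bit halves so that the interleaved value stays below n.

```python
# Constructed toy parameters (assumptions of this example): both primes are
# 3 mod 4, which is what makes the square-root formula below valid.
P = 1000000007
Q = 2147483647
HALF_BITS = 30          # bit length of c and of n1; interleave(c, n1) has 60 bits
TAG_MOD = 65521         # redundancy inside c standing in for the paper's "n* == n" check


def interleave(a, b, bits):
    """Bit-interleave two `bits`-bit integers: a's bits land on even positions,
    b's bits on odd positions (the operation Step A1 applies to c and n1)."""
    out = 0
    for i in range(bits):
        out |= ((a >> i) & 1) << (2 * i)
        out |= ((b >> i) & 1) << (2 * i + 1)
    return out


def deinterleave(m, bits):
    """Inverse of interleave: split m back into (a, b)."""
    a = b = 0
    for i in range(bits):
        a |= ((m >> (2 * i)) & 1) << i
        b |= ((m >> (2 * i + 1)) & 1) << i
    return a, b


def make_token(value):
    """Card token c = value || 16-bit tag; value must fit in HALF_BITS - 16 bits."""
    assert 0 <= value < (1 << (HALF_BITS - 16))
    return (value << 16) | (value % TAG_MOD)


def check_token(c):
    """Return the embedded value if c's tag is consistent, else None."""
    value, tag = c >> 16, c & 0xFFFF
    return value if value % TAG_MOD == tag else None


def sqrt_mod_prime_3mod4(a, p):
    """Square root of a quadratic residue a modulo a prime p = 3 (mod 4):
    a^((p+1)/4) works because a^((p-1)/2) = 1 for residues."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    if (r * r) % p != a % p:
        raise ValueError("not a quadratic residue")
    return r


def rabin_roots(e, p, q):
    """All four square roots of e modulo n = pq, combined with the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime_3mod4(e, p), sqrt_mod_prime_3mod4(e, q)
    inv_q_mod_p, inv_p_mod_q = pow(q, -1, p), pow(p, -1, q)
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * inv_q_mod_p + sq * p * inv_p_mod_q) % n)
    return sorted(roots)


def card_login_value(c, nonce, n):
    """Card side of Step A1: e = (c interleaved with n1)^2 mod n."""
    m = interleave(c, nonce, HALF_BITS)
    assert m < n
    return pow(m, 2, n)


def server_recover(e, p, q):
    """Server side of Step A2: take the four roots of e, split each into
    (c', n1'), and keep those whose token passes the redundancy check.
    Returns a list of (value, n1') candidates; a well-formed login yields the
    genuine pair and, with overwhelming probability, nothing else."""
    found = []
    for root in rabin_roots(e, p, q):
        if root >> (2 * HALF_BITS):
            continue                      # too wide to be interleave(c, n1)
        c_prime, n1_prime = deinterleave(root, HALF_BITS)
        value = check_token(c_prime)
        if value is not None:
            found.append((value, n1_prime))
    return found


def demo():
    """Constructed run: token value 0x2A7F and a fixed nonce (a real card
    would draw the nonce with secrets.randbits(HALF_BITS))."""
    c = make_token(0x2A7F)
    nonce = 0x1F3A5C7B
    e = card_login_value(c, nonce, P * Q)
    return server_recover(e, P, Q)


if __name__ == "__main__":
    print(demo())
```

Because only the holder of p and q can take square roots modulo n, an eavesdropper who sees e learns nothing about c or the nonce under the IF assumption, and a fresh nonce in every run is what stops two logins from being linked through e; the redundancy check is what lets the server discard the three wrong roots without trial decryption of every candidate.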

Password Change Phase.
If the user U wants to update his password, U performs the following steps.
Step C1. U inserts the smart card into the terminal and inputs the identity ID and the old password PW. Then, U issues the updating request.
Step C2. The smart card checks whether d 2 = h((ID⊕PW)||d 1 ||n) holds. If the equation holds, it accepts the update.
Step C3. U submits a new password PW new .
Step C4. The smart card computes d 1 ′ and d 2 ′. The card removes {d 1 , d 2 } and stores {d 1 ′, d 2 ′}.
Now, we briefly describe the TAKACP-2 scheme. There is a small difference between the registration phase of the TAKACP-2 scheme and that of the TAKACP-1 scheme, so we give a detailed description of the registration phase of the TAKACP-2 scheme. The other fundamental difference in the authenticated key exchange phase of the TAKACP-2 scheme from the TAKACP-1 scheme is that the real number x is drawn from the interval (−∞, +∞), and the card/server computes the Chebyshev polynomial T i (x)/T j (x) mod p 0 . By making similar modifications to the registration phase, we obtain the password change phase. Hence, we omit the description of the authenticated key exchange phase and the password change phase of the TAKACP-2 scheme.
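The following Python is an added illustration, not the paper's code, of the card-side local verifier that Steps A1, C2 and C4 of TAKACP-1 rely on. It instantiates h() with SHA-256, uses a constructed 32-byte token standing in for E s (ID||n), adopts a zero-padding convention for ID⊕PW, and derives d 1 from the relation c = d 1 ⊕ h(ID||PW) stated in Step A1 (Step R3's and Step C4's own formulas are not reproduced on the page, so that derivation is an assumption). It shows why the password change needs no server round trip, which is the property the Lin cryptanalysis above argues for.

```python
import hashlib
import secrets


def h(*parts):
    """One-way hash h(): {0,1}* -> {0,1}^l, instantiated with SHA-256 (assumption:
    the page fixes no concrete hash). Parts are joined with a separator so that
    h(a||b) has an unambiguous encoding."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor_bytes(a, b):
    """Bytewise XOR after zero-padding to a common length (assumption: the page
    writes ID⊕PW without fixing how strings of different lengths are aligned)."""
    width = max(len(a), len(b))
    a, b = a.ljust(width, b"\0"), b.ljust(width, b"\0")
    return bytes(x ^ y for x, y in zip(a, b))


class SmartCard:
    """Card state {d1, d2} next to the public modulus n.

    d1 follows from the relation c = d1 ⊕ h(ID||PW) that Step A1 states, and
    d2 is the verifier h((ID⊕PW)||d1||n) that Steps A1 and C2 check. Step R3's
    own formulas are not reproduced on the page, so this derivation is an
    assumption of the example."""

    def __init__(self, token, n, ident, pw):
        self.n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        self.d1 = xor_bytes(token, h(ident, pw))
        self.d2 = h(xor_bytes(ident, pw), self.d1, self.n_bytes)

    def verify(self, ident, pw):
        """Local two-factor check of Steps A1/C2: no server round trip needed."""
        return self.d2 == h(xor_bytes(ident, pw), self.d1, self.n_bytes)

    def recover_token(self, ident, pw):
        """Step A1: c = d1 ⊕ h(ID||PW), released only after the local check passes."""
        if not self.verify(ident, pw):
            return None
        return xor_bytes(self.d1, h(ident, pw))

    def change_password(self, ident, old_pw, new_pw):
        """Steps C1-C4: re-derive {d1', d2'} for PW_new from the recovered token.
        The server is never contacted and never learns about the change."""
        token = self.recover_token(ident, old_pw)
        if token is None:
            return False
        self.d1 = xor_bytes(token, h(ident, new_pw))
        self.d2 = h(xor_bytes(ident, new_pw), self.d1, self.n_bytes)
        return True


def demo():
    """Constructed run: a random 32-byte token stands in for E_s(ID||n)."""
    token = secrets.token_bytes(32)
    card = SmartCard(token, 2147483647 * 1000000007, b"alice", b"old-password")
    ok_before = card.recover_token(b"alice", b"old-password") == token
    changed = card.change_password(b"alice", b"old-password", b"new-password")
    ok_after = card.recover_token(b"alice", b"new-password") == token
    old_rejected = card.recover_token(b"alice", b"old-password") is None
    return ok_before and changed and ok_after and old_rejected


if __name__ == "__main__":
    print(demo())
```

The design trade-off is visible in `verify`: a local verifier is what makes server-free password changes possible, but it also means that whoever holds the card's {d 1 , d 2 } can test password guesses offline, which is exactly why the adversary model in the introduction lets the attacker hold the card or the password but not both.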

Registration Phase of TAKACP-2.
We adopt the same notations as those in the TAKACP-1 scheme. The server S selects a large prime p 0 in addition to the symmetric encryption key s, two large primes p and q, and a one-way hash function h(): {0,1}* → {0,1}^l. S keeps p, q, and s secret. Then, U performs the following steps to execute the registration.

Security and Communication Networks
Step R1′. U selects a random integer n′, an identity ID, and a password PW. Then, U computes d = h(ID‖PW)n′ and delivers {ID, d} to S through a secure channel.
Step R2′. S computes c = d⊕E s (ID||n||p 0 ), where n = pq. S stores {c, n, p 0 , h()} on a smart card and issues the smart card to U via a secure channel.
Step R3′. The card computes d 1 and d 2 . Then, U removes n′, c, and d and stores {d 1 , d 2 } in the card.

Security Analyses
In this section, we present the formal semantic security analysis of the proposed protocols under the random oracle model in Part A. Mutual authentication between a user and a server is confirmed through the widely used BAN logic [46][47][48] in Part B. In Part C, we conduct a detailed informal security analysis of the proposed protocols. The formal and informal security analyses both show that our schemes provide stronger security attributes.

Formal Security Analysis in Random Oracle Model.
In this subsection, we introduce a formal security model built on the widely used Real-Or-Random model [49], the authentication security model [50], and the sequence-of-games approach [51]. Assume that the server is a trustworthy entity. The server accepts the registration of users and validates the real identity of the users in order to provide them with services.
There exists a secure channel between the server and the user to protect the registration of the user. In the following, we apply the Dolev-Yao threat model (DY model) [52] to analyze the security of the proposed schemes. According to the DY model, any two communicating parties communicate over an insecure channel. Assume that a polynomial-time adversary has the ability to control the communication channel, for example, by modifying, injecting, monitoring, and deleting messages over the open channel. Any adversary A can make oracle queries, which model the adversary's capabilities in a real attack. The goal of the adversary is to break the anonymous authentication of a key agreement protocol by compromising the requirements for the protocols described below. A malicious registered user may act as A to attempt to obtain the identity information of other users who have registered on the same server.
We will simulate various security attacks on the proposed schemes through all possible oracle queries listed below.
Execute(U i , S j ): This query models eavesdropping attacks on an honest execution between the user instance U i and the server instance S j . The output of this query consists of the messages exchanged during the honest execution of the protocol.
Send(U i /S j , m): This query models an active attack. The oracle query enables A to receive an actual response from a participant U i /S j . Specifically, the adversary A sends a message m to the instance U i /S j , and the participant instance U i /S j follows the protocol to give a reply.
Reveal(U i /S j ): This query models known session key attacks. If no session key is defined for the instance U i /S j , or if either U i /S j or its partner has been asked a Test query, the output of this query is the invalid symbol ⊥. Otherwise, it returns to A the current session key SK established between U i /S j and its partner.
Corrupt(U, a): This query models the capability of A to obtain the secret information of a user participant U, thereby corrupting the protocol. If a = 1, the query returns U's password to A. If a = 2, the query returns to A the information stored in user U's smart card. The oracle simulates that when A gains the smart card of user U, it can extract the stored secret information.
Test(U i /S j ): If no session key is defined for the instance U i /S j , or if either U i /S j or its partner has been asked a Reveal query, the output of this query is the invalid symbol ⊥. Otherwise, the oracle flips a coin b. If b = 1, the output is the session key. Otherwise, the output is a random string drawn from the space of session keys. The Test query is invoked once by the adversary on a fresh oracle. The query is used to define the semantic security of the session key SK.
Definition 10. An instance U i /S j is said to be accepted if, upon receiving the last expected protocol message, it goes into an accept state. The ordered concatenation of all messages sent and received by the instance U i /S j forms the session identification (sid) of U i /S j for the current session.
Definition 11. Two instances U i and S j are said to be partnered if the following three conditions hold simultaneously: (1) both U i and S j are accepted; (2) both U i and S j share the same sid; and (3) U i and S j are mutual partners of each other.
Definition 12. An instance U i /S j is said to be fresh if the following conditions are fulfilled simultaneously: (1) U i /S j is in the accepting state; (2) the Reveal(U i /S j ) query has never been submitted to U i /S j or its partner; and (3) strictly fewer than two Corrupt(U i , a) queries have been made to U i , or strictly fewer than two Corrupt(U i , a) queries have been submitted to S j 's partner U i .

Definition 13.
For the semantic security, the security model is defined by a game consisting of two phases. In the first phase, an adversary A is allowed to adaptively issue Send, Execute, Reveal, and Test queries. In the second phase, the adversary A executes a single Test(U i /S j ) query with the chosen bit b directed to a fresh instance, and the query outputs a guess bit b ′ for b. If b ′ = b, then the adversary A wins the above game, i.e., A succeeds in breaking the semantic security of the TAKACP protocol. Let Succ(A) be the event that the adversary A wins the above game.
The advantage of the adversary A in breaking the semantic security of the TAKACP protocol is defined in terms of Pr[Succ(A)]. A TAKACP protocol is said to be semantically secure if the advantage Adv TFAKA (A) of any probabilistic polynomial time-bounded adversary A is negligible.

where l refers to the string length of hash results, Adv CPCDH (t) is the success probability of any probabilistic polynomial-time Turing machine within time bound t in solving the CPCDH problem, and Adv IF (t ′ ) is the probability of integer factorization for any probabilistic polynomial-time Turing machine within time bound t ′ .
Proof. We use the sequence-of-games approach to prove this theorem. We first define a sequence of modified attack games G i (i = 0, 1, 2, 3, 4, 5), starting from G 0 and terminating at G 5 . Let Succ i be the event that an adversary A successfully guesses the bit b in the Test query of game G i .
Game G 0 : This starting game and the real protocol in the random oracle model are assumed to be identical. Hence, G 0 is the actual attack game. By definition, the advantage of A is determined by Pr[Succ 0 ].
Game G 1 : This game is the same as the game G 0 except that the game simulates all oracle queries, including Send, Reveal, Corrupt, Execute, Test, and hash queries. The hash oracle and the Reveal, Test, Corrupt, and Execute queries are simulated in Table 3. We simulate the Send queries in Table 4 as in the actual attack game. The simulations maintain three lists of queries: (1) list L h records the answers to hash oracle queries, (2) list L A records the answers to the queries initiated by A, and (3) list L T records the transcripts between S and U. This game is perfectly indistinguishable from the real execution of the protocol. Hence, we have Pr[Succ 1 ] = Pr[Succ 0 ].
Game G 2 : In this game, we consider collisions among the results of hash queries, random numbers, and Chebyshev polynomials in the transcripts of messages M 1 , M 2 , and M 3 . We take a random value h from {0, 1} l as the response to a hash query. If this query is directly asked by the adversary and ( * , h) is already in L h , we abort the game. Otherwise, h is returned. Following the birthday paradox, the probability of collisions in the hash oracle queries is at most $q_h^2/2^{l+1}$. Furthermore, the messages contain random numbers {n 1 , n 2 } and two Chebyshev polynomials {T i (x), T j (x)}. The probability of a collision among random numbers and polynomials is at most $(q_s^2 + q_e^2)/2^{n+1} + (q_s^2 + q_e^2)/(2(p_0 - 1))$. Games G 2 and G 1 are perfectly indistinguishable except that the abovementioned collisions cause the game to abort. Hence, |Pr[Succ 2 ] − Pr[Succ 1 ]| is at most the sum of the above collision probabilities.
Game G 3 : This game aborts the execution in the situation where A obtains a valid authenticator without active participation of the hash oracle. In the TAKACP-2 protocol, the authenticated key exchange phase involves three message communications, M i , i = 1, 2, 3. We consider three cases, Send(U, M 1 ), Send(S, M 2 ), and Send(U, M 3 ), in the game G 3 .

Case 1.
Considering the Send(U, M 1 ) oracle query, we must carefully analyze the elements of message M 1 . The hash value h(c||x||T i (x)||c 0 ) ∈ L A must hold; otherwise, the session will be terminated. The maximum probability is up to (q h /2 l ). Again, h(ID||n 1 ) ∈ L A must hold, whose probability is at most (q h /2 l ). Finally, the message M 1 ∈ L T should hold, or the session will stop. For this, the probability is (q s /2 3l ).
Case 2. Considering the Send(S, M 2 ) oracle query, the hash value h(…) ∈ L A must hold; otherwise, the session will be terminated. The maximum probability is up to (q h /2 l ). The probability of the value h(ID‖…) falling within the list L A is at most (q h /2 l ). Finally, the message M 2 should fall within L T , or the session will terminate. The maximum probability is (q s /2 2l ).
Combining the three cases gives the bound for Game G 3 .
Game G 4 : In this game, when the session key SK is to be computed, we replace the random hash oracle H 1 with a private oracle H ′ . That is, the session key is determined without querying the hash oracle. Moreover, we do not use T j (T i (x)) or T i (T j (x)) to compute SK = H ′ (ID||T i (x)||T j (x)||n 1 ||n 2 ). Thus, the session key is completely independent of the hash oracle and of T j (T i (x)) or T i (T j (x)). Games G 4 and G 3 are perfectly indistinguishable unless the following event AskH 1 occurs: the adversary A queries the hash function on ID||T i (x)||T j (x)||n 1 ||n 2 ||T j (T i (x)) or on ID||T i (x)||T j (x)||n 1 ||n 2 ||T i (T j (x)). Hence, we have |Pr[Succ 4 ] − Pr[Succ 3 ]| ≤ Pr[AskH 1 ].
Game G 5 : In this game, we simulate the executions using the random self-reducibility of the CPCDH problem, given one CPCDH instance (T i (x), T j (x)). We choose two integers u, v at random and compute T u (T i (x)), T v (T j (x)). The event AskH 2 means that the adversary A has queried the random hash oracle H 1 on ID||T i (x)||T j (x)||n 1 ||n 2 ||Z, where Z = CPCDH(T u (T i (x)), T v (T j (x))). It is easy to see that the equation CPCDH(T u (T i (x)), T v (T j (x))) = T uv (CPCDH(T i (x), T j (x))) holds. We have |Pr[Succ 5 ] − Pr[Succ 4 ]| ≤ Pr[AskH 2 ]. According to the definition of the event AskH, the accumulated probability of solving the CPCDH instance is at least Pr[AskH 2 ]/q h . Thus, we have Pr[AskH 2 ] ≤ q h Adv CPCDH (t). (25)
In Game G 5 , the Diffie-Hellman keys SK are random and independent of the passwords and the ephemeral keys. So, there are two possible cases in which the adversary distinguishes the real session key from the random key, as follows.
Case 1. The adversary queries the hash oracle on ID||T i (x)||T j (x)||n 1 ||n 2 ||T j (T i (x)). The probability that this event occurs is (q h /2 l ).

Table 3: Simulation of the hash, Reveal, Test, Corrupt, and Execute queries.
(i) A hash query h( * ) is simulated as follows: If a record ( * ; h) is found in the list L h , return h. Otherwise, select a string h ∈ {0, 1} l and add ( * ; h) to L h . If the query is initiated by A, ( * ; h) is also stored in L A .
(ii) A Reveal(U i /S j ) query is simulated as follows: If U i /S j is in the accepting state, the current session key SK formed by U i /S j and its partner is returned.
(iii) A Test(U i /S j ) query is simulated as follows: Through the Reveal(U i /S j ) query, obtain the current session key SK and then flip an unbiased coin b. If b = 1, return SK. Otherwise, return a random string from {0,1} l .
(iv) A Corrupt(U, a) query is simulated as follows: If a = 1, the query returns the password PW of U. If a = 2, the query returns the secret information stored in the user's smart card.
(v) The simulation of an Execute(U i , S j ) query is the succession of the Send query simulations shown in Table 4.

Table 4: Simulation of the Send queries.
(ii) On a query Send(S j ; e, w 1 , θ 1 ), assuming S j is in the correct state, we proceed as follows: Solve the square roots of e and obtain c ′ , n 1 ′ . Decrypt c ′ and get (ID * , n * ). Compute (x‖T i (x)) = h(n 1 ′ )⊕w 1 and c 0 * = h(ID * ||n 1 ′ ), and check whether the received θ 1 = h(c ′ ||x||T i (x)||c 0 * ). If the equation does not hold, the server instance terminates without accepting. Otherwise, choose a nonce n 2 and a positive integer j at random, and compute w 2 and θ 2 . Then, the answer {w 2 , θ 2 } to the query is returned.
(iii) On a query Send(U i ; w 2 , θ 2 ), assuming U i is in the correct state, we proceed as follows: Compute the corresponding values (including SK * ) and check whether θ 2 = h(c||(T j (x)⊕h(n 2 ))||SK * ). If the equation does not hold, the user instance terminates without accepting. Otherwise, compute θ 3 = h(SK * ||(n 1 ⊕n 2 )||c 0 ), authenticate S j , and establish SK as the session key. Then, the answer {θ 3 } to the query is returned.
(iv) On a query Send(S j ; {θ 3 }), assuming S j is in the correct state, we proceed as follows: Check whether θ 3 = h(SK||(n 1 ′ ⊕n 2 )||c 0 * ). If the equation does not hold, the server instance terminates without accepting and aborts the session. Otherwise, S accepts the session key SK.

Case 2. The adversary asks the Send(U i , m) query and successfully impersonates a user. If Corrupt(U, 1) has been made, Corrupt(U, 2) has not been made. To impersonate the user, the adversary has to obtain the parameter c and the identity. The probability that this event happens is Adv IF (t ′ )(q s /|W|). On the contrary, if Corrupt(U, 2) has been made, the static key PW of the user may not be revealed. Thus, in order to impersonate the user, the adversary has to obtain some information on the password of the user. The success probability of the adversary in the q s sessions is (q s /(|D| + |W|)). If the adversary simply attempts at random to impersonate the user by computing θ 3 and succeeds, it will make a difference; but the probability over q s sessions is less than (q s /2 l ). Hence, we have the bound for Game G 5 .
Using the triangle inequality to sum the differences |Pr[Succ i ] − Pr[Succ i+1 ]| bounded in equations (19)-(26), we obtain the bound of the theorem. Thus, we have completed the proof of the theorem.
The above theorem concerns the security of the proposed TAKACP-2 scheme based on the extended Chebyshev polynomials defined on the interval (−∞, +∞). To complete the security proof of the TAKACP-1 scheme based on Chebyshev polynomials over the interval [−1, 1], one only needs to delete the CPCDH simulation in Game G 5 of the proof of Theorem 1. We only state the result as Theorem 2 without detailed proof.

Theorem 2. Let D (W) be a uniformly distributed password (identity) dictionary of size |D| (|W|). Let A (including A 1 and A 2 ) be a polynomial time-bounded adversary against the semantic security of the TAKACP-1 scheme. Suppose A makes at most q s Send queries, q e Execute queries, and q h hash oracle queries. Then, we have
Proof. Consider that the insider adversary A 1 attempts to violate the user anonymity of the proposed schemes. Further suppose that Corrupt(U, 2) has been made, i.e., the smart card of the user U is compromised. The adversary A has extracted the elements {d 1 , d 2 , n} for TAKACP-1 ({d 1 , d 2 , n, p 0 } for TAKACP-2) from the smart card. In TAKACP-1 and TAKACP-2 alike, A cannot correctly split d 1 or d 2 into the exclusive-OR components E s (ID||n) (respectively E s (ID||n||p 0 )), h(ID||PW), and h(ID⊕PW). In essence, even if A has E s (ID||n), A still cannot recover ID from it without the master key s. Since d 2 = h((ID⊕PW)||d 1 ||n) or h((ID⊕PW)||d 1 ||(n⊕p 0 )), owing to the one-way hash function, A 1 cannot derive ID or PW from d 2 .
Therefore, A believes that M 0,1 and M 1,1 are independent of each other. We can make a similar analysis of the response messages M 0,2 = {w 0,2 , θ 0,2 }, M 1,2 = {w 1,2 , θ 1,2 } and the confirmation messages M 0,3 = {w 0,3 , θ 0,3 }, M 1,3 = {w 1,3 , θ 1,3 }. From the above analysis, we have Pr[A Decide ] = 1/2. Thus, Adv Medium−Unlin (A) = 0. Therefore, our protocols achieve medium unlinkability. Any adversary (but A 0 ) is unable to link two different protocol sessions to the same user. □

6.2. Authentication Proof Based on BAN-Logic.

In this section, we use the popular Burrows-Abadi-Needham logic (BAN logic) to validate the authentication of the proposed protocols. By using BAN logic, we also try to find flaws in the proposed schemes and deal with authentication issues among the participants. The formal verification with BAN logic demonstrates that the proposed protocols achieve mutual authentication and allow the user and the server to establish session keys. It is well known that BAN logic [46] is the widely used logical method for reasoning about the beliefs of participants in an authentication protocol [47,48]. BAN logic uses a set of postulates to analyze and verify authentication schemes. BAN logic has three elementary items, i.e., formulas/statements, principals, and keys. Let X and Y be two statements, P and Q be principals, and K be the symbol for a key. The basic expressions of BAN logic are described in Table 5. More details can be found in [46][47][48].
The main logical postulates of BAN logic are listed as follows:
Message-meaning rule: If P believes that it shares K with Q and sees X encrypted by K (or X combined with K), then P believes that Q once said X.
Nonce-verification rule: (P|≡#(X), P|≡Q|∼X) / (P|≡Q|≡X). If P believes that X could have been uttered only recently and that Q once said X, then P believes that Q believes X.
Freshness-propagation rule: P|≡#(X) / P|≡#(X, Y). If P believes that X is fresh, then P also believes that (X, Y) is fresh.
Jurisdiction rule: (P|≡Q|⇒X, P|≡Q|≡X) / (P|≡X). If P believes that Q has authority over X and that Q believes X, then P trusts Q on the truth of X.
Message-decryption rule: If P believes that it shares K with Q and sees X encrypted by K, then P sees X.
In the following, we apply BAN logic to analyze the TAKACP-1 scheme. A similar analysis can be applied to the TAKACP-2 scheme. According to the analytic procedures of BAN logic, the proposed TAKACP-1 scheme must satisfy the following goals. The generic form of the proposed TAKACP-1 scheme is described below. From S 11 , H 7 , and Rule (4), we have S 12 : S|≡ U ↔ SK S (Goal (4)).

Informal Security Analysis.
In this section, we analyze the security of the proposed protocols. We show that the proposed protocols satisfy the essential security requirements, including medium unlinkability, the contributory property of key agreement, session key security, two-factor secrecy, and free updating of passwords. Furthermore, we confirm that the proposed schemes can withstand replay attacks and password-guessing attacks. In the following, we do not expound on two-factor security since its proof has been given in Part A and Part B of Section 4, respectively.

Medium Unlinkability.
In Part A of Section 4, we demonstrated that our protocols provide medium unlinkability. Now, we compare the privacy preservation of our protocols with that of the schemes of Guo-Chang [19], Lin [20], and Sun et al. [24]. In the Guo-Chang scheme, since the user identity is encrypted with the master key of the server into the login request R, no adversary A can reveal the user identity. So Pr[A Guess ] = 1/N. However, R is unchanged until the user updates the password. Thus, any outside adversary can distinguish whether the users in two authentication sessions are identical. That is, Pr[A Decide 2 ] = 1. Thus, we have Adv Anon−Alone (A) = 0 and Adv Weak−Unlin (A) ≥ 1/2. Hence, the Guo-Chang scheme provides anonymity-alone but not weak unlinkability. Similarly, since every request of the user contains the unchanged element IM, Sun et al.'s scheme [24] only achieves the property of anonymity-alone. The Lin scheme can provide weak unlinkability. Specifically, although the elements Q and R are kept unchanged, they are transmitted in the ciphertext E v (Q, R, T 1 ). Since an outside adversary A 2 cannot calculate the key v, it cannot obtain R. But an inside adversary A 1 can compute v and acquire Q, R. For every login of the user, the parameters {Q, R} are static until the user changes its password or identity. In the proposed protocols, i and x are chosen randomly by every individual user. Therefore, no unchanged login message can be derived by the other registered users. Thus, we obtain Adv Medium−Unlin (A) = 0. However, each time the user logs in to the server, the server validates his or her identity. So, the advantage Adv Strong−Unlin (A) is nonnegligible. The proposed schemes cannot achieve strong unlinkability.

Contributory Property of Key Agreement.
In the proposed protocols, the session key SK is h(ID||T i (x)||T j (x)||n 1 ||n 2 ||T i (T j (x))). Only in the TAKACP-1 scheme can the server use the method mentioned in [18,44] to compute i * and j * satisfying T i (x) = T i * (x) and T j (x) = T j * (x), where T i * (T j * (x)) represents a previous parameter. Since x, T i (x), and n 1 are randomly selected by the user and SK contains T i (x) and n 1 , the server still fails to predetermine a session key. Likewise, since T j (x) and n 2 are randomly selected by the server and SK contains T j (x) and n 2 , the user cannot predetermine a session key. Notably, neither the server nor the user alone can determine the specific session key in advance. Therefore, the proposed protocols satisfy the contributory property of key agreement.
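As an added illustration (not code from the paper), the following Python computes the enhanced Chebyshev polynomial T n (x) mod p 0 used by TAKACP-2 (see Step C4 above), checks the semigroup property T i (T j (x)) = T j (T i (x)) = T ij (x) on which the two key derivations rely, and derives SK on both sides as described in this subsection; the prime p 0 , SHA-256 as the hash h, and the sample values are assumptions.

```python
import hashlib

# Constructed toy parameter (NOT the paper's value): a prime modulus p0 for
# the enhanced Chebyshev polynomials T_n(x) mod p0, as used in TAKACP-2.
P0 = 2**61 - 1  # Mersenne prime, chosen only for a fast offline example


def _mat_mul(a, b, p):
    """Multiply two 2x2 matrices modulo p (tuples of tuples)."""
    return (
        ((a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
         (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p),
        ((a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
         (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p),
    )


def chebyshev_mod(n, x, p=P0):
    """Return T_n(x) mod p using the recurrence T_{k+1} = 2x T_k - T_{k-1}.

    The recurrence is a linear map on (T_k, T_{k-1}), so T_n follows from the
    (n-1)-th power of the matrix [[2x, -1], [1, 0]] applied to (T_1, T_0) =
    (x, 1). Square-and-multiply gives O(log n) matrix products instead of n
    recurrence steps, which is what makes large degrees i, j practical.
    """
    if n == 0:
        return 1 % p
    x %= p
    m = ((2 * x % p, (-1) % p), (1, 0))
    r = ((1, 0), (0, 1))
    e = n - 1
    while e:
        if e & 1:
            r = _mat_mul(r, m, p)
        m = _mat_mul(m, m, p)
        e >>= 1
    # r * (T_1, T_0)^T = (T_n, T_{n-1})^T, so T_n = r00 * x + r01 * 1
    return (r[0][0] * x + r[0][1]) % p


def session_key(identity, ti, tj, n1, n2, shared):
    """SK = h(ID || T_i(x) || T_j(x) || n_1 || n_2 || shared).

    SHA-256 stands in for the paper's one-way hash h (an assumption); the
    '||' separator models concatenation of the encoded fields.
    """
    data = "||".join(str(v) for v in (identity, ti, tj, n1, n2, shared))
    return hashlib.sha256(data.encode()).hexdigest()


def agree(identity, x, i, j, n1, n2, p=P0):
    """Run the key derivation on both sides and return (SK_user, SK_server).

    The user holds i and computes T_i(T_j(x)); the server holds j and computes
    T_j(T_i(x)). The semigroup property T_i(T_j(x)) = T_j(T_i(x)) = T_ij(x)
    makes both derivations agree. Because each side's random degree and nonce
    enter SK, neither side can fix the session key alone (contributory
    property), and changing any one input changes SK.
    """
    ti = chebyshev_mod(i, x, p)
    tj = chebyshev_mod(j, x, p)
    sk_user = session_key(identity, ti, tj, n1, n2, chebyshev_mod(i, tj, p))
    sk_server = session_key(identity, ti, tj, n1, n2, chebyshev_mod(j, ti, p))
    return sk_user, sk_server


if __name__ == "__main__":
    # Constructed sample run: x, i, j, n1, n2 are toy values, not real nonces.
    sk_u, sk_s = agree("alice", 123456789, 1001, 2003, 11, 22)
    print("user  SK:", sk_u)
    print("server SK:", sk_s)
    print("match:", sk_u == sk_s)
```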

Session Key Security.
Firstly, since i, j, n 1 , and n 2 are selected randomly in every run of the protocols, the session key SK = h(ID||T i (x)||T j (x)||n 1 ||n 2 ||T i (T j (x))) is independent of the previously generated session keys. Thus, the proposed protocols can resist known-key attacks.
Secondly, we demonstrate that the proposed protocols prevent any inside adversary from computing the session keys. Consider that an inside adversary A 1 has eavesdropped on the communication messages {e, w 1 , θ 1 }, {w 2 , θ 2 }, {θ 3 } between the user and the server. Since A 1 is a legal user of the same server, A 1 knows n. However, n 1 cannot be derived from e without the server's private keys p and q, where e = (cn 1 ) 2 mod n, owing to the quadratic residue assumption.
Thus, the adversary still cannot recover x||T i (x) from w 1 without the knowledge of n 1 , where w 1 = h(n 1 )⊕(x‖T i (x)). Moreover, A cannot work out h(ID||n 1 ). A 1 cannot obtain n 2 ||T j (x) from w 2 , since w 2 = h(ID * ‖n 1 ′ )⊕(n 2 ‖T j (x)). Since θ 2 = h(c‖(T j (x)⊕h(n 2 ))‖SK) and θ 3 = h(SK * ‖(n 1 ⊕n 2 )‖c 0 ), due to the one-way property of the hash function, A 1 cannot determine T i (x), T j (x), or SK. In a word, the session key cannot be derived from the messages transmitted over the public channel. The proposed schemes achieve session key security.

Table 5: Basic notations of BAN logic.
Symbol: Description
P|≡X: The principal P believes a statement X, or P would be entitled to believe X.
P⊲X: P sees X. P has received a message containing X and can read and repeat X (possibly after doing some decryption).
P|∼X: P once said X. P at some time sent a message containing X. It is not known whether this is a replay, though it is known that P believed X when he or she sent it.
P|⇒X: P has jurisdiction over X. P is an authority on X and is trusted on this matter.
#(X): The formula X is fresh. That is, X has never been sent in a message at any time before the current run of the protocol.
P ↔^K Q: K is a key shared between P and Q. P and Q may use K to communicate, and K is good since it can never be discovered by any principal except P or Q, or a principal trusted by either P or Q.
P ⇔^X Q: The formula X is a shared key known only to P and Q, and possibly to principals trusted by them.
{X}_K: The formula X is encrypted by K.
⟨X⟩_Y: This represents X combined with the formula Y. It is intended that Y be a secret and that its presence proves the identity of whoever utters ⟨X⟩_Y. X is simply concatenated with Y, while Y plays the role of a proof of origin for X.

6.3.4. Free Updating of Password.

As described in Part C of Section 5, a user can freely update the password without any interaction with the server during the password change phase.

Resistance to Password Guessing Attacks.
In the proposed TAKACP protocols, the login request message e depends on the password PW. An inside adversary A 1 may attempt to guess the password through the equation c = d 1 ⊕ h(ID||PW). However, an inside adversary A 1 still cannot obtain c from e since e = (cn 1 ) 2 mod n. Therefore, the proposed protocols can resist password guessing attacks.

Resistance to Replay Attacks.
The proposed schemes maintain freshness by using two nonces and two chaotic maps. Specifically, the proposed protocols guarantee the freshness of messages by using T i (x) and n 1 in Step A1, T j (x) and n 2 in Step A2, and {T i (x), T j (x), n 1 , n 2 } in Steps A3 and A4, respectively. Since n 1 is protected by the quadratic residues, only the server and the user itself know it. T i (x), T j (x), and n 2 are contained in w 1 and w 2 . They can be calculated only by one who knows the nonce n 1 . Therefore, the proposed schemes can prevent replay attacks.

Security, Functionality, and Performance Comparison
In this section, we will make a comparison with the related TAKACP protocols in terms of security, functionality, and performance.

Security Comparison.
We compare the security of our proposed TAKACP schemes with the related authenticated key agreement schemes [19][20][21][22][23][24][25][27][28][29][30]. Table 6 summarizes the security properties of the proposed schemes and illustrates the comparison result. As indicated in Table 6, the proposed schemes are highly secure compared to the related authenticated key agreement schemes [19][20][21][22][23][24][25][27][28][29][30]. In particular, the proposed schemes deal with several imperative security issues from which most of the authenticated key agreement protocols based on the Chebyshev polynomials defined on the interval [−1,+1] suffer. For example, the proposed schemes eliminate the weaknesses of the Lin scheme and the Guo-Chang scheme. In contrast, the authentication protocols [22,23,25,28,29] cannot preserve user anonymity. The protocol in [27] cannot provide the contributory property of key agreement since the session key is determined by the user. The authentication protocols [19,20,23] cannot even provide session key security. The protocols presented in [19][20][21]23] cannot provide free updating of passwords. The Guo-Chang scheme achieves anonymity-alone, while the Lin scheme provides weak unlinkability. The proposed schemes achieve the property of medium unlinkability. Note that designing a two-factor authentication protocol with strong unlinkability is still challenging.

Performance Comparison.
In this section, we evaluate the performance of the proposed schemes and make a comparison with the related authenticated key agreement schemes [19][20][21][22][23][24][25] in terms of the communication cost, storage, and computational overhead.
We suppose that the block size of secure symmetric cryptosystems is 128 bits and that the output size of a secure one-way hash function is 256 bits. In order to make the factoring problem infeasible in practical implementation, let the modulus n be an integer of 1024 bits. Since the registration of our schemes is based on a one-way hash function, the password length can be 128 bits. Suppose that the size of ID is 64 bits. In our proposed scheme, the cryptographic parameters {c, d} must be stored in the smart card. [20], and 128 × 2 + 128 + 128 = 512 bits in Lee's scheme [21]. As is shown in Table 7, during the registration, the smart card needs a little more storage space in the proposed schemes than in the other schemes [19-25, 28, 29]. However, this is practically insignificant considering that most current mobile devices, including 4G cellular phones, personal digital assistants (PDAs), and notebook computers, have a few hundred MB or a few GB of available memory.
In our proposed schemes, the messages transmitted in the registration phase are {ID, d}. The communication cost of the login protocol is 64 + 256 = 320 bits. The total size of the messages transmitted during the authenticated key exchange phase for the cryptographic parameters {e, w 1 , θ 1 }, {w 2 , θ 2 }, and {θ 3 } is (1024 + 256 + 256) + (256 + 256) + 256 = 2294 bits. The authenticated key exchange phase requires three rounds of message transmission. During the password change, the proposed schemes require no message transmission between the user and the server since the server is not involved in the phase. Let the modulus of the elliptic curve be an integer of 163 bits in Juang et al.'s scheme [23] and Sun et al.'s scheme [24]. Let the time stamp be a string of 32 bits in Guo et al.'s scheme [19], Lin's scheme [20], and Lee's scheme [21]. Juang et al.'s scheme [23] requires that the user agrees on a session key with the server through the login phase in advance and then transmits the messages E S k (ID i , h(PW i * ‖b * )) and E S k (b i * ), respectively. Hence, the size of the messages transmitted in the password change phase of Juang et al.'s scheme is 2560 bits. By similar analysis, we can evaluate the communication cost of the other related schemes [19-22, 24, 25, 27-30]. The communication and storage costs of our schemes and the related schemes are shown in Table 7.
As can be seen from Table 7, during the authenticated key exchange phase, the size of the messages transmitted between the user and the server in the proposed schemes is a little larger than in the schemes [19][20][21][22][23][24]29]. However, the proposed schemes provide the user with stronger privacy protection than the schemes in [22][23][24]. They also achieve session key confirmation, which the schemes [19][20][21]29] cannot provide. Moreover, the scheme in [29] cannot preserve the anonymity of the user. During the password change phase of the proposed schemes, no message transmission between the user and the server is required. In contrast, the server of the other schemes [19][20][21][22][23]25] is involved in the password change, and quite a few messages are transmitted between the user and the server.
Now, we evaluate the computation cost of our protocols and the related protocols. Let T c denote the time to execute one Chebyshev polynomial computation. Let T s represent the time to execute one symmetric encryption/decryption operation. We refer to T h as the time to execute one one-way hash function operation. Let T m denote the time to execute one scalar multiplication in the elliptic curve group. T e represents the time to execute one exponentiation operation. We denote by T sq the time to execute one squaring operation. T crt represents the time to solve the square roots through the CRT method. Since the XOR operations cost very little, we neglect them. Since a user is required to register with a server only once, the computational cost of the registration phase is not listed in Table 8. The proposed protocols protect the random number n 1 and the shared secret c by using quadratic residues. The user requires one modular squaring operation, and the server requires one square root solving operation through the CRT and one symmetric decryption.
The proposed protocols require no symmetric encryption operation on the user side. The user needs only one Chebyshev polynomial computation, which is one (two) fewer than in the Lin scheme (the Guo-Chang scheme). The proposed protocols require one symmetric encryption operation and one Chebyshev polynomial computation on the server side, which is two (one) fewer symmetric encryption operations and two (two) fewer Chebyshev polynomial computations than in the Lin scheme (the Guo-Chang scheme). In the proposed protocols, the one modular squaring operation does not affect user efficiency since the implementation of one modular squaring [35] can be reduced to only a few hundred gate-equivalents. In practical implementations of the proposed protocols, to efficiently compute square roots in Z n * , the server performs the pre-computation of [22]. To be specific, S pre-computes and stores the inverse p ′ of p modulo q and the inverse q ′ of q modulo p. In order to compute the square roots of a, one first computes a 1 = a (p+1)/4 mod p and a 2 = a (q+1)/4 mod q; then he or she can rapidly calculate the four square roots of a in Z n * , for example, (p ′ pa 2 + q ′ qa 1 ) mod n. Since p ≡ q ≡ 3 (mod 4), the computation of (a 1 , a 2 ) requires about the same time as one modular exponentiation in Z n * . Consequently, we have 1T crt ≈ 1T e .
We have executed these operations using the PyCrypto library in Python on a computer with 16 GB RAM and a clock speed of 3.60 GHz. The time costs of all operations are as follows: T h ≈ 0.0035 ms, T c ≈ 0.1215 ms, T s ≈ 0.0105 ms, T m ≈ 0.109 ms, T sq ≈ 0.0035 ms, and T crt ≈ 0.0028 ms. Table 8 summarizes the computation cost of our scheme and of those described in [19][20][21][22][23][24][25][27][28][29][30]. As shown in Table 8 and Figure 6, during the authenticated key exchange phase, both the user and the server in the proposed protocols incur the lowest computation cost among the two-factor authentication protocols [19-21, 29, 30] based on chaotic maps. In addition, the proposed schemes require no involvement of the server during the password change phase. Moreover, in comparison with the related schemes [19][20][21][22][23][24][25], the user incurs a very low computation cost during the password change phase of the proposed schemes.
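To make the square-root step concrete, here is an added Python example (not the authors' implementation) of the server-side CRT procedure described above, applied to a login value e = (c‖n 1 ) 2 mod n of the kind discussed under session key security and password guessing; the toy primes, the packing of c and n 1 into one integer, and the SHA-256 tag standing in for the θ 1 check that selects the right root are assumptions.

```python
import hashlib

# Constructed toy primes with p ≡ q ≡ 3 (mod 4): the Mersenne primes 2^89-1 and
# 2^127-1. They are NOT the paper's parameters and are far below the 1024-bit
# modulus the paper recommends; they only keep the example fast and offline.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q
C_BITS = 100  # assumed width of the c field; c and n1 are both < 2^C_BITS


def precompute_crt(p, q):
    """Server-side precomputation from the text: p' = p^-1 mod q, q' = q^-1 mod p."""
    return pow(p, -1, q), pow(q, -1, p)


def square_roots_mod_n(a, p, q, p_inv, q_inv):
    """Return the square roots of a quadratic residue a in Z_n, n = pq.

    With p ≡ q ≡ 3 (mod 4) the roots modulo each prime are ±a^((p+1)/4) mod p
    and ±a^((q+1)/4) mod q, so the dominant cost is one modular exponentiation
    per prime (the paper's T_crt ≈ T_e). The four (s1, s2) pairs are then glued
    with the CRT formula (p' p a_2 + q' q a_1) mod n given in the text.
    """
    n = p * q
    a1 = pow(a, (p + 1) // 4, p)
    a2 = pow(a, (q + 1) // 4, q)
    roots = set()
    for s1 in (a1, (-a1) % p):
        for s2 in (a2, (-a2) % q):
            roots.add((p_inv * p * s2 + q_inv * q * s1) % n)
    return sorted(roots)


def _tag(value):
    """SHA-256 of the fixed-width encoding of value; stands in for theta_1."""
    return hashlib.sha256(value.to_bytes((N.bit_length() + 7) // 8, "big")).hexdigest()


def user_login_blob(c, n1):
    """Model the user side: e = (c || n1)^2 mod N plus a verification tag.

    The paper writes e = (cn_1)^2 mod n; here c and n1 are packed into one
    integer m (an assumed encoding) and squared. Squaring modulo N is cheap
    for the user, while recovering m from e without p and q is as hard as
    factoring N, which is why an insider who knows N learns nothing about n1.
    """
    if not (0 < c < 2**C_BITS and 0 <= n1 < 2**C_BITS):
        raise ValueError("c and n1 must fit the assumed field widths")
    m = (c << C_BITS) | n1
    return pow(m, 2, N), _tag(m)


def server_recover(e, tag, p, q, p_inv, q_inv):
    """Server side: compute the four roots of e and keep the one whose tag
    verifies (the role the theta_1 check plays in the protocol).

    Returns (c, n1) or None when no root verifies, i.e. the message is
    rejected rather than guessed at.
    """
    for root in square_roots_mod_n(e, p, q, p_inv, q_inv):
        if _tag(root) == tag:
            return root >> C_BITS, root & ((1 << C_BITS) - 1)
    return None


if __name__ == "__main__":
    p_inv, q_inv = precompute_crt(P, Q)
    e, tag = user_login_blob(12345, 67890)  # constructed sample values
    print("recovered (c, n1):", server_recover(e, tag, P, Q, p_inv, q_inv))
```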

Conclusion
In this paper, we have examined the limitations of Lin's chaotic map-based authenticated key agreement protocol and proposed two TAKACP protocols with key confirmation. Compared with the Lin protocol and the Guo-Chang protocol, the proposed protocols achieve the following additional merits: session key secrecy, medium unlinkability, and free updating of passwords. The proposed protocols with the enhanced security do not affect the user's or the server's efficiency.
Therefore, the proposed protocols are highly feasible for practical implementation.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

[Figure 6 legend: Guo et al. [19]; Lin [20]; Lee [21]; Irshad et al. [29]; Irshad et al. [30]; Our protocols]