An Extended Chaotic Map-Based Authentication and Key Agreement Scheme for Multi-Server Environment

With the increasing number of users and the emergence of different types of network services, a multi-server architecture has emerged in recent years. In order to ensure the secure communication of Internet participants in an open network environment, authentication and key agreement protocols for multi-server architectures were proposed in the past. In 2018, Chatterjee et al. put forward a lightweight three-factor authentication and key agreement protocol for a multi-server environment, and they claimed that all known security features with satisfactory performance could be realized in their protocol. However, it is found that their scheme is vulnerable to user impersonation attacks and cannot achieve user un-traceability and three-factor security through our cryptanalysis. In order to solve these shortcomings, we propose a new lightweight and anonymous three-factor authentication scheme for the multi-server environment in this article. Furthermore, the proposed protocol is proved to be AKE secure theoretically, and we use BAN-logic to prove that our protocol realizes mutual authentication between communication participants. Finally, we show that our proposed scheme is practical and efficient through the comparison of security features and performance.

In the traditional single-server network environment, there is a service provider that provides network services for many users. When users access network services, they need to provide legal user identity and authentication factors (passwords, smart cards, biometrics). However, with the strong demand for more types of network services, users need to prepare multiple sets of user identity and authentication factors to register with multiple single-server network systems in order to access different single-server network systems. Obviously, this has caused great inconvenience. If users set the same authentication factors in different systems, when the user password of a system is leaked, it will also affect the security of other systems, which has great security risks. On the other hand, each service system needs an authentication server to complete the user registration operation, which causes a serious waste of resources.
In order to solve the above drawbacks, the authentication key agreement protocol for a multi-server environment arises at the historic moment. Users can use the same identity and authentication factors to complete mutual authentication with different servers in the system so as to obtain the corresponding network services. Generally, the registration center RC needs to complete the initialization of the system. At the same time, it is responsible for the registration of users and service providers into the system and distributes the secret information related to the registrants when the registration is completed. When the registered users want to access the network services, they need to authenticate with the server and establish their session key after the authentication to ensure future network communication security [5]. The network model of the multi-server environment is shown in Figure 1.
In 2001, Li et al. [6] proposed the first authentication protocol in a multi-server environment. However, Lin et al. [7] pointed out that the performance of the protocol is poor due to the use of the neural network. Meanwhile, to improve the performance of the protocol, Lin et al. designed an authentication protocol based on a discrete logarithm problem [7].
Unfortunately, their scheme was soon found unable to resist the attack of fake users [8]. At the same time, for the sake of improving the performance, many authentication protocols based on symmetric cryptography primitives [9][10][11][12][13][14][15] have been proposed.
Although these protocols use lightweight symmetric cryptography primitives and their performance has been improved, it is difficult for these protocols to achieve strong security attributes, such as perfect forward secrecy. To ensure the security and practicability of the protocol, researchers designed an authentication protocol based on Elliptic Curve Cryptography in a multi-server environment. In 2013, Yoon and Yoo proposed a three-factor authentication protocol based on elliptic curve cryptography [16]. However, the protocol is not secure; malicious users can fake the identity of other users to obtain network services [17]. Subsequently, He and Wang put forward an improved protocol [18] based on Yoon's protocol [16], but Odelu et al. [19] pointed out that the improved protocol could not achieve user anonymity. In 2015, Tsai proposed a new authentication protocol for multi-server environments [20] and claimed that their protocol could achieve strong security. However, reference [21] claimed that the protocol could not resist server spoofing attacks. Since 2017, Kumari et al. [22] and Wu et al. [23] have proposed relevant authentication protocols for multi-server environments. However, some security problems were found in the proposed schemes by Feng et al. [24] and Wang et al. [25], respectively. Kumari et al.'s scheme [22] has weak user un-traceability and is vulnerable to man-in-the-middle attacks. Wu et al.'s scheme [23] is vulnerable to smart card stolen attacks and temporary information leakage attacks. Based on the previous works, the improved schemes enhance the security and performance step by step. For example, Haq et al. [26] put forward a new, improved protocol based on the work of Ying-Nayak et al. [27] and Kumar-Om et al. [28] in 2021.
In recent years, as an effective security mechanism to ensure network security, the authentication protocol in multi-server environments has been paid attention to by scholars, and the related protocols [29] have been proposed one after another. In the research process of authentication and key agreement protocol, these schemes not only need to improve the security (such as introducing biological information as the security factor) but also should have better performance to adapt to the more practical environment, such as wireless sensor network, body area network, and so on.
Through the review of the authentication schemes above, we find that researchers tend to overlook the user un-traceability and N-factor security of their protocols, and many protocols are also vulnerable to user impersonation attacks. For instance, Chatterjee et al. proposed a three-factor authentication and key agreement protocol based on an extended chaotic map for the multi-server environment in 2018 [30] and claimed that the protocol could achieve all known security features with satisfactory performance. However, it is found that their scheme is vulnerable to user impersonation attacks and cannot achieve user un-traceability and three-factor security through our cryptanalysis.
Based on our analysis of the above protocols, we propose three basic design principles of authentication and key agreement protocol for multi-server environments in this study:
(1) The authentication and key agreement protocol with high-level anonymity cannot be realized only by using symmetric cryptography (such as hash function and XOR operation). In other words, public key technology is a necessary condition to realize user anonymity.
(2) In order to ensure the n-factor security of the authentication protocol, the local verification of the smart card cannot be the deterministic verification method, and the fuzzy authentication technology should be introduced to avoid the offline password guessing attacks initiated by the adversary.
(3) In the login and authentication phase, the requester has a complete set of legal ID, password, smart card, and biological information, which is the necessary condition to generate legal login request information. Only in this way can we ensure the correctness of users' identity and resist the user impersonation attacks.

Contributions
Our crucial contributions are as follows.
(1) We review and analyze Chatterjee et al.'s three-factor authentication scheme for multi-server environments. Further, we show that their scheme is vulnerable to user impersonation attacks and cannot achieve user un-traceability and three-factor security.
(2) We present a new lightweight anonymous three-factor authentication scheme with perfect forward secrecy for multi-server environments. Our scheme uses an extended chaotic map and achieves strong security.
(3) The proposed protocol is proved to be AKE secure theoretically, and we use BAN-logic to prove that our protocol realizes mutual authentication between communication participants.
(4) Through the comparison of security features and performance, it can be found that our proposed scheme is excellent and practical.

Discrete Logarithm
Given a finite cyclic group $G_1$ and its generator $g \in G_1$, there is a unique integer $x$ such that $a = g^x$, $a \in G_1$. $x$ is the discrete logarithm of $a$, which is recorded as $x = \log_g a$.
Discrete logarithm problem (DLP): Given a finite cyclic group $G_1$ whose generator is $g \in G_1$ and an element $a \in G_1$, DLP is to find the integer $x$ such that $a = g^x$.
Computational Diffie-Hellman problem (CDHP): Given a finite cyclic group $G_1$ whose generator is $g \in G_1$ and two elements $g^a, g^b \in G_1$, CDHP is to calculate the value of $g^{a \cdot b}$.
DLP and CDHP are known mathematical problems, which are not computationally feasible; that is, they are not solvable in polynomial time. They are often used in the construction and design of public-key cryptography.

Chebyshev Chaotic Map
The Chebyshev chaotic map satisfies the following iterative relation:
The Chebyshev chaotic map has the semi-group property, i.e., $T_r(T_s(x)) = T_{sr}(x) = T_s(T_r(x))$.
Chaotic map discrete logarithm problem (CMDLP): Given a Chebyshev chaotic map $T_n(x)$ and two random variables $x$ and $y = T_r(x)$, CMDLP is to calculate the value of $r$.
Computational chaotic maps Diffie-Hellman problem (CMCDHP): Given a Chebyshev chaotic map $T_n(x)$ and $(x, y = T_r(x), z = T_s(x))$, CMCDHP is to calculate the value of $T_{sr}(x)$.
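
The semi-group property is what lets two parties who exchange $T_{n_i}(z)$ and $T_{n_j}(z)$ arrive at the same value, which the scheme later hashes into a session key. The Python below is an added example, not code from the paper. It assumes the standard Chebyshev recurrence $T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x)$ reduced modulo a prime, a constructed modulus `P`, SHA-256 in place of $h(\cdot)$, and hypothetical function names; the scheme's authentication messages are omitted.

```python
import hashlib
import secrets

# Assumption: the page gives no modulus; this Mersenne prime is a constructed
# value chosen only so the example runs.
P = 2**127 - 1


def _mat_mul(a, b, p):
    """Multiply two 2x2 matrices stored as flat 4-tuples, modulo p."""
    return (
        (a[0] * b[0] + a[1] * b[2]) % p,
        (a[0] * b[1] + a[1] * b[3]) % p,
        (a[2] * b[0] + a[3] * b[2]) % p,
        (a[2] * b[1] + a[3] * b[3]) % p,
    )


def chebyshev(n, x, p=P):
    """T_n(x) mod p in O(log n) steps via the recurrence's companion matrix."""
    if n < 0:
        raise ValueError("degree must be non-negative")
    if n == 0:
        return 1 % p
    x %= p
    # M maps (T_k, T_{k-1}) to (T_{k+1}, T_k) because T_{k+1} = 2x*T_k - T_{k-1}.
    m = ((2 * x) % p, p - 1, 1, 0)
    acc = (1, 0, 0, 1)  # identity matrix
    e = n - 1
    while e:
        if e & 1:
            acc = _mat_mul(acc, m, p)
        m = _mat_mul(m, m, p)
        e >>= 1
    # (T_n, T_{n-1}) = M^(n-1) applied to (T_1, T_0) = (x, 1)
    return (acc[0] * x + acc[1]) % p


def chebyshev_naive(n, x, p=P):
    """Reference implementation: iterate the recurrence n-1 times."""
    prev, cur = 1 % p, x % p
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % p
    return cur


def session_key(pid, p_ij, t):
    """SK = h(PID_i || P_ij || T_ij); SHA-256 stands in for h(.)."""
    return hashlib.sha256(pid + p_ij + t.to_bytes(16, "big")).hexdigest()


def key_agreement(z, pid, p_ij, n_i=None, n_j=None):
    """Run both sides of the exchange and return what each side derives."""
    n_i = n_i if n_i is not None else secrets.randbelow(P - 2) + 2  # user nonce
    n_j = n_j if n_j is not None else secrets.randbelow(P - 2) + 2  # server nonce
    big_n_i = chebyshev(n_i, z)      # N_i = T_{n_i}(z), computed by the user
    big_n_j = chebyshev(n_j, z)      # N_j = T_{n_j}(z), computed by the server
    t_ij = chebyshev(n_i, big_n_j)   # user side:   T_{n_i}(N_j)
    t_ji = chebyshev(n_j, big_n_i)   # server side: T_{n_j}(N_i)
    return {
        "t_ij": t_ij,
        "t_ji": t_ji,
        "sk_user": session_key(pid, p_ij, t_ij),
        "sk_server": session_key(pid, p_ij, t_ji),
    }


if __name__ == "__main__":
    # Constructed sample values; PID_i and P_ij are placeholders for the
    # hash outputs the scheme would produce.
    out = key_agreement(z=987654321, pid=b"PID-constructed", p_ij=b"P_ij-constructed")
    print("T_ij == T_ji:", out["t_ij"] == out["t_ji"])
    print("session keys match:", out["sk_user"] == out["sk_server"])
```

An eavesdropper sees only $N_i$ and $N_j$; recovering $T_{n_i n_j}(z)$ from them is the CMCDHP defined above.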

Adversarial Model
Due to the openness of the Internet, the attacker can easily control the information spread in the public channel, tamper, replay, block the information, and then launch a possible malicious attack, as shown in Figure 2. In this paper, the adversary A's capabilities in a multi-server environment are set as shown in Table 1.

1. A can enumerate every possibility of user identity and password.
2. A can extract the secret information from the smart card through side-channel technology.
3. A can intercept, modify, or block messages propagated in the public channels.
4. For a three-factor scheme, A can capture two of the authentication factors simultaneously.
5. A can capture an expired session key.
6. A can get the long-term private keys of users, RC, or servers (only when evaluating forward secrecy).

Review of Chatterjee et al.'s Scheme
In the highly cited paper published by Santanu Chatterjee et al., an authentication protocol based on an extended Chebyshev chaotic map for multi-server environments was proposed in 2016 [30]. This section will take Chatterjee's protocol as an example to analyze and point out the security defects of this kind of authentication protocol.
Chatterjee et al.'s scheme mainly consists of the following phases: system setup phase, user registration phase, server registration phase, login and authentication phase, and user password and biometric update phase. Table 2 lists the symbols used in their scheme.

| Symbol | Description |
| --- | --- |
| | Hash function |
| $BH(\cdot)$ | Biological hash function |
| $T_x(\cdot)$ | Chebyshev polynomial |
| $E_k(\cdot)/D_k(\cdot)$ | Symmetric encryption/decryption algorithms |
| $K_s$, $K_u$ | Private key of RC |
| $x_j$ | Private key of $S_j$ |
| $ID_{U_i}$ | Identification of $U_i$ |
| $ID_{S_j}$ | Identification of $S_j$ |
| $PW_i$ | Password of $U_i$ |
| | Session key of $U_i$ and $S_j$ |
| $\oplus$ | XOR operation |
| | Concatenation operation |

The detailed description of the scheme is as follows:

System Setup Phase
Step 1: The Registration Center RC randomly selects $K_s$ and $K_u$ from $[-\infty, +\infty]$.

Server Registration Phase
Step 1: The server $S_j$ sends its identity $ID_{S_j}$ to RC through a secure channel.
Step 2: After receiving the registration information, RC randomly selects $x_j$, calculates

User Registration Setup Phase
Step 1: The user $U_i$ selects his identity $ID_{U_i}$, password $PW_i$ and enters his biological information $B_i$. Next, $U_i$ obtains the current timestamp $T_i$, generates a random number $R_i$
Step 2: After receiving the registration request from $U_i$, RC randomly selects $x_i$ and $K_{u_i}$ and computes the Chebyshev polynomials T where $m$ is the number of servers in the system.
Step 3: After $U_i$ completes registration, RC selects a random number $Ur_i$ and calculates Finally, RC transmits $\{Uh_i, Ur_i, ID_i\}$ to all servers in the system through the secure channel.

Login and Authentication Phase
Step 1: The user $U_i$ inserts his smart card $SC_i$ into the terminal, inputs his identity $ID_i$, password $PW_i$, and collects the biometrics The smart card verifies whether $A_i \stackrel{?}{=} A_i$ is true or not; if not, $SC_i$ rejects the login request of $U_i$; otherwise, $SC_i$ obtains the current timestamp $TS_i$, generates a random number $RN_i$, and calculates $K_s$
Step 2: The server $S_j$ receives $M_1$ and first verifies the validity of the time stamp $TS_i$. If the time stamp $TS_i$ is invalid, $S_j$ rejects the login request; otherwise, $S_j$ calculates , and compares the calculated result with the received corresponding value; if not, $S_j$ terminates the session; otherwise, $S_j$ authenticates $U_i$ successfully. Next, $S_j$ obtains the current timestamp $TS_j$ and calculates , and the session key
Step 3: $U_i$ receives $M_2$ and verifies the validity of time stamp $TS_j$. If $TS_j$ is invalid, $U_i$ terminates the session; otherwise, $U_i$ computes holds, $U_i$ authenticates $S_j$ successfully and calculates session key
The process of login and authentication phase is shown in Figure 3.

User Password and Biometric Update Phase
Step 1: The user $U_i$ inserts his smart card $SC_i$ into the terminal, inputs his identity $ID_{U_i}$ and password $PW_i$, and collects his biometric if not, the smart card rejects the login request of $U_i$; otherwise, $SC_i$ makes $U_i$ enter a new password and new biological information.
Step Step 3:

User Un-Traceability
The adversary can intercept the information transmitted between the user and the server in the public channel. Due to the protection of hash function, the adversary cannot directly extract the user's identity. However, in the login request information of user It can be found that the $ID_i$ generated by the same user in each login request is fixed. Therefore, it is easy for adversaries to determine whether two sessions are initiated by the same user through $ID_i$, so as to track the user's behavior. Therefore, the protocol proposed by Chatterjee et al. cannot achieve user un-traceability.

Three-Factor Security
Chatterjee et al.'s protocol involves three security factors: user password, smart card, and user's biometrics. Suppose that the adversary accidentally obtains the smart card and biometric $B_i$ of user $U_i$; the adversary can then obtain the password of $U_i$ through the following operations:
Step 1: The adversary A uses the side-channel attack technology [32] to extract the se-
Step 2: A guesses that the identity and password of and $PW^*_i$ are generated from user identity space $D_{id}$ and password space $D_{pw}$, respectively.
Step 4: The smart card verifies whether
According to the above steps, it takes $(5T_h) \cdot |D_{id}| \cdot |D_{pw}|$ to complete the offline password guessing attack, where $T_h$ is the time needed to run the hash function once, and the XOR operation can be ignored because its cost is small. According to reference [33], $|D_{id}| \le |D_{pw}| \le 10^6$. Using the computing processor Intel i7-5500 3.6 GHz in reference [34], $T_h \approx 0.564\,\mu s$, the adversary can complete the above attack within 33 days. If a high-performance cloud platform launches the attack, the user's password can be guessed within a few hours.

User Impersonation Attack
Since $\{(ID_{S_j}, T_{x_j}(K_s)) \mid 1 \le j \le m\}$ is stored in each user's smart card, malicious users can intercept the login request information of user $U_i$ to initiate login request as user $U_i$ and pass the authentication of server $S_j$. The specific operations are as follows:
Step 1: The malicious user A intercepts
Step 2:
Step 3: Through the information obtained in Step 2, A can generate a new timestamp $TS_i$ and construct the legitimate request information $m$ of user $U_i$ requesting to log in to server $S_j$:

The Proposed Scheme
The proposed protocol includes the following phases: system setup phase, server registration phase, login and authentication phase, user registration phase, and user password and biometric update phase. The symbols used in the proposed protocol are shown in Table 3. The detailed description of the protocol is as follows:

System Setup Phase
The registration center RC randomly selects $x$, $y$ as the system master keys in $[-\infty, +\infty]$. Next, RC selects a secure hash function $h(\cdot)$.

Server Registration Phase
Step 1: The server $S_j$ selects its identity $SID_j$ and passes it to RC through a secure channel.
Step 2: After receiving $SID_j$, RC calculates $K_j = h(SID_j \| y)$ and publishes information $\{SID_j, z\}$. Next, RC sends $K_j$ back to $S_j$ through the secure channel.
Step 3: $S_j$ receives $K_j$ and keeps it secret.

User Registration Setup Phase
Step 1: The user $U_i$ selects his identity $ID_i$ and password $PW_i$ and enters his biometric $Bio_i$. Then, $U_i$ uses the biological hash function $BH(\cdot)$ to get $b_i$ and calculates
Step 2: After receiving $U_i$'s registration information, RC computes is the number of servers in the systems. At last, $\{A_i, C_i, E_{ij}, F_{ij}, n, h(\cdot), h(x \| y), z\}$ are written into the smart card $SC_i$, and $SC_i$ is transmitted to $U_i$ via the secure channel.
Step 3: $U_i$ keeps $SC_i$ properly.
The process of the registration phase is shown in Figure 4.

Login and Authentication Phase
Step 1: The user $U_i$ inserts his smart card $SC_i$ into the terminal and inputs his identity $ID_i$, password $PW_i$, and biometric $Bio_i$. $SC_i$ calculates $b_i = BH(Bio_i)$, $PID_i = h(ID_i \| b_i)$, $PWB_i = h(PW_i \| b_i)$, and verifies whether $A_i \stackrel{?}{=} h(ID_i \| PWB_i) \bmod n$ is established; if not, $SC_i$ terminates the session; otherwise, $SC_i$ generates a random number $n_i$, selects the identity of the server to be accessed $SID_j$, and calculates $N_i = T_{n_i}(z)$,
Step 2: Upon the receipt of login request from $U_i$, $S_j$ computes and verifies that $M_1$ and $M_1^*$ match. If not, $S_j$ terminates the session. Otherwise, $S_j$ generates a random number $n_j$ and calculates $N_j = T_{n_j}(z)$,
Step 3: $U_i$ receives $\{M_2, M_3\}$ and calculates $N_j = M_3 \oplus N_k$. $U_i$ verifies whether $M_2 \stackrel{?}{=} h(PID_i \| P_{ij} \| D_{ij} \| B_i \| SID_j \| N_j)$ is established; if not, $U_i$ terminates the session; otherwise, $U_i$ identifies $S_j$ as legal. After that, $U_i$ computes $M_4 = h(B_i \| D_{ij} \| N_j \| SID_j)$, $T_{ij} = T_{n_i}(N_j)$, and gets the session key $SK_{ij} = h(PID_i \| P_{ij} \| T_{ij})$. Ultimately, $\{M_4\}$ is delivered to $S_j$.
Step 4: $S_j$ receives $\{M_4\}$ and verifies whether $M_4 \stackrel{?}{=} h(B_i \| D_{ij} \| N_j \| SID_j)$ holds; if not, $S_j$ terminates the session; otherwise, $S_j$ certifies that the identity of $U_i$ is legal.
Furthermore, $S_j$ computes $T_{ji} = T_{n_j}(N_i)$ and reaches the same session key with $U_i$:
The process of login and authentication phase is shown in Figure 5.

User Password and Biometric Update Phase
Step 1: The user $U_i$ inserts his smart card $SC_i$ into the terminal, inputs his identity $ID_{U_i}$ and password $PW_i$, and collects his biometric $B_i$. $SC_i$ calculates $b_i = BH(Bio_i)$, if not, $SC_i$ terminates the session; otherwise, $SC_i$ makes $U_i$ enter a new password and new biological information.

Provable Security
Based on the BPR2000 model [35], the following is the description of the random oracle model and the definition of AKE security:
(1) Participants
As participants, users $U$ and servers $S$ have many different instances, which are called oracles. The $i$-th instance of $U$ and the $j$-th instance of $S$ are denoted as $U_i$ and $S_j$, respectively, and any instance can be denoted as $I$ uniformly.
(2) Queries
Execute($U_i$, $S_j$): The query captures the passive eavesdropping of the scheme, and its output includes all the communication records of the scheme between $U_i$ and $S_j$.
Send($U_i$, start): This query indicates a login request that triggers the scheme startup and outputs $U_i$.
Send($I_i$, $m$): This query captures active attacks. More precisely, the adversary A constructs a forged message $m$ by interrupting and intercepting messages. Then, A sends $m$ to $I_i$ and gets a response from $I_i$.
Reveal($I_i$): If $I_i$ accepts the session and generates the session key $SK$, it will respond to A with $SK$.
Corrupt($I_i$, $a$): The query simulates the capture of any two of the three security factors. If $a = 1$ and $I = U$, the user password and all parameters stored in the smart card are returned to A. If $a = 2$ and $I = U$, the user biometrics and all parameters stored in the smart card are returned to A. If $a = 3$ and $I = U$, the user password and biometrics are returned to A. If $a = 1$ and $I = S$, the long-term private key of the server is returned to A.
Test($I_i$): The oracle tosses a coin $b \in \{0, 1\}$; if $b = 1$, it returns the session key; if $b = 0$, it returns a random number with the same length as the session key.

(4) Freshness
A user instance or server instance is called fresh if (i) $I$ has calculated an acceptable session key; (ii) A has not made any Reveal queries to $I$ or its partners; (iii) from the beginning of the game, A makes Corrupt query to $I$ or its partners at most once.
Definition 1. The adversary A outputs the result of guess $b'$ through Test queries. If $b' = b$, A wins the game. The advantage probability of breaking the security of the protocol $P$ is defined as: If the probability $Adv^{AKE}_{P}(A)$ is negligible for any probabilistic polynomial time adversary A, the protocol $P$ is AKE secure.
Theorem 1. Suppose the adversary A operates $q_{send}$ Send queries, $q_{exe}$ Execute queries and $q_h$ Hash queries to break the AKE security of the protocol. $Adv^{CMCDH}_{A}(t)$ represents the advantage probability of A solving CMCDH problem in the polynomial time $t$, then we have: where $C'$ and $s'$ are the CDF-Zipf regression parameters of password space, $l$ is the bit length of hash function output, $t \le t + (q_{send} + q_{exe} + 1)T_c$, and $T_c$ represents the running time of extended chaotic map operation.
Proof. Game $G_i$, $0 \le i \le 5$ is created to prove that the proposed scheme is provably secure, and $Suc_i$ stands for A correctly guessing $b$ in game $G_i$ using Test queries.
Game $G_0$: This game simulates the real attack in the random oracle model. We can get:
Game $G_1$: This game manages Hash list $L_h$ while simulating random oracle. Then we get:
Game $G_2$: In $G_2$, if there is a collision of interactive information or a collision of Hash query results, the game ends; otherwise, $G_2$ simulates all queries in $G_1$. According to the birthday paradox [36], the collision probability of the result of Hash query is ; therefore, we derive the following result:
Game $G_3$: In game $G_3$, if A guesses the information $M_1$ and $M_2$ used for authentication correctly, the game ends; otherwise, $G_3$ is the same simulation as the previous game; therefore, we derive the following result:
Game $G_4$: In this game, A guesses the session key without asking the corresponding random oracle. Therefore, this game is indistinguishable from the previous game, except that A makes queries for $SK_{ji} = h(PID_i \| P_{ij} \| T_{ji}) = h(PID_i \| P_{ij} \| T_{ij}) = SK_{ij}$. Thus, we get that: where $t \le t + (q_{send} + q_{exe} + 1)T_c$.
Game $G_5$: This game is similar to the previous game, but the only difference is the Test query. If A performs the Test query on $h(PID_i \| P_{ij} \| T_{n_i n_j}(z))$, the game will be terminated. Therefore, the maximum probability of obtaining session key by random oracle query is $\frac{q_h^2}{2^{l+1}}$. Moreover, if Corrupt($U_i$, 2) query is executed, Corrupt($U_i$, 1) and Corrupt($U_i$, 3) can no longer be queried. According to reference [37], in the case of $q_{send}$ times of send query for online guess, the probability of getting the password is at most $C' \cdot q_{send}^{s'}$. According to the definition of freshness, A can perform Test($I_i$) query after performing Corrupt($I_i$, $a$) query. As a result, outdated copies are used in old games (perfect forward secrecy). Therefore, the maximum probability of A getting $T_{n_i n_j}(z)$ is .
Then, we get: If A does not request any random oracle query with valid input, then the game has no advantage to distinguish the real $SK$ from the random string with the same length, so we get: According to Formulas (2)

BAN-Logic
Burrows, Abadi, and Needham proposed BAN-logic [38] in 1989. BAN-logic is a belief-based modal logic, which can be used to describe and verify authentication protocols. When using BAN-logic to analyze the security of authentication protocol, we first need to idealize the interaction information in the protocol, then make initialization assumptions according to the specific situation, and finally get the expected goal through reasoning rules. Table 4 introduces the notations for the BAN-logic, and some basic rules are described in Table 5.

Table 4. BAN-logic notations.

| Symbol | Description |
| --- | --- |
| $P \mid\equiv X$ | P believes X. |
| P X | P sees X. |
| $P \mid\sim X$ | P sends X. |
| $P \Rightarrow X$ | P has jurisdiction over X. |
| | Use the key K to compute X. |
| $P \stackrel{SK}{\leftrightarrow} Q$ | P and Q reach shared key SK. |

Table 5. Basic logical postulates of BAN-logic.

Symbol Description
Message-meaning rule
(1) The idealized form of the proposed scheme
(2) Verification goals
(3) Assumptions about the initial state
A1: $U_i \mid\equiv \#(n_i, n_j)$. A2: $S_j \mid\equiv \#(n_i, n_j)$.
(4) Proofs
Step 1: According to Message 1, we know that $S_j$ ($PID_i$, $P_{ij}$
Step 2: According to Step 1, A4, and the message-meaning rule, we obtain the following:
Step 3: According to A2, freshness-conjuncatenation rule, $P_{ij} = E_{ij} \oplus h(SID_j \| h(x \| y) \| N_i)$, and $N_i = T_{n_i}(z)$, the following can be inferred: $S_j \mid\equiv \#(PID_i, P_{ij})$.
Step 4: From Step 2, Step 3, and the nonce verification rule, we get that:
Step 5: From Step 4, A4, and $SK = h(PID_i \| P_{ij} \| T_{ij})$, we prove Goal 4:
Step 6: According to Step 5, A6, and the jurisdiction rule, we prove Goal 3:
Step 7: According to Message 2, we know that
Step 8: According to Step 7, A3, and the message-meaning rule, we obtain the follow-
Step 9: According to A1, freshness-conjuncatenation rule, $N_j = T_{n_j}(z)$, the following can be inferred:
Step 10: From Step 8, Step 9, and the nonce verification rule, we get that:
Step 11: From Step 10, A4, and , we prove Goal 2:
Step 12: According to Step 11, A5 and jurisdiction rule, we prove Goal 1: $U_i \mid\equiv (U_i \stackrel{SK}{\leftrightarrow} S_j)$.
It can be seen from Goal 1, Goal 2, Goal 3, and Goal 4 that the mutual authentication between user $U_i$ and server $S_j$ is completed, and the session key $SK$ trusted by both parties is reached.

Informal Security Analysis
The new scheme can effectively improve the shortcomings of Chatterjee et al.'s scheme. First of all, the new protocol ensures that the information related to user identity and security factors are used reasonably in the process of generating login request information, which can effectively resist the user impersonation attack. Secondly, in the verification phase of smart cards, the modular operation is introduced, which can avoid the offline password guessing attack so as to achieve three-factor security. Finally, the construction of user login request information needs the participation of random numbers to ensure the realization of user un-traceability.
On the other hand, according to the description of the login and authentication phase of the new protocol, only with the ID, password, biological information, and smart card of the legal user $U_i$ can the user generate the legal login request information, while only the server $S_j$ with the legal $K_j$ can generate the legal response information. Therefore, on the basis of ensuring the mutual authentication between the user and the server, the server $S_j$ can get the correct $PID_i$ by calculating $PID_i = CID_{ij} \oplus h(P_{ij} \| (E_{ij} \oplus K_j))$. Due to the semi-group property of the extended Chebyshev polynomials, $T_{ij} = T_{n_i}(N_j) = T_{n_j}(N_i) = T_{ji}$, $U_i$ and $S_j$ reach the session key $SK_{ji} = h(PID_i \| P_{ij} \| T_{ji}) = h(PID_i \| P_{ij} \| T_{ij}) = SK_{ij}$ for future sessions. They complete the session key agreement, and the contributions to session key generation are equal. Next, we make a specific security analysis of our proposed protocol.
(1) Anonymity and un-traceability
In the login and authentication phase, the adversary can intercept the login request information of the user and the response information of the server. Obviously, under the protection of Hash function, the adversary cannot obtain the user's identity. Therefore, the proposed scheme can achieve user anonymity. On the other hand, the construction of $P_{ij}$, $CID_{ij}$, $N_i$, $M_1$, $M_2$, $M_3$, and $M_4$ is related to the random number $n_i$ or $n_j$. Therefore, the interactive information generated in each session is different. Even if the adversary intercepts the message, it is still unable to determine whether two sessions originate from the same user. Therefore, the new protocol can achieve user un-traceability.
it is a CMCDH problem to get $T_{ij} = T_{n_i}(N_j) = T_{n_j}(N_i) = T_{ji}$ in polynomial time from the known information. Therefore, the adversary is still unable to calculate the session key between user $U_i$ and $S_j$, and the perfect forward secrecy of the new scheme is realized.

(3) Mutual authentication
According to the description of the new scheme, only with $U_i$'s identity, password, smart card, and biometrics can the legitimate login request information be generated. The server can authenticate $U_i$'s identity by verifying the legitimacy of the received information. On the other hand, only the server $S_j$ with legal $K_j$ can correctly respond to the user's login request information. Therefore, the new scheme realizes the mutual authentication between the user and the server.

(4) Session key agreement
Based on the description of the new scheme, the user and the server can reach the session key for future communication after completing the login and authentication phase: $SK_{ji} = h(PID_i \| P_{ij} \| T_{ji}) = h(PID_i \| P_{ij} \| T_{ij}) = SK_{ij}$.

(5) Three-factor security
For the three-factor authentication protocol, the difficulty of breaking through the user password is obviously lower than the difficulty of breaking through the secret information of smart cards or user biometrics. Suppose the adversary accidentally obtains the smart card and biometrics of $U_i$, and the secret information in the smart card is extracted through the side-channel technology. However, the verification $A_i \stackrel{?}{=} h(ID_i \| PWB_i) \bmod n$ performed by the smart card in the login phase is a fuzzy verification. Even if the adversary's guess $(ID^*_{U_i}, PW^*_i)$ passes the above verification, the adversary still cannot confirm whether $PW^*_i$ is the real password of $U_i$. Specifically, through offline password guessing, the adversary can get $|D_{id}| \cdot |D_{pw}| / 2^8 \approx 2^{32}$ possible $(ID^*_{U_i}, PW^*_i)$ pairs. The adversary still needs to log in online (not offline) and traverse these user identity and password pairs to obtain the accurate user password. The server can identify the victim according to the adversary's login request. By setting the threshold of login times, when the adversary's online login times exceed the threshold, the server can refuse the adversary's login request. The adversary cannot log in to the system many times, so he cannot get the correct one of the $2^{32}$ possible passwords. Therefore, the new protocol can achieve three-factor security.
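The effect of the fuzzy verifier and the login threshold can be measured on a small scale. This is an added example, not code from the paper: it takes $n = 2^8$ from the divisor in the count above and assumes SHA-256 as `h`, a length-prefixed encoding for concatenation, $PWB_i$ modelled as `h(PW || bio)`, and constructed dictionaries of 64 identities and 512 passwords.

```python
import hashlib
from collections import defaultdict

N_FUZZ = 2**8   # fuzzy-verifier modulus n, matching the 2^8 divisor in the text

def h(*parts: bytes) -> bytes:
    """Hash of length-prefixed parts (SHA-256 and the encoding are assumptions)."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(2, "big") + part)
    return d.digest()

def fuzzy_verifier(user_id: bytes, password: bytes, bio: bytes) -> int:
    """A_i = h(ID_i || PWB_i) mod n, with PWB_i modelled as h(PW_i || bio)."""
    pwb = h(password, bio)
    return int.from_bytes(h(user_id, pwb), "big") % N_FUZZ

def surviving_candidates(a_i, bio, ids, passwords):
    """Every (ID, PW) pair the card-side check cannot tell apart from the real one."""
    return [(i, pw) for i in ids for pw in passwords
            if fuzzy_verifier(i, pw, bio) == a_i]

class LoginThrottle:
    """Server-side failure counter per targeted account (the login threshold)."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def attempt(self, account: bytes, credentials_ok: bool) -> str:
        if self.failures[account] >= self.threshold:
            return "locked"
        if credentials_ok:
            self.failures[account] = 0
            return "accepted"
        self.failures[account] += 1
        return "rejected"

# Constructed sample data: 64 identities x 512 passwords = 32768 pairs.
IDS = [b"user%02d" % k for k in range(64)]
PASSWORDS = [b"pw%03d" % k for k in range(512)]
BIO = b"constructed-biometric-template"
REAL = (b"user17", b"pw300")

def demo(threshold: int = 5):
    a_i = fuzzy_verifier(*REAL, BIO)
    survivors = surviving_candidates(a_i, BIO, IDS, PASSWORDS)
    wrong = [pair for pair in survivors if pair != REAL][:threshold + 1]
    throttle = LoginThrottle(threshold)
    outcomes = [throttle.attempt(REAL[0], False) for _ in wrong]
    return len(survivors), REAL in survivors, outcomes
```

With these dictionaries roughly 32768 / 256 = 128 pairs pass the card-side check, so a stolen card yields a candidate set rather than a confirmed password, and the throttle stops the online confirmation after `threshold` failures.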

(6) Good Repairability
In our proposed scheme, the user $U_i$'s private information stored in the smart card includes ). Therefore, $U_i$'s password and biometrics will directly affect the secret information. When the smart card $SC_i$ is lost, $U_i$ only needs to modify his password and biometrics to ensure the security of the system. Thus, our scheme has good repairability.

(7) Resistance of other known attacks
Insider attack: Insiders can get the registration information $\{ID_i, PID_i, PWB_i\}$ of user $U_i$. However, the information is protected by Hash function, and the attacker cannot extract the user's password or biometrics. Therefore, the insider attack is invalid for the proposed new scheme.
Stolen verifier table attack: There is no password-related and biometric-related information table stored in the servers and RC. Therefore, the stolen verifier table attack is infeasible in our proposed scheme.
Temporary information leakage attack: In our proposed scheme, the user $U_i$ and the server $S_j$ reach a session key $SK_{ji} = h(PID_i \| P_{ij} \| T_{ji}) = h(PID_i \| P_{ij} \| T_{ij}) = SK_{ij}$. Even if an adversary captured the temporary information $n_i$ and $n_j$, he could not launch a temporary information leakage attack without $PID_i$. As a result, our proposed scheme can resist a temporary information leakage attack.
Replay attack: According to the description of the proposed protocol, the user and the server generate the new random numbers $n_i$ and $n_j$ in the authentication phase. Both sides can easily find replay attacks by checking the validity of the received message. Therefore, the new protocol can effectively resist replay attacks.
DoS attack: After receiving the login request from $U_i$, the server $S_j$ verifies whether $M_1^* \stackrel{?}{=} M_1$ holds. Only $U_i$, who calculates the legitimate login request information according to his identity, password, biometrics, and smart card, can pass the verification. Therefore, $S_j$ can confirm that the login request is from $U_i$, which can effectively reject a large number of invalid login requests from attackers.
According to the previous analysis and proof, we also know that the new scheme can resist user impersonation attacks, server spoofing attacks, man-in-the-middle attacks, offline password guessing attacks, and smart card stolen attacks.

Performance Analysis
In this section, we will compare the performance of the proposed new protocol with other authentication protocols based on the extended chaotic map in multi-server environments, including the comparison of computation cost and communication cost. Since the registration phase of users and servers only occurs once, and users do not frequently update their passwords and biometrics, this section only discusses the performance comparison between the login and authentication phases.

Comparison of Computing Costs
The new scheme and other similar protocols [30,39-41] all use a fuzzy extractor algorithm or bio-hash function to extract users' biometrics for protocol design. According to the literature [42,43], the time cost of the fuzzy extractor algorithm and the bio-hash function is considered equal. Therefore, the user biometric extraction operation is ignored in the comparison of computation cost.
The comparison between the new proposed protocol and the protocols proposed by Chatterjee et al. [30], Lee et al. [39], Irshad et al. [40], and Braeken et al. [41] is shown in Table 6. The symbols used in the table have the following meanings: (The computation overhead of XOR operation is ignored). The running time of the user to perform the above operation is obtained from the experiment of Intel Pentium 4 2600 MHZ processor and 1024 MB memory platform in reference [30]. The server performance is assumed to be 10 times of 2.4 GHz processor and 2GB memory platform. The running time of different operations on two platforms is shown in Table 7. From the results in Table 7, the proposed protocol has a lower computation cost than the other four protocols for both the user and server sides.

Comparison of Communication Costs
For the convenience of comparison, it is assumed that the length of identification, random number, timestamp, and other parameters involved in the new protocol and other related protocols is 128 bits, the length of large prime p is 128 bits, the output length of Hash function is 160 bits (such as SHA-1), and the ciphertext length of the symmetric encryption algorithm is an integral multiple of 128 bits (such as AES).
In the login and authentication phase of the proposed protocol, the interaction information between the user and the server includes $\{P_{ij}, CID_{ij}, N_i, M_1\}$, $\{M_2, M_3\}$, and $\{M_4\}$. The total length of interactive information is 160 * 7 = 1120 bits.
In the login and authentication phase of Chatterjee et al.'s protocol, the interaction information between the user and the server includes {ID i , ID S j , E K 1 (ID i ID S j T K 1 , H(TS i TS j RN i RN j Y T K 3 T x j (K u )), TS j . The total length of interactive information is (128 + 128 + 128 * 9 + 128 + 160) + (128 + 128 + 128 * 7 + 128 + 160) = 3136 bits.
Table 8 shows the comparison of communication cost between the proposed new protocol and Chatterjee et al. [30], Lee et al. [39], Irshad et al. [40], and Braeken et al. [41]. From the comparison results, it can be seen that the communication cost of the new proposed scheme is at a better level compared with similar protocols, and it has good communication efficiency. It should be noted that our scheme is the only one that needs three data transmissions. This is to further strengthen the identity authentication of the server to the user, to further ensure the security of the system. If we give up the information $M_4$ that the user transmits to the server, the server can complete the authentication of the user in the second step of the authentication phase and also generate the session key $SK_{ji}$. We finally choose stronger security, and the communication overhead caused by this is acceptable.

Conclusions
In recent years, multi-server network architecture has been widely used in practical applications. Moreover, due to the insecurity of the network, abundant research on authentication and key agreement protocols for multi-server architecture has been put forward. In 2018, Chatterjee et al. published an authentication protocol based on an extended Chebyshev chaotic map for multi-server environments. However, through the analysis of their protocol, we find that the protocol cannot achieve user un-traceability and three-factor security and cannot resist the counterfeiting attacks launched by malicious users. In order to ensure the communication security of participants in multi-server network environments, this study proposed a secure three-factor authentication protocol based on the extended chaotic map. The new protocol can effectively avoid the security defects of Chatterjee's protocol and achieve all known security goals. Moreover, the proposed scheme is analyzed and verified by the provable security and BAN logic. The results show that our scheme realizes the mutual authentication of communication participants and can effectively resist all kinds of attacks. Compared with other related protocols, the new protocol has good practicability and can be applied to multi-server environments.