An Efficient Fractional Chebyshev Chaotic Map-Based Three-Factor Session Initiation Protocol for the Human-Centered IoT Architecture

Abstract

One of the most frequently used signaling techniques for initiating, sustaining, and dismissing sessions on the internet is a session initiation protocol (SIP). Currently, SIPs are gaining widespread applications in the human-centered Internet of Things (HC-IoT) domain. In HC-IoT environments, sensitive user data are transmitted over open communication channels that require secure authentication to protect sensitive user information from unlawful exploitation. In order to provide robust authentication for critical user data, SIP-based authentication mechanisms have been proposed; however, these authentication schemes have not provided perfect authentication and effective security for users. Additionally, the existing schemes are computationally intensive and cost-prohibitive in design and implementation. In order to address this problem, especially in the human-centered IoT context, this work introduces a provably secure, lightweight, three-factor SIP-based scheme to tackle the shortcomings of traditional schemes. The presented scheme is based on an extended fractional Chebyshev chaotic map. A formal security verification of the session key in the real-or-random (ROR) model is conducted to evaluate the projected scheme. The investigation results indicate that the new scheme is SIP compatible and achieves secure mutual authentication with robust security features compared to the existing schemes. Therefore, the proposed SIP-enabled scheme can be deployed in the human-centered Internet of Things to secure critical user information.

1. Introduction

In recent years, the session initiation protocol (SIP) has become the most widely used application layer control protocol [1,2,3]. Specifically, a SIP creates, modifies, and terminates sessions [4]. A SIP supports five key aspects required for establishing and maintaining the termination of a multimedia session; the five aspects are user location, user ability, user effectiveness, session management, and session initiation. Additionally, a SIP can define how to manage a session to meet expected outcomes in real time [5]. This flexible feature makes it possible to use a SIP in numerous applications and services such as music, videos, and web meetings [6,7].

In the literature, SIP-based schemes have been broadly categorized as one-factor SIP authentication [6,8,9,10,11], two-factor SIP authentication [2,12,13,14,15], and three-factor SIP authentication [16,17,18,19,20] schemes. One-factor SIP authentication schemes pose limited security against adversarial attacks since they only using passwords to prove user authenticity. The vulnerabilities identified include, but are not limited to, dictionary attacks, guessing attacks, and Trojan attacks [3]. Additionally, two-factor SIP authentication schemes use passwords and smart cards, making them safer. However, several drawbacks have been associated with two-factor SIP authentication schemes [21,22]; it is not unlikely that they are vulnerable to smart card loss attacks [12]. Three-factor SIP authentication schemes combine passwords, smart cards, and biometrics, which reinforces the security architecture of the schemes, making them suitable for applications in human-centered IoT environments [23,24,25]. These schemes have been used in medical decision support systems, smart homes, learning systems, and more [26,27]. Figure 1 depicts the network configuration and application scenarios for the session initiation protocol (SIP).

Figure 1. Network configuration and application scenarios for the session initiation protocol.

Whereas the services provided by a SIP are beneficial, the associated security challenges are enormous and require critical examination. Several SIP-based authentication schemes have been reported [14,22,28,29,30]. In addition, a few SIP-based key agreement schemes pose high resistance to sophisticated attacks [31]. However, most SIP-based authentication schemes are vulnerable to well-known threats. Thus, the need for robust security and a key agreement protocol for a SIP scheme that is not susceptible to any known attack is imperative, which is the basis for the current study.

1.1. Research Contributions

This article proposes a provably secure, lightweight, three-factor session initiation protocol using extended fractional Chebyshev chaotic maps (FCCM) in the HC-IoT environment. In particular, the key contributions of this paper are highlighted as follows.

▪

An efficient and secure remote authentication scheme for a SIP is proposed using extended FCCM, a smart card (SC), and user biometrics simultaneously in the HC-IoT environment.

▪

An informal security analysis of the projected protocol is demonstrated, and the results show that it is provably secure in the ROR model.

▪

A comparison of the projected protocol with related authentication protocols is conducted and it is found that it is cost-efficient and requires fewer computational resources. This is because the presented approach uses FCCM, which eliminates computationally intensive elliptic curve point multiplication.

1.2. Organization of Manuscript

The remainder of this work is organized as follows: In Section 2, we outline related works; in Section 3, we provide the background and material; In Section 4, we present our new SIP scheme based on FCCM; in Section 5, we provide a comprehensive security analysis of the projected technique; in Section 6, we demonstrate the performance evaluation of the projected technique; finally, in Section 7, we provide a concise conclusion to the paper.

2. Related Work

In wireless communication, especially in the human-centered IoT environment, guaranteeing a secure SIP for the communication requires secure authentication with a key agreement protocol executed before actual communication is initiated. In order to fulfill this criterion, several SIP-based schemes have been proposed [6,12,13,32,33]. Specifically, Arshad and Nikooghadam presented an effective authentication scheme for a SIP based on elliptic curve cryptography (ECC). In addition, Zhang et al. [12] reported a flexible authentication scheme for a SIP, leveraging smart cards. Interestingly, the scheme by Zhang et al. [12] showed impressive security features; however, the security of the scheme was not perfect, as claimed. In the work by Irshad et al. [13], the flaws in Zhang et al.’s scheme were highlighted, and solutions were offered to improve the scheme. In particular, one of the main limitations of Zhang et al.’s scheme was its vulnerability to a DoS attack. As a result, Irshad et al. [13] presented an improved SIP based on chaotic constructions. In another related study that examined the limitations of Irshad et al.’s protocol [13], Arshad et al. [6] mentioned that the protocol was vulnerable to client impersonation attacks. In order to address the limitations posed by Irshad et al.’s protocol, Arshad et al. projected a secure protocol that employed elliptic curve cryptography (ECC) [6]. In a recent analysis, Lin et al. [32] showed that the protocol, due to Arshad et al., was not secure against several attacks such as server spoofing, denial-of-service (DoS), and privilege insider attacks. Lin et al. [32] also demonstrated that Arshad et al.’s protocol failed the user anonymity test. In order to strengthen the security of Arshad et al.’s protocol [6], Lin et al. suggested a new scheme for a SIP using the ECC.

In [34], Chen et al. examined the security of the protocol presented by Lin et al. [32]. The SIP for anonymous authentication and key negotiation was shown to have various security issues. The protocol failed an offline password-guessing attack and could not sustain a stolen memory device attack. Furthermore, Lin et al.’s protocol could not verify a wrong password and showed a weak password updating procedure. In order to address the proliferating issues in Lin et al.’s protocol, Chen et al. [34] presented a new mutual authentication with a key agreement protocol with robust features compared to Lin et al.’s protocol. An authentication scheme for a SIP was presented by Islam et al. [35]. The authors claimed that the SIP-based scheme was immune to known attacks. However, the work conducted by Chen et al. [34] revealed that Islam et al.’s protocol [35] failed impersonation attacks and could not achieve user anonymity.

Chen et al.’s scheme [34] used an extended chaotic map that supported fast computation. Additionally, the scheme was tested using Burrows–Abadi–Needham (BAN) logic to demonstrate that it supported secure mutual authentication. The ROR model was also used to examine the formal security investigation of the session key. The most critical part of a SIP is the authentication process required for a network user to access the SIP server. SIP security is becoming increasingly significant, and the need for a reliable authentication scheme for the SIP is not out of place.

However, the security of a SIP-based authentication protocol has been questioned, primarily as billions of sensitive user data are currently being conveyed in real time over open communication channels. In order to boost the security frameworks of these schemes, Zhang et al. [36] employed biometric identification technology to project a lightweight SIP authentication leveraging symmetric encryption. Zhang et al.’s scheme [36] showed good resilience to insider attacks, offline dictionary attacks, replay attacks, and it had lower computational costs. It should be emphasized that Zhang et al.’s scheme was not perfect. Recently, Naqvi et al. [16] revealed some security vulnerabilities in Zhang et al.’s scheme, such as limited resistance to replay attacks and failure to meet user anonymity requirements.

Naqvi et al. suggested a three-factor SIP-based protocol to address the vast limitations of Zhang et al.’s protocol. Furthermore, Mishra et al. [17] analyzed the protocol reported in [37] and showed that it was vulnerable to man-in-the-middle and impersonation attacks. A SIP protocol based on biometrics offering robust security against active and passive attacks has been demonstrated by Mishra et al. [17] to address the limitations of the scheme by Tu et al. [37]. Additionally, Mishra et al. [17] used the Automated Validation of Internet Security Protocols and Application (AVISPA) tool to investigate the formal security of the projected protocol. However, Islam et al. [20] observed that the SIP-based protocols reported by [16,17,36] were vulnerable to DoS attacks and lacked resiliency against clock synchronization issues. In order to improve the performance of this protocol, Islam et al. [20] suggested a robust and cost-effective scheme using hash functions and hard computational problems.

However, several vulnerabilities, such as limited resistance to impersonation attacks, forgery attacks, user anonymity issues, and lack of forward secrecy, limit the protocol’s authenticity. In order to improve user anonymity and other problems identified in Islam et al.’s procedure [20], Wang et al. [38] put forward a public key scheme that provided robust security and supported user anonymity. Due to design deficiencies, most SIP-based protocols [27,39,40] have shown some security vulnerabilities. In addition, the application of scalar multiplication in SIP-based protocols has contributed to high computation overhead. Nevertheless, Chebyshev chaotic maps find useful applications in human-centered IoT environments in facilitating identity verification in healthcare information systems [41], cloud computing [42], and the Internet of Things (IoT) [43].

Another work closely related to the current study is the scheme reported in [3]. Specifically, the scheme is based on an extended chaotic map, which avoids computationally expensive elliptic curve point multiplication. In addition, the study aimed to enhance mutual authentication to eliminate the drawbacks of the exisitng schemes. The study applied Burrows–Abadi–Needham logic to prove that the proposed scheme achieved secure mutual authentication and was suitable for SIP applications. However, the work in [3] failed the clock synchronization attack, which is critical to protecting sensitive user information. In order to address this problem, there is a need for a more robust and enhanced security scheme for SIP applications. To this end, the current work proposes using fractional Chebyshev chaotic maps to address the prevailing issues in the existing SIP-based protocols. The proposed scheme successfully resolved the clock synchronization problem in the scheme reported in [3].

The preliminaries and background of fractional Chebyshev chaotic maps employed in designing our SIP-based protocol are briefed in this paper.

3. Background and Material

In this section, we briefly discuss the functionality and security requirements, the hash function [44], the Chebyshev chaotic map [45], the FCCM [46], and the biometrics and fuzzy extractor [47] which are described in this article. Table 1 lists the notations used for the protocol developed in this paper.

Table 1. The notations used in the development of the protocol.

Notation	Explanation
$\mathtt{C}$	Client
$\mathcal{R}\mathcal{S}$	Remote server
${𝒾𝒹}_{\mathcal{C}}$	Identity of $\mathtt{C}$
$\mathfrak{F}$	Adversary
${pⱳ}_{\mathcal{C}}$	Password of $\mathtt{C}$
${BIO}_{\mathcal{C}}$	Biometrics of $\mathtt{C}$
${𝒾𝒹}_{sc}$	Smart cards identity
$s$	$\mathcal{R}\mathcal{S}$’s secret key
$\vartheta /y_r/a_{\mathcal{C}}/b_r$	Random number
${SƘ}_{\mathcal{C}r}$	Session key
$\delta$	Random rational number from [0, 1]
$F_q$	A finite field, where $q$ is a huge prime
${Ʈ}_n\left(.\right)$	A $n$th degree Chebyshev polynomial
${{Ʈ}_n}^{\delta }\left(.\right)$	A $n$th fractional Chebyshev polynomial
$\mathsf{ɦ}\left(·\right)$	Cryptographic one-way hash function
$\oplus$	XOR operation
$\parallel$	Concatenation operation

3.1. Hash Function

A hash function of the form $ɦ:{\left\{0,1\right\}}^{\ast }\to {\left\{0,1\right\}}^n$ accepts any binary length string $q\in {\left\{0,1\right\}}^{\ast }$ as input and gives a binary string ${ɦ}_q\in {\left\{0,1\right\}}^n$ as yield. The following is the collision-resistance of $ɦ\left(·\right)$:

Definition 1. 

Assume that  ${Adv}_{\mathcal{A}}^{Hash}\left(t\right)$ reflects an adversary  𝒜’s advantage in locating a hash collision in polynomial time  $t$ , i.e.,  ${Adv}_{\mathcal{A}}^{Hash}\left(t\right)=Pr[\left(𝒶,𝒷\right)\Leftarrow :𝒶\ne 𝒷,\mathcal{ɦ}\left(𝒶\right) = ɦ\left(𝒷\right)]$ , where  $Pr\left[E\right]$ denotes the probability of an  $E$ event occurring. When a  $\left(\varsigma ,t\right)$ -adversary  𝒜 attacks the resistance of   $ɦ\left(·\right)$ , this indicates that   𝒜’s runtime is, at most,   $t$ and that  ${Adv}_{\mathcal{A}}^{Hash}\left(t\right)\le \varsigma$ is true for an adequately small   $\varsigma >0$.

3.2. Chebyshev Chaotic Maps

Let ʑ $\in \left[-\mathrm{1,1}\right]$ be a real number and n be an integer, the Chebyshev polynomial ${Ʈ}_n\left(ʑ\right):\left[-\mathrm{1,1}\right]\to \left[-\mathrm{1,1}\right]$ is then defined as follows:

$${Ʈ}_n\left(ʑ\right)=\mathrm{c}\mathrm{o}\mathrm{s}(n·{cos}^{-1}(ʑ\left)\right)$$

The Chebyshev polynomial has the following recurrence relation:

$${Ʈ}_n\left(ʑ\right)=\left\{\begin{array}{ll}1& if n=0\\ ʑ& if n=1\\ 2ʑ{Ʈ}_{n-1}\left(ʑ\right)-{Ʈ}_{n-2}\left(ʑ\right)& if n\ge 2\end{array}\right.$$

• Chaotic map-based discrete logarithm problem (CMDLP): For any given x and y, it is not computationally feasible to calculate the integer n such that ${Ʈ}_n\left(ʑ\right) mod p=y.$
• Chaotic map-based computational Diffie–Hellman problem (CMDHP): It is not computationally feasible to compute ${Ʈ}_{rs}\left(ʑ\right) \mathrm{m}\mathrm{o}\mathrm{d} p$, for three elements $ʑ,{Ʈ}_r\left(ʑ\right) mod p,$ and ${Ʈ}_s\left(ʑ\right) \mathrm{m}\mathrm{o}\mathrm{d} p$.

Where there is a large prime number, the Chebyshev polynomial with CMDHP has the following formal definition:

Definition 2. 

For any  $\mathcal{A}$ adversary with   $t$ execution time, the advantage probability  ${Adv}_{\mathcal{A}}^{ɦASɦ}\left(t\right)$  of the CMDHP is negligible, that is,   ${Adv}_{\mathcal{A}}^{Hash}\left(t\right)\le \varsigma$ for a sufficiently small   $\varsigma >0$.

3.3. Fractal Chaotic Maps (FCM)

Fractal calculus (FC) was formerly known as a local fractional calculus [45,48]. In addition, fractional calculus accepts holdings. The following preparation takes priority over FC:

Suppose that the fractional difference operator ${\xi }^{\gamma }$ is defined by the formal equation for a random fractional-order $\gamma ϵ$ [0, 1]. Then,

$${\xi }^{\gamma }\psi \left(ʓ\right)=\frac{{∆}^{\gamma }(\psi \left(ʓ\right)-\psi \left({ʓ}_0\right))}{{(ʓ-{ʓ}_0)}^{\alpha }}=\Gamma \left(\gamma +1\right)\left(\psi \left(ʓ\right)-\psi \left({ʓ}_0\right)\right)$$

and the fractal integral operator is the same as this:

$$I^{\gamma }\psi \left(ʓ\right)=\frac{1}{\Gamma \left(\gamma +1\right)}{\int }_a^b\psi \left(ʓ\right){(dʓ)}^{\gamma }.$$

By using the formula in (1), it can be approximated as:

$$I^{\gamma }\psi \left(ʓ\right)=\frac{{(b-a)}^{\gamma }}{\Gamma \left(\gamma +1\right)}\psi \left(ʓ\right), a \le ʓ \le b.$$

(1)

By generalizing the polynomial ${Ʈ}_n\left(𝓋\right)$ with the FC notion, we obtain the following Equation (2):

$$I^{\gamma }{Ʈ}_n\left(𝓋\right):={{Ʈ}_n}^{\gamma }\left(𝓋\right)=\frac{{\left(2\right)}^{\gamma }}{\Gamma \left(\gamma +1\right)}{Ʈ}_n\left(𝓋\right),$$

(2)

The fractal Chebyshev polynomial is abbreviated as FCP (see Figure 2).

Figure 2. 3D-FCP when $\gamma$ = 0, 1/2, and 3/4.

3.4. Possessions of Fractal Chaotic Maps with Extension

The following are two of the FCP’s critical properties:

Definition 3 

(Chaotic possessions of FCM).The fractal chaotic maps [45,49] satisfy the chaotic possessions recurrent relations, i.e., ${{Ʈ}_n}^{\gamma }\left(𝓋\right)=\frac{{\left(2\right)}^{\gamma }}{\Gamma \left(\gamma +1\right)}\left(2𝓋{Ʈ}_{n-1}\right(𝓋)-{Ʈ}_{n-2}\left(𝓋\right))(mod q_1)$. The usual significant effect, as observed by Yang et al. [48], is well known when   $\gamma \to 0$ is used.

Definition 4 

(Semi-group possessions of FCM).For FCMs on the interval (-∞, ∞) (it is known as extended FCCM) [45], the semi-group possessions hold.

$${{Ʈ}_k}^{\gamma }\left({{Ʈ}_n}^{\gamma }\left(𝓋\right)\right)(mod q_1)={{Ʈ}_n}^{\gamma }\left({{Ʈ}_k}^{\gamma }\left(𝓋\right)\right)(mod q_1)={{Ʈ}_{kn}}^{\gamma }\left(𝓋\right).(mod q_1)$$

3.5. Biometrics and Fuzzy Extractor

Because of their distinct qualities, biometric keys such as palm prints, fingerprints, and iris are being used in numerous authentication procedures. There are three significant advantages to using biometric keys: They are incredibly tough to fabricate or distribute, as well as duplicate or share, and they cannot be misplaced or forgotten.

The fuzzy extractor approach has recently been discovered to be effective in extracting the biometric key from the biometric input from users. The fuzzy extractor takes a user’s biometric feature input, say ${BIO}_{\mathcal{C}}$, and generates the unique random string, ${\xi }_{\mathcal{C}}$, as well as the auxiliary string, ${\zeta }_{\mathcal{C}}$, in an error-tolerant manner using a probabilistic generation function. Furthermore, it uses a deterministic replication technique to construct the identical original string ${\xi }_{\mathcal{C}}$, an auxiliary string ${\zeta }_{\mathcal{C}}$, and a noisy user biometric ${BIO}_{\mathcal{C}}^{\prime }$ that differs from the original biometric ${BIO}_{\mathcal{C}}$ up to a threshold value.

Two algorithms, $Gen\left(·\right)$ and $Rep\left(·\right)$, are used in the fuzzy extraction method. $\left({\xi }_{\mathcal{C}},{\zeta }_{\mathcal{C}}\right)=Gen\left({BIO}_{\mathcal{C}}\right)$ and ${\xi }_{\mathcal{C}}=Rep\left({BIO}_{\mathcal{C}}^{\prime },{\zeta }_{\mathcal{C}}\right)$ are the definitions for the functions $Gen\left(·\right)$ and $Rep\left(·\right)$.

4. The Proposed Three-Factor SIP Scheme Based on FCCM under the HCIoT Environment

An efficient and secure SIP is projected in this segment. The proposed SIP is divided into five major stages: (1) setup, (2) registration, (3) login, (4) authentication and key formation, and (5) password and biometrics change. The specifics are listed as follows:

4.1. Setup Stage

During this stage, the $\mathcal{R}\mathcal{S}$ produces all systems’ public constraints.

Step 1.

The $\mathcal{R}\mathcal{S}$ picks $s\in F_q$ as its secret key.

Step 2.

${Ʈ}^{\delta }\left(·\right)\left(\vartheta \right)$ and a secure hash function $ɦ\left(·\right)$ are computed by the $\mathcal{R}\mathcal{S}$ using a random number $\vartheta \in \left(-\infty ,+\infty \right)$ and rational number $\delta \in \left[\mathrm{0,1}\right].$

Step 3.

The $\mathcal{R}\mathcal{S}$ makes the constraints $\left\{ɦ\left(·\right),\vartheta ,{Ʈ}^{\delta }\left(·\right)\left(\vartheta \right)\right\}$ available to all legal users.

4.2. Registration Stage

During this stage of the protocol, the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$ use a secure channel to complete the following tasks in order to publish a valid $SC$. It is worth noting that this is a one-time procedure.

Step 1.

The $\mathtt{C}$ scans her/his biometrics ${BIO}_{\mathcal{C}}$ using a biometric scanner gadget. The $\mathtt{C}$ picks an ${𝒾𝒹}_{\mathcal{C}}$, as well as a password ${p\mathsf{ⱳ}}_{\mathcal{C}}$. Then, he/she computes $Gen\left({BIO}_{\mathcal{C}}\right)=\left({\xi }_{\mathcal{C}},{\zeta }_{\mathcal{C}}\right)$ and ${\eta }_{\mathcal{C}}=ɦ\left({𝒾𝒹}_{\mathcal{C}},{p\mathsf{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}\right)$, and sends ${𝒾𝒹}_{\mathcal{C}}$, ${\eta }_{\mathcal{C}}$ through a secure channel to the $\mathcal{R}\mathcal{S}$.

Step 2.

When the registration message is received, the $\mathcal{R}\mathcal{S}$ usages its private key s and ${𝒾𝒹}_{\mathcal{C}}$ to calculate ${\mathsf{\Upsilon }}_{\mathcal{C}}=\mathrm{ɦ}\left(s,{𝒾𝒹}_{\mathcal{C}}\right),$ ${\mathrm{Ʋ}}_{\mathcal{C}}={\mathsf{\Upsilon }}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}}$, ${\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right)$, and $O_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. Then, the $\mathcal{R}\mathcal{S}$ stores $\left\{{\mathrm{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},\vartheta ,{\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right),\mathrm{ɦ}\left(·\right),{\mathrm{Ʈ}}^{\delta }\left(·\right)\left(\vartheta \right),Rep\left(·\right)\right\}$ into a $SC$ and transmits it to the $\mathtt{C}$ over a protected channel.

Step 3.

When the $\mathtt{C}$ receives the $SC$, he/she writes ${\zeta }_{\mathcal{C}}$ on it.

Finally, the $SC$ contains the following info: $\left\{{\mathrm{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right),\mathrm{ɦ}\left(·\right),{\mathrm{Ʈ}}^{\delta }\left(·\right)\left(\vartheta \right),Rep\left(·\right)\right\}$.

4.3. Login Stage

The $\mathtt{C}$ and their $SC$ carry out the following steps:

Step 1.

The $\mathtt{C}$ enters his/her ${𝒾𝒹}_{\mathcal{C}}$ and ${p\mathsf{ⱳ}}_{\mathcal{C}}$ into the terminal contraption before allowing a scan to obtain his/her biometrics ${BIO}_{\mathcal{C}}^{\prime }$. In addition, the $\mathtt{C}$ must use the terminal card reader to input his/her $SC$.

Step 2.

The $SC$ calculates ${\xi }_{\mathcal{C}}=Rep\left({BIO}_{\mathcal{C}}^{\prime },{\zeta }_{\mathcal{C}}\right)$, ${\eta }_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{p\mathrm{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}\right)$, ${\mathsf{\Upsilon }}_{\mathcal{C}}={\mathrm{Ʋ}}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}}$, and $\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. If $\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{p\mathrm{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}\right)\ne O_{\mathcal{C}}$, the $SC$ exits this stage, and the $\mathtt{C}$’s login request is rejected. Otherwise, the next phase is carried out by both the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$.

4.4. Authentication and Key Formation Stage

After a registered user successfully signs in, the authentication of a remote server is confirmed. The session key ${SƘ}_{\mathcal{C}r}$ is recognized among the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$ after the successful mutual authentication. The specific steps are outlined as follows:

Step 1.

The $\mathtt{C}$’s $SC$ picks an arbitrary number $a_{\mathcal{C}}\in F_q$ and computes ${\mu }_{\mathcal{C}}={\mathrm{Ʈ}}_{a_{\mathcal{C}}}^{\delta }\left(\vartheta \right),$ $\mathrm{Ƙ}\mu ={\mathrm{Ʈ}}_{a_{\mathcal{C}}}^{\delta }\left({\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right)\right),$ ${D𝒾𝒹}_{\mathcal{C}}={𝒾𝒹}_{\mathcal{C}}\oplus \mathrm{ɦ}\left(\mathrm{Ƙ}\mu \right),$ and ${\mathrm{Ⱳ}}_{\mathcal{C}}=\mathrm{ɦ}\left({\mu }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The $SC$ uses a public channel to send a request message $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{\mathrm{Ⱳ}}_{\mathcal{C}}\right\}$ to the $\mathcal{R}\mathcal{S}$.

Step 2.

The $\mathcal{R}\mathcal{S}$ computes ${\mu }^{\prime }={\mathrm{Ʈ}}_s^{\delta }\left({\mu }_{\mathcal{C}}\right),$ ${𝒾𝒹}_{\mathcal{C}}={D𝒾𝒹}_{\mathcal{C}}\oplus \mathrm{ɦ}\left(\mathrm{Ƙ}{\mu }^{\prime }\right)$, ${\mathsf{\Upsilon }}_{\mathcal{C}}=\mathrm{ɦ}\left(s,{𝒾𝒹}_{\mathcal{C}}\right)$, and ${\mathrm{Ⱳ}}_{\mathcal{C}}^{\prime }=\left({\mu }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ after receiving the request message $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{\mathrm{Ⱳ}}_{\mathcal{C}}\right\}$. If ${\mathrm{Ⱳ}}_{\mathcal{C}}$ is equal to the computed value ${\mathrm{Ⱳ}}_{\mathcal{C}}^{\prime }$. If the verification fails, the $\mathcal{R}\mathcal{S}$ immediately rejects this stage. Otherwise, the $\mathcal{R}\mathcal{S}$ selects an arbitrary number $b_r\in F_q$ and computes $B_r={\mathrm{Ʈ}}_{b_r{a}_{\mathcal{C}}}^{\delta }\left(\vartheta \right)$, ${\mathrm{Ƙ}}_{\mathcal{C}r}={\mathrm{Ʈ}}_{b_r}^{\delta }\left(\vartheta \right),$ and ${\mathrm{Ⱳ}}_r=\mathrm{ɦ}\left({\mathrm{Ƙ}}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}},B_r\right)$. Over a public channel, the $\mathcal{R}\mathcal{S}$ sends ${\mathrm{Ⱳ}}_r \mathrm{a}\mathrm{n}\mathrm{d} B_r$ to the $\mathtt{C}$.

Step 3.

When the $\mathtt{C}$ receives ${\mathrm{Ⱳ}}_r \mathrm{a}\mathrm{n}\mathrm{d} B_r$, it computes ${\mathrm{Ƙ}}_{\mathcal{C}r}={\mathrm{Ʈ}}_{a_{\mathcal{C}}}^{\delta }\left(B_r\right)={\mathrm{Ʈ}}_{a_{\mathcal{C}}{b}_r}^{\delta }\left(\vartheta \right)$ and $C_{\mathcal{C}}=\mathrm{ɦ}\left({\mathrm{Ƙ}}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}},B_r\right)$. The $\mathtt{C}$ validates the correctness of $\left\{{\mathrm{Ⱳ}}_r,B_r\right\}$ by comparing $C_{\mathcal{C}}$ to ${\mathrm{Ⱳ}}_r$. If $C_{\mathcal{C}}\ne {\mathrm{Ⱳ}}_r$, the $\mathtt{C}$ aborts the session; otherwise, it calculates $D_{\mathcal{C}}=\mathrm{ɦ}\left({\mathrm{Ƙ}}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ and transmits the $D_{\mathcal{C}}$ answer message to the $\mathcal{R}\mathcal{S}$ through a public channel. Then, $\mathtt{C}$ calculates the ${S\mathrm{Ƙ}}_{\mathcal{C}r}=\mathrm{ɦ}\left({\mu }_{\mathcal{C}},B_r,{\mathrm{Ƙ}}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$.

Step 4.

When the $\mathcal{R}\mathcal{S}$ gets $D_{\mathcal{C}}$ from the $\mathtt{C}$’s smart card, it computes $ɦ\left({Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ and compares $D_{\mathcal{C}}$ to the calculated value. If $ɦ\left({Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)=D_{\mathcal{C}}$, the $\mathcal{R}\mathcal{S}$ calculates the ${SƘ}_{\mathcal{C}r}=ɦ\left({\mu }_{\mathcal{C}},B_r,{Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. Figure 3 depicts the registration, login, authentication, and key establishment processes.

Figure 3. The registration, login, authentication, and key formation stages of the projected protocol.

4.5. Password and Biometrics Change Stage

The $\mathtt{C}$ can update her/his existing ${p\mathsf{ⱳ}}_{\mathcal{C}}$ and ${BIO}_{\mathcal{C}}^{\prime }$ without involving the $\mathcal{R}\mathcal{S}$ during this step, as indicated below:

Step 1.

The $\mathtt{C}$ inserts the $SC$ into the card reader and enters the credentials ${𝒾𝒹}_{\mathcal{C}}$ and ${p\mathsf{ⱳ}}_{\mathcal{C}}$. Then, the $\mathtt{C}$ uses a biometric scanner gadget to scan her/his biometrics ${BIO}_{\mathcal{C}}^{\prime }$.

Step 2.

The smart card calculates ${\xi }_{\mathcal{C}}=Rep\left({BIO}_{\mathcal{C}}^{\prime },{\zeta }_{\mathcal{C}}\right),$ ${\eta }_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{p\mathrm{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}{,\mathsf{\Upsilon }}_{\mathcal{C}}\right)={\mathrm{Ʋ}}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}}$, and $\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}}{,\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. Then, the smart card checks to see if the calculated $\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}}{,\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ is similar to $O_{\mathcal{C}}$. If the conditions are met, the $\mathtt{C}$ can change the existing ${p\mathrm{ⱳ}}_{\mathcal{C}}$ and ${BIO}_{\mathcal{C}}^{\prime }$. Otherwise, the request can be denied.

Step 3.

The $\mathtt{C}$ updates the smart card with a new password ${\overline{p\mathrm{ⱳ}}}_{\mathcal{C}}$ and biometrics ${\overline{BIO}}_{\mathcal{C}}$. Then, the smart card computes ${\overline{\xi }}_{\mathcal{C}}=Rep\left({\overline{BIO}}_{\mathcal{C}},{\zeta }_{\mathcal{C}}\right)$, as well as ${\overline{\eta }}_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\overline{p\mathrm{ⱳ}}}_{\mathcal{C}},{\overline{\xi }}_{\mathcal{C}}\right)$, ${\overline{\mathrm{Ʋ}}}_{\mathcal{C}}={\mathsf{\Upsilon }}_{\mathcal{C}}\oplus {\overline{\eta }}_{\mathcal{C}}$, and ${\overline{O}}_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\overline{\eta }}_{\mathcal{C}}{,\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The smart card replaces the tuple $\left\{{\mathrm{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right),\mathrm{ɦ}\left(·\right),{\mathrm{Ʈ}}^{\delta }\left(·\right)\left(\vartheta \right),Rep\left(·\right)\right\}$ with the new tuple $\left\{{\overline{\mathrm{Ʋ}}}_{\mathcal{C}},{\overline{O}}_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{\mathrm{Ʈ}}_s^{\delta }\left(\vartheta \right),\mathrm{ɦ}\left(·\right),{\mathrm{Ʈ}}^{\delta }\left(·\right)\left(\vartheta \right),Rep\left(·\right)\right\}$.

5. Security Examination of the Proposed Protocol

We examine the introduced protocol from the standpoint of security analysis in this section, employing all available analyses. The session key’s formal security is demonstrated using the widely established ROR model [50], and other known attacks are evaluated using informal (non-mathematical) security analysis.

5.1. The ROR Model for Session Key Security

In order to investigate the security of a session key, the ROR model [50] is extensively used in authentication based on key agreement techniques [51,52,53,54,55,56,57]. In order to prove the security of the session key, the introduced protocol also employs the ROR model.

Bellare et al. [58] introduced the security mechanism for the password-based authenticated key exchange procedure. By introducing a few new oracles to Abdalla et al.’s ROR model [50], we made it a three-factor model. The following are the definitions of the terms:

• Participants

Let $P$ stand for the proposed scheme. $P$ polynomial times can be executed by both a genuine user $\mathtt{C}$ and a $\mathcal{R}\mathcal{S}$. The symbols ${\mathtt{C}}_i$ and ${\mathcal{R}\mathcal{S}}_j$ denote the place of the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$, respectively.

b.

Partnering

In practice, each key agreement conversation has its session identification (sid). If ${\mathtt{C}}_i$ and ${RS}_j$ have the same non-null session identifiers, we call them partnered.

c.

Adversary

The widely established Dolev–Yao (DY) threat model [59] is used to model an adversary $\mathfrak{F}$ in the ROR model. $\mathfrak{F}$ can interrupt, remove, modify, or even insert some or all messages transmitted among the ${\mathtt{C}}_i$ and ${\mathcal{R}\mathcal{S}}_j$ communication participants using the following queries, according to the DY model:

Execute$\left\{{\mathtt{C}}_i,{\mathcal{R}\mathcal{S}}_j\right\}$: This inquiry simulates an eavesdropping attack and returns to its partner ${\mathcal{R}\mathcal{S}}_j$ a copy of the messages sent by ${\mathtt{C}}_i$.

Send$\left({\mathtt{C}}_i/{\mathcal{R}\mathcal{S}}_j\right)$: This inquiry executes an active attack. $\mathfrak{F}$ can transmit this inquiry to a participant instance ${\mathtt{C}}_i/{\mathcal{R}\mathcal{S}}_j$ via message $m$. Then, they will respond to the $\mathfrak{F}$ with an analogous reply message.

Corrupt$\left({\mathtt{C}}_i,z\right)$: It represents the loss of ${\mathtt{C}}_i\prime s$ info. There are three available cases:

• $z=0$: ${p\mathsf{ⱳ}}_{\mathcal{C}}$ is obtained by $\mathfrak{F}$ via the query.
• $z=1$: The query allows $\mathfrak{F}$ to obtain data from ${\mathtt{C}}_i$’s Smart card.
• $z=2$: Through the query, $\mathfrak{F}$ obtains ${\mathtt{C}}_i$’s biometrics ${\xi }_{\mathcal{C}}$.

This inquiry is depicted as an active attack in which $\mathfrak{F}$ can extract all of the sensitive secret info contained in its memory by using power analysis attacks.

Test $\left({\mathtt{C}}_i,{\mathcal{R}\mathcal{S}}_j\right)$: In the test inquiry, the session key’s semantic security is emulated. In order to respond to the inquiry, the test oracle invokes execute $\left({\mathtt{C}}_i,{\mathcal{R}\mathcal{S}}_j\right)$ and flips a fair arbitrary coin $b\in${0,}. If $b=0$, the test oracle sends to the adversary $\mathfrak{F}$ the yield of execute $\left({\mathtt{C}}_i,{\mathcal{R}\mathcal{S}}_j\right)$ and the session key ${SƘ}_{\mathcal{C}r}$. If $b=1$, the test oracle sends to the adversary $\mathfrak{F}$ the yield of execute $\left({\mathtt{C}}_i,{\mathcal{R}\mathcal{S}}_j\right)$ and an arbitrary binary string. The random binary string must be a similar length as the session key in this scenario. If adversary $\mathfrak{F}$ asks many test questions, all of the answers should depend on the same $b$ value.

Hash $\left(\alpha ,ɦ\left(\alpha \right)\right)$: When a query is issued to the hash oracle, it examines its table for $x$ and proceeds $ɦ\left(\alpha \right)$ if $\alpha$ exists; otherwise, it proceeds to a uniformly arbitrary string $\beta$ and stores $\left\{\alpha ,\beta \right\}$, in the table.

d.

Semantic Security

If the above-noted inquiries are provided, the $\mathfrak{F}$ may communicate with the situations to assist him/her in determining the value of bit $b$. If they guess properly, the strategy does not give semantic security. Let $b\prime$ be $\mathfrak{F}$’s guessed bit. Then, a polynomial-time $t,$ the $\mathfrak{F}$’s advantage in breaching the proposed scheme’s session key security $P,$ is defined as ${Adv}_{A,s\mathit{u}cc}^P\left(t\right)=\left|2Pr\left[b-b\prime \right]-1\right|$|, where $Pr\left[E\right]$ indicates the probability of an event $E$ occurring.

5.2. The Proof of Security

Theorem 1. 

Let   ${Adv}_{\mathfrak{F},s\mathit{u}cc}^P\left(𝓉\right)$  be the advantage that a   $\mathfrak{F}$  adversary with execution time   $𝓉$  violates the semantic security of our projected protocol   $P$  . Then,

$${Adv}_{\mathfrak{F},s\mathit{u}cc}^P\left(𝓉\right)\le 2\left(\frac{{\mathcal{Q}}_{ɦ}^2}{2^{{𝓁}_{ɦ}-1}}+\frac{{\mathcal{Q}}_s}{2^{{𝓁}_{ɦ}-3}}+\frac{{\left({\mathcal{Q}}_s+{\mathcal{Q}}_e\right)}^2}{2^{{𝓁}_{𝓉}-1}}+\frac{{\mathcal{Q}}_{ɦ}}{2q}+{{\mathcal{Q}}_{ɦ}Adv}_{\mathfrak{F}}^{FCMDHP}\left(𝓉\right)+max\left\{\frac{{\mathcal{Q}}_s}{\left|\mathsf{ӽ}\right|},\frac{{\mathcal{Q}}_s}{2^{{𝓁}_b}},{\mathcal{Q}}_s{ϵ}_{bm}\right\}\right)$$

where  ${\mathcal{Q}}_e$ $,{\mathcal{Q}}_s,$ and  ${\mathcal{Q}}_{ɦ}$ represent the number of execute, send and hash queries, respectively.  ${\left|\mathsf{ӽ}\right|,{𝓁}_t,𝓁}_{ɦ},{ϵ}_{bm},$ and  ${𝓁}_b$ represent the size of the homogeneously distributed password dictionary  $\mathsf{ӽ}$ , the string length of the result of the Chebyshev polynomial, the string length of hash results, the probability of false positive, and the extracted string length of user biometrics, respectively. The advantage of  $\mathfrak{F}$  in breaching the FCMDHP with the  $𝓉$  execution time is indicated by  ${Adv}_{\mathfrak{F}}^{FCMDHP}\left(𝓉\right)$.

Proof: 

Our proof establishes a series of hybrid games, beginning with the actual attack and ending with a game in which  $\mathfrak{F}$  has no advantage. $S_i$  is an occurrence in which   $\mathfrak{F}$  has a chance to win the game  $G_i$.  Below is a detailed portrayal of the games. □

Game $G_0$: This game simulates an actual attack by $\mathfrak{F}$. We have, according to the preliminary definitions given by Equation (3),

$${Adv}_{\mathfrak{F},succ}^P\left(𝓉\right)=\left|2Pr\left[S_0\right]-1\right|$$

(3)

Game $G_1$: The only difference between this game and the previous one is that $\mathfrak{F}$ replicates the hash oracle $ɦ$ by keeping a list ${\mathsf{\Upsilon }}_{ɦ}$. If there is a record $\left(\alpha ,\beta \right)$ in ${\mathsf{\Upsilon }}_{ɦ}$ for a hash query $ɦ\left(\alpha \right)$, the oracle proceeds $\beta$ to the $\mathfrak{F}$. Otherwise, the oracle selects an arbitrary number $\beta$, proceeds to the $\mathfrak{F}$, and inserts the record $\left(\alpha ,\beta \right)$ to ${\mathsf{\Upsilon }}_{ɦ}$. This accomplishment of the corrupt, send, execute, and test inquiries are similar to the execution of the actual attack. Thus, we have Equation (4):

$$Pr\left[S_1\right]=Pr\left[S_0\right]$$

(4)

Game $G_2$: We simulate all inquiries in this game in the same way that we did in $G_1$, except that we halt all simulations when a collision ensues in the documents $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{Ⱳ}_{\mathcal{C}}\right\},\left\{{Ⱳ}_r,B_r\right\}$, and $\left\{D_{\mathcal{C}}\right\}$. The $ɦ$ oracles may clash with distinct input values if ${\mu }_{\mathcal{C}}$ and $B_r$ are the same locations in multiple documents. We stop the game if any of the above scenarios appear. The probability of collision in the oracle output is, at most, ${\mathcal{Q}}_{ɦ}^2/2^{l_h+1}$, according to the birthday paradox. In the documents simulation, the chance of collisions is limited to ${\left({\mathcal{Q}}_e+{\mathcal{Q}}_s\right)}^2/2^{l_{𝓉}+1}$, because ${\mu }_{\mathcal{C}}$ and $B_r$ were arbitrarily selected from a uniform distribution $F_q^{\ast }$. As a result, (5):

$$\left|Pr\left[S_2\right]-Pr\left[S_1\right]\right|\le \frac{{\mathcal{Q}}_{ɦ}^2}{2^{{𝓁}_{ɦ}+1}}+\frac{{\left({\mathcal{Q}}_s+{\mathcal{Q}}_e\right)}^2}{2^{{𝓁}_{𝓉}+1}}$$

(5)

Game $G_3$: We abort the executions in this game if the adversary $\mathfrak{F}$ guesses the authentication values ${Ⱳ}_{\mathcal{C}},{Ⱳ}_r$, and $D_{\mathcal{C}}$ by chance (that is, without having to use the hash inquiry $ɦ$). Except that the $\mathcal{R}\mathcal{S}$ (or the $\mathtt{C}$) discards a legal authentication assessment, there is no difference between $G_3$ and $G_2$. Thus, we have Equation (6):

$$\left|Pr\left[S_3\right]-Pr\left[S_2\right]\right|\le \frac{{\mathcal{Q}}_s}{2^{l_{ɦ}}}$$

(6)

Game $G_4$: The adversary’s situation is avoided in this game. $\mathfrak{F}$ predicts the authentication value ${\mathsf{\Upsilon }}_{\mathcal{C}}$ directly and correctly. At most, the probability is ${\mathcal{Q}}_s/2^{{𝓁}_{ɦ}}$. We arrive at Equation (7):

$$\left|Pr\left[S_4\right]-Pr\left[S_3\right]\right|\le \frac{{\mathcal{Q}}_s}{2^{{𝓁}_{ɦ}}}$$

(7)

Game $G_5$: In this game, we try to prevent adversary $\mathfrak{F}$ from using corrupt $\left({\mathtt{C}}_i,z\right)$ to compute the authentication value ${\mathsf{\Upsilon }}_{\mathcal{C}}$. According to the premise, oracle corrupt $\left({\mathtt{C}}_i,z\right)$ can only provide $\mathfrak{F}$ with two factors. If $\mathfrak{F}$ only has ${BIO}_{\mathcal{C}}$ and ${p\mathsf{ⱳ}}_{\mathcal{C}}$, she/he will be unable to find the session key. As a result, corrupt $\left({\mathtt{C}}_i,1\right)$ is required for $\mathfrak{F}$, and we assume $\mathfrak{F}$ has asked about it. The analysis that follows is split into two parts.

Case 1:

Assume $\mathfrak{F}$ sends a query to corrupt $\left({\mathtt{C}}_i,1\right)$ to guess the real password. The probability is ${\mathcal{Q}}_s/\left|\mathsf{ӽ}\right|$ because there are ${\mathcal{Q}}_s$ chances to send inquiries and $\left|\mathsf{ӽ}\right|$ passwords.

Case 2:

Assume $\mathfrak{F}$ inquiries corrupt $\left({\mathtt{C}}_i,0\right)$ to crack ${BIO}_{\mathcal{C}}$. There are two subcases to consider:

(a)

Within ${\mathcal{Q}}_s$, $\mathfrak{F}$ guesses ${BIO}_{\mathcal{C}}.$ Send queries. ${\mathcal{Q}}_s/2^{{𝓁}_b}$ is the probability.

(b)

$\mathfrak{F}$ tries the event of “false positive” with send inquiries using her/his biometrics. ${\mathcal{Q}}_s{ϵ}_{bm}$ is the probability.

In this game, adversary $\mathfrak{F}$ can choose between Cases 1 and 2. The games $G_5$ and $G_4$ are indistinguishable without these guessing attacks, and therefore, we have Equation (8):

$$\left|Pr\left[S_5\right]-Pr\left[S_4\right]\right|\le max\left\{\frac{{\mathcal{Q}}_s}{\left|\mathsf{ӽ}\right|},\frac{{\mathcal{Q}}_s}{2^{{𝓁}_b}},{\mathcal{Q}}_s{ϵ}_{bm}\right\}$$

(8)

Game $G_6$: In this game, instead of using the $ɦ$, we include and use the private $ɦ$’ oracle to calculate the ${SƘ}_{\mathcal{C}r}$. The adversary is unaware of ${ɦ}^{\prime }$ because he/she is a private oracle. $Pr\left[S_6\right]=1/2$ is the value we have. Except that the $\mathfrak{F}$ makes a hash inquiry $ɦ\left({\mu }_{\mathcal{C}},B_r,{Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$, the games $G_6$ and $G_5$ are indistinguishable. We call this event $Query{ɦ}_{in-6}$. Therefore, we have Equation (9):

$$\left|Pr\left[S_6\right]-Pr\left[S_5\right]\right|\le Pr\left[Query{ɦ}_{in-6}\right]$$

(9)

Game $G_7$: In this game, we simulate FCMDHP’s random self-reducibility. To build the session key ${Ƙ}_{\mathcal{C}r}$, hash entries with two chaotic map variables ${\mu }_{\mathcal{C}}=$ ${Ʈ}_{a_{\mathcal{C}}}^{\delta }\left(\vartheta \right)$ and $B_r={Ʈ}_{b_r}^{\delta }\left(\vartheta \right)$ are utilized. This game executes ${\mathsf{\Upsilon }}_{\mathcal{C}}$ without running the $ɦ$ oracle or possessing the s or ${𝒾𝒹}_{\mathcal{C}}$. As a result, the probability in this case is ${\mathcal{Q}}_h{Adv}_{\mathit{A}}^{FCMDHP}\left(t\right)+\raisebox{1ex}{${\mathcal{Q}}_{ɦ}$}\!\left/ \!\raisebox{-1ex}{$q$}\right.$. As a result, we obtain Equation (10):

$$Pr\left[Query{ɦ}_{in-6}\right]\le {\mathcal{Q}}_{ɦ}{Adv}_{\mathfrak{F}}^{FCMDHP}\left(𝓉\right)+\frac{{\mathcal{Q}}_{ɦ}}{q}$$

(10)

As a result, we manipulated Equations (3)–(10) to give the following inequality:

$${Adv}_{\mathfrak{F},succ}^P\left(ɦ\right)\le 2\left(\frac{{\mathcal{Q}}_{ɦ}^2}{2^{{𝓁}_{ɦ}-1}}+\frac{{\mathcal{Q}}_s}{2^{{𝓁}_{ɦ}-3}}+\frac{{\left({\mathcal{Q}}_s+{\mathcal{Q}}_e\right)}^2}{2^{{𝓁}_{ɦ}-1}}+\frac{{\mathcal{Q}}_{ɦ}}{2q}+{{\mathcal{Q}}_{ɦ}Adv}_{\mathfrak{F}}^{FCMDHP}\left(𝓉\right)+max\left\{\frac{{\mathcal{Q}}_s}{\left|\mathsf{ӽ}\right|},\frac{{\mathcal{Q}}_s}{2^{{𝓁}_b}},{\mathcal{Q}}_s{ϵ}_{bm}\right\}\right)$$

5.3. Informal Security Examination and Discussion

In this area, we address the security of the presented protocol informally (non-mathematically) in terms of existing known attacks and some of the proposed protocol’s core functionality characteristics.

5.3.1. User Anonymity

Due to privacy considerations, user anonymity becomes a major worry for authentication schemes. It stipulates that no one can reveal the user’s true identity without the remote server’s private key. Our technique ensures user anonymity because $\mathfrak{F}$ cannot find ${𝒾𝒹}_{\mathcal{C}}$ from any attacker login or authentication communication. In our design, the $\mathtt{C}$ never conveys the ${𝒾𝒹}_{\mathcal{C}}$ to the $\mathcal{R}\mathcal{S}$ over a public channel. Only ${D𝒾𝒹}_{\mathcal{C}}$ and ${D𝒾𝒹}_{\mathcal{C}}={𝒾𝒹}_{\mathcal{C}}\oplus ɦ\left({Ʈ}_{a_{\mathcal{C}}}^{\delta }\left({Ʈ}_s^{\delta }\left(\vartheta \right)\right)\right)$ are sent by the $\mathtt{C}$, and ${𝒾𝒹}_{\mathcal{C}}$ is protected by the arbitrary number $a_{\mathcal{C}}$. As a result of $a_{\mathcal{C}}$, the $\mathfrak{F}$ is unable to extract it from ${D𝒾𝒹}_{\mathcal{C}}$. As a result, our proposed scheme protects user privacy.

5.3.2. User Untraceability

User untraceability specifies that no two messages from the same session will be identical. If it is, $\mathfrak{F}$ will have little trouble tracing the $\mathtt{C}$. We suppose that the $\mathfrak{F}$ catches two request messages, $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{Ⱳ}_{\mathcal{C}}\right\}$ and $\left\{{D𝒾𝒹}_{\mathcal{C}}^{\ast },{\mu }_{\mathcal{C}}^{\ast },{Ⱳ}_{\mathcal{C}}^{\ast }\right\}$, which are created by the $\mathtt{C}$ in two sessions, where ${\mu }_{\mathcal{C}}={Ʈ}_{a_{\mathcal{C}}}^{\delta }\left(\vartheta \right),Ƙ\mu ={Ʈ}_{a_{\mathcal{C}}}^{\delta }\left(\left({Ʈ}_s^{\delta }\left(\vartheta \right)\right)\right),$ ${D𝒾𝒹}_{\mathcal{C}}={𝒾𝒹}_{\mathcal{C}}\oplus ɦ\left(Ƙ\mu \right)$, ${Ⱳ}_{\mathcal{C}}=ɦ\left({\mu }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ and ${\mu }_{\mathcal{C}}^{\ast }={Ʈ}_{a_{\mathcal{C}}^{\ast }}^{\delta }\left(\vartheta \right)$, ${Ƙ\mu }^{\ast }={Ʈ}_{a_{\mathcal{C}}^{\ast }}^{\delta }\left({Ʈ}_s^{\delta }\left(\vartheta \right)\right)$, ${D𝒾𝒹}_{\mathcal{C}}^{\ast }={𝒾𝒹}_{\mathcal{C}}\oplus ɦ\left({Ƙ\mu }^{\ast }\right)$, ${Ⱳ}_{\mathcal{C}}^{\ast }=ɦ\left({\mu }_{\mathcal{C}}^{\ast },{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The messages $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{Ⱳ}_{\mathcal{C}}\right\}$ and $\left\{{D𝒾𝒹}_{\mathcal{C}}^{\ast },{\mu }_{\mathcal{C}}^{\ast },{Ⱳ}_{\mathcal{C}}^{\ast }\right\}$ are different because of the random numbers $a_{\mathcal{C}}$ and $a_{\mathcal{C}}^{\ast }$. As a result, $\mathfrak{F}$ will be unable to discover the relationship between $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{Ⱳ}_{\mathcal{C}}\right\}$ and $\left\{{D𝒾𝒹}_{\mathcal{C}}^{\ast },{\mu }_{\mathcal{C}}^{\ast },{Ⱳ}_{\mathcal{C}}^{\ast }\right\}$. As a result, our suggested approach provides high user anonymity.

5.3.3. Impersonation Attack

The attacker $\mathfrak{F}$ attempts to mimic either the $\mathtt{C}$ or the $\mathcal{R}\mathcal{S}$, or both, in this attack. If $\mathfrak{F}$ achieves some sort of success, the system will not provide strong security. As a result, the $\mathfrak{F}$ cannot imitate any of the $\mathtt{C}$ or the $\mathcal{R}\mathcal{S}$ because the message $\left\{{D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},{Ⱳ}_{\mathcal{C}}\right\},\left\{{Ⱳ}_r,B_r\right\}$, and $\left\{D_{\mathcal{C}}\right\}$ cannot be fabricated by the $\mathfrak{F}$. If $\mathfrak{F}$ intends to impersonate the user, she/he must first construct an arbitrary number in order to calculate a request message. ${D𝒾𝒹}_{\mathcal{C}}={𝒾𝒹}_{\mathcal{C}}\oplus ɦ\left(Ƙ\mu \right)$ and ${Ⱳ}_{\mathcal{C}}=ɦ\left({\mu }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$ may be computed by the $\mathfrak{F}$. With a legitimate request message, to impersonate the user, the $\mathfrak{F}$ must know the assessment of ${\mathsf{\Upsilon }}_{\mathcal{C}}=ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)$ and ${𝒾𝒹}_{\mathcal{C}}$, that is, the $\mathfrak{F}$ must know the $s$ and ${𝒾𝒹}_{\mathcal{C}}$. Authentication will fail if this is not done. Similarly, the $\mathfrak{F}$ cannot deceive the user and the remote server by forging the messages $\left\{{Ⱳ}_r,B_r\right\}$, and $\left\{D_{\mathcal{C}}\right\}$. As a result, under our suggested approach, impersonating the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$ is not possible.

5.3.4. Offline Password Guessing Attack

Assume you have a competitor. $\mathfrak{F}$ obtains all of the recorded information $\left\{{\mathsf{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{Ʈ}_s^{\delta }\left(\vartheta \right),ɦ\left(·\right),{{Ʈ}^{\delta }}_{\left(·\right)}\left(\vartheta \right),Rep\left(·\right)\right\}$ from the memory of a stolen or lost $SC$ of a legitimate user $\mathtt{C}$ employing power analysis attacks. To properly guess ${p\mathsf{ⱳ}}_{\mathcal{C}}$ from ${\mathsf{Ʋ}}_{\mathcal{C}}={\mathsf{\Upsilon }}_{\mathcal{C}}{\oplus \eta }_{\mathcal{C}}=ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)\oplus ɦ\left({𝒾𝒹}_{\mathcal{C}},{p\mathsf{ⱳ}}_{\mathcal{C}},{\theta }_{\mathcal{C}}\right)$, $\mathfrak{F}$ must be aware of $\mathcal{R}\mathcal{S}$’s private key $s$, as well as $\mathtt{C}$’s biometrics ${\theta }_{\mathcal{C}}$ and ${𝒾𝒹}_{\mathcal{C}}$. In addition, knowledge of ${\theta }_{\mathcal{C}},{𝒾𝒹}_{\mathcal{C}}$, and $s$ is required to accurately guess ${p\mathsf{ⱳ}}_{\mathcal{C}}$ from $O_{\mathcal{C}}=ɦ\left({𝒾𝒹}_{\mathcal{C}},ɦ\left({𝒾𝒹}_{\mathcal{C}},{p\mathsf{ⱳ}}_{\mathcal{C}},{\theta }_{\mathcal{C}}\right),ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)\right)$. However, only ${\mathtt{C}}_i$ can supply its ${\theta }_{\mathcal{C}}$, only the $\mathtt{C}$ and $\mathcal{R}\mathcal{S}$ involved in the authentication procedure are aware of the ${𝒾𝒹}_{\mathcal{C}}$, and only $\mathcal{R}\mathcal{S}$ is aware of its secret key $s$. As a result, our technique is resistant to offline password-guessing attacks.

5.3.5. Known Key Secrecy

Even if a specific session key in the proposed technique is compromised, $\mathfrak{F}$ will not be able to discover the other session keys. ${SƘ}_{\mathcal{C}r}=ɦ\left({\mu }_{\mathcal{C}},B_r,{Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$, where ${Ƙ}_{\mathcal{C}r}={Ʈ}_{b_r{a}_{\mathcal{C}}}^{\delta }\left(\vartheta \right)$ is how our technique computes the session key. $a_{\mathcal{C}}$ and $b_r$ are generated at random and only once for each new session. As a result, in order to calculate future session keys, an attacker cannot extract any personal info from an obtained session key.

5.3.6. Temporary Information Attack on Known Sessions

In the projected system, the $\mathtt{C}$ and the $\mathcal{R}\mathcal{S}$ estimate a mutual session key in each session as ${SƘ}_{\mathcal{C}r}=ɦ\left({\mu }_{\mathcal{C}},B_r,{Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The secrecy of ${SƘ}_{\mathcal{C}r}$ is determined by the parameters ${Ƙ}_{\mathcal{C}r}={Ʈ}_{b_r{a}_{\mathcal{C}}}^{\delta }\left(\vartheta \right)$ and ${\mathsf{\Upsilon }}_{\mathcal{C}}=ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)$. The temporary secrets $a_{\mathcal{C}}$ and $b_r$ are assumed to be known by $\mathfrak{F}$. By using this information, on the one hand, the $\mathfrak{F}$ may compute ${Ƙ}_{\mathcal{C}r}={Ʈ}_{b_r{a}_{\mathcal{C}}}^{\delta }\left(\vartheta \right)$. The $\mathfrak{F}$, on the other hand, cannot compute ${\mathsf{\Upsilon }}_{\mathcal{C}}=ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)$ without being aware of the $\mathcal{R}\mathcal{S}$’s private key $s$ and the $\mathtt{C}$’s identification ${𝒾𝒹}_{\mathcal{C}}$. As a result, the $\mathfrak{F}$ cannot compute ${SƘ}_{\mathcal{C}r}=ɦ\left({\mu }_{\mathcal{C}},B_r,{Ƙ}_{\mathcal{C}r},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$; thus, our suggested strategy is resistant to this type of attack.

5.3.7. Privileged-Insider Attack

The $\mathtt{C}$ selects an ${𝒾𝒹}_{\mathcal{C}}$ and a ${p\mathsf{ⱳ}}_{\mathcal{C}}$ during the user registration process. Then, they compute $Gen\left({BIO}_{\mathcal{C}}\right)=\left({\xi }_{\mathcal{C}},{\zeta }_{\mathcal{C}}\right)$ and ${\eta }_{\mathcal{C}}=ɦ\left({𝒾𝒹}_{\mathcal{C}},{p\mathsf{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}\right)$, and sends $\left\{{𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}}\right\}$ to the $\mathcal{R}\mathcal{S}$ through a secure channel. Nevertheless, due to the one-way of $ɦ\left(·\right)$, an insider client of the $\mathcal{R}\mathcal{S}$ who is an adversary is unable to extract ${p\mathsf{ⱳ}}_{\mathcal{C}}$ and ${BIO}_{\mathcal{C}}$ from $\left\{{𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}}\right\}$. As a result, our suggested solution resolves the problem caused by the privileged-insider attack.

5.3.8. Password and Biometrics Change Attack

The $SC$ of an approved registered user $\mathtt{C}$ first authenticates the user by computing ${\xi }_{\mathcal{C}}=Rep\left({BIO}_{\mathcal{C}}^{\prime },{\zeta }_{\mathcal{C}}\right)$, ${\mathsf{\Upsilon }}_{\mathcal{C}}={\mathrm{Ʋ}}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}}$ and, ${\eta }_{\mathcal{C}}=\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{p\mathrm{ⱳ}}_{\mathcal{C}},{\xi }_{\mathcal{C}}\right)$, and then validating the condition $\mathrm{ɦ}\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)=O_{\mathcal{C}}$ based on the user’s initiated identity ${𝒾𝒹}_{\mathcal{C}}$, ${p\mathrm{ⱳ}}_{\mathcal{C}}$, and ${BIO}_{\mathcal{C}}^{\prime }$. The $SC$ will allow you to alter your password and biometrics if this condition is met. As a result, updating the password and biometrics of $\mathtt{C}$ without knowing the private integrity ${𝒾𝒹}_{\mathcal{C}},{p\mathrm{ⱳ}}_{\mathcal{C}},{BIO}_{\mathcal{C}}^{\prime }$ is a computationally infeasible assignment for $\mathfrak{F}$. As a result, the presented protocol protects against password and biometrics change attacks.

5.3.9. Efficient Password and Biometrics Change

Through the password and biometrics change stage of the presented technique, a legitimately registered user $\mathtt{C}$ inserts her/his identification, biometrics, and current password into her/his smart card to update the recent password and biometrics. The $\mathtt{C}$ can update the password and biometrics if all of the secret integrity entered are correct. The password and biometrics are then updated locally in the smart card’s memory, bypassing the remote server $\mathcal{R}\mathcal{S}$. As a result, the stage of changing passwords and biometrics goes smoothly.

5.3.10. Three-Factor Confidentiality

Three-factor confidentiality means that even if one or both authentication parameters are exposed, the adversary will not impersonate the user successfully. In the following three cases, we demonstrate that our technique ensures three-factor confidentiality:

• If the user’s smart card and biometrics are revealed, the adversary $\mathfrak{F}$ attempts to crack the password. On the one hand, the parameters $\left\{{\mathsf{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{Ʈ}_s^{\delta }\left(\vartheta \right),ɦ\left(·\right),{{Ʈ}^{\delta }}_{\left(·\right)}\left(\vartheta \right),Rep\left(·\right)\right\}$ and ${\xi }_{\mathcal{C}}$ are obtained by the $\mathfrak{F}$, where ${\mathsf{Ʋ}}_{\mathcal{C}}={\mathsf{\Upsilon }}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}},$ and $O_{\mathcal{C}}=ɦ\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The $\mathfrak{F}$, on the other hand, is unable to reveal ${p\mathsf{ⱳ}}_{\mathcal{C}}$ because ${\mathsf{\Upsilon }}_{\mathcal{C}}=ɦ\left(s,{𝒾𝒹}_{\mathcal{C}}\right)$, where $s$ is known only to the $\mathcal{R}\mathcal{S}$ and ${𝒾𝒹}_{\mathcal{C}}$ is known only to the user.
• If the user’s smart card and password are revealed, on the one hand, the $\mathfrak{F}$ obtains the parameters $\left\{{\mathsf{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},\vartheta ,{Ʈ}_s^{\delta }\left(\vartheta \right),ɦ\left(·\right),{{Ʈ}^{\delta }}_{\left(·\right)}\left(\vartheta \right),Rep\left(·\right)\right\}$, and ${p\mathsf{ⱳ}}_{\mathcal{C}}$, where ${\mathsf{Ʋ}}_{\mathcal{C}}={\mathsf{\Upsilon }}_{\mathcal{C}}\oplus {\eta }_{\mathcal{C}}$ and $O_{\mathcal{C}}=ɦ\left({𝒾𝒹}_{\mathcal{C}},{\eta }_{\mathcal{C}},{\mathsf{\Upsilon }}_{\mathcal{C}}\right)$. The $\mathfrak{F}$, on the other hand, is unable to deduce ${\xi }_{\mathcal{C}}$ from $O_{\mathcal{C}}$ and ${\mathsf{Ʋ}}_{\mathcal{C}}$ because it must simultaneously guess correct ${𝒾𝒹}_{\mathcal{C}},{\xi }_{\mathcal{C}}$, and $s$.
• The $\mathfrak{F}$ tries to crack the smart card’s specifications if the biometrics and password are disclosed. Because ${\mathsf{\Upsilon }}_{\mathcal{C}}$ is unavailable, retrieving the critical factor $O_{\mathcal{C}}$ is impossible.

5.3.11. Clock Synchronization Issue

Unlike many previous SIPs, the presented SIP might work even if the clock is out of sync, providing adequate communication between the recipient and the sender. Since the timestamp is merely relevant to the receiver’s clock, synchronized clocks are not necessary. He/she only verifies the timestamp generated by the recipient.

6. Performance Evaluation

In this segment, we compare the proposed protocol’s communication, computation, and smart card storage costs to those of other relevant SIPs, such as [3,6,13,18,19,35]. We state that the presented SIP involves two major stages: login/authentication and the key establishment, which must be completed each time the system is accessed. As a result, we simply look at the phases of login/ authentication and the key establishment in this segment. All of the comparisons are described in detail below.

6.1. Computation Cost Analysis

The notations used for comparison estimations are listed in Table 2. We signify certain notations and their implementation times on an Intel Pentium 4 2600 MHz processor with 1024 MB RAM, as conducted in [3], and given in Table 3. To estimate the effectiveness of the presented SIP and compare it to earlier SIPs, we ignore the bitwise XOR operation because it is insignificant.

Table 2. Syntaxes for making comparative estimates.

Syntaxes	Description
${ȶ}_{hash}$	The execution time of the hash function
${ȶ}_{sym}$	The execution time of symmetric key decryption/encryption
${ȶ}_{mul}$	The execution time of ellipse curve point multiplication
${ȶ}_{chos}$	The execution time of the Chebyshev map operation
${ȶ}_{fchos}$	The execution time of fractional Chebyshev map operation
${ȶ}_{fuzzy}$	The execution time of fuzzy extractor operation

Table 3. The computation costs comparison.

Protocols	Computational Cost	Running Time (In Milliseconds)
[6]	${7ȶ}_{mul}+{8ȶ}_{hash}$	445.6
[13]	${4(ȶ}_{mul}+{2ȶ}_{hash})$	256.4
[18]	$2(3{ȶ}_{mul}+5{ȶ}_{hash})$	383.5
[19]	${7ȶ}_{mul}+10{ȶ}_{hash}$	446.6
[35]	${4ȶ}_{mul}+10{ȶ}_{hash}+2{ȶ}_{sym}+{ȶ}_{fuzzy}$	337.8
[3]	${6ȶ}_{chos}+9{ȶ}_{hash}+{ȶ}_{fuzzy}$	193.7
Proposed SIP	${6ȶ}_{fchos}+9{ȶ}_{hash}+{ȶ}_{fuzzy}$	126.5

According to [3], the execution time for ${ȶ}_{hash}$, ${ȶ}_{sym}$, ${ȶ}_{mul}$, ${ȶ}_{chos}$, ${ȶ}_{fuzzy}$, and ${ȶ}_{fchos}$ for $\delta =0.75$ [45] are given by 0.5 ms, 8.7 ms, 63.08 ms, 21.02 ms, 63.08 ms, and 9.82 ms, respectively. We compare the computational cost of the presented protocol with the other associated SIPs [3,6,13,18,19,35]. Table 3 shows the comparison of computational cost results. These findings indicate that the presented protocol is more efficient than other SIP schemes.

6.2. Communication Cost and Smart Card Storage Assessment

In this subsection, we compare our proposed SIP to comparable SIPs in terms of smart card storage and communication costs. The SHA-1 hash function is used, and its output length is 160 bits. The identity/password/arbitrary number is 64 bits long. The output of the Chebyshev chaotic map (CCM) is 128 bits long. The function $Gen\left(·\right)$ returns a tuple with 80 bits for each component. The smart card in our proposed SIP holds $<{\mathsf{Ʋ}}_{\mathcal{C}},O_{\mathcal{C}},{\zeta }_{\mathcal{C}},{Ʈ}_s^{\delta }\left(\vartheta \right)>$, and the storage cost is $2\times 160+128+80=528$ bits. As a result, our proposed SIP significantly reduces smart card storage capacity. In our login, authentication and key formation process, the $\mathtt{C}$ first sends ${D𝒾𝒹}_{\mathcal{C}},{\mu }_{\mathcal{C}},\mathrm{a}\mathrm{n}\mathrm{d}{Ⱳ}_{\mathcal{C}}$ to the $\mathcal{R}\mathcal{S}$ at a cost of $2\times 160+128=448$ bits. Then, the $\mathcal{R}\mathcal{S}$ sends ${Ⱳ}_r \mathrm{a}\mathrm{n}\mathrm{d} B_r$ to the $\mathtt{C}$ at a cost of $128+160=288$ bits. Lastly, the $\mathtt{C}$ transmits $D_{\mathcal{C}}$ to the $\mathcal{R}\mathcal{S}$ at a cost of $160$ bits. As a result, the overall cost of communication is $488+288+160=896$ bits. We also compute the costs of communication and smart card storage [3,6,13,18,19,35], as shown in Figure 4.

Figure 4. A comparison of the costs of communication and smart card storage.

6.3. Analysis of Security and Functionality

Table 4 provides a full comparison of various security attacks and functionality aspects. As shown in Table 4, our suggested SIP solves the security and functionality flaws prevalent in existing SIPs. Among the contenders, the work in [3] appears to show related results to the results of the current study. However, the work in [3] failed the clock synchronization attack, whereas our presented scheme successfully resolved the clock synchronization problem. Regarding running costs, our scheme also shows favorable costs compared to the scheme reported in [3], as shown in Table 4.

Table 4. Comparison of security and functionality attributes.

Security Features	[6]	[13]	[18]	[19]	[35]	[3]	Proposed SIP
${\mathsf{Տ}F}_1$	⊠	⊠	☑	☑	☑	☑	☑
${\mathsf{Տ}F}_2$	☑	☑	☑	☑	⊠	☑	☑
${\mathsf{Տ}F}_3$	☑	⊠	⊠	⊠	☑	☑	☑
${\mathsf{Տ}F}_4$	☑	☑	☑	☑	☑	☑	☑
${\mathsf{Տ}F}_5$	⊠	☑	☑	☑	⊠	☑	☑
${\mathsf{Տ}F}_6$	⊠	⊠	⊠	☑	⊠	☑	☑
${\mathsf{Տ}F}_7$	☑	☑	☑	⊠	☑	☑	☑
${\mathsf{Տ}F}_8$	☑	☑	⊠	⊠	☑	☑	☑
${\mathsf{Տ}F}_9$	⊠	⊠	⊠	☑	☑	☑	☑
${\mathsf{Տ}F}_{10}$	⊠	⊠	☑	☑	☑	☑	☑
${\mathsf{Տ}F}_{11}$	⊠	⊠	⊠	⊠	⊠	⊠	☑

${\mathsf{Տ}F}_1$, stolen smart card attack; ${\mathsf{Տ}F}_2$, offline password guessing attack; ${\mathsf{Տ}F}_3$, strong replay attack; ${\mathsf{Տ}F}_4$, privileged insider attack; ${\mathsf{Տ}F}_5$, impersonation attack; ${\mathsf{Տ}F}_6$, user anonymity provision; ${\mathsf{Տ}F}_7$, efficient password change; ${\mathsf{Տ}F}_8$, login phase efficiency; ${\mathsf{Տ}F}_9$, mutual authentication; ${\mathsf{Տ}F}_{10}$, stolen smart card attack; ${\mathsf{Տ}F}_{11}$, clock synchronization problem. Note: ☑: Secure; ⊠: Vulnerable.

7. Conclusions

In this paper, we proposed a lightweight, provably, protected three-factor session initiation protocol in human-centered IoT. We used the ROR model for formal security analysis, and the results indicated that our proposed SIP provides session key security. Additionally, we performed an informal security analysis to demonstrate that our proposed SIP could withstand various existing attacks. Based on the FCCM-CDH problem’s hardness assumption, the proposed SIP is provably secure. Lastly, through a rigorous performance assessment, we showed that it significantly decreased total computing time, smart card storage, and communication costs compared to other associated protocols. Future studies will analyze the presented protocol in a simulated and real-world context to further investigate the performance characteristics. In addition, the projected technique would be tested using Bergamo’s and other security attacks to demonstrate its efficacy.