Conformal Chebyshev chaotic map-based remote user password authentication protocol using smart card

Abstract

With the rapid advancement and growth of computer networks, there have been greater and greater demands for remote user password authentication protocols. In current ages, smartcard-based authentication protocol has formed the standard with their incredibly insubstantial, user-friendly equipment and low-cost apps. In this study, we proposed an effective robust authentication protocol using the conformable chaotic map, where a conformable calculus is a branch of newly appearing fractional calculus. It has a magnificent property, because it formulates using a controller term. We shall also offer formal proof of smooth execution of the proposed authenticated protocol. Our new protocol is more secure as compared to several comparable protocols.

Introduction

In recent years, research in chaotic maps and their applications within the field of cryptography has acquired significant attention Chaotic frameworks are defined by subtle need on initial situations and proximity to random behavior; features that appear to be fundamentally analogous to those needed by certain cryptographic primitives [1, 2]. In his doctoral thesis in 1993, Hwu [3] introduced the idea of chaos theory to public-key cryptography (PKC). He defined his chaotic development of a PKC with a quadratic equation of difference and a one-dimensional equation of difference (1DDE), which is a well-qualified one-way function. In contrast, Hwu’s scheme uses ElGmal’s method [4] to execute the cycle of encryption. The security of this scheme is based on the infeasibility of resolving the given discrete logarithm over finite fields. Nonetheless, it is possible to work out a trapdoor by letting the true owner know the reiteration times of the distinguishing condition.

The smartcard-founded remote client authentication system allows a device to authenticate a remote client through open, unsafe networks. In general, one of the two approaches next is used by a system to identify a client such as (a) use something that is accessible only to the client, like a password, (b) single client has permitted admission to use something, like a smart card (SC). The smartcard-founded authentication utilizes both methods and, therefore, it occasionally mentioned to as two-factor authentication. An authentication protocol based on a smartcard password requires an Authentication Server (AS) and a Client (C). The protocol typically has three main phases: the phase of registration, the phase of login and the phase of authentication. However, sometimes using the smart card, usually with the aid of AS, there may also be an additional stage for changing the password of the user. To date, a number of remote client password authentication protocols using SC have been published [5,6,7, 9, 10] with the purpose of providing stable and well-organized authentication services to connected clients. Nevertheless, furthermost of such systems are vulnerable to cryptographic occurrences online.

Xu et al. [7] planned a password confirmation procedure using SC. Nonetheless, Song et al. [9] and Sood et al. [10] recognized certain limitations in the template of Xu et al. [7]. Song et al. [9] demonstrated that an attacker can collect information from the SC of a legal client and thus launch an impersonation attack [11,12,13]. Song [8] suggested an improved form of the design of Xu et al. to solve the problem. Sood et al. [10] also introduced the upgraded form of the protocol of Xu et al. in 2010, by solving the problems of off-line password guessing and the spoofing attacks contained in the protocol of Xu et al. In 2013, yet, Chen et al. [5] found that both the protocol of Song et al. [8] and the protocol of Sood et al. [10] consumed security errors. Song's device is vulnerable to check the stolen smartcard attack besides offline password guessing attack, while Sood et al.’s protocol cannot do the shared authentication. An improved remote user password authentication protocol based on a SC was subsequently projected by Chen et al. [14]. Li et al. [15] argued at about the same time that the protocol of Chen et al. was unable to recognize incorrect passwords and during the login process did not provide security. He also argued that the password change process of Chen et al. was not feasible, because the database had to upgrade the old passwords.

In 2016, Islam [16] demonstrated that Li et al.’s [15] protocol is not single susceptible to a recognized session-specific provisional knowledge occurrence, a stolen smart card attack and an insider attack, but correspondingly lacks a mechanism to withdraw the stolen smart card. The proposed protocol of Islam has a noteworthy performance in falling the cost of computation. Li et al. [17] established in the random oracle (RO) model using chaotic maps based on computational Diffie-Hellman hypothesis, novel client authentication and key agreement procedure using chaotic maps for multi-server settings with known security. Luo et al. [18] introduced a dual-party strategic contract rules using chaos map with proven protection and outcomes show that the protocol could solve off-line password-guessing attacks. Li et al. [19] introduced a new triple-party password-based valid strategic argument procedure using chaotic maps with operator secrecy and demonstrated that the protocol is protect with appropriate computational complexity and overhead communication. In 2019, Zhao et al. [20] demonstrated an active three-factor remote user confirmation procedure using chaotic maps and demonstrated that the protocol offers a solider safety security at the charge of appropriate directly above computing and is suitable for secure mobile network communication. Dharminder and Gupta [21] discussed the security evaluation-related issues and application of Chebyshev chaotic map in the authentication protocols. In 2020, Mishra et al. [22] demonstrated a mutual authentication protocol using chaotic maps for vehicular cloud computing, with the goal of ensuring security and efficient communication while preserving anonymity. In 2021, Meshram et al. [23] presented efficient password-based authentication protocol for smart cities environments.

Fractional calculus (FC) and its presentations are essential in quite a lot of fields of mathematical sciences. The actual presentation of FC is considering the nonlinearity. It extended the concepts of integer order derivation. FC introduces an outstanding mechanism for the sketch the common possessions of different materials and developments. The benefits of FC converted specious in information technology, signal and vision processing and fractional chaotic map (see [24, 25]). Recently, different types of FC have imposed. One of these recent calculi is calling the conformable calculus (CC).

Our contribution

As outline mention above, we proposed a new protocol in this paper that assists the client to modify the password directly deprived of any assistance from AS. Furthermore, we provide the ability to reject a lost/stolen smartcard in order to reissue another card to the same client. All remote-related internet transactions require authentication mechanisms. As a result, it is vital to ensure that these protocols work properly so that the entire system can run smoothly. Despite the fact that the various approaches outlined above have had significant success in lowering the cost of computation, security flaws and inconvenience have been identified. To achieve the conformable calculus, we devised a new authentication mechanism based on conformable chaotic-map (CCM). The main security and presentation analysis confirms that the suggested approach has the following advantages (shown in Fig. 1):

1. (i)

   Identification of a wrong password by the smart-card without the involvement of the authentic server;

2. (ii)

   Replacement and selection of a password by client without the participation of the authentic server;

3. (iii)

   Protection of the session key from known active/passive attacks;

4. (iv)

   The security evaluation proof is done by utilizing the Real-Or-Random (ROR) model;

5. (v)

   Lower computation cost and adds better security aspects.

Fig. 1

Graphical overview of protocol

Road map of the article

The remainder of the paper is laid out as follows. “Mathematical backgrounds” describes the basic info, which includes a brief summary of the associated methods and a list of representations employed throughout this work. “Proposed authentication protocol” illustrates our presented authentication protocol. In “Security analysis in ROR model”, we will determine the security evaluation under the ROR Model. The suggested protocol's security investigation is shown in “Other security examination and discussion of the proposed protocol”. “Contrast with other protocols with experimental complexity evaluation” displays the results of our security argument as well as the proposed protocol's computing cost. “Conclusion” is where the conclusion is reached.

Mathematical backgrounds

This segment includes a brief outline of a few algorithms used by our presented protocol, Conformable Chebyshev polynomial, conformable chaotic maps and a list of notations (see Table 1) used throughout this paper.

Table 1 Symbolization to use in our new procedure

Chebyshev chaotic transforms

Basically, we review Chebyshev successive polynomials (CP) (see [26]) and evaluate their functionality. CP \({\mathcal{T}}_{\mathrm{r}}\left( z \right)\) is a polynomial of \(n\)-degree in the variable \( z \). Let \( z \in [-1, 1]\) be the type, and let \(n\) be an integer. CP mentioned the following in general:

$$\begin{aligned}&{\mathcal{T}}_{n}\left( z \right) = \mathrm{cos}(n \times \mathrm{arccos}( z )),\\ &{\mathcal{T}}_{0}\left( z \right) = 1\\ & {\mathcal{T}}_{1}( z )= z \\ & {\mathcal{T}}_{n}( z ) = 2 z {\mathcal{T}}_{n-1}( z )-{\mathcal{T}}_{n-2}( z );n\ge 2\end{aligned}$$

In this circumstance, the functionals \(\mathrm{arccos}( z )\) and \(\mathrm{cos}( z )\) characterized as \(\mathrm{arccos}: \left[-1, 1\right]\to \left[0,\uppi \right]\) and \(\mathrm{cos}:\mathrm{ R}\to \left[-1, 1\right]\).

There are two primary characteristics of CP [27,28,29] and [40, 41]: bisection-group and chaotic properties.

1. (1)

   The chaotic properties: The CP transform fixed as \({\mathcal{T}}_{r}: \left[-1, 1\right]\to \left[-1, 1\right]\) with degree\(n > 1\), is a chaotic transform associated the functional (invariant density) \({f}^{*}\left( z \right)=\frac{1}{\left(\uppi \sqrt{1-{ z }^{2}}\right)}\) for some positive Lyapunov exponent exponent \(\lambda = \text{In}\; n > 0\).

2. (2)

   The properties of what is calling semi-group satisfy the subsequent impartialities:

   \({\mathcal{T}}_{\fancyscript{w}}\left({\mathcal{T}}_{\fancyscript{l}}\left( z \right)\right)=\mathrm{cos}\left(\fancyscript{w}{\mathrm{cos}}^{-1}\left(\mathrm{cos}\left(\fancyscript{l}{\mathrm{cos}}^{-1}\left( z \right)\right)\right)\right)=\mathrm{ cos}(\fancyscript{w}\fancyscript{l}{\mathrm{cos}}^{-1}( z ))={\mathcal{T}}_{\fancyscript{l}\fancyscript{w}}( z )={\mathcal{T}}_{\fancyscript{l}}({\mathcal{T}}_{\fancyscript{w}}( z ))\), where \(\fancyscript{w}\) and \(\fancyscript{l}\) are positive integers and \( z \in [-1, 1].\)

Chebyshev polynomials have two tests that consider handling in polynomial time:

1. (1)

   The DL's task is to discover \(\fancyscript{w}\) an integer with the final aim of \({\mathcal{T}}_{\fancyscript{w}}\left( z \right)=\fancyscript{y}\) given two components, \( z \) and \(\fancyscript{y}\).

2. (2)

   For three variables \( z \), \({\mathcal{T}}_{\fancyscript{w}}\left( z \right)\), and \({\mathcal{T}}_{\fancyscript{l}}\left( z \right)\), the Diffie-Hellman problems (DHP) task is to measure the \({\mathcal{T}}_{\fancyscript{w}\fancyscript{l}}\left( z \right)\) element.

Conformable chaotic maps (CCM)

The conformable calculus (CC) previously stated to as a conformable fractional calculus [41]. However, it strains definite of the established upon properties for fractional calculus (derivatives of non-integer power). CC works on the basis of the following arrangement. Let \({\beta }\in [0,1]\). If and only if \({\delta }^{0}\) is the identity operator and \({\delta }^{1}\) is the classical differential operator, a differential operator \({\delta }^{\beta }\) is conformable. \({\delta }^{\beta }\) is conformable if and only if \(\vartheta \) =\(\vartheta \) \((x)\) given a differentiable function.

$${\delta }^{0} \vartheta \left(x\right)=\vartheta \left(x\right),\quad {\delta }^{1}\vartheta \left(x\right)={\vartheta }^{^{\prime}} \left(x\right).$$

Newly, Anderson and Ulness [42] presented a novel formulation of CC founded by the control theory to designate the performance of proportional-differentiation controller conforming to error function. The formula has the next definition.

Definition 2.1

Let \(\beta \in [0, 1]\) then CC has in the succeeding formal

$${\delta }^{\beta }\vartheta \left(x\right)= {\mu }_{1}\left(\beta ,x\right)\vartheta \left(x\right)+{\mu }_{0} \left(\beta ,x\right){\vartheta }^{^{\prime}}(x),$$

where the functions \({\mu }_{0}\) and \({\mu }_{1}\) attain the boundaries

$$\begin{aligned}& \underset{{\beta }\to 0}{\mathrm{lim\,}}{\mu }_{1}\left(\beta ,x\right)=1, \underset{{\beta }\to 1}{ \mathrm{lim\,}}{\mu }_{1}\left(\beta ,x\right)=0,\\ & \quad \underset{{\beta }\to 0}{\mathrm{lim\,}}{\mu }_{0}\left(\beta ,x\right)=0, \underset{{\beta }\to 1}{ \mathrm{lim\,}}{\mu }_{0}\left(\beta ,x\right)=1. \end{aligned}$$

We will deliberate to obtain the overhead description.

$$\begin{aligned}&{\mu }_{1}\left(\beta ,x\right)=\left(1-\beta \right){x}^{\beta }\,\mathrm{and} \,{\mu }_{0}\left(\beta ,x\right)=\beta {x}^{1-\beta },\, \mathrm{or}\\ & \quad {\mu }_{1}\left(\beta ,x\right)=\frac{(1-\beta )}{\Gamma (1+\beta )} \, \mathrm{and}\, {\mu }_{0}\left(\beta ,x\right)=\frac{\beta }{\Gamma (1+\beta )},\end{aligned}$$

where the conformable differential operator for the function \(\vartheta \left(x\right)\) is \({\delta }^{\beta }\vartheta \left(x\right)\). As a result, \({\mu }_{1},{\mu }_{0}\) correspond to the fractional tuning connections of the function ϑ and its derivative.

We get the following construction by using the idea of CC to generalize the polynomial \({\mathcal{T}}_{n}( z ):\)

Since \({\mathcal{T}}_{n}^{^{\prime}}\left( z \right)=2n {\mathcal{T}}_{n-1}( z )\), then \({\delta }^{\beta }{\mathcal{T}}_{n}( z )\) has the following formal

$${{{\mathcal{T}}_{n}}^{\beta }\left( z \right):= \delta }^{\beta }{\mathcal{T}}_{n}\left( z \right)= {\mu }_{1}\left(\beta ,z\right){\mathcal{T}}_{n}\left( z \right)+{\mu }_{0} \left(\beta ,z\right){\mathcal{T}}_{n}^{^{\prime}}\left( z \right).$$

(1)

In frequent formula (1) can replace by

$${{\mathcal{T}}_{n}}^{\beta }\left( z \right)={\mu }_{1}\left(\beta ,z\right){\mathcal{T}}_{n}\left( z \right)+{2n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right){\mathcal{T}}_{n-1}\left( z \right) ,$$

(2)

where \(\omega ( z )= 1+2 z +(4{ z }^{2}-1)+\dots +(n-1)\)-times. Equation (2) is called the Conformable Chebyshev polynomials (CCP). Figure 2 displays the dynamic plot of the offered CCP. The following is the consequence of the formula that is used more frequently.

Proposition 2.1

The CCP satisfies the most common relationships.

$${{\mathcal{T}}_{n}}^{\beta }\left( z \right)=[2z{\mu }_{1}\left(\beta ,z\right){+{2n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right)]\mathcal{T}}_{n-1}\left( z \right)-{ \mu }_{1} \left(\beta ,z\right){\mathcal{T}}_{n-2}\left( z \right) .$$

(3)

Proof

Linking (2) with the frequent formula \({\mathcal{T}}_{n}( z ) = 2 z {\mathcal{T}}_{n-1}( z )-{\mathcal{T}}_{n-2}( z );n\ge 2\), we have

$$\begin{aligned}&{{\mathcal{T}}_{n}}^{\beta }\left( z \right)= {\mu }_{1}\left(\beta ,z\right){\mathcal{T}}_{n}( z )+{2n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right){\mathcal{T}}_{n-1}\left( z \right)\\ & \quad = {\mu }_{1}\left(\beta ,z\right)[2 z {\mathcal{T}}_{n-1}( z )-{\mathcal{T}}_{n-2}( z )]+{2n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right){\mathcal{T}}_{n-1}\left( z \right)\\ & \quad =[2z{\mu }_{1}\left(\beta ,z\right){+{2n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right)]\mathcal{T}}_{n-1}\left( z \right)-{ \mu }_{1} \left(\beta ,z\right){\mathcal{T}}_{n-2}\left( z \right).\end{aligned}$$

It's worth noting that when β → 0, we get the main ordinary result, as shown in [29].

Proposition 2.2

The semi-group properties clamps for CCP situated on interval (− ∞, ∞).

Proof

Let \(H=z{\mu }_{1}\left(\beta ,z\right)+{n \mu }_{0} \left(\beta ,z\right)* \omega \left(z\right) z{\mu }_{1}\left(\beta ,z\right).\) By Proposition 2.1, we obtain

$${{\mathcal{T}}_{n+2}}^{\beta }\left( z \right)= 2H{\mathcal{T}}_{n+1}\left( z \right){- \mu }_{1} \left(\beta ,z\right){\mathcal{T}}_{n}\left( z \right).$$

The overhead formulation implies a modification equation (disconnected equation) with a well-known principle.

$${\sigma }^{2}-2H\sigma +{\mu }_{1}=0.$$

Satisfying the relations

$${\sigma }_{1}+ {\sigma }_{2}=2H, {\sigma }_{1} {\sigma }_{2}={\mu }_{1}, {\sigma }_{\mathrm{1,2}}=H\pm \sqrt{{H}^{2}{-\mu }_{1}}.$$

A computation yields that

$$\begin{aligned} {{\mathcal{T}}_{n}}^{\beta }\left( z \right)&={{(\sigma }_{1}}^{n}+ {{\sigma }_{2}}^{n})/2\\ & = \frac{{(H+\sqrt{{H}^{2}{-\mu }_{1}})}^{n}+{(H-\sqrt{{H}^{2}{-\mu }_{1}})}^{n}}{2} \\ & =\sum_{m=0}^{[n/2]}\left(\begin{aligned}{n}\\{m}\end{aligned} \right) {H}^{n-2m}{({H}^{2}-{\mu }_{1})}^{m}. \end{aligned}$$

Resulting the proof in [31] on the overhead summation, we get

$$\begin{aligned}& {{\mathcal{T}}_{k}}^{\beta }\left({{\mathcal{T}}_{n}}^{\beta }\left( z \right)\right)= {{(\tau }_{1}}^{k}+ {{\tau }_{2}}^{k})/2\\ & \quad {\tau }_{1}+ {\tau }_{2}=2{{\mathcal{T}}_{n}}^{\beta }\left( z \right), {\sigma }_{1} {\sigma }_{2}={\mu }_{1}.\end{aligned}$$

Hence, we have the important relation

$${{\mathcal{T}}_{k}}^{\beta }\left({{\mathcal{T}}_{n}}^{\beta }\left( z \right)\right)= {{\mathcal{T}}_{n}}^{\beta }\left({{\mathcal{T}}_{k}}^{\beta }\left( z \right)\right)={{\mathcal{T}}_{kn}}^{\beta }\left(z\right).$$

When β→ 0 is used, we get the original case of Proposition 2.2, which is described in [29] (Fig. 2).

Fig. 2

CCP for different values of β with \({\mu }_{1}\left(\beta ,x\right)=\frac{(1-\beta )}{\Gamma (1+\beta )}\; \mathrm{and}\; {\mu }_{0}\left(\beta ,x\right)=\frac{\beta }{\Gamma (1+\beta )}\) [55]

The DL and assignments for the CCP are approximately DHP occur at this point.

Proposed authentication protocol

We will present the new password authentication protocol in this section. As mentioned below, our proposed protocol includes five different phases. Figure 3 is the workflow of the planned protocol. The stages for every of the five phases are conferred in next investigation.

Fig. 3

Proposed authentication protocol

Registration phase

This is a preliminary phase that arises when a client interacts with the remote AS database for only one time. The steps that must be taken are:

ℛ1::

First, a \({\mathcal{C}}_{i}\) client picks an identity like \({\fancyscript{i}\fancyscript{d}}_{i}\) and a secure password like \({\fancyscript{p}\fancyscript{w}}_{i}\). Otherwise, the client will measure \({\mathcal{R}\fancyscript{p}\fancyscript{w}}_{i}=\fancyscript{h}({b}_{i}\oplus {\fancyscript{p}\fancyscript{w}}_{i})\), wherever \({b}_{i}\) an arbitrary numeral charge is.

ℛ2::

\({\mathcal{C}}_{i}\to AS: \left\{{\fancyscript{i}\fancyscript{d}}_{i}, {\mathcal{R}\fancyscript{p}\fancyscript{w}}_{i}\right\}\) is a secure channel of communication.

ℛ3::

Upon getting the demand for registration after the local \({\mathcal{C}}_{i}\) at time \({T}_{i},\) AS will verify whether it exists. If it occurs then mater AS will reject the application for recording; Else it will continue to produce a \(SC\) individuality \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\) detailed to \({\mathcal{C}}_{i}\) and measure \({\mathcal{V}}_{i}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||x||{\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i})\), \(T{\fancyscript{i}\fancyscript{d}}_{i}=\fancyscript{h}({T}_{i}||x)\) and \({SD}_{i}={\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\oplus T{\fancyscript{i}\fancyscript{d}}_{i}\).

Note that AS stores \(\{T{\fancyscript{i}\fancyscript{d}}_{i},\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}), S{D}_{i}\}\) in its database for each \({\mathcal{C}}_{i}\) user, where \(x\) is a hidden key to the server.

ℛ4::

\(AS\to {\mathcal{C}}_{i}\), a \(SC\) containing \(\{{\mathcal{V}}_{i}, {\fancyscript{q}}_{1},\fancyscript{h}(.)\}\) along with \({T}_{i}\) and \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\) to the client \({\mathcal{C}}_{i}\) by incomes of a protected network of correspondence.

ℛ5::

\({\mathcal{C}}_{i}\) computes \({B}_{i}\), \({\mathcal{A}}_{i}\), \({\mathcal{R}}_{i}\), \({S}_{i}\) and inscribes these tenets to the \(SC\) after obtaining the SC. Currently the \(SC\) covers \(\left\{{\mathcal{A}}_{i}, {B}_{i}, {\mathcal{R}}_{i}, {S}_{i},{\fancyscript{q}}_{1},\fancyscript{h}\left(.\right)\right\}\), where \({B}_{i}= {\mathcal{V}}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{A}}_{i}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i})\),\({\mathcal{R}}_{i}= {b}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({S}_{i}= {T}_{i}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{b}_{i}||{\fancyscript{p}\fancyscript{w}}_{i})\).

Login phase

To obtain facility from \(AS\), a \({\mathcal{C}}_{i}\) client has to lodge his/her \(SC\) into the card peruse and consent their \({\fancyscript{i}\fancyscript{d}}_{i}\) and \({\fancyscript{p}\fancyscript{w}}_{i}\). SC then completes the steps that result.

\({\mathcal{L}}1:\):

Calculate: \({b}_{i}= {\mathcal{R}}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{V}}_{i}^{^{\prime}}= {B}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{A}}_{i}^{*}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i})\).

\({\mathcal{L}}2:\):

Relate the measured \({A}_{i}^{*}\) and \({A}_{i}\) stowed in SC of \({\mathcal{C}}_{i}\). If together are the same, the credibility of the client's will be remembered, and SC will income the following move.

\({\mathcal{L}}3:\):

For a session, pick an arbitrary \(\alpha \) number and evaluate: \({D}_{i} = {\mathcal{T}}_{\alpha {b}_{i}}^{\beta }({\mathcal{V}}_{i})(mod {\fancyscript{q}}_{1})\),\({T}_{i} = {S}_{i}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{b}_{i}||{\fancyscript{p}\fancyscript{w}}_{i})\),\({M}_{i}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{\mathcal{V}}_{i}||{D}_{i}|| {T}_{i} || {T}_{1})\), where \({T}_{1}\) is the existing time, \(D{\fancyscript{i}\fancyscript{d}}_{i} = {\fancyscript{i}\fancyscript{d}}_{i}\oplus \fancyscript{h}({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i} ||{ T}_{1} ||{ T}_{i})\).

\({\mathcal{L}}4:\):

SC sends the message \(\left\{D{\fancyscript{i}\fancyscript{d}}_{i}, {D}_{i},{M}_{i},{ T}_{i},{T}_{1}\right\}\) of the login query to AS.

Authentication stage

After getting the access demand email from \({\mathcal{C}}_{i},\) AS carries out the following undertakings at the time \({T}_{1}^{^{\prime}}\):

\({\mathbb{A}}1:\):

Check the time stamp validity by checking if \(({T}_{1}^{^{\prime}} -{T}_{1})\leq \Delta t\). If the time stamp checks out, the following steps will be performed by AS.

\({\mathbb{A}}2:\):

To authenticate \({\mathcal{C}}_{i}\), AS calculates: \(T{\fancyscript{i}\fancyscript{d}}_{i}=\fancyscript{h}(x||{T}_{i})\), \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*} = S{D}_{i}\oplus T{\fancyscript{i}\fancyscript{d}}_{i}\), \({{\fancyscript{i}\fancyscript{d}}_{i}}^{*} = D{\fancyscript{i}\fancyscript{d}}_{i}\oplus \fancyscript{h}({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*}|| {T}_{1}|| {T}_{i})\) and verifies \(\fancyscript{h}({{\fancyscript{i}\fancyscript{d}}_{i}}^{*})=?\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i})\)

If the above confirmation is correct, then \({\mathcal{C}}_{i}\) is a valid client; otherwise the login for authentication will be immediately terminated.

\({\mathbb{A}}3:\):

For a session, AS selects an arbitrary number δ and assesses the following:

$$\begin{aligned} {V}_{i}^{*}& =\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||x||{\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i})\\ {M}_{i}^{*} & =\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{\mathcal{V}}_{i}^{*}||{D}_{i}|| {T}_{i}|| {T}_{1})\\ {\mathcal{W}}_{i} & = {\mathcal{T}}_{\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i}^{*})(\mathrm{mod} {\fancyscript{q}}_{1})\\ SK & = {\mathcal{T}}_{\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({D}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})={\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta } ({\mathcal{V}}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})\\ {M}_{s}& =\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}|| {\mathcal{V}}_{i}^{*}||{\mathcal{W}}_{i}||SK||{T}_{2})\\ \fancyscript{s}D{\fancyscript{i}\fancyscript{d}}_{i} & = D{\fancyscript{i}\fancyscript{d}}_{i}\oplus \fancyscript{h}({\mathcal{V}}_{i}|| {T}_{2})\\ {T}_{i}^{*} & = {T}_{i}\oplus \fancyscript{h}({T}_{1}||\delta )\\ {T}_{i}^{\mathrm{new}} & = {T}_{i}^{*}\oplus \fancyscript{h}({T}_{2}|\left|{\fancyscript{i}\fancyscript{d}}_{i}\right). \end{aligned}$$

AS modifies \({SD}_{i} = {\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\oplus \fancyscript{h}(x||{T}_{i}^{*})\) in its database in response to the new timestamp \({T}_{i}^{*}\).

\({\mathbb{A}}4:\):

\(AS\to {\mathcal{C}}_{i}\) sends an access response message \(\{\fancyscript{s}D{\fancyscript{i}\fancyscript{d}}_{i}; {\mathcal{W}}_{i}; {M}_{s};{ T}_{2}; {T}_{i}^{\mathrm{new}}\}\) at period \({T}_{2}\).

\({\mathbb{A}}5:\):

\({\mathcal{C}}_{i}\) checks time validity \(({T}_{2}^{^{\prime}}- {T}_{2}) \leq \Delta t\), when receiving the account response message

$$\left({T}_{2}^{{^{\prime}}}- {T}_{2}\right)\leq \Delta t.$$

\({\mathbb{A}}6\):

If the interval of time is verified, it calculates: \(D{{\fancyscript{i}\fancyscript{d}}_{i}}^{*}=\fancyscript{s}D{\fancyscript{i}\fancyscript{d}}_{i}\oplus \fancyscript{h}({\mathcal{V}}_{i}|| {T}_{2})\),\({{\fancyscript{i}\fancyscript{d}}_{i}}^{*} = D{{\fancyscript{i}\fancyscript{d}}_{i}}^{*}\oplus \fancyscript{h}({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}|| {T}_{1}|| {T}_{i}). {\mathcal{C}}_{i}\) verifies \({{\fancyscript{i}\fancyscript{d}}_{i}}^{*} =? {\fancyscript{i}\fancyscript{d}}_{i}\) for \(\fancyscript{i}\fancyscript{d}\) verification and calculates

$$\begin{aligned}{SK}^{*} & = {\mathcal{T}}_{\alpha {b}_{i}}^{\beta }({\mathcal{W}}_{i})(\mathrm{mod }{\fancyscript{q}}_{1})= {\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i})(\mathrm{mod }{\fancyscript{q}}_{1})\\ {M}_{s}^{*} & =\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}|| {\mathcal{V}}_{i}||{\mathcal{W}}_{i}||{SK}^{*}|\left|{T}_{2}\right).\end{aligned}$$

\({\mathbb{A}}7\):

\({\mathcal{C}}_{i}\) associates the calculated \({M}_{s }^{*}\) esteem and the established \({M}_{s}\) value. If they contest, the authentication of the server will be completed; otherwise, the session will be closed immediately.

\({\mathbb{A}}8\):

\({\mathcal{C}}_{i}\) computes \({T}_{i}^{*} = {T}_{i}^{\mathrm{new}}\oplus \fancyscript{h}({T}_{2}||{\fancyscript{i}\fancyscript{d}}_{i})\), as \({\mathcal{C}}_{i}\) can deliver his/her own \({\fancyscript{i}\fancyscript{d}}_{i}\) and \({T}_{2}\).

Then, \({\mathcal{C}}_{i}\) modifies \({S}_{i}^{*} = {T}_{i}^{*}\oplus \fancyscript{h}\left({\fancyscript{i}\fancyscript{d}}_{i}\left|\left|{b}_{i}\right|\right|{\fancyscript{p}\fancyscript{w}}_{i}\right)\) in reference to the novel times fill \({T}_{i}^{*}\) in his/her SC.

\({\mathbb{A}}9\):

The framed session key SK encrypts all further communications between \({\mathcal{C}}_{i}\) and AS.

Password change stage

In this phase, without the aid of the server, \({\mathcal{C}}_{i}\) changes her/his old password \({\fancyscript{p}\fancyscript{w}}_{i}\) in the form of a new password \({\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}}\) in the form of a new password. Taking the following steps:

\({\mathcal{P}}1\):

\({\mathcal{C}}_{i}\) presents his/her SC addicted to a pass reader inters his/her deserted \(({\fancyscript{i}\fancyscript{d}}_{i},{\fancyscript{p}\fancyscript{w}}_{i})\), and chooses for an application for a password update.

\({\mathcal{P}}2\):

The SC calculates \({b}_{i}= {\mathcal{R}}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{V}}_{i} = {B}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}|| {\fancyscript{i}\fancyscript{d}}_{i})\) and \({\mathcal{A}}_{i}^{*}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i})\).

\({\mathcal{P}}3\):

Next, SC tests \({\mathcal{A}}_{i}^{*} =? {\mathcal{A}}_{i}\). If both organize not competition, the SC refuses \({\mathcal{C}}_{i}\)’s call; otherwise, the client is permissible to select a other password \({\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}}\).

\({\mathcal{P}}4\):

Now, SC calculates \({T}_{i}= {S}_{i}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{b}_{i}|| {\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{old}})\),\({B}_{i}^{*}= {\mathcal{V}}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}} ||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{A}}_{i}^{*}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}|| {\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}}||{\mathcal{V}}_{i})\), \({\mathcal{R}}_{i}^{*}= {b}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}} ||{\fancyscript{i}\fancyscript{d}}_{i})\), \({S}_{i}^{*} = {T}_{i}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{b}_{i}|| {\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}})\), and the modified values \({B}_{i}^{*}, {\mathcal{A}}_{i}^{*}, {\mathcal{R}}_{i}^{*},{ S}_{i}^{*}\) are embedded into the SC. Currently the SC includes \(\{\fancyscript{h}(.),{\fancyscript{q}}_{1}, {B}_{i}^{*}, {\mathcal{A}}_{i}^{*}, {\mathcal{R}}_{i}^{*},{ S}_{i}^{*}\}\), and \({C}_{i}\) can log in with \({\fancyscript{p}\fancyscript{w}}_{i}^{\mathrm{new}}\).

SC revocation stage

If the client has lost her/his SC, she/he will be able to revoke the missing card and reissue the same account \(\fancyscript{i}\fancyscript{d}\).

R1::

\({\mathcal{C}}_{i}\) refers his/her old \({\fancyscript{i}\fancyscript{d}}_{i}\) to AS.

R2::

AS check the \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) of \({\mathcal{C}}_{i}\) and additional individual details (e.g. PAN card, Voter card, Aadhaar card, birth information, etc.) through which \({\mathcal{C}}_{i}\) described perfectly.

R3::

AS subjects an original SC with a \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*}\) identity and calculates:\({\mathcal{V}}_{i}^{*}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||x||{\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*})\),\({T{\fancyscript{i}\fancyscript{d}}_{i}}^{*}=\fancyscript{h}(x|\left|{T}_{i}^{*}\right)\) and \({SD}_{i}^{*}= {\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*}\oplus T{{\fancyscript{i}\fancyscript{d}}_{i}}^{*}\).

R4::

AS keeps \(\{T{{\fancyscript{i}\fancyscript{d}}_{i}}^{*},\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}), S{D}_{i}^{*}\}\) in its record.

R5::

\(AS\to {\mathcal{C}}_{i}\), send an SC containing \(\{\fancyscript{h}(.),{\fancyscript{q}}_{1}, {\mathcal{V}}_{i}^{*}\}\) along with \({T}_{i}^{*}\) and \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}^{*}\) via a protected network.

R6::

After obtaining the SC, \({\mathcal{C}}_{i}\) calculates \({B}_{i}^{*}={\mathcal{V}}_{i}^{*}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{A}}_{i}^{*}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i}^{*})\), \({\mathcal{R}}_{i}= {b}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({S}_{i}={T}_{i}^{*}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||{b}_{i}||{\fancyscript{p}\fancyscript{w}}_{i})\).

R7:

Replace in place of \({V}_{i}^{*}\) with \({B}_{i}^{*}, {\mathcal{A}}_{i}^{*}, {\mathcal{R}}_{i}, {S}_{i}^{*}\) in the SC. Now the \(\{\fancyscript{h}(.),{\fancyscript{q}}_{1},{B}_{i}^{*}, {\mathcal{A}}_{i}^{*}, {\mathcal{R}}_{i},{S}_{i}^{*} \}\) includes the SC.

Security analysis in ROR model

In this segment, we analyze the projected authentication protocol from the standpoint of security analysis, including structured security under the widely recognized Real-Or-Random (ROR) model [30, 31].

Formal security using the ROR model

The object of the ROR model [30, 31] formal security analysis of the proposed authentication protocol is to show that it provides session key (SK) security against an active/passive adversary, say . The ROR model-based structured security examination has recently gained notoriety and has been used in a variety of authentication key exchange protocols [32,33,34,35]. To begin the formal security, we will go over the ROR model briefly before presenting the key proof in Theorem 1.

1. (1)

   ROR Model: The projected authentication protocol has two parties during the shared authentication and key agreement process: a server \({AS}_{j}\) and a client \({\mathcal{C}}_{\fancyscript{i}}\). The following sections go through the main components of the ROR model for the proposed authentication protocol.

   a: Participants: \({\mathcal{I}}_{{\mathcal{C}}_{\fancyscript{i}}}^{\fancyscript{c}}\) and \({\mathcal{I}}_{{ AS}_{j}}^{\fancyscript{s}}\) are represented as the illustrations \(\fancyscript{c}\) and \(\fancyscript{s}\) of \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\), respectively. The oracles are another name for these.

   b: Accepted state: After receiving the final message, placed the instance \({\mathcal{I}}^{t}\) in the accept state. The accepted state is then referred to as \({\mathcal{I}}^{t}\). All contact messages, including those sent and received by \({\mathcal{I}}^{t}\), form the session identification for \({\mathcal{I}}^{t}\) for the existing session if they are arranged in order.

   c: Partnering: If the subsequent three circumstances are met instantaneously, the instances \({\mathcal{I}}^{\fancyscript{c}}\) and \({\mathcal{I}}^{\fancyscript{s}}\) are considered partners: (1) they are in an accept state, (2) they mutually authenticate between themselves and share the same session identity, and (3) they are reciprocal associates of each other.

   d: Freshness: We refer to \({\mathcal{I}}_{{\mathcal{C}}_{\fancyscript{i}}}^{\fancyscript{c}}\) or \({\mathcal{I}}_{{ AS}_{j}}^{\fancyscript{s}}\) as fresh if the SK formed among \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\) is not leaked through the reveal oracle Reveal described below.

   e: Adversary: In the ROR model, an opponent is modeled using the widely known Dolev-Yao (DY) threat model, as defined in [SB-IEEE ACC]. According to the DY model, \({\mathcal{A}}\) can intercept, alter, delete, or even inject any or entirely messages exchanged among the cooperative players \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\) using the following queries.

   Execute \(\left({\mathcal{I}}^{\fancyscript{c}}, {\mathcal{I}}^{\fancyscript{s}}\right)\): This inquiry apparatuses a snooping attack that consents \({\mathcal{A}}\) to recite the messages exchanged among \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\).

   Send \(\left({\mathcal{I}}^{t}, M\right)\): This query implements an active attack in which \({\mathcal{A}}\) sends a message M to a participant instance \({\mathcal{I}}^{t}\) and receives a response from \({\mathcal{I}}^{t}\) in return.

   Reveal (\({\mathcal{I}}^{t}\)): \({\mathcal{A}}\) can find out the session key SK formed among \({\mathcal{I}}^{t}\) and its partner in the current session using this inquiry.

   Corrupt Smart Card \(\left({\mathcal{I}}_{{\mathcal{C}}_{\fancyscript{i}}}^{\fancyscript{c}}\right)\): This inquiry is showed as an active attack, in which \({\mathcal{A}}\) uses power analysis attacks to retrieve all of the sensitive secret information contained in its memory [36, 37].

   Test \(\left({\mathcal{I}}^{t}\right)\): Formerly, the game starts, an impartial coin ς is flipped, and the result is used as a decider in this query. Allow to run this inquiry. If the shared session key \(SK\) among \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\) is valid, \({\mathcal{I}}^{t}\) returns SK when \(\varsigma =1\) and an arbitrary number when \(\varsigma =0\). Else, a null value \(\left(\perp \right)\) is returned.

   We restrict \({\mathcal{A}}\) in this formal security review to only allow a limited number of Corrupt Smart Card \(\left({\mathcal{I}}_{{\mathcal{C}}_{\fancyscript{i}}}^{\fancyscript{c}}\right)\) queries. \({\mathcal{A}}\), on the other hand, is allowed to run an infinite number of Test \(\left({\mathcal{I}}^{t}\right)\) queries.

   f: Semantic security: It is required by semantic security that \({\mathcal{A}}\) is unable to distinguish the real SK session key from a random number. The performance of Test (\({\mathcal{I}}^{t}\)) is compared to a random bit \(\varsigma \) for consistency checking. Let \({\varsigma }^{^{\prime}}\) be \({\mathcal{A}}\)'s guessed bit, and \(\text{Succ}\) be the game's winning probability. The advantage of a polynomial time \(\fancyscript{t}\) adversary \({\mathcal{A}}\) in breaking the proposed authentication protocol's session key (SK) security, say \(\fancyscript{p}\), is described as \({\mathrm{Adv}}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)=\left|2.\mathrm{Pr}\left[\mathrm{Succ}\right]-1\right|=\left|2.Pr\left[{\varsigma }^{^{\prime}}=\varsigma \right]-1\right|\), where \(\mathrm{Pr}\left[Y\right]\) represents the probability of an incident Y.

   g: Random oracle: We usage the one-way hash function \(\fancyscript{h}\left(\bullet \right)\) in our protocol, which is open to all participants, including adversary . \(\fancyscript{h}\left(\bullet \right)\) is modeled as a random oracle, say \(\fancyscript{h}\).

2. (2)

   Security proof

   Theorem 1 gives the SK protection of the proposed authentication protocol under the ROR model.

Theorem 1

Let \({Adv}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)\) be the polynomial-time \(\fancyscript{t}\)-adversary's function in breaking the proposed protocol \(\fancyscript{p}\)'s SK security. After that,

$${Adv}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)\le \left(\frac{{2\mathcal{Q}}_{s}}{{2}^{\fancyscript{l}}.\left|\eta \right|}+\frac{{\mathcal{Q}}_{\fancyscript{h}}^{2}}{\left|\fancyscript{h}\right|}\right),$$

where \({{\mathcal{Q}}_{\fancyscript{h}}}_{, },\fancyscript{l},{\mathcal{Q}}_{s},\left|\eta \right|\) and \(\left|\fancyscript{h}\right|\) represent the number of \(\fancyscript{h}\)-queries, bits in the private key, Send queries, the size of a uniformly distributed password dictionary \( \eta \), and the range space of the hash function \(\fancyscript{h}\left(\bullet \right)\), respectively.

Proof

This theorem uses a formal security proof close to those found in [32,33,34,35]. In this proof, we need the following four games i.e., \({\mathcal{G}}_{{m}_{j}}\left(j=0, 1, 2, 3\right)\). We represent \({\mathrm{Succ}}_{{\mathcal{G}}_{{m}_{j}}}^{\mathcal{A}}\) as an incident in which the \(\mathcal{A}\) adversary can win the \({\mathcal{G}}_{{m}_{j}}\) game. Additionally, \({\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{j}}}^{\mathcal{A}}=\mathrm{Pr}\left[{ \mathrm{Succ}}_{{\mathcal{G}}_{{m}_{j}}}^{\mathcal{A}}\right]\) denotes and defines \(\mathcal{A}\)‘s advantage in winning \({\mathcal{G}}_{{m}_{j}}.\)

• Game \({\mathcal{G}}_{{m}_{0}}\): Bit ς is chosen first in the initial game \({\mathcal{G}}_{{m}_{0}}\) by a polynomial-time \(\fancyscript{t}\) adversary \(\mathcal{A}\). Since the \({\mathcal{G}}_{{m}_{0}}\) and the ROR's actual procedure are virtually identical, it follows that

  $${\mathrm{Adv}}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)=\left|2.{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{0}}}^{\mathcal{A}}-1\right|.$$

  (4)

• Game \({\mathcal{G}}_{{m}_{1}}\): In the game, the eavesdropping attack is carried out by \(\mathcal{A}\), who uses the Execute query. After the game is over, \(\mathcal{A}\) invokes the Test query. Notice that the Test query's output serves as a decider between a real SK and a random number in a session. The SK creation is as follows. \(A{S}_{j}\) calculates the \(SK ={\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta } ({\mathcal{V}}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})\) shared with \({\mathcal{C}}_{\fancyscript{i}}\), where \({\mathcal{V}}_{i}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}||x||{\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i})\) and the same SK calculated by \({\mathcal{C}}_{\fancyscript{i}}\) is shared with \({ AS}_{j}\) as \({SK}^{*} = {\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i}^{*})(\mathrm{mod} {\fancyscript{q}}_{1})\left(=SK\right)\). Presume \(\mathcal{A}\) interrupts message \({M}_{s}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}|| {\mathcal{V}}_{i}^{*}||{\mathcal{W}}_{i}||SK||{T}_{2})\). The long-term secrets \({\fancyscript{i}\fancyscript{d}}_{i}\), \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\) and \({\mathcal{W}}_{i}\) are needed for the computation of the SK by \(\mathcal{A}\). The probability of winning game \({\mathcal{G}}_{{m}_{1}}\) by intercepting messages \({M}_{s}\) is not augmented without these secret identifications. We have the following since both games \({\mathcal{G}}_{{m}_{0}}\) and \({\mathcal{G}}_{{m}_{1}}\) are virtually indistinguishable:

  $${\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}={\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{0}}}^{\mathcal{A}}.$$

  (5)

• Game \({\mathcal{G}}_{{m}_{2}}\): In this game, the Send and \(\fancyscript{h}\)-queries are simulated. This game is modeled as an active attack, in which \(\mathcal{A}\) tries to calculate the SK among \({\mathcal{C}}_{\fancyscript{i}}\) and \({AS}_{j}\) by intercepting the message \({M}_{s}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}|| {\mathcal{V}}_{i}^{*}||{\mathcal{W}}_{i}||SK||{T}_{2})\). The random numbers \(\alpha ,\beta \) and \(\delta \), as well as the current time stamp \({T}_{2}\), are included in the messages \({M}_{s}\). As a consequence, when \(\mathcal{A}\) makes \(\fancyscript{h}\) queries on these interrupted messages, there is no collision in hash yields. Due to the collision resistant possessions of the one-way hash function \(\fancyscript{h}\left(\bullet \right)\), computing the long-term secrets \({\fancyscript{i}\fancyscript{d}}_{i}\), \({\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i}\) and \({\mathcal{W}}_{i}\), as well as the short-term secrets \(\alpha ,\beta \) and \(\delta \), is computationally unfeasible. Since the \({\mathcal{G}}_{{m}_{2}}\) game is comparable to the \({\mathcal{G}}_{{m}_{1}}\) game when the simulation of Send and \(\fancyscript{h}\)-queries is not involved, the birthday paradox outcomes are as follows:

  $$\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{2}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}\right|\le \frac{{\mathcal{Q}}_{\fancyscript{h}}^{2}}{2\left|\fancyscript{h}\right|}.$$

  (6)

• Game\({\mathcal{G}}_{{m}_{3}}\): The Corrupt Smart Card query is simulated in this game. Consequently, \(\mathcal{A}\) has the secret identifications \(\{\fancyscript{h}(.),{\fancyscript{q}}_{1},{B}_{i}^{*}, {\mathcal{A}}_{i}^{*}, {\mathcal{R}}_{i},{S}_{i}^{*} \}\) from \({\mathcal{C}}_{i}^{^{\prime}}\) smart card\(SC\)’s memory, where\({B}_{i}^{*}={\mathcal{V}}_{i}^{*}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), \({\mathcal{A}}_{i}^{*}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{i}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i}^{*})\),\({\mathcal{R}}_{i}= {b}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{i})\), and\({S}_{i}={T}_{i}^{*}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{i}{||b}_{i}||{\fancyscript{p}\fancyscript{w}}_{i})\). It is computationally impossible to derive the \(x\) private key and the password \({\fancyscript{p}\fancyscript{w}}_{i}\) of client \({\mathcal{C}}_{\fancyscript{i}}\) without the secret credentials \({b}_{i}\) and\({\mathcal{V}}_{i}\). The guessing probability of \(x\in {\left\{\mathrm{0,1}\right\}}^{\fancyscript{l}}\) by \(\mathcal{A}\) is approximately \(\frac{1}{{2}^{\fancyscript{l}}}\) [38], assuming \(x\) is \(\fancyscript{l}\) bits. Furthermore, it is believed that the opponent \(\mathcal{A}\) will be allowed to enter a limited number of incorrect passwords. When guessing attacks and password are not involved, the games \({G}_{{m}_{2}}\) and \({G}_{{m}_{3}}\) are similar. As a result, we arrive at the following conclusion:

  $$\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{3}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{2}}}^{\mathcal{A}}\right|\le \frac{{\mathcal{Q}}_{s}}{{2}^{\fancyscript{l}}.\left|\eta \right|}.$$

  (7)

Due to the fact that all the games have been completed, \(\mathcal{A}\) can only guess the accurate ς bit. After that, it follows that

$${\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{3}}}^{\mathcal{A}}=\frac{1}{2}.$$

(8)

The following is the consequence of Eqs. (4), (6), and (7):

$$\begin{aligned}\frac{1}{2}{\mathrm{Adv}}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)&=\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{0}}}^{\mathcal{A}}-\frac{1}{2}\right|\\ & =\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}-\frac{1}{2}\right|\\ & =\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{3}}}^{\mathcal{A}}\right|. \end{aligned}$$

(9)

The triangular inequality yields the following result:

$$\begin{aligned} \left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{3}}}^{\mathcal{A}}\right|& \le \left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{1}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{2}}}^{\mathcal{A}}\right|+\left|{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{2}}}^{\mathcal{A}}-{\mathrm{Adv}}_{{\mathcal{G}}_{{m}_{3}}}^{\mathcal{A}}\right|\\ & \le \frac{{\mathcal{Q}}_{\fancyscript{h}}^{2}}{2\left|\fancyscript{h}\right|}+\frac{{\mathcal{Q}}_{s}}{{2}^{\fancyscript{l}}.\left|\eta \right|}.\end{aligned}$$

(10)

The following is the consequence of Eqs. (9) and (10):

$$\frac{1}{2}{\mathrm{Adv}}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)\le \left(\frac{{\mathcal{Q}}_{\fancyscript{h}}^{2}}{2\left|\fancyscript{h}\right|}+\frac{{\mathcal{Q}}_{s}}{{2}^{\fancyscript{l}}.\left|\eta \right|}\right).$$

(11)

Finally, by multiplying the factor of 2 on both sides of Eq. (8) and simplifying the equations, we get the required result:

$${\mathrm{Adv}}_{\fancyscript{p}}^{\mathcal{A}}\left(\fancyscript{t}\right)\le \left(\frac{{2\mathcal{Q}}_{s}}{{2}^{\fancyscript{l}}.\left|\eta \right|}+\frac{{\mathcal{Q}}_{\fancyscript{h}}^{2}}{\left|\fancyscript{h}\right|}\right).$$

Other security examination and discussion of the proposed protocol

We show in this segment that the proposed protocol is free from the below detailed attacks. Also, we demonstrate that it is not enough to deliver client anonymity and control of the password by the client.

Proposition 5.1

The proposed protocol could withstand round and stolen/lost SC round by the off-line /on-line key guessing.

Proof

Several researchers claimed that the information stored in the SC might be segregated in a variety of ways, including file structure with secret keys and encryption methods, power usage analysis, and so on [11,12,13, 43,44,45,46,47]. Assume that an attacker E robs \({\mathcal{C}}_{i}\) of her/his SC and collect data\(\{\fancyscript{h}(.),{\fancyscript{q}}_{1}, {\mathcal{A}}_{i}, {B}_{i}, {\mathcal{R}}_{i}, {S}_{i}\}\), where\({B}_{i}= {\mathcal{V}}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), \({\mathcal{A}}_{i}=\fancyscript{h}({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i})\), \({\mathcal{R}}_{i}= {b}_{i}\oplus \fancyscript{h}({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), and \( {S}_{i}={T}_{i}\oplus \fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||{b}_{i}||{\fancyscript{p}\fancyscript{w}}_{i})\). Even the attacker E cannot determine the password of \({\mathcal{C}}_{i}\) from the above calculations, because he/she does not have \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}, {\fancyscript{p}\fancyscript{w}}_{i},{\mathcal{V}}_{i}\) and \({b}_{i}\). If the attacker had all the required standards excluding for \({\fancyscript{p}\fancyscript{w}}_{i}\) suddenly, then there may remain a small casual to guess it appropriately. However, it is not feasible to guess more than one worth at the same time (i.e\(. ({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), or \(({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), or (\({b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i}\)). As a result, we can say that our approach protected against off-line password guessing's round and stolen/lost SC attacks.

In a round that guessing online password, the attacker challenges to log in to the database by adding one phrase after additional starting a dictionary in an effort to contest the client’s login \(\fancyscript{s}{\fancyscript{i}\fancyscript{d}}_{i}\) as well as \(\fancyscript{p}\fancyscript{w}\). This type of round is essentially not practical, because the task of estimating a solitary worth within the polynomial time (i.e., \(\Delta t\)) is usually deliberated difficult, let unaided when there are more than one parameter to handle at the same time (e.g., \(({\fancyscript{p}\fancyscript{w}}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), or \(({\fancyscript{p}\fancyscript{w}}_{i}||{b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}})\), or \({(b}_{i}||{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||{\fancyscript{p}\fancyscript{w}}_{i}||{\mathcal{V}}_{i}\)). The attacker is only allowed three trials in total, and if all three fails, the SC will be locked up. Consequently, the online \(\fancyscript{p}\fancyscript{w}\) solving occurrence can touch our procedure.

Proposition 5.2

The presented protocol protected against known key attacks using session-specific random numbers.

Proof

In particular, a common session key SK will exchange by the server and client pair for all terms. To deliver adequate defense beside the identified key occurrence, we must confirm that the novel SK can never extracted from earlier session keys. That is, we remain need to confirm the security of forthcoming and/or former session keys with one SK exposed somewhere. In presented protocol, if the \(SK= {\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})\) would leakage out of a current session, the attacker will still not be able to use this information to disclose other SKs since the session-specific random numbers \(\alpha ,\delta \) are unlike for changed sittings as well as \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) and \({b}_{i}\) are unknown.

Proposition 5.3

The presented protocol can avoid the attack on the restate.

Proof

This type of round chances when an invader tries to sign in to the database by referring communications previously trapped between the legal client and the server. Because the SC of the client and the server will utilize the current timestamps \({T}_{1}\) and \({T}_{2}\) in all inventive assemblies, the values of \({M}_{i}, D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\), and \({M}_{s}\) will be dynamic in our procedure, there will be no effort in relaying messages from one assembly to another. \({T}_{i}\) Value is also variable in each session and will modify in both the storage of the server and the SC of the client. Our presented protocol therefore protected in contradiction of the attack of the message replay.

Proposition 5.4

The proposed protocol could withstand the attack of forgery/modification and the attack of the masquerade client/server.

Proof

Assume an attacker had some communications interrupted among the user and the server (e.g. authentication and login information) and now has \(\{D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}, {D}_{i},{M}_{i}, {T}_{i}, {T}_{1}\}\) and\(\{ D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}; {\mathcal{W}}_{i}; {M}_{s}; {T}_{2}; {T}_{i}^{\mathrm{new}}\}\), where \({M}_{i}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||{\mathcal{V}}_{i}||{D}_{i}|| {T}_{i}|| {T}_{1})\) and \({M}_{s}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}|| {\mathcal{V}}_{i}^{*}||{\mathcal{W}}_{i}||SK||{T}_{2})\). Because he/she lacks \({\mathcal{V}}_{i}\), the attacker E is unable to interfere with \({M}_{i}\) and \({M}_{s}\). As a result, we can state that our protocol is secure from modification/forgery attacks. To impersonate a server, an attacker E must appropriately frame a login request message \(\{D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}, {D}_{i},{M}_{i}, {T}_{i},{T}_{1}\}\). To be able to frame \(D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}} = {\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\oplus \fancyscript{h}(\fancyscript{s}{\fancyscript{i}\fancyscript{d}}_{i} || {T}_{1}|| {T}_{i}) ,\) an attacker must have \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) and \(\fancyscript{s}{\fancyscript{i}\fancyscript{d}}_{i}.\) Such two values, however, are unidentified to E. This indicates that presented protocol is secure from a masquerade attack on the server. To imitate a server, the attacker must create a login answer message that includes\(\{\fancyscript{s}D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}; {\mathcal{W}}_{i}; {M}_{s}; {T}_{2}; {T}_{i}^{\mathrm{new}}\}\). The attacker must have \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) and \({\mathcal{V}}_{i}\) to frame \(\fancyscript{s}D{\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\), \({\mathcal{W}}_{i}\) and \({M}_{s}\). The attacker, on the other hand, is completely oblivious of these two principles. This demonstrates that presented protocol can thwart a database masquerade attack.

Proposition 5.5

The presented protocol could withstand the session's detection of a temporary information attack.

Proof

Let's examine whether an attacker could cooperation the session-specific random numbers \((\alpha , \delta )\) that are chosen by AS and \({\mathcal{C}}_{i}\). In this situation, the session key \(SK ={\mathcal{T}}_{\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta } \left({D}_{i}\right)\left(\mathrm{mod} {\fancyscript{q}}_{1}\right)\)(or) \({\mathcal{T}}_{\alpha .{ b}_{i}}^{\beta }\left({\mathcal{W}}_{i}\right)\left(\mathrm{mod} {\fancyscript{q}}_{1}\right)\)(or) \({\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})\) has not yet been accessed by an attacker. An attacker may be able to get a public communication channel from \({D}_{i}\) or \({\mathcal{W}}_{i}\) over, but in order to frame SK, he/she requests to have either \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\), or \({b}_{i}\), or \({\mathcal{V}}_{i}\), which she/he does not have, sideways with \(\delta ,\alpha \). In this sense, we can say that our protocol prevents the known session-specific temporary information attack.

Proposition 5.6

The proposed protocol maintains perfect forward secrecy for the security of the session key.

Proof

To say that this feature is in our protocol, we must prove that no session keys are uncovered even if some attacker E knows the server's private key \(x\). The following fact demonstrates this: In our protocol, \(SK= {\mathcal{T}}_{\alpha {b}_{i}\delta {\fancyscript{i}\fancyscript{d}}_{i}}^{\beta }({\mathcal{V}}_{i})(\mathrm{mod} {\fancyscript{q}}_{1})\), where \({\mathcal{V}}_{i}=\fancyscript{h}({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}||x||{\fancyscript{s}\fancyscript{i}\fancyscript{d}}_{i})\) is generated by \({\mathcal{C}}_{i}\) and AS in our protocol. An attacker E is unable to extract SK from the overheard note \(\left\{{D}_{i}, {\mathcal{W}}_{i}\right\}\) even though \(x\) is on hand, since E does not have \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) and \({b}_{i}\) at all.

Proposition 5.7

The proposed procedure grants the user anonymity.

Proof:

The anonymity of the user guarantees that the \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) identity of a client like \({\mathcal{C}}_{i}\) is appropriately secured so that no attacker has access to it and can connect it to passwords. In our proposed protocol, the client's \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\) tremendous communicated over a community message network, so the attacker E has no mode to get anywhere near tremendous \({\fancyscript{i}\fancyscript{d}}_{\mathrm{i}}\). In other words, only the login message contains the user’s identity in the proposed protocol. The login message, on the other hand, is encrypted with the server’s public key, whose security is based on the hardness of conformal Chebyshev chaotic maps. As a result, the login message cannot be used to determine the user's identity. In addition, the login message contains a random number that is different for each session. As a result, an attacker will be unable to determine the connection between transmitted login messages. The user's anonymity is ensured by the unlinkability and encryption of the login message. This means that the conditions for client anonymity fulfilled by the recent procedure.

Contrast with other protocols with experimental complexity evaluation

In this section, we will compare our presented authentication protocol with five other protocols introduced by Chen et al. [5], Song et al. [9], Sood et al. [10], Li et al. [15], Islam [16], Reddy et al. [48], Moon et al. [49] and Pan et al. [50], respectively, to demonstrate the security performance (see Table 2) and efficiency of our new design. Notations used to present our evaluation results include \({\mathbbm{t}}_{ec}, {\mathbbm{t}}_{m,}{\mathbbm{t}}_{s, }, {\mathbbm{t}}_{e}\),\({\mathbbm{t}}_{c}\), and \({\mathbbm{t}}_{h}\), which to represent the execution time essential for elliptic curve scale multiplication, modular multiplication, symmetric encryption/decryption operation, group modular exponentiation, chaotic map operation, and one-way hash function in the password change, authentication, registration and login, phases. Please note that only phases of password change, registration, authentication and login are the dominant processes which need more computing possessions compared to the extraction phase and the setup phase. Therefore, in our computational cost comparison, we concentrate only on the phases of login, registration, password change and authentication as we contrast our current authentication protocols with the work of Chen et al. [5], the work of Song et al. [9], the work of Sood et al. [10], the work of Li et al. [15], the work of Islam [16], the work of Reddy et al. [48], the work of Moon et al. [49] and the work of Pan et al. [50]. The functionality analysis of the proposed protocol is shown in Table 3 with other related protocols [5, 9, 10, 15, 16]. Table 3, Figs. 4, and 5 show how our novel approach compares in terms of computing costs to similar techniques [5, 9, 10, 15, 16, 48,49,50]. Based on the experimental findings in [51,52,53], we reach at the following computation time figures with unit hashing time: \({\mathbbm{t}}_{e}= 600{\mathbbm{t}}_{h}\), \({\mathbbm{t}}_{m}=2.5{\mathbbm{t}}_{h}, {\mathbbm{t}}_{ec}=72.5{\mathbbm{t}}_{h} ,{\mathbbm{t}}_{s}= {\mathbbm{t}}_{h}\) and \({\mathbbm{t}}_{h}={\mathbbm{t}}_{c}\). In this method, we obtain the following order of computational complexity: \({\mathbbm{t}}_{h}\approx {\mathbbm{t}}_{c}\approx {\mathbbm{t}}_{s}<{\mathbbm{t}}_{m}<{\mathbbm{t}}_{ec}<{\mathbbm{t}}_{e}\). By the way, we know that 0.503 ms [51] is running time of\({\mathbbm{t}}_{h}\). The total communication costs of the work of Chen et al. [5], the work of Song et al. [9], the work of Islam [16], the work of Sood et al. [10], the work of Li et al. [15], the work of Pan et al. [50], the work of Reddy et al. [48] and the work of Moon et al. [49] and the proposed protocol are 2723.48 ms, 1815.35 ms, 2117.65 ms, 2721.25 ms, 3929.45 ms, 160.48 ms, 48.06 ms, 159.47 ms and 20.65 ms, respectively. The suggested protocol has by far the lowest interaction value, as evidenced by the study findings in Fig. 5. The proposed protocol frequently results in tests that outperform the rest of the protocols in terms of runtime.

Table 2 Functionality examination with other different protocols of the proposed protocol

Table 3 Computational cost analysis of the planned protocol with other related protocols

Fig. 4

Communication costs (ms) in different phases

Fig. 5

Total communication costs (ms)

Conclusion

In this paper, we proposed an effective remote user password authentication protocol based on CCM using smart card, where the client can get relief from several types of attacks. The projected protocol is more efficient, has reduced computing costs, and, most importantly, provides a higher level of security for smart card-based password authentication. The ROR model is also used to demonstrate the security evaluation of our proposed protocol. However, the other security and applied features of the proposed authentication protocol are examined. The proposed protocol is a more suitable and stable authentication protocol for genuine use compared to previous protocols. In the future, we plan to provide a security framework for CCM-based authentication and key agreement protocols, as well as develop authentication protocols using this mechanism. When establishing security protocols, we will also look into privacy protection and the most effective approach for client authentication and key agreement.