Seminario: "Towards Efficient Privacy-Preserving Single-Sign On" - Octavio Pérez Kempner

Seminario della serie "Seminari CrypTO", in collaborazione con Telsy SpA, centro di competenza in crittografia e cybersecurity del Gruppo TIM che opera nel perimetro di TIM Enterprise

"Towards Efficient Privacy-Preserving Single-Sign On"
Octavio Pérez Kempner
NTT Social Informatics Laboratories

Venerdì 26 Settembre 2025 - ore 11:30
Aula Seminari - Dipartimento di Scienze Matematiche
Politecnico di Torino

Abstract:

Single Sign-On (SSO) is one of the most widely used mechanisms for user authentication on the web. It provides a highly convenient and secure alternative to password-based logins, as users do not need to maintain long-term credentials for every service provider (Relying Party, or RP). Instead, a central Identity Provider (IdP) mediates authentication.

While SSO offers convenience, it raises serious privacy concerns: the IdP is involved in every login and thus learns which RPs the user is accessing. To mitigate this, recent works (PoPETs ’23, ’25) introduced privacy-preserving SSO protocols that build on ideas from anonymous credentials. These techniques enable users to authenticate towards authorized RPs without revealing their identity, and without exposing the RP’s identity to the IdP. A central tool here are oblivious pairwise pseudonyms, which allow the IdP to issue unlinkable per-RP pseudonyms for each user. Despite this progress, existing approaches remain vulnerable: if both the IdP and an RP are compromised, they can still collude to de-anonymize users.

In this talk, I will present our work on strengthening privacy in SSO by achieving forward-secure unlinkability. Concretely, even if the IdP’s key is later compromised, previously issued pseudonyms remain unlinkable to the user. To make this possible, we extend the plain SSO model minimally: users maintain a lightweight secret key, which is jointly used with the IdP to compute pseudonyms in a distributed manner. Beyond improving privacy, we also focus on efficiency and deployability. By tailoring the protocol to the fact that only the IdP verifies user authentication, we can eliminate pairings and rely solely on standard elliptic-curve operations. This reduces computational costs by factors of 3 (for the IdP) and 5 (for the RP), and cuts communication overhead by half.
This talk will therefore give an accessible overview of anonymous authentication and how it underpins privacy-preserving SSO, before presenting our new contributions towards making such protocols both more efficient and more private.