Paper 2023/915

Attribute-based Single Sign-On: Secure, Private, and Efficient

Tore Kasper Frederiksen, Zama Inc.
Julia Hesse, IBM Research - Zurich
Bertram Poettering, IBM Research - Zurich
Patrick Towa, Aztec Network

A Single Sign-On (SSO) system allows users to access different remote services while authenticating only once. SSO can greatly improve the usability and security of online activities by dispensing with the need to securely remember or store tens or hundreds of authentication secrets. On the downside, today's SSO providers can track users' online behavior, and collect personal data that service providers want to see asserted before letting a user access their resources. In this work, we propose a new policy-based Single Sign-On service, i.e., a system that produces access tokens that are conditioned on the user's attributes fulfilling a specified policy. Our solution is based on multi-party computation and threshold cryptography, and generates access tokens of standardized format. The central idea is to distribute the role of the SSO provider among several entities, in order to shield user attributes and access patterns from each individual entity. We provide a formal security model and analysis in the Universal Composability framework, against proactive adversaries. Our implementation and benchmarking show the practicality of our system for many real-world use cases.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. PoPETS 2023
SSOMPCthreshold cryptographyidentity management
Contact author(s)
tore frederiksen @ zama ai
JHS @ zurich ibm com
POE @ zurich ibm com
patrick towa @ gmail com
2023-06-14: approved
2023-06-12: received
See all versions
Short URL
Creative Commons Attribution-NonCommercial-NoDerivs


      author = {Tore Kasper Frederiksen and Julia Hesse and Bertram Poettering and Patrick Towa},
      title = {Attribute-based Single Sign-On: Secure, Private, and Efficient},
      howpublished = {Cryptology ePrint Archive, Paper 2023/915},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.