Security and Performance of Single Sign-On Based on One-Time Pad Algorithm

Abstract: Single sign-on (SSO) techniques allow access control for multiple systems with a single login. The aim of our study is to construct an authentication algorithm that provides the authentication information of a user to a requester without requiring any specific token, thereby achieving domain-free access control. In this study, we propose an authentication algorithm for SSO based on a verifiable encryption (VE)-based authentication algorithm and its implementation. VE is a kind of cryptosystem that allows calculation on cyphertexts, generating an encrypted result that, when decrypted, matches the distance between the two plaintexts. In our approach, we first construct the mathematical SSO algorithm based on the VE-based algorithm, and then implement the algorithm by applying the one-time pad and using sample data. We also consider robustness against theoretical attacks. Our algorithm is robust against the well-known classical and theoretical attacks, and a man-in-the-middle attack against the proposed algorithm is also impracticable. Furthermore, a security analysis using ProVerif shows the algorithm to be secure. The execution speed is less than 1 ms even with a text length of 8192 bits. Based on our results, the computational burden of trusted third parties, such as a certificate authority, can be alleviated because no public-key agreement is required in our algorithm. Moreover, since only the authentication information is disclosed to the service provider, Big Tech companies such as GAFA cannot obtain personal information of the user without consent. As for the originality of our algorithm, any personal information, such as biometric information or a contactless magnetic IC card number, in addition to the ID and password pair used by common SSO algorithms, can be used.


Introduction
According to the 2019 mid-year estimates of the world internet usage and population statistics, there are more than 4.5 billion internet users in the world, and this number is persistently increasing [1]. From 2000 to 2019, the number of internet users increased by 1157%; this significant increase in the number of users can also be attributed to the remarkable developments in network technologies.
In general, a system or device accepts or rejects a user's request for a network service by first verifying the user's identity when it receives the request. In a traditional electronic system or device, the validity of a service request is verified by checking whether the ID and password pair provided by the user matches the stored ID and password information. This identity verification process is called authentication, which refers to the act of checking whether the identity provided by Alice is the same as the identity of Alice held by Bob. Here, Bob is called a verifier, while Alice is called a prover. SSO offers the following benefits:
1. Reduces help desk costs;
2. Improves customer satisfaction;
3. Boosts productivity;
4. Improves compliance and security capabilities;
5. Facilitates B2B collaboration.
As a first benefit, with SSO users do not need to assign and remember passwords for a plurality of systems and services. Reference [4] states that up to 50% of the inquiries to a service provider's help desk are password resets alone. To counter threats such as unauthorized access to data and personal information, some companies require complex and long passwords as part of their security policy. Today's users access many applications and must enter an ID and a long, complex password many times per day to log in; that is, they are required to remember a large number of long and complex passwords. SSO reduces the chance that users forget their password and consequently decreases the temporal and financial costs of password-related issues, such as account lockout due to forgotten passwords or incorrect entries, and password assistance. The next benefit is improved customer satisfaction. According to [4], many sites providing SSO, such as social networking services, value user experience and have a user-friendly login process. SSO is designed to improve the login experience with a quick and simple process. Moreover, SSO reduces the number of long and complex passwords entered during login and the number of help desk requests when users make a mistake, thus reducing user wait time. As a result, SSO boosts productivity, which is the third benefit. Businesses encourage employees to use security applications, such as secure file transfer systems, to protect sensitive data. In practice, these applications are underutilized because users find them too complicated. Since SSO reduces the hassle of logging in, it can help encourage employees to adhere to the security policies of their organizations. Moreover, SSO reduces password reuse and the use of easily guessable passwords.
Hence, SSO helps improve compliance and security capabilities. Facilitation of B2B collaboration is the last benefit. Using SSO technologies, companies can centralize and simplify the management of authentication and authorization. Moreover, users log in once and then simply and quickly access any participating partner's shared applications.
According to [5][6][7], there are four primary architectures for Web SSO; these are listed in Table 1. In the token-based SSO approach, tokens and tickets are distributed between the interacting parties once user authentication based on user credentials (an ID and password pair) succeeds. There are two types of token-based SSO implementations, namely the Kerberos authentication protocol and cookie-based SSO. In the former case, an authentication ticket is transported using a remote procedure call (RPC), which allows a program to execute procedures and subroutines residing in another address space; see [8,9] for details. In contrast, in the server-side credential caching approach, all credentials are stored in a central repository, and a cache is also maintained on the server side. There are several SSO implementations depending on the network environment and requirements. Commonly used SSO implementations are Kerberos [8,9], the security assertion markup language (SAML) [10] and OpenID [11]. OAuth [12] is another well-known SSO technology; however, OAuth is not considered in this paper because it focuses on authorization rather than authentication. Kerberos is an authentication method in which the user is authenticated with the ID and password only the first time and thereafter uses an identity certificate called a ticket. In Kerberos authentication, if the user sends the correct ID and password and succeeds in authentication, the user receives a ticket. The server of the service provider decides whether to allow or reject the user by checking whether the user holds a ticket. SAML is an XML-based markup language for security assertions and provides three types of statements: authentication, attribute and authorization decision.
In SAML, the user identifiers at the identity provider and the service provider need to correspond to each other before the SSO process, where the identity provider is a trusted entity that issues or registers a user's identity. Thus, SAML requires a trust relationship to be established between the identity provider and the service provider. OpenID is an authentication method that allows common ID information to be used on various websites. It provides only authentication information, in contrast with SAML, which handles authentication, authorization and attribute information. A server provided by a Big Tech company such as GAFA serves as both identity provider and service provider and provides authentication to other service providers. Here, Big Tech refers to the largest and most dominant companies in the information technology industry. Moreover, OpenID differs from SAML in that no trust relationship is pre-established between the identity provider and the service provider, and it does not need security tokens such as assertions.
However, according to the survey in [13], a certain number of people refuse or hesitate to use Web SSO. One reason may be that they are hesitant to disclose their personal information. In fact, [14] regards it as a problem that governments and companies collect personal information to monitor personal lives without the permission of individuals. For example, personal information of SSO users (search history, purchase history, etc.) may be disclosed to SSO providers and used for marketing, or for advertisements posted in web browsers, without user permission. Such issues are called consent management issues. Since many SSO mechanisms require the user to provide an ID and password directly, [6] regards this as problematic, because many people also have the impression that sensitive personal information is stored somewhere locally by the mechanism. Although various SSO products currently exist, unified rules and verification regarding security have not been achieved (see [15][16][17][18]). Therefore, an SSO algorithm in which personal information can be used only for authentication, as originally intended, while maintaining security is required.
The aim of this study is to construct an SSO algorithm that provides only authentication information, without disclosing the user's identity or sensitive personal information to the service provider. We propose an authentication algorithm based on verifiable encryption, a type of cryptosystem that allows calculation in the space of cyphertexts and returns an encrypted result representing the distance between two plaintexts. The SSO algorithm is constructed by applying a one-time pad to the VE-based authentication algorithm proposed in our previous paper [19]. Neither the VE-based authentication algorithm nor the algorithm proposed in this paper needs to store any personal information in local storage. Moreover, many kinds of user identity, such as biometric information and unique numbers, can be applied both to the VE-based authentication algorithm and to the algorithm proposed in this paper, without restricting the usable personal information to an ID.
The structure of this paper is as follows. In Section 2, we describe our methodology. In Section 3, we define a cryptosystem and verifiable encryption, present the VE-based authentication algorithm, and then construct the SSO algorithm based on it; the theorem for a mathematical subclass of VE and the theorem associated with the proposed algorithm are also proven in this section. In Section 4, the demonstration of our SSO algorithm is shown. In Section 5, we discuss (1) the robustness of our algorithm against theoretical attacks, (2) the comparison with the major SSO implementations mentioned above, viz. Kerberos, SAML and OpenID, and (3) the impact on customers and businesses. Section 6 concludes the paper.

Methodology
As the background of this research, current SSO technology has issues of consent management and security, as mentioned in the introduction. The purpose of this research is to construct an SSO algorithm that solves these issues. That is, our purpose is to construct an SSO algorithm that achieves
• maintenance of security;
• no unauthorized disclosure of the user's personal information.
In particular, we aim to construct an algorithm in which the user's personal information cannot be leaked in principle, and assume that the service provider cannot obtain anything other than authentication information.
To achieve this purpose, our research strategy is to construct an algorithm that satisfies the following conditions.
• The ownership of each piece of information, i.e., the user's personal information, the key used to encrypt it, and the personal information of the service provider, is clarified.
• The user's personal information and the key used to encrypt it are not stored in the same storage.
• The user's personal information and the authentication information are not held by the same party at the same time.
• The key used to encrypt the user's personal information and the authentication information are not held by the same party at the same time.
In our research design, the VE-based authentication algorithm and its implementation are used to construct the SSO algorithm. VE-based authentication realizes secure and fast authentication for unlocking a local device via a network without distributing keys to the server. The server never learns the user's personal information or the authentication result. Moreover, not only an ID and password but arbitrary personal information, for example biometric information and unique numbers held by individuals such as credit card numbers and contactless magnetic IC card numbers, can be applied to the VE-based algorithm.
Our research approach is as follows:
• construction of the mathematical SSO algorithm based on the VE-based authentication algorithm;
• prototype implementation and testing;
• security discussion.
Our research procedure is the following:
1. Define parties;
2. Define the network configuration;
3. Define parameters such as plaintexts;
4. Define the ownership of each parameter;
5. Construct the mathematical algorithm;
6. Implement.

Algorithm
SSO access control is a property of software systems that allows a user to log in to some approved systems using a single login account. In this section, we introduce the authentication procedure based on VE proposed in [19]; in addition, we describe our modifications to this algorithm to realize SSO.

Cryptosystem and Authentication Algorithm Based on VE
Definition 1. Let $P$, $C$ and $K$ be the spaces of plaintexts, cyphertexts and keys, respectively. A cryptosystem is a tuple $\mathcal{C} = (P, C, K, \mathcal{E}, \mathcal{D})$, where $\mathcal{E} = \{E_k : P \to C \mid k \in K\}$ and $\mathcal{D} = \{D_k : C \to P \mid k \in K\}$ are the sets of encryption and decryption maps, such that
$$\forall p \in P,\ \exists k \in K,\quad D_k(E_k(p)) = p.$$
Let $V : P \times P \to \mathbb{R}_+ (= [0, +\infty))$ be a metric between two texts.
Definition 2. For a given metric $V$ and two cryptosystems $\mathcal{C}_1 = (P, C, K, \mathcal{E}, \mathcal{D})$ and $\mathcal{C}_2 = (P, C, K', \mathcal{E}', \mathcal{D}')$, the pair $(\mathcal{E}, \mathcal{E}')$ is called a VE if, for all $p_1, p_2 \in P$, there exist maps $F : C \times C \to C$ and $\mathcal{D}_{k,k'} : C \to \mathbb{R}_+$ and two keys $(k, k') \in K \times K'$ such that
$$\mathcal{D}_{k,k'}\big(F(E_k(p_1), E'_{k'}(p_2))\big) = V(p_1, p_2).$$
Here, we introduce the authentication algorithm based on VE, which consists of a registration step that enrolls a user's secret information for a system or service, and a verification step that verifies this information. As a prerequisite, the entities and channels are as follows.
• $S$ is a computation server and an untrusted party;
• Alice is a prover;
• Bob is a verifier;
• the channel between Alice and Bob is secure;
• the channel between Bob and $S$ is insecure;
• Alice has no direct access to $S$.
Let $\mathcal{C}_1 = (P, C, K, \mathcal{E}, \mathcal{D})$ and $\mathcal{C}_2 = (P, C, K', \mathcal{E}', \mathcal{D}')$ be two cryptosystems such that $(\mathcal{E}, \mathcal{E}')$ is a VE. Let $p_1, p_2 \in P$ be two plaintexts, $(k, k') \in K \times K'$ two keys, and $c_1 = E_k(p_1)$, $c_2 = E'_{k'}(p_2)$ the two corresponding cyphertexts.

Registration step
Step 1 Alice sends $p_1$ to Bob.
Step 2 Bob generates $k$ and calculates $E_k(p_1) = c_1$.
Step 3 Bob sends $c_1$ to the server $S$.

Verification step
Step 1 Alice sends $p_2$ to Bob.
Step 2 Bob generates $k'$ and calculates $E'_{k'}(p_2) = c_2$.
Step 3 Bob sends $c_2$ to $S$.
Step 4 Server $S$ calculates $F(c_1, c_2) = c_d$ and sends $c_d$ to Bob.
In this algorithm, no key distribution between Alice and Bob or between Bob and the server is required. The distance between the two plaintexts is essentially computed in the cyphertext space on the server, without decryption. The distance itself is then obtained by applying the map $\mathcal{D}_{k,k'}$ to $F(c_1, c_2)$, where $k$ and $k'$ are the two keys. It is noteworthy that when a one-time pad is used as the cryptosystem, minimal computational resources are required [19].

Mathematical Subclass of VE
Let $(G, \bullet)$ be an abelian group. We construct two maps $F$ and $\mathcal{D}$ using the operator $\bullet$, and discuss the mathematical subclass of VE.
Theorem 1. If a cryptosystem $\mathcal{C} = (P, C, K, \mathcal{E}, \mathcal{D})$, a metric $V$ and two maps $F$ and $\mathcal{D}$ satisfy the following conditions, the cryptosystem belongs to the class of VE.
1. $P$, $C$ and $K$ are abelian groups contained in a group $G$ that is closed under the operator $\bullet$.
Proof. Let $\mathcal{C} = (P, C, K, \mathcal{E}, \mathcal{D})$ be a cryptosystem such that $P$, $C$ and $K$ are the same arbitrary abelian group with $P, C, K \subset G$, where $G$ is a group closed under the operator $\bullet$, and let $\mathcal{C}_1$ and $\mathcal{C}_2$ be two cryptosystems equal to $\mathcal{C}$. Let $p_1, p_2 \in P$ be two plaintexts, $(k, k') \in K \times K$ two keys, and $c_1 = E_k(p_1) = p_1 \bullet k$, $c_2 = E_{k'}(p_2) = p_2 \bullet k'$ the corresponding cyphertexts. We construct the maps $F : C \times C \to C$ and $\mathcal{D}_{k,k'} : C \to \mathbb{R}_+$ from the operator $\bullet$, with
$$F(c_1, c_2) = c_1 \bullet c_2^{-1} = p_1 \bullet p_2^{-1} \bullet k \bullet k'^{-1},$$
so that $\mathcal{D}_{k,k'}$ cancels the keys by multiplying with $k^{-1} \bullet k'$ and evaluates the metric. For all $p_1, p_2 \in P$ there thus exist keys $k, k'$ such that $\mathcal{D}_{k,k'}(F(c_1, c_2)) = V(p_1, p_2)$. Therefore, a cryptosystem satisfying the above conditions belongs to the class of VE.

Corollary 1. The cryptosystem composed of a Caesar cypher belongs to the class of VE.
Proof. The cryptosystem of a Caesar cypher can be represented as $\mathcal{C}_{cs} = (P, C, K, \mathcal{E}, \mathcal{D})$, where $P = C = K = \mathbb{Z}_{26}$, $E_k(p) = p + k \bmod 26$ and $D_k(c) = c - k \bmod 26$. Here, $a - b \bmod 26$ can be considered as $a + (-b) \bmod 26$, where $-b$ is the inverse of $b$. $\mathbb{Z}_{26}$ is an abelian group closed under addition $+$. Hence, $\mathcal{C}_{cs}$ satisfies conditions 1, 2 and 3 of Theorem 1.
Let $p_1, p_2 \in P$ be two plaintexts, $(k, k') \in K \times K$ two keys, and $c_1 = p_1 + k \bmod 26$, $c_2 = p_2 + k' \bmod 26$ the corresponding cyphertexts. We define a metric $V : P \times P \to \mathbb{R}_+$ as $V(p_1, p_2) = |p_1 - p_2|$. Because $-p_2$ is the inverse of $p_2$, $V$ can be considered as composed from the addition operation $+$. Furthermore, we construct the two maps $F : C \times C \to C$ and $\mathcal{D}_{k,k'} : C \to \mathbb{R}_+$ from the same operation. Hence, the Caesar cypher satisfies conditions 4, 5 and 6, and therefore belongs to the class of VE. In fact, computing
$$F(c_1, c_2) = c_1 - c_2 \bmod 26 = (p_1 - p_2) + (k - k') \bmod 26$$
and then removing $k - k'$ with $\mathcal{D}_{k,k'}$ recovers $p_1 - p_2$ and hence $V(p_1, p_2)$. Thus, it can be confirmed that a cryptosystem with a Caesar cypher belongs to the class of VE.

SSO Based on VE
The Digital Identity Guidelines of the National Institute of Standards and Technology (NIST) [20] define the authentication entities and prescribe the identity assurance standards for each process of identity proofing and authentication. These authentication entities are listed below.
User: A person whose identity is to be verified using one or more authentication protocols.
Identity provider (IdP): A trusted entity that issues or registers a user's identity. An IdP may be an independent third party.
Verifier: The entity that verifies the user's identity using an authentication protocol.
Relying party (RP): The entity that relies upon the authentication information for the user's identity sent from a verifier, typically to process a transaction or permit access to information or a system.
To construct a simpler model than that defined by the Digital Identity Guidelines, we assume that IdP also plays the role of a verifier.
Furthermore, NIST defines the identity assurance levels (IALs) and authenticator assurance levels (AALs) as specifications for identity assurance. For additional information on IALs and AALs, please refer to NIST SP 800-63A and 800-63B, respectively [20].
IAL: IAL refers to the robustness of the identity proofing process to confidently determine the identity of an individual. An IAL is selected to mitigate potential identity proofing errors.
AAL: AAL refers to the robustness of the authentication process as well as that of the binding between an authenticator and an individual's identifier. An AAL is selected to mitigate potential authentication errors (i.e., a false claimant using a credential that does not rightfully belong to them).
The IALs and AALs are summarized in Tables 2 and 3 [20].

Table 2. Identity Assurance Levels (IALs).
IAL1: At IAL1, attributes, if any, are self-asserted or should be treated as self-asserted.
IAL2: At IAL2, either remote or in-person identity proofing is required. IAL2 requires the identification attributes to be verified in person or remotely using, at least, the procedures described in SP 800-63A.
IAL3: At IAL3, in-person identity proofing is required. Identification attributes must be verified by an authorized IdP representative by examining physical documentation as described in SP 800-63A.

Table 3. Authenticator Assurance Levels (AALs).
AAL1: AAL1 provides some assurance that a claimant controls an authenticator registered to the subscriber. AAL1 requires single-factor authentication using a wide range of available authentication technologies. Successful authentication requires a claimant to prove possession and control of the authenticator(s) through a secure authentication protocol.
AAL2: AAL2 provides high confidence that a claimant controls the authenticator(s) bound to the subscriber's account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.
AAL3: AAL3 provides very high confidence that a claimant controls the authenticator(s) registered to the subscriber. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 is like AAL2, but also requires a "hard" cryptographic authenticator that provides verifier impersonation resistance.

In our study, we selected IAL1 and AAL1 for identity assurance. In addition, we assumed that the authentication information provided to the RP and the personal information collected from the user are minimized according to the guidelines of [20]. Let Alice be a user, Bob an IdP with a computation server $S$, and Charlie an RP. The security policy of the proposed model can be summarized as follows.
• Alice accesses Charlie's service and does not reveal her identity to Charlie.
• Charlie provides service only to an authenticated user but does not handle the user's identity.
• Alice and Charlie trust Bob.
• The channel between Alice and Bob is a secure channel.
• The channel between Bob and Charlie is a secure channel.
• The channel between Alice and Charlie is an insecure channel.
The channels between the user (Alice), the IdP (Bob) and the RP (Charlie) are depicted in Figure 1, in which double-lined bars indicate a secure channel and single-lined bars an insecure channel. Here, $S$ is the computation server, which is independent of Alice, Bob and Charlie, as in [19]. $S$ manages the database in which cyphertexts are stored and computes on cyphertexts with the map $F$. For the implementation of our algorithm, Bob comprises both A and D, where A is a registration machine and D is a verification machine. The one-time pad cryptosystem $\mathcal{C}_{otp}$, which belongs to the class of VE, is defined as $\mathcal{C}_{otp} = (P, C, K, \mathcal{E}, \mathcal{D})$, where
$$P = C = K = \{0, 1\}^n,\quad E_k(p) = p \oplus k,\quad D_k(c) = c \oplus k,\quad \Pr(k) = 2^{-n}\ \text{for every } k \in K.$$
It should be noted that $\Pr(k)$ is the probability with which the key $k$ is chosen, and $\oplus$ denotes the bitwise exclusive OR operator.
Let $p_{A,i} \in P$ ($i = 1, 2$) be two plaintexts owned by Alice, $k_{A,i}$ the keys, and $c_{A,i} \in C$ the two corresponding cyphertexts. Similarly, let $p_{C,i} \in P$ be two plaintexts owned by Charlie, $k_{C,i}$ the keys, and $c_{C,i} \in C$ the two corresponding cyphertexts ($i = 1, 2$).

Registration step for Alice
Step 1 Alice sends $p_{A,1}$ to A.
Step 2 A generates $k_{A,1}$ and computes $c_{A,1} = p_{A,1} \oplus k_{A,1}$.
Step 3 A sends $c_{A,1}$ to $S$.
Step 4 A sends $k_{A,1}$ to D.
As in Figure 1, double-lined arrows indicate a secure channel and single-lined arrows an insecure channel in Figures 2 and 3.

Registration step for Charlie
Step 1 Charlie sends $p_{C,1}$ to A.
Step 2 A generates $k_{C,1}$ and computes $c_{C,1} = p_{C,1} \oplus k_{C,1}$.
Step 3 A sends $c_{C,1}$ to $S$.
Step 4 A sends $k_{C,1}$ to Charlie.

Verification step
Step 1 Alice sends a request for Charlie's service to Charlie.
Step 2 Charlie generates $k_{C,2}$ and computes $c_{C,2} = p_{C,2} \oplus k_{C,2}$.
Step 3 Charlie sends $c_{C,2}$ to Alice.
Step 4 Alice computes $pc_{C,2} = c_{C,2} \oplus p_{A,2}$ and sends $pc_{C,2}$ to D.
Step 5 D generates $k_{A,2}$ and computes $c_2 = pc_{C,2} \oplus k_{A,2}$.
Step 6 D sends $c_2$ to $S$.
Step 7 $S$ computes $c_3 = c_{A,1} \oplus c_{C,1} \oplus c_2$, where
$$c_3 = p_{A,1} \oplus k_{A,1} \oplus p_{C,1} \oplus k_{C,1} \oplus p_{C,2} \oplus k_{C,2} \oplus p_{A,2} \oplus k_{A,2}.$$
Step 8 $S$ sends $c_3$ to D.
Step 9 D computes $c_r = c_3 \oplus k_{A,1} \oplus k_{A,2}$, where
$$c_r = p_{A,1} \oplus p_{A,2} \oplus p_{C,1} \oplus p_{C,2} \oplus k_{C,1} \oplus k_{C,2}.$$
Step 10 D sends $c_r$ to Charlie.
Step 11 Charlie computes $r = c_r \oplus k_{C,1} \oplus k_{C,2}$, where
$$r = p_{A,1} \oplus p_{A,2} \oplus p_{C,1} \oplus p_{C,2}.$$
Step 12 If $r = 0$, Charlie returns OK to Alice. Otherwise, Charlie returns NG.
As in Figure 1, double-lined arrows indicate a secure channel and single-lined arrows an insecure channel in Figures 6 and 7. At Step 11 of the verification step, if $p_{C,1} \oplus p_{C,2} = 0$, then $r = p_{A,1} \oplus p_{A,2}$, and this value is known only to Charlie. Only Charlie learns the authentication result for Alice, and he obtains nothing other than that result. With this algorithm, even Bob, the IdP trusted by Alice and Charlie, cannot learn the authentication result. Let us consider the dependency of information from two sides: whether it is transmitted, and who holds it.
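The registration and verification steps above, run end to end as an added worked example (this is not the paper's implementation). The code models n-bit texts as Python integers, draws keys from os.urandom rather than the QP-DYN generator the paper uses (an assumption), and keeps the paper's separation of roles: the server S stores and combines cyphertexts only, Bob (A and D) holds keys only, and Charlie ends up with r.

```python
"""
Simulation of the one-time-pad SSO protocol: registration for Alice and
Charlie, then verification. Added example, not the paper's code.
Assumptions: plaintexts and keys are n-bit values modelled as Python ints,
and keys come from os.urandom instead of the paper's QP-DYN generator.
"""
import os

N_BITS = 128                      # assumed text length


def rand_key() -> int:
    """Fresh uniformly random n-bit key (one-time pad: never reused)."""
    return int.from_bytes(os.urandom(N_BITS // 8), "big")


class Server:
    """S: untrusted computation server. Sees and stores cyphertexts only."""
    def __init__(self):
        self.store = {}

    def put(self, label: str, c: int) -> None:
        self.store[label] = c

    def combine(self, c_2: int) -> int:
        # Step 7: c_3 = c_A1 xor c_C1 xor c_2 (no key, no decryption)
        return self.store["c_A1"] ^ self.store["c_C1"] ^ c_2


class IdP:
    """Bob: registration machine A plus verification machine D.
    Holds keys only; plaintexts are never stored here."""
    def __init__(self, server: Server):
        self.server = server
        self.k_A1 = None           # handed from A to D at registration (Step 4)
        self.k_A2 = None           # lives only between Steps 5 and 9

    def register_alice(self, p_A1: int) -> None:
        self.k_A1 = rand_key()                         # Step 2
        self.server.put("c_A1", p_A1 ^ self.k_A1)      # Step 3

    def register_charlie(self, p_C1: int) -> int:
        k_C1 = rand_key()                              # Step 2
        self.server.put("c_C1", p_C1 ^ k_C1)           # Step 3
        return k_C1                                    # Step 4: key goes to Charlie

    def verify(self, pc_C2: int) -> int:
        self.k_A2 = rand_key()                         # Step 5
        c_2 = pc_C2 ^ self.k_A2
        c_3 = self.server.combine(c_2)                 # Steps 6-8
        c_r = c_3 ^ self.k_A1 ^ self.k_A2              # Step 9
        self.k_A2 = None
        return c_r                                     # Step 10


class RelyingParty:
    """Charlie: learns only r = p_A1 xor p_A2 xor p_C1 xor p_C2."""
    def __init__(self, idp: IdP, p_C: int):
        self.p_C = p_C                                 # p_C1 == p_C2 here, as in Section 4
        self.k_C1 = idp.register_charlie(p_C)
        self.k_C2 = None

    def challenge(self) -> int:
        self.k_C2 = rand_key()                         # Step 2
        return self.p_C ^ self.k_C2                    # Step 3: c_C2

    def decide(self, c_r: int) -> tuple:
        r = c_r ^ self.k_C1 ^ self.k_C2                # Step 11
        return r == 0, r                               # Step 12: OK iff r == 0


def run_protocol(p_A1: int, p_A2: int, p_C: int) -> tuple:
    """Full run. Returns (ok, r, server_view)."""
    s = Server()
    bob = IdP(s)
    bob.register_alice(p_A1)
    charlie = RelyingParty(bob, p_C)
    c_C2 = charlie.challenge()
    pc_C2 = c_C2 ^ p_A2                                # Step 4, performed by Alice
    c_r = bob.verify(pc_C2)
    ok, r = charlie.decide(c_r)
    return ok, r, dict(s.store)


if __name__ == "__main__":
    # Constructed sample secrets (16 bytes each).
    p_A = int.from_bytes(b"alice-secret-con", "big")
    p_C = int.from_bytes(b"charlie-secret-c", "big")
    print(run_protocol(p_A, p_A, p_C)[0])              # matching secret: True
    print(run_protocol(p_A, p_A ^ 1, p_C)[1])          # one flipped bit: r == 1
```

Two things the run makes concrete. First, the server's view is exactly {c_A1, c_C1} plus the transient c_2 and c_3, all of which are one-time-pad cyphertexts, so S never holds a key. Second, on a mismatch r is not a bare reject flag but exactly $p_{A,1} \oplus p_{A,2}$ (Step 11 with $p_{C,1} = p_{C,2}$), so the "authentication result" in Charlie's hands is the XOR difference of Alice's two secrets and should be handled as sensitive data rather than logged.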
First, the two Venn diagrams in Figures 8 and 9 show what is transmitted in the registration step and the verification step, respectively; elements in an intersection are texts transmitted between the two parties. Figure 8 shows that Alice's plaintext $p_{A,1}$ lies in the intersection of Alice and Bob, and that Charlie's plaintext $p_{C,1}$ and the key $k_{C,1}$ lie in the intersection of Bob and Charlie. In contrast, Figure 9 shows that Alice's plaintext $p_{A,2}$, Charlie's plaintext $p_{C,2}$ and the key $k_{C,2}$ lie in no intersection; that is, these texts are never sent as is, even to Bob, who is trusted by Alice and Charlie. From this it follows that the channel between Alice and Bob and the channel between Bob and Charlie must be secure during the registration step. A Venn diagram summarizing both the registration and verification steps is shown in Figure 10. Next, Figure 11 shows the Venn diagram of the information held by each party. No item lies in any intersection; that is, no information is held by two or more parties at the same time. Since all cyphertexts and keys are held by different parties, the server, which holds only cyphertexts, cannot decrypt them.
Next, we describe the construction of the proposed SSO algorithm using the operator • defined in Section 3.1.1.

Theorem 2. If a cryptosystem as described in Theorem 1 is given, the proposed SSO algorithm based on VE can be constructed.
Proof. The cryptosystem $\mathcal{C} = (P, C, K, \mathcal{E}, \mathcal{D})$, the metric $V$ and the maps $F$ and $\mathcal{D}$ are given as in Theorem 1; in particular, $P$, $C$ and $K$ are the same arbitrary abelian group with $P, C, K \subset G$, where $G$ is a group closed under the operator $\bullet$. Let $p_{A,i} \in P$ be two plaintexts owned by Alice, $k_{A,i}$ the keys, and $E_{k_{A,i}}(p_{A,i}) = p_{A,i} \bullet k_{A,i} = c_{A,i} \in C$ the two corresponding cyphertexts ($i = 1, 2$). Similarly, let $p_{C,i} \in P$ be two plaintexts owned by Charlie, $k_{C,i}$ the keys, and $E_{k_{C,i}}(p_{C,i}) = p_{C,i} \bullet k_{C,i} = c_{C,i} \in C$ the two corresponding cyphertexts ($i = 1, 2$). It should be noted that the VE can be configured using only the one cryptosystem $\mathcal{C}$ in this case.

Registration step for Alice
Step 1 Alice sends $p_{A,1}$ to A.
Step 2 A generates $k_{A,1}$ and computes $c_{A,1} = E_{k_{A,1}}(p_{A,1}) = p_{A,1} \bullet k_{A,1}$.
Step 3 A sends $c_{A,1}$ to $S$.
Step 4 A sends $k_{A,1}$ to D.

Registration step for Charlie
Step 1 Charlie sends $p_{C,1}$ to A.
Step 2 A generates $k_{C,1}$ and computes $c_{C,1} = E_{k_{C,1}}(p_{C,1}) = p_{C,1} \bullet k_{C,1}$.
Step 3 A sends $c_{C,1}$ to $S$.
Step 4 A sends $k_{C,1}$ to Charlie.

Verification step
Step 1 Alice sends a request for Charlie's service to Charlie.
Step 2 Charlie generates $k_{C,2}$ and computes $c_{C,2} = E_{k_{C,2}}(p_{C,2}) = p_{C,2} \bullet k_{C,2}$.
Step 3 Charlie sends $c_{C,2}$ to Alice.
Step 4 Alice computes $pc_{C,2} = p_{A,2} \bullet c_{C,2}$ and sends $pc_{C,2}$ to D.
Step 5 D generates $k_{A,2}$ and computes $c_2 = E_{k_{A,2}}(pc_{C,2})$, where
$$c_2 = p_{A,2} \bullet p_{C,2} \bullet k_{C,2} \bullet k_{A,2}.$$
Step 6 D sends $c_2$ to $S$.
Step 7 $S$ computes $c_3 = c_{A,1} \bullet c_{C,1} \bullet c_2^{-1}$, where
$$c_3 = p_{A,1} \bullet k_{A,1} \bullet p_{C,1} \bullet k_{C,1} \bullet \left(p_{A,2} \bullet p_{C,2} \bullet k_{C,2} \bullet k_{A,2}\right)^{-1}.$$
Step 8 $S$ sends $c_3$ to D.
Step 9 D computes $c_r = \mathcal{D}_{k_{A,1},k_{A,2}}(c_3) = c_3 \bullet k_{A,1}^{-1} \bullet k_{A,2}$, where
$$c_r = p_{A,1} \bullet p_{A,2}^{-1} \bullet p_{C,1} \bullet p_{C,2}^{-1} \bullet k_{C,1} \bullet k_{C,2}^{-1}.$$
Step 10 D sends $c_r$ to Charlie.
Step 11 Charlie computes $r = \mathcal{D}_{k_{C,1},k_{C,2}}(c_r) = c_r \bullet k_{C,1}^{-1} \bullet k_{C,2}$, where
$$r = p_{A,1} \bullet p_{A,2}^{-1} \bullet p_{C,1} \bullet p_{C,2}^{-1}.$$
Step 12 If $V(p_{C,1}, p_{C,2}) = 0$, i.e. $p_{C,1} = p_{C,2}$, then $r = p_{A,1} \bullet p_{A,2}^{-1}$ and Charlie can obtain $V(p_{A,1}, p_{A,2})$.
Hence, the SSO algorithm based on VE is constructed.
Moreover, the following two corollaries are derived using Theorems 1 and 2.

Corollary 2.
The SSO algorithm based on VE can be constructed using a one-time pad.
Proof. Following [19], $V$, $F$ and $\mathcal{D}$ are composed of the operation $\oplus$. In the one-time pad cryptosystem, the spaces of plaintexts, cyphertexts and keys are $P = C = K = \{0, 1\}^n$.
$\mathbb{Z}_2^n$ is an abelian group isomorphic to $\{0, 1\}^n$, namely $(\{0, 1\}^n, \oplus) \cong (\mathbb{Z}_2^n, +)$. For all $a \in \{0, 1\}^n$ we have $a \oplus a = 0$, so every element is its own inverse and the inverse $a^{-1} = a$ is part of the one-time pad itself. Hence $\{0, 1\}^n$ is an abelian group, and the one-time pad satisfies all conditions of Theorem 1. Therefore, by Theorem 2, the SSO algorithm based on VE can be constructed using a one-time pad. The proof is omitted because it is evident from Corollary 1 and Theorem 2.

Demonstration
We apply the QP-DYN algorithm [21] as the pseudorandom number generator in our algorithm. QP-DYN is a pseudorandom number generator that is faster than AES; since the underlying VE-based authentication algorithm already uses QP-DYN for its speed, we use it in this study as well. For QP-DYN performance figures, refer to [22]. Because any pseudorandom number generator can be used with the proposed algorithm, the time required for key generation is not discussed in this paper.
The specifications of the experimental environment are listed in Table 4. The registration information for Alice and Charlie is presented in Tables 5 and 6, respectively, and the verification in Table 7. In this case, the plaintexts of Alice and Charlie at verification are identical to those used at registration, namely $p_{A,2} = p_{A,1}$ and $p_{C,2} = p_{C,1}$.
The verification times are listed in Table 8 and plotted in Figure 12. We measured the time from Charlie receiving Alice's request in verification Step 1 to the output of the final value $r$ in Step 11. Table 8 and Figure 12 show the averages of 100 measurements for each text length. As expected, increasing the plaintext length increases the execution time; however, it is noteworthy that a plaintext of 8192 bits can be processed in less than 1 ms.

Discussion
In this section, we discuss the robustness of the algorithm against attacks as well as present a special case of the algorithm and compare the proposed algorithm with Kerberos, OpenID, and SAML. Moreover, we discuss the impact on the customers and businesses.

Theoretical and Classical Attack
Here, we discuss the robustness of the algorithm against theoretical and classical attacks. First, the results of a cyphertext-only attack (COA) against our algorithm and the case in which the authentication result $r$ becomes 0 are discussed. COA is the attack model that seeks the plaintext using only cyphertexts, and is also called the known cyphertext attack (KCA). The cyphertexts that appear in the protocol are listed in Table 9, where $p_{A,1}$ and $p_{A,2}$ are Alice's plaintexts at the registration and verification steps, respectively, and $p_{C,1}$ and $p_{C,2}$ are Charlie's plaintexts at the registration and verification steps, respectively.

Table 9. Appearing cyphertexts.
Cyphertext | Contents
$c_{A,1}$ | $p_{A,1} \oplus k_{A,1}$
$c_{C,1}$ | $p_{C,1} \oplus k_{C,1}$
$c_{C,2}$ | $p_{C,2} \oplus k_{C,2}$
$pc_{C,2}$ | $p_{A,2} \oplus p_{C,2} \oplus k_{C,2}$
$c_2$ | $p_{A,2} \oplus k_{A,2} \oplus p_{C,2} \oplus k_{C,2}$
$c_3$ | $p_{A,1} \oplus k_{A,1} \oplus p_{C,1} \oplus k_{C,1} \oplus p_{A,2} \oplus k_{A,2} \oplus p_{C,2} \oplus k_{C,2}$
$c_r$ | $p_{A,1} \oplus p_{A,2} \oplus p_{C,1} \oplus k_{C,1} \oplus p_{C,2} \oplus k_{C,2}$

It should be noted that $pc_{C,2}$ and $c_r$ are included as targets of the cyphertext-only attack; however, they are sent to D and to Charlie, respectively, via secure channels.
We analyze the attack by varying the number of elements extracted from the set of cyphertexts $\{c_{A,1}, c_{C,1}, c_{C,2}, pc_{C,2}, c_2, c_3, c_r\}$. Table 10 shows the case of two elements. In this case, $p_{A,2}$ and $k_{A,2}$ can be recovered from the combinations $(c_{C,2}, pc_{C,2})$ and $(pc_{C,2}, c_2)$, respectively. However, this does not compromise the system, because $pc_{C,2}$ is sent via a secure channel. Table 11 shows the case of three elements. Here, $p_{A,1}$ can be recovered from the combination $(c_{C,1}, pc_{C,2}, c_r)$; however, as in the two-element case, $pc_{C,2}$ is not exposed. Table 12 shows the case of four elements.

Combination Calculation
In this case, there is a possibility that k A,2 and k A,1 can be stolen. However, it should be noted that both include p c C,2 in the calculation. Table 13 shows the case when the number of elements to be extracted is five. In this case, there is a possibility that p A,1 and p A,1 ⊕ p A,2 can be stolen. However, p c C,2 and c r are included in the calculation. Table 14 shows the case when the number of elements to be extracted is six. In this case, p A,2 can be stolen. However, p A,2 is protected because p c C,2 is included in the calculation.
Even when the calculation is performed using all cyphertexts, neither Alice's nor Bob's plaintext information is compromised (see Table 15).
In addition to the cyphertext-only attack, we present our consideration of the classical and theoretical attacks (known plaintext attack (KPA), chosen plaintext attack (CPA), chosen cyphertext attack (CCA1), and adaptive chosen cyphertext attack (CCA2)) against our algorithm.
KPA is the attack model in which the plaintext is obtained from the cyphertext under the condition that the cyphertext corresponding to a known plaintext can be obtained. In KPA, all cyphertexts are assumed to be encrypted with the same private key. This attack does not hold against our algorithm, where all cyphertexts are encrypted with different keys.
CPA is the attack model that obtains a plaintext from a cyphertext under the condition that a cyphertext corresponding to an arbitrary plaintext can be obtained. We have already discussed CPA against the underlying VE-based authentication algorithm of our SSO algorithm in our previous paper [19]. An attacker could obtain the plaintext if a stream cypher were used instead of a one-time pad. However, since the one-time pad is applied in our algorithm, the algorithm is secure by Shannon's perfect secrecy.
CCA1 and CCA2 are attack models that obtain a plaintext from a certain cyphertext under the condition that the plaintext corresponding to an arbitrary cyphertext, excluding the cyphertext to be decrypted, can be obtained. From this information, the attacker attempts to recover the private key used for decryption. However, as with CPA, the key used for encryption cannot be obtained by the attacker because we apply a one-time pad in the algorithm.
Let us assume that the condition r = 0 is realized at Step 11 of the verification process in Theorem 1. The calculation step $r = V(p_{A,1}, p_{A,2}) \cdot V(p_{C,1}, p_{C,2})$ can be considered as Here, $V(a, b) = a \cdot b^{-1}$. From the above equation, the condition that r is equal to 0 is represented by $V(p_{A,1}, p_{A,2}) = V(p_{C,1}, p_{C,2})$. If $V(p_{A,1}, p_{A,2}) = V(p_{C,1}, p_{C,2}) = 0$, then authentication is successful. However, there is a possibility that $V(p_{A,1}, p_{A,2}) = V(p_{C,1}, p_{C,2}) \neq 0$ while r = 0; nevertheless, the probability of this occurrence can be reduced by increasing the size of the plaintext.

Man-in-the-Middle Attack
A man-in-the-middle attack (MITM) is an active attack in which the attacker secretly relays the information communicated between two parties who believe that they are communicating directly with each other, and then eavesdrops on or alters it. We discuss the robustness of our proposed algorithm against MITM, which is a well-known attack on Kerberos, OpenID, and SAML.
MITM is effective against algorithms that use public key cryptography and key agreement; however, public key cryptography and key agreement are not required in our algorithm. Therefore, MITM does not hold against our algorithm. The three major algorithms can avoid man-in-the-middle attacks by signing the token and using a secure channel such as SSL/TLS.
Let us consider that an attacker, Eve, masquerades as Charlie, who is the RP, in the verification step of our algorithm (see Figures 13 and 14). We assume that Eve wants to obtain Alice's authentication information but does not possess Charlie's registered plaintext $p_{C,1}$ or key $k_{C,1}$. Although the channel between Bob and Charlie is actually secure, we assume that Eve communicates with Alice on the same channel as Charlie. Suppose that the conditions are the same as for the algorithm proposed in Section 2.

Verification step
Step 1 Alice sends a request to Eve, who impersonates Charlie's service.
Step 2 Eve generates $k_E$ and computes $c_E = E_{k_E}(p_E) = p_E \oplus k_E$.
Step 3 Eve sends $c_E$ to Alice.
Step 4 Alice computes $pc_E = p_{A,2} \oplus c_E$ and sends $pc_E$ to D.
Step 5 D generates $k_{A,2}$ and computes $c_2 = pc_E \oplus k_{A,2}$.
Step 6 D sends $c_2$ to S.
Step 7 S computes $c_3 = c_{A,1} \oplus c_{C,1} \oplus c_2$, where
Step 8 S sends $c_3$ to D.
Step 9 D computes $c_r = c_3 \oplus k_{A,1} \oplus k_{A,2}$, where
Step 10 D sends $c_r$ to Eve, who impersonates Charlie.
Step 11 Eve computes $r = c_r \oplus c_E$, where
If Eve could obtain $c_{C,1}$ in the registration step, she could compute the authentication information of Alice from r and $c_{C,1}$ as follows
Eve can obtain only the distance between Alice's two plaintexts $p_{A,1}$ and $p_{A,2}$. In fact, because the channel between Bob and Charlie is a secure channel, this attack does not hold.
Moreover, consider the case in which Bob, the IdP trusted by Alice and Charlie, is impersonated by Eve, a malicious third party. In this case, Eve can obtain the plaintexts of both Alice and Charlie at the registration step. Bob's reliability is therefore very important as a matter of security policy, because otherwise the protocol does not hold. That is, the channel between Alice and Bob and the channel between Bob and Charlie must be secure or directly accessible.
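To make the masquerade above concrete, the following Python simulation (added here; it is not code from the paper) replays Steps 2 through 11 with Eve in Charlie's place and checks what her final value r actually contains. It assumes that Alice's registered cyphertext is $c_{A,1} = p_{A,1} \oplus k_{A,1}$ (an assumption, since Table 9 is not reproduced in this section) and treats $c_{C,1}$ as an opaque value that Eve may or may not have obtained.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """One-time-pad operation: bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mitm_verification(p_a1, p_a2, k_a1, c_c1, p_e, k_e, k_a2) -> bytes:
    """Replay verification Steps 2-11 with Eve impersonating Charlie.

    Assumption (not given in this section): Alice's registered cyphertext is
    c_a1 = p_a1 XOR k_a1. c_c1 is Charlie's registered cyphertext held by S.
    Returns r, the value Eve ends up with in Step 11.
    """
    c_a1 = xor(p_a1, k_a1)
    c_e = xor(p_e, k_e)                  # Step 2: Eve's forged cyphertext
    pc_e = xor(p_a2, c_e)                # Step 4: Alice blinds p_a2 with c_e
    c_2 = xor(pc_e, k_a2)                # Step 5: D adds the fresh key k_a2
    c_3 = xor(xor(c_a1, c_c1), c_2)      # Step 7: S combines stored cyphertexts
    c_r = xor(xor(c_3, k_a1), k_a2)      # Step 9: D removes Alice's keys
    return xor(c_r, c_e)                 # Step 11: Eve removes her own c_e


def what_eve_learns(n_bytes: int = 16) -> dict:
    """Run the masquerade on constructed random data and report what r leaks."""
    p_a1, p_a2 = secrets.token_bytes(n_bytes), secrets.token_bytes(n_bytes)
    k_a1, k_a2 = secrets.token_bytes(n_bytes), secrets.token_bytes(n_bytes)
    c_c1 = secrets.token_bytes(n_bytes)        # Charlie's registered cyphertext
    p_e, k_e = secrets.token_bytes(n_bytes), secrets.token_bytes(n_bytes)
    r = mitm_verification(p_a1, p_a2, k_a1, c_c1, p_e, k_e, k_a2)
    distance = xor(p_a1, p_a2)                 # V(p_a1, p_a2) under the one-time pad
    return {
        # With c_c1 (i.e. the Bob-Charlie channel broken) Eve gets the distance...
        "distance_with_c_c1": xor(r, c_c1) == distance,
        # ...but never either plaintext itself.
        "plaintext_leaked": r in (p_a1, p_a2) or xor(r, c_c1) in (p_a1, p_a2),
        # Without c_c1, r is the distance masked by c_c1: a one-time-pad cyphertext.
        "distance_without_c_c1": r == distance,
    }


if __name__ == "__main__":
    print(what_eve_learns())
```

The check shows why the paper ties the attack to the Bob-Charlie channel: r equals $p_{A,1} \oplus p_{A,2} \oplus c_{C,1}$, so without $c_{C,1}$ Eve holds nothing but a padded distance.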

Security Analysis
Here, we show the security analyses of our algorithm using Proverif [23] in Tables 16-18, in which Proverif reports, for example, "Query not attacker(pc2[]) is true."
From the above three tables, it is clear that our algorithm maintains security in all phases.

Comparison
Table 19 presents the comparisons between the proposed VE-based SSO algorithm and the Kerberos-based, OpenID, and SAML implementations. The first line compares the independence of the IdP and RP. OpenID and our algorithm assume that the IdP and RP are independent, whereas Kerberos and SAML do not. Because whether independence is needed depends on the requirements of the application, it cannot be said which algorithm is better.
The second line compares the cryptographic systems used. The cryptosystems used in the major SSO implementations are computationally secure cryptosystems. In contrast, the VE-based SSO algorithm is based on the one-time pad, which is an information-theoretically secure cryptosystem. Furthermore, our proposed algorithm and Kerberos are based on secret key cryptography, while the other two algorithms are based on public key cryptography (including key agreement). Comparing only the cryptosystems, secret key cryptography is obviously faster. However, in secret key cryptography the key must be shared in advance, so it cannot be clearly said which algorithm is faster overall. In the registration step of our algorithm, although there is a key distribution from Bob, the IdP, to Charlie, the RP, the key is distributed as it is via a secure channel; encryption using a cryptographic system such as public key agreement is not required. Because Bob never holds Charlie's key, the key management burden on Bob is small. In addition, AES, which is applied in Kerberos, is applicable to our implementation.
As listed in the third line of the table above, any identity can be applied in our algorithm; in contrast, only the ID and password can be applied in the other implementations. In our algorithm, because the usable personal information is arbitrary, password attacks such as the pass-the-hash attack, password list attack, and password spray attack cannot be performed against the algorithm unless the pair of ID and password is applied.

The Impact on Businesses
As mentioned in the introduction, the use of SSO leads to five benefits: reduction in help desk costs, improvement in customer satisfaction, boost in productivity, improvement in compliance and security capabilities, and B2B collaboration. In addition to these benefits, we discuss the impact of our algorithm on businesses and their customers.
First, our proposed algorithm can be expected to offer a different personal information management method from existing algorithms. In the VE-based authentication algorithm, which is the basis of the SSO algorithm proposed here, the server that manages the database cannot obtain authentication information, personal information, or keys. Moreover, our algorithm does not need to store personal information in local storage or in the database of the IdP and RP, and it enables information decentralization. The VE-based SSO algorithm proposed in this study differs from other SSO algorithms in that the information lists held by the IdP or RP and the encrypted personal information can be managed separately.
Next, the VE-based SSO algorithm enables the application of any personal information, in contrast with a typical SSO algorithm based on a pair of ID and password, as compared in Section 5.2 above. Because the amount of personal information that users can select other than an ID, such as biometric information, increases, users may be able to protect their own personal information by selecting the information that they want to use. Moreover, we assume the construction of a system with independent RP and IdP, in which only the authentication result is disclosed to the RP and the authentication result is not disclosed to the IdP. In other words, the IdP cannot obtain any information in the verification step, and the RP cannot obtain any information other than the authentication information as to whether the plaintexts of the user match. Because users can avoid providing information that they do not wish to disclose, this may reduce the possibility of the unintended collection of user information by GAFA, which is a problem raised in [14].
Finally, in addition to the benefits of using SSO, our algorithm has the potential to realize SSO that solves the current problems such as unintended collection of user information and the hesitancy of disclosure of their personal information.

Conclusions
In this study, we constructed a VE-based algorithm that enables users to securely provide authentication information to a service provider and achieve SSO. By using the proposed algorithm, the personal information of the user need not be unnecessarily disclosed or used without permission. Moreover, the algorithm can be used with a pair of ID and password as well as other identity information, including biometric information and unique numbers known by the user, among others. Based on our experimental results, the proposed algorithm takes less than 1 ms even for a plaintext with a length of 8192 bits. Our algorithm maintains security against classical and theoretical attacks. Also, the man-in-the-middle attack, which is one of the most popular methods against major SSO implementations, is impossible against our algorithm because our algorithm does not require public key agreement.

Patents
The VE-based authentication algorithm proposed in [19] is patented [25]. Patents for the SSO algorithm proposed in this study are currently pending [26].