Existing SSO protocols such as OIDC pose privacy risks: identity providers (IdPs) can track users’ service provider (SP) access patterns. This work proposes a privacy-enhancing OIDC extension leveraging Groth16 zk-SNARKs to enable bidirectional anonymity—users prove possession of valid credentials and authorization for a target SP without revealing the SP’s identity, while IdPs remain unidentifiable to SPs. To eliminate reliance on centralized trust assumptions, we introduce a decentralized verifiable trusted setup. The scheme achieves strong security—namely, simulator-extractable indistinguishability—while significantly reducing proof generation/verification overhead and storage requirements. Experimental evaluation demonstrates end-to-end latency under 300 ms, confirming production-readiness.

User authentication is one of the most important aspects for secure communication between services and end-users over the Internet. Service providers leverage Single-Sign On (SSO) to make it easier for their users to authenticate themselves. However, standardized systems for SSO, such as OIDC, do not guarantee user privacy as identity providers can track user activities. We propose a zero-knowledge-based mechanism that integrates with OIDC to let users authenticate through SSO without revealing information about the service provider. Our system leverages Groth's zk-SNARK to prove membership of subscribed service providers without revealing their identity. We adopt a decentralized and verifiable approach to set up the prerequisites of our construction that further secures and establishes trust in the system. We set up high security targets and achieve them with minimal storage and latency cost, proving that our research can be adopted for production.