skip to main content
10.1145/3658644.3690356acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials

Published: 09 December 2024 Publication History

Abstract

For many users, a private key based wallet serves as the primary entry point to blockchains. Commonly recommended wallet authentication methods, such as mnemonics or hardware wallets, can be cumbersome. This difficulty in user onboarding has significantly hindered the adoption of blockchain-based applications.
We develop zkLogin, a novel technique that leverages identity tokens issued by popular platforms (any OpenID Connect enabled platform e.g., Google, Facebook, etc.) to authenticate transactions. At the heart of zkLogin lies a signature scheme allowing the signer to sign using their existing OpenID accounts and nothing else. This improves the user experience significantly as users do not need to remember a new secret and can reuse their existing accounts.
zkLogin provides strong security and privacy guarantees. Unlike prior works, zkLogin's security relies solely on the underlying platform's authentication mechanism without the need for any additional trusted parties (e.g., trusted hardware or oracles). As the name suggests, zkLogin leverages zero-knowledge proofs (ZKP) to ensure that the sensitive link between a user's off-chain and on-chain identities is hidden, even from the platform itself.
zkLogin enables a number of important applications outside blockchains. It allows billions of users to produce verifiable digital content leveraging their existing digital identities, e.g., email address. For example, a journalist can use zkLogin to sign a news article with their email address, allowing verification of the article's authorship by any party.
We have implemented and deployed zkLogin on the Sui blockchain as an additional alternative to traditional digital signature-based addresses. Due to the ease of web3 on-boarding just with social login, many hundreds of thousands of zkLogin accounts have already been generated in various industries such as gaming, DeFi, direct payments, NFT collections, sports racing, cultural heritage, and many more.

References

[1]
Foteini Baldimtsi, Konstantinos Kryptos Chalkias, Yan Ji, Jonas Lindstrøm, Deepak Maram, Ben Riva, Arnab Roy, Mahdi Sedaghat, and Joy Wang. 2024. zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials. arxiv: 2401.11735 [cs.CR] https://arxiv.org/abs/2401.11735
[2]
Marta Bellés-Mu noz, Miguel Isabel, Jose Luis Mu noz-Tapia, Albert Rubio, and Jordi Baylina. 2022. Circom: A Circuit Description Language for Building Zero-knowledge Applications. IEEE Transactions on Dependable and Secure Computing (2022).
[3]
Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. 2018. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046. https://eprint.iacr.org/2018/046.
[4]
Sam Blackshear, Andrey Chursin, George Danezis, Anastasios Kichidis, Lefteris Kokoris-Kogias, Xun Li, Mark Logan, Ashok Menon, Todd Nowacki, Alberto Sonnino, et al. 2023. Sui lutris: A blockchain combining broadcast and consensus. arXiv preprint arXiv:2310.18042 (2023).
[5]
C2PA. 2023. Content Credentials : C2PA Technical Specification. https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_trust_model Accessed: [Nov 29, 2023].
[6]
Tim Carstens and Hans Martin. 2023. Bridging Web2 and Web3 with Bonsai Pay: A Bonsai-powered Demo Application. https://www.risczero.com/blog/bonsai-pay.
[7]
Melissa Chase and Anna Lysyanskaya. 2006. On Signatures of Knowledge. In CRYPTO 2006 (LNCS, Vol. 4117), Cynthia Dwork (Ed.). Springer, Heidelberg, 78--96. https://doi.org/10.1007/11818175_5
[8]
Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, and Nicholas P. Ward. 2020. Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. In EUROCRYPT 2020, Part I (LNCS, Vol. 12105), Anne Canteaut and Yuval Ishai (Eds.). Springer, Heidelberg, 738--768. https://doi.org/10.1007/978--3-030--45721--1_26
[9]
Alessandro Chiesa, Ryan Lehmkuhl, Pratyush Mishra, and Yinuo Zhang. 2023. Eos: Efficient Private Delegation of zkSNARK Provers. In 32nd USENIX Security Symposium (USENIX Security 23). 6453--6469.
[10]
Damian. 2024. Oauth-controlled Blockchain accounts | Near Documentation. https://docs.near.org/blog/chain-signatures-use-cases.
[11]
Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. 2019. PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. Cryptology ePrint Archive, Report 2019/953. https://eprint.iacr.org/2019/953.
[12]
Sanjam Garg, Aarushi Goel, Abhishek Jain, Guru-Vamsi Policharla, and Sruthi Sekar. 2023. zkSaaS: Zero-Knowledge SNARKs as a Service. In 32nd USENIX Security Symposium (USENIX Security 23). 4427--4444.
[13]
Shafi Goldwasser, Silvio Micali, and Charles Rackoff. 1985. The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract). In 17th ACM STOC. ACM Press, 291--304. https://doi.org/10.1145/22145.22178
[14]
Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, and Markus Schofnegger. 2021. Poseidon: A new hash function for Zero-Knowledge proof systems. In 30th USENIX Security Symposium (USENIX Security 21).
[15]
Jens Groth. 2016. On the Size of Pairing-Based Non-interactive Arguments. In EUROCRYPT 2016, Part II (LNCS, Vol. 9666), Marc Fischlin and Jean-Sébastien Coron (Eds.). Springer, Heidelberg, 305--326. https://doi.org/10.1007/978--3--662--49896--5_11
[16]
Ulrich Haböck. 2022. Multivariate lookups based on logarithmic derivatives. Cryptology ePrint Archive, Paper 2022/1530. https://eprint.iacr.org/2022/1530.
[17]
Christie Harkin. 2021. Mt. Gox Rehabilitation Plan Worth Billions in Compensation Approved, Finalization to Follow. CoinDesk.
[18]
Ethan Heilman, Lucie Mugnier, Athanasios Filippidis, Sharon Goldberg, Sebastien Lipman, Yuval Marcus, Mike Milano, Sidhartha Premkumar, and Chad Unrein. 2023. OpenPubkey: Augmenting OpenID Connect with User held Signing Keys. Cryptology ePrint Archive, Report 2023/296. https://eprint.iacr.org/2023/296.
[19]
K. Huang. 2022. Why Did FTX Collapse" Here"s What to Know. The New York Times. https://www.nytimes.com/2022/11/10/technology/ftx-binance-crypto-explained.html
[20]
iden3. 2023. rapidsnark. https://github.com/iden3/rapidsnark.
[21]
M. Jones. 2015. JSON Web Algorithms (JWA) Section 3. RFC 7518. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/rfc7518#section-3 Section 3.
[22]
Marcel Keller. 2020. MP-SPDZ: A Versatile Framework for Multi-Party Computation. In ACM CCS 2020, Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna (Eds.). ACM Press, 1575--1590. https://doi.org/10.1145/3372297.3417872
[23]
Ahmed Kosba, Charalampos Papamanthou, and Elaine Shi. 2018. xJsnark: A Framework for Efficient Verifiable Computation. In 2018 IEEE Symposium on Security and Privacy (SP). 944--961. https://doi.org/10.1109/SP.2018.00018
[24]
Hugo Krawczyk. 2000. Simple Forward-Secure Signatures From Any Signature Scheme. In ACM CCS 2000, Dimitris Gritzalis, Sushil Jajodia, and Pierangela Samarati (Eds.). ACM Press, 108--115. https://doi.org/10.1145/352600.352617
[25]
Leona Lassak, Elleen Pan, Blase Ur, and Maximilian Golla. 2024. Why Aren"t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. (2024).
[26]
Deepak Maram, Harjasleen Malvai, Fan Zhang, Nerla Jean-Louis, Alexander Frolov, Tyler Kell, Tyrone Lobban, Christine Moy, Ari Juels, and Andrew Miller. 2021. CanDID: Can-Do Decentralized Identity with Legacy Compatibility, Sybil-Resistance, and Accountability. In 2021 IEEE Symposium on Security and Privacy (SP). https://doi.org/10.1109/SP40001.2021.00038
[27]
Deepak Maram, Harjasleen Malvai, Fan Zhang, Nerla Jean-Louis, Alexander Frolov, Tyler Kell, Tyrone Lobban, Christine Moy, Ari Juels, and Andrew Miller. 2021. Candid: Can-do decentralized identity with legacy compatibility, sybil-resistance, and accountability. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1348--1366.
[28]
David Z. Morris. 2021. Gerald Cotten and Quadriga: Unraveling Crypto?s Biggest Mystery. https://www.coindesk.com/markets/2021/06/29/gerald-cotten-and-quadriga-unraveling-cryptos-biggest-mystery/ Accessed: Oct 27, 2023.
[29]
Alexander Nilsson, Pegah Nikbakht Bideh, and Joakim Brorsson. 2020. A survey of published attacks on Intel SGX. arXiv preprint arXiv:2006.13598 (2020).
[30]
Santiago Palladino. 2019. Sign in with Google to your Identity Contract. https://forum.openzeppelin.com/t/sign-in-with-google-to-your-identity-contract-for-fun-and-profit/1631
[31]
Sanghyeon Park, Jeong Hyuk Lee, Seunghwa Lee, Jung Hyun Chun, Hyeonmyeong Cho, MinGi Kim, Hyun Ki Cho, and Soo-Mook Moon. 2023. Beyond the Blockchain Address: Zero-Knowledge Address Abstraction. Cryptology ePrint Archive, Report 2023/191. https://eprint.iacr.org/2023/191.
[32]
Pete Rizzo. 2017. The Big News Behind the BTC-e Arrest and Mt Gox Connection. https://www.coindesk.com/markets/2017/07/26/the-big-news-behind-the-btc-e-arrest-and-mt-gox-connection/ Accessed: Oct 27, 2023.
[33]
Jeff John Roberts. 2024. Old Bitcoin wallets keep waking up: How many of the 1.8 million "lost" coins are really gone? https://fortune.com/crypto/2024/04/24/bitcoin-wallets-waking-up-lost-coins-satoshi/.
[34]
N. Sakimura, J. Bradley, M. Jones, B. de Medeiros, and C. Mortimore. 2014. OpenID Connect Core 1.0 incorporating errata set 1. OpenID Foundation. Accessed: Oct 27, 2023.
[35]
N. Sakimura, J. Bradley, M. Jones, B. de Medeiros, and C. Mortimore. 2014. OpenID Connect Core 1.0 incorporating errata set 1: Subject Identifier Types. OpenID Foundation. Accessed: Oct 27, 2023.
[36]
Apple Platform Security. 2024. iCloud encryption. https://support.apple.com/guide/security/icloud-encryption-sec3cac31735/web
[37]
Adi Shamir. 1984. Identity-Based Cryptosystems and Signature Schemes. In CRYPTO'84 (LNCS, Vol. 196), G. R. Blakley and David Chaum (Eds.). Springer, Heidelberg, 47--53.
[38]
Technology Review. 2023. Cryptography, AI, and the labeling problem: How C2PA aims to establish digital provenance. Technology Review (28 07 2023). https://www.technologyreview.com/2023/07/28/1076843/cryptography-ai-labeling-problem-c2pa-provenance/
[39]
URL. - a. Dauth. https://www.dauth.network/.
[40]
URL. - b. Face Wallet. https://facewallet.xyz/
[41]
URL. - c. Magic. https://magic.link.
[42]
URL. - d. Privy. https://docs.privy.io.
[43]
URL. - e. RISC Zero. https://github.com/risc0/risc0.
[44]
URL. - f. Web3Auth. https://web3auth.io.
[45]
URL. 2024. Aptos Keyless | Aptos Docs. https://aptos.dev/en/build/guides/aptos-keyless.
[46]
Muthuramakrishnan Venkitasubramaniam. 2023. Ligetron: Lightweight Scalable End-to-End Zero-Knowledge Proofs. Post-Quantum ZK-SNARKs on a Browser. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 86--86.
[47]
Yaman Yu, Tanusree Sharma, Sauvik Das, and Yang Wang. 2024. " Don't put all your eggs in one basket": How Cryptocurrency Users Choose and Secure Their Wallets. In Proceedings of the CHI Conference on Human Factors in Computing Systems. 1--17.
[48]
Fan Zhang, Deepak Maram, Harjasleen Malvai, Steven Goldfeder, and Ari Juels. 2020. Deco: Liberating web data using decentralized oracles for tls. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 1919--1938.

Cited By

View all
  • (2025)A Review on Secure Authentication Mechanisms for Mobile SecuritySensors10.3390/s2503070025:3(700)Online publication date: 24-Jan-2025

Index Terms

  1. zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
    December 2024
    5188 pages
    ISBN:9798400706363
    DOI:10.1145/3658644
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 09 December 2024

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. authentication
    2. blockchain
    3. privacy
    4. zero-knowledge

    Qualifiers

    • Research-article

    Conference

    CCS '24
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Upcoming Conference

    CCS '25

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)341
    • Downloads (Last 6 weeks)121
    Reflects downloads up to 28 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2025)A Review on Secure Authentication Mechanisms for Mobile SecuritySensors10.3390/s2503070025:3(700)Online publication date: 24-Jan-2025

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media