zkLogin

You can decode the JWT at , which will display the following structure:

where $\mathsf{sk_{OIDC}}$ is the secret key of the OIDC Provider, $\mathsf{claim} = \{\mathsf{iss, sub, aud, iat, exp, nonce, \dots}\}$ represents the claims included in the $\mathsf{jwt}$, and $\mathsf{jwt}$ is the signed token that contains both $\mathsf{claim}$ and the signature $\sigma_{\mathsf{OIDC}}$.

On the client side, the generated $\mathsf{jwt}$ can be verified as follows:

For further details on why OIDC was chosen over alternatives such as Passkey, MPC, and HSM, interested readers can refer to .

We explore various approaches to achieve this goal. The following explanation is inspired by , as it provides a clear and intuitive understanding.

Refer to of the for the reason why aud is included.

However, this approach has a drawback: the validator can infer the relationship between sub and $\mathsf{addr}$, potentially exposing user identity information.

Here, we use the notation from .

However, this approach still has a flaw: the OIDC Provider can infer the relationship between sub and $\mathsf{addr}$, which could compromise user privacy.

To further improve privacy, we introduce a $\mathsf{salt}$ when deriving the user’s on-chain address:

With this modification, unless the OIDC Provider knows the $\mathsf{salt}$, it cannot link the user's sub to their on-chain activity. The only requirement is ensuring that the user does not lose their $\mathsf{salt}$. However, since our goal is for users to remember nothing, we need a mechanism that allows only the user to generate their $\mathsf{salt}$ securely. (This document does not cover how to achieve this—refer to or of the for details.)

Now, we introduce an ephemeral key pair $(\mathsf{esk}, \mathsf{epk})$. The transaction is signed using this ephemeral key pair, allowing users to regenerate their key pair via Google login or another OIDC provider if they ever lose it. This ensures that users do not need to remember anything.

Additionally, by sending the proof that includes the new ephemeral public key $\mathsf{epk}$, the user updates their ephemeral key on-chain, ensuring the system recognizes the new key for future transactions.

Next, we embed $\mathsf{epk}$ into the nonce and modify the ZK circuit accordingly:

Key Generation: The user generates an ephemeral key pair $(\mathsf{esk}, \mathsf{epk})$.

Proof Creation: The user constructs a ZK proof $\pi$ proving ownership of their identity.

Tx Submission: The user signs a transaction $\mathsf{tx}$ and signature using $\mathsf{esk}$, producing $\sigma_{\mathsf{tx}}$.

Submission & Key Update: The user submits $(\pi, \mathsf{epk}, \mathsf{tx}, \sigma_{\mathsf{tx}})$, to the validator. Upon verification, the validator may update the user's ephemeral public key ($\mathsf{epk}$) on-chain.

Subsequent Transactions: Until the ephemeral key expires, the user only needs to submit a new transaction $\mathsf{tx}'$ and its signature $\sigma_{\mathsf{tx'}}$ to the validator, without regenerating a new proof.

However, one issue remains: the OIDC Provider can still infer which transactions were signed by a given sub through the $\mathsf{epk}$.

A simple solution, such as hashing $\mathsf{epk}$ before embedding it into nonce, is insufficient because $\mathsf{epk}$ is public. An adversary could still brute-force the mapping between $\mathsf{epk}$ and sub.

To prevent this, we introduce randomness $\mathsf{r}$ and modify the nonce by hashing both $\mathsf{epk}$ and $\mathsf{r}$:

Since $\mathsf{pk_{OIDC}}$ (OIDC Provider's public key) changes periodically, we add iss to the public input. The validator must then verify that $\mathsf{pk_{OIDC}}$ indeed corresponds to the public key of iss.

The following figure, extracted from the , provides an overview of the entire login process:

As mentioned in of the paper, unfortunately, according to the , the nonce field is not mandatory.

To answer this, let's recall the role of nonce. It was used to bind $\mathsf{epk, exp}$ to the JWT. Thus, by modifying the circuit derived in Method 7, we can adapt zkLogin as follows:

Why Is $\mathsf{r}$ No Longer Needed?

Previously, we introduced randomness $\mathsf{r}$ to prevent the link between sub and $\mathsf{epk}$ through nonce. However, in this case, since nonce does not exist, there is no longer a need for $\mathsf{r}$.

In previous methods, even if an attacker obtained a valid $\mathsf{jwt}$, they could not forge a transaction signature.

However, in this case, since we do not commit $\mathsf{epk}$ via nonce an attacker who obtains a valid $\mathsf{jwt}$ could use it to generate a different ephemeral key pair $(\mathsf{esk}, \mathsf{epk})$ and sign arbitrary transactions.

This introduces a new security vulnerability, which must be addressed before deploying this approach. This could be mitigated to an extent through client-side proof generation, but still poses the same risk if the client themselves leak their valid own $\mathsf{jwt}$. Thus, since there is no current true solution to this vulnerability, transaction signatures with nonce-less JWT are not in use commercially today.

Thus, $\mathsf{JWT.Verify}$ must be implemented as follows:

However, since $\mathsf{jwt} = \mathsf{Base64.Encode(claim)}$, accessing a specific value like $\mathsf{jwt.x}$ actually requires $\mathsf{Base64.Decode(jwt).x}$.

As a result, the ZK circuit must represent RSA signatures, SHA-2 hashing, and Base64 decoding—all of which are not ZK-friendly. This was implemented using , and it introduces the following computational overhead (Reference: ):

RSA signature verification – 15% (Utilizes a trick from )

Currently, the Sui zkLogin codebase is private. However, the implementation of Aptos Keyless Wallet is publicly available at 🔗 .

The function $\mathsf{SelectivePayloadParsing}(S, i, \ell, j) \rightarrow (k, v)$ operates as follows. Assume $S$ represents the above JSON structure. For simplicity, whitespace handling and boolean values are omitted from the explanation.

Extract the substring $S' := S[i: i +\ell]$.

Example: If $i = 1$ and $\ell = 12$, then $S'$ becomes "sub":"123",.

Ensure $S'$ ends with either , or }:

Verify that $S'[j]$ is ::

Using column index $j$, extract:

Key: $k := S'[0:j]$

Value: $v:=S'[j + 1:-1]$

Ensure both $k$ and $v$ start and end with ":

For a string $S$ of length $n$, where $0 \le t < n$, the value $S[t]$ can be computed as follows:

For $0 \le t < n$, the indexing operator $O_t$ is defined as:

For example, to check whether $S'$ ends with ,, we transform it into:

Similarly, extracting $S[i: i + \ell]$ follows:

Checking whether $k$ starts with " can be rewritten as:

Since computing $S[t]$ requires $n$ multiplications, extracting $S[i:i+m]$ requires $n \times m$ constraints. However, we can significantly reduce constraints by leveraging field packing:

Even after adding boundary checks and unpacking logic, the constraint count drops from $n \times m$ to $18m + \frac{n \times m}{32}$, resulting in a major efficiency gain. (The paper doesn't explain how.)

In addition to verifying transaction signatures using , as commonly used in Sui and Aptos, validators must now also verify ZK proofs.

Although a proof is generated only once, it is verified multiple times by validators. Given that ZK verification must not be significantly slower than traditional EdDSA signature verification, was chosen as the proving scheme. Groth16 requires only three pairing operations for verification, making it computationally efficient. (There are additional computations using public inputs, but these are omitted for simplicity.)

One advantage of Groth16 is that it allows . However, if at least one proof is invalid, all $n$ proofs must be re-verified individually, leading to a worst-case scenario that could be exploited as a DDoS attack vector.

"This drastically reduces the time between when a user logs in with their keyless account to when that user is able to transact, from ~25 seconds to 3 seconds. In turn, this greatly improves the user experience of keyless accounts." —

According to AIP-75, generating a proof using on the client side takes approximately 25 seconds, which is unacceptable from a UX perspective. To address this, both Sui and Aptos have adopted a prover service to generate proofs on the server side.

Privacy Issue: The prover service gains access to $w: \{\mathsf{jwt, salt, r}\}$, meaning it can infer the relationship between sub and $\mathsf{addr}$ (similar to the issue in Method 1). Fortunately, the prover does not know $\mathsf{esk}$, preventing transaction signature forgery.

The image below, taken from the , shows that Sui has a server-side proof generation time of around 3 seconds, which is similar to Aptos's proof generation time mentioned above:

Written by from