zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials

Abstract: For many users, a private key based wallet serves as the primary entry point to blockchains. Commonly recommended wallet authentication methods, such as mnemonics or hardware wallets, can be cumbersome. This difficulty in user onboarding has significantly hindered the adoption of blockchain-based applications. We develop zkLogin, a novel technique that leverages identity tokens issued by popular platforms (any OpenID Connect enabled platform e.g., Google, Facebook, etc.) to authenticate transactions. At the heart of zkLogin lies a signature scheme allowing the signer to sign using their existing OpenID accounts and nothing else. This improves the user experience significantly as users do not need to remember a new secret and can reuse their existing accounts. zkLogin provides strong security and privacy guarantees. Unlike prior works, zkLogin's security relies solely on the underlying platform's authentication mechanism without the need for any additional trusted parties (e.g., trusted hardware or oracles). As the name suggests, zkLogin leverages zero-knowledge proofs (ZKP) to ensure that the sensitive link between a user's off-chain and on-chain identities is hidden, even from the platform itself. zkLogin enables a number of important applications outside blockchains. It allows billions of users to produce \textit{verifiable digital content leveraging their existing digital identities}, e.g., email address. For example, a journalist can use zkLogin to sign a news article with their email address, allowing verification of the article's authorship by any party. We have implemented and deployed zkLogin on the Sui blockchain as an additional alternative to traditional digital signature-based addresses.

• The paper presents zkLogin, a method that integrates existing OpenID credentials with zero-knowledge proofs for secure blockchain authentication.
• It introduces a novel signature mechanism that eliminates the need for traditional private key management and minimizes the reliance on trusted third parties.
• Deployment on the Sui blockchain demonstrates its scalability, with hundreds of thousands of accounts across various sectors including DeFi and gaming.

Privacy-Preserving Blockchain Authentication with zkLogin: An Overview

zkLogin offers an innovative approach to blockchain authentication by leveraging existing credentials from widely-used platforms enabled by OpenID Connect (OIDC). Rather than introducing new mechanisms or trusted parties for blockchain authentication, zkLogin establishes a user-friendly gateway that critiques cumbersome access through private key-based wallets. Built upon zero-knowledge proofs (ZKPs), zkLogin ensures that transaction authentication remains both secure and private.

The essence of zkLogin lies in its ability to utilize identity tokens—specifically JSON Web Tokens (JWTs)—to authorize blockchain transactions. The paper elaborates on the method by which zkLogin achieves secure and private blockchain authentication without additional trust frameworks like oracles or trusted hardware. By coupling JWTs with ZKP technology, zkLogin maintains a shrouded link between off-chain and on-chain identities.

Key Contributions and Features

1. User Experience Enhancement: zkLogin facilitates user entry into blockchains without requiring mnemonic phrases or physical wallets. It capitalizes on existing digital identities, allowing users to sign transactions via their established OpenID accounts.
2. Privacy and Security: The system provides strong privacy guarantees by hiding the bridge between users' off-chain and on-chain identities even from the underlying platforms. zkLogin innovatively uses zero-knowledge proofs to ensure this privacy, whereas traditional methods often necessitate extraneous trust parties which zkLogin circumvents.
3. Novel Signature Mechanism: By focusing on a mechanism akin to identity-based signatures, zkLogin extends potential applications beyond blockchains to areas like digital content verification. Authors can sign their creations—such as articles—with their digital identity (e.g., email), ensuring authenticity without relying on conventional PKI systems.
4. Deployment and Adoption: Implemented on the Sui blockchain, zkLogin has demonstrated feasibility with hundreds of thousands of generated accounts across various sectors such as DeFi, gaming, and cultural heritage, indicating substantial early adoption.

Technical Assertions and Optimizations

The approach pivots around generating ephemeral key pairs and embedding public keys into JWT nonces, allowing transactions to be signed without exposing sensitive information. This provides resilience against common pitfalls such as frontrunning attacks prevalent in prior suggestions like those proposed by OpenZeppelin.

To alleviate resource constraints, zkLogin offloads proof generation to external servers—a move contrasted with traditional settings requiring proofs generated in user environments—thus maintaining efficiency and scalability. The optimization of computational components, notably the zero-knowledge proof circuit, marks a crucial advancement. The system employs Groth16 for ZKP instantiation, judiciously managing computational overheads by exploiting structure in JSON token formatting.

Implications and Future Directions

Theoretically, zkLogin exemplifies a leap toward naturally blending identity mechanics into blockchain ecosystems, unlocking use cases with enhanced privacy controls while safeguarding assets without dependency on traditional custodianship. By proving the concept with actual deployments, the paper situates zkLogin as a key player in reimagining digital interactions, asserting that it can cater to both content provenance and cross-platform digital identity needs.

Going forward, researchers and practitioners alike might explore more generalized applications under zkLogin's umbrella, such as adapting mechanisms for platforms not adhering strictly to OIDC specifications or integrating with universal zkSNARKs like Plonk for broader applicability. Additionally, the system's inherent exploitability of existing digital identity frameworks suggests potential intersections with upcoming technological horizons, such as those in decentralized finance or secure digital governance systems.

In conclusion, zkLogin presents a strategically poised convergence of zero-knowledge arguments and ubiquitously trusted identity systems, establishing a paradigm where blockchain access aligns seamlessly with existing user habits and expectations while safeguarding privacy and security.