Closing of CRS Ceremony Kickstarts the Launch of zkLogin

Last week, the Sui Foundation successfully hosted the zkLogin ceremony, an important step towards the release of Sui’s new authentication primitive on Mainnet. zkLogin allows users to generate a wallet address from their Web2 credentials, such as Google or Twitch, using OAuth. To preserve the privacy of the OAuth artifacts, a zero-knowledge proof of possession is provided to verify that in fact the user has been authorized without revealing the artifact itself.

zkLogin employs the Groth16 zkSNARK construction to instantiate the zero-knowledge proofs, and in order to achieve greater efficiencies, Groth16 needs a computation-specific Common Reference String (CRS) setup by a trusted party. As zkLogin is expected to ensure the safe-keeping of high value transactions and the integrity of critical smart contracts, the security of the system can’t rely on the honesty of a single entity. Instead, to generate the CRS for the zkLogin circuit, Sui must run a protocol which bases its security on the assumed honesty of a small fraction of a large number of parties. The zkLogin ceremony was the process by which these parties created the necessary CRS.

What was the ceremony?

The Sui zkLogin ceremony was essentially a cryptographic multi-party computation (MPC) performed by a diverse group of participants to generate this CRS and follows the MPC protocol MMORPG described by Bowe, Gabizon and Miers. The protocol roughly proceeds in 2 phases. The first phase results in a series of powers of a secret quantity τ in the exponent of an elliptic curve element g, that is, of the form g, g^τ, g^τ2,...,g^τn. Since this phase is circuit-agnostic, we adopted the result of the existing community contributed perpetual powers of tau. Our ceremony was the second phase, which is specific to the zkLogin circuit.

The MMORPG protocol allows an indefinite number of parties to participate in sequence, without the need of any prior synchronization or ordering. Each party needs to download the output of the previous party, generate randomness of its own, and then layer it on top of the received result, producing its own contribution, which is then relayed to the next party. The protocol guarantees security, if at least one of the participants follows the protocol faithfully, generates strong randomness and discards it reliably.

How was the ceremony performed?

Invitations were sent to 100+ people with diverse backgrounds and affiliations: Sui validators, cryptographers, Web3 experts, world-renowned academics, and business leaders. The ceremony was planned for September 12-15 (later extended to September 18). Participants could join when they wanted with no fixed slots or appointments.

Since the MPC is sequential, each contributor had to wait until the previous contributor finished in order to receive the previous contribution, follow the MPC steps, and produce their own contribution. Due to this structure, participants waited in a queue while those who joined before them finished. To authenticate participants, each participant received a unique activation code. The activation code was the secret key of a signing key pair, which had a dual purpose: it allowed the coordination server to associate the participant’s email with the contribution, and it verified the contribution with the corresponding public key.

Participants had two ways to contribute: through a browser or a docker. The browser option was the more user-friendly as all parts of the process happened in the browser. The Docker option required Docker setup but was more transparent—the Dockerfile and contributor source code are open-sourced and the whole process is verifiable. The browser option utilized snarkjs while the Docker option utilized Kobi’s implementation. This provided software variety so that contributors could choose whichever method they trust most. In addition, participants could generate entropy via entering random text or making random cursor movements.

The zkLogin circuit and the ceremony client code were made open source and the links were made available to the participants to review before the ceremony, if they chose to do so. In addition, developer docs and an audit report on the circuit from zkSecurity were posted for review. Challenge #0081 was adopted (resulting from 80 community contributions) from perpetual powers of tau in phase 1, which is circuit agnostic. The output of the Drand random beacon at epoch #3298000 was applied to remove bias. For phase 2, the ceremony had 111 contributions, 82 from the browser and 29 from Docker. Finally, the output of the Drand random beacon at epoch #3320606 was applied to remove bias from contributions. All intermediate files can be reproduced following instructions here for phase 1 and here for phase 2.

What’s next?

The final CRS along with the transcript of every participant’s contribution is available in a public repository. Contributors received both the hash of the previous contribution they were working on and the resulting hash after their contribution, displayed on-screen and sent via email. They can compare these hashes with the transcripts publicly available on the ceremony site. In addition, anyone is able to check that the hashes are computed correctly and each contribution is properly incorporated in the finalized parameters.

Participants were requested to choose if they want their name and affiliation to be published. For anonymous participants, the Sui Foundation will know the participant’s email, but there won't be any public disclosure. Participants who consented to have their names published, are listed on Github.

Developers can test out zkLogin equipped with the ceremony CRS using Sui’s docs.

Thank you!

The ceremony was an auspicious start to the launch of zkLogin. While it wasn’t without ups and downs, particularly the early rush that resulted in long wait times, the lessons learned will help significantly for future ceremonies.

The Sui community is grateful beyond words to those who waited hours, made multiple attempts, and contributed precious time to leave their mark on the application. It is particularly exciting to see many participants share their experience via blogs and tweets!

Thanks to everyone who made this ceremony a success. Now, let’s build!