Cryptography

# How zkLogin Made Cryptography Faster and More Secure

Feb 15, 2024

Mysten Labs

2 min read

zkLogin not only represents a revolutionary leap in bringing more users to Web3 apps; its development also resulted in safer and faster zero-knowledge (ZK) APIs. Developing zkLogin, Sui's OAuth credentialing primitive, was no small feat. Apart from the challenging design of the system, it required making several contributions to external ZK proof and cryptography libraries. Some of these contributions identified and fixed bugs in popular software, while others offered speed optimizations and added useful new features that should benefit other developers. Below we outline all the contributions made by Mysten Labs’ cryptography team.

## Speed improvements for BLS

Arkworks has an implementation of Groth16 zkSNARKs which is curve agnostic, meaning that it works for all the elliptic curve constructions supported by Arkworks (BN254, BLS12-381, BLS12-377, etc.). For the specific case of BLS12-381 we optimized this implementation by using the elliptic curve arithmetic from Supranational’s BLST crate, a highly optimized implementation of the BLS12-381 elliptic curve construction, instead of Arkworks’ own. Combining the two libraries requires some conversions between their data formats, but results in an implementation about two times faster than the original Arkworks Groth16 implementation.

## Bug fixes in kobi/phase2-bn254 and compatibility with snarkjs

To provide software diversity for the Groth16 trusted setup, we let ceremony participants contribute via either snarkjs or Kobi's Rust implementation. We fixed bugs in Kobi’s implementation so that the community’s perpetual powers of tau can be reused and reduced to a smaller size, in particular 2 to the power of 20 for our circuit size. We also modified both of these libraries so that the generated contribution files are compatible with each other. Our changes can be found in Mysten Labs’ forks of these repos (snarkjs-fork, kobi’s fork).

## Poseidon for any curve

The Neptune library by Lurk Lab contains a fast implementation of the zk-friendly Poseidon hash function. Neptune was implemented and optimized for the BLS12-381 curve construction, but can in principle support other curves. It is faster than straightforward implementations, such as poseidon-ark, because it uses optimized implementations of Poseidon in which the number of multiplications in each round is reduced.

When trying to use Neptune for another curve, namely the BN254 curve construction, we noticed that the implementation expected the MDS matrices used to compute the Poseidon hash to be symmetric, and gave unexpected results when this was not the case. We submitted a fix for this bug to the Neptune repository, which was included in version 13.0.0 of Neptune.
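To show how a symmetry assumption of this kind surfaces, here is an added Rust example, not Neptune's code: a toy prime field, a Cauchy MDS matrix of the kind Poseidon instantiations use, a reference linear layer, and a hypothetical column-wise variant that silently computes with the transposed matrix. The field size, the matrix parameters and the bug mechanism are constructed assumptions for illustration only.

```rust
// Constructed illustration of a symmetric-MDS assumption in a Poseidon-style
// linear layer. Not Neptune's code; field and matrix are kept small on purpose.
const P: u64 = 2_147_483_647; // 2^31 - 1, a Mersenne prime (constructed choice)

fn add(a: u64, b: u64) -> u64 { (a + b) % P }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % (P as u128)) as u64 }
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = mul(r, b); } b = mul(b, b); e >>= 1; }
    r
}
fn inv(a: u64) -> u64 { pow(a, P - 2) } // Fermat inverse; requires a != 0

/// Cauchy matrix M[i][j] = 1 / (x_i + y_j). For distinct x_i, distinct y_j and
/// x_i + y_j != 0 it is MDS, but in general it is NOT symmetric.
fn cauchy_mds(xs: &[u64], ys: &[u64]) -> Vec<Vec<u64>> {
    xs.iter()
        .map(|&x| ys.iter().map(|&y| inv(add(x, y))).collect::<Vec<u64>>())
        .collect()
}

/// Reference linear layer: out_i = sum_j M[i][j] * s_j.
fn linear_layer(m: &[Vec<u64>], s: &[u64]) -> Vec<u64> {
    m.iter()
        .map(|row| row.iter().zip(s).fold(0, |acc, (&a, &b)| add(acc, mul(a, b))))
        .collect()
}

/// Hypothetical "optimized" layer that accumulates column by column but indexes
/// the matrix as m[j][i], i.e. it applies M^T. Correct only when M is symmetric.
fn linear_layer_columnwise(m: &[Vec<u64>], s: &[u64]) -> Vec<u64> {
    let t = s.len();
    let mut out = vec![0u64; t];
    for (j, &sj) in s.iter().enumerate() {
        for i in 0..t {
            out[i] = add(out[i], mul(m[j][i], sj)); // illustrative bug: m[j][i]
        }
    }
    out
}

fn is_symmetric(m: &[Vec<u64>]) -> bool {
    (0..m.len()).all(|i| (0..m.len()).all(|j| m[i][j] == m[j][i]))
}

/// Regression check for a port to a new curve: the optimized layer must match
/// the reference on a non-symmetric MDS matrix, not only on a symmetric one.
fn layers_agree(m: &[Vec<u64>], s: &[u64]) -> bool {
    linear_layer(m, s) == linear_layer_columnwise(m, s)
}
```

Running `layers_agree` on a matrix built with distinct x and y sequences is what exposes the assumption; a matrix with x = y is symmetric and hides it.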

## Upgrading ark-circom (now renamed circom-compat)

Arkworks and Circom are the two main ecosystems in the realm of ZK development. For example, Sui’s Groth16 verification builds on arkworks, while circom is very popular among ZK developers. We wanted to give ZK developers using circom an easy way to build on Sui. Thankfully, most of the work had already been done by the authors of the open-source ark-circom library. We contributed to this library by ensuring compatibility with the latest arkworks 0.4.0, adding enhancements to the circom and witness modules, fixing buffer type issues, and making various cosmetic improvements.
