Deepak Maram

Interesting findings, appreciate your sharing these with our team ahead of the publication of this paper, and we are in agreement that web-based authentication ecosystems require security practices beyond what ZKPs alone can offer. 
 As the creators of zkLogin, and as our team shared during that conversation, we fundamentally disagree with a few points:  1. You argue that zkLogin’s security relies on several environmental assumptions that are not enforced at the protocol level. On Sui, there is an explicit allowlist of providers, rendering this scenario impossible. You can see for yourself on the Mysten Labs github: #L775" target="_blank" rel="nofollow noopener">github.com/MystenLabs/sui…. The issuer checks are not prover-local as you seem to have assumed. 2. You suggest that impersonating real users is possible. A malicious AWS Cognito issuer cannot produce JWTs with a different issuer string than the one they have been assigned. Therefore, impersonating real users on Sui is impossible even with an attacker-controlled issuer, and zkLogin remains secure. 3. You argue for enforcing strong, specification-compliant JWT parsing and that validation be enforced at the RP side. Presumably, your idea is to protect against a malicious OP (issuer). Since OPs are trusted in our setting, it is not clear what this protection is for. We did find these areas of the paper helpful and wanted to share how we’re using your findings:
 1. You note that zkLogin does “ad-hoc selective parsing,” a finding echoed by the original zkLogin paper itself as you note. Thank you for highlighting more such patterns. However, this class of attacks remain out of scope since zkLogin assumes a trusted standard-compliant issuer. 2. You suggest that proving and salt services adopt strict verification rules such as canonical JSON enforcement. Thank you for suggesting that, we plan to adopt it into our service. However, as noted before, our system was designed assuming a standard-compliant issuer. Working in zk, a constantly evolving design space, necessitates close collaboration across researchers in the community, and even if we disagree on findings, I welcome further discussion and will continue to follow the work of this paper’s authors.

Town Crier and DECO (the first zk-TLS protocol) were developed by @0xFanZhang and @mskd96 along with @sgoldfed, @EthanCecchetti and Kyle Croman in my group at Cornell Tech, in collaboration with Harjasleen Malvai and @ElaineRShi.

And that's a wrap on SBC 2025! From foundational research to forward-looking policy, SBC brought clarity and energy to some of the most important conversations in crypto and blockchain. Special thanks to our speakers - Andrés Fábrega, @mskd96, James Austgen, and keynote speaker @HesterPeirce - for advancing the dialogue and helping chart what’s next.

@_mahimna @PurdueCS @Tim_Roughgarden Congrats!!!

📣Excited to announce that I will start as an Assistant Professor @PurdueCS in Fall 2026! I plan to recruit multiple PhD students for a broad range of cryptography and blockchain topics. More details soon. For the next year, I'll be a postdoc at Columbia with @Tim_Roughgarden.

Next up: @mskd96, researcher at @Mysten_Labs, presented Walrus: A decentralized storage and data availability (DA) protocol that uses @SuiNetwork blockchain as a coordination layer. According to @mskd96, the protocol has higher availability & security guarantees vs. centralized storage systems. It ensures the following: 1. Fault tolerance 2. Low replication overhead 3. Low recovery overhead Walrus employs erasure coding to divide data into slivers, distributing them across decentralized nodes. This design ensures that any subset of slivers, with some redundancy, can reconstruct the original file, even if two-thirds of the nodes go down.

Listen to learn more about all the cool things we are building at Mysten covering zkLogin, Walrus and Seal!

Privacy. Storage. Identity. Sui’s Suite, Unpacked The latest SNARK CHOCOLATE is out! 🍫 We sat down with Deepak Maram (@mskd96) from @Mysten_Labs to dive into @SuiNetwork's cryptography-driven roadmap and products: 🔹 ZKLogin, a privacy-preserving login system using OpenID and ZKPs, now powering millions of transactions 🔹 How Sui integrates ZK features at the protocol level for UX, scalability, and performance 🔹 Walrus (@WalrusProtocol) and Seal, new infrastructure for decentralized storage and programmable secret management 🔹 ZK light clients & scalable off-chain state verification 🔹 How Sui’s research team brings applied cryptography to real-world products 🎧 Listen now: 🔽 Spotify (next post) ⏬ Apple Podcasts (following post)

@madhavanmalolan Congrats Madhavan!

We'll look back at this day and laugh that we even celebrated 1m verifications - because, we're going to have verifications counted in billions soon. Incredibly proud of what the team has achieved. Extremely thankful to YOU for pushing us, encouraging us, building the cool things! Onwards!

1/ @SoundnessLabs is bringing SP1 to @SuiNetwork, growing ZK adoption in an ecosystem with millions of users. Sui developers can now experience the power of Succinct’s market-leading zkVM and create performant ZK apps at low cost.

ZK in @SuiNetwork We had an interview with @mskd96 from @Mysten_Labs Here's a TL;DR 👇 Spoiler: You may want to read the whole thing.

Interaction significantly improves security over commonly used (non-interactive) mechanisms like multisig or threshold wallets! Please check out our blog (initc3org.medium.com/improving-digi…) for more details.

We find priority, majority mechanisms and prove that they are "maximally secure". The key insight is the use of "interaction": the mechanism sends alert notifications (email / SMS) and waits for some time before any sensitive action. This extra time allows the user to abort!

Can we find the "most secure authentication mechanism"? Answering this question can help in many contexts, e.g., improving security of a crypto wallet or a bank a/c. In a recent work published at CCS'24, we find mechanisms that are provably the most secure!

Sui’s cryptography and security team dinner, they ordered Groth 🍷, not surprised… some cool innovations on top of Groth16 zero knowledge proofs are about to be published. Tagging @JensGroth16 for cheers🥂

@kobigurk @BainCapCrypto Congrats!

🥳 Excited to share with you all I’m joining @BainCapCrypto as Partner and Head of Research! 🥳 There, I will continue the journey of helping transform deep tech, especially around applied cryptography and decentralized protocols, into meaningful products 1/6

Finally!!!

These new features complement the Chainlink Platform’s existing privacy-preserving capabilities, including DECO—a novel ZK-oracle technology for authenticating web data in a privacy-preserving manner. DECO uses zero-knowledge proofs (ZKPs) and existing web infrastructure to enable financial institutions, enterprises, and Web3 developers to verify sensitive information without exposing the underlying data. In the very near future, we plan to make the DECO Sandbox publicly accessible, offering pre-configured use cases that showcase DECO's privacy-preserving capabilities including verifications around identity, proof of funds, and sanctions screenings, while maintaining the privacy of sensitive data. DECO 🤝 Data Verification

ICYMI Deepak also presented this research at SBC'24, watch the full presentation here: youtube.com/watch?v=zwZUvG…

IC3 alum Deepak Maram @mskd96, previously supervised by Prof. @AriJuels, was recently featured in a @BlockchainNewsM article on zkLogin. The IC3 research that was later developed by @Mysten_Labs offers a user-friendly approach to cryptocurrency wallets.

@ittayeyal @_mahimna Links: - Auth: eprint.iacr.org/2022/1682 (stay tuned for a blog!) - zkLogin: arxiv.org/pdf/2401.11735, sui.io/zklogin

Excited to present two works I'm very proud of at CCS next week! 1. Interactive Auth (Tue 11:45 PM) w/ @ittayeyal, @_mahimna 2. zkLogin (Thu 9 AM) w/ many fellow Mysties Some years you don't get any acceptances to the top confs, and then some, you get a double bonanza! 🎉