Formula: SHA-256("gmail:{email}:{sub}:verified:true") produces a 32-byte hash. We take the first 31 bytes (248 bits) and interpret them as a big-endian integer. This guarantees the value is less than the BN254 field prime (~2²⁵⁴), avoiding silent modular reduction.

This hash is deterministic — the same Google account always produces the same identity hash. But it’s one-way — you can’t recover the email from the hash.

The server generates a Poseidon hash binding your identity to a timestamp and random nonce: Poseidon(identityHash, timestamp, nonce).

Why Poseidon? SHA-256 costs ~25,000 constraints inside a ZK circuit. Poseidon costs ~250 — a 100x reduction. It’s an algebraic hash designed specifically for finite field arithmetic.

Trust model: The server attests “I verified this identity at this time.” The attestation includes a serverPubCommitment = Poseidon(serverSecret, 1), which is verified on-chain. A different server = different commitment = proof fails.

Read the full explanation →

Your browser generates a Groth16 proof using the identity attestation circuit (2,295 constraints on BN254). The proof is 3 elliptic curve points (A, B, C) = 256 bytes.

Private inputs (never leave your device): identityHash, blinding, nullifierSecret, attestation data, serverPubCommitment.

Public outputs (go on-chain):
• commitment = Poseidon(identity, blinding) — hides your identity
• nullifierHash = Poseidon(identity, nullifierSecret) — prevents replay

The circuit is identity-agnostic — same WASM, zkey, and verification key for both Google and passkey providers.

See the full circuit code →

Off-chain: snarkjs.groth16.verify() runs the BN254 pairing check entirely in your browser. This is real cryptographic verification — the same math the contract uses.

On-chain: The proof is encoded to Soroban bytes and submitted as a transaction. The identity-auth contract calls groth16-verifier for the BN254 pairing check, then stores the nullifier to prevent replay.

The verification equation: e(A, B) = e(α, β) · e(Σ vk_k · x_k, γ) · e(C, δ)

See the contract code →

Your ZK-proven identity now controls a Stellar account. The keypair is generated in your browser and stored in localStorage, linked to your identity hash. Same Google account or passkey = same wallet on return.

Self-custody: The secret key never leaves your browser. Transactions are signed client-side using the Stellar SDK. In production, an encrypted backup (keyed by identity) would enable cross-device recovery.

No seed phrase: Your Google account or passkey IS your recovery mechanism. Authenticate again → same identity hash → same wallet.