Bye Bye Private Key

In order for Ethereum to scale beyond its niche base, there must be an improvement to private key architecture. Protecting and managing private keys has too many pitfalls. Unfortunately, there are not many alternatives for the cryptographic security provided by private keys.

However, account abstraction has opened opportunities to explore some of these alternatives. Account abstraction separates the act of signing from the activity that happens on the network. Ethereum has rules about what happens when a transaction is signed and sent. Account abstraction lets developers write their own rules.

The Ethereum community's current efforts with account abstraction involve ERC-4337. zkSync has followed this roadmap, but rather than putting the logic into a contract standard, it has made much of ERC-4337 part of its native protocol. This means that zkSync's structure and use is slightly different that its counterpart on the Ethereum mainnet. However, if one understands ERC-4337, it won't be difficult to learn how to use zkSync's account abstraction.

This project uses Webauthn to create a key pair, where the key used for signing is stored on a user's device. The public key is stored on-chain in a contract and is used for validation. A fingerprint or a passcode is all it takes to generate a signature that can be checked against the public key.

We took these concepts and explored some possibilities:

1. Integrating Webauthn signatures into Ethereum by means of zkSync's account abstraction. This means that an Ethereum private key is not needed to sign transactions used on the Ethereum network.

2. Creating EOA-like accounts on zkSync that are tied to a user's device instead of a private key.

3. Transferring ownership of an EOA-like account from one device to another.

4. Transactions that are protected not only by the signature of a device but also by geolocation data determined by the device owner.

We used Webauthn and zkSync for the signatures and contracts. React and chakra-ui were used for the frontend.

zkSync's account abstraction made this project possible. Signature validations that do not involve private keys but complicated cryptographic computations are very gas expensive, so this project would be impossible on L1.

We found some contracts to handle the signatures on the secp256r1 curve used by Webauthn. But it was tricky to get the data from Webauthn into the contract function call.

The documentation and tutorials for zkSync's account abstraction made the learning curve fairly easy and freed up time to explore features that are not possible on mainnet.