Sui blockchain is redefining how developers and users interact with decentralized systems by combining cutting-edge cryptography with intuitive access mechanisms. At the heart of this innovation are two powerful features: MultiSig transactions and zkLogin—both designed to enhance security, usability, and trustless identity verification in Web3 applications.
This comprehensive guide dives deep into the architecture, implementation, and real-world applications of these technologies, helping developers and enthusiasts understand how Sui is lowering barriers to blockchain adoption while maintaining robust security standards.
Understanding zkLogin: Decentralized Identity with Privacy
zkLogin is a groundbreaking identity solution on the Sui blockchain that leverages zero-knowledge proofs (ZKPs) to enable secure, privacy-preserving user authentication. It allows users to log in to decentralized applications (dApps) using existing Web2 identities—such as Google, Apple, or Facebook accounts—without exposing sensitive personal data on-chain.
How zkLogin Works
The process integrates JWT (JSON Web Token) standards with advanced cryptographic techniques:
- User Authentication: The user logs in via a supported identity provider (e.g., Google), which issues a JWT.
- Token Verification: Sui nodes verify the JWT’s digital signature to confirm its authenticity.
- Zero-Knowledge Proof Generation: A ZKP is created to prove specific claims (like ownership of an email) without revealing the full identity.
- Address Derivation: Using the JWT payload and a user-provided salt value, a unique Sui address is generated deterministically.
This ensures that no personally identifiable information (PII) ever touches the blockchain, preserving user anonymity while enabling seamless access.
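The checks a dApp backend would run on the provider's JWT before handing it to the zkLogin prover, as an added example that is not from the Sui SDK or this article; it assumes a hypothetical `checkZkLoginJwt` helper, constructed unsigned tokens, and a nonce the client derived from its ephemeral key and maxEpoch. It does not verify the provider's signature, which zkLogin proves inside the ZK proof and Sui checks.

```javascript
// Added example (not from the Sui SDK or the article): claim checks a dApp backend
// runs on an OIDC JWT before sending it to a zkLogin prover. It does not verify the
// provider's signature; that is proven inside the ZK proof and checked by Sui.
// All tokens below are constructed and unsigned.

const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed JWT with a placeholder signature segment (for the demo only)
function makeJwt(payload) {
  return `${toB64url({ alg: 'RS256', typ: 'JWT' })}.${toB64url(payload)}.PLACEHOLDER_SIG`;
}

// Returns the problems found; an empty list means the token can go to the prover.
function checkZkLoginJwt(jwt, { allowedIssuers, expectedAud, expectedNonce, nowSec }) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return ['malformed token'];
  let payload;
  try { payload = fromB64url(parts[1]); } catch { return ['payload is not valid JSON']; }
  const problems = [];
  if (!allowedIssuers.includes(payload.iss)) problems.push(`untrusted iss: ${payload.iss}`);
  if (payload.aud !== expectedAud) problems.push('aud does not match this app');
  if (typeof payload.sub !== 'string' || payload.sub === '') problems.push('missing sub claim');
  // zkLogin ties the JWT to the ephemeral key and maxEpoch through the nonce; a token
  // carrying a different nonce cannot be bound to this login session.
  if (payload.nonce !== expectedNonce) problems.push('nonce does not match this session');
  // exp is enforced here in addition to the maxEpoch limit Sui applies on-chain.
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) problems.push('token expired');
  return problems;
}

// Constructed sample tokens and session context
const NOW = 1700000000;
const SESSION = { allowedIssuers: ['https://accounts.google.com'], expectedAud: 'app-client-id',
  expectedNonce: 'nonce-from-ephemeral-key', nowSec: NOW };
const goodClaims = { iss: 'https://accounts.google.com', aud: 'app-client-id', sub: '1234567890',
  nonce: 'nonce-from-ephemeral-key', exp: NOW + 600 };
const goodJwt = makeJwt(goodClaims);
const staleJwt = makeJwt({ ...goodClaims, exp: NOW - 1 });
const wrongNonceJwt = makeJwt({ ...goodClaims, nonce: 'nonce-from-another-session' });
console.log(checkZkLoginJwt(goodJwt, SESSION), checkZkLoginJwt(staleJwt, SESSION));
```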
Key Benefits of zkLogin
- Enhanced Privacy: Users retain control over their data; only verified claims are shared.
- Frictionless Onboarding: Eliminates the need for seed phrases or wallet creation for first-time users.
- Interoperability: Supports major OAuth providers, bridging Web2 and Web3 ecosystems.
- Decentralized Trust: No reliance on centralized identity gateways—the validation happens on-chain.
These advantages make zkLogin a pivotal tool for mass adoption, especially in applications where user experience and data protection are paramount.
Core Functions for Developers
Sui provides a well-documented SDK to help developers implement zkLogin seamlessly. Here's how you can use its primary functions.
Parsing zkLogin Signatures
To debug or validate incoming authentication requests, use parseZkLoginSignature. It decodes the serialized zkLogin signature into its components; note that the decoded object carries the proof and the address seed, not the email or other claim value, which never leaves the client:

```javascript
import { parseZkLoginSignature } from '@mysten/sui/zklogin';

// Serialized zkLogin signature received from the client (truncated in the original article)
const serializedSignature = 'BQNNMTY4NjAxMzAyO...';

// parseZkLoginSignature is synchronous and returns { inputs, maxEpoch, userSignature }
const parsedSignature = parseZkLoginSignature(serializedSignature);
console.log(parsedSignature);
```

Sample output (proof values abbreviated):

```
{
  inputs: {
    proofPoints: { a: [...], b: [[...], [...]], c: [...] },  // the zero-knowledge proof
    issBase64Details: { value: "...", indexMod4: 1 },        // where "iss" sits in the JWT
    headerBase64: "...",                                     // the JWT header
    addressSeed: "..."                                       // hash of salt and claim
  },
  maxEpoch: "1689012302",   // last Sui epoch in which the ephemeral key is accepted
  userSignature: ...        // the ephemeral key's signature over the transaction
}
```

This parsed object can be used to enforce business logic, for example checking maxEpoch or the address seed, based on the verified components of the signature.
Generating zkLogin Signatures
To assemble a serialized zkLogin signature in a backend or test flow, combine the proof returned by the ZK proving service with the address seed and the ephemeral key's signature:

```javascript
import { getZkLoginSignature } from '@mysten/sui/zklogin';

// Proof returned by the zkLogin proving service (placeholder values)
const partialZkLoginSignature = {
  proofPoints: { a: ['...'], b: [['...']], c: ['...'] },
  issBase64Details: { value: '...', indexMod4: 1 },
  headerBase64: '...',
};

// Address seed computed client-side from the user salt and the JWT claim (placeholder)
const addressSeed = '...';

// Signature made with the ephemeral keypair over the transaction bytes
const userSignature = 'base64EncodedSignature';

// Sui epoch after which this signature is no longer accepted
const maxEpoch = '1689012302';

// Synchronous; returns the serialized signature string
const serializedSignature = getZkLoginSignature({
  inputs: { ...partialZkLoginSignature, addressSeed },
  maxEpoch,
  userSignature,
});
console.log(serializedSignature);
```

Computing zkLogin Addresses
You can derive a Sui address either from a precomputed address seed or directly from the JWT claim data. The seed is a hash of the user salt together with the claim name, claim value and audience, so the salt alone is not a valid first argument:

```javascript
import { computeZkLoginAddressFromSeed, genAddressSeed } from '@mysten/sui/zklogin';

const userSalt = 123456789n;   // per-user secret salt, kept off-chain
const identityProvider = 'https://accounts.google.com';

// Address seed over the salt, claim name, claim value and aud (placeholder sub value)
const addressSeed = genAddressSeed(userSalt, 'sub', '1234567890', 'https://your-app.com');
const address = computeZkLoginAddressFromSeed(addressSeed, identityProvider);
console.log(address);
```

Or using the full claim data, which computes the seed for you:

```javascript
import { computeZkLoginAddress } from '@mysten/sui/zklogin';

const address = computeZkLoginAddress({
  claimName: "email",
  claimValue: "[email protected]",
  iss: "https://accounts.google.com",
  aud: "https://your-app.com",
  userSalt: BigInt(123456789)
});
console.log(address);
```

These tools empower developers to build flexible, secure, and scalable identity layers.
MultiSig Transactions: Enhanced Security Through Collaboration
Multi-signature (MultiSig) transactions are a cornerstone of secure asset management in blockchain environments. They require multiple parties to sign off before a transaction is executed, significantly reducing the risk of unauthorized access.
Why MultiSig Matters
- Risk Mitigation: Prevents single points of failure—if one key is compromised, assets remain safe.
- Governance Flexibility: Ideal for organizations managing treasury funds or shared wallets.
- Hybrid Security Models: Can integrate traditional keys with zkLogin for recovery and access redundancy.
Sui implements MultiSig through two core classes: MultiSigPublicKey and MultiSigSigner.
Creating a MultiSig Account
Here's how to set up a MultiSig wallet requiring 2 out of 3 signatures:

```javascript
import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
import { MultiSigPublicKey } from '@mysten/sui/multisig';

// In practice each participant generates and keeps their own keypair
const kp1 = new Ed25519Keypair();
const kp2 = new Ed25519Keypair();
const kp3 = new Ed25519Keypair();

// A transaction is authorized once the summed weight of the signers reaches the
// threshold. Equal weights of 1 with threshold 2 give a true 2-of-3; giving one key
// weight 2 would let that key approve on its own.
const multiSigPublicKey = MultiSigPublicKey.fromPublicKeys({
  threshold: 2,
  publicKeys: [
    { publicKey: kp1.getPublicKey(), weight: 1 },
    { publicKey: kp2.getPublicKey(), weight: 1 },
    { publicKey: kp3.getPublicKey(), weight: 1 }
  ]
});

// The MultiSig address is derived from the threshold and all member keys with their weights
const multisigAddress = multiSigPublicKey.toSuiAddress();
console.log(multisigAddress);
```

This creates a shared wallet where at least two participants must approve any outgoing transaction.
Combining and Verifying Signatures
Once signatures are collected:

```javascript
// Each participant signs the same message with their own key
const message = new TextEncoder().encode("hello world");
const signature1 = (await kp1.signPersonalMessage(message)).signature;
const signature2 = (await kp2.signPersonalMessage(message)).signature;

// Two weight-1 signatures meet the threshold of 2; the order of the partials does not matter
const combinedSignature = multiSigPublicKey.combinePartialSignatures([signature1, signature2]);

// Verification checks every partial signature and that the summed weight reaches the threshold
const isValid = await multiSigPublicKey.verifyPersonalMessage(message, combinedSignature);
console.log(isValid); // true
```
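A policy audit for weighted MultiSig configurations, as an added example that is not from the Sui SDK or this article; the hypothetical `auditMultiSigPolicy` helper enumerates every minimal set of keys that can authorize a transaction, so a reviewer can confirm the "multiple parties" property before funds are sent to the address. The signer limits are assumed from the Sui MultiSig encoding (at most 10 signers, weight 1..255, threshold 1..65535).

```javascript
// Added example, not from the Sui SDK or the article: audits a weighted MultiSig
// policy of the shape MultiSigPublicKey.fromPublicKeys() takes, listing every minimal
// set of keys that can authorize a transaction. Format limits are assumed from the
// Sui MultiSig encoding: at most 10 signers, weight 1..255, threshold 1..65535.

function auditMultiSigPolicy(threshold, signers) {
  const total = signers.reduce((sum, k) => sum + k.weight, 0);
  const errors = [];
  if (signers.length < 1 || signers.length > 10) errors.push('signer count must be 1..10');
  if (signers.some((k) => !Number.isInteger(k.weight) || k.weight < 1 || k.weight > 255))
    errors.push('each weight must be an integer in 1..255');
  if (!Number.isInteger(threshold) || threshold < 1 || threshold > 65535 || threshold > total)
    errors.push('threshold must be in 1..65535 and not exceed the total weight');

  // Enumerate all non-empty subsets (at most 2^10) and keep those reaching the threshold.
  const quorums = [];
  for (let mask = 1; mask < 1 << signers.length; mask++) {
    const members = signers.filter((_, i) => mask & (1 << i));
    if (members.reduce((sum, k) => sum + k.weight, 0) >= threshold)
      quorums.push(members.map((k) => k.name));
  }
  // A quorum is minimal if no strict subset of it is also a quorum.
  const minimalQuorums = quorums.filter(
    (q) => !quorums.some((o) => o.length < q.length && o.every((n) => q.includes(n))),
  );
  // Keys that can authorize alone defeat the "multiple parties" goal of a MultiSig.
  const soloSigners = minimalQuorums.filter((q) => q.length === 1).map((q) => q[0]);
  const minSigners = minimalQuorums.reduce((m, q) => Math.min(m, q.length), Infinity);
  return { errors, total, minimalQuorums, soloSigners, minSigners };
}

// Constructed policies: three equal keys with threshold 2 (a true 2-of-3) and the same
// threshold where one key carries weight 2 (that key can act alone).
const equalWeights = auditMultiSigPolicy(2, [
  { name: 'kp1', weight: 1 }, { name: 'kp2', weight: 1 }, { name: 'kp3', weight: 1 },
]);
const unequalWeights = auditMultiSigPolicy(2, [
  { name: 'kp1', weight: 1 }, { name: 'kp2', weight: 1 }, { name: 'kp3', weight: 2 },
]);
console.log(equalWeights.minimalQuorums, unequalWeights.soloSigners);
```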
Integrating zkLogin with MultiSig
One of Sui’s most powerful capabilities is combining zkLogin with MultiSig setups. For example:
- A corporate treasury could require two executive approvals (via hardware keys) or allow recovery via zkLogin if keys are lost.
- Family wallets can include social login fallbacks without sacrificing decentralization.
This hybrid model enhances both security and recoverability, addressing two major pain points in traditional crypto wallets.
Real-World Use Cases
zkLogin Applications
- Social dApps: Gamified platforms where users log in with Google accounts but own their in-game assets.
- Regulated Services: KYC-light solutions where only verified claims (e.g., age > 18) are proven without disclosing IDs.
- Cross-Platform Identity: Single sign-on across multiple dApps using a consistent zkLogin address.
MultiSig Applications
- DAO Treasuries: Require multiple council members to approve large expenditures.
- Startup Founders: Co-manage company funds with predefined signing thresholds.
- High-Value NFT Custody: Protect rare digital collectibles with multi-party control.
Frequently Asked Questions (FAQ)
Q: Is zkLogin fully decentralized?
A: Yes. While identity providers issue JWTs, the proof generation and address derivation happen off-chain, and validation occurs on Sui without intermediaries.
Q: Can I use MultiSig with zkLogin as one of the signers?
A: Absolutely. zkLogin can be integrated as a valid signer within a MultiSig configuration, enabling hybrid authentication models.
Q: Are there gas fees for zkLogin transactions?
A: Yes, like all Sui transactions, zkLogin-based operations incur minimal gas fees paid in SUI tokens.
Q: How does Sui ensure JWT expiration isn’t bypassed?
A: Each JWT includes an exp (expiration) claim, and Sui enforces epoch limits (maxEpoch) when processing signatures.
Q: Is user salt stored on-chain?
A: No. The salt is provided by the user client-side and used only during address derivation—it never appears on-chain.
Q: Can I rotate my zkLogin identity?
A: Yes. By changing the salt value or using different claims, users can generate new addresses linked to the same Web2 account.
Conclusion
Sui blockchain stands at the forefront of Web3 innovation by merging usability with uncompromising security. With zkLogin, it removes the steep learning curve associated with crypto wallets. With MultiSig, it introduces enterprise-level control over digital assets.
Together, they form a powerful foundation for building scalable, user-friendly, and secure decentralized applications. Whether you're developing a consumer-facing dApp or managing organizational funds, Sui’s tooling offers the flexibility and reliability needed for success in the modern blockchain landscape.