Paper 2026/530

Balthazar Wallet: Making Password Authentication Practical on Web3 via OPAQUE and Privacy-Preserving Smart Contracts

Tomas Krajci, Brno University of Technology
Samuel Oleksak, Brno University of Technology
Ivan Homoliak, Brno University of Technology
Abstract

Username & password is the most common authentication method in Web2 because of its high usability and efficient protection against brute-force attacks by applying rate limits on the server. In contrast, Web3 wallets cannot securely support password-derived keys. Passwords typically have low entropy, and because blockchain environments are public and impose no rate limits on brute-force attempts, attackers can repeatedly test guesses offline until the private key is recovered. In this work, we present a novel password-based blockchain wallet that enables secure management of private keys (of any blockchain type) within a privacy-preserving smart contract platform (PPP). To store the keys, we adapt the OPAQUE protocol to fit the decentralized environment of blockchains and leverage the properties of TEE within PPP. Our design consists of the client, relay, and smart contract deployed at PPP. To this end, we propose the user enrollment protocol and private key retrieval protocol that require knowledge of the username and password and apply blockchain-enforced rate limits on guessing attempts. Our implementation is based on the Oasis Sapphire confidential EVM as an instance of PPP. Our system implements OPAQUE’s Oblivious Pseudorandom Function (OPRF) inside a smart contract, allowing the contract to act as the protocol’s server while keeping the long-term OPRF key protected within the enclave. During authentication, the client performs a blinded OPRF interaction so that neither the password nor its derivatives are revealed to the relay, blockchain, or the public. Experiments show that a single authentication attempt requires approximately 500k and 300k gas for 2048-bit and 1024-bit numbers within finite-field DLP, respectively, while one-time registration costs approximately 270k gas.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
OPAQUEWeb3walletauthenticationusability
Contact author(s)
homoliak @ fit vutbr cz
History
2026-03-19: approved
2026-03-16: received
See all versions
Short URL
https://ia.cr/2026/530
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/530,
      author = {Tomas Krajci and Samuel Oleksak and Ivan Homoliak},
      title = {Balthazar Wallet: Making Password Authentication Practical on Web3 via {OPAQUE} and Privacy-Preserving Smart Contracts},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/530},
      year = {2026},
      url = {https://eprint.iacr.org/2026/530}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.