Paper 2026/530
Balthazar Wallet: Making Password Authentication Practical on Web3 via OPAQUE and Privacy-Preserving Smart Contracts
Abstract
Username & password is the most common authentication method in Web2 because of its high usability and efficient protection against brute-force attacks by applying rate limits on the server. In contrast, Web3 wallets cannot securely support password-derived keys. Passwords typically have low entropy, and because blockchain environments are public and impose no rate limits on brute-force attempts, attackers can repeatedly test guesses offline until the private key is recovered. In this work, we present a novel password-based blockchain wallet that enables secure management of private keys (of any blockchain type) within a privacy-preserving smart contract platform (PPP). To store the keys, we adapt the OPAQUE protocol to fit the decentralized environment of blockchains and leverage the properties of TEE within PPP. Our design consists of the client, relay, and smart contract deployed at PPP. To this end, we propose the user enrollment protocol and private key retrieval protocol that require knowledge of the username and password and apply blockchain-enforced rate limits on guessing attempts. Our implementation is based on the Oasis Sapphire confidential EVM as an instance of PPP. Our system implements OPAQUE’s Oblivious Pseudorandom Function (OPRF) inside a smart contract, allowing the contract to act as the protocol’s server while keeping the long-term OPRF key protected within the enclave. During authentication, the client performs a blinded OPRF interaction so that neither the password nor its derivatives are revealed to the relay, blockchain, or the public. Experiments show that a single authentication attempt requires approximately 500k and 300k gas for 2048-bit and 1024-bit numbers within finite-field DLP, respectively, while one-time registration costs approximately 270k gas.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- OPAQUEWeb3walletauthenticationusability
- Contact author(s)
- homoliak @ fit vutbr cz
- History
- 2026-03-19: approved
- 2026-03-16: received
- See all versions
- Short URL
- https://ia.cr/2026/530
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2026/530,
author = {Tomas Krajci and Samuel Oleksak and Ivan Homoliak},
title = {Balthazar Wallet: Making Password Authentication Practical on Web3 via {OPAQUE} and Privacy-Preserving Smart Contracts},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/530},
year = {2026},
url = {https://eprint.iacr.org/2026/530}
}