Client Side Implementation

This explains how the password is used on the client

Creating and account

When you create an account you need to enter a good or strong password

The password is verified using zxcvbn which provides strong protection against password crackers!

When setting up an account the user supplied password is used to encrypt your account together with a public key. Your plaintext secret is never exposed to the server and it never leaves the scope of this function:

export async function setUpAccount(
  password: string,
  ethEncryptPublicKey: string,
) {
  const note = newAccountSecrets();
  const secrets = decodeAccountSecrets(note);
  const commitment = toNoteHex(secrets.commitment);
  //Password encrypt the note!
  const passwdEncryptedNote = await aesEncryptData(note, password);
  //Encrypt the note with a public key
  const encryptedNote = await ethEncryptData(

  const packed = await packEncryptedMessage(encryptedNote);

  return { encryptedNote: packed, commitment };

The encrypted note is saved on-chain inside the smart contract. This same encryption method is in production in Tornado cash Note Accounts and was used here also.

Checkout page

The checkout page is a react application that will use the password to compute a ZKP and save the ZKP on the server. The server does Passkey verification before decrypting the secret with the asymmetric key, then it will forward it to the front end where it can be further decrypted to create the zkp:

    const [password, setPassword] = useState("");
    async function payClicked() {

        const decryptedNote = await aesDecryptData(props.symmetricEncryptedNote, password);
        .... Error handling
        const paymentIntent = await createPaymentIntent({
            paymentIntentSecret: {
                note: decryptedNote,
                payee: props.itemData.payeeAddress,
                maxDebitAmount: parseEther(props.itemData.maxPrice),
                debitTimes: props.itemData.debitTimes,
                debitInterval: props.itemData.debitInterval
            snarkArtifacts: {
                wasmFilePath: "/directDebit.wasm",
                zkeyFilePath: "/directDebit_final.zkey"
       ..... Error Handling
        if (paymentIntent !== null) {

            await uploadPaymentIntent({
                button_id: props.itemData.buttonId,
                proof: JSON.stringify(paymentIntent.proof),
                publicSignals: JSON.stringify(paymentIntent.publicSignals),
                maxDebitAmount: props.itemData.maxPrice,
                debitTimes: props.itemData.debitTimes,
                debitInterval: props.itemData.debitInterval,
                paymentIntent: toNoteHex(paymentIntent.publicSignals[0]),
                commitment: toNoteHex(paymentIntent.publicSignals[1])

            }).then(async (status) => {
                if (status === 200) {
                    // Success is true!
                    // Log out so the back button will not reload the page
                    await logoutRequest();
                    // navigate to the redirect page
                    setTimeout(() => {
                    }, 3000)
              .... Error handling

Last updated