zklogin: add to multisig (MystenLabs#14145)

## Description 

add zklogin to multisig

## Test Plan 

unit test in rust, unit test and e2e test in typescript

one tab:
```
cargo run --bin sui-test-validator
```

another tab:
```
cargo build --bin sui && target/debug/sui keytool zk-login-sign-and-execute-tx --max-epoch 10 --fixed --network localnet

   Compiling sui v1.12.0 (/Users/joy/mysten/sui/crates/sui)
    Finished dev [unoptimized + debuginfo] target(s) in 7.86s
Ephemeral key identifier: 0xcc2196ee1fa156836daf9bb021d88d648a0023fa387e695d3701667a634a331f
Ephemeral pubkey (BigInt): 84029355920633174015103288781128426107680789454168570548782290541079926444544
Jwt randomness: 100681567828351849884072155819400689117
Visit URL (Google): https://accounts.google.com/o/oauth2/v2/auth?client_id=25769832374-famecqrhe2gkebt5fvqms2263046lj96.apps.googleusercontent.com&response_type=id_token&redirect_uri=https://sui.io/&scope=openid&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI
Visit URL (Twitch): https://id.twitch.tv/oauth2/authorize?client_id=rs1bh065i9ya4ydvifixl4kss0uhpt&force_verify=true&lang=en&login_type=login&redirect_uri=https://sui.io/&response_type=id_token&scope=openid&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI
Visit URL (Facebook): https://www.facebook.com/v17.0/dialog/oauth?client_id=233307156352917&redirect_uri=https://sui.io/&scope=openid&nonce=hTPpgF7XAKbW37rEUS6pEVZqmoI&response_type=id_token
Finish login and paste the entire URL here (e.g. https://sui.io/#id_token=...):
https://sui.io/#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImM2MjYzZDA5NzQ1YjUwMzJlNTdmYTZlMWQwNDFiNzdhNTQwNjZkYmQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIyNTc2OTgzMjM3NC1mYW1lY3FyaGUyZ2tlYnQ1ZnZxbXMyMjYzMDQ2bGo5Ni5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjI1NzY5ODMyMzc0LWZhbWVjcXJoZTJna2VidDVmdnFtczIyNjMwNDZsajk2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTA2Mjk0MDQ5MjQwOTk5MzA3OTIzIiwibm9uY2UiOiJoVFBwZ0Y3WEFLYlczN3JFVVM2cEVWWnFtb0kiLCJuYmYiOjE2OTY5Njc4NDUsImlhdCI6MTY5Njk2ODE0NSwiZXhwIjoxNjk2OTcxNzQ1LCJqdGkiOiJjMTM5NjYwMzc3NmIxZjdlMWQ2NmI5NTM3YmM5NDRmNDdiNTA3ZTY4In0.hZl02IMAENkZpdPhHBhSAB0-A-WhaxzDCjGssRCNpZI_qcvc8F2ChkCnhwJeyAVU8Pr8EeDUMx0eNGugkzllWVDIoWns-evVX78oL2YCkUWHAOPR0RTpu6Skm0NQAC8XPGEiv0Kz2kCwDdWdjPgH23arwAi9NmANKfeZ3vrk6Svsfeez9f5wqv3c_MGki21U0jzz8kNgAOyB6uCccpy-YLD50EZk0DcsNKmjXbiY2ZhV-P-e8tG7xiPyIj5VxblmPHVZ7qL6o2tQhizXWgKArqgU9oe9K8OLeLp5awnS4vFCZ6eB8nfxab2AqBFnSqZPNC66erkUhlN1lby27OCITg&authuser=0&prompt=none
User salt: 206703048842351542647799591018316385612
ZkLogin inputs:
"{\"proofPoints\":{\"a\":[\"11071960508875089201057730565518101556775475169375579509065140489026077099654\",\"14174912479081119851997528327158995273006699149457531618246292146613112372944\",\"1\"],\"b\":[[\"7216990298660783302143896853289290021326436249623860051904679351585173012040\",\"18087701151940901281958636377056618090618208573732569791579703653413943983699\"],[\"19224763285739841430265605268687720210313145998503468635464708573454324013744\",\"12393241310435082598360753545909989326027524395613882552873544890506438935027\"],[\"1\",\"0\"]],\"c\":[\"20983561555479787714367945653854194275982221313962694075743870227818357229450\",\"16024834658814099899544865951708812186847146613075692342239549354247901181345\",\"1\"]},\"issBase64Details\":{\"value\":\"yJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLC\",\"indexMod4\":1},\"headerBase64\":\"eyJhbGciOiJSUzI1NiIsImtpZCI6ImM2MjYzZDA5NzQ1YjUwMzJlNTdmYTZlMWQwNDFiNzdhNTQwNjZkYmQiLCJ0eXAiOiJKV1QifQ\"}"
Use multisig address as sender
Sender: 0xf9266082764281fd99430ed349c1cac0796b6bbb9cc474b2d022e6232cd11486
Faucet requested and created test transaction: "AAACACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEA1dbpfp+rpZ8z/hzODNRSLRna+szYuNg9QLVOTdlfZSUCAAAAAAAAACCr+M/bjvBJUnDgzRkpu09Uq167uXZqh7rPU6afAlob1QEBAQEBAAEAAPkmYIJ2QoH9mUMO00nBysB5a2u7nMR0stAi5iMs0RSGAQ/xwfsWOdApvK5lmAUT38ExbUsebssxk+l5UNRPap4kAgAAAAAAAAAguHVDIcb31XqwlIXvQPLGrVP8PYNH2KC8sBYEhr0HVvH5JmCCdkKB/ZlDDtNJwcrAeWtru5zEdLLQIuYjLNEUhugDAAAAAAAAQEtMAAAAAAAA"
Signature Serialized: "AwEDA00xMTA3MTk2MDUwODg3NTA4OTIwMTA1NzczMDU2NTUxODEwMTU1Njc3NTQ3NTE2OTM3NTU3OTUwOTA2NTE0MDQ4OTAyNjA3NzA5OTY1NE0xNDE3NDkxMjQ3OTA4MTExOTg1MTk5NzUyODMyNzE1ODk5NTI3MzAwNjY5OTE0OTQ1NzUzMTYxODI0NjI5MjE0NjYxMzExMjM3Mjk0NAExAwJMNzIxNjk5MDI5ODY2MDc4MzMwMjE0Mzg5Njg1MzI4OTI5MDAyMTMyNjQzNjI0OTYyMzg2MDA1MTkwNDY3OTM1MTU4NTE3MzAxMjA0ME0xODA4NzcwMTE1MTk0MDkwMTI4MTk1ODYzNjM3NzA1NjYxODA5MDYxODIwODU3MzczMjU2OTc5MTU3OTcwMzY1MzQxMzk0Mzk4MzY5OQJNMTkyMjQ3NjMyODU3Mzk4NDE0MzAyNjU2MDUyNjg2ODc3MjAyMTAzMTMxNDU5OTg1MDM0Njg2MzU0NjQ3MDg1NzM0NTQzMjQwMTM3NDRNMTIzOTMyNDEzMTA0MzUwODI1OTgzNjA3NTM1NDU5MDk5ODkzMjYwMjc1MjQzOTU2MTM4ODI1NTI4NzM1NDQ4OTA1MDY0Mzg5MzUwMjcCATEBMANNMjA5ODM1NjE1NTU0Nzk3ODc3MTQzNjc5NDU2NTM4NTQxOTQyNzU5ODIyMjEzMTM5NjI2OTQwNzU3NDM4NzAyMjc4MTgzNTcyMjk0NTBNMTYwMjQ4MzQ2NTg4MTQwOTk4OTk1NDQ4NjU5NTE3MDg4MTIxODY4NDcxNDY2MTMwNzU2OTIzNDIyMzk1NDkzNTQyNDc5MDExODEzNDUBMTF5SnBjM01pT2lKb2RIUndjem92TDJGalkyOTFiblJ6TG1kdmIyZHNaUzVqYjIwaUxDAWZleUpoYkdjaU9pSlNVekkxTmlJc0ltdHBaQ0k2SW1NMk1qWXpaREE1TnpRMVlqVXdNekpsTlRkbVlUWmxNV1F3TkRGaU56ZGhOVFF3Tmpaa1ltUWlMQ0owZVhBaU9pSktWMVFpZlFNMTMzMTk5NjgyNDQyNDUzNDI3MDI5NDQzNjQ2MDgzMTY3Nzc3NzI1NDcyNTk3OTg0MjU2OTc5MjMwOTkzOTAzNTU1Mzg1Mjk5MzEyMTEKAAAAAAAAAGEAnR5aXx6mSFmFTaghl8pFm9LtTJm+K9c2UbhjmksW2qUsluzhVREBkYWzzv2oJ2KEESe+6sXgGzs3/1QrzSOLCrnG7hYw7z5xEUSmSNsGu7IoT3J0z77lP/zuUDzBpJIAAQACAzwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tHXLVuWKZ0YRWr+lAR0ZRWMBuaVbAL5w4tETSyLG6z8sBAIxVMzXu6Aub+gxUSkX+Y0dKCd/5xLCzPbK2Yvk06kbEAQEA"
╭──────────┬────────────────────────────────────────────────╮
│ txDigest │  GbM5sxq3m9PJh8EbafdTWyKNbN1KBPSkoXzvTLHXkPQX  │
╰──────────┴────────────────────────────────────────────────╯
```
---
If your changes are not user-facing and not a breaking change, you can
skip the following section. Otherwise, please indicate what changed, and
then add to the Release Notes section as highlighted during the release
process.

### Type of Change (Check all that apply)

- [x] protocol change
- [ ] user-visible impact
- [ ] breaking change for a client SDKs
- [x] breaking change for FNs (FN binary must upgrade)
- [x] breaking change for validators or node operators (must upgrade
binaries)
- [ ] breaking change for on-chain data layout
- [ ] necessitate either a data wipe or data migration

### Release notes
Add protocol version 32 with flag accept zklogin sig inside multisig.
This allows Sui to verify a multisig that combined single sigs with
zklogin sigs.

.changeset/silver-eels-tell.md

@@ -0,0 +1,5 @@
+---
+'@mysten/sui.js': minor
+---
+
+Add support for zklogin sig inside multisig

apps/explorer/src/pages/transaction-result/Signatures.tsx

@@ -101,7 +101,7 @@ export function Signatures({ transaction }: Props) {
 				return {
 					signatureScheme: parsed.signatureScheme,
 					address: parsed.zkLogin.address,
-					signature: parsed.bytes,
+					signature: parsed.signature,
 				};
 			}
 

crates/sui-core/benches/batch_verification_bench.rs

@@ -79,6 +79,7 @@ fn async_verifier_bench(c: &mut Criterion) {
                         vec![],
                         ZkLoginEnv::Test,
                         true,
+                        true,
                     ));
 
                     b.iter(|| {

crates/sui-core/src/authority/authority_per_epoch_store.rs

@@ -696,6 +696,7 @@ impl AuthorityPerEpochStore {
             supported_providers,
             zklogin_env,
             protocol_config.verify_legacy_zklogin_address(),
+            protocol_config.accept_zklogin_in_multisig(),
         );
 
         let authenticator_state_exists = epoch_start_configuration

crates/sui-core/src/generate_format.rs

@@ -2,6 +2,7 @@
 // Copyright (c) Mysten Labs, Inc.
 // SPDX-License-Identifier: Apache-2.0
 use clap::*;
+use fastcrypto_zkp::bn254::zk_login::OIDCProvider;
 use move_core_types::{
     language_storage::{StructTag, TypeTag},
     vm_status::AbortLocation,
@@ -13,9 +14,6 @@ use serde_reflection::{Registry, Result, Samples, Tracer, TracerConfig};
 use shared_crypto::intent::{Intent, IntentMessage, PersonalMessage};
 use std::str::FromStr;
 use std::{fs::File, io::Write};
-use sui_types::effects::{
-    IDOperation, ObjectIn, ObjectOut, TransactionEffects, UnchangedSharedKind,
-};
 use sui_types::execution_status::{
     CommandArgumentError, ExecutionFailureStatus, ExecutionStatus, PackageUpgradeError,
     TypeArgumentError,
@@ -46,6 +44,11 @@ use sui_types::{
         Argument, CallArg, Command, EndOfEpochTransactionKind, ObjectArg, TransactionKind,
     },
 };
+use sui_types::{
+    crypto::{PublicKey, ZkLoginPublicIdentifier},
+    effects::{IDOperation, ObjectIn, ObjectOut, TransactionEffects, UnchangedSharedKind},
+    utils::DEFAULT_ADDRESS_SEED,
+};
 use typed_store::TypedStoreError;
 
 fn get_registry() -> Result<Registry> {
@@ -83,10 +86,14 @@ fn get_registry() -> Result<Registry> {
         SuiKeyPair::Secp256k1(get_key_pair_from_rng(&mut StdRng::from_seed([0; 32])).1);
     let kp3: SuiKeyPair =
         SuiKeyPair::Secp256r1(get_key_pair_from_rng(&mut StdRng::from_seed([0; 32])).1);
+    let pk_zklogin = PublicKey::ZkLogin(
+        ZkLoginPublicIdentifier::new(&OIDCProvider::Twitch.get_config().iss, DEFAULT_ADDRESS_SEED)
+            .unwrap(),
+    );
 
     let multisig_pk = MultiSigPublicKey::new(
-        vec![kp1.public(), kp2.public(), kp3.public()],
-        vec![1, 1, 1],
+        vec![kp1.public(), kp2.public(), kp3.public(), pk_zklogin],
+        vec![1, 1, 1, 1],
         2,
     )
     .unwrap();
@@ -98,24 +105,25 @@ fn get_registry() -> Result<Registry> {
         },
     );
 
-    let sig1 = Signature::new_secure(&msg, &kp1);
-    let sig2 = Signature::new_secure(&msg, &kp2);
-    let sig3 = Signature::new_secure(&msg, &kp3);
+    let sig1: GenericSignature = Signature::new_secure(&msg, &kp1).into();
+    let sig2: GenericSignature = Signature::new_secure(&msg, &kp2).into();
+    let sig3: GenericSignature = Signature::new_secure(&msg, &kp3).into();
+    let sig4: GenericSignature = GenericSignature::from_str("BQNNMTczMTgwODkxMjU5NTI0MjE3MzYzNDIyNjM3MTc5MzI3MTk0Mzc3MTc4NDQyODI0MTAxODc5NTc5ODQ3NTE5Mzk5NDI4OTgyNTEyNTBNMTEzNzM5NjY2NDU0NjkxMjI1ODIwNzQwODIyOTU5ODUzODgyNTg4NDA2ODE2MTgyNjg1OTM5NzY2OTczMjU4OTIyODA5MTU2ODEyMDcBMQMCTDU5Mzk4NzExNDczNDg4MzQ5OTczNjE3MjAxMjIyMzg5ODAxNzcxNTIzMDMyNzQzMTEwNDcyNDk5MDU5NDIzODQ5MTU3Njg2OTA4OTVMNDUzMzU2ODI3MTEzNDc4NTI3ODczMTIzNDU3MDM2MTQ4MjY1MTk5Njc0MDc5MTg4ODI4NTg2NDk2Njg4NDAzMjcxNzA0OTgxMTcwOAJNMTA1NjQzODcyODUwNzE1NTU0Njk3NTM5OTA2NjE0MTA4NDAxMTg2MzU5MjU0NjY1OTcwMzcwMTgwNTg3NzAwNDEzNDc1MTg0NjEzNjhNMTI1OTczMjM1NDcyNzc1NzkxNDQ2OTg0OTYzNzIyNDI2MTUzNjgwODU4MDEzMTMzNDMxNTU3MzU1MTEzMzAwMDM4ODQ3Njc5NTc4NTQCATEBMANNMTU3OTE1ODk0NzI1NTY4MjYyNjMyMzE2NDQ3Mjg4NzMzMzc2MjkwMTUyNjk5ODQ2OTk0MDQwNzM2MjM2MDMzNTI1Mzc2Nzg4MTMxNzFMNDU0Nzg2NjQ5OTI0ODg4MTQ0OTY3NjE2MTE1ODAyNDc0ODA2MDQ4NTM3MzI1MDAyOTQyMzkwNDExMzAxNzQyMjUzOTAzNzE2MjUyNwExMXdpYVhOeklqb2lhSFIwY0hNNkx5OXBaQzUwZDJsMFkyZ3VkSFl2YjJGMWRHZ3lJaXcCMmV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SWpFaWZRTTIwNzk0Nzg4NTU5NjIwNjY5NTk2MjA2NDU3MDIyOTY2MTc2OTg2Njg4NzI3ODc2MTI4MjIzNjI4MTEzOTE2MzgwOTI3NTAyNzM3OTExCgAAAAAAAABhAG6Bf8BLuaIEgvF8Lx2jVoRWKKRIlaLlEJxgvqwq5nDX+rvzJxYAUFd7KeQBd9upNx+CHpmINkfgj26jcHbbqAy5xu4WMO8+cRFEpkjbBruyKE9ydM++5T/87lA8waSSAA==").unwrap();
 
-    let multi_sig =
-        MultiSig::combine(vec![sig1.clone(), sig2.clone(), sig3.clone()], multisig_pk).unwrap();
+    let multi_sig = MultiSig::combine(
+        vec![sig1.clone(), sig2.clone(), sig3.clone(), sig4.clone()],
+        multisig_pk,
+    )
+    .unwrap();
     tracer.trace_value(&mut samples, &multi_sig)?;
 
     let generic_sig_multi = GenericSignature::MultiSig(multi_sig);
     tracer.trace_value(&mut samples, &generic_sig_multi)?;
 
-    let generic_sig_1 = GenericSignature::Signature(sig1);
-    tracer.trace_value(&mut samples, &generic_sig_1)?;
-    let generic_sig_2 = GenericSignature::Signature(sig2);
-    tracer.trace_value(&mut samples, &generic_sig_2)?;
-    let generic_sig_3 = GenericSignature::Signature(sig3);
-    tracer.trace_value(&mut samples, &generic_sig_3)?;
-
+    tracer.trace_value(&mut samples, &sig1)?;
+    tracer.trace_value(&mut samples, &sig2)?;
+    tracer.trace_value(&mut samples, &sig3)?;
+    tracer.trace_value(&mut samples, &sig4)?;
     // ObjectID and SuiAddress are the same length
     let oid: ObjectID = addr.into();
     tracer.trace_value(&mut samples, &oid)?;

crates/sui-core/src/signature_verifier.rs

@@ -118,6 +118,7 @@ struct ZkLoginParams {
     /// The environment (prod/test) the code runs in. It decides which verifying key to use in fastcrypto.
     pub env: ZkLoginEnv,
     pub verify_legacy_zklogin_address: bool,
+    pub accept_zklogin_in_multisig: bool,
 }
 
 impl SignatureVerifier {
@@ -128,6 +129,7 @@ impl SignatureVerifier {
         supported_providers: Vec<OIDCProvider>,
         env: ZkLoginEnv,
         verify_legacy_zklogin_address: bool,
+        accept_zklogin_in_multisig: bool,
     ) -> Self {
         Self {
             committee,
@@ -150,6 +152,7 @@ impl SignatureVerifier {
                 supported_providers,
                 env,
                 verify_legacy_zklogin_address,
+                accept_zklogin_in_multisig,
             },
         }
     }
@@ -160,6 +163,7 @@ impl SignatureVerifier {
         supported_providers: Vec<OIDCProvider>,
         zklogin_env: ZkLoginEnv,
         verify_legacy_zklogin_address: bool,
+        accept_zklogin_in_multisig: bool,
     ) -> Self {
         Self::new_with_batch_size(
             committee,
@@ -168,6 +172,7 @@ impl SignatureVerifier {
             supported_providers,
             zklogin_env,
             verify_legacy_zklogin_address,
+            accept_zklogin_in_multisig,
         )
     }
 
@@ -352,6 +357,7 @@ impl SignatureVerifier {
                     self.zk_login_params.supported_providers.clone(),
                     self.zk_login_params.env.clone(),
                     self.zk_login_params.verify_legacy_zklogin_address,
+                    self.zk_login_params.accept_zklogin_in_multisig,
                 );
                 signed_tx
                     .tx_signatures()
@@ -483,7 +489,13 @@ pub fn batch_verify_certificates(
     certs: &[CertifiedTransaction],
 ) -> Vec<SuiResult> {
     // certs.data() is assumed to be verified already by the caller.
-    let verify_params = VerifyParams::new(Default::default(), Vec::new(), Default::default(), true);
+    let verify_params = VerifyParams::new(
+        Default::default(),
+        Vec::new(),
+        Default::default(),
+        true,
+        true,
+    );
     match batch_verify(committee, certs, &[]) {
         Ok(_) => vec![Ok(()); certs.len()],
 

crates/sui-core/src/unit_tests/batch_verification_tests.rs

@@ -120,6 +120,7 @@ async fn test_async_verifier() {
         vec![],
         ZkLoginEnv::Test,
         true,
+        true,
     ));
 
     let tasks: Vec<_> = (0..32)

crates/sui-core/src/unit_tests/transaction_deny_tests.rs

@@ -26,6 +26,7 @@ use sui_types::transaction::{
     CallArg, CertifiedTransaction, Transaction, TransactionData, VerifiedCertificate,
     VerifiedTransaction, TEST_ONLY_GAS_UNIT_FOR_TRANSFER,
 };
+use sui_types::utils::get_zklogin_user_address;
 use sui_types::utils::{
     make_zklogin_tx, to_sender_signed_transaction, to_sender_signed_transaction_with_multi_signers,
 };
@@ -188,7 +189,7 @@ async fn test_zklogin_transaction_disabled() {
             .build(),
     )
     .await;
-    let (_, tx, _) = make_zklogin_tx(false);
+    let (_, tx, _) = make_zklogin_tx(get_zklogin_user_address(), false);
     assert_denied(&process_zklogin_tx(tx, &state).await);
 
     let (_, state1) = setup_test(
@@ -197,7 +198,7 @@ async fn test_zklogin_transaction_disabled() {
             .build(),
     )
     .await;
-    let (_, tx1, _) = make_zklogin_tx(false);
+    let (_, tx1, _) = make_zklogin_tx(get_zklogin_user_address(), false);
     assert_denied(&process_zklogin_tx(tx1, &state1).await);
 }
 

crates/sui-core/tests/staged/sui.yaml

@@ -226,6 +226,10 @@ CompressedSignature:
           TUPLEARRAY:
             CONTENT: U8
             SIZE: 64
+    3:
+      ZkLogin:
+        NEWTYPE:
+          TYPENAME: GenericSignature
 ConsensusCommitPrologue:
   STRUCT:
     - epoch: U64
@@ -735,6 +739,10 @@ PublicKey:
           TUPLEARRAY:
             CONTENT: U8
             SIZE: 33
+    3:
+      ZkLogin:
+        NEWTYPE:
+          TYPENAME: ZkLoginPublicIdentifier
 SenderSignedData:
   NEWTYPESTRUCT:
     SEQ:
@@ -1019,4 +1027,7 @@ UpgradeInfo:
         TYPENAME: ObjectID
     - upgraded_version:
         TYPENAME: SequenceNumber
+ZkLoginPublicIdentifier:
+  NEWTYPESTRUCT:
+    SEQ: U8
 

crates/sui-e2e-tests/tests/zklogin_tests.rs

@@ -3,17 +3,20 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use sui_test_transaction_builder::TestTransactionBuilder;
+use sui_types::base_types::SuiAddress;
 use sui_types::error::{SuiError, SuiResult};
-use sui_types::utils::{get_zklogin_user_address, make_zklogin_tx, sign_zklogin_tx};
+use sui_types::utils::{
+    get_legacy_zklogin_user_address, get_zklogin_user_address, make_zklogin_tx, sign_zklogin_tx,
+};
 use sui_types::SUI_AUTHENTICATOR_STATE_OBJECT_ID;
 use test_cluster::{TestCluster, TestClusterBuilder};
 
 use sui_core::authority_client::AuthorityAPI;
 use sui_macros::sim_test;
 
-async fn do_zklogin_test(legacy: bool) -> SuiResult {
+async fn do_zklogin_test(address: SuiAddress, legacy: bool) -> SuiResult {
     let test_cluster = TestClusterBuilder::new().build().await;
-    let (_, tx, _) = make_zklogin_tx(legacy);
+    let (_, tx, _) = make_zklogin_tx(address, legacy);
 
     test_cluster
         .authority_aggregator()
@@ -36,7 +39,9 @@ async fn test_zklogin_feature_deny() {
         config
     });
 
-    let err = do_zklogin_test(false).await.unwrap_err();
+    let err = do_zklogin_test(get_zklogin_user_address(), false)
+        .await
+        .unwrap_err();
 
     assert!(matches!(err, SuiError::UnsupportedFeatureError { .. }));
 }
@@ -50,7 +55,9 @@ async fn test_zklogin_feature_legacy_address_deny() {
         config
     });
 
-    let err = do_zklogin_test(true).await.unwrap_err();
+    let err = do_zklogin_test(get_legacy_zklogin_user_address(), true)
+        .await
+        .unwrap_err();
     assert!(matches!(err, SuiError::SignerSignatureAbsent { .. }));
 }
 
@@ -61,7 +68,9 @@ async fn test_legacy_zklogin_address_accept() {
         config.set_verify_legacy_zklogin_address(true);
         config
     });
-    let err = do_zklogin_test(true).await.unwrap_err();
+    let err = do_zklogin_test(get_legacy_zklogin_user_address(), true)
+        .await
+        .unwrap_err();
 
     // it does not hit the signer absent error.
     assert!(matches!(err, SuiError::InvalidSignature { .. }));

crates/sui-open-rpc/spec/openrpc.json

@@ -1350,6 +1350,7 @@
               "maxSupportedProtocolVersion": "32",
               "protocolVersion": "6",
               "featureFlags": {
+                "accept_zklogin_in_multisig": false,
                 "advance_epoch_start_time_in_safe_mode": true,
                 "advance_to_highest_supported_protocol_version": false,
                 "ban_entry_init": false,
@@ -5502,6 +5503,18 @@
               }
             },
             "additionalProperties": false
+          },
+          {
+            "type": "object",
+            "required": [
+              "ZkLogin"
+            ],
+            "properties": {
+              "ZkLogin": {
+                "$ref": "#/components/schemas/GenericSignature"
+              }
+            },
+            "additionalProperties": false
           }
         ]
       },
@@ -7788,6 +7801,18 @@
               }
             },
             "additionalProperties": false
+          },
+          {
+            "type": "object",
+            "required": [
+              "ZkLogin"
+            ],
+            "properties": {
+              "ZkLogin": {
+                "$ref": "#/components/schemas/ZkLoginPublicIdentifier"
+              }
+            },
+            "additionalProperties": false
           }
         ]
       },
@@ -10704,6 +10729,14 @@
             }
           }
         }
+      },
+      "ZkLoginPublicIdentifier": {
+        "description": "A wrapper struct to retrofit in [enum PublicKey] for zkLogin. Useful to construct [struct MultiSigPublicKey].",
+        "allOf": [
+          {
+            "$ref": "#/components/schemas/Base64"
+          }
+        ]
       }
     }
   }

crates/sui-protocol-config/src/lib.rs

@@ -340,6 +340,10 @@ struct FeatureFlags {
     // If true, recompute has_public_transfer from the type instead of what is stored in the object
     #[serde(skip_serializing_if = "is_false")]
     recompute_has_public_transfer_in_execution: bool,
+
+    // If true, multisig containing zkLogin sig is accepted.
+    #[serde(skip_serializing_if = "is_false")]
+    accept_zklogin_in_multisig: bool,
 }
 
 fn is_false(b: &bool) -> bool {
@@ -1034,6 +1038,10 @@ impl ProtocolConfig {
         self.feature_flags.verify_legacy_zklogin_address
     }
 
+    pub fn accept_zklogin_in_multisig(&self) -> bool {
+        self.feature_flags.accept_zklogin_in_multisig
+    }
+
     pub fn throughput_aware_consensus_submission(&self) -> bool {
         self.feature_flags.throughput_aware_consensus_submission
     }
@@ -1648,7 +1656,7 @@ impl ProtocolConfig {
                         cfg.feature_flags.shared_object_deletion = true;
                     }
                 }
-                32 => {}
+                32 => cfg.feature_flags.accept_zklogin_in_multisig = true,
                 // Use this template when making changes:
                 //
                 //     // modify an existing constant.

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Mainnet_version_32.snap

@@ -32,6 +32,7 @@ feature_flags:
   loaded_child_object_format_type: true
   verify_legacy_zklogin_address: true
   recompute_has_public_transfer_in_execution: true
+  accept_zklogin_in_multisig: true
 max_tx_size_bytes: 131072
 max_input_objects: 2048
 max_size_written_objects: 5000000