magic, secrets, minimal viable security; mixtapes
Feature: Secrets, and how to prove them — a magician’s guide to zero knowledge proofs
with Michael Blau
Any sufficiently advanced technology is indistinguishable from magic (or so science fiction writer Arthur C. Clarke famously said). One such area of sci-fi-like progress is that of zero-knowledge proofs (or ZKPs), a cryptographic tool that addresses two critical challenges in web3: scalability, and privacy. In particular, ZKPs could be the key to unlocking lower transaction fees and designing new privacy-preserving applications — ushering in many more crypto users. But beyond crypto, ZKPs can also help transmit sensitive data securely, combat illicit finance through privacy-preserving regulatory solutions, and fight disinformation.
But what are ZKPs, really? There are many clever explanations out there, but even with the wealth of analogies available — from Waldo to Ali Baba’s Cave — it’s not easy to find an accurate, easy-to-grasp explanation of zero-knowledge proofs. Especially one that fully captures their superpowers, including for those who aren’t cryptography researchers or engineers.
So in this post and special demo, a16z crypto partner Michael Blau combines his background in magic with his work in crypto to explore a new analogy for demystifying ZKPs: a magic trick. Magic tricks, and magicians hiding secrets, can serve as a helpful mental model for understanding the key properties of ZKPs. Which makes sense, since zero-knowledge proofs in practice are indistinguishable from magic…
Resource: ‘Back to school’ special playlists
The latest in crypto research
With the goal of advancing the science and technology of the next generation of the internet, last year we introduced a16z crypto research — a new kind of multidisciplinary lab dedicated to helping shape crypto and web3 as a formal area of study. One of our goals was to help bridge the worlds of academic theory with industry practice, and one of the ways we do so (besides working with our portfolio and publishing our own work) is by bringing together the very best research talent across disciplines relevant to the space.
To that end, we’ve now hosted two immersive summer programs at the a16z crypto office — where we invite both established and emerging researchers to present their work and ideas, collaborate on some of the hardest problems in the ecosystem, and sharpen each other’s ideas by spending time with one another. You can watch many of the seminars (and listen in on our in-room conversations!) from summer 2022 here, and from fall 2022/ spring 2023 here.
Now, we’re releasing new talks from the latest summer 2023 program & cohort. The initial drop included talks from a16z crypto research partners Joe Bonneau on distributed randomness beacons and Lera Nikolaenko on distributed data storage; as well as talks from Matt Green (Johns Hopkins) on “going beyond zero knowledge: next steps for compliance and constrained encryption on blockchains”; Sarah Meiklejohn (University College London, Google) on distributed key generation; and Ittai Abraham (Intel Labs, former VMware; also Decentralized Thoughts blog) on “it’s all about trust”. The second drop, themed “cryptography week”, features talks from Dan Boneh (Stanford, a16z crypto); Elaine Shi (CMU); Foteini Baldimtsi (GMU); and Ron Rothblum (Technion), here. Be sure to subscribe to our YouTube channel to get notified about the next drops, as we will be releasing these talks regularly there.
Bonus playlist: ‘web3 with a16z’ podcast, now also on YouTube
You can now listen to all episodes of our podcast “web3 with a16z” on YouTube, here… Including our most recent episode, which discusses (and debates!) with Solana Labs co-founder and CEO Anatoly Yakovenko (and a16z crypto’s Ali Yahya and Guy Wuollet) the endgame for blockchain scalability, modular vs. monolithic architectures, hardware vs. software innovation, and much more.
Other recent episodes cover other blockchain ecosystems, company building in crypto, and the journey from web2 to web3; navigating strategy, competition, moats, network effects in both theory and in practice; community and marketing in web3; and more. Also catch up on or revisit episodes on specific trends A to Z: AI & crypto, decentralized creativity & collaboration, entertainment & technology, metaverse, NFTs, policy, programming languages, security, web3 gaming, and several others.
PSA: The 3 types of secrets humans have to securely store, and how
Eddy Lazzarin, Matt Gleason
We live in a digitally active world, and as our online accounts and the information we keep online increase, so does our need to hold on to secrets so no one can access that data. There are 3 main types of secrets most people have to hold for online access:
Passwords — which people use to access various websites and services. These must not only be kept secret, but be unique from service to service.
TOTP codes — which are often generated by an authenticator app or TOTP (time-based one time password) system. These provide two-factor authentication, where a second layer of security (hence the “two”, and “multi-” if more layers) helps protect access.
Seed phrases — “mnemonic” codes or recovery phrases that give direct control of all crypto wallets derived from that seed phrase. This reflects one of the empowering features of crypto wallets: Once you enter your seed phrase, you have total control of your assets without needing to move them from one custodian to another.
Note, these “secrets” aren’t all specific to crypto/ web3; anyone using the internet today should be using these practices (or something custom tailored for their needs)! And while our recommendation would be to harden everything to the maximum extent possible, the practical reality is that purchasing hardware wallets, webauthn keys, and machines with TEEs isn’t easy to do for most people (at least, not yet). Furthermore, losing secrets can sometimes be a greater risk than having them compromised: some information, once lost, can’t ever be found.
So one could consider this a “minimal viable security” approach. That minimum setup — using things many people already have — would be to use a well-vetted password manager to store your seed phrases and passwords; and a TOTP app on your phone to store and use TOTP codes for 2FA (two-factor authentication). Here’s more on why and how:
Do NOT use text messages on your phone (SMS) as a second factor for authentication. SMS is a very weak choice for 2FA, given the rise of SIM swapping/jacking: where a hacker pretends to be you to your mobile provider (“I lost my phone and need help accessing it…”); then reroutes your phone number to their device; and can then access any accounts linked to that phone. That’s why we recommend using authenticator apps (like Authy, Google Authenticator, etc.). Not all services allow two-factor authentication, unfortunately; so you should still make sure you’re using strong, unique passwords.
Store your passwords in a password manager. This is mostly to make having unique passwords for all internet services possible; otherwise most people default to reusing passwords across sites. A password manager secures each online account with a unique, complex password — and uses one strong “master password” to encrypt all the stored passwords (see for example 1Password, Bitwarden, or Dashlane).
Your master password should be at least 16 characters — preferably a randomly generated passphrase of at least 5 words, which is usually around 30 characters, but easier to remember. This is not an arbitrary recommendation; the GPU cost of guessing a password by brute force goes up exponentially with the number of characters and words in it. That’s why longer is better. Finally: Never forget the master password! If you have to, you can write down a password hint with pen and paper, store that in the safest place you can think of, and remember where it is.
Store an encrypted copy of your backup codes/TOTP in cloud storage, and print them out and keep the printout in a secure hard safe. But what about storing your TOTP codes in a password manager? Some password managers do support this, but it is better to use two different applications so that both security “factors” — password, and TOTP — remain separated. So then where should you store seed phrases? While the answer is a bit more complicated, the short answer is: in your password manager. (If you have a crypto wallet with a lot of assets in it, consider a more complex scheme; otherwise, this approach should work for most).
📑 Wallet security: the ‘non-custodial’ fallacy (with Nassim Eddequiouaq & Riyaz Faizullabhoy)
🎧 Bridge hack, wallet hack (with Matt Gleason)
☑️ 16 steps to securing your data, and life (a16z)
-- Sonal Chokshi and a16z crypto teams