The term Web3 was originally coined by Etherium co-founder Gavin Wood as a secure, decentralized, peer-to-peer version of the Internet. The idea was to build an Internet based on blockchain technology and a peer-to-peer network, without the need for large data centers or third party providers. These days, however, blockchain is most famous as the tool enabling cryptocurrencies. Most recently, the Trump administration has taken on a pro-cryptocurrency stance, boosting blockchain’s popularity and media prominence.
Cryptography is central to the functioning of blockchains, whether for a decentralized web or for cryptocurrencies. Every time a cryptocurrency transaction is initiated, all parties involved in the transaction need to securely prove that they agree to the transfer. This is done via a digital signature: a cryptographic protocol that generates a secret, private key that is unique to each user and a public key that the user shares. Then, the private key is used to generate a unique signature for each transaction. The public key can be used to verify that, indeed, the signature was created by the holder of the private key. In this way, Web3 in every incarnation relies heavily on cryptography.
To learn more about the evolution of Web3, and cryptography’s role, we caught up with Riad Wahby, assistant professor of electrical and computer engineering at Carnegie Mellon University and a co-founder and CEO of hardware-backed Web3 security platform Cubist.
Wahby explained what Web3 was meant to be, what it’s become, and how hardware-backed cryptography will enable its future.
Web3 Began as a Response to What Came Before
IEEE Spectrum: What is Web3?
Riad Wahby: That’s the hardest question that you’re going to ask by far, because I don’t know how to answer it in a way that satisfies everyone.
The term Web3 was coined around 2018, by people who looked at the way that the web had developed. Web 1.0 was the first web bubble, the dot com bubble. Web 2.0 roughly speaking is Google and Facebook and Microsoft and Apple and Netflix, etc. And the perception, especially from folks who originally coined this term Web3, was that these companies had basically taken the web in the wrong direction, because your privacy is gone, and you’re the product, so to speak. You use Gmail for free because Google is mining your emails to sell better advertising, etc. Web3 was originally a reaction to this. Early proponents of Web3 basically said, “We don’t want that. We want to take back control of our stuff. I want to own my own data, and maybe cryptocurrencies and blockchains are the way there.” So that’s where the term originally came from.
What does the term mean now?
Wahby: Now it doesn’t mean anything like that at all. Now Web3 is the broader ecosystem around cryptocurrencies and blockchain-based technologies. And I think basically all of that revolutionary spirit has gone away in favor of building financial products and making a lot of money doing it. As far as I can tell, the term has really transformed from a reaction to a lack of privacy and a lack of sovereignty in my own data to “Hey, this is a technology that has something to do with blockchains.” Maybe you can buy some kind of speculative meme coin and make a bunch of money doing it. So I don’t know, maybe that took a dark turn at the end. That’s how things go.
How are those two definitions connected?
Wahby: Cryptography really fits into the revolutionary spirit, in the sense that the folks who want to cast off the chains of Google and Facebook, etc., one of the tenets was—”The way that we’ll do that is we’ll build this technology that’s sort of amazing and that gives us all these great properties.” And they were going to do that using some advanced cryptographic technologies. This is the reason that there’s so many people who are cryptography researchers at universities that also are involved deeply in some kind of cryptocurrency. Because it’s like this is a sea change in the way that cryptography gets used in the world.
20 years ago, it used to be that if you were working on really any kind of cryptography, regardless of how theoretical or how practical you intended it to be, you knew that there was not much of a chance that any of it was going to get really used in the world, unless it was extremely practical and extremely focused on solving some immediate problem. And it just used to be the case that people were extremely conservative about what kind of cryptography they used. Basically, everyone thought, “We don’t need any of this crazy stuff. That’s all theory. Nobody cares. The only stuff we need is what lets you connect to Amazon and safely buy stuff.” The rise of cryptocurrencies brought with it this whole shift in the way that cryptography gets deployed in the world, where now if you can come up with some interesting functionality that’s enabled by some advanced cryptography, probably somewhere somebody is going to try and turn that into a product that they can sell.
Web3 Is Both Good and Bad for Cryptography
What effect has this had on the cryptographic community?
Wahby: It’s both good and bad. It’s good in that this means that there’s a lot of motivation to build interesting, cool stuff. And as a researcher in cryptography, I love it because it means that, there’s tons more research money being poured into cryptography.
That’s the good side. The bad side is that the reason that people were so conservative about deploying new cryptography is that it’s easy to get the security mechanism wrong. The default state of cryptography is [to assume everything is] broken. You have to be very, very careful that each change that you make isn’t returning your cryptography to the default state. I’m not saying that people in Web3 aren’t careful. They are. It’s just by the nature of things, since it’s a much faster timeframe, there’s much more pressure to just push stuff into production. And I think the downside is that we have seen a little bit of brokenness. It’s hopefully not causing people to lose oodles of money. And I think the historical record bears this out, people lose oodles of money because other people are really dishonest, not because the cryptography is broken for the most part. But the cryptography can also be broken, and that can also be worrisome. But I’d say from the perspective of somebody who’s doing research in cryptography, the impact of Web3 on the cryptographic community has generally been a good thing.
Now you’re focused on hardware security. Can you explain what that is?
Wahby: Any cryptocurrency has this property that if I hold some token, and I want to send it to somebody else, the way that I do that is by producing a digital signature that says, I want to spend this token. The secret key is what lets you generate a signature. So if you have 10 Ethereum [cryptocurrency coins], and they’re all protected by this key, and somebody takes a copy of your key, then life is bad.
With a digital signature key it could just be sitting on your hard drive, and then you get some malware, and now somebody has silently stolen your key. There have been these big, broadly targeted malware campaigns where millions and millions of people have all had their keys stolen. So now the criminals are just like sitting there counting up all the money that they’ve stolen, and there’s no reversing transactions, unlike at a bank.
Here’s where hardware comes in. This is not really a Web3 technology, this is kind of old, good stuff. There are these devices called hardware security modules, and they’ve been used for multiple decades. This is a physical device, and this device can run certain cryptographic algorithms. And it knows enough that when you tell it, “Hey, please generate me a key,” it can generate you a key securely. And when you tell it, “Please give me a signature,” it can give you a signature securely. But the important thing is the way that it’s designed, the key never leaves this piece of hardware. It turns what was a piece of data into a physical object. And we know how to secure a physical object.
You’re working on extending hardware security for more use cases. Can you explain what you’re doing?
Wahby: There are two issues with the standard hardware security module.
Number one, you need more cryptography support, so you need to be able to apply digital signatures to transactions very quickly, if you’re actively trading. And number two, you need a way of expressing that it’s not just a key that can generate any signature. It’s a key that also has attached to it some kind of policy that says these are the kinds of signatures that are okay to generate, and everything else is not allowed, to add extra security. These are the two directions that we have that our technology enables within traditional hardware security modules.
We start with the security that’s provided by the traditional hardware security module, and we extend it using this, actually another piece of trusted hardware called the Trusted Execution Environment. We extend it to support the actual kinds of cryptography that are needed for Web3 and to support this rich programmable policy layer that lets you say, “This key is only intended for this specific kind of use,” or “anytime somebody tries to make a payment from this key, first I have to check whether the recipient is subject to sanctions,” or any other rule. So in the end, we have, not only a hardware security module, we have also this Trusted Execution Environment and this policy layer, and all this other cryptographic stuff that together gives us a hardware security module that’s really designed for the Web3 use case.
From Your Site Articles
Related Articles Around the Web