
All About Blockchain
How to Safely Navigate Web3
As crypto security remains a major concern, secure key management infrastructure is increasingly important.
A conversation with Riad Wahby, the CEO of Cubist. Riad is a leading academic researcher and applied cryptographer responsible for the design and specification of several cryptographic protocols that form the basis for many blockchains such as Ethereum and Avalanche. Additionally, he is an electrical and computer engineering professor at Carnegie Mellon University.
Lauren Weymouth: 00:08 I'm Lauren Weymouth, spearheading Ripple's University Blockchain Research Initiative, the UBRI program that supports universities worldwide, accelerating understanding, adoption and innovation with blockchain technology.
On this podcast, All About Blockchain, we look under the hood at what academic and industry partners are building across all different industries to give us a better understanding. The goal is to convey how blockchain is solving current challenges and making all different sectors more efficient.
Today we're gonna focus on infrastructure of crypto custody. We're joined by Riad Wahby, Co-Founder and CEO of Cubist. He's also a professor of Electrical and Computer Engineering at Carnegie Mellon University.
Now, I know Riad. Riad was an early Ripple UBRI fellow at Stanford while doing his PhD. He spoke at our 2019 UBRI conference on privacy. So, I've been following his career for some time now.
Riad, great to see you again. Welcome to All About Blockchain.
Riad Wahby: 01:02 Likewise, this is fantastic, and thank you so much for having me. It must be, as you said, five years ago we were, uh, at Berkeley, and I think I was giving a talk about anonymous airdrops. And, wow, yeah, very cool.
Lauren Weymouth: 01:12 That's right. Okay, so, just to give us a little background on yourself: you probably didn't start out thinking that you would develop secure key storage. When you were younger, what did you want to be when you grew up?
Riad Wahby: 01:21 Oh, geez. Um, you know, I- I went through a bunch of phases. I come from a family of doctors, and then actually, strangely, like, kind of, ended up at cryptography pretty soon after that.
So, like, when I was in middle school I was, like, the weird kid who dragged around a copy of Bruce Schneier's Applied Cryptography. You know, that really big, red book, which somehow I managed to convince my dad to get me. He was, like, "Is this really appropriate? Like, do you care about this stuff?"
I was, like, "Yeah, it looks so cool." Um, and so that's, kind of, what convinced me to think about computer science, all of this. So, I was working on all kinds of weird stuff on the computer, the internet was new and things were cool. Uh, and cryptography, it was, like, "Oh, this is a really cool thing."
And then somehow I wandered away from that and ended up, uh, as an electrical engineer for a long time. For undergrad I, you know, did, sort of, a combination of electrical engineering and computer science, uh, but then ended up as, uh, a circuit designer.
I worked for about 10 years as an analog and mixed-signal circuit designer, which has very little, uh, (laughs) to do with cryptography. And then, strangely, again, like, one of these weird turns, I was convinced by a good friend of mine, Mike Walfish, uh, to quit my job and go to grad school. Which, yeah, it worked out okay. I mean, it was pretty fun. Uh, it was, sort of, interesting. And I ended up back in cryptography, which is, kind of, where I started.
Lauren Weymouth: 02:32 Well, I think it's interesting for our listeners to hear. I think what you've done is, kinda, a dream for a lot of grad students, where you're still straddling academia, but you've started and launched your own company. So, you're in the industry as an entrepreneur, and a well-accomplished cryptographer at that.
Now, when you were back with Dan Boneh, doing your computer science PhD, you were, kind of, involved in everything in Web3. How did you start to focus on security?
Riad Wahby: 02:58 The earliest stuff that I worked on that was even close to Web3-related was really around zero-knowledge proof systems. And actually that's still mainly what I think about in my, uh, research life. Some of my PhD students now are thinking about, uh, ZK proofs. But also, you know, more generally about computer security.
We, kind of, worked on all these things, and little by little ended up, sort of, coming closer and closer to actual practice. You know, some of the earliest stuff, it was, like, "Yeah, in theory you could do this."
And then, actually, the anonymous airdrop, uh, protocol actually deployed; at least one protocol used it to actually, uh, send airdrops to people. And so, that was, like, really cool, because it was, like, "Oh, wow, we can actually, like, get this out into the hands of people who will really use it."
And then Dan and I ended up working together on a standard for, um, a signature scheme, like a digital signature scheme that's now used by Ethereum in the Ethereum beacon chain. Writing a standard was, like, this very interesting, uh, thing.
And so, as I, kind of, did more and more of this practical stuff where I was really interacting with developers day-to-day, I, kind of, got more and more convinced that actually, there's a ton of work to do, kind of, connecting even stuff that seems really boring, like key management, but doing it in a way that's really, really good.
And, by the way, when I say "boring" I mean that in a good way. Like, I wanna (laughs)... this is, like, you know what? You really just have to get this stuff right. And everyone needs to do it. So, it's not, like, there's only three companies that are working on the most cutting-edge, you know, whatever, proof system or fully homomorphic encryption or something awesome like that, right? And that's super cool.
But on the other hand, like, at the other end of the spectrum, it's, like, everyone has this problem. And, like, when we go talk to customers, everyone is, like, "Oh, yeah. Well, we have tons of keys, we need to manage them somehow." And so, really, I was just drawn to that problem, where it's, like, everyone's got this problem, we really wanna solve it in a really clean way that actually, really helps performance, and helps security in the whole space.
Lauren Weymouth: 04:43 Okay. And take us back a level. Like, when we're talking about the limitations of current security mechanisms in crypto and in fintech initiatives, what are the most pressing issues?
Riad Wahby: 04:53 This is a great question. This is, like, two sides of one coin. I actually teach one of the undergrad computer security classes at Carnegie Mellon. And we spend a good portion of the semester thinking about a unit called "Human Factors." And it's, like, when you build a secure system, if there are only three people who are able to use it effectively, then you failed, right? Because everyone else who tries to use it is using it wrong, somehow, right?
And so, to me, this is actually one of the places where we still have a lot of work to do in the Web3 space. And part of that is just, we really are trying to appeal really, really broadly, right? It's not the same thing as, you know, in traditional finance there are a few companies and a few people inside those companies who really understand how PINs are protected when you go to an ATM and, like, type in your PIN.
There's a really complex system that lets you type in your PIN securely on an ATM and it gets checked by our bank. I don't need to understand that when I go to an ATM. There's a nice user interface, I type in my PIN, life is okay.
All right, we're trying to get to that point in Web3, but we're doing it in a much less well-organized way. And that's, kind of, by design, right? It's decentralized. Everyone can, kinda, join in, can build things. And, so, unfortunately that means that we end up having a lot of, sort of, reinvention of the, like, human interface wheel.
It sounds, like, "Oh, is that even really a security thing?" Yes, absolutely. Human interfaces for security are super important, because, like, the most secure piece of software, again, if I can't use it correctly, doesn't help me, right?
So, that's one place where I see that we still have a ton of ground to cover. To spend 10 more seconds on it, I promise I won't belabor. I think one of the things that we need to do to get there is, there's a little bit of, like, an attitude shift that we need in the whole industry. And by that I mean this: most of us who are currently in Web3, we discovered it or, we, you know, fell into it, or somebody told us about it. And then we went out and, like, consumed every blog post and, you know, Discord channel we could and, sort of, through trial and error and making a bunch of mistakes we kinda got stuff figured out.
And now it feels, like, "Well, I fought for all this knowledge that I've got, and so everyone else should have to do that, too." And it's, like, well... my dad is not going to, right? Like, he doesn't wanna read, you know, Discord channels before he, like, sends money to somebody. He just wants it to work, right? And I think many people are in that boat. So, if we can, kind of, get over that, like, hazing (laughs) uh, mentality a little bit, whether conscious or not, I think that'll help.
As far as another kind of technical security mechanism goes, where I think there's a lot of room for improvement: if you think about it, everything in, you know, Web3, basically every action I take is mediated by something, like, uh, a secret key, right? A signing key, right?
If I want to send a transaction, I have to sign the transaction and then send it to the chain. Or, if I'm trying to generate a new identity on a new chain, what do I do? Well, I derive a new key.
And, okay, so, everything is about, like, these secret keys. They're, kind of, our interface to the whole world, right? I can't touch Web3 except through my key, right? And so, that's a really interesting point of leverage for trying to figure out, okay, well, what do I mean when I say that I'm interacting with Ethereum using this key, right? If I go to a gas station and I pull out my wallet, it's, like, well, (laughs) there I am, it's just me. (laughs) My wallet's right here. I'm not really worried about, you know, whether simultaneously my wallet (laughs) is getting used, you know, at another gas station 100 miles away.
But the same is not true in Web3, right? Because, you know, somebody could just, like, maybe break into my computer, steal my key, and then off they go, right? Okay, so, having, um, the ability to specify in a really, uh, sort of, fine-grained way, "This is what my key is allowed to do. This is what my key, you know, should do. And anything else is considered out of bounds." And the key should basically just refuse to do the wrong thing, uh, whatever that means.
I think that would end up being a really important and a really crucial safeguard for every interaction. If I know that this is a key that I use for a trading strategy that I'm executing, and that trading strategy has these parameters, then any signature somebody requests from that key that doesn't match, at least roughly match, that trading strategy should just be, like, "Well, no, because I know that that key should never be used for this thing." So, like, don't pay the bad guy, because, it's like, that's not (laughs) part of my trading strategy, right?
So, I think really getting into this mentality that it's not just a key. It's a key and it's a set of capabilities that the key has. And anything else, the key just doesn't do that. I think once we get to that point, then we really have a super powerful way... and by the way, also a super intuitive way, of protecting ourselves from things like key theft and fund theft.
Lauren Weymouth: 09:23 Absolutely. I mean, that's actually a new thought for me. The ability to be able to put parameters around your keys as a secondary safeguard. So, if I only like to trade a certain type of day, a certain digital asset on a certain exchange, and it's happening somewhere else, that it's gonna stop and check in with me, and send me some kind of text or email or ask for some kind of authentication because it knows, maybe, "This is out of my bounds." That would be awesome.
Riad Wahby: 12:26 Yeah.
Lauren Weymouth: 12:26 Going back to what you were saying earlier about increasing widespread, or removing barriers to, people getting involved in this, like your dad. Or, you know, my sister recently has been actively asking me questions about crypto and wanting to learn more. Part of the thing that we're up against is that there are still major concerns with crypto fraud. And it's an unfortunate byproduct of cryptocurrency getting more worldwide traction.
I think we're all looking for there to be more safety measures, to reduce our vulnerabilities. Explain to us how you see cryptography addressing these shortcomings, and what advancements are most promising in the near future?
Riad Wahby: 10:23 Yeah, so, I think a couple things here. Let's think about it from, like, a Web2 perspective. Like, you know, 10 years ago, nobody's really thinking, maybe 15 years ago, nobody's really thinking about cryptocurrencies. But people are doing tons of transactions online. Right?
I mean, first of all, people definitely do get scammed (laughs) in Web2 every day, right? Like, we shouldn't just say, "This is a Web3 problem." It's certainly a problem for everyone. I think the prevalent thought on this is, yeah, Web3 is, kind of, rife with scams, whereas in Web2 there's, kind of, some safety bounds. We, kind of, know, you know, I go to Amazon and I buy something, I mean, unless I managed to buy something counterfeit, like, probably I'm getting something that's what I ordered, right?
Why is that? Well, in Web2 we have, kind of, this actually quite curated set of people who tell us stuff is safe, right? And we don't think about it, because it's all, kind of, under the covers, right? It's, you know, my browser knows that there are certificates that are signed by certain certificate authorities and those people are considered trustworthy. And those are the ones who say, "Yes, you're actually talking to Amazon." And so, kind of, all of that happens really smoothly.
But at the bottom that's basically a reputation system, right? In Web3, we don't have that same kind of centralized authority, and that's good. It's also bad, right? And this is one way in which it's bad. Like, there isn't just that, sort of, easy, like, off you go, uh, you know, that this is probably Amazon.
I think one of the things that we're going to start to see is some more of that kind of reputation-based system. But in ways that are, kind of, more compatible with the decentralized ethos of Web3. Right?
A lot of folks in the last couple of years when I've gone to conferences, some of my students have been super interested in things like, um, federated identity, or, you know, self-sovereign identity, uh, things like anonymous credentials.
And one of the reasons for that is this actually gives us, kind of, a glimmer of hope. Really, in two directions. In one direction I'm preserving my anonymity, and we can come back to that. But in the other direction, having this, kind of, more robust credential system, uh, kind of, in place, not in a way that, kind of, forces me, like, "You must trust Google." But, you know, you can have a, like, a reasonable set of people that you trust and, like, over time you're allowed to expand them on your own, and stuff like this.
But, having, kind of, that safety net there, uh, in a way that's just, kind of, easy for everyone to use, I think that's really the way that we start to see a lot more trust and a lot less of the, "Well, is this thing a scam?"
How do we get there? Well, I think there are, on the technology side, still a few questions to answer, especially, um, because right now we seem to have a little bit, uh, of the question of, like, "Who do I trust? And how do I, uh, sort of, gain that trust?" It's a little bit bound up in the complementary question, like, "How do I prove my identity to other people?"
And those two things really are closely related, so it makes sense. I think that maybe there's a little bit more focus on the second one, especially around preserving anonymity. Um, and so, maybe this is a little bit of just another kind of mental shift required in the industry.
But then I think the other thing we really need to do is actually get, uh, more and more, kind of, big protocols to participate in this sort of thing, right? You know, if I go to Coinbase, uh, like, I can click on some stuff and they will basically present me with a set of tokens that they've curated as, like, more or less trustworthy, to first order, right?
But if I'm trying to do the same thing in, you know, an ecosystem that's really all about, sort of, uh, meme coins and stuff like this, there's not that same thing because it's a different ethos. This is a, sort of, freewheeling, you know, everyone gets to, kind of, play, uh, ethos.
And so, trying to marry those two things, right? Trying to have, kinda, a broader reputation system, uh, a way for me to gain confidence that, like, "Okay, here are these people, they're pretty well known. They say that these two things are good but this other thing is bad." Like, having that kind of thing at my fingertips, where I don't have to go dig through Discord channels to figure out (laughs) uh, whether something is a scam or not, is, to me, really huge.
And then the other thing, I think, that we're, of course, going to have to see, and I think we will, and maybe this sounds like a bad thing, I don't think it is at all, is just, you know, an improvement in the way that law enforcement deals with these scams. Like, today, I think a lot of times you get scammed and then, like, it's done. And maybe the scammer gets caught, but I think a lot of people have a notion that, "Eh, the scammers just don't get caught all that frequently."
So, like, in some sense the playing field is set up (laughs) for the scammers, right? They get to do it and then they, kind of, get away with it.
I think, really, just changing the game theory a little bit there. Making it less likely that they succeed on the one hand, and also more likely that they get caught when they try, on the other. You can, sort of, start to see, uh, almost, like, a phase change in the industry where those scammers just, sort of, recognize, "This is just not as profitable anymore. It's too risky. I'm just not gonna do it."
Lauren Weymouth: 14:52 I mean, we could spend an entire other show on desired legal protections in the industry. (laughs)
Riad Wahby: 18:37 (laughs)
Lauren Weymouth: 18:43 But I wanna, kinda, dive deeper into the importance of cross-industry partnerships in creating a safer Web3 space. Can you share a success story where collaboration between protocols has significantly enhanced security in the crypto space?
Riad Wahby: 15:09 Oh, yeah, absolutely. Cubist, uh, sort of, uh, helped to launch, uh, what we call the Secure Staking Alliance. And this was a little over a year ago. And that was really focused on how do we, sort of, put together best practices for people who are running, uh, you know, validators and other staking-related infrastructure, sort of, the basic stuff that's running everything, right?
The perspective, or, at least my perspective from a couple years ago or more, was that, um, there was a lot of, maybe you could call it folklore and knowledge in the industry. There were people who were, like, "Yeah, this is basically the right way to..." Uh, for example, run a whole big bunch of Ethereum validators, right? Like, if I'm running a farm of Ethereum validators, I've probably over time, kind of, worked out, like, this is the way that, you know, how to make operations smooth. This is the way that I'm going to keep my key secure. This is the way I'm gonna prevent slashing, and this sort of thing, right?
Partially because of the, you know, decentralized ethos, uh, you know, I think we had a lot of reinvention of the wheel in things like that, right? And so as the older players, sort of, have that knowledge and newer players don't, it just, sort of, makes it difficult for people to enter and play in the market, right?
So, our thought here was, "Look, we wanna just, like, kinda, level the playing field a little bit." Kinda, have a set of standards, or at least a set of, you know, descriptions of, "These are the kinds of things that you're going to need to worry about. Here's a problem that you probably wouldn't anticipate up front, but you will have to deal with at some point," right?
We saw a lot of interest and a lot of participation across the industry. There were folks who were doing things like providing insurance. There were folks who were, uh, actually running validators, who were running, uh, liquid staking protocols. All of these folks, super interested in, kind of, getting together some, uh, kind of, community knowledge that would help everyone to advance the state of play, right?
And I think we're also seeing that more recently, in things like the Babylon ecosystem, in the EigenLayer ecosystem. In these places where, you know, you have (laughs) this extra complexity on top of stuff that's already been there, right?
And now that we've added this layer of complexity, well, we also add, you know, a whole bunch of new knowledge that people need. And so by sharing that knowledge and by, sort of, making sure we have people at least, uh, hitting some minimum standard for, say, securing their keys, this does a few things. Number one, actually, like, it just reduces the (laughs) amount of threat in the industry, right?
But the second thing it does is, it really gives people who aren't, sort of, deeply in the weeds on the technical details, it gives them, you know, a relatively easy heuristic for, "Should I trust this or not?" Right? Because if somebody says, "Look, I'm following all of these procedures that, you know, were developed in coordination with the rest of the industry and you can see the document here. Yes, I'm doing these things."
I don't have to go in and look in detail at, like, was this the right decision? Was this the right decision? I just, sort of, have a high-level notion that, "Okay, they're basically doing the right stuff, they're trying to follow industry standards." And that gives me a little bit more comfort.
This is kind of related to the reputation thing, but maybe we can think about it more generally as, uh, (laughs) almost this information infrastructure that you need, kind of, on top of the (laughs) technical infrastructure, right? We need a way for people to discover who's behaving in a way that's, sort of, conducive to security and who's behaving in a way that's not.
And one way to discover that, of course, is to, you know, get your (laughs) phone stolen. But we'd rather (laughs) discover it before that happens, right? And so, we'd rather make it really, really easy for people to say, "Ah, these folks, probably they're doing the right thing. These folks, hmm, maybe they have some practices that are a little questionable. And so, I can make a decision before I risk my funds who to go after, or who to invest with, or whatever."
Lauren Weymouth: 18:40 Yeah. Well, big kudos for being a part of creating the Secure Staking Alliance. Having been at Ripple for almost seven years, we're also in the spirit that Web3 benefits from stronger cross-industry collaborations in the space. The feeling that a rising tide lifts all boats.
Riad Wahby: 18:56 Absolutely.
Lauren Weymouth: 18:57 And brings down those barriers to new players coming into the space, just as you said. Have you had any challenges with building these partnerships?
Riad Wahby: 19:03 Yeah, absolutely. I mean, folks think to themselves, "Should we be spending time on this?" You know, everyone's, kind of, busy all the time. Like, is this the right way to, you know, allocate time?
Number two, "Is this helping my competitors?" I think it's a reasonable question to ask, like, "Does this help them?" Sure, it also helps you, and it helps to, kind of, build trust in the system. And exactly as you said, the rising tide is the effect that we want here, we want all the boats to be lifted. I think these are the kinds of questions where we tend to see things.
And then, of course, you know, the people who have more seniority and more experience, um, I think, again, it's justifiable, but the first response might be, "Well, look, I have, kinda, all this hard-won secret sauce, maybe I'll just keep it for myself, right? And my (laughs) my..." Uh, you know...
Lauren Weymouth: 24:34 (laughs)
Riad Wahby: 24:54 "My protocol will just be more secure, more efficient than yours." Again, it's, kind of, a totally justifiable thing, like, this is hard-won knowledge. From my perspective, the thing that's been most successful in, kind of, convincing people to move away from those, uh, objections is to point out, uh, exactly as you said, this isn't a zero-sum game. This is something where, as we make the whole industry better, more people come into the industry, and there's just more available for everyone.
So, I think growing the pie is really the most convincing counter-argument that I can give. And in general, I think people have been convinced.
Lauren Weymouth: 20:20 Yeah. Inspiring. Okay, zooming into your baby, Cubist. Uh, who are your co-founders and when did you launch?
Riad Wahby: 20:26 We've had a system out in production for nearly two years. Um, and we actually started the company two and a half years ago, a little more than two and a half years ago.
My co-founders. Our Chief Operating Officer is Ann Stefan. She's got a ton of experience in fintech. She was in operations in fintech for about 10 years. Including doing a bunch of work in a high-risk vertical preventing fraud and doing, kind of, compliance work. So, that's super, super helpful, right?
Lauren Weymouth: 20:50 Perfect.
Riad Wahby: 20:51 Because we have this perspective on... Yeah, exactly. We have the, like, the operations perspective on security. Which is, um, up until I, you know, spoke extensively with Ann about it, I hadn't really thought about. But that's, kind of, this huge other hammer that we have, which is fantastic.
Lauren Weymouth: 21:04 She's your businessperson. (laughs)
Riad Wahby: 21:06 Um, that's right. Absolutely, yeah. She's our business savior. My two other co-founders are Deian Stefan, who is a professor at UC San Diego. He's, sort of, programming languages and security. He helps run the security group there. He's done a ton of work on all kinds of really interesting both attack work and defense work. So, yeah, really, really, like, core security dude. Great person.
And Fraser Brown, she's a professor at CMU. She works on program correctness, bug finding, verification. So, very much security-aligned, but much more on the, kind of, let's prove that this program has the correct properties. Let's detect, uh, bugs in operating systems and browsers and stuff like this, automatically, so that we can, you know, find them before the bad guys do.
So, really, really super different perspectives from mine on computer security, and I think together it's been a really interesting thing to, kind of, build a system with somebody who thinks about, "How do we build this from the ground up to, um, make it correct?" How do we build this in a way that lets us take advantage of programming language features? Essentially all of our code is in Rust, so we can take advantage of, like, really nice programming language features to, sort of, statically guarantee certain security things.
And then, of course, I get to think about cryptography, which is what I like to do. Uh, (laughs) so, it's really fun.
Lauren Weymouth: 22:14 I'm looking at you, so I can see the passion in your eyes and, and the energy that you're putting towards this.
For you, what was the light bulb moment when you actually realized, "Wow, I'm gonna make a company out of this idea?"
Riad Wahby: 22:24 It wasn't quite such a straight line as that. So, we actually (laughs) we-
Lauren Weymouth: 22:27 No, it never is. (laughs)
Riad Wahby: 22:28 No, yeah, of course, right? Someday I'll revise the story and it'll be, like, "And there it was, I had the idea in my hands." Um, but until then, no, the really true version of it is, we really started out thinking about Web3 security, but actually a slightly different, um, question in Web3 security. Much more on basically how do you build distributed applications in a way that, even if your application is running across multiple chains, you can still, sort of, ensure properties statically, and ensure the security of your DApp and all of this.
And, by the way, I still think that's a fantastic question, and I think it's, of course, a really, really hard thing to do. Like, many of the hacks that we see are in bridges and other, kind of, cross-chain communication links, right?
So, we started, you know, kind of, working on that in earnest, and as we did, one of the things we realized was, "Well, look, if you're gonna do real (laughs) software development with, trying to get all these, kind of, super great static guarantees, one of the things we're going to need is, like, a really great, uh, kind of, testing story."
And so, (laughs) that was actually where the CubeSigner idea really, really came from, was, like, "Well, we're gonna need a bunch of automation around, like, all the key management stuff that we have to do in order for, like, the rest of our system to work." And so, then we went and talked to a bunch of customers. This is actually the closest thing to a light bulb moment, was after talking with dozens of customers... And by the way, that was because Ann told us, "Look, you guys have to just talk to customers. You can't sit in the basement writing code all the time."
Lauren Weymouth: 29:25 (laughs)
Riad Wahby: 29:50 Which, it turns out, is true. Well, no, I'd like to, but it doesn't help, I think. Um (laughs)...
Lauren Weymouth: 29:57 You're growing. (laughs)
Riah Wahby: 29:58 Yeah. So, basically we would talk to customers and they would, frequently they would say, "Yeah, you know, that is, that's a super interesting problem, and definitely I can see that we will have that in a few years. But you mentioned this, like, automatic key management stuff, and that sounds really interesting, because that's a problem we have right now."
And basically, we just heard that story over and over again. It was, like, "Well, when we were two developers, we just had some ledgers and that kind of worked. And now we're 12 developers and we're on 14 different chains. And the products (laughs) turns into something, right?" And so, [00:30:30] that was the moment really when we realized, "Look, this is actually something that's completely missing, um, is this ability in a really secure, totally programmatic way, do things, like generate all my keys, generate signatures in an automated way. Set policies, this thing that I was talking about earlier, where you basically say, 'This key basically has these powers and no others.'"
Really being able to do that in a fine- [00:31:00] grained way that, that is really responsive to automation. And that really was the, the, the closest thing to a light bulb moment for us. Since then people have had a similar light bulb moment, but that's great. That's, sort of, confirmation. Like, I think, nowadays, we're seeing a lot more interest in this highly automated stuff.
And I think if you look at the corresponding technology in, in Web2 you'll see things [00:31:30] like HashiCorp Vault, and a lot of these, uh, technologies that are roughly analogous, and clearly, like, core to the way that a lot of, uh, businesses in Web2 operate.
In Web3, it's even more that, right? Because in Web2, generally speaking your finance team doesn't have to use your cryptographic keys. But in Web3, if I'm, like, a fully on-chain business my finance team, my ops team, like all those folks, their interface to the world is also cryptographic keys. And by the way, they're probably not developers which means, you know, you really need to give them, uh, the right kind of security, the right kind of, you know, policy enforcement, the ability to have, you know, multiple sign-offs. Whatever it is.
To us, this is, like, a really, really cool area to be in. Number one, because it, kind of, I mean, it touches all of my co-founders' interests. Whether it's, you know, sort of, fraud prevention from Ann, or, you know, using programming languages or verification or cryptography, whatever it is, right? Um, so, it touches all of that, which is great. That's the bonus. The, the actual part that, that's really important, I'd say, is, this is a problem that is, sort of, pervasive in Web3.
Lauren Weymouth: 26:04 Yeah. I mean, the need for security at all levels is profound. So, you're playing (laughs) at the right game. Can you share with us some of your customers or clients that you're building security for?
Riad Wahby: 26:13 We've been working a lot recently in the Babylon ecosystem. So, we work a lot with Lombard. They are, I think, currently the biggest, sort of, Babylon-related Bitcoin LSTs. That's a really, really cool protocol, and we've had a lot of fun working with those folks. They're super sharp and they've got really awesome stuff going on there. Our technology actually powers, um, the Avalanche Core Wallet, which is the first-party wallet in the Avalanche ecosystem. And this is, you know, basically what enables folks to do things, like, "Hey, just sign up for, you know, sign in with your Google account. Now you've got [00:33:30] a wallet. If you need it on another device, great. Just sign in there, off you go." Right?
And so, uh, actually, I'll just pause there and point out, those are super different, uh, use cases, right? But both of them really fundamentally need really great key management.
We're working with folks like Consensus, we're working with, uh, actually, our very, very first customer was Anchor. We're working with them on, uh, on an Ethereum LST, uh, that they've got, had running in, in production for a long time. Um, we've got a bunch of other Ethereum LSTs that we work with.
So, yeah, we're, we're kind of across the, the spectrum here. I'm certainly forgetting a whole bunch, because, I haven't listed the majority of our customers. (laughs) I'd say we're, we're, kind of, doing a bunch of really interesting work, both in the, like, full automation side of things, and in the, kind of, very user-facing things, like, like end user wallets. And fundamentally, the technology that's supporting these is all based on having secure hardware to store the keys, making sure that you can apply policies, having a really great, uh, set of authentication mechanisms, and, kind of, backup security and all of this. So, yeah, it's pretty fun.
Lauren Weymouth: 27:39 Well, I love hearing about the variety of projects you get to work on. Like, the, the vast ways you're helping out these protocols. And big names. That's really impressive clients that we all have heard of. That's very cool. How would you say that your custodial key storage and secure hardware addresses the limitations differently than existing solutions? Or, how do you differentiate from competitors that are rising up in the space?
Riad Wahby: 28:00 That's a great question. We're never the custodians. So, that al- already differentiates us from a bunch of people, right? So, we're providing infrastructure that's very much like what a custodian would use. Which, I- I think is super interesting for many customers who aren't ready to s- have a whole team developing their key management infrastructure.
I would say our biggest differentiators, uh, are, effectively, look, we are f- fundamentally building on top of secure hardware. So, we're using hardware security modules, secure enclaves, kind of the same stuff that's used, uh, in Web2. Like, if you look at the, the way that eCommerce is, um, secured today, [00:36:00] there's, what, $33 trillion worth of eCommerce, and basically all of it comes back to the security of these hardware security modules that are powering things like certificate trees, right?
So, fundamentally, we look at that as the best technology to use for, uh, key management. And another word for that is the most boring. Like, we're not interested in doing, like, the most exciting, most advanced cryptography, because, uh, and by the way I am personally excited about (laughs) using the most advanced cryptography, because I'm a cryptographer. But, when I look at the problem like this, I think, "The right tool for the right job." And to us, that's secure hardware.
So, that's one really, really big way in, in which we differentiate on a technological side. Now, from the perspective of the user who's actually touching the thing, uh, compared to our competitors, the response times are about 100 times faster. Operating cost is way cheaper, and we're able to handle a much, much larger volume of signatures and volume of keys than the competitors because, as I said, we're kind of, using the right tool for the right job.
Another thing that I- I think we tend to see as a really big positive, uh, at least for some customers, is that, y- you know, we have a couple different ways that we can interact with the customer. One is, if a company comes to us and says, "Look, we just, we need a service that'll just handle all this stuff for us, give us an API." That's good, that's easy. We're able to do that in a way that ensures that, you know, either they're the custodian if it's their keys, or, they're not the custodian, their end users are, if it's something like a wallet.
On the other hand, you know, we have some customers who come to us and say, "Well, we really need a solution that can be installed into our infrastructure and can run there." And that's also something that we can handle. So, we have, we have customers who are, basically, you know, run their own, sort of, pocket universe version of CubeSigner, um, where, y- you know, they have full control over everything. And, you know, for, for sophisticated customers that's a, can be a really important requirement.
So, I'd say y- the, the, kind of, flexibility in, not only the deployment model but also the custodial model, is really, really, really important to customers.
So, overall I'd say, look, security, performance, flexibility, these are the places where we differentiate.
Lauren Weymouth: 30:32 Winning features. I'm sure Ann is proud of you for saying all these things. That you've really thought very well through how to distinguish yourself from competitors.
Ooh, quick question, how did you come up with the name Cubist?
Riad Wahby: 30:43 You know, if you ask all f- all four of us you'll get probably four different answers.
Lauren Weymouth: 30:49 (laughs)
Riad Wahby: 30:50 Although it's, ri- I think it'll be, like, you know, recognizable. Maybe there's a Kurosawa film that's relevant here.
We were sitting around one day, we were thinking, like, "Oh, maybe it, you know, it's, like, um, we're, we're, kinda, re-envisioning the way, w- we're, kinda, we're kinda taking it apart and putting it back together again. What do we... Ah, that's, like, kinda like Cubism, right?" Like, it's sort of, uh, an- anyway.
So, w- we're, we're art nerds and, and, and this, [00:39:00] kind of, stuck out to us as, like, related to, to the Cubist movement in a sense, that we're, kind of, re-imagining the way that you, you look at the world through keys, I guess.
Lauren Weymouth: 31:22 Now, you're two, two and a half years in, this is just the business development person in me, I mean, you're still really busy creating all the mechanisms, and safety protocols and building your client list. But, is there an exit strategy in mind?
Riad Wahby: 31:35 In one word, no. (laughs) We're, we're really focused on building the best product we can. I think that this is some, something that's in such high demand that, we have, essentially, infinite opportunity to, um, worry about every detail, every technical detail, every business detail of this thing. And, and so, I think for that reason more than any other we're really still focused on those things.
But I think if you, if you zoom out and look broadly at the way that, like, the Web3 market is going generally, like there's a huge opportunity in the next few years for, kind of, everyone in Web3, right? What everyone seems to think is that we're pah, potentially entering a friendlier regulatory environment. That gives more certainty. That makes it more likely that we'll see a lot of participation.
From our perspective what that means is, there's going to be a lot more of the, kind of, mature interests whether that's, um, sort of, en- enterprises, or, or, y- you know, sort of, larger companies that are getting into the space. I think that this is the one reason to think that, like, there's actually a ton of growth, s- potential still hanging around.
[00:40:40] So, I- I think we're more focused on that at this point, than on, uh, "How do we get out of here?" (laughs)
Lauren Weymouth: 32:34 No, well, understandable. I mean, I can hear in your voice that you are, still in the early days, very excited about what you're building and not thinking about the end. (laughs) Or, or enterprise adoption, you know, or something like that.
For the listener who is not a crypto native, like your doctor dad, or my pharmaceutical sister, who are just starting to dabble with digital assets, what are some steps they can take in the Web3 space to protect themselves?
Riad Wahby: 33:00 Yeah. This is a really good one. So, um, I think, uh, "go slowly" is a really super simple way to put it. I think one of the things that, um, folks t- tend to see when they get into Web3, like, initially, is there's just this huge amount, like, like, just an overwhelming amount of information. There's just so many different things that you can do that all fall under the Web3 umbrella, right?
I think many times, y- you know, it's, like, "Well, let's skip the shallow end, let's just, let's jump right into the deep." It's, like, well, okay, that can be okay, and you can, kind of, get out the other side and, uh, look, many of us who are in Web3 now did exactly that, right?
Maybe the sharks (laughs) are bigger than they used to be. So, it makes sense to, to really think, uh, carefully about, like, let's, sort of, get the concepts down first. Let's do the boring things for a while. Uh, and then, uh, maybe get into, sort of, more advanced things. So, okay, what does that mean, more concretely?
It means maybe stick to a few really well-known chains, DApps, whatever it is, just, kind of, you know, get used to the concepts. Maybe, really figure out how you're interacting with the Web3 space, and then, you know, get into the crazy stuff, right?
Sort of, tucked in as an addendum there is, "By the way, like, many, you know, all of the same kinds of attacks you tend to see by email, whether it's phishing or spam or whatever, you're gonna get here too. (laughs) So, so be on the alert for it." Um, so that's one, one class of, uh, of, uh, uh, maybe warning, is, go slow. You're, you, you, you got plenty of time.
A second one is, uh, I'd say, and, and primarily this is because I'm, you know, thinking about keys and wallets all the time, is, think really carefully about, you know, what you're gonna do for a wallet solution. I think the tendency is, like, "Oh, let's, I mean, that's the boring part, I don't care about that," but this is, yeah, this is your interface, and this is really the fundamental portion of your security, right?
If I'm trying to do tiny transactions, eh, that's okay, fine. If I'm getting $5 or $10 in, no problem. But, the thing that you, you tend to see is, you know, two weeks ago I had $5 or $10 bucks and now I have $500 or $1000 bucks, and maybe a few weeks from now it'll be $5000, or whatever. Okay, now, we need, at some point, you need a shift, right? Because if you're still using, you know, whatever, kind of, rando wallet that you just downloaded, who knows, uh, whether that's gonna remain secure, whether it's getting updates, whether it's just been sold to somebody that's just gonna turn it into a scam, whatever it is, right?
At some point it makes sense to think carefully about, "What is the, you know, wallet software that I'm using, is this software trustworthy?" And it's unfortunate, I think, partially, that we're in the situation where, you know, kind of, each individual has to think, like, "What's my software supply chain look like?" But that's where we are. And so, using products that are, built carefully and, and maintained by, you know, trustworthy folks, I think, is, is, kind of, crucial. Because if you don't have that, you don't have anything.
We power a bunch of wallets. (laughs) I would always recommend those. The one that jumps out, um, which I already mentioned, is the Ava Core Wallet. It's a nice user experience. If you've used the sign in with Google or one of these options, you're, you're powered by CubeSigner, so your keys are basically stored in a remote, private HSM, and that lives in the cloud. [00:45:00] Um, you can use it from a bunch of different, uh, devices, and you get really, really strong security.
So, I'd say, that, that to me is, like, if you don't have good wallet security you, kinda, don't have anything. Um, so, that's a really crucial one. The third thing here is, um... And this is not an, uh, maybe computer security thing, it's just, like, kinda, think through, if somebody is promising you a lot, like, Web3 isn't magic. (laughs) If something seems too good to be true, it definitely is. That's still true in Web3 even though maybe we, we'd all like it not to be.
So, just, y- you know, uh, y- you know, come armed with, uh, ample common sense.
Lauren Weymouth: 36:32 I say the same things to students in blockchain clubs who I'm talking to. There's no such thing as a sweepstakes, or, giveaway where you have to pay them first. That makes absolutely no sense. Stay away from that. Or, if you're getting emails or texts from unsolicited people that seem to know you, or there are spelling or grammar errors, like, stay away from that. (laughs)
Riad Wahby: 36:52 Absolutely. Absolutely, yeah.
Lauren Weymouth: 36:53 Yeah. And then for, you know, the listener who's, like, an exec at a more traditional company, or, organization who's looking to use blockchain, maybe, or dabble in digital assets for their company, what are some things that they can think about, or, or do in adopting systems to ensure a safe interaction?
Riad Wahby: 37:09 When we speak with, with bigger companies, you could, kind of, divide it into two worlds. The, the really good world is when I talk to somebody who's like, "All right, we're thinking about building in Web3, and here's the reason. This and this and this is gonna be more efficient. We're gonna be able to do it this way. We're gonna be able to reduce this cost, uh, or, you know, improve this efficiency or whatever it is, um, because we're switching to, kind of, a fundamentally better technology."
When I hear a story like that I love it because the person, kind of, knows why they're doing it, and, uh, uh, you know, their, they have some expectation, they have some bar that they're, that they're gonna try to hit. Which is great, okay? The less good world is, "Well, seems like everyone else is doing it, so we should, too."
And you know, basically, if you don't have a standard to meet, then, uh, one of two things is gonna happen. You're gonna waste a bunch of time, or you're just never gonna be happy. You're gonna be, like, "Well, well, shouldn't it be better than this?" Right?
So, I- I think set an expectation, whatever it is, set it. Figure out, like, what is reasonable. And, maybe adjust it over time if it turns out you undershot or overshot. But, like, figure out, like, "What is my goal?" And then do that. And that sounds so dumb and simple that (laughs) maybe I shouldn't even have said it. But, this t- this seems like the number one failure mode that, that we've tended to see is folks who really just, like, don't have a metric yet.
Okay, getting more into, like, technical weeds, I think one of the other things that you're really gonna find quickly is, it is really easy to build a system that just, kind of, limps along. Um, and (laughs) you know, it'll work c- when there's not much pressure. And it'll work, you know, as, as a demo. And that's it, right?
And, so if you do that, like, you know, it's possible to build up essentially infinite technical debt in Web3, right? Because Web3 cu- te- technology is very complex. Because there's all kinds of security questions and all of this. Like, you can end up in a situation very rapidly where your whole system has, like, sort of, pervasive problems.
Sure, you need to get something. You need an MVP. But on the other hand, I- I think really keep an eye on the horizon and, and really understand, like, v- at some point, this technical debt isn't just, like, developer productivity anymore, a- as it might be in other [00:49:00] industries. It's, like, direct risk to my end customer because I didn't have time to, you know, do the key management right. Or, you know, my, my bridging solution is, kind of, sub par, but it's, kind of, working well enough for now, right?
Like with, with security, and this is, like, a good thing and a bad thing. But, like, with, with computer security generally, what we tend to see is, like, a, a system is secure not when, like, it (laughs) functions correctly, but, when it doesn't fall to an attacker. And that second part is much harder, right? It's much harder to prove a negative, right?
So, um, care in, sort of, building from the beginning is ideal. Not always possible, but at least keeping a running tally of, "This is where my debt is, and these are the things that are most important to fix as soon as possible," because otherwise, at some point you really do end up in a situation where your customers are directly at risk.
Lauren Weymouth: 40:10 Absolutely. That makes perfect sense. Riad, you know me, in my day job I'm someone who is deeply involved in both the theoretical research and practical application. That's something that we really have in common.
I'd like to hear from you where you see the intersection of academia and industry having the greatest impact on the evolution of Web3?
Riad Wahby: 40:27 This is great, this is a great question. One of the really cool things about Web3 is I- I'd say just how deep its roots in academia and research are. And that's partially because a lot of folks who were in, or maybe still are in research like me, uh, have ended up a- also working in Web3. And, and I think it's just partially because it's, like, it's just really cool advanced technology, right?
[00:50:51] This is, kind of, a unique thing, compared to a lot of other industries, where there's a much brighter dividing line between what's happening in academia and what's happening in industry. One way to capitalize on that is to really think through, like, when we have an industry partnership, uh, like, for example, at Carnegie Mellon, like, how do we enable say, really fast iteration by the engineers at, at the company while we're still, kind of, (laughs) plodding along in our research. And of course, we like to go fast, but, like, research just moves more slowly, right?
And to me, getting that division correct, like, figuring out, like, how do we capitalize as quickly as possible on research, whose timeline is often unpredictable, is, like, a huge, a huge opportunity for jumping ahead because of the research that you just managed to, to, to make use of.
Okay, so, I- I'd say one thing there is really, really thinking carefully about like, where are the strengths coming from on each side of the line and making sure that we're capitalizing as much as possible.
Okay, I think the other one is unlike in a lot of other, uh, industries, because Web3 is, you know, decentralized and permissionless, I can really go from, a research idea to, uh, at least a proto- prototype very, very, very, very quickly.
And so, what this means is that we just have more opportunity for iteration than in a lot of other industries. I think that's, just, like, this sustaining, uh, advantage that, that we will continue to have for a long time, where, the, sort of, opportunity cost of trying out a new research idea, in, you know, the "real world" quote, unquote, is, is, is quite low compared to in a lot of other places.
To me, these are the really, really exciting things about working at that intersection.
Lauren Weymouth: 42:30 To me, too. That's perfect. Where can our listeners learn more about Cubist, and your work?
Riad Wahby: 42:35 We're at Cubist.dev. My, like, academic work is at, like, Wahby.net. Ping us anytime, we're always happy to chat. We've got a lot of, uh, interesting things going on whether it's securing keys, or securing bridging.
Actually, one thing that we didn't really touch on involves a new way of, of adding extra layers of security to cross chain bridging. We'd love to apply that more widely. We call that Bascule. We had a blog post about it somewhat recently.
Check out our blog, ping us. I'm on Telegram @Kwantam, K-W-A-N-T-A-M. Yeah, hit me up anytime. I'm always happy to chat.
Lauren Weymouth: 43:00 That's amazing. Okay, listeners, you heard that. Riad just offered his mentorship, and I would totally take advantage of his brainpower. Yeah. (laughs) Riad, this has been an amazing conversation talking about secure key management infrastructure. You've shared so many insightful stories, and I'm really grateful that you're spending your time and your brainpower on safely bringing blockchain and crypto to the mainstream. Thanks for joining us today.
Riad Wahby: 43:28 Thank you so much for having me. This has been super, super fun.
Lauren Weymouth: 43:30 Awesome. To our listeners and subscribers, thank you for your ears, and for your feedback to my UBRI@Ripple.com email. If you have any questions about this episode, or ideas for future episodes, please reach out. Until next time.