ZPrize II Spotlight: Introducing the Architects: David Wong, zkSecurity

Sep 23, 2023

Today we’re proud to introduce David Wong from zkSecurity as our architect of Prize 3: High Throughput Signature Verification. Below you’ll learn more about his background, what drives him in the zero-knowledge sphere, why ZPrize matters to him and zkSecurity, and much more.

Tell us about your background - what got you interested and kept you interested in privacy tech and ZPrize?

It all started back when I was studying mathematics in university. I was doing theoretical mathematics, and feeling quite miserable at the time. I didn’t really know what I was going to do with my life, and I couldn’t see myself doing math for a living. I couldn’t imagine how people could get paid doing math. 

One summer, in-between flipping burgers at McDonalds and learning German on duolingo at the public library, I discovered Coursera and one of their new courses on cryptography from Dan Boneh (called Cryptography I). At the end of the summer I had finished the course and discovered a new passion. 

I had always liked mathematics yet deplored the lack of application in the math I was studying. On the other hand I had been programming since I was a kid, writing BASIC on calculators and later ActionScript to make video games with Flash. Cryptography was, to me, the perfect marriage of the two disciplines. That year, I applied to all the Cryptography Master’s programs in France. Two years later, I was getting my first job at NCC Group auditing cryptographic applications. The rest is history.

What got you into the sphere of zk-tech?

During my time as a security consultant at NCC Group, I had the chance of auditing a ton of different cryptographic applications (from SSL/TLS to secure messaging to ed25519 implementations). Around 2017 we started getting a lot of blockchain work. I remember doing some work for ZCash, and after that ZK was a keyword that sort of stayed around in my head.

Next, however, I went to work for Facebook on the Libra project. During the project I also wrote a book (Real-World Cryptography), and while I didn’t touch much ZK at the time I kept thinking about it. Once I got out of the project, I went straight for a ZK project. My goal was to do everything I could to learn as much as possible about the new technology. I ended up joining the Mina protocol project, from O(1) Labs, and working on their proof system Kimchi, until I left to found zkSecurity.

What was the catalyst for zkSecurity?

During my time at Mina, working on a framework for people to write ZK apps, two other coworkers and I (Brandon the CTO of O(1) Labs, and Gregor the lead engineer on o1js/snarkyjs) noticed that people were writing a ton of bugs when using it. It was a new paradigm, a new way of writing applications, and with it came some dangerous implications.

Then we looked at the smart contract auditing market which is huge, and which I used to be part of (having published the top 10 smart contract security in 2018, at www.dasp.co). At the time we just thought that the ZK application market was going to boom as well, and that there was no one serious to fill the void in terms of security audits.

So we decided to fill the void, and we founded zkSecurity. It’s been almost half a year and I think we did a pretty good job establishing ourselves as the go-to zero-knowledge security company. Right now we’re mostly doing low-level work on proof systems while we wait for major ZK projects to launch their platforms and for ZK applications to be built on top of them.

Let’s circle back to Libra: Why didn’t it catch on during its initial rise? 

I joined Libra when it was still in stealth mode. It was extremely exciting to me, I was joining a FAANG to work on one of their coolest projects. We even worked from a secret building at Facebook. I will always remember the day we publicly announced the project. A number of us stayed up all night, as the announcement was planned for 4am or something. We played board games, gave each other talks on why gold was going to crash, started a firecamp in the Facebook parking lot and cooked some smores. It was surreal. At 4am we were all drinking champagne and debugging last-minute things, then watching David Marcus give interviews on TV.

Anyway, there was a lot of excitement around the project at the time. When it started, Libra was very idealistic. As time went on though, a lot of concessions were made. The project changed a lot until it was killed. I think we’ll never know what really happened. But my theory is twofold: Facebook being behind the project was a big issue. At the time Facebook had a bad image with the public. Second, Facebook launching a blockchain project meant that it would have been available to billions of people on day one (through WhatsApp, Instagram, Messenger, etc.) and that was too scary for most. Cryptocurrencies were (and perhaps are still) a small market, and mistakes won’t cause “too much” trouble. I think the technology is still seen as experimental, and so large-scale experiments are too scary right now to regulators.

What inspired you to write Real-World Cryptography? 

I’ve always liked teaching things to people. I think the reward you get for producing content or helping people directly is somewhat similar to the reward you get when you build a product that gets used by people.

I also get really frustrated when something is overly complex and difficult - especially when it’s unnecessarily difficult. When I cannot find a simplification for something I’m banging my head on, when no one has synthesized the complex into the easy, then I tend to get motivated to do it myself.

At the end of the day, I think Real-World Cryptography really filled a need in cryptography. Before, developers and newcomers in cryptography did not really have a modern option to learn cryptography without having to delve into the theory of things. I wrote this book for my past-self, the book I wish existed when I started learning about all the stuff you need to know to understand cryptography. It’s also a book that acknowledges cryptocurrencies. I think it’s the first, and perhaps still the only, cryptography book with a chapter on cryptocurrencies.

Do we need more teachers in this space, not just in ZK, but in crypto as a whole?

In ZK we’re very lucky. We’re lucky because people really care about producing good content and helping each other. We have so many good resources to learn. Interestingly, this reminds me of the Rust community, which we are also lucky to be strongly linked to. Everything seems to be written in Rust in ZK, and so it might be why we have such a helpful and productive culture.

For example, we have the zkStudy Club, the zkWhiteboard Sessions, the ZK MOOCs, the Zero Knowledge Podcast, the MoonMath Manual, the zkMesh newsletter, Thaler’s book, all these ZK conferences like ZK summit, and so on. There’s no way to summarize all the good stuff we have. We really are lucky. I guess other fields could learn something from us.

If I had to say something more, I would encourage people to be part of this. Write blog posts! Even recording a short video that explains something that you just learned can be super useful to others. There’s so many ways to express yourself using that creative part of your brain. Don’t just build. Express yourself through other means, mentor people around you and be a part of your community. 

Can we just put privacy on the back-end of our apps and not require any sort of opting in?

There’s this project called Penumbra and they’re doing a DEX and a privacy coin on Cosmos. I believe I read somewhere that the project’s strategy is that if they make their product fast and useful, and even cheaper (by avoiding MEV), then people will actually use the product and benefit from the privacy. 

So I’d say a good strategy is to just create a better product that is privacy-centric and users will naturally flow toward the product. If you give users the choice between something that will work better for them, and something that brings more privacy, they will always choose the one that works better/faster/cheaper.

Whenever you’re building a ZK app, you’re always playing with this tension. You have to make tradeoffs and not just think about privacy if you want the thing to be used. Take encrypted emails, for example. It’s not well integrated, the user experience is horrendous, and so it has essentially failed at getting adopted. 

Can the zk-space learn from the legacy web in terms of attracting users and having as seamless user experience as possible?

Yes. If your app is as easy as possible to use and provides value to the user, then people will use it naturally. Additionally, it’s important to mention that while we’re always obsessed with human users, a lot of the ZK applications that are sort of unexplored at the moment are those that target machines instead of human users.

Can you expand upon the idea of machine-to-machine use cases for zk-applications?

I’m thinking about server-to-server use cases. For example, blockchains that use zero-knowledge proofs to improve their consensus: by proving the whole state transition from genesis to the latest state, nodes don’t have to spend time going through the whole history to synchronize to the network (this has also been seen in verifiable light client projects like Plumo). In these kinds of use cases, where humans are not directly involved, it seems like the “ZK” part is less essential than the succinctness part of zero-knowledge proofs.

Why ZPrize?

Personally, the succinctness of zero-knowledge proofs was always a major attraction to me. When we think about optimizing things in the zero-knowledge sphere, that’s mostly what we optimize. We optimize the succinctness, speed, and similar elements of zero-knowledge proofs. The ZK part often comes for free, or at little cost. Now, to optimize these things, what’s better than a competition? A competition is exciting, it creates hype, it makes the whole experience of working in this field more fun. 

The second part is that it turns incentives around and pushes companies to open source some of their most interesting code. Again, we’re really lucky to work in a field that’s completely open. All the protocols we use are published as free whitepapers on the Internet, most if not all libraries and proof systems are open sourced projects (and when they’re not the community pushes back). ZPrize is sort of the last step that says “hey, I know this could be a competitive advantage for your project, but if you make it an open competition with an open source solution, you’ll get the best people working on optimizing your problems”. And this tends to gather people around the most impactful problems to solve in the field, as opposed to working on solving theoretical projects that have no impact.

What would you like to see ZPrize focus more on/do more of and why?

Generally, I’m excited that ZPrize is a community-driven project. It’s still quite young, and so we need to keep getting feedback from the community, understanding what drives people to join these kinds of competitions, and getting to know the types of problems that people want to solve. The more involved people are, the more ideas people come up with, the better the system.

How can we learn more about zkSecurity’s work and your work as a whole?

About zkSecurity, the best way to follow our work is to check our blog at https://www.zksecurity.xyz/blog/. We not only post about our public audits, but we also post about anything interesting we have to say.

Check out my book Real-World Cryptography and find me on twitter @cryptodavidw.


Interested in getting involved in ZPrize 2023? Head to our Discord and join in on discussions as the competition continues to take shape!

Type your email here
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Prize winners will be determined in good faith and in the sole discretion of prize sponsors
© 2023 ZPrize. All Rights Reserved.