Keybase: bringing public-key cryptography to mainstream users

2015-06-27

Today I’m excited to announce that a16z is leading a $10.8M Series A financing of Keybase, a company that is trying to make the internet more secure by making public-key cryptography accessible to mainstream internet users. I’ll be joining Keybase’s board.

Almost every day we read about another major internet security breach. Recent examples include the Sony Pictures hack, in which confidential business emails were stolen and made public, and the Apple iCloud hack, in which private celebrity photos were stolen and made public.

Major security breaches have become frighteningly common
Major security breaches have become frighteningly common

Hackers are increasingly sophisticated, with the skills and resources to penetrate security systems that were developed mostly for a prior generation of threats. People are — quite justifiably — starting to question whether they can trust technology companies with their private information.

This is happening despite the fact that technology exists that can provide complete end-to-end security: public-key cryptography. Public-key cryptography was invented by mathematicians and computer scientists in the 1970s. It is hard to overstate the significance of this invention. As MIT computer science professor Scott Aaronson explains:

Even though cryptography has influenced human affairs for millennia, developments over the last thirty years have completely — yes, completely — changed our understanding of it. If you plotted when the basic mathematical discoveries in cryptography were made, you’d see a few in antiquity, maybe a few from the Middle Ages till the 1800's, one in the 1920's (the one-time pad), a few more around World War II, and then, after the birth of computational complexity theory in the 1970's, boom boom boom boom boom boom boom

Using public-key cryptography, person A can send person B a message that nobody else in the world except person B can decrypt, even though persons A and B have never communicated before. Person A simply needs to know person B’s “public key” (a long number that can be listed in public) and use that to encrypt the message. Person B uses a “private key” (another long number that has a mathematical relationship to the public key and is kept private) to decrypt the m tessage.

Public-key cryptography means you don’t need to trust email providers, messaging companies, social networks, search engines, ISPs, cellular carriers, venture capitalists, tech startups, politicians, legal agreements, IT departments, and so on. You just need to trust math.

1zKRxnaArGgVXMV4daSk5nA

So why isn’t public-key cryptography widely used? It is, but in diluted form: various forms of cryptography are baked into almost every popular internet service. Yet the hacks and data breaches continue, mainly because the otherwise invulnerable cryptographic protocols are embedded within larger systems in which vulnerabilities are introduced by software bugs, employee mistakes, product design tradeoffs, legal constraints, management decisions, etc.

The ideal solution would be for users to adopt public-key cryptography themselves, in its pure, unadulterated form, without having to trust third-party service providers. Today, you’ll see this being done on occasion by more tech-savvy internet users. For example, here is Kashmir Hill, an investigative journalist for Fusion, publishing her public key on Twitter:

A journalist publishing her public key
A journalist publishing her public key

To send her an encrypted message, however, you’d have use software tools that are generally too complicated and cumbersome for mainstream internet users. As a result, public-key cryptography is mostly limited to a small circle of tech savvy security enthusiasts.

xkcd.com/1269/
xkcd.com/1269/

The idea behind Keybase is to make public-key cryptography accessible to everyday internet users. Keybase is, at its core, a database that connects people’s social media identities to their public cryptographic keys. For example, here’s the Keybase profile for Stripe co-founder Patrick Collison:

Patrick’s keybase profile
Patrick’s keybase profile

Each identity listed on his profile has been cryptographically verified to be owned by Patrick (other people can verify this for themselves by following the links on the page). So if you interact with Patrick as, say, patrickc on Twitter, you know the public key listed here is owned by the same person.

There are many things you can do with public-key cryptography besides sending messages. You can share files with individuals or with groups. You can verify that a file was created by the stated author and wasn’t altered (this use case is common with software developers who want to verify code they download doesn’t contain malware). In the future, you should also be able to use public-key cryptography to login to websites instead of having to remember passwords (this is already common behavior among developers who use cryptographic methods to login to servers)

Keybase is developing native apps
Keybase is developing native apps

A database by itself is useful to only the most tech savvy users. So Keybase is also building a set of applications to complement the database. These include native software clients for all the major platforms (iOS, Android, OS X, Linux, and Windows) that make it easy to do secure messaging and file sharing using the Keybase directory. Keybase will remain in invite-only private beta until the client software is ready.

A key design principle of Keybase is: you don’t have to trust Keybase. All the relevant software is open source and therefore independently auditable, fork-able, etc. The keybase directory is fully public and therefore also fully auditable, fork-able, etc. Everything you need to verify that you can trust the end-to-end cryptography is open and auditable. Keybase could get hacked or acquired or shut down and it wouldn’t affect the security of anything that uses Keybase. You don’t need to trust Keybase. You only need to trust math.

Chris and Max
Chris and Max

The founders of Keybase, Chris Coyne and Max Krohn, met at Harvard where they studied math and computer science and started their first company, SparkNotes. Max also got his PhD from MIT where he focused on security and file systems. Chris and Max and two other friends then founded OKCupid, where Chris and Max ran product and technology up until the company was acquired by Match.com in 2011. Chris and Max have both technical depth and consumer design savvy, an ideal combination for a project like Keybase.

Many of the best internet services were derived from ideas that came from Unix and the Unix-related academic and open-source communities:

Entrepreneurs have had considerable success adapting these amazing tools for mainstream use. Public-key cryptography has been cloistered within niche technical communities for too long. The time is right to bring it to the mainstream. We are thrilled to back the Keybase team on their mission to make that happen.

1n7G6jdQsTC9NeaMsLy7SyQ

Keybase is hiring — more info here.

    Next post: One man came to Mozart and asked him how to write a symphony.
    Previous post: The Babe Ruth Effect in Venture Capital

    Views expressed in “content” (including posts, podcasts, videos) linked on this website or posted in social media and other platforms (collectively, “content distribution outlets”) are my own and are not the views of AH Capital Management, L.L.C. (“a16z”) or its respective affiliates. AH Capital Management is an investment adviser registered with the Securities and Exchange Commission. Registration as an investment adviser does not imply any special skill or training. The posts are not directed to any investors or potential investors, and do not constitute an offer to sell -- or a solicitation of an offer to buy -- any securities, and may not be used or relied upon in evaluating the merits of any investment.

    The content should not be construed as or relied upon in any manner as investment, legal, tax, or other advice. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. Any projections, estimates, forecasts, targets, prospects and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Any charts provided here are for informational purposes only, and should not be relied upon when making any investment decision. Certain information contained in here has been obtained from third-party sources. While taken from sources believed to be reliable, I have not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. The content speaks only as of the date indicated.

    Under no circumstances should any posts or other information provided on this website -- or on associated content distribution outlets -- be construed as an offer soliciting the purchase or sale of any security or interest in any pooled investment vehicle sponsored, discussed, or mentioned by a16z personnel. Nor should it be construed as an offer to provide investment advisory services; an offer to invest in an a16z-managed pooled investment vehicle will be made separately and only by means of the confidential offering documents of the specific pooled investment vehicles -- which should be read in their entirety, and only to those who, among other requirements, meet certain qualifications under federal securities laws. Such investors, defined as accredited investors and qualified purchasers, are generally deemed capable of evaluating the merits and risks of prospective investments and financial matters. There can be no assurances that a16z’s investment objectives will be achieved or investment strategies will be successful. Any investment in a vehicle managed by a16z involves a high degree of risk including the risk that the entire amount invested is lost. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by a16z is available at https://a16z.com/investments/. Excluded from this list are investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets. Past results of Andreessen Horowitz’s investments, pooled investment vehicles, or investment strategies are not necessarily indicative of future results. Please see https://a16z.com/disclosures for additional important information.