Conversation with Mysten Labs’ Chief Cryptographer: How Does Cryptographic Innovation Become the Core of Sui Design?

In this article, we spoke with Kostas Chalkias, co-founder and Chief Cryptographer of Mysten Labs, about how cryptographic innovation became central to Sui’s design and what makes their upcoming features exciting.

Q: Can you briefly explain the role of a cryptographer in building blockchain?

A: Actually, I worked with one of the first developers of Satoshi Nakamoto, Mike Hearn, and I have a PhD in cryptography. Before the blockchain era, my focus was mainly on the academic side. Through this involvement, I can accurately tell you how cryptographic technologies play a role in blockchain infrastructure companies, which is usually divided into three key roles.

First is research, where you have to innovate in cryptography because it’s usually very advanced mathematics, part of which is finding cool new algorithms while also researching how to break them. My previous role at a blockchain company involved reviewing the implementation of cryptography and acting as a white-hat hacker looking for attacks against them. The work involved “you’re a mathematician, you’re a cryptographer, go look at this specific digital signature algorithm or random beacon or whatever. Check to see if everything is okay.” This is in the research area.

Second is implementation, where you apply the concepts of cryptography. Applied cryptographers do get requests from product teams – “hey, we want a new faster signing scheme, or we want to create a new privacy feature for our customers or clients or community.” Then applied cryptographers not only have to design and research, but also implement it. Sometimes applied cryptographers also have to be very powerful software developers, and they need to do novel optimizations in coding.

Finally, it’s creating new products, based on the primitives that cryptographers understand, and coming up with their own innovative ideas.

In summary, we cover research, implementation, and product, which is the typical role of a blockchain cryptographer.

Q: Can the same person typically do all three things? Or is it done in groups?

A: For Sui, because we introduce a lot of innovation, we need multiple people working on many workflows. I am the Chief Cryptographer of Mysten Labs and also one of the co-founders of Sui, so I participate in most of the work. However, you can’t do everything alone, and I’m still learning from my team.

We don’t use just one programming language. For example, we used Rust for proof-of-concept, but then we realized that most people on the internet use JavaScript or TypeScript, and cryptographers can’t do everything themselves. But you can’t delegate to a generalist like a software engineer because some optimizations require knowledge of advanced math and cryptographic primitives, or you may need to interact with libraries you’re not familiar with, so you need someone else to take over that work.

Our research team consists of about 10 people in total, dedicated to innovation and implementation in our daily work. We have these “smart” minds and sometimes I’m the one who comes up with ideas, and sometimes I’m following the lead of other cryptographers. Our team can help with implementation, provide resources, or provide tips on how to extend and apply a cool idea.

Two eyes are not enough, because cryptography is an extremely critical part of the blockchain infrastructure, and if there is a problem, it could be GAME OVER, so more eyes are needed. In addition, many innovators are needed.

Q: What key progress in external research has been applied in Sui’s design, and with what impact? What are the key innovations from internal dialogue?

A: In cryptography, the external signals that have influenced us are the evolution of technologies such as zero-knowledge proofs and general privacy-preserving technologies proposed in the literature. It is not only blockchain that is doing cryptography; research institutions and university departments all over the world are doing theoretical work. Personally, I think Mysten Labs is very good at finding new theories in areas that no one has ever implemented, some of which may be inaccurate assumptions, but we combine them with our existing technologies, and that ultimately drives us to create a novel product.

Sui has a new feature, zkLogin, that was born out of this. External technologies were proposed, but they were not enough for L1 blockchains to provide a seamless authentication mechanism, and we invented a new feature on top of it, which is an internally vertical area of applied research, and ultimately we came up with a complete solution.

We’re not a university, we’re not just theory, we need something that’s production-ready, so we get feedback from internal and external discussions. Many times we read scientific papers, we attend events, we are reviewers and presenters, and we receive feedback. Obviously, we turn all of this into implementations on Sui.

I realized that some of our code is subsequently used by other people, other companies, or even outside of our industry, and ultimately, big companies will get this code and inject it into their own infrastructure, not necessarily blockchain infrastructure.

Internal innovation is usually triggered by the product team. They’ll come to us and say, “This is currently impossible, we haven’t seen any research in this area. Can you solve this problem?”

For example, an interesting problem is enabling discoverable blockchain addresses but with privacy. How can I send something to your email or phone number even before you create an account? Imagine Venmo-style functionality where I send you assets and then you go fetch them when you realize they’re there. Solving this problem requires internal brainstorming and discussion about how to do this with a privacy mindset. Getting theory from the outside, we combine all of this into a set of tools. Most of the time we are actually very successful in this regard. We manage to solve the above problem, rarely having a product problem without a solution.

Q: How does Move help you create these cryptographic innovations and provide a safer experience for developers using Sui?

A: I used to be a Solidity developer, writing Ethereum contracts, and I was also passionate about breaking smart contracts on Ethereum. My first job was auditing lottery contracts on Ethereum and I successfully broke some algorithms. Back then, you could almost say that random algorithms were unfair and opaque. This actually made me realize that smart contract developers are typically engineers who write small scripts. Smart contracts are not big programs or complex databases, and typically someone who receives a few days of training can write smart contracts and deploy them, but this requires very careful auditing, and there may be hidden traps in web2-web3 interactions.

We realized that on Ethereum, some of the security features of Solidity are problematic due to two special factors. First, engineers are optimizing compression to reduce gas costs, which can cause users to miss out on certain things because they don’t cover edge cases. There is also the problem of reentrancy attacks, such as when a smart contract pays another smart contract without updating its state. This type of attack vector has caused a lot of fund losses in the past, including the Ethereum DAO years ago, which led to Ethereum forking.

Move does not have these problems, especially with reentrancy; we protect the source code from the ground up. Additionally, we made a lot of changes to the original Facebook Move by creating a more object-oriented Move language, which greatly helps the code’s reusability. You don’t need to copy and paste smart contract code and maybe make some adjustments; instead, you can call the original code and get better consistency guarantees.

At the same time, in Move, we provide objects for everything. In Solidity, when you transfer something from one contract to another, if there is no context, you often don’t know what it is. Is this an address? Is this a number? Is this an image URL? When you treat everything as an object, similar to Java and C++ and all object-oriented languages, you can first convert existing client projects to a smart contract-based world without worrying about triple optimization compression mechanisms. Because you can literally see that this is a “tiger” object, and I am transmitting a “tiger” object to you.

What about cryptography? When you have these items, when I send something from one wallet to another address, you will see a pop-up window that says “You are transferring Tiger NFT. This Tiger NFT has X characteristics.” Due to the object-oriented design, no matter what object you touch, you can see exactly what you are doing, which can help you identify any problems in the transaction. Many users are tempted by malicious software or applications that try to convince you to sign something in another blockchain wallet that you do not want to sign. But for Move, this is a bit difficult, and users can see clearly what is happening, which enhances end-user security.

Another really helpful thing for designing more interesting and cooler algorithms is parallelization with objects. Suppose I have some bills, a $10 bill and a $100 bill. If I want to give these bills to two people next to me, I can do this in parallel.

On Ethereum, the basic concept is a central account balance from which you can transfer things. Therefore, if I want to send or receive funds, I must sort these transactions: I will send the $100 first and then submit the $10 transaction, and if someone sends me funds, all three transactions must be sorted, which is expensive.

This is the direction from which we get all the cool stuff in the Move language. As cryptographers, we can use the parallelization and object-oriented programming provided by Move to create better security and cooler innovative algorithms. That’s the whole idea. For example, we created a lottery plan. Although it seems easy at first glance, to be honest, doing it correctly is often very, very difficult, especially when building multiplayer lotteries with complex edge cases, which is also the highlight of excellent cryptographers. We need some randomness, you need to buy a lottery ticket, and these tickets can be purchased in parallel. How do you do this on the blockchain? Move and its available cryptographic primitives help provide a better, more secure cryptographic ecosystem.

I understand that something like a lottery system can be used in a product, for example, if there are 300 tickets available but thousands of people want them and you want them to be randomly assigned? This system is the basis of Sui, and any company can add it to their product.

The benefit here is that, due to Sui’s object-oriented nature, you can call the same contract from many different other smart contracts. We have the concept of composability, which can actually help you use the same ticket in two different lotteries, which is very useful for creating new experiences that didn’t exist before.

In the gaming space, you need randomness, and Sui is actually one of the best blockchains for that. For board games, even seemingly deterministic games like chess, you need to know who goes first. Who is white, who is black (as we know, in chess, white has the advantage), and it needs a certain level of transparency to match different players correctly in the same game. There are also government applications. Imagine the tax office is doing some statistical sampling and selecting an audit target. Can they really provide evidence that the statistical sampling was done in a fair and transparent way?

If there is an algorithm that provides undeniable transparency and good randomness that the organizers cannot change, then each lottery or random sampling will have a new fairness.

Q: You recently wrote a tweet discussing the importance of storing NFTs on-chain so that they remain dynamic and change over time. Could you share more about this view, particularly how Sui’s data structure enhances the utility of NFTs?

A: This is a controversial topic. I’m trying to explain that the NFT attributes enabled by different infrastructures are different, and when it’s just a static image, traditional structures are really good when you don’t perform any high-traffic operations on that image. But in some cases, like games, where players want to get more value out of the NFTs, traditional NFT structures are not good enough.

Sui has some algorithms that allow for dynamic NFTs, and their fields are updated every time a transaction occurs. When you play a game, you have a hero, you win, you pass the level, you may get some new weapons or powers, all of which can be recorded in the blockchain state and create a whole new type. In addition, because storage costs on Sui are cheap, NFTs can be stored on-chain. This makes it easier to read and write to different smart contracts on-chain and achieve composability.

On other chains, you face an issue because changes are not in state. To let another smart contract read your contract, they need to know your schema and you need an off-chain resolver, which causes some user experience complexity. There are also issues with threat models; in fact, some specific applications may tolerate compression and off-chain storage. But in reality, when we store some content off-chain, we are changing the threat model. The reasons are usually centralized. Imagine one day, if you stored it in AWS, and then… Amazon goes down. Amazon is a single company; if it fails and you cannot access that particular off-chain data, you won’t be able to use it on-chain. Even if you can, you need data to generate a proof that you do indeed own the off-chain data, because sometimes you just need to prove, right? To prove, you need to get content from AWS, hash it, and send a minuscule amount of data to the blockchain, which is somewhat verified, but if you don’t have the data, you can’t prove what my NFT content is.

So there are some centralization issues, although some people say that is not the case because we can store it in different places. I agree, if we can somehow figure out a specific design that encodes all these threat models into the blockchain. But another issue is latency: in on-chain practice, we need to obtain content with minimal latency. If we store NFTs on other chains, it will cause double the latency, which is not what we want; we want everything stored on-chain while reducing latency.

Q: What are you most excited about for Sui’s future?

A: That’s my favorite question. The main reason I joined Mysten Labs is that I prefer innovation-driven product development places. We are providing some new things to the community. I even named my son Kryptos.

If you specifically ask me about Sui’s crypto innovation, one thing is for sure: we allow a lot of ways for identity verification. Typically, most blockchains only support one signature algorithm; Ethereum has its own algorithm, and Cardano and Solana support another algorithm. We are trying to make Sui talk to other public chains, which means we allow all existing algorithms, which means we are compatible with more wallets. Existing wallets don’t need to reinvent the wheel: if you like the algorithm based on Ethereum, we support that algorithm, so go use it. If you use an iPhone, then you don’t even need a wallet; the secure chip that supports only specific algorithms is built into more advanced Android devices and iPhones, and we support that too.

One of our flagship features is the cryptographic identity verification, which ensures safety and will create a new authentication experience. We have also introduced zero-knowledge proof and privacy protection technology within Sui from day one. This allows people to create KYC systems with as much privacy as possible, even enabling the creation of confidential amount transfers, while also giving them the opportunity to comply with legal and auditing requirements. We provide everything for developers to use.

Aside from all these algorithms, our development solutions engineering team actually provides great support. We work with teams every day who aren’t cryptography experts, but have some really cool ideas. If we get some feedback, we help them implement it. If something isn’t working or has problems, we solve it quickly.