Author | a16z crypto
Compiled by Odaily Odaily( @OdailyChina )
Translator | Dingdang ( @XiaMiPP )
Editor's Note: The surge in Zcash's price in 2025 reignited the privacy narrative in the crypto industry. More often than not, we only see the rising tide of emotion and the influx of capital; many may believe this is merely a temporary emotional surge, lacking an understanding of the narrative's sustainability. a16z crypto's latest report, "Privacy Trends for 2026," attempts to bring the privacy issue back into the framework of infrastructure and long-term evolution . Through a collection of observations from several veteran crypto professionals, the article elucidates their assessments of how privacy will shape the next stage of the crypto system, covering decentralized communication, data access control, and security engineering methodologies.
1. Privacy will become the most important competitive advantage for the crypto industry this year.
Privacy is one of the key functions for the global financial system to move onto the blockchain; at the same time, it is also a function that is severely lacking in almost all blockchains today. For most chains, privacy has long been a matter of post-hoc consideration. But now, privacy itself is enough to substantially differentiate a chain from all other chains.
Privacy also brings an even more important point: chain-level locking effect—which you could call the "privacy network effect," if you prefer. This is especially true in a world where simply competing on performance alone is no longer enough to win .
Thanks to cross-chain bridge protocols, migration between different chains is virtually cost-free as long as all data is public. However, the situation is entirely different when privacy is involved: transferring tokens across chains is easy, but transferring "secret" data across chains is extremely difficult. Activities outside of privacy zones always carry the risk of being monitored and having their identities inferred from on-chain data, mempools, or network traffic. Whether switching from a privacy chain to a public chain or between two privacy chains, a significant amount of metadata is leaked, such as transaction times and scale correlations, making users easier to track.
Compared to new public chains that lack differentiation and whose transaction fees are likely to be squeezed to near zero in the competition (block space is essentially homogenized), blockchains with privacy capabilities can generate stronger network effects. The reality is: if a "general-purpose" blockchain lacks a thriving ecosystem, killer applications, and asymmetric distribution advantages, there is almost no reason for users to use it, let alone build and maintain loyalty on it.
In public blockchain environments, users can easily interact with users on other chains—which chain they join is relatively unimportant. However, on privacy chains, user choice becomes crucial because once on a privacy chain, users are less willing to migrate and risk identity exposure. This mechanism creates a winner-takes-all (or at least the majority of winners) landscape . And since privacy is essential for most real-world applications, ultimately, a few privacy chains may control most of the value activities in the crypto world.
— Ali Yahya ( @alive_eth ), General Partner of a16z crypto
2. This year, the key issue for instant messaging applications is not just how to resist quantum computing, but also how to decentralize.
As the world prepares for the quantum computing era, many instant messaging applications built on encryption technology (such as Apple, Signal, and WhatsApp) are already leading the way and performing exceptionally well. However, the problem is that all mainstream communication tools still rely on private servers run by a single organization. These servers are precisely the easiest targets for governments to shut down, implant backdoors in, or force to hand over private data.
If a country can shut down a server directly; if a company possesses the keys to a private server; or even just because a company owns a private server—then what is the point of even the strongest quantum encryption?
Private servers inherently require users to "trust me"; the absence of private servers means "you don't have to trust me." Communication doesn't need a single company acting as an intermediary. Messaging systems require open protocols that allow us to trust no one.
The way to achieve this is by completely decentralizing the network: no private servers, no single application, completely open-source code, and top-notch encryption—including encryption that combats quantum threats. In an open network, no individual, company, non-profit organization, or nation can deprive us of our ability to communicate. Even if a country or company shuts down an application, 500 new versions will appear the next day. Even if a node is shut down, a new node will immediately appear to replace it—mechanisms like blockchain provide clear economic incentives.
Everything changes when people control their messages as they control their own funds—through private keys. Applications may replace themselves, but users always retain control over their messages and identities; even if they no longer own the application itself, end users can still have control over their messages.
This goes beyond the realms of "quantum resistance" and "encryption," and is about ownership and decentralization . Without either of these, what we build is merely an encryption system that is "unbreakable but can still be shut down with a single click."
— Shane Mac ( @ShaneMac ), Co-founder and CEO of XMTP Labs
3. "Secrets-as-a-Service" will become the core infrastructure for privacy.
Behind every model, agent, and automated system lies a fundamental dependency: data. However, most current data pipelines—whether the data input to the model or the data output by the model—are opaque, variable, and unauditable.
This may be acceptable in some consumer applications, but in industries such as finance and healthcare, users and institutions often have strong privacy requirements. This is becoming a major obstacle for institutions in advancing the tokenization of real-world assets.
So how can we achieve secure, compliant, autonomous, and globally interoperable innovation while protecting privacy?
There are many solutions, but I want to focus on data access control : Who controls sensitive data? How does the data flow? And who (or what system) can access this data, and under what conditions?
In the absence of data access controls, any entity wishing to maintain data confidentiality currently relies on centralized services or builds its own customized systems—a process that is not only time-consuming and expensive but also severely hinders traditional financial institutions and other entities from fully realizing the potential of on-chain data management. However, as autonomous intelligent agent systems begin to browse, transact, and make decisions independently, users and institutions across industries require cryptographically guaranteed certainty , rather than "best-effort trust."
This is precisely why I believe we need "secrets-as-a-service": a new technology system that provides programmable, native data access rules; client-side encryption; and a decentralized key management mechanism that enforces on-chain "who can decrypt which data under what conditions and for how long".
When these mechanisms are combined with verifiable data systems, "secrets" can become part of the basic public infrastructure of the internet, rather than being patches added to the application layer after the fact—making privacy a true underlying infrastructure .
— Adeniyi Abiodun ( @EmanAbio ), Co-founder and Chief Product Officer of Mysten Labs
4. Security testing will shift from "code is law" to "standards are law".
Several DeFi hacks last year targeted protocols with established teams, multiple audits, and years of operation, not new projects. These incidents highlight a disturbing reality: current mainstream security practices still heavily rely on rules of thumb and case-by-case judgment.
To achieve true maturity this year, DeFi security must shift from "vulnerability pattern identification" to "design-level attribute guarantees," and move from "best-effort" to "principled methodology":
- In the static/pre-deployment phase (testing, auditing, formal verification), this means no longer verifying only a few selected local properties, but systematically proving global invariants . Currently, multiple teams are building AI-assisted proof tools that can help write specifications, propose invariant hypotheses, and take over the extremely costly human proof engineering work of the past.
- In the dynamic/post-deployment phase (runtime monitoring, runtime constraints, etc.), these invariants can be transformed into real-time guardrails , becoming the last line of defense. These guardrails will be directly encoded as runtime assertions, requiring every transaction to satisfy them.
In this way, we no longer assume that "all vulnerabilities have been discovered," but instead enforce key security attributes at the code level, and any transaction that violates these attributes will be automatically rolled back.
This is not just theoretical. In fact, almost every attack to date has triggered one of these checks during execution, potentially halting the attack altogether. Therefore, the once-popular "code is law" concept is evolving into "standards are law": even entirely new attack methods must meet the security attributes required to maintain system integrity, and the ultimately feasible attack space will be compressed to an extremely small or extremely difficult level to execute.
—— Daejun Park ( @daejunpark ), a16z Engineering Team
Related reading:
Is buying ZEC a ploy to dump BTC? 4 industry truths behind the surge in privacy coins
Messari: When BTC is disciplined, ZEC's hedging potential is beyond imagination .
ZEC bucks the trend and rises; what other projects in the privacy sector are worth watching?
