Score:3

Does NordPass Make the Same Error SpiderOak Stopped Making in 2017?


According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown here:

https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489

NordPass has yet to walk back its claim to a zero knowledge architecture:

https://nordpass.com/features/zero-knowledge-architecture/#

Is it technically wrong to claim that “no knowledge” is the same as “zero knowledge” as SpiderOak previously did? If so, why?

brethvoice avatar
Reddit comment: https://www.reddit.com/r/cryptography/comments/10nc1np/zeroknowledge_encryption_vs_endtoend_encryption/j68q3qp/?utm_source=share&utm_medium=ios_app&utm_name=iossmf&context=3
**Marketing texts** attempt to find short and easily memorable definitions for important product features. That's why the wording "zero-knowledge" is understandable in the cases mentioned in the OP. But although the product features have nothing to do with zero-knowledge proofs, discussion of **marketing texts** is off-topic on Crypto SE. I suggest closing the question.
Score:2

The cryptography outlined on the NordPass page is not using zero-knowledge as that's understood in a cryptographic context, which is (per the Handbook of Applied Cryptography, chapter 10):

> a zero-knowledge protocol allows a proof of the truth of an assertion, while conveying no information whatsoever about the assertion itself other than its actual truth.

Instead, NordPass uses zero-knowledge architecture (or zero-knowledge encryption, zero-knowledge cloud storage) to mean they do not hold the encryption key to the user data they store (including the password vault). They describe a system with a master password, turned into a key for encryption with XChaCha20, by key stretching using Argon2. All this is symmetric cryptography, entirely unrelated to zero-knowledge as considered in the first paragraph and quote.

At least I do not see them using zero knowledge to qualify one of their protocols, or a proof made of something in their system.
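To make the quoted Handbook definition concrete, here is an added example (not part of the original answer, and not NordPass code): Schnorr identification, a classic honest-verifier zero-knowledge proof of knowledge of a discrete logarithm. The group parameters and all function names are constructed for illustration; `simulate` builds accepting transcripts without the secret, which is why a transcript conveys nothing about it.

```python
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1       # prover's secret, 1 <= x < q
    return x, pow(G, x, P)                 # public key y = g^x mod p

def commit():
    k = secrets.randbelow(Q)               # fresh nonce for every run
    return k, pow(G, k, P)                 # commitment t = g^k mod p

def respond(x, k, c):
    return (k + c * x) % Q                 # response s = k + c*x mod q

def verify(y, t, c, s):
    # Accept iff g^s == t * y^c (mod p); uses only public values.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def prove(x, y):
    """One honest run; returns the transcript (t, c, s) the verifier sees."""
    k, t = commit()
    c = secrets.randbelow(Q)               # verifier's random challenge
    return t, c, respond(x, k, c)

def simulate(y):
    """Accepting transcript built from the public key alone (no x).

    Choose c and s first, then solve for t = g^s * y^(-c). Real and
    simulated transcripts are identically distributed, so watching a
    proof teaches the verifier nothing about x beyond 'prover knows it'.
    """
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y has order q
    return t, c, s

if __name__ == "__main__":
    x, y = keygen()
    print("honest proof accepted:   ", verify(y, *prove(x, y)))
    print("simulated proof accepted:", verify(y, *simulate(y)))
```

Deriving a symmetric key from a master password and encrypting a vault with it involves no prover, verifier or assertion being proved, so none of this machinery applies to it.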

brethvoice avatar
This article may show the results of widespread ignorance spreading ever wider: https://www.howtogeek.com/811527/what-is-zero-knowledge-encryption/
fgrieu avatar
@brethvoice: the above article indeed makes several errors: it talks of "zero-knowledge encryption" as if this marketing term was standard in cryptography; AES-256 is said to be a protocol; and while it acknowledges that "Zero-knowledge encryption and zero-knowledge proof are different concepts", it twice states ZK proof is used for password verification in zero-knowledge encryption, which AFAIK is not even attempted in NordPass.