Zero-knowledge service
In cloud computing, zero-knowledge (or occasionally no-knowledge or zero access) is a commonly used term for online services that store, transfer or manipulate data with a high level of confidentiality, where the data is accessible only to the data's owner (the client) and not to the service provider. However, unlike "end-to-end encryption", the term "zero-knowledge" does not imply any specific threat model or security notion, and its use is commonly frowned upon by the security community.[1][2]
The term "zero-knowledge" was popularized by backup service SpiderOak, which later switched to using the term "no knowledge", acknowledging that the previous terminology was not technically accurate.[3]
Disadvantages
Most[citation needed] cloud storage services keep a copy of the client's password on their servers, allowing clients who have lost their passwords to retrieve and decrypt their data using alternative means of authentication. Zero-knowledge services do not store copies of clients' passwords,[4] so if a client loses their password, their data cannot be decrypted, making it practically unrecoverable.
Most[citation needed] cloud storage services are also able to fulfil access requests from law enforcement agencies for similar reasons; zero-knowledge services, however, are unable to do so, since their systems are designed to make clients' data inaccessible without the client's explicit cooperation.
References
- ^ Soatok. "What To Use Instead of PGP". Dhole Moments. Retrieved 7 April 2025.
- ^ Albrecht, Martin R.; Paterson, Kenneth G. (November 2024). "Analyzing Cryptography in the Wild: A Retrospective" (PDF). IEEE Security & Privacy. 22 (6): 3. doi:10.1109/MSEC.2024.3441764. Retrieved 7 April 2025.
- ^ SpiderOak. "Why We Will No Longer Use the Phrase Zero Knowledge to Describe Our Software". Medium. Retrieved 7 April 2025.
- ^ Kiefer, Franziskus; Manulis, Mark (2014). "Zero-Knowledge Password Policy Checks and Verifier-Based PAKE" (PDF). Computer Security - ESORICS 2014. Lecture Notes in Computer Science. Vol. 8713. pp. 295–312. doi:10.1007/978-3-319-11212-1_17. ISBN 978-3-319-11211-4.
- ^ Kiss, Jemima (2014-07-17). "Snowden: Dropbox is hostile to privacy, unlike 'zero knowledge' Spideroak". The Guardian. Retrieved 2021-05-29.
- ^ O'Sullivan, Fergus (2015-08-25). "What Exactly is Zero-Knowledge in The Cloud and How Does it Work?". Cloudwards. Retrieved 2021-05-29.
- ^ Farivar, Cyrus (2016-10-04). "FBI demands Signal user data, but there's not much to hand over". Ars Technica. Retrieved 2021-05-29.