"zero knowledge" does not seem to be the right term

[kwantam]

The project's description says

Zbox is a zero-knowledge, privacy-focused embeddable file system.

This seems to be false: there is nothing "zero knowledge" about this (or any) filesystem. Zero knowledge is a property of a proof; informally, it means that the proof reveals nothing except its correctness [1].

I think the term you're looking for is something closer to "semantic security" [2], meaning that the filesystem does not leak anything about the contents except their length.

I am aware that several other projects currently misuse this terminology in the same way you are. It's harmful to your users (in that it misinforms them), to the community (in that it confuses useful pieces of terminology), and to your project (in that it looks unschooled) to follow their example.

[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof
[2] https://en.wikipedia.org/wiki/Semantic_security

[burmecia]

Yes, totally agree.

I am even aware of there was a long discussion about zero-knowledge on Hacker News.

• https://news.ycombinator.com/item?id=13303436
• https://news.ycombinator.com/item?id=13852139

The reason why I am using it is mainly for marketing purpose. I understand for those who have cryptography background, zero-knowledge has a strict meaning and may think this term is misleading when it is used in an improper way. But for the other broader audience with less or without crypto mind, zero-knowledge may has more simple and straightforward meaning to them.

I am going to put more clear words in the disclaimer section in regarding this. Thanks for your suggestions anyway, @kwantam !

[kwantam]

Sorry, but this reasoning does not make sense to me. You know that you're lying about the properties of zbox and that sophisticated users will recognize this, and you are choosing to make a false statement. This is harmful to the community, the project, and your users, full stop. In more detail:

• I completely reject the premise that saying "zero knowledge" is simpler and more straightforward than just saying "secure." In fact, I don't think you believe it, either! My evidence is that you said you're using the phrase for "marketing purposes." In other words, the goal isn't to inform potential users, it's to impress them with fancy-sounding terminology. "Secure" is the simple, straightforward, and correct term.

• If zbox becomes popular, it will be because it is known and recommended as a reliable, secure, usable piece of code---not because you manage to trick naive developers into using it with lies"marketing."

  Meanwhile, it's safe to assume that misusing the term "zero knowledge" will make sophisticated developers avoid your library---if you can't even get the terminology right, how on earth are you going to get the security right?

If you are really worried that users will not use zbox because you don't call it "zero knowledge," a more constructive approach is to use the proper terminology ("semantically secure" or just "secure") in your project description, and then add a FAQ like

Is zbox a "zero knowledge" filesystem?

The term zero knowledge has been misused by other projects. There is no such thing as a "zero knowledge filesystem"---it is a misuse of cryptographic terminology and it does not mean anything. The correct term is semantically secure, which means that the filesystem reveals nothing about its contents other than an upper bound on the total size. This is a very strong security property, and it is one that most other secure filesystems do not give (for example, because they leak metadata).

[jedisct1]

Zbox looks like a terrific project, but I agree that the "zero-knowledge" terminology is misleading here, and should be removed from the description.

[burmecia]

Thanks @jedisct1 and @kwantam , your suggestions are really making sense to me now. The term is indeed misleading in professionals' eyes. I even saw somebody is already misled on reddit.

Alright, as I do prefer the word zero, actually that's the name Zbox comes from, I am going to change the term to zero leakage, what do you guys think?

[jedisct1]

Why not just "encrypted"? Or if you want to add an adjective, "fully encrypted"?

With "zero leakage", people are going to point out side channels.

[kylone]

If you're trying to keep zero and part of the description, perhaps "zero details"? Use something that's not confusable with a wrongly used cryptographic term.

edit: Hmm, "zero environment" maybe?

[diegomarcov]

At SpiderOak, we changed the term "Zero Knowledge" to "No Knowledge" for this exact same reason a few months ago. Here's our blog post about it.

[pinkisemils]

On a similar note, it seems that nothing has been done to ensure that the plaintext password or the encryption keys never get written out to disk during swapping.

[letalvoj]

Well it worked. I clicked on the link just because of that particular term. Subjectively the feeling of being cheated was weaker than my overall positive impression.

This project is cool. You've got the initial attention. IMHO it's time to change it to reflect the reality.

[burmecia]

Why not just "encrypted"? Or if you want to add an adjective, "fully encrypted"?

With "zero leakage", people are going to point out side channels.

@jedisct1 , good point. But IMHO that will lost the most differential selling point, and makes people thinking "oh, nothing new there, that's just anther boring encrypted file system".

[burmecia]

If you're trying to keep zero and part of the description, perhaps "zero details"? Use something that's not confusable with a wrongly used cryptographic term.

edit: Hmm, "zero environment" maybe?

@kylone , "zero details" sounds a more proper term for me. Thanks.

[burmecia]

At SpiderOak, we changed the term "Zero Knowledge" to "No Knowledge" for this exact same reason a few months ago. Here's our blog post about it.

@diegomarcov , yes I saw that discussion happened on HN as well, and you guys done a great job when dealing with it.

[burmecia]

On a similar note, it seems that nothing has been done to ensure that the plaintext password or the encryption keys never get written out to disk during swapping.

@pinkisemils , managing the plaintext password is not Zbox's responsibility. As you can see from this link, open() method only accepts &str as the password. It is the application's job to destroy the password after use.

For the encryption key, it is derived from the plaintext password by libsodium password hash, and all the keys are managed by the SafeBox (src/base/crypto.rs), which uses sodium_memzero, sodium_malloc and sodium_free to ensure the key is safe and will not be written to disk. Thanks @jedisct1 for your awesome libsodium!

[burmecia]

Well it worked. I clicked on the link just because of that particular term. Subjectively the feeling of being cheated was weaker than my overall positive impression.

This project is cool. You've got the initial attention. IMHO it's time to change it to reflect the reality.

@letalvoj , thanks. I will change it soon in the next release.

[burmecia]

I've changed the term to zero-details, this issue is now fixed by c41cb83.

[pinkisemils]

@burmecia Thank you very much for elaborating!