Re: [cryptography] Zero knowledge as a term for end-to-end encryption

2013-02-13 Thread Tony Arcieri
On Tue, Feb 12, 2013 at 10:27 PM, ianG i...@iang.org wrote:

> AFAIK, the term 'least authority' as used by Tahoe-LAFS folks does not
> refer to 'zero knowledge' as per cryptographic protocols, but to the
> concept of least authority as derived from the 'capabilities' school of
> security thought.


I strongly agree that capabilities are quite important to the Tahoe-LAFS
idea of least authority, and I have been following the project for many
years. But I think the Tahoe style of least authority and end-to-end
encryption go hand-in-hand.

Tahoe's capabilities are crypto capabilities, a.k.a. capabilities as
keys. The capability tokens are the cryptographic keys themselves. This
means the entire storage system is opaque to anyone who doesn't hold at
least a readcap. The system, by design, deals only in ciphertext. It's
ciphertext all the way down.

After the launch of MEGA, I've seen several sites (e.g. SpiderOak) trying
to claim to be the first to have invented this concept. I don't know who
did it first, but I'm pretty sure Tahoe was the first to actually get it
right.

-- 
Tony Arcieri
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
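
The "capabilities as keys" idea in the message above, as an added example that is not part of the original post and is not Tahoe-LAFS code. It is a simplified model of an immutable file: the names ReadCap, VerifyCap, StorageServer, upload, attenuate, verify and download are hypothetical, and the SHAKE-256 XOR keystream is a standard-library stand-in for a real cipher.

```python
import hashlib, hmac, os
from typing import NamedTuple

class ReadCap(NamedTuple):        # holder can locate, verify AND decrypt
    key: bytes
    ct_hash: bytes

class VerifyCap(NamedTuple):      # holder can locate and verify, never decrypt
    storage_index: bytes
    ct_hash: bytes

def _h(tag: bytes, data: bytes) -> bytes:
    """Domain-separated SHA-256, so each derived value is one-way."""
    return hashlib.sha256(tag + b"\x00" + data).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): tolerable only because every key encrypts
    # exactly one file. A real system would use a vetted cipher here.
    stream = hashlib.shake_256(b"enc\x00" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def storage_index(key: bytes) -> bytes:
    return _h(b"index", key)[:16]   # tells the server where, not what

class StorageServer:
    """Maps storage index -> ciphertext. It never receives a key."""
    def __init__(self):
        self.blobs = {}
    def put(self, index: bytes, blob: bytes) -> None:
        self.blobs[index] = blob
    def get(self, index: bytes) -> bytes:
        return self.blobs[index]

def upload(server: StorageServer, plaintext: bytes) -> ReadCap:
    key = os.urandom(32)            # fresh per file: the capability IS the key
    ct = _xor_stream(key, plaintext)
    server.put(storage_index(key), ct)
    return ReadCap(key, _h(b"ct", ct))

def attenuate(cap: ReadCap) -> VerifyCap:
    """Derive the weaker capability; the key cannot be recovered from it."""
    return VerifyCap(storage_index(cap.key), cap.ct_hash)

def verify(server: StorageServer, cap: VerifyCap) -> bool:
    return hmac.compare_digest(_h(b"ct", server.get(cap.storage_index)), cap.ct_hash)

def download(server: StorageServer, cap: ReadCap) -> bytes:
    if not verify(server, attenuate(cap)):
        raise ValueError("stored ciphertext does not match capability")
    return _xor_stream(cap.key, server.get(storage_index(cap.key)))
```

Handing someone the VerifyCap lets them audit that the server still holds the right bytes without being able to read them; the server itself holds less than that.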


[cryptography] Zero knowledge as a term for end-to-end encryption

2013-02-12 Thread Tony Arcieri
I have seen several services/people using the phrase zero knowledge
recently, e.g.:

https://spideroak.com/

Based on my understanding of zero knowledge proofs and the traditional use
of zero knowledge in cryptography, this usage seems... novel, to put it
politely. In the case of SpiderOak, they're using it to mean "we never see
plaintext and we hold no keys to your ciphertexts so there's no way we can
read them."

I've seen the Tahoe-LAFS folks, for example, attempt to use the phrase
least authority to imply the same thing, which makes sense to me, but
figuring out what least authority means in the context of a distributed
filesystem may be a tad... indirect.

Is there a better phrase to describe this? End-to-end encryption?
Client-side encryption? Or is it okay to let people start using the phrase
zero knowledge to refer to this idea?

How do people feel about zero knowledge being used in this way?

-- 
Tony Arcieri


Re: [cryptography] Zero knowledge as a term for end-to-end encryption

2013-02-12 Thread ianG

On 13/02/13 05:33 AM, Tony Arcieri wrote:

> I have seen several services/people using the phrase zero knowledge
> recently, e.g.:
>
> https://spideroak.com/
>
> Based on my understanding of zero knowledge proofs and the traditional
> use of zero knowledge in cryptography, this usage seems... novel, to
> put it politely.



Not without some precedent, there was a company called Zero Knowledge 
Systems back in the early 2000s that tried to build what we now would 
see as a Skype or Tor competitor.



> In the case of SpiderOak, they're using it to mean "we
> never see plaintext and we hold no keys to your ciphertexts so there's
> no way we can read them."
>
> I've seen the Tahoe-LAFS folks, for example, attempt to use the phrase
> least authority to imply the same thing, which makes sense to me, but
> figuring out what least authority means in the context of a
> distributed filesystem may be a tad... indirect.



AFAIK, the term 'least authority' as used by Tahoe-LAFS folks does not 
refer to 'zero knowledge' as per cryptographic protocols, but to the 
concept of least authority as derived from the 'capabilities' school of 
security thought.  This school has it in short that once one agent has 
authority over some object (data perhaps) then there is no economic 
model available to us to stop that agent from sharing the authority (by 
accident or intent) and thus breaching security.  Given this 'truth', it 
derives that the best strategy for security is to reduce the amount of 
authority in many and serious ways.



> Is there a better phrase to describe this? End-to-end encryption?
> Client-side encryption? Or is it okay to let people start using the
> phrase zero knowledge to refer to this idea?



As a technical paradigm, the capabilities school models everything more 
or less in the same way as OO programming.  Every active thing is an 
object, and references (called capabilities) are passed around 
carefully.  I think this fits precisely with what Tahoe-LAFS tries to do 
(although I'm writing from osmosis not real knowledge).  It seems from a 
quick browse that SpiderOak use the same design?




> How do people feel about zero knowledge being used in this way?



Although there are parallels, I don't think it helpful to interchange 
the terms 'least authority' and 'zero knowledge' in more technical 
conversations.  They operate at different layers or levels, and achieve 
rather different things.


That said, in the world of marketing, it is far more appropriate to tell 
the customer something they understand.  Least authority isn't 
meaningful to the end-user;  zero knowledge does come much closer to 
what grandma can conceive of.


iang