3

According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown here:

https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489

NordPass has yet to walk back its claim to a zero knowledge architecture:

https://nordpass.com/features/zero-knowledge-architecture/#

Is it technically wrong to claim that “no knowledge” is the same as “zero knowledge” as SpiderOak previously did? If so, why?

tdMJN6B2JtUe
  • 185
  • 7

1 Answer

2

The cryptography outlined on the NordPass page is not using zero-knowledge as that's understood in a cryptographic context, which is (per the Handbook of Applied Cryptography, chapter 10):

a zero-knowledge protocol allows a proof of the truth of an assertion, while conveying no information whatsoever about the assertion itself other than its actual truth.

Instead, NordPass uses zero-knowledge architecture (or zero-knowledge encryption, zero-knowledge cloud storage) to mean they do not hold the encryption key to the user data they store (including the password vault). They describe a system with a master password, turned into a key for encryption with XChaCha20, by key stretching using Argon2. All this is symmetric cryptography, entirely unrelated to zero-knowledge as considered in the first paragraph and quote.

At least I do not see them using zero knowledge to qualify one of their protocols, or a proof made of something in their system.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
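To make the quoted definition concrete, here is an added example (not part of the answer above, and not NordPass or SpiderOak code) of a protocol that is zero-knowledge in the cryptographic sense: Schnorr identification, chosen here as an illustration, which is honest-verifier zero-knowledge. The group parameters are toy values constructed for the example, and all function names are hypothetical. The `simulate` function is the point: accepting transcripts can be produced without the secret, so a transcript conveys nothing about it, a property that encrypting a vault under a password-derived key neither has nor needs.

```python
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Prover's secret x and the public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Prover picks a fresh nonce k and sends the commitment t = g^k mod p."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def challenge():
    """Honest verifier replies with a uniformly random challenge c."""
    return secrets.randbelow(Q)

def respond(x, k, c):
    """Prover's response s = k + c*x mod q; k masks x completely."""
    return (k + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate(y):
    """Build an accepting transcript WITHOUT knowing x.

    Choose c and s first, then solve for t = g^s * y^(-c). The result has
    the same distribution as a real run with an honest verifier, which is
    why such transcripts reveal nothing about x.
    """
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

def run_protocol(x, y):
    """One honest three-move run: commit, challenge, respond, verify."""
    k, t = commit()
    c = challenge()
    s = respond(x, k, c)
    return (t, c, s), verify(y, t, c, s)

if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y)[1])
    print("simulated transcript accepted:", verify(y, *simulate(y)))
```
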