Hacker News · June 12, 2026

Encrypted Spaces: An Architecture for Trustworthy Collaborative Applications on Untrusted Servers

Encrypted Spaces proposes an architectural pattern for building collaborative applications where data confidentiality and user control are paramount, even when relying on untrusted cloud servers. It achieves this through careful application of cryptography, including change logs and zero-knowledge proofs, to ensure data is encrypted at rest and in transit, and server operations are cryptographically verifiable. The core idea is to shift trust from the server to cryptographic verification, enabling collaborative features without compromising sensitive user data.

The Challenge of Trust in Cloud Collaboration

Modern collaborative applications, while convenient, centralize sensitive user data on cloud servers. This introduces significant risks: data exposure through breaches or insider threats, loss of user control over data sharing and retention policies, and self-censorship due to uncertainty about server data handling. Encrypted Spaces directly addresses these challenges by proposing an architecture where applications can operate on untrusted infrastructure while maintaining strong confidentiality and verifiability guarantees for users.

Encrypted Spaces Architectural Principles

  • Untrusted Server, Trusted Client: The server acts solely as a data store and synchronization point, never holding plaintext user data.
  • Verifiable Operations: Users can cryptographically verify that servers behave correctly, ensuring data integrity and correct application of changes.
  • Schema-Driven Encryption: An application data schema explicitly defines what data is encrypted versus what the server can see (for query support), balancing privacy with functionality.
  • Integrated Security: The system handles membership, access control, and key management seamlessly, abstracting cryptographic complexities from users and developers.
  • Attributable Changes: All data modifications are cryptographically attributed to their authors, enhancing auditability.

Core Mechanisms: Change Logs and Zero-Knowledge Proofs

The architecture relies on a persistent change log to record every user-made alteration to encrypted data. To efficiently synchronize clients without replaying the entire history, Encrypted Spaces leverages zero-knowledge proofs. These proofs allow users to verify that they have the latest version of their group's data and that all changes have been correctly applied by the untrusted server, without needing to process every individual change in the log or reveal underlying data.

Simplified Data Flow in Encrypted Spaces

1. A user makes a change (e.g., updates a row in a table).
2. The client encrypts the change and sends it to the server.
3. The server appends the encrypted change to a global, verifiable change log.
4. The server generates zero-knowledge proofs demonstrating the state transition and the validity of the log.
5. Other clients fetch the new encrypted changes and proofs, verify them, and update their local state; no decryption ever happens on the server.
6. Key management ensures that only authorized users can decrypt the data relevant to them.
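As an added illustration, not code from the Encrypted Spaces paper or its SDK, the Go below sketches the change-log half of steps 2, 3 and 5: the untrusted server stores only opaque, author-signed, hash-chained entries, and a syncing client rejects anything the server reordered, dropped, spliced or altered. It assumes Ed25519 for attribution and SHA-256 for the chain, takes the encrypted change as ciphertext already produced by the client, and replays the whole log instead of checking a zero-knowledge proof, which is exactly the cost the paper's proofs are meant to remove.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is all the server stores or relays: opaque ciphertext plus what clients need to check order and authorship.
type Entry struct {
	Seq    uint64
	Prev   [32]byte          // hash of the previous entry; all zero for the first
	Author ed25519.PublicKey // attribution: the member who made the change
	Body   []byte            // already-encrypted change; the server cannot read it
	Sig    []byte            // Ed25519 signature over Seq, Prev, Author and Body
}

// signed is the canonical byte string covered by the signature and by the hash chain.
func (e *Entry) signed() []byte {
	b := binary.BigEndian.AppendUint64(nil, e.Seq)
	b = append(b, e.Prev[:]...)
	b = append(b, e.Author...)
	return append(b, e.Body...)
}
func (e *Entry) hash() [32]byte { return sha256.Sum256(append(e.signed(), e.Sig...)) }

// Append is the client side of a write: chain the encrypted change to the current head and sign it.
func Append(log []Entry, priv ed25519.PrivateKey, ciphertext []byte) []Entry {
	e := Entry{Seq: uint64(len(log)), Author: priv.Public().(ed25519.PublicKey), Body: ciphertext}
	if len(log) > 0 {
		e.Prev = log[len(log)-1].hash()
	}
	e.Sig = ed25519.Sign(priv, e.signed())
	return append(log, e)
}

// Verify is the client side of a sync: sequence numbers and the hash chain must be intact (nothing
// reordered, dropped or spliced) and a current member must have signed every entry. Returns the head hash.
func Verify(log []Entry, members map[string]bool) ([32]byte, error) {
	var head [32]byte
	for i, e := range log {
		if e.Seq != uint64(i) || e.Prev != head {
			return head, fmt.Errorf("entry %d: chain broken", i)
		}
		if !members[string(e.Author)] || !ed25519.Verify(e.Author, e.signed(), e.Sig) {
			return head, fmt.Errorf("entry %d: not signed by a current member", i)
		}
		head = e.hash()
	}
	return head, nil
}
```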

Prototyping a Sync Engine

The research includes a prototype sync engine, similar to Firebase or Supabase, built on the Encrypted Spaces SDK. This engine abstracts the low-level verifiable data operations (inserts, updates, deletions) and provides higher-level data structures (Tables, Lists, TextAreas) to applications. This demonstrates the practicality of building user-friendly applications that benefit from the strong privacy and integrity guarantees of Encrypted Spaces, while still offering a familiar developer experience.

Tags: cryptography, zero-knowledge proofs, collaborative applications, data privacy, untrusted servers, end-to-end encryption, sync engine, verifiable computation