Comment by JimDabell

1 day ago

Note that this is an implementation of eIDAS:

https://news.ycombinator.com/item?id=45521738

> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.

You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults. You can have the issuing government in the loop signing one-time tokens to stop Adults-Georg from creating 10k 18+ attestations per day, but then the issuing government and the service providers have a timing side-channel they can use to correlate identities to service users. Is there some other scheme I'm missing that solves this dilemma?

  • > It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.

    This is not designed to prevent adults from coöperating with minors; that makes no sense as a design goal because any technical measure can always be bypassed with “download this for me and give me the file”. This is designed to prevent minors from being able to access systems without an adult.

    Nothing prevents an adult from buying alcohol on behalf of minors; that doesn’t mean laws that prevent minors from directly buying alcohol are useless.

    • But laws against selling/giving alcohol to minors are moderately successful at curbing teen alcohol use because they carry with them a risk of punishment that grows with the scale of the operation. If all it took was one adult who thought "kids should be allowed to drink if they want" to provide all the kids in the country with free booze and that adult had no meaningful fear of repercussions, the laws would be nothing but sternly worded advice.

      If the proof of adulthood scheme is truly anonymous, one adult with some technical chops who thinks "kids should be allowed to watch porn if they want" would be able to, say, run an adult-o-matic-9000 TOR hidden service that anyone can use to pinky promise that they are an adult without fear of repercussions. If such a service comes with a meaningful risk of being identified and punished, it is by definition not anonymous.

      I suppose I'm just not convinced giving up some basic liberties for a law that converts into sternly worded advice if just one adult chooses to break it is a great idea.

  • > You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults

    The certificates in question can use a few mitigations: short lived, hardware stored (in a TPM, making distribution harder), be single use, have a random id which the service being accessed can check how many times has been used.

    > but then the issuing government and the service providers have a timing side-channel they can use to correlate identities

    That's not really a concern, IMO. That would always exist as a risk - most people would probably have a flow of trying to do something, having to prove ID/age, doing that step, continuing with the something, which means you'd probably be able to time correlate the two sides quite often. The solution here is legal with strong barriers, not technical.

  • Can attestations be rate-limited or is that the timing side-channel you are talking about?

    • Precisely. To rate-limit attestations you either need government somewhere in the loop so that they get notified and can revoke certificates when they detect abuse (but then they can correlate requests to prove adulthood with the service provider), or you need the proof of adulthood to be tied to the certificate in some way that the service provider can tell if a certificate is being re-used. But then anyone with a copy of all the certificates (read: the government) can re-run the proof on their end and figure out who is who.
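
The trade-off described in this reply, as an added sketch that is not part of the thread or of the EU project's code. It assumes a hypothetical reuse tag computed as SHA-256 over a credential serial that the issuer also stores plus a service identifier, and it does not model the zero-knowledge proof itself; all names and serials are constructed.

```python
import hashlib
from collections import Counter

def reuse_tag(serial: bytes, service_id: str) -> str:
    """Per-service tag a relying party could use to count presentations.

    Assumption: the tag depends only on the credential serial (which the
    issuer also holds) and the public service identifier.
    """
    return hashlib.sha256(serial + b"|" + service_id.encode()).hexdigest()

class RelyingParty:
    """Hypothetical service that rate-limits presentations per tag."""

    def __init__(self, service_id: str, max_uses: int):
        self.service_id = service_id
        self.max_uses = max_uses
        self.seen = Counter()

    def accept(self, tag: str) -> bool:
        """Accept a presentation unless this tag has reached its limit."""
        if self.seen[tag] >= self.max_uses:
            return False
        self.seen[tag] += 1
        return True

def issuer_relink(issued: dict, service_id: str, observed_tags) -> dict:
    """Recompute every holder's tag from issuer records and match the logs."""
    table = {reuse_tag(s, service_id): holder for holder, s in issued.items()}
    return {tag: table[tag] for tag in observed_tags if tag in table}

# Constructed issuer records: holder -> credential serial.
ISSUED = {"holder-A": b"serial-0001", "holder-B": b"serial-0002"}

def demo():
    rp = RelyingParty("example-site", max_uses=2)
    tag_a = reuse_tag(ISSUED["holder-A"], rp.service_id)
    results = [rp.accept(tag_a) for _ in range(3)]  # third use is refused
    # The service only ever saw an opaque tag, yet the issuer's records
    # are enough to map that tag back to a holder.
    relinked = issuer_relink(ISSUED, rp.service_id, list(rp.seen))
    return results, relinked

if __name__ == "__main__":
    print(demo())
```
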

Can you give a brief explanation of how this is done with a zero-knowledge proof? That site is low information and painful to navigate, and it seems quite surprising to me that this is possible. ID verification, in the government sense, is ostensibly going to require matching an ID against some other resource. If done locally then you can trivially spoof the result, akin to hacking a game, but if done remotely then it's not zero-knowledge.

I think a zero-knowledge system here would be quite desirable. But a centralized repository that is e.g. maintaining tabs on every single adult-authorization for every single person with verifiable details of them is, by contrast, a dystopic disaster waiting to happen because it will be hacked, leaked, and abused, sooner or later.

  • Most countries in the EU already have widely accepted identity proof apps mostly verified by the banks or the government itself. Once verified the identity app gets a certificate which is signed by the authority which issues the identity. We all know how that works as that’s how TLS works as well. The zero proof age check is based on verifiable credentials and the related verifiable presentation. Once you have a wallet with your identity it’s not hard to issue cryptographic proofs of some properties of your credentials, and age is a property of your identity credentials basically. To learn more about the technical details, search for the specifications I mentioned above: verifiable credentials, verifiable presentations.

    • Ah, and the sites (or whatever else) can then verify the key is valid locally? Assuming that is the case, that'd make for a surprisingly nice system, further assuming that the produced credential is not reversible. I'm highly cynical and so I expected it to be a backdoor for surveillance as it feels like most things under the pretext of 'won't anybody think about the children' are.

You are mixing things up, and EU abbreviations do not help.

Many countries in EU already have electronic identity documents and delegate authentication to mobile apps one way or another.

eID or mobile identity application operating over QR codes and used to log into websites and apps is a commodity here.

This has nothing to do with age verification.

  • I’m not sure what you are saying I am mixing up.

    The article links to the source code repository here:

    https://github.com/eu-digital-identity-wallet/av-app-android...

    That links to the tech spec:

    > The solution leverages the existing eIDAS infrastructure, including eIDAS nodes and the trust framework for trusted services, to ensure a high level of security and reliability. By aligning with the technical architecture of the EU Digital Identity Wallet ARF, the solution delivers secure, reusable, and interoperable proofs of age.

    > The solution enables users to present their Proof of Age attestation to Relying Parties, primarily for online use cases. The system is optimised for secure and privacy-preserving online presentation, allowing users to prove their eligibility without disclosing unnecessary personal information.

    https://github.com/eu-digital-identity-wallet/av-doc-technic...

    Annex A includes details on the ZKP:

    > AVI SHOULD support the generation of Zero-Knowledge Proofs using the solution detailed in: "Matteo Frigo and abhi shelat, Anonymous credentials from ECDSA, Cryptology ePrint Archive, Paper 2024/2010, 2024, available at https://eprint.iacr.org/2024/2010".

    https://github.com/eu-digital-identity-wallet/av-doc-technic...

    And the linked paper:

    > Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is ” without revealing any other attributes such as their name or date of birth.

    https://eprint.iacr.org/2024/2010

    • You're both right.

      Without exposing my citizenship, I was able to use my EU-nation issued ID to confirm only my year of birth.

      The website supported this country's national ID login method, in the login challenge asked the server to provide my age, before I signed in to confirm (scanning qr code with my mobile app) I was informed what data was requested, then I consented to them confirming my data.

      Not very sensitive things work without my physical ID present, sensitive have additional step with me providing my physical ID (to the NFC reader) and unlocking my key (stored on the ID) with a pin.

      All in all it's really very sensible and fast.

      Not necessarily the EU ID apps we're talking about but some of the existing implementations.

> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

That's the theory. How is it in practice?

In my opinion, it just means there is a single government database to hack to get copies of all IDs...

By the way have the "security experts" checking this app evaluated that part? Or they're just worried about the app users cheating?

  • > In my opinion, it just means there is a single government database to hack to get copies of all IDs...

    That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.

    The implementations I've seen rely on an app reading your physical ID and its NFC chip, comparing that with a selfie to ensure it's the same person, and being able to provide anonymous proof you are of age based on that, or proof that you are indeed who you say you are.

    • > That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.

      Yes and those databases are decently protected. However for an "app" someone will do a web 4.0 or 6.0 bridge to access these databases. Maybe even vibe code it. That's what I'm worried about.

The alternative would be to just not do anything and to remove liability from Meta et al. In the world we live in, where competing interests already spent tens of billions to bribe/lobby the EU, we have to be realistic about it.

This open source and transparent ZKP-based approach is extremely surprising to see, publishing a draft in advance and inviting the public to break it so it can be improved? Are you kidding me? What about the billions of private investment in all the companies that offer centralized ID checks like Persona, Socure, ID.me and more? That's a growing billion dollar industry. They all counted on this as a future market opportunity that the EU just seems to have destroyed at least in the EU?

People fighting against this age id app might be paradoxically useful idiots for billion dollar investments and lobbying efforts. The demos is once again dragged into the trenches to fight a war they don't understand.

  • The main issue appears to be that as per the blueprint user MUST use one of the mandated handsets (iPhone or Android with pre-installed and privileged Google Services) and:

    - MUST use either Google or Apple account
    - must not be banned by the provider or sanctioned in the USA

    These issues have been flagged to the devs working on the blueprint since the inception, only to be handwaved away.

    Getting banned can happen randomly even if you're not doing anything illegal or wrong (it's enough for a robot to decide you're within the blast radius), getting sanctioned can happen if you're a UN lawyer investigating human rights abuses USA actually likes.

    So I do see a problem here.

  • > The alternative would be to just not do anything and to remove liability from Meta et al.

    Or just give parents easy to use parental controls. But that wouldn't grow the surveillance state.

> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.

No it isn't.

Literally that is not the scope document, and such a solution would not be permitted by the EU as compliant with the legislation.

The app isn't zero knowledge. A prototype workflow has been designed for a one way transfer to sites that is zero knowledge, but it doesn't actually deliver zero knowledge because you have to verify your age with an external provider to get the credential (which is not zero knowledge), the app has to be secured with either Apple or Google's attestation services (which are not zero knowledge), and the site has to be able to check with the original external provider that the credential hasn't been revoked (which is in no way zero knowledge).

  • Zero knowledge proofs are when the prover can prove the statement is true to the verifier without disclosing more information beyond the statement. It doesn’t mean the prover cannot talk to other systems to produce the statement.

    • That only works in the context of when the sender isn't the adversary, which isn't the case in an age verification system - it very much does treat the sender as the enemy and untrusted. And again, the revocation chain on the backend is not zero proof.