Comment by Groxx
5 days ago
I've been trying to figure out how zero-knowledge stuff would work in practice for age verification, where "when issued" (or extremely coarse, like what year), "to whom", and "where it's used" are hidden from everyone except the individual holding the proof (since that's the gold standard, and the only one worth accepting).
I get that ZK techniques work, and reveal "nothing". That's useful.
But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?
> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?
Yep!
This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.
That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.
All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.
> Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution, anything above 90% is fine.
Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start to carry around backpacks with laptops.
Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.
Oh you'd be surprised.
Social media is something people want. A large part of why people buy smartphones in the first place (especially at that age) is to be on social media. If you need to buy some weird kind of smartphone to do it, or ask your tech-savvy friend to do some voodoo on it for ten bucks, people absolutely will do that.
See the story of console modchips in eastern Europe for an example. Legal games were so expensive at that time that most kids / families weren't able to afford them. Console modchips existed, but they were difficult to install, and most people just didn't have the expertise. What ended up happening was that everybody "knew a guy", and that guy would do their modchip for a fee. They didn't need to know anything about rooting, ROMs, flashing or soldering, they gave a legal console to somebody and got a console that could play pirated games back.
This is interesting in light of the discussion on hacker news yesterday, where folk were talking about how they had to learn how to make games work on early PCs, given limitations that aren't present to the young today.
Motivated kids can find a way! Perhaps evading age gates will produce the next generation of hackers.
You can fix the leaked token problem if your prover also proves that (a) the private token id is not on the public revocation list, and (b) the token has not yet expired. Use short expirations and auto-renew, this is just to keep the revocation list from growing forever.
Attackers could still compromise the system with proxies, but you can fix that by (a) passing in a random sessionid from the server so proofs can't be replayed, (b) also passing in the server's public key, so a MITM attack will result in proof the server can't verify, and (c) as you mention, using secure hardware on the client, and encrypting communications between that hardware and the server. The secure hardware doesn't have to preclude general-purpose computers; it can work like a yubikey or hardware wallet, just plug into USB or bluetooth.
Without proxies, a leaked key has a minor impact unless it's widely distributed online, in which case it's easy to notice and add to the revocation list.
Tracking clients can be prevented if the client generates a new public key for each session.
Requiring hardware is in one sense a downside, and strong protections for access would have to be part of the law. But giving everyone secure cryptographic hardware that can do key management and zero-knowledge proofs would be a huge improvement for everyone's privacy and security, so it might be a good trade.
> Use short expirations
And now you can use time correlation attack to unmask people.
1 reply →
We might be over complicating things here.
The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.
In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.
Absolutely. We don't look at the use of false identity documents as a failure of age gating tobacco and alcohol, it's just an accepted consequence that we try to mitigate knowing that we cannot stop all instances.
From my limited knowledge of ZKP I believe there are protocols that don't allow token reuse, i.e., once you consume a token for one round, you cannot reuse it for another attestation.
Which requires some record keeper transaction.
Which turns into a handshake with the centralized entity, the government.
If every token is single use then you also need to get them all from the government, either on demand or in bulk. They can then be sold.
[dead]
There are a variety of schemes possible that do not have these flaws.
There's an interesting post here which goes into some of this - https://blog.cryptographyengineering.com/2026/03/02/anonymou...
So -
> Yep!
Actually nope.
Thanks for sharing, this was interesting to read! I wonder if the approach in the "How to win clone wars" section would also work to limit the number of accounts one can have on a given service (the article seems to rather consider rate limiting). It would be refreshing to have a forum where everyone is guaranteed to have at most 1 (or perhaps 2, say one anonymous and one with your name) account that is also backed by a unique government ID (without disclosing to the government your account or even that you have one). This could help a lot with the bot spam and trust issues.
why would a token a) last forever, and b) not be created as a response by your smart ID card to a challenge token?
> All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
SPOT ON! This needs to be plastered across the top of every single thread on "age verification" (really: identity verification).
Talk of "zero knowledge proofs" or other technical schemes are essentially just nerd sniping on this topic. These sound like really cool solutions where we can have our cake and eat it too, but the reality is that the cool technical bits are just the tip of the iceberg. For them to actually be secure (ie prevent the trivial proxying of credentials), there has to be another, much more draconian, part to the system.
Even if that part is missing to begin with, then calls to add it down the line will be inevitable once the idea that websites are responsible for verifying users "ages" (identities) has taken hold and those flaws become glaringly apparent.
I am a parent who will be staring down this issue in a few short years. The Internet is not the place we grew up. Faceboot and other engagement-farming companies are most certainly malevolent threats to the human psyche [0], and it's reasonable to assume that their effects are even stronger on developing minds.
The only approaches that are workable to protect kids as well as preserve Internet/computing freedom (which is actually an additional angle of protecting kids from continuing loss of freedom to roam) involve the client device being responsible for what to block/show, with information only ever flowing from the server to the client - for example tags that assert a site/app is suitable for people over a given age, and on-device parental control software that operates on those tags. If parental controls are enabled and a website has no tags, then the site does not display - failing closed and preserving compatibility with the open web.
Given that this is a dire problem that parents face that has reached a tipping point, it would be reasonable to create a legal mandate that mass market device manufacturers must include parental control software that can be enabled during setup process, and that websites over a certain size have to include tags stating their age appropriateness. That would bootstrap the ecosystem and lead to the development of more vibrant tags and blocking software, enabling parents to set their own policies independent of corporate attorneys decreeing what is acceptable for their kids.
[0] It is also worth keeping in mind that it is exactly Faceboot and its ilk that are pushing these identity verification laws in the first place! They are simply trying to remove their legal liability for harming kids, so they can otherwise continue business as usual
You can use a Linux… if it’s a Android
:(
I agree with your analysis, but doesn't that make this blogpost by google a bit overoptimistic, or even disingenuous?
Briefly, your government issues you a digital signed copy of a document, such as a driver's license or passport, that gets bound to a hardware security element that you own. In current implementations these are the secure elements of smart phones, but there is no reason that standalone hardware security elements could not be supported.
When you want to provide information from that document to a third party a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, (3) and the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").
This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.
Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
TPM can solve the "neither side gets info about who you are or where it's used" part, but it seems like that might mean any TPM leak also means a single token can be used infinitely without detection, yea? Otherwise it's uniquely identifying, which wouldn't be even slightly private.
> Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
You can still automate age-verification-as-a-service using a physical autoclicker on a smartphone with the camera oriented at a screen showing QR codes. I expect this to happen, and for that reason I also expect true anonymity to be something that will last a year or so until it will be politically decided to fix the issue using some central party that verifiers have to contact to impose rate limiting.
My understanding as someone who is just learning about the tech is that zero-knowledge isn't a great description of what is happening. The issuer (some party with the proof, like the government) shares the knowledge and that is only valid for a single verifier. So knowledge is held and is shared, just the minimum amount possible to be credible.
> But if they reveal nothing, isn't it wide open for abuse?
Good point, they do contain more information than "They are over 18". The primary (usually only) thing is who is attesting they are over 18. That might be the government, or a bank.
That's inevitable, because the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This can leak other information aside from the site knowing who is verifying your age. For example, done the wrong way, the Google / the government could know what porn sites you like. OAuth, for example leaks that sort of information. But there is no technical reason it has to be that way.
The major barrier to all this isn't whether it's possible to design a protocol that proves your age, having a driver's licence or even an amount in a bank account. It is absolutely possible. It's that to be useful, everyone has to agree on the same protocol. That has so far proved to be near insurmountable.
> the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL which is to receive a presentation of the age credential, and then the smartphone generates a unique presentation signed by a device bound key and sends it to that endpoint.
It is however true that in addition to the one bit of information saying age>18, what is also revealed is the public key of the identity provider. This will at least reveal the nationality of the credential holder and - in the case there are multiple issuers within a nation - may reveal even more information about their demography.
> This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL
The nit you look to be picking is "redirect" means "a web page directs your browser to go to another URL". That is an interpretation you could use, but I was using a broader one. In the EU case, it isn't the browser following the redirect, it's you. The "server" you are redirected to is a government-provided app on your phone that implements openid4vp. But the underlying principle is still the same - you are "redirected" to a third-party proof-of-age provider, who sends a reply signed by the provider.
To the OP: openid4vp is an example of a protocol that is about as private as you can get. It all works offline, so the government does not know what sites you have visited. And the age verifier has no idea who owns the phone. As you say, the connection between the phone and the person holding it is a weakness; junior could just borrow big brother's phone to prove his age.
Idk if this scheme is zero knowledge, but what's wrong with it? :
- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.
- you go to age-knower (e.g bank or government page). You provide the secret phrase, and you get back a cryptographically signed json with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g government or bank or whoever).
- you paste this signed json (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use it's public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.
Is the problem that if ph and the attestee colludes they can compare the secret string and figure out who you are?
Yes, that allows collusion. Which has historically happened quite regularly any time money or politics are involved, which means we should not accept that strategy.
For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.
That's where trusted computing comes in.
Your proof proves two claims. That the person proving their age is over 18, and that they're using a device and software that hasn't been tampered with. That software requires human presence at every age check.
ZKPs for age assurance are trading off privacy at the expense of software malleability.
Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.
> Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.
But note that it does have everything to do with software freedom. Being able to read the source is little consolation if you're unable to modify it. And preventing users from using modified software is the entire point of remote attestation.
"Zero-Knowledge Proof" based schemes for this problem is nothing more than a marketing scheme by Google to continue locking down devices and the previously-open web ala WEI, SafetyNet, etc. https://news.ycombinator.com/item?id=48760232
> Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want
The released code can do all of that, and then nothing still assures me that they didn't implement just a POST <my whole information> to their partner and called it ZKP and pointed at google's repo.
There are different ways to think about this:
1. Imagine what the protocol would look like without privacy (zk allows you to “sign” a computation, so just do the computation in the clear)
2. Imagine what the protocol would look like by revealing a hash of the passport only (the idea of a “nullifier”, a unique identifier that hides the data and and can be revealed to prevent replays)
The first one should already answer your question: the way you would prevent replays or portability (I use your proof) is to attach some sort of session context to your proof
The proof is bound to a cryptographic key stored in a tamper-resistant module (as in a phone).
See https://educatedguesswork.org/posts/age-verification-id/#dev... for some more detail.
So privacy 1, antitrust 0.
This may help: https://blog.vrypan.net/2026/06/29/260629-whats-wrong-with-e...
This is basically the double spending problem which has been solved in various ways.
It has? I've been under the impression that the "solutions" are "trust us, we don't allow that" (relying on an authority with full knowledge, as partial knowledge isn't sufficient) and "use more resources than anyone can feasibly contest" (bitcoin).
You could build a merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.
For example, Chaum's blind signatures https://en.wikipedia.org/wiki/Blind_signature let you create a credential that can be anonymously used once but it gets de-anonymized and invalidated if used a second time. This could be applied to age verification so that each credential could only be used once.
I should really look into blinding strategies some time - there are some very interesting possibilities in there.
Even if you had to submit a picture of your driver's license, you can send someone else's