Hacker News

Comment by Groxx | original | Opening up 'Zero-Knowledge Proof' technology to promote privacy in age assurance
[−]Groxx · 2026-07-02 Thu 00:27 UTC · link
I've been trying to figure out how zero-knowledge stuff would work in practice for age verification, where "when issued" (or extremely coarse, like what year), "to whom", and "where it's used" are hidden from everyone except the individual holding the proof (since that's the gold standard, and the only one worth accepting).

I get that ZK techniques work, and reveal "nothing". That's useful.

But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?

[−]doginasuit · 2026-07-02 Thu 00:45 UTC · link
My understanding as someone who is just learning about the tech is that zero-knowledge isn't a great description of what is happening. The issuer (some party with the proof, like the government) shares the knowledge and that is only valid for a single verifier. So knowledge is held and is shared, just the minimum amount possible to be credible.
[−]Aurornis · 2026-07-02 Thu 01:06 UTC · link
> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?

Yep!

This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.

That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.

All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.

[−]countcol · 2026-07-02 Thu 02:01 UTC · link
You can use a Linux… if it’s an Android

:(

[−]whiplash451 · 2026-07-02 Thu 02:48 UTC · link
We might be overcomplicating things here.

The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.

In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.

[−]denkmoon · 2026-07-02 Thu 03:01 UTC · link
Absolutely. We don't look at the use of false identity documents as a failure of age gating tobacco and alcohol, it's just an accepted consequence that we try to mitigate knowing that we cannot stop all instances.
[−]zeofig · 2026-07-02 Thu 03:57 UTC · link
I agree with your analysis, but doesn't that make this blogpost by Google a bit overoptimistic, or even disingenuous?
[−]semi-extrinsic · 2026-07-02 Thu 05:10 UTC · link
> Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution, anything above 90% is fine.

Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start to carry around backpacks with laptops.

Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.

[−]miki123211 · 2026-07-02 Thu 06:11 UTC · link
Oh you'd be surprised.

Social media is something people want. A large part of why people buy smartphones in the first place (especially at that age) is to be on social media. If you need to buy some weird kind of smartphone to do it, or ask your tech-savvy friend to do some voodoo on it for ten bucks, people absolutely will do that.

See the story of console modchips in eastern Europe for an example. Legal games were so expensive at that time that most kids / families weren't able to afford them. Console modchips existed, but they were difficult to install, and most people just didn't have the expertise. What ended up happening was that everybody "knew a guy", and that guy would do their modchip for a fee. They didn't need to know anything about rooting, ROMs, flashing or soldering, they gave a legal console to somebody and got a console that could play pirated games back.

[−]hexasquid · 2026-07-02 Thu 06:42 UTC · link
This is interesting in light of the discussion on Hacker News yesterday, where folk were talking about how they had to learn how to make games work on early PCs, given limitations that aren't present to the young today.

Motivated kids can find a way! Perhaps evading age gates will produce the next generation of hackers.

[−]Nursie · 2026-07-02 Thu 05:31 UTC · link
There are a variety of schemes possible that do not have these flaws.

There's an interesting post here which goes into some of this - https://blog.cryptographyengineering.com/2026/03/02/anonymou...

So -

> Yep!

Actually nope.

[−]mavhc · 2026-07-02 Thu 07:56 UTC · link
Why would a token a) last forever, and b) not be created as a response by your smart ID card to a challenge token?
[−]wmf · 2026-07-02 Thu 01:19 UTC · link
This is basically the double spending problem which has been solved in various ways.
[−]Groxx · 2026-07-02 Thu 01:21 UTC · link
It has? I've been under the impression that the "solutions" are "trust us, we don't allow that" (relying on an authority with full knowledge, as partial knowledge isn't sufficient) and "use more resources than anyone can feasibly contest" (bitcoin).

You could build a Merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.

[−]wmf · 2026-07-02 Thu 04:03 UTC · link
For example, Chaum's blind signatures https://en.wikipedia.org/wiki/Blind_signature let you create a credential that can be anonymously used once but it gets de-anonymized and invalidated if used a second time. This could be applied to age verification so that each credential could only be used once.
[−]Epa095 · 2026-07-02 Thu 01:28 UTC · link
Idk if this scheme is zero knowledge, but what's wrong with it? :

- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.

- you go to age-knower (e.g. bank or government page). You provide the secret phrase, and you get back a cryptographically signed JSON with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g. government or bank or whoever).

- you paste this signed JSON (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use its public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.

Is the problem that if ph and the attestee collude they can compare the secret string and figure out who you are?
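
The three-step flow proposed in the comment above, as an added example (not part of the thread): the age-knower signs a JSON payload carrying the site's secret, the site verifies it, and the final function shows the join on the shared secret that the comment asks about. The toy RSA key, the attester name `gov.example`, the session labels and both log structures are assumptions made for illustration.

```python
import hashlib
import json
import secrets

# Toy RSA key for the age-knower (assumption: Mersenne primes, illustration only).
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
TRUSTED = {"gov.example": (N, E)}  # hypothetical attester name -> public key

attester_log = []  # what the age-knower could retain: (citizen, secret)
site_log = {}      # what the site could retain: secret -> session


def digest(payload: dict, n: int) -> int:
    """Hash the canonical JSON form so both sides sign/verify the same bytes."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def attest(citizen: str, secret: str) -> dict:
    """Age-knower: identify the citizen, then sign {secret, claim, attester}."""
    payload = {"secret": secret, "claim": "above18", "attester": "gov.example"}
    attester_log.append((citizen, secret))
    return {"payload": payload, "sig": pow(digest(payload, N), D, N)}


def site_verify(token: dict, session: str, expected_secret: str) -> bool:
    """Site: check attester, signature, secret binding, then the claim."""
    p = token["payload"]
    key = TRUSTED.get(p.get("attester"))
    if key is None or pow(token["sig"], key[1], key[0]) != digest(p, key[0]):
        return False
    if not secrets.compare_digest(p.get("secret", ""), expected_secret):
        return False  # token was issued for a different session's secret
    if p.get("claim") != "above18":
        return False
    site_log[p["secret"]] = session
    return True


def collude() -> list:
    """Join both logs on the shared secret: (citizen, site session) pairs."""
    return [(c, site_log[s]) for c, s in attester_log if s in site_log]
```

Binding the token to the per-session secret stops one token being reused in another session, and that same secret is the value both parties can match on.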

[−]Groxx · 2026-07-02 Thu 01:39 UTC · link
Yes, that allows collusion. Which has historically happened quite regularly any time money or politics are involved, which means we should not accept that strategy.

For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.

[−]ekr____ · 2026-07-02 Thu 04:02 UTC · link
The proof is bound to a cryptographic key stored in a tamper-resistant module (as in a phone).

See https://educatedguesswork.org/posts/age-verification-id/#dev... for some more detail.

[−]wmf · 2026-07-02 Thu 04:16 UTC · link
So privacy 1, antitrust 0.
[−]tzs · 2026-07-02 Thu 04:18 UTC · link
Briefly, your government issues you a digital signed copy of a document, such as a driver's license or passport, that gets bound to a hardware security element that you own. In current implementations these are the secure elements of smart phones, but there is no reason that standalone hardware security elements could not be supported.

When you want to provide information from that document to a third party a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, and (3) the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").

This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.

Someone over 18 could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.

[−]baby · 2026-07-02 Thu 04:29 UTC · link
There are different ways to think about this:

1. Imagine what the protocol would look like without privacy (zk allows you to “sign” a computation, so just do the computation in the clear)

2. Imagine what the protocol would look like by revealing a hash of the passport only (the idea of a “nullifier”, a unique identifier that hides the data and can be revealed to prevent replays)

The first one should already answer your question: the way you would prevent replays or portability (I use your proof) is to attach some sort of session context to your proof

[−]vatsachak · 2026-07-02 Thu 05:32 UTC · link
Even if you had to submit a picture of your driver's license, you can send someone else's
[−]miki123211 · 2026-07-02 Thu 06:06 UTC · link
That's where trusted computing comes in.

Your proof proves two claims. That the person proving their age is over 18, and that they're using a device and software that hasn't been tampered with. That software requires human presence at every age check.

ZKPs for age assurance are trading off privacy at the expense of software malleability.

Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.

[−]vasco · 2026-07-02 Thu 06:20 UTC · link
> Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want

The released code can do all of that, and then nothing still assures me that they didn't implement just a POST <my whole information> to their partner and called it ZKP and pointed at Google's repo.

[−]vrypan · 2026-07-02 Thu 07:07 UTC · link
[−]rstuart4133 · 2026-07-02 Thu 07:49 UTC · link
> But if they reveal nothing, isn't it wide open for abuse?

Good point, they do contain more information than "They are over 18". The primary (usually only) thing is who is attesting they are over 18. That might be the government, or a bank.

That's inevitable, because the usual flow is rather like Google's OAuth - the site needing you to prove your age redirects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".

This can leak other information aside from the site knowing who is verifying your age. For example, done the wrong way, Google / the government could know what porn sites you like. OAuth, for example, leaks that sort of information. But there is no technical reason it has to be that way.

The major barrier to all this isn't whether it's possible to design a protocol that proves your age, having a driver's licence or even an amount in a bank account. It is absolutely possible. It's that to be useful, everyone has to agree on the same protocol. That has so far proved to be near insurmountable.