Groxx 7 hours ago

I've been trying to figure out how zero-knowledge stuff would work in practice for age verification, where "when issued" (or extremely coarse, like what year), "to whom", and "where it's used" are hidden from everyone except the individual holding the proof (since that's the gold standard, and the only one worth accepting).

I get that ZK techniques work, and reveal "nothing". That's useful.

But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?

Aurornis 6 hours ago | parent | next [-]

> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?

Yep!

This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.

That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.

All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.

semi-extrinsic 2 hours ago | parent | next [-]

> Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution, anything above 90% is fine.

Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start to carry around backpacks with laptops.

Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.

miki123211 an hour ago | parent | next [-]

Oh you'd be surprised.

Social media is something people want. A large part of why people buy smartphones in the first place (especially at that age) is to be on social media. If you need to buy some weird kind of smartphone to do it, or ask your tech-savvy friend to do some voodoo on it for ten bucks, people absolutely will do that.

See the story of console modchips in eastern Europe for an example. Legal games were so expensive at that time that most kids / families weren't able to afford them. Console modchips existed, but they were difficult to install, and most people just didn't have the expertise. What ended up happening was that everybody "knew a guy", and that guy would do their modchip for a fee. They didn't need to know anything about rooting, ROMs, flashing or soldering, they gave a legal console to somebody and got a console that could play pirated games back.

hexasquid an hour ago | parent | prev [-]

This is interesting in light of the discussion on hacker news yesterday, where folk were talking about how they had to learn how to make games work on early PCs, given limitations that aren't present to the young today.

Motivated kids can find a way! Perhaps evading age gates will produce the next generation of hackers.

whiplash451 5 hours ago | parent | prev | next [-]

We might be overcomplicating things here.

The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.

In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.

denkmoon 5 hours ago | parent | next [-]

Absolutely. We don't look at the use of false identity documents as a failure of age gating tobacco and alcohol, it's just an accepted consequence that we try to mitigate knowing that we cannot stop all instances.

countcol 5 hours ago | parent | prev | next [-]

You can use a Linux… if it’s an Android

:(

Nursie 2 hours ago | parent | prev | next [-]

There are a variety of schemes possible that do not have these flaws.

There's an interesting post here which goes into some of this - https://blog.cryptographyengineering.com/2026/03/02/anonymou...

So -

> Yep!

Actually nope.

zeofig 4 hours ago | parent | prev [-]

I agree with your analysis, but doesn't that make this blogpost by google a bit overoptimistic, or even disingenuous?

vrypan 25 minutes ago | parent | prev | next [-]

This may help: https://blog.vrypan.net/2026/06/29/260629-whats-wrong-with-e...

miki123211 an hour ago | parent | prev | next [-]

That's where trusted computing comes in.

Your proof proves two claims. That the person proving their age is over 18, and that they're using a device and software that hasn't been tampered with. That software requires human presence at every age check.

ZKPs for age assurance are trading off privacy at the expense of software malleability.

Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.

vasco an hour ago | parent [-]

> Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want

The released code can do all of that, and then nothing still assures me that they didn't just implement a POST <my whole information> to their partner, call it ZKP and point at Google's repo.

tzs 3 hours ago | parent | prev | next [-]

Briefly, your government issues you a digital signed copy of a document, such as a driver's license or passport, that gets bound to a hardware security element that you own. In current implementations these are the secure elements of smart phones, but there is no reason that standalone hardware security elements could not be supported.

When you want to provide information from that document to a third party, a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, and (3) the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").

This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.

Someone over 18 could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.

baby 3 hours ago | parent | prev | next [-]

There are different ways to think about this:

1. Imagine what the protocol would look like without privacy (zk allows you to “sign” a computation, so just do the computation in the clear)

2. Imagine what the protocol would look like by revealing a hash of the passport only (the idea of a “nullifier”, a unique identifier that hides the data and can be revealed to prevent replays)

The first one should already answer your question: the way you would prevent replays or portability (I use your proof) is to attach some sort of session context to your proof

doginasuit 7 hours ago | parent | prev | next [-]

My understanding as someone who is just learning about the tech is that zero-knowledge isn't a great description of what is happening. The issuer (some party with the proof, like the government) shares the knowledge and that is only valid for a single verifier. So knowledge is held and is shared, just the minimum amount possible to be credible.

Epa095 6 hours ago | parent | prev | next [-]

Idk if this scheme is zero knowledge, but what's wrong with it? :

- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.

- you go to age-knower (e.g. bank or government page). You provide the secret phrase, and you get back a cryptographically signed json with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g. government or bank or whoever).

- you paste this signed json (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use its public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.

Is the problem that if ph and the attestee colludes they can compare the secret string and figure out who you are?

Groxx 6 hours ago | parent [-]

Yes, that allows collusion. Which has historically happened quite regularly any time money or politics are involved, which means we should not accept that strategy.

For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.

ekr____ 3 hours ago | parent | prev | next [-]

The proof is bound to a cryptographic key stored in a tamper-resistant module (as in a phone).

See https://educatedguesswork.org/posts/age-verification-id/#dev... for some more detail.

wmf 3 hours ago | parent [-]

So privacy 1, antitrust 0.

vatsachak 2 hours ago | parent | prev | next [-]

Even if you had to submit a picture of your driver's license, you can send someone else's

wmf 6 hours ago | parent | prev [-]

This is basically the double spending problem which has been solved in various ways.

wmf 3 hours ago | parent | next [-]

For example, Chaum's blind signatures https://en.wikipedia.org/wiki/Blind_signature let you create a credential that can be anonymously used once but it gets de-anonymized and invalidated if used a second time. This could be applied to age verification so that each credential could only be used once.
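
An added example, not part of the thread or of any project mentioned in it: Epa095's signed-secret flow next to Chaum-style RSA blinding as wmf mentions, showing why a colluding site and issuer can join their logs in the first case and not in the second. It covers only blinding plus a per-site spent list, not the construction that de-anonymizes on a second use; the toy RSA key, the in-memory logs and all function names are assumptions made for illustration.

```python
import hashlib, math, secrets

# Toy issuer RSA key (constructed for this example; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> int:
    """Hash to an integer modulo N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

issuer_log = []   # what the age-knower could record: (user, value it signed)
spent = set()     # tokens this site has already accepted

def issuer_sign(user: str, value: int) -> int:
    """Issuer checks the user's age out of band, then signs the value it is given."""
    issuer_log.append((user, value))
    return pow(value, D, N)

def plain_flow(user: str, site_secret: bytes):
    """Signed-secret scheme: the issuer sees the same value the site later sees."""
    m = h(site_secret + b"|above18")
    return m, issuer_sign(user, m)

def blind_flow(user: str):
    """Chaum blinding: the issuer signs m * r^E and never sees m or the final signature."""
    token = secrets.token_bytes(16)
    r = 0
    while math.gcd(r, N) != 1:                # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = (h(token) * pow(r, E, N)) % N
    sig = (issuer_sign(user, blinded) * pow(r, -1, N)) % N   # unblind
    return token, sig

def site_accept(token: bytes, sig: int) -> bool:
    """Site verifies the issuer signature and refuses a token it has seen before."""
    if pow(sig, E, N) != h(token) or token in spent:
        return False
    spent.add(token)
    return True

def colluding_join(value_seen_by_site: int):
    """Users the issuer's log links to a value the site saw."""
    return [u for u, v in issuer_log if v == value_seen_by_site]
```

The spent set only stops replay at the site that holds it; sharing it between sites would need a common token registry, which is a separate design decision.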

Groxx 6 hours ago | parent | prev [-]

It has? I've been under the impression that the "solutions" are "trust us, we don't allow that" (relying on an authority with full knowledge, as partial knowledge isn't sufficient) and "use more resources than anyone can feasibly contest" (bitcoin).

You could build a merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.