| There is some discussion of that sort of system here [1]. Search for "zero knowledge proof of age" or "zero knowledge age verification" or similar and you should find more. Another approach uses digital signatures. The naive approach that isn't very good from a privacy point of view would work something like this. We have three parties: (1) U, a user that wants to use a site V, (2) V, a site that wants verification that its users are at least 18, and (3) T, a site that U is willing to reveal personal information to that proves their age to T. Good candidates for T would be sites that already have U's information, such as a site run by their government or their bank. In this naive approach what would happen is V would give U some sort of login token, U would pass that token to T along with sufficient proof for T to verify U is at least 18, and then T would sign the token and give the signed token back to U. T would use a signature that they only use for for verifications that age is at least 18. If they offered other verification service, such as verification that a person lives is a resident of a specific state, they would have a different signature for those. U would verify that the token was signed with T's "at least 18" signature, and U has passed age verification. That's not good as far as privacy goes because T sees the contents of the token. They could log it, and someone who obtained those logs and the logs of V could match them up. Also T could recognize from the format of the token that it is a V token so T would know what site you are trying to sign up for. That can be addressed by replacing the signature with a blind signature. A blind signature is a kind of digital signature where before sending the token to T to sign U can apply a special transformation that essentially randomizes the token. T only sees that transformed token and signs it. What's special about the transformation is that if the inverse transformation is applied to the signature of the transformed token it produces a signature for the original token. You then end up with the original token and a T signature for that token, which you can give to V just as in the naive case. What T sees no longer matches anything V issues, and no longer looks like a V token. If the volume of verifications at T is too low and the volume of people verifying at V is too low someone who obtains both T and V logs might make some deductions from timing. If age verification requirements become widespread so that it isn't just porn sites but nearly all social media sites and e-commerce sites, the T sites should have enough volume that timing attacks aren't effective. You could further reduce their effectiveness by adding some delays. Wait a few hours after getting your transformed token signed by T before completing the verification at V. You could also toss in fake requests to T. Send them random tokens every now and then to sign and then throw the tokens and signatures away. Then T, or someone who is spying on T, won't have any idea which of those requests are for real verifications and which are just noise. [1] https://crypto.stackexchange.com/questions/96232/zkp-prove-t... |