Hacker News
by miki123211 103 days ago
Europe is rolling out ZKP afaik.

The actual problem with ZKP is that you need a way to prevent generating thousands or millions of assertions from one ID and distributing them to whoever wants one, in a way which is undetectable and unstoppable by the government, and the only way to do that is with Google Play Integrity Protection and such.


Sort of, but not really. They have a design document for how ZKP-based age verification would be implemented in the white-label prototype app, but it is my understanding that the first implementation to be rolled out in the early adopter countries like mine (Denmark) will be based on "trust me, bro" central verifiers who promise not to do logging, with ZKP mentioned as a possible future alternative. Until I see the requirement of ZKP or equivalent provable zero-trust privacy guarantees in the law, I consider the promise of ZKP as a distraction (lie) to shut down the harshest criticism.

Google Play Integrity is not a requirement, but governments think it is. All you need to avoid trivial duplication of certificates is that keys are bound to a device which is also able to perform the primitive cryptographic operations needed to construct a ZKP proof. This could be achieved using a USB dongle. Still proprietary technology, but the scope of what needs to be locked down is much, much smaller than with a solution like Play Integrity.

> This could be achieved using a USB dongle.

What stops one from selling access to that USB dongle over the internet, anonymously doing thousands of verifications per second, cardsharing[1] style?

With Google Play Integrity Protection, each such verification needs a human physically clicking buttons on the device, which makes things much harder.

[1] https://en.wikipedia.org/wiki/Card_sharing

Built-in rate limiting perhaps? What you describe is also just rate limiting, and buttons/swipes can always be faked, also on a smartphone using mechanized fingers. What do you think Play Integrity adds that cannot be done on a USB dongle?