Hacker News

krunck today at 1:48 PM (2 replies)

"ZKP makes it possible for people to prove that something about them is true without exchanging any other data. So, for example, a person visiting a website can verifiably prove he or she is over 18, without sharing anything else at all."

But not "...without sharing anything else even when setting up your token."

Can I prove that some cryptographic token A) doesn't contain any PII and B) that the token itself can't be used as an ID tied to my identity in a Google or government database?

No and no. So, I do not support schemes like this.


Replies

rcxdude today at 2:32 PM

As I understand it, ZKPs can prove both those properties. You can get a certificate from whoever is trusted to verify that you're over 18, and then you can use that to generate tokens that only encode the information 'X has verified that I am over 18' without either the original verifier or the entity you are providing it to being able to link that to the original certificate.

See section 2 of this document: https://eudi.dev/2.4.0/discussion-topics/g-zero-knowledge-pr... . If there are any objections that this is not technically feasible to achieve in practice, I would like to know what they are.

(Also, AFAIK, setting up such a thing would comply with any of the age-verification laws that are being proposed around the world. You could even set this up as two arms of the same company and be able to prove to your users that while you've seen all their IDs, you cannot link their usernames to their IDs. This still isn't the best because you're still handling their PII with the associated risk of leaks, but it's a lot better than anyone is doing ATM.)
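An added example, not part of the comment above or of the linked document: a toy Chaum-style RSA blind signature, a simpler primitive than the zero-knowledge schemes under discussion, showing the issuer/verifier unlinkability the comment describes. The key, the function names and the convention that this key means "over 18" are assumptions made for the illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    """Hash a token serial into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def user_blind(token: bytes):
    """User hides the token from the issuer with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer checked the ID out of band; it signs without seeing the token."""
    return pow(blinded, D, N)

def user_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def site_verify(token: bytes, sig: int) -> bool:
    """Relying site learns only that the 'over 18' key signed this serial."""
    return pow(sig, E, N) == h(token)

def explains(transcript, token: bytes, sig: int) -> bool:
    """Is there a blinding factor linking this issuer transcript to this token?"""
    blinded, blind_sig = transcript
    r = (blind_sig * pow(sig, -1, N)) % N
    return (h(token) * pow(r, E, N)) % N == blinded

def run_demo(users=3):
    transcripts, tokens = [], []
    for _ in range(users):
        token = secrets.token_bytes(16)           # random serial, no PII
        blinded, r = user_blind(token)
        blind_sig = issuer_sign(blinded)
        transcripts.append((blinded, blind_sig))  # all the issuer ever sees
        tokens.append((token, user_unblind(blind_sig, r)))
    valid = all(site_verify(t, s) for t, s in tokens)
    # Every issuance is consistent with every token, so pooled issuer and
    # site logs cannot tell which user presented which token.
    linkable = [[explains(tr, t, s) for t, s in tokens] for tr in transcripts]
    return valid, linkable
```

This covers unlinkability of the token values only; timing, IP addresses and token reuse can still correlate a user across issuer and site.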

geek_at today at 2:03 PM

Of course not? The idea would be that a government (which already has your age data, for example) will allow you to create a signed message, and the platform you are verifying your age to doesn't know who you are or what age you are, only that you are of age.