Demonstration of a privacy-preserving age verification process

The protocol relies primarily on a cryptographic concept named “group signature”. In cryptographic terms, this primitive allows users to sign anonymously inside of a group. The expression “anonymously” is to be taken in its cryptographic sense; according to GDPR, this would be qualified as “pseudonymization”.

Considering this is a signature generated by a member of the group, it is impossible (except for an authority) to know which member generated it. To build such a primitive, we combine two fundamental blocks in cryptography:

- On one side, digital signatures (which allow a person to certify a piece of data and then anyone can verify that certificate)

- And on the other side, zero-knowledge proofs (ZK) allowing to prove knowledge of a secret without revealing it

Thanks to the combination of these primitives, an authority can generate a public key, add members to that group and provide a certificate of their own public key which is valid through the main key of the group. Then, group members are able to sign challenges for users, who in turn will be able to prove they own a challenge signed by someone belonging to the group. This way, ZK proofs guarantee both pseudonymity for the authority that processed the signature (via the ZK propriety) and the fact that it is indeed a member of that group (via the soundness propriety, namely, that no one can forge a fake proof). As a result, the service-providing website is certain of the user’s age validity without actually knowing who certified it.

Olivier Blazy is a cyber security professor in the Computer Science department of 'École Polytechnique. He has been a researcher in cryptography for 10 years, his research interest includes various topics including privacy cryptography and post-quantum cryptography. At the national level, he co-manages the CNRS Coding and Cryptography working group within the Research Group (GDR) Computer Security and the Research Group (GDR) Computer-Sicence and Mathematics.

To illustrate the mechanisms at work in the previous box, the LINC provides an open source demonstrator on the following platforms: Github, Adullact and dockerhub.io. This demo has been co-desienged with Olivier Blazy from LIX (c.f. supra)  and the development has been done with the PEReN in the context of a convention. We recommend to use the latter, as it only requires the installation of the software Docker and the use of the following command prompt once authenticated to this platform:

docker run -p 9091:9091 -p 9092:9092 -p 9093:9093 cnil/siggroup 

Its code is freely modifiable and reusable, commercially or not, under reserve of being credited.

This demonstrator simulates the functioning of the three entities that are necessary for the setup of a zero-knowledge age-verification proof exchange, i.e. :

- A website requiring age-verification for access to its content
- One or more “certified” websites to verify the user’s real age
- A “trusted” authority granting certification of those website

In the version made available by the LINC, these three entities are accessible from a browser at the following addresses: website or service (https://localhost:9093), certified third-party ( https://localhost9091), certifying authority ( https://localhost:9092).

This demonstrator illustrates the prerequisites laid out by the CNIL on the age-verification procedures for trusted third-party relying websites: the proof-of-age used includes neither the user’s real identity nor the website’s identity that provides the certificate for age verification, while ensuring that the age-verification process is compliant with the requirements specified. The certified websites for age verification have no information whatsoever on the purpose of this verification, and the user’s information and browsing habits remain confidential.

The website or service’s interface (by default localhost:9093) allows for the initialization and the download of a challenge to be signed by a certified third-party. Each downloaded challenge is unique and associated to a required age and has a limited lifespan.

The person using the service (in this case, Bob or Alice) has to upload the challenge on a certified third-party’s interface intended to verify users age (by default localhost:9091). To each identified user on this platform is associated a name and age. The demonstrator has two test-users available after initialization: Bob who is 16 years-old, and Alice, who is 25 years-old. The website’s interface also allows for the creation of new users. The challenge’s signature can only be carried out if the user has the required age to access the website (18 years-old by default). If they have the required age, the user (here, Alice) can download and share the signed challenge to the website that verifies its authenticity. The signature of the challenge is considered valid if and only if it is issued by a third-party certified by the “trusted authority”. Furthermore, it does not contain information directly revealing the user’s real identity.

The certifying authority’s interface (by default localhost:9092) allows for the simulation of certifying new third-parties authorized to verify user’s age. By default, the demonstrator has two certified third-parties for age verification. In the event a third party is deprived of its certification because its age-verification process is no longer in line with the requirements specified by the trusted authority, a revocation mechanism allows the invalidation of the signatures generated by this third-party. The accreditation process thus allows conducting age-verification audit by a “higher-trust” or “main” authority.