Development and study of a methodology for implementing a zero-knowledge cryptographic protocol to ensure privacy in age verification

Abstract

In modern web systems, user age verification is critical for compliance with legislation protecting minors in the online environment. Traditional approaches to age verification include uploading document copies, credit card verification, and Short Message Service confirmation. These methods have several drawbacks, such as privacy violations, risks of personal data leakage, and non-compliance with General Data Protection Regulation requirements. Given the strengthening of European Union regulatory requirements (Digital Services Act, 2024) and growing user concerns about personal data preservation, there is a need to implement new approaches that balance effective verification and privacy preservation. This study examines a method based on Zero-Knowledge Proofs (ZKP) cryptography, which allows users to mathematically prove their adulthood without revealing their exact date of birth or other personal data. The approach uses the Groth16 ZKP protocol and the snarkjs library to generate cryptographic proofs on the client side. The system architecture includes local processing of digital documents through optical character recognition (OCR), generation of ZKP proof for the statement "age ≥ 18 years", and server verification without access to personal data. A comparative analysis showed that the ZKP approach significantly outperforms traditional methods in privacy protection while maintaining reasonable verification accuracy. Accuracy depends on OCR quality: 90-95% for high-quality scans at 300+ DPI (up to 98% under ideal conditions with preprocessing), 40-70% for typical smartphone photos using Tesseract OCR, though commercial specialized ID OCR solutions can achieve 90-98%. The method ensures compliance with the GDPR data minimization principle, as the server receives only cryptographic confirmation of adulthood without storing any personal data. Proof generation time is 40-50 seconds on modern mobile devices for typical circuits, though this can be reduced to 10-15 seconds for the simplest schemes under optimal conditions, which remains acceptable for non-critical applications where privacy is prioritized over speed. The approach can resist forgery attempts due to the cryptographic properties of ZKP protocols. A critical limitation is the requirement for integration with trusted data sources (government APIs or document NFC chips) to ensure input data authenticity, as ZKP provides verification privacy but not source authentication without additional cryptographic mechanisms. The architecture is suitable for non-critical applications where privacy compliance is prioritized.