Google just open-sourced Longfellow ZK, its zero-knowledge proof library for identity protocols. The same week, the European Commission confirmed that its age verification blueprint is feature-ready and urged Member States — including Ireland — to roll out implementations by 31 December 2026. If your web application serves users in the EU, zero-knowledge proofs have moved from cryptography lecture halls to your product roadmap.
TL;DR
- Google has open-sourced Longfellow ZK, a production-grade zero-knowledge proof library for privacy-preserving age verification.
- The EU is pushing Member States to deploy age verification solutions by the end of 2026, with Ireland among the front-runner pilot countries.
- Zero-knowledge proofs let users prove a claim (e.g. “I am over 18”) without revealing any personal data — no date of birth, no ID number, no name.
- Web platforms subject to the Digital Services Act (Article 28) will need to integrate age assurance mechanisms that respect privacy by design.
- Development teams should start evaluating ZKP integration patterns now, before the compliance deadline arrives.
What Are Zero-Knowledge Proofs, in Plain English?
A zero-knowledge proof (ZKP) is a cryptographic method where one party proves a statement is true to another party without revealing any information beyond the truth of that statement. In practical terms: a user visiting your website can verifiably prove they are over 18 without sharing their name, date of birth, passport number, or anything else. The only information your server receives is a boolean — yes or no.
This is a fundamental shift from how age verification works today. Most current approaches require users to upload identity documents, submit to facial recognition scans, or hand over credit card details. Each of these creates a data liability, a privacy risk, and a friction point that tanks conversion rates. ZKPs eliminate all three.
Why This Is Happening Now
Three forces have converged to push ZKPs from Web3 novelty to mainstream web infrastructure:
1. Google’s Longfellow ZK Goes Open Source
Google built its ZKP library in partnership with Sparkasse, one of Europe’s largest financial institutions, and released it under the Apache 2.0 licence. This is not a research prototype — it is production-grade code designed for identity protocols at scale. The library is available on GitHub, and any development team can now integrate privacy-preserving verification without building cryptographic primitives from scratch.
Google Wallet already uses ZKPs for age verification, with Bumble as an early integration partner. The open-sourcing signals that Google expects this pattern to become an industry standard, not a proprietary advantage.
2. The EU Age Verification Blueprint Is Feature-Ready
The European Commission’s age verification solution became feature-ready on 15 April 2026. It is designed to be fully interoperable with the forthcoming EU Digital Identity (EUDI) Wallets mandated under the revised eIDAS Regulation. The Commission is now urging Member States to have implementations live by the end of this year.
Seven front-runner countries are already piloting the solution: France, Denmark, Greece, Italy, Spain, Cyprus, and — notably for Irish businesses — Ireland. The blueprint explicitly encourages privacy-enhancing technologies including zero-knowledge proofs as part of the credential presentation layer.
3. The Digital Services Act Demands Action
Article 28 of the DSA requires online platforms to take appropriate measures to ensure a high level of privacy, safety, and security for minors. Age verification is the enforcement mechanism. Platforms that collect excessive personal data to verify age are likely to find themselves on the wrong side of both the DSA and the GDPR simultaneously. ZKP-based solutions offer a path that satisfies both regulations without creating new data processing liabilities.
What This Means for Development Teams
If you are building or maintaining a web application that serves EU users — particularly one involving age-restricted content, e-commerce for regulated goods, financial services, or social platforms — here is what your team needs to be thinking about.
Understand the Integration Pattern
ZKP age verification follows a three-party model:
- Issuer: A trusted identity provider (government, bank, or accredited verifier) issues a credential to the user’s wallet.
- Holder: The user stores the credential in their EUDI Wallet or compatible application and generates a zero-knowledge proof when prompted.
- Verifier: Your web application verifies the proof cryptographically without ever seeing the underlying data.
Your application only needs to implement the verifier role. You will present a verification challenge, receive a proof, and validate it against the issuer’s public parameters. No personal data touches your servers. No GDPR data processing agreement needed for the verification itself.
Prepare Your Authentication Architecture
If your application currently uses traditional age-gating (date of birth fields, credit card checks, or document uploads), you will need an abstraction layer that can support both legacy methods and ZKP-based verification. Not all users will have EUDI Wallets on day one, so a graceful fallback is essential.
Consider building a verification provider interface now. When the EUDI Wallet ecosystem matures, you swap in the ZKP verifier without touching your business logic.
Watch the EUDI Wallet Timeline
The revised eIDAS Regulation mandates that all EU Member States offer at least one EUDI Wallet. The age verification blueprint is designed to plug directly into these wallets. For Irish businesses, this means your customers will soon have a government-backed, privacy-preserving way to prove their age. Your application needs to be ready to accept it.
Know the Limitations
ZKPs are not a silver bullet. Brave’s research team has identified that when proofs are combined with contextual signals — the site where the credential is used, the identity of the credential issuer, or the user’s location — the resulting data can still uniquely identify individuals. Development teams must be careful not to log or correlate verification metadata in ways that reconstruct identity from supposedly anonymous proofs.
There are also performance considerations. ZKP verification involves cryptographic computation that is heavier than a simple API call. For high-traffic applications, you will need to benchmark proof verification times and potentially offload verification to edge workers or dedicated services.
A Practical Starting Point
You do not need to implement ZKP verification tomorrow. But you should be doing three things right now:
- Audit your current age verification flow. Document what personal data you collect, where it is stored, and what your legal basis is under GDPR. This audit will tell you exactly how much liability ZKP verification can eliminate.
- Explore Longfellow ZK. Clone the repository, run the examples, and understand the verification API surface. Even if you do not ship it this quarter, familiarity with the tooling will shorten your integration timeline when the EUDI Wallet launches.
- Design for provider abstraction. Whether you are building a new feature or maintaining an existing platform, ensure your verification logic is decoupled from any single provider. The age verification landscape will fragment before it consolidates — your architecture should handle that gracefully.
The Bigger Picture
Zero-knowledge proofs represent something larger than age verification. They are the first mainstream application of a technology that will reshape how web applications handle identity, credentials, and trust. Once users have ZKP-enabled wallets, the same pattern extends to proving employment status, professional qualifications, financial standing, or membership — all without exposing underlying documents.
For development teams, this is a genuine architectural shift. The web is moving from a model where applications collect and store identity data to one where they verify cryptographic proofs and store nothing. That is better for privacy, better for security, and — once the infrastructure matures — significantly better for user experience.
At REPTILEHAUS, we work with teams navigating exactly these kinds of architectural transitions — from Web3 infrastructure and cryptographic integration to compliance-driven platform modernisation. If your team is evaluating how ZKP-based verification fits into your product roadmap, get in touch. We have been building at the intersection of Web3 and mainstream web development since before it was fashionable.
📷 Photo by Markus Spiske on Unsplash

