TL;DR: Google's open-source Longfellow ZKP library shipped v0.9 on March 31, 2026, cutting the prover's memory footprint from 600MB to under 200MB. The library, written primarily in C++ under an Apache 2.0 license, is designed to let a user prove a single attribute (for example, "over 18") from a mobile ID credential without revealing anything else. The European Union's eIDAS regulation, set to take effect in 2026, encourages member states to fold the same kind of cryptography into the EU Digital Identity Wallet ("EUDI Wallet"). German savings bank Sparkasse is Google's first national partner for the rollout. The same technology is now the most credible technical answer to the age-verification bills stacking up in California, New York, Illinois, and the UK. The trade: this only works if the underlying digital ID is real, which means the surveillance fight shifts from "show me your face" to "do you trust the wallet issuer."
What Actually Changed on March 31
On March 31, 2026, Google's Longfellow ZKP repository shipped v0.9, the project's first major release of the year [1]. The headline change: the prover, the part of the system that generates a cryptographic proof on the user's phone or laptop, now runs in under 200MB of memory. The previous build sat at 600MB [1]. That is the cut that determines whether the library can ever run inside a wallet app on a mid-range Android handset.
The release notes describe the change as a focus on "reducing memory utilization," with "more idiomatic C++ for circuit creation" and fixes to issues #139 and #140 [1]. The repository itself has 241 commits, is 97.7% C++ with a thin Go wrapper, and is released under Apache 2.0 [2]. The repo's name comes from a bridge near the Google Cambridge office [2]. None of that matters to a user. What matters is that the code now fits inside the kind of process budget a phone app actually has.
What Zero-Knowledge Proofs Actually Do Here
The cryptography is real, and it is built around a problem that almost every age-verification bill in 2026 has been trying to solve badly.
Alan Stapelberg, Group Product Manager for Google Wallet, described the mechanism in plain language when the library first went open source on July 3, 2025: "a person visiting a website can verifiably prove he or she is over 18, without sharing anything else at all" [3]. The library implements what Google calls the "ZKP" pattern: "ZKP makes it possible for people to prove that something about them is true without exchanging any other data" [3].
Under the hood, Longfellow works with three credential formats: ISO MDOC, JWT, and W3C Verifiable Credentials [2]. The user holds a signed credential from an issuer (a state DMV, a national ID authority, a Sparkasse branch) that says, for example, "date of birth: 1991-04-12." When a website asks "are you over 18?", the wallet app runs a proof on the device. The website receives a yes-or-no answer plus a cryptographic signature proving the credential was issued by a trusted authority. The website never sees the birthdate, the name, the credential number, or any other field [2][3].
This is a categorical shift from the dominant 2026 model, in which a user uploads a photo of an ID or runs a face scan, and a vendor stores a copy of both. The Discord breach in 2025 exposed roughly 70,000 age-verification IDs to a third-party vendor, which is the kind of outcome ZKP is supposed to make structurally impossible [4].
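The over-18 check described in this section, as an added example that is not Longfellow code and does not use its API: a hash-chain threshold proof, a much simpler technique than the library's zero-knowledge circuits, with the same information flow between issuer, wallet, and website. All function names are hypothetical, and an HMAC stands in for the issuer's public-key signature.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed key. HMAC stands in for the issuer's public-key signature;
# a real verifier would hold only the issuer's public key.
ISSUER_KEY = os.urandom(32)

def hash_n(value: bytes, n: int) -> bytes:
    """Apply SHA-256 n times."""
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue(dob: date, today: date):
    """Issuer: sees the birthdate, signs only a commitment to the age."""
    seed = os.urandom(32)                      # secret, never leaves the wallet
    age = age_on(dob, today)
    commitment = hash_n(seed, age)             # H^age(seed)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    wallet = {"seed": seed, "age": age}        # held on the device
    public = {"commitment": commitment, "tag": tag}  # shown to websites
    return wallet, public

def prove(wallet: dict, threshold: int):
    """Wallet: proof of age >= threshold, or None when the claim is false."""
    if wallet["age"] < threshold:
        return None                            # would need a SHA-256 preimage
    return hash_n(wallet["seed"], wallet["age"] - threshold)

def verify(public: dict, proof, threshold: int) -> bool:
    """Website: gets yes/no; never sees the birthdate or the exact age."""
    if proof is None:
        return False
    expected = hmac.new(ISSUER_KEY, public["commitment"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, public["tag"]):
        return False                           # commitment not from the issuer
    return hmac.compare_digest(hash_n(proof, threshold), public["commitment"])

if __name__ == "__main__":
    # Constructed sample: the birthdate from the text, checked on a fixed date.
    wallet, public = issue(date(1991, 4, 12), date(2026, 3, 31))
    print(verify(public, prove(wallet, 18), 18))
```

Unlike a zero-knowledge proof over the credential, this toy scheme shows the website the same commitment at every presentation, so it hides the birthdate but does not hide that two checks came from the same credential.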
Why Sparkasse Is the Lead EU Partner
Sparkasse, Germany's network of public-law savings banks, is named in Google's 2025 announcement as the first national credential partner for the EU age-assurance rollout [3]. The framing matters: Sparkasse is not a payments processor, it is one of the largest retail banking networks in Europe, and its customers already hold government-issued IDs that German law treats as identity-of-record for opening accounts.
The Google post ties the partnership directly to eIDAS. "The European Union's eIDAS Regulation set to take effect in 2026 encourages Member States to integrate privacy-enhancing technologies like ZKP into the European Digital Identity Wallet," the post reads [3]. The "EUDI Wallet" is the cross-border digital ID that every EU member state is now obligated to make available to citizens under eIDAS 2.0, and Google's open-source release is positioned as the technical substrate Member States can fold into their national wallet builds [3].
The German rollout through Sparkasse is a test case for whether a ZKP-based wallet can scale past a Google demo. If a Sparkasse customer can prove "over 18" to a website using nothing but a phone tap, the same plumbing ports to any other EU bank that issues digital credentials.
Why US State Bills Keep Circling the Same Problem
The US side of the story has been running in parallel. California's AB 1043 (the Digital Age Assurance Act) and New York's SAFE for Kids Act both force platforms to age-gate users. Illinois just passed HB 5511, a sweeping device-level age-gating framework that the EFF formally asked Governor J.B. Pritzker to veto on June 29, 2026 [5]. The UK Online Safety Act has been driving age-verification vendor selection through 2026 [6].
The EFF's June 29 letter to Pritzker describes HB 5511 as "a massive privacy and free speech nightmare" that would "effectively dismantle online anonymity, jeopardize data security, and severely restrict access to constitutionally protected speech" [5]. The bill is modeled on California's AB 1043 and New York's SAFE for Kids Act [5]. None of these bills require a privacy-preserving proof mechanism. They all assume the platform or a third-party vendor inspects an ID or a face.
This is where Longfellow's v0.9 release becomes a live policy question. If the technical answer to "verify this user is over 18" is "ask their wallet for a ZKP, get back yes or no, learn nothing else," then the entire architecture of the current US bills is solving the wrong problem. The bills were drafted when ZKP at this memory budget was not real. v0.9 changes that.
The Surveillance Risk Inside the Good Story
Zero-knowledge proofs remove the surveillance risk at the moment of the age check. They do not remove the surveillance risk at the moment of issuance, and they do not remove the risk that the wallet itself becomes the universal authenticator.
The EUDI Wallet is mandated by eIDAS 2.0 to be issued by the state. A user who wants to prove "over 18" to a website is, in practice, asking a government-issued wallet to vouch for them. The wallet knows the user's full identity. The website does not. The proof is "selective disclosure." But the issuer still holds the master record, and the issuer is the state.
That is a different surveillance posture than the US status quo, where age verification has been delegated to a long tail of private vendors (Yoti, AgeChecker.Net, dozens more) who each hold their own copy of the ID. The EU model consolidates trust in a single state-run issuer. The US model scatters it across hundreds of private databases. Neither is a clean privacy win.
The EFF's June 29 letter makes the consolidation argument more bluntly: device-level age-gating that forces every app to call a state-issued wallet would "effectively dismantle online anonymity," the letter reads [5]. ZKP makes the in-the-moment disclosure private, but the issuer-of-record problem does not disappear.
What to Watch
Three inflection points will determine whether Longfellow-style age assurance becomes the default or stays a Google-funded curiosity.
The Sparkasse pilot. The first production EU deployment out of Germany will tell the rest of the EU banking sector whether the cryptography holds up at scale. If a Sparkasse customer can prove "over 18" with a single tap and the verifier side runs cheaply, the rest of eIDAS implementation picks it up quickly.
Pritzker's veto window on HB 5511. Illinois is the first state to put a device-level age-gating bill modeled on AB 1043 and SAFE for Kids on the governor's desk in 2026. A veto would slow the copycat pipeline. A signature would accelerate it.
What "verifiable parental consent" actually means in practice. AB 1043, SAFE for Kids, and HB 5511 all rely on "verifiable parental consent" as the mechanism for under-13 access. If consent becomes another ZKP claim ("over 18" or "parent of a child under 13"), then the entire age-assurance architecture rides on whichever wallet the state or platform picks. If consent collapses into "upload the kid's birth certificate to a vendor," nothing has changed.
Longfellow v0.9 is a real engineering milestone. Whether it gets used in the way its proponents claim depends on whether state legislatures and EU member states pick the proof architecture or pick the ID-upload architecture. The bills being filed right now do not require them to choose. They should.
Sources
[1] GitHub: “Releases: google/longfellow-zk”
[2] GitHub: “google/longfellow-zk”
[3] Google: “Opening up ‘Zero-Knowledge Proof’ technology to promote privacy in age assurance” (July 3, 2025)
[4] State of Surveillance: “Age Gates Are Surveillance Gates” (Jan 27, 2026)
[5] EFF Deeplinks: “EFF to Gov. Pritzker: Veto Illinois HB 5511” (June 29, 2026)
[6] State of Surveillance: “Age Gates Are Surveillance Gates” (Jan 27, 2026)