Key Participants

Issuer: Creates the ACDC with a selectively disclosable attribute section, computing the cryptographic aggregator over all attributes and signing the compact form

Holder/Discloser: Controls which attributes to reveal in each presentation, maintaining custody of the full credential while presenting selective views

Verifier/Disclosee: Receives selectively disclosed attributes and validates both the revealed attributes and the cryptographic commitment to undisclosed attributes

Process Flow

Step 1: Credential Issuance with Selective Disclosure Structure

The issuer creates an ACDC with an Attribute Aggregate section (A field) designed for selective disclosure:

{
  "v": "ACDC10JSON00011c_",
  "d": "EAdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
  "i": "did:keri:EBkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
  "s": "ED6jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
  "A": [
    {
      "d": "ELGgI0fkloqKWREXgqUfgS0bJybP1LChxCO3sqPSFHCj",
      "u": "0ABghkDaG7OY1wjaDAE0qHcg",
      "i": "did:keri:EpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDI"
    },
    {
      "d": "EKWREXgqUfgS0bJybP1LChxCO3sqPSFHCjLGgI0fkloq",
      "u": "0AE0qHcgBghkDaG7OY1wjaDA",
      "i": "did:keri:E66jpf3uFv7vklXKhzBrAqjsKAn2EDIpZfFk"
    }
  ]
}

Each element in the A array represents a blinded attribute block with:

• d: SAID of the attribute block (serves as cryptographic commitment)
• u: High-entropy UUID for rainbow table attack resistance
• i: Optional attribute-specific identifier

Step 2: Cryptographic Aggregator Computation

The issuer computes a cryptographic aggregator over all attribute block SAIDs. This aggregator is not an accumulator (as explicitly noted in Document 1)—it uses a different cryptographic primitive that requires all field maps to be disclosed in either blinded or published form.

The aggregator creates a cryptographic commitment that binds:

• The complete set of selectively disclosable attributes
• The order and structure of attribute blocks
• The issuer's signature to all attributes (disclosed or not)

Step 3: Compact Form Signing

The issuer signs the compact ACDC where the A field contains only the SAIDs of attribute blocks:

{
  "v": "ACDC10JSON00011c_",
  "d": "EAdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
  "i": "did:keri:EBkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
  "s": "ED6jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
  "A": "ELGgI0fkloqKWREXgqUfgS0bJybP1LChxCO3sqPSFHCj"
}

This signature cryptographically commits to all attributes through the aggregator mechanism, even though individual attribute values are not visible in the compact form.

Step 4: Selective Attribute Disclosure Decision

When presenting the credential, the holder decides which attributes to disclose based on:

• Verifier requirements specified in the presentation request
• Privacy preferences and risk assessment
• Contextual appropriateness of each attribute
• Legal or contractual obligations

Critically, all attribute blocks must be disclosed—either in blinded form (SAID only) or published form (full attribute data). This is a fundamental requirement of the aggregator-based approach.

Step 5: Presentation Construction

The holder constructs a presentation with:

Disclosed attributes: Full attribute blocks with all field maps revealed

{
  "d": "ELGgI0fkloqKWREXgqUfgS0bJybP1LChxCO3sqPSFHCj",
  "u": "0ABghkDaG7OY1wjaDAE0qHcg",
  "i": "did:keri:EpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDI",
  "legalName": "Alice Smith",
  "birthDate": "1990-01-15",
  "nationality": "US"
}

Blinded attributes: Only the SAID commitment without revealing content

{
  "d": "EKWREXgqUfgS0bJybP1LChxCO3sqPSFHCjLGgI0fkloq"
}

Step 6: Verification Process

The verifier performs multiple validation steps:

1. Signature Verification: Validates the issuer's signature on the compact ACDC
2. SAID Verification: Recomputes SAIDs of disclosed attribute blocks and confirms they match the committed SAIDs
3. Aggregator Verification: Validates that the set of disclosed and blinded SAIDs matches the aggregator commitment
4. Schema Validation: Ensures disclosed attributes conform to the credential schema
5. Issuer Trust: Validates the issuer's AID against trusted issuer registries

Technical Requirements

Cryptographic Requirements

Aggregator Primitive: The selective disclosure mechanism uses a cryptographic aggregator (explicitly distinguished from accumulators in the specification). The aggregator must:

• Provide cryptographic binding of all attribute SAIDs
• Enable verification of the complete set without revealing individual attributes
• Support efficient proof generation for disclosed attributes
• Resist collision attacks on the aggregation function

SAID Computation: Each attribute block must have a properly computed SAID that:

• Uses a cryptographically strong hash function (typically Blake3-256)
• Includes the UUID field for rainbow table resistance
• Maintains deterministic serialization for reproducible computation
• Embeds the SAID self-referentially within the attribute block

UUID Entropy: Each selectively disclosable attribute block requires a high-entropy UUID (≥128 bits) to prevent rainbow table attacks. Without sufficient entropy, attackers could pre-compute SAIDs for common attribute values and correlate blinded attributes across presentations.

Structural Requirements

Complete Disclosure Mandate: A critical requirement distinguishing selective disclosure from other mechanisms is that all field maps must be disclosed in either blinded or published form. This means:

• The holder cannot omit attribute blocks entirely
• Every attribute in the selectively disclosable set must appear (as SAID or full content)
• The aggregator verification depends on the complete set being present

Field Map Granularity: Selective disclosure operates at the field map level, where each field map can be independently:

• Blinded: Represented by its SAID commitment
• Published: Revealed with full attribute data

This granularity enables fine-grained control compared to partial disclosure, which operates on nested branches with less flexibility.

Timing Considerations

Issuance Time Decisions: The issuer must decide at credential issuance which attributes will be selectively disclosable. This decision is encoded in the credential structure and cannot be changed post-issuance without re-issuing the credential.

Presentation Time Flexibility: The holder retains full flexibility at presentation time to choose which attributes to disclose, enabling dynamic privacy decisions based on:

• Current verification context
• Evolving trust relationships
• Changing privacy preferences
• Regulatory requirements

Verification Latency: Verifiers must perform cryptographic operations including:

• SAID recomputation for disclosed attributes
• Aggregator verification across all attributes
• Signature validation on the compact form

These operations introduce minimal latency (typically milliseconds) but must be considered in high-throughput verification scenarios.

Error Handling

Missing Attribute Blocks: If the presentation omits required attribute blocks (either blinded or published), verification fails because the aggregator cannot be validated against an incomplete set.

SAID Mismatches: If a disclosed attribute block's recomputed SAID doesn't match the committed SAID, verification fails, indicating either:

• Tampering with attribute values
• Incorrect SAID computation
• Serialization inconsistencies

Schema Violations: Disclosed attributes must conform to the credential schema. Schema violations indicate either:

• Malformed credential issuance
• Presentation construction errors
• Attempted attribute injection attacks

Usage Patterns

Typical Scenarios

Age Verification Without Birthdate Disclosure:

A credential contains selectively disclosable attributes including birthdate, legal name, and address. For age-restricted service access:

• Disclose: Age verification attribute ("over18": true)
• Blind: Exact birthdate, legal name, address
• Result: Verifier confirms age eligibility without learning unnecessary personal information

Employment Verification with Privacy:

An employment credential includes employer, position, salary, start date, and performance ratings:

• Disclose: Employer name, position title, employment dates
• Blind: Salary information, performance ratings
• Result: Background check verifier confirms employment history without accessing sensitive compensation data

Educational Credentials for Job Applications:

A degree credential contains institution, degree type, major, GPA, graduation date, and thesis title:

• Disclose: Institution, degree type, major, graduation date
• Blind: GPA, thesis title
• Result: Employer verifies educational qualifications without accessing academic performance details

Best Practices

Minimize Disclosed Attributes: Always disclose the minimum set of attributes required for the verification context. Over-disclosure increases correlation risk and violates data minimization principles.

Use Contextual Disclosure Strategies: Develop disclosure policies that adapt to verification context:

• Low-trust initial interactions: Minimal disclosure
• Established relationships: Progressive disclosure as trust builds
• High-stakes transactions: Full disclosure with contractually protected disclosure

Implement Disclosure Logging: Maintain audit logs of disclosure decisions including:

• Which attributes were disclosed
• To which verifiers
• Under what circumstances
• With what legal/contractual protections

Combine with Other Privacy Mechanisms: Selective disclosure works synergistically with:

• Graduated disclosure: Progressive revelation over time
• Chain-link confidentiality: Legal protections on disclosed data
• Contractually protected disclosure: Binding usage restrictions

Integration Considerations

IPEX Protocol Integration: Selective disclosure is implemented through the IPEX (Issuance and Presentation Exchange) protocol, which provides:

• Standardized presentation request formats
• Disclosure negotiation mechanisms
• Cryptographic proof attachment
• Multi-step disclosure workflows

Schema Design: Credential schemas must explicitly designate which attributes are selectively disclosable by structuring them in the A (Attribute Aggregate) section rather than the a (Attribute) section. This design decision is made at schema definition time and affects all credentials issued under that schema.

Wallet Implementation: Digital wallets implementing selective disclosure must:

• Parse selectively disclosable attribute structures
• Provide user interfaces for disclosure decisions
• Construct presentations with correct blinded/published attribute sets
• Maintain cryptographic integrity across disclosure operations

Verifier Systems: Verification systems must:

• Support aggregator-based verification algorithms
• Handle presentations with mixed blinded/published attributes
• Validate completeness of attribute sets
• Integrate with trust registries for issuer validation

Comparison with Partial Disclosure

Selective disclosure is explicitly described as the "more fine-grained" version compared to partial disclosure. Key differences:

Granularity:

• Selective disclosure: Attribute-level control within a set
• Partial disclosure: Branch-level control in nested structures

Cryptographic Foundation:

• Selective disclosure: Aggregator-based (not accumulator)
• Partial disclosure: Different cryptographic primitive

Disclosure Requirements:

• Selective disclosure: All field maps must be disclosed (blinded or published)
• Partial disclosure: Nested branches can be entirely omitted

Use Cases:

• Selective disclosure: Fine-grained attribute privacy within flat or shallow structures
• Partial disclosure: Hierarchical data with entire subtrees that may be hidden

Privacy Considerations

Correlation Resistance

Selective disclosure provides partial correlation resistance by limiting disclosed attributes. However, it does not eliminate correlation risk entirely:

Contextual Linkability: Even with selective disclosure, contextual linkability attacks can succeed if verifiers capture sufficient contextual metadata (location, time, device fingerprints) to correlate presentations.

Disclosed Attribute Correlation: Attributes that are disclosed become correlatable across presentations to the same or different verifiers. Unique or rare attribute combinations can serve as quasi-identifiers.

Blinded Attribute Inference: Statistical analysis of which attributes are blinded across multiple presentations may reveal information about the holder's privacy preferences or the nature of blinded attributes.

Mitigation Strategies

Combine with Contractual Protections: Use contractually protected disclosure to impose legal obligations on verifiers regarding data usage and correlation.

Vary Disclosure Patterns: Avoid predictable disclosure patterns that could enable behavioral profiling. Randomize disclosure decisions when multiple valid strategies exist.

Use Pairwise Identifiers: Present credentials using different AIDs to different verifiers to prevent identifier-based correlation.

Implement Disclosure Policies: Develop and enforce organizational policies governing when and how selective disclosure is used, balancing verification requirements with privacy protection.

Limitations and Trade-offs

Complete Set Requirement: The mandate to disclose all field maps (blinded or published) means selective disclosure cannot hide the existence of attributes, only their values. This structural information may itself be sensitive in some contexts.

Aggregator Overhead: The aggregator-based approach requires additional cryptographic computation compared to simpler disclosure mechanisms, though this overhead is typically negligible in practice.

Schema Rigidity: The decision about which attributes are selectively disclosable is made at schema design time and cannot be changed without schema versioning and credential re-issuance.

Verifier Complexity: Implementing aggregator-based verification is more complex than simple signature verification, requiring specialized cryptographic libraries and careful implementation to avoid vulnerabilities.

Future Directions

The selective disclosure mechanism in ACDC represents a pragmatic approach using "minimally sufficient means" (digests and signatures) rather than more complex zero-knowledge proof systems. This design choice prioritizes:

• Universal implementability across platforms
• Reduced cryptographic complexity
• Faster verification performance
• Broader ecosystem adoption

Future enhancements may include:

• Integration with zero-knowledge proof systems for stronger privacy
• Dynamic attribute set modification without re-issuance
• Advanced aggregator schemes with additional properties
• Standardized disclosure policy languages

Error Handling

• Validate attribute block structure before SAID computation
• Check for missing required fields (d, u) in disclosed blocks
• Verify UUID entropy meets minimum requirements
• Handle malformed presentations gracefully with clear error messages

Security Considerations

• Never log or persist disclosed attribute values without encryption
• Implement disclosure audit trails for compliance
• Validate issuer AIDs against trusted issuer registries
• Use secure channels (TLS 1.3+) for presentation transmission
• Implement rate limiting on verification endpoints to prevent DoS attacks

Interoperability

• Follow ACDC specification version indicated in the v field
• Support multiple serialization formats (JSON, CBOR, MGPK) as specified
• Implement CESR encoding for cryptographic primitives
• Ensure compatibility with IPEX protocol message formats