Selective disclosure is a core feature of self-sovereign identity architectures, implemented using cryptographic techniques like BBS+ signatures or CL signatures. It allows a user to satisfy a verifier's request for a specific attribute from a signed credential without exposing all other personal data bundled in that document. For example, a digital driver's license can prove a user is legally old enough to enter a venue by disclosing only the boolean result of an 'over-21' check, keeping the user's exact birthdate, address, and license number private.
Glossary
Selective Disclosure

What is Selective Disclosure?
Selective disclosure is a privacy-enhancing mechanism that allows the holder of a **verifiable credential** to reveal only a specific subset of the claims contained within it, or to prove a property of a claim (such as 'age > 21') without revealing the underlying raw data (e.g., the exact birthdate).
The mechanism relies on the issuer signing each individual claim within a credential separately, or using a signature scheme that supports zero-knowledge proofs. When a holder presents the credential, they generate a cryptographic proof that a specific claim was signed by the issuer without revealing the claim's raw value or other claims. This is fundamentally different from traditional attribute-based access control, which requires presenting the entire credential for inspection. The W3C Verifiable Credentials standard incorporates selective disclosure through derived predicates and zero-knowledge proofs, ensuring data minimization principles are cryptographically enforced rather than relying on the policy compliance of the verifier.
Key Features of Selective Disclosure
Selective disclosure transforms how verifiable credentials are shared, moving from an all-or-nothing paradigm to a granular, privacy-preserving model. These core features define its technical implementation.
Atomic Claim Revelation
The foundational capability to reveal only a specific subset of claims from a larger verifiable credential. A holder can present a credential containing ten attributes but disclose only the two required by a verifier.
- Mechanism: Achieved through W3C Verifiable Credential data model, where each claim is a discrete element in a JSON-LD document.
- Example: A digital driver's license credential contains name, address, birth date, and organ donor status. For age verification at a bar, the holder reveals only the
birth_dateclaim and a derivedage_over_21boolean, concealing the exact address and donor status. - Technical implementation: Uses JSON-LD framing to select specific fields for presentation, generating a derived credential that contains only the disclosed claims, still signed by the original issuer.
Zero-Knowledge Range Proofs
A cryptographic method that allows a holder to prove a claim satisfies a condition without revealing the claim's actual value. This is the mathematical backbone of predicate proofs.
- Mechanism: Uses Bulletproofs or zk-SNARKs to construct a proof that a secret value
xfalls within a specified range (e.g.,x > 21) without disclosingxitself. - Example: Proving
salary > $100,000for a loan application without revealing the exact salary figure. The verifier receives a cryptographic proof that validates the inequality against a signed commitment to the salary, not the salary itself. - Key distinction: Unlike atomic claim revelation, the underlying data is never transmitted. The verifier learns only the truth value of the predicate.
CL-Signatures & BBS+
Specialized signature schemes that enable the holder to derive a new, valid signature on a subset of signed messages without interacting with the original issuer.
- CL-Signatures (Camenisch-Lysyanskaya): Allow a signer to issue a signature on a block of messages. The holder can then generate a zero-knowledge proof of knowledge of a signature on a specific subset of those messages.
- BBS+ Signatures: An evolution of CL-signatures that supports multi-message signing and efficient proof generation. Standardized at IETF and W3C, BBS+ allows creating a single proof that reveals some messages while keeping others hidden, all verifiable against the issuer's public key.
- Practical impact: Enables unlinkable presentations. A verifier cannot correlate two separate disclosures from the same credential because each presentation generates a distinct, randomized proof.
Conditional Disclosure with Predicates
The ability to attach logical conditions to claim revelation, ensuring that sensitive data is only released when specific criteria are met by the verifier.
- Mechanism: Implemented through presentation definitions that specify
constraintsandrules. A holder's wallet evaluates these rules before constructing the presentation. - Example: A credential proving membership in a professional organization is only disclosed if the verifier presents a valid verifiable credential proving they are an accredited auditor. This creates a mutual authentication loop.
- Use case: Regulatory compliance where data can only be shared with entities possessing specific licenses or certifications, enforced cryptographically rather than through policy alone.
Holder Binding & Audience Restriction
Cryptographic mechanisms that bind a disclosed credential to a specific verifier and a specific transaction, preventing replay attacks and unauthorized forwarding.
- Mechanism: The holder's wallet generates a presentation that includes a nonce (a random number provided by the verifier) and the verifier's Decentralized Identifier (DID). The presentation is then signed by the holder's private key.
- Result: The resulting Verifiable Presentation is only valid for that specific verifier and that specific interaction. If a malicious actor intercepts the presentation, it cannot be replayed to a different verifier because the audience DID and nonce will not match.
- Technical detail: This is enforced through the
proofsection of the Verifiable Presentation, which includeschallenge(the nonce) anddomain(the verifier's identifier) fields.
Schema-Based Selective Disclosure
The use of predefined, machine-readable schemas to declare which claims within a credential type are selectively disclosable and under what conditions.
- Mechanism: Credential schemas, often defined using JSON Schema and stored on a verifiable data registry (like a blockchain), explicitly mark fields as
selectivelyDisclosable: true. - Function: Issuers publish these schemas to inform holders and verifiers about the disclosure capabilities of a credential type before issuance. A verifier's software can automatically generate a proof request that respects these schema constraints.
- Example: A "Permanent Resident Card" schema defines
country_of_citizenshipas selectively disclosable, whilecard_serial_numberis not. The verifier's system reads this schema and constructs a request that only asks for the permitted fields.
Frequently Asked Questions
Clear, technical answers to the most common questions about how selective disclosure works to preserve privacy within verifiable credential ecosystems.
Selective disclosure is a privacy-enhancing cryptographic technique that allows the holder of a verifiable credential to reveal only a specific subset of the claims contained within it, rather than presenting the entire credential. This mechanism works by enabling the holder to generate a zero-knowledge proof or a derived credential that mathematically proves a subset of attributes satisfies a verifier's request without exposing the underlying raw data. For example, a digital driver's license credential containing name, address, date of birth, and license number can be presented to a bar to prove only that the holder's age is over 21, without revealing the actual birth date or home address. The core technologies enabling this include BBS+ signatures, Camenisch-Lysyanskaya (CL) signatures, and SD-JWT (Selective Disclosure for JSON Web Tokens). The verifier receives cryptographic assurance from the original issuer that the disclosed claims are authentic and untampered, even though the issuer is not contacted during the verification process. This fundamentally decouples the act of proving a qualification from the act of sharing all associated personal data.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Selective disclosure relies on a stack of complementary standards and techniques. These related concepts form the technical foundation for revealing only what is necessary from a verifiable credential.
BBS+ Signatures
A specific digital signature scheme that natively supports multi-message selective disclosure. A signer issues a signature over a set of messages; the holder can then derive a new, unlinkable proof that reveals only a subset of those messages. Key properties:
- Unlinkability: Derived proofs cannot be correlated
- Proof of possession: Holder proves knowledge of the issuer's signature
- Used in W3C Verifiable Credential Data Integrity proofs
Predicate Proof
A proof that a claim satisfies a condition without revealing the claim's value. Common predicates include:
- Range proofs: Prove
x > 18without revealingx - Set membership: Prove
country in {US, CA, UK}without revealing which one - Comparison: Prove
balance_A > balance_Bwithout revealing either Predicate proofs are a core building block of privacy-preserving selective disclosure.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us