Selective disclosure is a privacy-enhancing technology that allows users to share only the minimum necessary information required for a service. In cross-border KYC, this means a user could prove they are over 18 and a resident of a permitted jurisdiction without revealing their exact birthdate, full address, or passport number. This shifts the paradigm from data collection to cryptographic proof of claims, reducing liability and attack surfaces for businesses while empowering user privacy. The core building blocks are Verifiable Credentials (VCs) and Zero-Knowledge Proofs (ZKPs), which enable these granular, attestable proofs.
LABS
Guides
How to Implement Selective Disclosure for Cross-Border KYC
This guide provides a step-by-step technical implementation for a cross-border KYC system using verifiable credentials and zero-knowledge proofs to share only necessary user attributes.
Chainscore © 2026
introduction
PRIVACY-PRESERVING COMPLIANCE
How to Implement Selective Disclosure for Cross-Border KYC
A technical guide to building KYC systems where users prove specific attributes without revealing their entire identity, using zero-knowledge proofs and verifiable credentials.
The implementation stack typically involves three roles: the Issuer (a trusted entity like a bank or government), the Holder (the end-user), and the Verifier (the service requiring KYC). The Issuer signs a VC containing the user's verified data. The Holder then generates a ZK-SNARK or ZK-STARK proof from this VC to satisfy the Verifier's policy. For example, using the circuits library in a framework like circom, you can write a circuit that proves a birthdate field is timestamped before a certain date without revealing the timestamp itself. The proof is verified on-chain or off-chain by the Verifier's smart contract or server.
A practical implementation for an "accredited investor" check might use the following flow. First, an SEC-registered entity issues a VC to a user with a signed claim: { "accredited": true, "issuanceDate": "2024-01-01", "expiry": "2025-01-01" }. The user stores this in a digital wallet. When accessing a DeFi platform, the platform's smart contract presents a verification request. The user's wallet generates a ZKP using a circuit that proves: 1) the credential is validly signed, 2) the accredited field is true, and 3) the current date is before the expiry. The proof is sent to the verifier contract, which checks it against the Issuer's public key, granting access without ever seeing the credential's full content.
Key technical considerations include schema design for credentials, revocation mechanisms like status lists or accumulators, and interoperability standards. The W3C Verifiable Credentials Data Model defines the credential format, while JSON-LD or JWT are common serializations. For revocation, a common pattern is for the Issuer to maintain a cryptographic accumulator (like a Merkle tree) of revoked credential IDs; the user's proof must also demonstrate their credential ID is not in this accumulator. Projects like iden3 and veramo provide open-source frameworks for building these systems.
For developers, start by defining the precise claims needed for your use case (e.g., age > 21, country NOT IN [OFAC list]). Use a ZKP toolkit like circom or snarkjs to build the arithmetic circuits for these predicates. Integrate a VC library such as veramo to handle credential issuance and storage. Finally, implement the verification logic in your application's backend or in a verifier smart contract on a chain like Ethereum or Polygon. Testing with local development networks and test credentials is crucial before mainnet deployment to ensure the proofs are sound and the user experience is seamless.
The future of cross-border compliance lies in portable, user-centric identity. Selective disclosure enables this by making KYC checks privacy-preserving and composable. A user can reuse a single credential from a trusted issuer across multiple services globally, each time disclosing only what's necessary. This reduces friction for users and operational cost for businesses, while aligning with emerging regulations like the EU's eIDAS 2.0 framework that recognizes qualified electronic attestations of attributes. The technical foundation is now robust enough for production systems demanding both compliance and user autonomy.
prerequisites
PREREQUISITES AND SYSTEM ARCHITECTURE
How to Implement Selective Disclosure for Cross-Border KYC
This guide outlines the technical foundation required to build a privacy-preserving KYC system using selective disclosure, enabling users to share verified credentials without exposing unnecessary personal data.
Selective disclosure is a core feature of Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs), allowing users to prove specific claims from a credential without revealing the entire document. For cross-border KYC, this means a user can prove they are over 18 and a resident of a specific jurisdiction, while keeping their exact birthdate and full address private. The W3C Verifiable Credentials Data Model provides the standard schema, while cryptographic techniques like BBS+ signatures or zk-SNARKs enable the zero-knowledge proofs that make selective disclosure possible. You'll need a foundational understanding of these standards and cryptography.
The system architecture typically involves four main components: the Issuer (a regulated entity like a bank that creates the original KYC credential), the Holder (the end-user's wallet that stores and manages credentials), the Verifier (the service requiring KYC, like a DeFi platform), and a Verifiable Data Registry (like a blockchain or decentralized network for storing DIDs and credential schemas). Trust is established through the issuer's cryptographic signature and the public DID recorded on the registry, not by a central database. This decentralized model is key for cross-border interoperability.
Before writing code, you must choose your tech stack. For the credential format, JSON-LD with BBS+ signatures offers selective disclosure natively, as seen in the W3C CCG's jsonld-signatures library. Alternatively, AnonCreds (used by Hyperledger Indy/Aries) is a mature, production-tested option. For the user's wallet, consider Veramo (TypeScript/JavaScript) or Aries Framework JavaScript for agent development. The verifiable data registry can be any blockchain supporting DIDs; Ethereum (with the did:ethr method), Polygon, or Sovereign networks like Cheqd are common choices for their public verifiability.
A critical prerequisite is defining the credential schema and Presentation Definition. The schema, published to a registry, specifies the attributes (e.g., birthDate, countryOfResidence, customerSince). The Presentation Definition, used by the verifier, is a machine-readable request stating exactly which claims are required and what proof type to use. For example, a verifier's definition might request proof that countryOfResidence is equal to "DE" and that age is greater than 21, using a BBS+ signature for derivation. Tools like Sphereon's Presentation Exchange library can help format these definitions.
Finally, ensure your environment is set up for secure key management. Issuers and holders must safeguard their private keys, which are used to sign and present credentials. For developers, start with test networks and libraries' CLI tools to issue and verify sample credentials. Review the Decentralized Identity Foundation specifications and the OpenID Connect for Verifiable Presentations (OIDC4VP) standard to understand how these components integrate with existing web authentication flows, which is often the endpoint for a cross-border KYC verification.
key-concepts-text
VERIFIABLE CREDENTIALS
How to Implement Selective Disclosure for Cross-Border KYC
Selective disclosure allows users to prove specific claims from a credential without revealing the entire document, a critical feature for privacy-preserving KYC.
Selective disclosure is a cryptographic technique that enables a user to share only the necessary information from a Verifiable Credential (VC). In a cross-border KYC context, this means a user could prove they are over 18 and a resident of a specific country without revealing their full name, date of birth, or address. This is achieved using zero-knowledge proofs (ZKPs) or BBS+ signatures, which allow for the creation of a derived proof that validates only the disclosed attributes. The W3C's Verifiable Credentials Data Model provides the standard framework for implementing this functionality.
Implementing selective disclosure typically involves a two-step process: issuance and presentation. First, an issuer (like a bank) creates a signed VC containing all the user's KYC data. This credential uses a cryptographic scheme that supports selective disclosure, such as JSON Web Tokens with BBS+ signatures (JWT-BBS) or AnonCreds. The user stores this credential in a digital wallet. When a verifier (like a DeFi platform) requests proof, the wallet uses a Presentation Exchange protocol to generate a Verifiable Presentation (VP) that includes only the required claims and a cryptographic proof of their validity.
For developers, libraries like Sphereon's SSI-SDK, Microsoft's Verifiable Credentials SDK, or Hyperledger Aries frameworks provide the tools to implement this flow. A basic code snippet for creating a selective disclosure request using the Presentation Exchange (PE) specification might look like this:
json{ "challenge": "a1b2c3d4", "presentation_definition": { "id": "kyc_age_check", "input_descriptors": [{ "id": "age_proof", "constraints": { "fields": [{ "path": ["$.credentialSubject.age"], "filter": {"type": "number", "minimum": 18} }] } }] } }
This definition asks the user to prove they have a credential where the age field is at least 18, without submitting the credential itself.
Key considerations for a production system include choosing the right cryptographic suite (BBS+ is a common choice for its selective disclosure capabilities), managing revocation status without compromising privacy (e.g., using revocation registries), and ensuring interoperability across different wallets and verifiers via standards like DIDComm and OpenID for Verifiable Credentials (OID4VC). The trust triangle between issuer, holder, and verifier must be established using Decentralized Identifiers (DIDs) and public key infrastructure.
The primary benefits for cross-border finance are significant: reduced data leakage, compliance with regulations like GDPR's data minimization principle, and improved user experience. A user can complete KYC once with a trusted issuer and then reuse those credentials across multiple jurisdictions and services, sharing only what's necessary for each transaction. This architecture forms the backbone of self-sovereign identity (SSI) and is being piloted in initiatives like the Travel Rule compliance solutions and DeFi onboarding protocols.
resource-links
KYC IMPLEMENTATION
Essential Tools and Libraries
These tools and standards are used in production systems to implement selective disclosure for cross-border KYC. Each card focuses on how developers can prove regulatory facts without exposing raw identity data.
TECHNICAL OVERVIEW
Comparison of Selective Disclosure Methods
A technical comparison of cryptographic and protocol-based methods for implementing selective disclosure in cross-border KYC processes.
| Feature / Metric | Zero-Knowledge Proofs (ZKPs) | Verifiable Credentials (VCs) | Commitment Schemes |
|---|---|---|---|
Cryptographic Foundation | zk-SNARKs, zk-STARKs | JSON-LD, BBS+ Signatures | Pedersen, Merkle Tree |
Data Minimization | |||
Proof Reusability | |||
Proof Generation Time | 2-5 sec | < 1 sec | < 100 ms |
Verification Time | 10-50 ms | 5-20 ms | < 5 ms |
Supports Complex Logic | |||
W3C Standardization | |||
Typical Use Case | Proving age > 21 | Sharing accredited investor status | Proving list membership |
step1-issue-vc
CORE CONCEPT
Step 1: Issuing a Verifiable Credential
This guide explains how to issue a W3C Verifiable Credential (VC) for a cross-border KYC process, establishing the foundational data structure for selective disclosure.
A Verifiable Credential (VC) is a tamper-evident digital document that encodes claims about a subject, such as a user's identity attributes. In a cross-border KYC context, this could include a user's full name, date of birth, nationality, and residential address. The VC is cryptographically signed by the issuer (e.g., a regulated financial institution) to prove its authenticity and integrity. The standard data model is defined by the World Wide Web Consortium (W3C), ensuring interoperability across different systems and jurisdictions.
The core components of a VC are the credential metadata, credential subject (the user's data), and the proof (the issuer's digital signature). When issuing, you package these elements into a JSON-LD document. For KYC, the credentialSubject object contains the sensitive PII. The proof is typically created using a decentralized identifier (DID) and associated cryptographic keys, binding the credential irrevocably to the issuer. This creates a portable, user-controlled credential that can be presented to verifiers like foreign banks.
Here is a simplified example of a KYC Verifiable Credential JSON structure before it is signed:
json{ "@context": ["https://www.w3.org/2018/credentials/v1"], "id": "https://bank.example/credentials/kyc/123", "type": ["VerifiableCredential", "KYCCredential"], "issuer": "did:example:issuer123", "issuanceDate": "2024-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:user456", "name": "Jane Doe", "birthDate": "1985-05-15", "nationality": "US", "address": { "street": "123 Main St", "city": "Anytown", "country": "USA" } } }
Note that this is the unsigned credential. The next step is to generate a cryptographic proof and add it to this object.
To issue the credential, you must sign it. Common signing suites include Ed25519Signature2020 or JsonWebSignature2020. Using a Decentralized Identifier (DID) and its associated private key, you create a digital signature over the entire credential data. This proof is appended to the JSON object, resulting in a complete, verifiable document. The user's wallet or agent then stores this signed VC. It's crucial that the issuance process occurs over a secure, authenticated channel, as the issuer is legally attesting to the accuracy of the enclosed data.
The issued VC now serves as the source document for all future selective disclosures. The user possesses a single, strong credential containing all their attested KYC data. In subsequent steps, they will not present this full credential. Instead, they will generate derived Verifiable Presentations (VPs) that reveal only the specific attributes required by a verifier, such as just their nationality and age bracket, while keeping their full address and birth date hidden. This issuance step creates the trusted root from which minimal disclosures can be cryptographically proven.
step2-select-disclose
IMPLEMENTATION
Step 2: Creating a Selective Disclosure Presentation
This guide explains how to construct a verifiable presentation that reveals only the specific claims required for a cross-border KYC check, using W3C Verifiable Credentials and BBS+ signatures.
A Selective Disclosure Presentation is a cryptographically verifiable data structure that allows a holder to prove they possess certain credentials while revealing only a subset of the contained claims. For cross-border KYC, this means you can prove you are over 18 and a resident of a specific country without exposing your full name, date of birth, or address. The core technology enabling this is BBS+ signatures (Boneh-Boyen-Shacham), a zero-knowledge-friendly signature scheme that supports deriving proofs for subsets of signed messages.
To create a presentation, you start with a signed Verifiable Credential (VC) from a trusted issuer, like a bank or government. This VC contains all your KYC attributes as individual claims within its credentialSubject. Using a client SDK like @mattrglobal/bbs-signatures or anoncreds-rs, you generate a Derived Proof. This process takes the original VC, the issuer's public key, and a disclosure frame specifying which claims to reveal (e.g., {"credentialSubject": {"isOver18": true, "countryOfResidence": "DE"}}). The SDK produces a new, valid verifiable presentation containing only the revealed claims and a cryptographic proof.
Here is a conceptual code snippet using a Node.js wrapper for BBS+ signatures:
javascriptconst { BbsSignatures } = require('@mattrglobal/bbs-signatures'); const bbs = new BbsSignatures(); // The holder creates a presentation from their full credential const presentation = await bbs.createProof({ messages: fullCredential.credentialSubjectArray, // All original claims proof: fullCredential.proofValue, // Original BBS+ signature publicKey: issuerPublicKey, revealed: [0, 2], // Indices of claims to reveal (e.g., isOver18, country) nonce: crypto.randomBytes(16) // Verifier-provided challenge }); // The `presentation` object now contains the derived proof and revealed messages.
The verifier can check this proof using only the issuer's public key and the revealed claims, without seeing the hidden data or needing to contact the issuer.
The disclosure frame is critical. It must be agreed upon by the verifier's policy (e.g., a DApp's requirements) and the holder's consent. In practice, the verifier sends a Presentation Definition using a standard like DIF Presentation Exchange, which specifies the required claim types and constraints. The holder's wallet uses this definition to build the correct disclosure frame, query its stored credentials, and generate the compliant presentation. This ensures interoperability.
For cross-border compliance, the presentation must also include cryptographic nonces and domain separation to prevent replay attacks. The verifying service (e.g., a DeFi protocol in another jurisdiction) provides a unique nonce for each session. The holder binds the presentation to this nonce, proving the data is fresh and not reused from a previous interaction. This satisfies regulatory requirements for proof of liveness and consent in financial transactions.
Finally, the verifier validates the presentation by verifying the BBS+ signature proof against the issuer's public key, checking the revealed claims match their policy, and confirming the nonce. Successful verification proves the claims are authentic, unaltered, and were issued by a trusted entity—all while maintaining the user's privacy. This architecture is foundational for projects like Cheqd's trusted data and AnonCreds, enabling portable, privacy-preserving identity across chains.
step3-verify-zk
IMPLEMENTATION GUIDE
Step 3: Verifying with ZK-SNARKs for Complex Logic
This section details how to use ZK-SNARKs to prove compliance with cross-border KYC rules without revealing the underlying user data.
Selective disclosure in a cross-border KYC context requires proving complex, multi-jurisdictional logic. A user might need to prove they are over 21, a resident of Country A, and have a verified identity document—all without revealing their exact age, address, or passport number. A ZK-SNARK circuit encodes this business logic. For example, the circuit takes private inputs (the user's actual data) and public inputs (the compliance thresholds) and outputs a single true or false proof of compliance. The verifier only sees the proof and the public statement ("user meets requirements"), never the sensitive inputs.
Implementing this requires a proving system like Circom or Halo2. You define the logical constraints within a circuit. For an age check, the circuit would confirm privateBirthdate < (currentDate - 21 years). For residency, it might verify a cryptographic commitment (like a Merkle proof) that the user's hashed address is in an approved list maintained by the KYC provider. The key is that all constraints must be satisfied simultaneously for the proof to generate. The resulting proof is small (a few kilobytes) and can be verified on-chain in milliseconds by a smart contract using a verifier contract, such as one generated by the snarkjs library for Circom.
The on-chain verification is the final step. The user's client (e.g., a wallet) generates the ZK-SNARK proof locally and submits it along with the public signals to a verifier contract on the destination blockchain. A typical function call might look like VerifierContract.verifyProof(proof, publicSignals). If valid, the contract can mint a verifiable credential (VC) or an access token for the user. This token, representing proven compliance, can then be used to access cross-border DeFi services or complete transactions. This architecture separates data custody (user-held) from compliance verification (on-chain), resolving the privacy vs. regulation conflict inherent in traditional KYC.
PRACTICAL FRAMEWORKS
Implementation Examples by Platform
Using Zero-Knowledge Proofs for KYC
On EVM chains like Ethereum, Polygon, and Arbitrum, ZK-SNARKs are the primary mechanism for selective disclosure. A user's full KYC credentials are verified off-chain by an issuer (e.g., a licensed entity), which generates a verifiable credential (VC). The user then creates a ZK proof that they possess a valid VC meeting specific criteria (e.g., "is over 18," "is accredited") without revealing the underlying data.
Common Implementation Stack:
- Circom for writing ZK circuits to define attestation logic.
- SnarkJS for proof generation and verification.
- Semaphore or Sismo for reusable identity and attestation frameworks.
- EIP-712 for signing structured data when submitting proofs on-chain.
The on-chain verifier is a lightweight smart contract that checks the proof. Gas costs are a key consideration, making L2s like Polygon zkEVM or Scroll optimal for deployment.
DEVELOPER FAQ
Frequently Asked Questions
Common technical questions and solutions for implementing selective disclosure in cross-border KYC using zero-knowledge proofs and verifiable credentials.
Selective disclosure is a privacy-preserving technique that allows a user to prove they possess certain verified information without revealing the underlying data. In cross-border KYC, it enables users to share only the specific credentials required by a service (e.g., proving they are over 18 or a resident of a specific country) while keeping the rest of their identity document private.
This is typically implemented using Verifiable Credentials (VCs) and Zero-Knowledge Proofs (ZKPs). A trusted issuer (like a bank or government) signs a credential containing the user's attributes. The user then generates a ZKP, such as a zk-SNARK or zk-STARK, to cryptographically prove statements about those attributes (e.g., age >= 18 is true) to a verifier, without revealing their exact birth date or the credential's full content. Protocols like Iden3 and Sismo use this model.
SELECTIVE DISCLOSURE
Common Implementation Mistakes
Selective disclosure for cross-border KYC allows users to prove specific claims (e.g., age > 18, residency) without revealing their full identity document. Common pitfalls arise from cryptographic misuse, data schema design, and verification logic.
This is often due to a mismatch in the verification key or circuit constraints. The verifier must use the exact proving key that corresponds to the circuit used to generate the proof. Common causes:
- Key Mismatch: Deploying an updated circuit without updating the verifier contract's verification key.
- Public Inputs Order: The order of public inputs (e.g.,
rootHash,currentTimestamp) passed to theverifyProoffunction must match the circuit's signal declaration order exactly. - Constraint Violation: The proof is for a different statement than the verifier checks (e.g., proof shows age > 18 but verifier checks for age > 21).
Fix: Use a deterministic key generation process and store circuit metadata (like the circom compiler version and component templates) alongside the verification key.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
Selective disclosure for cross-border KYC offers a privacy-preserving alternative to traditional data sharing. This guide has outlined the core principles and technical components.
Implementing selective disclosure requires a shift from monolithic data dumps to granular, verifiable claims. The core workflow involves an issuer (like a regulated entity) creating Verifiable Credentials (VCs) for a user's verified attributes. The user then generates a Zero-Knowledge Proof (ZKP) or uses BBS+ signatures to create a Verifiable Presentation (VP) that reveals only the necessary information—such as proving they are over 18 without disclosing their birth date—to a relying party, like a foreign exchange. This minimizes data exposure and reduces liability for all parties.
For developers, the next step is to choose and integrate a Decentralized Identifier (DID) and VC stack. Practical libraries include SpruceID's didkit for credential issuance and verification, Microsoft's Verifiable Credentials SDK for Azure integration, or @veramo/core for a flexible agent-based framework. A basic issuance flow in TypeScript using Veramo might look like:
typescriptconst credential = await agent.createVerifiableCredential({ credential: { issuer: { id: issuerDid }, credentialSubject: { id: userDid, kycStatus: 'verified', residencyCountry: 'US' } }, proofFormat: 'jwt' });
This creates a signed credential that the user holds in their digital wallet.
The relying party's verification logic is critical. You must check the credential's cryptographic signature, the issuer's DID against a trusted registry, and the proof's validity for the specific disclosed claim. For selective disclosure with BBS+ signatures, you would verify a derived proof rather than the full credential. Always implement revocation checks by querying the issuer's Status List 2021 or similar revocation registry to ensure the credential is still valid at the time of presentation.
Looking ahead, consider these advanced topics and next steps for production systems: Interoperability via the W3C VC Data Model, key management for users (e.g., using MPC wallets), and oracle integration for real-time data like sanction list checks. Monitor emerging standards like AnonCreds for ZKP-based credentials and PE-ODC for policy enforcement. For further learning, explore the Decentralized Identity Foundation's resources, the W3C VC Implementation Guidelines, and audit reports on implementations like cheqd's Trusted Data Framework.