Selective disclosure is a cryptographic technique that enables a holder of a verifiable credential (VC) to prove specific claims from it without revealing the entire document. This is foundational for privacy-preserving compliance, allowing regulated entities like exchanges or banks to demonstrate they have performed KYC checks without exposing a user's full identity document. Core standards enabling this include the W3C Verifiable Credentials Data Model and cryptographic primitives like BBS+ signatures or zk-SNARKs, which allow for zero-knowledge proofs on signed data.
LABS
Guides
How to Implement Selective Disclosure for Regulatory Compliance
A technical guide for developers building fractional ownership platforms that need to share specific investor or asset data with regulators and auditors while preserving privacy.
Chainscore © 2026
introduction
GUIDE
How to Implement Selective Disclosure for Regulatory Compliance
Selective disclosure allows entities to share verifiable credentials while maintaining privacy, a critical feature for meeting regulations like GDPR, FATF Travel Rule, and MiCA.
Implementing selective disclosure typically involves a three-step architecture. First, an issuer (e.g., a licensed KYC provider) creates a VC containing multiple claims (name, date of birth, residency) and signs it. Second, the holder (the user) receives this VC into their digital wallet. Third, when a verifier (a regulated DeFi platform) requests proof of a specific claim—like "is this user over 18 and a resident of jurisdiction X?"—the holder's wallet generates a verifiable presentation. This presentation includes only the required claims, along with a cryptographic proof that they originate from the valid, unaltered issuer signature.
For developers, libraries like Veramo, Trinsic, and Sphereon's SSI-SDK provide abstractions for these flows. A basic example using Veramo in Node.js involves creating a credential with a BBS+ signature, then deriving a proof for selective disclosure. The key is separating the credential issuance logic from the presentation logic, ensuring the presentation is generated client-side by the holder's agent to maintain user sovereignty over their data.
Regulatory frameworks are increasingly acknowledging this model. The EU's eIDAS 2.0 regulation explicitly supports electronic attestations of attributes (EAA), a form of selective disclosure. For Travel Rule compliance (FATF Recommendation 16), solutions like TRP Labs or Sygnum's approach use selective disclosure to share only the mandated sender/receiver information between VASPs, rather than full transaction histories. This minimizes data leakage while fulfilling the legal obligation.
The main challenges in implementation include ensuring cryptographic agility to adapt to new signature schemes, managing revocation status for disclosed claims, and achieving interoperability across different VC formats and governance frameworks. Best practices involve using decentralized identifiers (DIDs) for issuers and verifiers, anchoring credential status to a blockchain or other immutable ledger, and conducting regular security audits of the proof-generation code to prevent replay or forging attacks.
prerequisites
PREREQUISITES
How to Implement Selective Disclosure for Regulatory Compliance
This guide outlines the technical and conceptual foundations required to build a system for selective disclosure of on-chain data to meet regulatory requirements like FATF's Travel Rule or MiCA.
Before implementing selective disclosure, you must understand the core cryptographic primitive: Zero-Knowledge Proofs (ZKPs). ZKPs, specifically zk-SNARKs or zk-STARKs, allow a prover (e.g., a wallet or exchange) to cryptographically verify a statement (e.g., "the sender is not on a sanctions list") to a verifier (e.g., a regulator) without revealing the underlying data. For selective disclosure, you'll need a ZKP system that supports private inputs and public outputs. Frameworks like Circom for SNARKs or Cairo for STARKs are common starting points. A basic understanding of circuit writing and proof generation/verification is essential.
Your system must integrate with a decentralized identity (DID) and verifiable credentials (VCs) framework. The W3C's DID specification provides a standard for creating self-sovereign identifiers, while VCs are tamper-evident claims that can be presented selectively. For blockchain compliance, you'll often use Ethereum's EIP-712 for typed structured data signing to create verifiable presentations. You need to decide on a DID method (e.g., did:ethr, did:key) and a VC data model. Libraries like Veramo or DIDKit provide essential tooling for creating, signing, and verifying DIDs and VCs in a Node.js or browser environment.
You require a secure and private data storage solution for the sensitive information that will be disclosed. The VC containing private user data (e.g., full name, address) should not be stored on a public blockchain. Options include encrypted decentralized storage like IPFS with Lit Protocol for access control, or client-side storage with user-held encrypted data vaults. You must architect a system where the user (or their wallet) controls the private data, and only the ZKP or a minimal, consented data slice is shared with the verifying party. Understanding key management for encryption and decryption is critical here.
To build a compliant flow, you must map the regulatory requirement to a provable circuit. For example, for the Travel Rule, you need to prove a transaction's value exceeds a threshold and that the sender's verified identity data matches a whitelist, without leaking the identity data or the exact amount. This involves designing a circuit with private inputs (user ID, tx amount) and public inputs (regulatory threshold, merkle root of the whitelist). You'll use a merkle tree to efficiently prove membership. Implement this circuit in your chosen ZK framework and host the verification key (e.g., on-chain) for others to verify proofs.
Finally, you need a verification infrastructure. This typically involves a smart contract (e.g., on Ethereum or a zkEVM chain like Polygon zkEVM) that holds the verification key for your ZKP circuit. When a regulated entity needs to verify compliance, they submit the proof to this contract. The contract's verify function checks the proof against the public inputs. You must also design off-chain components: an API for proof generation (which could be run by the user's wallet) and a service for verifiers to request and validate presentations. Ensure all components adhere to data minimization principles.
key-concepts-text
CORE TECHNICAL CONCEPTS
How to Implement Selective Disclosure for Regulatory Compliance
Selective disclosure allows users to prove specific claims from a credential without revealing the entire document, a critical feature for meeting privacy-preserving compliance requirements like GDPR, FATF Travel Rule, and KYC.
Selective disclosure is a cryptographic technique that enables a verifier to confirm the validity of specific attributes from a verifiable credential (VC) without accessing the full data set. This is essential for regulatory compliance, where proving age, jurisdiction, or accreditation is required, but sharing a full identity document is unnecessary and risky. Core methods include zero-knowledge proofs (ZKPs), BBS+ signatures, and CL signatures, which allow the credential holder to generate a proof that a signed statement contains certain true claims. For example, a user can prove they are over 21 from a driver's license VC without revealing their name, address, or exact birth date.
Implementing selective disclosure typically involves a three-step architecture: issuance, presentation, and verification. First, an issuer (e.g., a bank) creates a VC with BBS+ signatures, signing multiple attributes. The holder then uses a presentation request from a verifier (e.g., a DeFi platform) to create a verifiable presentation. Using libraries like @mattrglobal/bbs-signatures or anoncreds-rs, the holder generates a ZK proof that discloses only the required fields, such as "countryOfResidence": "UK" and "isAccreditedInvestor": true, while keeping all other data hidden. The verifier checks the proof against the issuer's public DID and the disclosed claims.
For developers, integration starts with choosing a W3C-compliant framework. Here's a simplified code snippet using the json-ld and vc-js libraries to create a selective disclosure presentation:
javascript// Pseudocode for generating a selective disclosure proof const { BbsBlsSignature2020 } = require('@mattrglobal/bbs-signatures'); const vc = await createVerifiableCredential({/*...issuance logic...*/}); // Derive a proof for specific disclosed fields const derivedProof = await BbsBlsSignature2020.deriveProof({ verifiableCredential: vc, frame: { '@context': vc['@context'], 'type': ['VerifiableCredential', 'ProofOfCompliance'], 'credentialSubject': { 'taxID': true, // Disclose this field 'isAccreditedInvestor': true // Disclose this field } } }); // The `derivedProof` hides all other credentialSubject properties
Key design considerations include schema design and revocation. Attributes must be structured atomically to allow independent disclosure. Use cryptographic accumulators or status lists (like W3C Status List 2021) for revocation without compromising privacy. Regulatory frameworks like the Travel Rule (FATF Recommendation 16) require disclosing sender/receiver info to VASPs while protecting other transaction details; selective disclosure proofs can satisfy this by revealing only the mandated fields from a broader transaction VC. Always audit the ZK circuit or signature scheme for security assumptions.
Real-world compliance use cases are driving adoption. A Sybil-resistant governance system might require proof of unique humanity (via a VC) without linking to a real-world identity. A licensed securities platform could verify investor accreditation status from an issuer's VC without seeing the user's net worth. The European Identity Framework (EBSI) uses selective disclosure for cross-border educational diplomas. When implementing, prioritize interoperability by adhering to W3C Verifiable Credentials Data Model v2.0 and DIF Presentation Exchange specifications to ensure compatibility across regulators and jurisdictions.
The future of compliant, privacy-first systems depends on robust selective disclosure. As regulations evolve, building on standards like BBS+ (draft IETF standard) and zk-SNARKs provides longevity. Developers should integrate with agent frameworks (Aries) and wallet SDKs to handle key management and proof generation client-side. The technical outcome is a system where users maintain data minimization by default, auditors receive cryptographic assurance, and applications meet complex compliance rules without becoming data silos.
implementation-methods
TECHNICAL GUIDE
Implementation Methods
Selective disclosure allows entities to prove specific claims without revealing the underlying data. This guide covers the primary cryptographic methods for implementing this in Web3 compliance.
TECHNICAL IMPLEMENTATION
Selective Disclosure Method Comparison
Comparison of cryptographic and smart contract methods for implementing selective disclosure in regulatory compliance.
| Feature / Metric | Zero-Knowledge Proofs (ZKPs) | Verifiable Credentials (VCs) | Smart Contract Access Control |
|---|---|---|---|
Cryptographic Basis | zk-SNARKs, zk-STARKs | JSON-LD, BBS+ Signatures | EVM, Solidity Access Lists |
Data Minimization | |||
Off-Chain Verification | |||
On-Chain Verification Cost | $5-50 per proof | $0.10-2 per credential | $0.01-0.5 per check |
Regulatory Audit Trail | |||
Revocation Mechanism | Proof of non-revocation | Status List / Registry | Contract state update |
Developer Complexity | High (specialized circuits) | Medium (W3C standards) | Low (familiar tooling) |
Example Protocol | zkSync Era, Polygon zkEVM | DIF, W3C Verifiable Credentials | OpenZeppelin AccessControl |
ARCHITECTURE PATTERNS
Implementation by Use Case
Selective Disclosure for KYC
Implementing selective disclosure for Know Your Customer (KYC) compliance allows users to prove specific identity attributes without exposing their full data. This is critical for DeFi platforms requiring jurisdictional compliance.
Common Implementation:
- Zero-Knowledge Proofs (ZKPs): Use ZK-SNARKs or ZK-STARKs to prove a user is over 18 or resides in a permitted country.
- Verifiable Credentials (VCs): Issue W3C-compliant credentials from a trusted issuer (e.g., a licensed KYC provider).
- On-Chain Verification: Store only the proof hash and issuer signature on-chain, keeping raw data off-chain.
Example Flow:
- User completes KYC with an issuer like Sphereon or Veramo.
- Issuer provides a signed VC containing claims (age, residency).
- User generates a ZK proof for a specific claim (e.g.,
age >= 18). - DApp verifies the proof on-chain via a verifier contract.
Key Consideration: The trust model shifts to the credential issuer. Ensure issuers are audited and their public keys are securely registered on-chain.
secure-gateway-architecture
TECHNICAL GUIDE
How to Implement Selective Disclosure for Regulatory Compliance
Selective disclosure allows users to prove specific claims from their credentials without revealing the entire document, a critical feature for privacy-preserving KYC/AML.
Selective disclosure is a cryptographic technique that enables a user to share only the necessary information from a verifiable credential (VC). Instead of submitting a full passport scan, a user could prove they are over 18 or a resident of a specific jurisdiction. This is achieved using zero-knowledge proofs (ZKPs) or BBS+ signatures, which allow a verifier to cryptographically confirm the truth of a statement without seeing the underlying data. For regulatory compliance, this balances the need for proof with the principle of data minimization mandated by frameworks like GDPR.
To implement this, you first need issuers to sign credentials with a selective disclosure-capable scheme. A common choice is the BBS+ signature scheme, standardized by the W3C for Linked Data Proofs. When a verifier (e.g., a DeFi platform) requests proof of residency, the user's wallet generates a derived proof from their signed VC. This proof contains only the disclosed attributes and a ZKP that the undisclosed attributes were validly signed. The verifier checks this proof against the issuer's public DID (Decentralized Identifier) on a registry like the ION network or Ethereum Name Service.
Here is a conceptual flow using the @mattrglobal/jsonld-signatures-bbs library for BBS+:
javascript// 1. Issuer signs a credential with a BBS+ proof const signedCredential = await bbs.sign(credential, { suite: new BbsBlsSignature2020({ key: issuerKey }), purpose: new AssertionProofPurpose() }); // 2. User creates a derived proof disclosing only 'countryOfResidence' const derivedProof = await bbs.createDisclosureProof({ document: signedCredential, disclosureFrame: { countryOfResidence: true }, suite: new BbsBlsSignatureProof2020() }); // 3. Verifier checks the derived proof const verified = await bbs.verifyProof(derivedProof, { suite: new BbsBlsSignatureProof2020(), purpose: new AssertionProofPurpose(), documentLoader: customLoader // Resolves issuer's DID public key });
For regulatory compliance, you must map disclosed claims to specific rules. A compliance engine should define policies like "requiresKYC: { minimumAge: 18, allowedJurisdictions: ['US', 'UK'] }". When a user presents a proof, the engine validates the cryptographic signature and then evaluates the disclosed data against these policies. Smart contracts on chains like Ethereum or Polygon can serve as non-custodial verifiers, granting access to a pool only if the proof passes. This creates a privacy-by-design architecture, reducing liability from storing sensitive PII.
Key challenges include ensuring interoperability between different VC formats and signature suites, and managing revocation. Implementations should support the StatusList2021 standard for checking credential status without revealing the user's identity. Furthermore, the issuer's DID and public key must be trusted and accessible. For production systems, consider using verifiable data registries and DID resolvers compliant with W3C standards to maintain a decentralized and auditable trust framework.
In practice, platforms like Ontology and Sovrin offer SDKs for selective disclosure, while Polygon ID provides an integrated toolkit using Circom ZK circuits. The end result is a user flow where compliance is proven with minimal data exposure, audits are cryptographically verifiable, and the system adheres to regulations like Travel Rule (FATF) and eIDAS in the EU. Start by prototyping with a test credential from a trusted issuer and a simple verification policy to understand the proof generation and validation lifecycle.
SELECTIVE DISCLOSURE
Frequently Asked Questions
Common technical questions and solutions for implementing selective disclosure in Web3 applications for regulatory compliance.
Selective disclosure is a cryptographic technique that allows a user to prove a specific claim about their data without revealing the underlying data itself. It's essential for regulatory compliance (like GDPR, FATF Travel Rule) because it enables applications to verify user eligibility (e.g., age, jurisdiction, accredited investor status) while preserving user privacy and minimizing data liability.
Instead of submitting a full passport, a user can generate a Zero-Knowledge Proof (ZKP) that cryptographically attests they are over 18 and a resident of a permitted country. The verifier (a dApp or protocol) can trust this proof without ever seeing the user's birth date or passport number. This aligns with data minimization principles and reduces the attack surface associated with storing sensitive Personally Identifiable Information (PII).
SELECTIVE DISCLOSURE
Common Implementation Mistakes
Selective disclosure is a core feature of verifiable credentials, allowing users to share only specific claims from a credential. However, implementation errors can compromise privacy, security, and regulatory compliance. This guide addresses frequent developer pitfalls.
This common error stems from improper derivation of the disclosed messages. When creating a BBS+ signature proof, you must cryptographically derive the disclosed messages from the original signed messages, not just copy the raw data. Using raw values allows a verifier to link the proof back to the original credential's signature, breaking unlinkability.
How to fix it:
- Use the correct proof generation algorithm from the BBS+ RFC.
- Ensure your SDK (e.g.,
@mattrglobal/bbs-signatures) is deriving disclosed messages via theProofGenfunction. - Never pass the original, signed claim values directly to the proof's
revealedMessagesfield.
javascript// Incorrect - using raw values const revealedMessages = [userCredential.claim.dateOfBirth]; // Correct - using derived disclosed messages from the proof generation process const { proof, disclosedMessages } = await bbs.proofGen({ messages: originalMessages, // All signed messages revealed: [2], // Index of the message to disclose // ... other params });
resource-links
IMPLEMENTATION GUIDE
Tools and Resources
Practical tools and standards developers use to implement selective disclosure for KYC, AML, and other regulatory requirements without exposing full user data.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
This guide has outlined the core principles and technical patterns for implementing selective disclosure using zero-knowledge proofs to meet regulatory requirements like KYC and AML.
Selective disclosure transforms compliance from a binary data dump into a privacy-preserving, cryptographic proof. By leveraging ZK-SNARKs or ZK-STARKs, systems can verify user attributes—such as age, jurisdiction, or accredited investor status—without exposing the underlying sensitive data. This approach minimizes data liability, enhances user trust, and aligns with regulations like GDPR's data minimization principle. The key is to architect your Verifiable Credentials and ZK circuits to prove specific predicates about private data.
For implementation, start by defining the precise compliance claims. For a decentralized exchange requiring proof of non-sanctioned jurisdiction, a circuit would verify a user's hashed country code is not on a prohibited list. Use libraries like circuitlib for Ethereum or noir for broader ecosystems to build these circuits. Integrate with an identity provider like Veramo or SpruceID to issue signed credentials. The verification contract, often a Verifier.sol, needs to be deployed on-chain to validate proofs submitted by users.
Next, consider the user flow. A typical pattern involves: 1) User obtains a verifiable credential from a trusted issuer off-chain. 2) User generates a ZK proof locally that they satisfy the rule (e.g., age >= 21). 3) User submits only the proof to the dApp's smart contract. The contract verifies the proof's validity and the issuer's signature, granting access if true. This keeps the user's exact birthdate private from both the dApp and the blockchain.
Future developments are focusing on standardization and interoperability. Initiatives like the W3C Verifiable Credentials Data Model and the Decentralized Identity Foundation (DIF) specifications are creating common formats. Look into zkPass for portable KYC proofs or Sismo for reusable ZK attestations. For scaling, explore validity rollups like zkSync or StarkNet which have native ZK verification for efficient, low-cost compliance checks.
Your next step is to prototype. Use a testnet and a development framework like Hardhat or Foundry. Begin with a simple circuit—proving a number is within a range—using circom and snarkjs. Experiment with on-chain verifiers. The goal is to move from a theoretical model to a working proof-of-concept that demonstrates a specific compliance use case without compromising user privacy.