COD-ssi: Enforcing Mutual Privacy for Credential Oblivious Disclosure in Self Sovereign Identity
Pith reviewed 2026-05-10 15:21 UTC · model grok-4.3
The pith
The COD-ssi framework uses oblivious pseudorandom functions to let verifiers select specific credential claims without the holder learning which ones were chosen.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
COD-ssi is a framework that leverages Oblivious Pseudorandom Functions to allow Verifiers to selectively access a subset of claims without revealing which specific claims were accessed to the credential Holder. The security of the solution is formally verified and its feasibility is assessed through the experimental evaluation of an open-source prototype implementation, showing that provable mutual privacy in SSI can be achieved with just moderate computational and communication overhead.
What carries the argument
The Claim Oblivious Disclosure for SSI (COD-ssi) protocol, which composes an Oblivious Pseudorandom Function to mask the verifier's claim selection from the holder.
Load-bearing premise
The underlying Oblivious Pseudorandom Function must deliver the required obliviousness property and the protocol must compose it correctly without introducing leaks under standard cryptographic assumptions.
What would settle it
An experiment or attack in which the credential holder can determine the verifier's chosen claims from the exchanged messages or outputs would falsify the mutual privacy guarantee.
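An added example (not code from the paper or its prototype) of the property such an experiment would test: in a 2HashDH-style OPRF over a toy group, the single blinded message the Holder receives can be explained by every claim name. Assumptions: the Holder plays the OPRF key holder and the Verifier the client; the group parameters, claim names and function names are constructed for illustration; how COD-ssi itself composes the OPRF is not described on this page.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2*Q + 1 is a safe prime, so the squares mod P form a group of prime order Q.
P, Q = 2039, 1019
CLAIMS = ["name", "birthDate", "income", "nationality"]  # constructed claim names

def hash_to_group(name: str) -> int:
    """H1: map a claim name to a non-identity element of the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)  # base in [2, P-2], squared into the subgroup

def blind(name: str):
    """Verifier: hide the chosen claim name behind a fresh random exponent r."""
    r = secrets.randbelow(Q - 1) + 1  # r in [1, Q-1]
    return r, pow(hash_to_group(name), r, P)

def evaluate(k: int, blinded: int) -> int:
    """Holder: apply the secret key k to whatever group element arrives."""
    return pow(blinded, k, P)

def finalize(name: str, r: int, evaluated: int) -> bytes:
    """Verifier: strip the blind, then H2(name, H1(name)^k) is the PRF output."""
    unblinded = pow(evaluated, pow(r, -1, Q), P)
    return hashlib.sha256(name.encode() + unblinded.to_bytes(2, "big")).digest()

def prf(k: int, name: str) -> bytes:
    """Holder-side direct evaluation of the same PRF (no blinding needed)."""
    return finalize(name, 1, evaluate(k, hash_to_group(name)))

def explaining_blinds(blinded: int, candidates):
    """For every candidate claim, brute-force the blind r that would have produced
    this exact message. Feasible only because the group is tiny."""
    return {
        name: next(r for r in range(1, Q) if pow(hash_to_group(name), r, P) == blinded)
        for name in candidates
    }

def demo():
    k = secrets.randbelow(Q - 1) + 1          # Holder's OPRF key
    chosen = "income"                         # Verifier's secret selection
    r, blinded = blind(chosen)                # Verifier -> Holder
    evaluated = evaluate(k, blinded)          # Holder -> Verifier
    matches = finalize(chosen, r, evaluated) == prf(k, chosen)
    return matches, blinded, explaining_blinds(blinded, CLAIMS)

if __name__ == "__main__":
    ok, blinded, blinds = demo()
    print("verifier output equals F_k(claim):", ok)
    print("holder saw", blinded, "which every claim can explain:", blinds)
```

Since a valid blind exists for each candidate claim, the blinded message alone gives the Holder nothing to distinguish the selection; any leak would have to come from other protocol messages or metadata.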
Original abstract
The Self-Sovereign Identity (SSI) paradigm is instrumental for decentralised identity management, allowing an entity to create, manage, and present their digital credentials without relying on centralised authorities. Credential selective disclosure is one of the most attractive privacy-preserving features of SSI, allowing users to reveal only the minimum necessary information from their credentials. However, current selective disclosure mechanisms primarily focus on protecting the privacy of credential Holders, while offering limited protection to the Verifiers of credentials. Indeed, the specific credential information requested by a Verifier can inadvertently reveal to credential Holders sensitive information, including internal decision-making criteria, business rules, or strategic plans. In this work, we address this threat by proposing, to the best of our knowledge, the first approach that enforces mutual privacy in credential exchanges. To this end, we introduce COD-ssi (Claim Oblivious Disclosure for SSI), a novel framework that leverages Oblivious Pseudorandom Functions to allow Verifiers to selectively access a subset of claims without revealing which specific claims were accessed to the credential Holder. The security of our solution is formally verified and its feasibility is assessed through the experimental evaluation of our open-source prototype implementation. These results show that provable mutual privacy in the context of SSI can be achieved with just moderate computational and communication overhead.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces COD-ssi, a framework that uses Oblivious Pseudorandom Functions (OPRFs) to enforce mutual privacy during credential selective disclosure in Self-Sovereign Identity (SSI) systems. Verifiers can obtain a chosen subset of claims while the selection remains hidden from the credential holder. The authors claim that security is formally verified under standard assumptions and demonstrate feasibility through experimental evaluation of an open-source prototype, reporting only moderate computational and communication overhead.
Significance. If the formal verification is sound and the prototype results are reproducible, the work would be significant for decentralized identity research. It addresses an asymmetry in existing SSI selective-disclosure schemes by protecting verifier privacy (business rules, decision criteria) in addition to holder privacy. Reliance on a well-studied OPRF primitive together with an open-source implementation and claimed formal verification are concrete strengths that support reproducibility and allow independent validation.
major comments (2)
- [§4] §4 (Security Analysis): The central claim of provable mutual privacy rests on formal verification, yet the security model (game-based vs. simulation-based), the exact theorem statement, and the reduction steps from the overall protocol to the underlying OPRF security are not provided. Without these details it is impossible to confirm that the OPRF obliviousness property is preserved through the credential encoding and presentation flow.
- [§5] §5 (Prototype Evaluation): The feasibility claim of 'moderate overhead' is load-bearing for practicality, but the abstract and high-level description supply no concrete metrics (latency, communication size, comparison baselines, or hardware platform). This leaves the experimental support for the central contribution only moderately substantiated.
minor comments (2)
- The abstract would be strengthened by a single sentence naming the security model and one or two key performance figures from the prototype.
- [§3] Notation for the OPRF inputs/outputs and the claim-selection vector could be introduced earlier with a small diagram to improve readability of the protocol description.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment below and will revise the paper to strengthen the presentation of both the security analysis and the experimental results.
Point-by-point responses
- Referee: [§4] §4 (Security Analysis): The central claim of provable mutual privacy rests on formal verification, yet the security model (game-based vs. simulation-based), the exact theorem statement, and the reduction steps from the overall protocol to the underlying OPRF security are not provided. Without these details it is impossible to confirm that the OPRF obliviousness property is preserved through the credential encoding and presentation flow.
  Authors: We agree that the current version of Section 4 does not provide a sufficiently detailed exposition of the security model, theorem statements, or reduction steps. In the revised manuscript we will expand this section to explicitly define the game-based security model, state the formal theorems, and provide the step-by-step reductions showing how the overall protocol security follows from the standard OPRF obliviousness assumption while preserving the claim-oblivious property through the credential encoding and presentation flow.
  revision: yes
- Referee: [§5] §5 (Prototype Evaluation): The feasibility claim of 'moderate overhead' is load-bearing for practicality, but the abstract and high-level description supply no concrete metrics (latency, communication size, comparison baselines, or hardware platform). This leaves the experimental support for the central contribution only moderately substantiated.
  Authors: Section 5 of the manuscript already reports concrete experimental metrics, including latency, communication sizes, hardware platform details, and baseline comparisons. To address the referee's concern about the high-level presentation, we will revise the abstract and introduction to include a concise summary of these key numerical results and the evaluation setup, thereby making the feasibility claims more immediately substantiated.
  revision: partial
Circularity Check
No significant circularity; construction relies on external OPRF primitive
The paper's central construction introduces COD-ssi by composing an established Oblivious Pseudorandom Function primitive with credential presentation flows to achieve mutual privacy. Security is claimed via formal verification under standard cryptographic assumptions on the OPRF, and feasibility is shown via prototype experiments. No derivation step reduces by construction to a fitted parameter, self-defined quantity, or load-bearing self-citation chain; the OPRF obliviousness property is treated as an independent external building block rather than derived internally. The argument is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Oblivious Pseudorandom Functions provide the required obliviousness under standard cryptographic assumptions
invented entities (1)
- COD-ssi protocol: no independent evidence