- The paper introduces COD-ssi, the first framework to preserve verifier privacy in SSI systems using oblivious pseudorandom functions and authenticated encryption.
- It integrates OPRFs with symmetric encryption to allow verifiers to access selected credential claims without revealing their selection to the holder.
- Experimental evaluations show practical efficiency with sub-100 ms verification times and linear scaling, making the approach viable for diverse SSI applications.
Ensuring Verifier Privacy in Self-Sovereign Identity: A Technical Analysis of COD-ssi
Introduction
Self-Sovereign Identity (SSI) architectures have established mechanisms for users (Holders) to selectively disclose verifiable credentials (VCs), allowing privacy-preserving sharing of identity data. However, nearly all practical and researched SSI selective disclosure schemes exclusively focus on Holder privacy while neglecting the privacy needs of Verifiers. The disclosure policies implemented by the Verifier—i.e., which subset of claims from a VC is actually accessed—often encode business secrets, risk models, or sensitive decision criteria. This paper, "COD-ssi: Enforcing Mutual Privacy for Credential Oblivious Disclosure in Self Sovereign Identity" (2604.10685), introduces the first framework to enforce mutual privacy in credential exchanges, fundamentally strengthening Verifier privacy in SSI ecosystems.
Motivation: Limitations of Current Selective Disclosure Approaches
Existing mechanisms allow Holders to reveal a controlled subset of claims, yet Verifiers are forced to openly request claim sets, thereby exposing confidential business logic. For example, in financial services, the requested risk indicators (e.g., debt-ratio or delinquency count) can leak risk models or classification logic to applicants. In research-oriented medical data access, the fields accessed might betray the researcher's current projects, undermining competitive advantage.
The core deficiency addressed by this paper is the absence of an SSI-compatible mechanism that enables Verifiers to retrieve arbitrary subsets of claims—bounded by the Holder's disclosure consent—without revealing to the Holder which claims are actually being accessed.
The COD-ssi Framework
Conceptual Workflow and Participants
COD-ssi (Claim Oblivious Disclosure for SSI) re-engineers the credential presentation protocol by integrating Oblivious Pseudorandom Function (OPRF) primitives with authenticated encryption, over standard selective-disclosure (SD) credential formats. The architecture isolates the following roles:
- Issuer: Issues standard hash-based SD verifiable credentials, cryptographically binding to (hashed) claims.
- Holder: Maintains credentials and prepares verifiable presentations (VPs), acting as an OPRF server.
- Verifier: Initiates claim-specific disclosure, acting as an OPRF client, but keeps the subset of accessed claims fully hidden.
The enhanced workflow is depicted in Figure 1.


Figure 1: End-to-end flow of credential issuance, presentation, and verification, contrasting classical, selective, and claim-oblivious (COD-ssi) disclosure.
The process proceeds as follows: Holders pre-commit to a set of claims (size N), out of which a Verifier may retrieve up to No​≪N. The Verifier's exact choice—i.e., which claims among the N are accessed—is cryptographically shielded from the Holder.
Oblivious Pseudorandom Function Core
At the cryptographic core is an application of OPRFs—specifically the 2Hash Diffie-Hellman (2HashDH) protocol (Figure 2).

Figure 2: The 2HashDH protocol for OPRF, used to derive per-claim encryption keys without leaking indices.
For each claim i, the Holder encrypts (vi​,ti​) using a key derived via OPRF from xi​=H(vi​∣∣ti​) under a presentation-specific session key. During claim retrieval, the Verifier engages in the OPRF protocol to recover only the decryption keys for the selected indices, without exposing the selection itself. The process can be executed adaptively or in batch mode, with mutual privacy retained.
Data and Encryption Flow
Each claim to be potentially disclosed is encrypted with AEAD (specifically AES-GCM), using nonces and binding the digest xi​ as associated data. Preprocessing, per-claim key derivation, and symmetric encryption dominate the overhead.
Security Model
The construction assumes:
- AEAD encryption is IND-CPA and INT-CTXT secure.
- OPRF (2HashDH) is UC-secure in the random oracle model (ROM).
- SHA-3 is used as the ROM commitment for selective disclosure.
- Each VP session employs a fresh OPRF master key for unlinkability.
- Session and replay protections are enforced at the protocol edge.
Security guarantees (formally defined) encompass:
- Confidentiality: Undisclosed claim ciphertexts are indistinguishable from random.
- Authenticity: Tampering of ciphertexts is detected due to AEAD.
- Obliviousness: The Holder cannot learn which claim keys the Verifier retrieves; the Verifier gains access only to explicitly selected claims.
- Issuer-verifiability: Consistency between disclosed claims and issuer-signed commitments.
Experimental Evaluation
An open-source JavaScript proof-of-concept was implemented and benchmarked across realistic parameters, varying n (number of claims per VC) up to 1024 and executing thousands of protocol runs per configuration.
Claim-Level Operations
Timings for claim hashing, verifying, encryption, decryption, and OPRF operations are summarized in Figure 3.
Figure 3: Per-claim computational statistics for core operations: hashing, verifying, encrypting, decrypting, and OPRF phases.
Encryption and OPRF client computations lie around 7.5 ms per claim; decryption and OPRF server response about 6 ms. This demonstrates reasonable efficiency even in scenarios with double to triple digit claim counts.
Presentation-Level Overhead
End-to-end creation and verification timing, as a function of claim count, is characterized in Figure 4; additional OPRF-mandated data overheads appear in Figure 5.
Figure 4: Creation and verification timings of VPs with respect to claim count; VP size scaling as the right axis.
Figure 5: Overhead from OPRF-encrypted claim data as the claim count grows; both timing and data size shown.
- VP creation and verification stay below 100 ms across the tested claim range.
- OPRF-encrypted data size dominates metadata footprint, but remains practical (few KB to ~1 MB for 1024 claims).
- Per-claim encryption/decryption is the main bottleneck but scales linearly.
Interactive Protocol Overheads
Statistics for the networked OPRF exchange are shown in Figure 6, demonstrating roughly symmetric request/response data and processing loads.
Figure 6: OPRF protocol batch interaction cost compared to reference (hash-based) SD schemes.
As a baseline, the classic (non-oblivious) hash-based selective disclosure approach is shown in Figure 7 for comparison.
Figure 7: Overhead of hash-based selective disclosure interaction for comparative purposes; lower computational cost at the expense of Verifier privacy.
COD-ssi introduces moderate computational and data overhead relative to classic SD (which involves trivial transmission of claim values and nonces), but these are justified by the privacy enhancement.
Theoretical and Practical Implications
Theoretical Impact
COD-ssi is the first protocol to realize Verifier-privacy-preserving selective disclosure in line with the data minimization ethos of GDPR, enabling Verifiers to comply with organizational policies and regulatory frameworks while avoiding leakage of profiling mechanisms and trade secrets. The OPRF-based construction achieves this without introducing expensive zero-knowledge proofs, leveraging well-established cryptographic assumptions.
One key limitation is susceptibility to malicious Holder behavior during VP creation: in the absence of binding proofs, a Holder could introduce selective-failure attacks if permitted to arbitrarily deviate, as discussed theoretically in the paper. Enforcing robust binding between claims and ciphertexts in the presence of malicious Holders requires further work, potentially harnessing zero-knowledge proofs.
Practical Impact
COD-ssi is deployable in existing SSI ecosystems relying on hash-based SD-JWT or similar mechanisms, requiring only protocol extensions at the Holder and Verifier ends; the Issuer role and credential encoding are unchanged.
Use cases include:
- Financial KYC and loan origination, hiding risk model structure from applicants.
- Biomedical research credential sharing, concealing research focus from data subjects.
- Any regulated environment where secret Verifier logic and data minimization must coexist.
The moderate (but manageable) increase in computation and communication overhead is acceptable for most real-world SSI applications given enhanced mutual privacy. For mobile and constrained platforms, further optimization and alternative OPRF primitives (including post-quantum variants) are possible future directions.
Future Research Directions
- Cryptographic binding of Holder-created ciphertexts (e.g., via efficient zero-knowledge proofs).
- Post-quantum secure OPRF implementations (leveraging e.g., the 2HashOPRF framework).
- Integration with encrypted credential schemes for offloading preprocessing to Issuers.
- Regulatory auditability of VP policies without Verifier policy leakage.
- Formalization of Verifier-privacy-preserving selective disclosure as a construction-agnostic cryptographic primitive.
Conclusion
COD-ssi fills a critical mutual-privacy gap within the SSI ecosystem by enabling Verifiers to select claims for disclosure without leaking policy or internal logic to Holders. The design is theoretically sound under standard cryptographic assumptions, practical for deployment, and efficient in benchmarked settings. This framework sets a new privacy standard for credential exchanges by protecting both participants and offers a platform for further advances in privacy-preserving decentralized identity infrastructure.