ETSI TR 119 476 V1.2.1 (2024-07)

TECHNICAL REPORT
Electronic Signatures and Trust Infrastructures (ESI);
Analysis of selective disclosure and zero-knowledge proofs
applied to Electronic Attestation of Attributes

2 ETSI TR 119 476 V1.2.1 (2024-07)

Reference
RTR/ESI-0019476v121
Keywords
identity, trust services
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
https://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2024.
All rights reserved.
ETSI
3 ETSI TR 119 476 V1.2.1 (2024-07)
Contents
Intellectual Property Rights . 7
Foreword . 7
Modal verbs terminology . 7
Executive summary . 7
Introduction . 10
1 Scope . 19
2 References . 19
2.1 Normative references . 19
2.2 Informative references . 20
3 Definition of terms, symbols and abbreviations . 28
3.1 Terms . 28
3.2 Symbols . 31
3.3 Abbreviations . 31
4 Selective disclosure signature schemes . 34
4.1 General . 34
4.2 Atomic (Q)EAAs schemes . 34
4.3 Multi-message signature schemes . 35
4.3.1 The BBS+ signature scheme . 35
4.3.1.1 Background: Boneh-Boyen-Shacham (BBS04) signature scheme . 35
4.3.1.2 Introducing the BBS+ signature scheme . 36
4.3.1.3 Overview of BBS+ . 36
4.3.1.4 IETF CFRG BBS specification . 37
4.3.1.5 Cryptographic analysis of the BBS+ signature scheme . 37
4.3.2 Camenisch-Lysyanskaya (CL) signatures . 37
4.3.2.1 Introduction to CL-signatures . 37
4.3.2.2 The CL-signature scheme . 38
4.3.2.3 The CL-signature scheme and selective disclosure . 38
4.3.2.4 The CL-signature scheme, predicates, and knowledge proofs . 39
4.3.2.5 Cryptographic analysis of the CL-signature scheme . 39
4.3.3 Mercurial signatures . 39
4.3.4 Pointcheval-Sanders Multi-Signatures (PS-MS). 40
4.3.5 ISO standardisation of multi-message signature schemes . 41
4.3.5.1 ISO/IEC 20008 - Anonymous digital signatures . 41
4.3.5.2 ISO/IEC PWI 24843 - Privacy-preserving attribute-based credentials . 41
4.3.5.3 ISO/IEC CD 27565 - Guidelines on privacy preservation based on ZKP . 41
4.3.6 Extensions of multi-messages signature schemes . 42
4.4 Salted attribute hashes . 42
4.4.1 Overview of salted attribute hashes . 42
4.4.2 Issuance phase . 43
4.4.3 Presentation and verification phase . 43
4.4.4 Salted attribute hashes and unlinkability . 44
4.4.4.1 General criteria of unlinkability for salted attribute hashes . 44
4.4.4.2 Hierarchical Deterministic Keys and blinded key proof of possession . 44
4.4.5 Cryptographic analysis . 47
4.4.6 Predicates based on computational inputs . 47
4.4.7 HashWires. 47
4.4.7.1 Introduction . 47
4.4.7.2 Using a hash chain for inequality tests . 48
4.4.7.3 Using multiple hash chains for inequality tests . 48
4.4.7.4 Protecting optimized HashWires with SD-JWT or MSO . 50
4.4.7.5 Less than or equal to and range proofs . 51
4.4.7.6 Cryptographic analysis of HashWires . 52
4.4.8 Authentic Chained Data Containers (ACDC) . 52
ETSI
4 ETSI TR 119 476 V1.2.1 (2024-07)
4.4.9 Gordian Envelopes . 54
4.5 Proofs for arithmetic circuits (programmable ZKPs) . 55
4.5.1 General . 55
4.5.2 zk-SNARKs . 55
4.5.2.1 Introduction to zk-SNARKs . 55
4.5.2.2 Trusted setup of zk-SNARKs . 56
4.5.2.3 Transparent setup zk-SNARKs . 57
4.5.2.4 Cryptography behind zk-SNARKs . 57
4.5.2.5 Implementations . 58
4.5.2.6 Cryptographic analysis . 59
5 (Q)EAA formats with selective disclosure . 59
5.1 General . 59
5.2 Atomic (Q)EAA formats . 60
5.2.1 Introduction to atomic (Q)EAA formats . 60
5.2.2 PKIX X.509 attribute certificate with atomic attribute . 60
5.2.3 W3C Verifiable Credential with atomic attribute . 60
5.3 Multi-message signature (Q)EAA formats . 61
5.3.1 W3C VC Data Model with ZKP . 61
5.3.2 W3C VC Data Integrity with BBS Cryptosuite . 62
5.3.2.1 W3C BBS Cryptosuite v2023 . 62
5.3.2.2 W3C VC Data Integrity with ISO standardized BBS04/BBS+ . 62
5.3.3 W3C Data Integrity ECDSA Cryptosuites v1.0 . 63
5.3.4 Hyperledger AnonCreds (format) . 63
5.3.5 Cryptographic analysis . 63
5.4 (Q)EAAs with salted attribute hashes . 63
5.4.1 General . 63
5.4.2 IETF SD-JWT . 64
5.4.3 ISO/IEC 18013-5 Mobile Security Object (MSO) . 64
5.5 JSON container formats . 65
5.5.1 IETF JSON WebProof (JWP) . 65
5.5.2 W3C JSON Web Proofs For Binary Merkle Trees . 65
6 Selective disclosure systems and protocols . 66
6.1 General . 66
6.2 Atomic attribute (Q)EAA presentation protocols . 66
6.2.1 PKIX X.509 attribute certificates with single attributes . 66
6.2.2 VC-FIDO for atomic (Q)EAAs . 67
6.3 Multi-message signature protocols and solutions . 68
6.3.1 Hyperledger AnonCreds (protocols) . 68
6.3.2 Direct Anonymous Attestation (DAA) used with TPMs . 68
6.4 Salted attribute hashes protocols . 69
6.4.1 OpenAttestation (Singapore's Smart Nation) . 69
6.5 Proofs for arithmetic circuits solutions . 69
6.5.1 Anonymous (Q)EAAs from programmable ZKPs and existing digital identities . 69
6.5.1.1 Overview . 69
6.5.1.2 Setup phase . 70
6.5.1.3 Issuance phase . 70
6.5.1.4 Proof phase . 70
6.5.2 Cinderella: zk-SNARKs to verify the validity of X.509 certificates . 71
6.5.3 zk-creds: zk-SNARKs used with ICAO passports . 71
6.5.4 Analysis of systems based on programmable ZKPs . 72
6.6 Anonymous attribute based credentials systems . 72
6.6.1 Idemix (Identity Mixer) . 72
6.6.2 U-Prove . 73
6.6.3 ISO/IEC 18370 (blind digital signatures) . 74
6.6.4 Keyed-Verification Anonymous Credentials (KVAC) . 75
6.7 ISO mobile driving license (ISO mDL) . 75
6.7.1 Introduction to ISO/IEC 18013-5 (ISO mDL) . 75
6.7.2 ISO/IEC 18013-5 (device retrieval flow) . 75
6.7.3 ISO/IEC 18013-5 (server retrieval flows) . 76
6.7.4 ISO/IEC 18013-7 (unattended flow) . 76
ETSI
5 ETSI TR 119 476 V1.2.1 (2024-07)
6.7.5 ISO/IEC 23220-4 (operational protocols) . 77
7 Implications of selective disclosure on standards for (Q)EAA/PID . 78
7.1 General implications. 78
7.2 Implications for ISO mDL with selective disclosure . 79
7.2.1 QTSP/PIDP issuing ISO mDL . 79
7.2.1.1 General . 79
7.2.1.2 Certificate profiles . 79
7.2.1.3 Trusted Lists . 80
7.2.1.4 Issuance of ISO mDLs . 80
7.2.1.5 Comparison with ETSI certificate profiles for Open Banking (PSD2) . 81
7.2.1.6 Mapping of ISO mDL and eIDAS2 terms . 82
7.2.2 EUDI Wallet mDL authentication key. 82
7.2.3 EUDI Wallet used with ISO mDL device retrieval flow . 82
7.2.3.1 Overview of the ISO mDL device retrieval flow . 82
7.2.3.2 Analysis of the ISO mDL device retrieval flow applied to eIDAS2 . 84
7.2.4 EUDI Wallet used with ISO mDL server retrieval flow . 84
7.2.4.1 Overview of the ISO mDL server retrieval flows . 84
7.2.4.2 ISO mDL flow initialization . 84
7.2.4.3 ISO mDL server retrieval flow initialization. 85
7.2.4.4 ISO mDL server retrieval WebAPI flow . 86
7.2.4.5 Analysis of the ISO mDL server retrieval WebAPI flow applied to eIDAS2 . 87
7.2.4.6 ISO mDL server retrieval OIDC flow . 88
7.2.4.7 Analysis of the ISO mDL OIDC server retrieval flow applied to eIDAS2 . 88
7.2.5 EUDI Wallets used with ISO/IEC 18013-7 for unattended flow . 89
7.2.5.1 Overview of the ISO/IEC 18013-7 flows . 89
7.2.5.2 ISO/IEC 18013-7 Device Retrieval flow . 89
7.2.5.3 ISO/IEC 18013-7 OID4VP/SIOP2 flow . 90
7.3 Implications for SD-JWT selective disclosure . 91
7.3.1 Background to W3C VCDM and SD-JWT . 91
7.3.2 A primer on W3C VCDM . 92
7.3.2.1 Overview of W3C Verifiable Credential Data Model (VCDM) . 92
7.3.2.2 W3C VC, JSON-LD, data integrity proofs, and linked data signatures . 93
7.3.2.3 JWT based W3C VC . 94
7.3.2.4 SD-JWT based attestations . 95
7.3.2.5 Securing the W3C VC payload using SD-JWT . 97
7.3.2.6 Using SD-JWT VC only . 100
7.3.2.7 SD-JWT and multi-show unlinkable disclosures . 100
7.3.2.8 Predicates in SD-JWT . 101
7.3.3 Analysis of using SD-JWT as (Q)EAA format applied to eIDAS2 . 101
7.4 Feasibility of BBS+ applied to eIDAS2 . 102
7.4.1 General . 102
7.4.2 Standardization of BBS+ . 102
7.4.3 Feasibility of using BBS+ with W3C VCDM . 103
7.4.4 Post-quantum considerations for BBS+ . 103
7.4.5 Conclusions of using BBS+ applied to eIDAS2 . 103
7.5 Feasibility of programmable ZKPs applied to eIDAS2 (Q)EAAs. 104
7.5.1 Background and existing solutions . 104
7.5.2 Extensions to EUDI Wallets, relying parties and protocols . 104
7.5.3 Conclusions of programmable ZKPs applied to eIDAS2 (Q)EAAs . 105
7.6 Secure storage of PID/(Q)EAA keys in EUDI Wallet . 106
8 Privacy aspects of revocation and validity checks . 106
8.1 Introduction to revocation and validity checks . 106
8.2 Online certificate status protocol (OCSP) . 107
8.3 Revocation lists . 107
8.4 Validity status lists . 108
8.5 Cryptographic accumulators . 109
8.6 Using programmable ZKP schemes for revocation checks . 109
8.7 Conclusions on validity status checks . 110
9 Post-quantum considerations - general remarks . 110
ETSI
6 ETSI TR 119 476 V1.2.1 (2024-07)
10 Conclusions . 112
Annex A: Comparison of selective disclosure mechanisms . 114
A.1 Selective disclosure signature schemes . 114
A.2 (Q)EAA formats with selective disclosure . 116
A.3 Selective disclosure systems and protocols . 117
A.4 zk-SNARK protocols . 118
Annex B: Code examples . 119
B.1 Hash chain code example . 119
B.2 HashWires for SD-JWT and MSO . 120
Annex C: Post-quantum safe zero-knowledge proofs and anonymous credentials. 121
C.1 General . 121
C.2 Quantum physics applied on ZKP schemes . 121
C.2.1 Background . 121
C.2.2 Quantum key distribution (QKD) . 121
C.2.3 Quantum physics applied to the graph 3-colouring ZKP scheme . 122
C.2.4 ZKP using the quantum Internet (based on Schnorr's algorithm) . 123
C.2.5 Conclusions on quantum ZKP schemes . 124
C.3 Lattice-based anonymous credentials schemes . 124
C.3.1 Background . 124
C.3.2 Research on effective lattice-based anonymous credentials . 124
Annex D: Bibliography . 126
Annex E: Change history . 127
History . 128

ETSI
7 ETSI TR 119 476 V1.2.1 (2024-07)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the ®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Trust
Infrastructures (ESI).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The eIDAS2 regulation and the Architecture and Reference Framework (ARF) define regulatory requirements on
selective disclosure and unlinkability for the EUDI Wallet. The present document provides a general yet comprehensive
analysis of signature schemes, formats and protocols that cater for selective disclosure, unlinkability and predicates.
More specifically, the present document includes an analysis of how certain selective disclosure techniques can be
applied on eIDAS2 and the EUDI Wallet.
The term selective disclosure means that a user should be capable of presenting a subset of attributes from at least one,
but potentially multiple, (Qualified) Electronic Attestations of Attributes ((Q)EAAs). For example, a user should be
able to only present their birth date.
The term unlinkability means that different parties should not be able to connect the user's selectively disclosed
attributes beyond what is disclosed. There are different categories and degrees of unlinkability, and the present report
focuses both on verifier unlinkability and full unlinkability. Verifier unlinkable means that one or more verifiers cannot
collude to determine if the selectively disclosed attributes describe the same identity subject, whilst fully unlinkable
means that no party can collude to determine if the selectively disclosed attributes describe the same identity subject.
ETSI
8 ETSI TR 119 476 V1.2.1 (2024-07)
Predicate proofs are verifiable Boolean assertions (true or false) about attributes in a (Q)EAA without disclosing the
attribute value itself. For example, a user could derive a proof that they are above the age of 20 from their birthdate and
show only the proof as opposed to the birthdate itself. Predicate proofs are often employed in Zero-Knowledge Proof
(ZKP) systems aimed at limiting information disclosure.
The selective disclosure signature schemes described in the present report are divided in the following categories:
• Atomic (Q)EAA schemes. An atomic electronic attribute attestation is a (Q)EAA with a single attribute claim,
which can be issued by a (Q)TSP upon request or as part of a batch to an EUDI Wallet. The atomic (Q)EAAs
can be selected by the user and be included in a verifiable presentation that is presented to a verifier.
• Multi-message signature schemes. The category of multi-message signature schemes has the capability of
proving knowledge of a signature while selectively disclosing any subset of the signed messages. The
following schemes in this category are described: BBS/BBS+, Camenisch-Lysyanskaya (CL) signatures,
Mercurial signatures, and Pointcheval-Sanders Multi-Signatures (PS-MS). ISO/IEC have standardized parts of
BBS and PS-MS in ISO/IEC 20008 [i.143], and have taken the initiative to standardize BBS+ and PS-MS in
ISO/IEC PWI 24843 [i.144] and ISO/IEC CD 27565 [i.150]. Furthermore, there are cryptographic research
projects, such as MoniPoly, where undisclosed attributes have no impact on the proof size.
• Salted attribute hashes. The general concept of this category is to combine each attribute with a salt, hash the
combined values, and insert the resulting salted attribute hashes in a list that is signed. The user presents a
selection of attributes to the verifier, which can validate them against the list of salted attribute hashes. The
following schemes, based on salted attribute hashes, are described: HashWires, Authentic Chained Data
Containers (ACDC), and Gordian Envelopes.
• Proofs for arithmetic circuits (programmable ZKPs). This category of ZKP protocols enable the user to
prove to the verifier that a certain statement is true, without revealing any additional information beyond the
truth of the statement itself. The discussion of proofs for arithmetic circuits is focused on zk-SNARKs.
The present document also includes descriptions of (Q)EAA formats that can be used with selective disclosure. The
(Q)EAA formats are divided in the following categories:
• Atomic (Q)EAA formats. These (Q)EAA formats are based on the category of atomic (Q)EAA formats. The
following (Q)EAA formats in this category are described: PKIX X.509 attribute certificate with atomic
attribute and W3C Verifiable Credential with atomic attribute.
• Multi-message signature (Q)EAA formats. This category of (Q)EAA formats is based on the multi-message
signature schemes. Mainly W3C and Hyperledger have specified such formats to be used for privacy
preserving features. The following (Q)EAA formats in this category are described: W3C VC Data Model with
ZKP, W3C VC Data Integrity with BBS Cryptosuite, W3C Data Integrity ECDSA Cryptosuites v1.0, and
Hyperledger AnonCreds (format).
• (Q)EAAs with salted attribute hashes. This category of (Q)EAA formats is based on the concept of salted
attribute hashes. These (Q)EAA formats specify in detail how the attributes are combined with the random
salts and hashed, inserted in a list, which is signed. The following (Q)EAA formats of this category are
described: IETF SD-JWT and ISO/IEC 18013-5 [i.140] Mobile Security Object (MSO).
• JSON container formats. This category of generic JSON container formats allows for combining and
presenting a mix of selective disclosure signature schemes. The following JSON container formats are
described: IETF JSON WebProof (JWP) and W3C JSON Web Proofs For Binary Merkle Trees.
Furthermore, the present document describes systems and protocols with selective disclosure capabilities. The systems
and protocols are divided in the following categories:
• Atomic attribute (Q)EAA presentation protocols. This category of protocols is designed to present the
atomic attribute (Q)EAA formats. The atomic attribute (Q)EAAs may be issued on demand to the user, upon
request by a verifier. The following protocols in this category are described: PKIX X.509 attribute certificates
with single attributes and VC-FIDO for atomic (Q)EAAs.
• Multi-message signature protocols and solutions. This category of protocols is based on the multi-message
signature schemes, such as BBS+ and CL-signatures, and are used to present selected attributes of the
(Q)EAAs. The following protocols and solutions in this category are described: Hyperledger AnonCreds
(protocols) and Direct Anonymous Attestation (DAA) used with Trusted Platform Modules (TPMs); the TPMs
have been deployed in personal computers at a large scale.
ETSI
9 ETSI TR 119 476 V1.2.1 (2024-07)
• Salted attribute hashes protocols. These solutions and protocols are designed to present selectively disclosed
attributes based on salted attribute hashes. The OpenAttestation solution of Singapore's Smart Nation is
described in the present report. Furthermore, ISO mDL MSOs can be shared over the proximity protocols
described in ISO/IEC 18013-5 [i.140] or over the Internet by using ISO/IEC 23220-4 [i.146]. The SD-JWTs
can be presented with different protocols, such as OID4VP (OpenID for Verifiable Presentations),
ISO 18013-7 [i.141] or ISO/IEC 23220-4 [i.146].
• Solutions based on proofs for arithmetic circuits (programmable ZKPs). The solutions that are based on
proofs for arithmetic circuits intend to use ZKP schemes such as zk-SNARK to facilitate data-minimizing
verifiable presentations based on existing digital identity infrastructures. In particular, they can provide
selective disclosure, unlinkability, and predicates. The projects Cinderella (zk-SNARKs used with X.509
certificates) and zk-creds (zk-SNARKs used with ICAO passports) are described in the present document.
• Anonymous attribute based credentials systems. These solutions are implementations of existing multi-
message signature schemes such as CL-signatures or BBS+, with the purpose to present anonymous
credentials ((Q)EAAs) to a verifier. The following solutions in this category are described: Idemix (Identity
Mixer), U-Prove, ISO/IEC 18370 [i.142] (blind digital signatures), and Keyed-Verification Anonymous
Credentials (KVAC).
• ISO mobile driving license (ISO mDL). The ISO mDL standard specifies various flows for selective
disclosure of attributes. In the present document, the following ISO mDL flows are described:
ISO/IEC 18013-5 [i.140] (device retrieval flow), ISO/IEC 18013-5 [i.140] (server retrieval flows),
ISO/IEC 18013-7 [i.141] (unattended flow) and ISO/IEC 23220-4 [i.146] (operational protocols).
The ARF proposes two protection mechanisms for the PID, which support selective disclosure but not unlinkability
(unless batch issued):
• ISO/IEC 18013-5 [i.140] (ISO mDL). The ISO mDL mdoc contains all attributes of a user, whilst the ISO
mDL MSO contains the corresponding hashed salted attributes.
• A JWT encoding of the W3C Verifiable Credentials Data Model v1.1 in conjunction with IETF SD-JWT. The
JWT contains the user attributes, whilst the SD-JWT contains the corresponding hashed salted attributes.
The present document includes an extensive analysis of ISO mDL MSO and SD-JWT and how the formats comply with
the eIDAS2 requirements on selective disclosure and unlinkability.
The ISO mDL MSO and the S
...