The Proof Engine design ensures:
- Verifier learns only the statement outcome, never raw values.
- Merkle paths do not reveal other attributes (only needed leaves).
- No direct attribute identifiers are exposed unless needed by template.
- Different proofs can be unlinkable if:
- new nonces are used
- per-verifier pseudonyms are adopted (future extension).
- Templates prevent “over-broad queries” by design:
- verifiers can only request approved templates, not custom arbitrary math.