BBS+ Signatures: Efficient Privacy-Preserving Credentials
- BBS+ signatures are pairing-based cryptographic schemes that enable efficient, privacy-preserving multi-attribute credential issuance with selective disclosure.
- They rely on bilinear pairings and the hardness of the discrete logarithm problem to generate verifiable signatures and non-interactive zero-knowledge proofs.
- BBS+ signatures offer practical performance with sub-millisecond issuance and optimized proof sizes, making them ideal for digital identity and eID systems.
BBS+ signatures are pairing-based cryptographic primitives enabling compact, efficient multi-attribute credentials with native support for privacy-preserving selective disclosure. Designed for verifiable credentials, the BBS+ scheme permits a credential holder to prove possession of a valid signature and certify revealed attributes without disclosing the complete signed message set. The cryptographic foundations rely on bilinear pairings and discrete log hardness, providing efficient protocols for credential issuance, verification, and non-interactive zero-knowledge proofs facilitating selective attribute release. BBS+ is established as a reference mechanism for digital credentials in privacy-oriented standards and open-source implementations, balancing unlinkability, performance, and cryptographic agility, but is not quantum-resistant (Flamini et al., 2024).
1. Algebraic Foundations and Key Generation
BBS+ signatures operate over three cyclic groups of prime order : , , and , equipped with an efficient, non-degenerate bilinear pairing
satisfying bilinearity and polynomial-time computability. Public parameters are fixed as , where are random generators in .
Key generation proceeds by sampling a secret key and setting the public key as 0, such that 1 and 2 (Flamini et al., 2024).
2. Signature Generation and Verification
Given messages (or attributes) 3, signing involves the following steps:
- Sample randomness 4.
- Compute the commitment
5
- Calculate
6
- Output the signature 7.
Verification, given 8 and the (revealed) attributes, uses the equation: 9 accepting if the equation is satisfied and 0.
3. Selective Disclosure via Non-Interactive Proofs of Knowledge
Selective disclosure allows a holder to reveal a subset 1 of signed attributes while proving the signature’s validity on the whole set. The holder generates a non-interactive zero-knowledge proof (NIZKP) of knowledge of a BBS+ signature using the Fiat–Shamir transform with a Sigma protocol for linear relations.
Key steps:
- The presentation proof involves re-randomizing signature elements (using fresh randomizers 2), constructing commitments, and deriving a Fiat–Shamir challenge.
- The proof convinces the verifier that all disclosed attributes are certified, and that hidden attributes complete the original signature, without leaking any additional information.
- Verification recomputes the challenge and checks pairing and commitment equations. Successful verification confirms knowledge of a valid BBS+ signature on all 3 attributes, with only the 4 disclosed.
This property makes BBS+ signatures suitable for privacy-preserving credential presentations in eID systems and digital wallets (Flamini et al., 2024).
4. Security Assumptions and Privacy Guarantees
Security of BBS+ signatures is based on discrete log and pairing hardness assumptions:
- Unforgeability reduces to the q-Strong Diffie–Hellman (q-SDH) problem in 5.
- Zero-knowledge is ensured in the honest-verifier setting under the random-oracle model, due to the simulability of the Fiat–Shamir transformed Sigma protocol.
- Unlinkability arises from signature and proof randomization: each selective disclosure presentation is statistically independent due to the fresh choice of randomizers, precluding correlation across distinct presentations.
- Quantum resistance: BBS+ signatures, relying on discrete logarithm assumptions, are not quantum-safe. Several lattice-based constructions (such as by Jeudy–Sanders and Bootle–Sanders) aim to address this but remain works in progress without standardization (Flamini et al., 2024).
5. Performance Characteristics and Implementation Trade-Offs
Empirical benchmarks targeting 128-bit security (using the BLS12-381 pairing-friendly curve and SHA-256) indicate:
| Object | Size | Computation Time (AMD Ryzen 7 5800X) |
|---|---|---|
| BBS+ signature (6) | 112 bytes | ~1 ms for issuance |
| Presentation proof | 7 B (33 attributes) | 1.65 ms (generation), 2.14 ms (verification) |
- Proof size scales with the number of hidden attributes, i.e., 8, so disclosing more attributes reduces bandwidth and CPU cost.
- Cost is linear in the number of hidden attributes.
- Threshold-issuance variants are supported, preserving existing proof and verification APIs.
- A trade-off exists between instantiating the scheme in 9 versus 0: 1 operations are cheaper and keys smaller.
- Sub-millisecond issuance and few-millisecond proof operations enable practical deployments in resource-constrained environments such as mobile devices (Flamini et al., 2024).
6. Comparisons, Applications, and Standardization
BBS+ signatures represent one of two principal classes of selective disclosure mechanisms for verifiable credentials, the other based on hiding commitments (e.g., mdl ISO/IEC 18013-5). BBS+ excels at supporting unlinkable, multi-attribute presentations with predicate proofs and admits threshold-issuance variants while maintaining strong privacy guarantees.
BBS+ has seen adoption in open-source Rust implementations, empirical studies, and regulatory-driven deployments such as eIDAS2 digital identity frameworks. Its efficiency, flexibility for selective disclosure, and unlinkability have driven its use as a reference construction in privacy-preserving verifiable credential standards. The lack of quantum resistance remains a research focus, with emerging but as-yet non-standardized lattice-based alternatives (Flamini et al., 2024).