Papers
Topics
Authors
Recent
Search
2000 character limit reached

BBS+ Signatures: Efficient Privacy-Preserving Credentials

Updated 3 July 2026
  • BBS+ signatures are pairing-based cryptographic schemes that enable efficient, privacy-preserving multi-attribute credential issuance with selective disclosure.
  • They rely on bilinear pairings and the hardness of the discrete logarithm problem to generate verifiable signatures and non-interactive zero-knowledge proofs.
  • BBS+ signatures offer practical performance with sub-millisecond issuance and optimized proof sizes, making them ideal for digital identity and eID systems.

BBS+ signatures are pairing-based cryptographic primitives enabling compact, efficient multi-attribute credentials with native support for privacy-preserving selective disclosure. Designed for verifiable credentials, the BBS+ scheme permits a credential holder to prove possession of a valid signature and certify revealed attributes without disclosing the complete signed message set. The cryptographic foundations rely on bilinear pairings and discrete log hardness, providing efficient protocols for credential issuance, verification, and non-interactive zero-knowledge proofs facilitating selective attribute release. BBS+ is established as a reference mechanism for digital credentials in privacy-oriented standards and open-source implementations, balancing unlinkability, performance, and cryptographic agility, but is not quantum-resistant (Flamini et al., 2024).

1. Algebraic Foundations and Key Generation

BBS+ signatures operate over three cyclic groups of prime order pp: G1=g1\mathbb{G}_1 = \langle g_1 \rangle, G2=g2\mathbb{G}_2 = \langle g_2 \rangle, and GT\mathbb{G}_T, equipped with an efficient, non-degenerate bilinear pairing

e:G1×G2GT,\mathbf{e}: \mathbb{G}_1 \times \mathbb{G}_2 \longrightarrow \mathbb{G}_T,

satisfying bilinearity e(g1a,g2b)=e(g1,g2)ab\mathbf{e}(g_1^a, g_2^b) = \mathbf{e}(g_1, g_2)^{ab} and polynomial-time computability. Public parameters are fixed as pp=(p,G1,g1,G2,g2,GT,e,h0,,hm)\mathsf{pp} = (p, \mathbb{G}_1, g_1, \mathbb{G}_2, g_2, \mathbb{G}_T, \mathbf{e}, h_0, \ldots, h_m), where h0,,hmh_0, \ldots, h_m are random generators in G1\mathbb{G}_1.

Key generation proceeds by sampling a secret key xZpx \leftarrow \mathbb{Z}_p^* and setting the public key as G1=g1\mathbb{G}_1 = \langle g_1 \rangle0, such that G1=g1\mathbb{G}_1 = \langle g_1 \rangle1 and G1=g1\mathbb{G}_1 = \langle g_1 \rangle2 (Flamini et al., 2024).

2. Signature Generation and Verification

Given messages (or attributes) G1=g1\mathbb{G}_1 = \langle g_1 \rangle3, signing involves the following steps:

  1. Sample randomness G1=g1\mathbb{G}_1 = \langle g_1 \rangle4.
  2. Compute the commitment

G1=g1\mathbb{G}_1 = \langle g_1 \rangle5

  1. Calculate

G1=g1\mathbb{G}_1 = \langle g_1 \rangle6

  1. Output the signature G1=g1\mathbb{G}_1 = \langle g_1 \rangle7.

Verification, given G1=g1\mathbb{G}_1 = \langle g_1 \rangle8 and the (revealed) attributes, uses the equation: G1=g1\mathbb{G}_1 = \langle g_1 \rangle9 accepting if the equation is satisfied and G2=g2\mathbb{G}_2 = \langle g_2 \rangle0.

3. Selective Disclosure via Non-Interactive Proofs of Knowledge

Selective disclosure allows a holder to reveal a subset G2=g2\mathbb{G}_2 = \langle g_2 \rangle1 of signed attributes while proving the signature’s validity on the whole set. The holder generates a non-interactive zero-knowledge proof (NIZKP) of knowledge of a BBS+ signature using the Fiat–Shamir transform with a Sigma protocol for linear relations.

Key steps:

  • The presentation proof involves re-randomizing signature elements (using fresh randomizers G2=g2\mathbb{G}_2 = \langle g_2 \rangle2), constructing commitments, and deriving a Fiat–Shamir challenge.
  • The proof convinces the verifier that all disclosed attributes are certified, and that hidden attributes complete the original signature, without leaking any additional information.
  • Verification recomputes the challenge and checks pairing and commitment equations. Successful verification confirms knowledge of a valid BBS+ signature on all G2=g2\mathbb{G}_2 = \langle g_2 \rangle3 attributes, with only the G2=g2\mathbb{G}_2 = \langle g_2 \rangle4 disclosed.

This property makes BBS+ signatures suitable for privacy-preserving credential presentations in eID systems and digital wallets (Flamini et al., 2024).

4. Security Assumptions and Privacy Guarantees

Security of BBS+ signatures is based on discrete log and pairing hardness assumptions:

  • Unforgeability reduces to the q-Strong Diffie–Hellman (q-SDH) problem in G2=g2\mathbb{G}_2 = \langle g_2 \rangle5.
  • Zero-knowledge is ensured in the honest-verifier setting under the random-oracle model, due to the simulability of the Fiat–Shamir transformed Sigma protocol.
  • Unlinkability arises from signature and proof randomization: each selective disclosure presentation is statistically independent due to the fresh choice of randomizers, precluding correlation across distinct presentations.
  • Quantum resistance: BBS+ signatures, relying on discrete logarithm assumptions, are not quantum-safe. Several lattice-based constructions (such as by Jeudy–Sanders and Bootle–Sanders) aim to address this but remain works in progress without standardization (Flamini et al., 2024).

5. Performance Characteristics and Implementation Trade-Offs

Empirical benchmarks targeting 128-bit security (using the BLS12-381 pairing-friendly curve and SHA-256) indicate:

Object Size Computation Time (AMD Ryzen 7 5800X)
BBS+ signature (G2=g2\mathbb{G}_2 = \langle g_2 \rangle6) 112 bytes ~1 ms for issuance
Presentation proof G2=g2\mathbb{G}_2 = \langle g_2 \rangle7 B (33 attributes) 1.65 ms (generation), 2.14 ms (verification)
  • Proof size scales with the number of hidden attributes, i.e., G2=g2\mathbb{G}_2 = \langle g_2 \rangle8, so disclosing more attributes reduces bandwidth and CPU cost.
  • Cost is linear in the number of hidden attributes.
  • Threshold-issuance variants are supported, preserving existing proof and verification APIs.
  • A trade-off exists between instantiating the scheme in G2=g2\mathbb{G}_2 = \langle g_2 \rangle9 versus GT\mathbb{G}_T0: GT\mathbb{G}_T1 operations are cheaper and keys smaller.
  • Sub-millisecond issuance and few-millisecond proof operations enable practical deployments in resource-constrained environments such as mobile devices (Flamini et al., 2024).

6. Comparisons, Applications, and Standardization

BBS+ signatures represent one of two principal classes of selective disclosure mechanisms for verifiable credentials, the other based on hiding commitments (e.g., mdl ISO/IEC 18013-5). BBS+ excels at supporting unlinkable, multi-attribute presentations with predicate proofs and admits threshold-issuance variants while maintaining strong privacy guarantees.

BBS+ has seen adoption in open-source Rust implementations, empirical studies, and regulatory-driven deployments such as eIDAS2 digital identity frameworks. Its efficiency, flexibility for selective disclosure, and unlinkability have driven its use as a reference construction in privacy-preserving verifiable credential standards. The lack of quantum resistance remains a research focus, with emerging but as-yet non-standardized lattice-based alternatives (Flamini et al., 2024).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to BBS+ Signatures.