Selective disclosure is the killer feature for on-chain credentials. It allows a user to prove a specific claim (e.g., 'I am over 18') without revealing the entire credential, preserving privacy while enabling verification. This is the missing primitive for compliant DeFi, Sybil-resistant airdrops, and private voting.
Why BBS+ Enables a New Era of Selective Disclosure
BBS+ signatures are the cryptographic engine for selective disclosure, moving beyond all-or-nothing ZK proofs. This analysis explains why it's a foundational primitive for compliant, private identity on-chain.
Introduction
BBS+ signatures solve the fundamental trade-off between privacy and verifiability in on-chain identity.
Traditional signatures fail this test. A standard ECDSA signature on a credential is an all-or-nothing proof. Verifying any single attribute requires exposing the entire signed document, creating unacceptable privacy leaks. This limitation has stalled adoption of verifiable credentials in transparent environments like Ethereum.
BBS+ provides cryptographic zero-knowledge. The Boneh-Boyen-Shacham (BBS+) signature scheme enables zero-knowledge proofs of possession. A prover can generate a proof that they hold a valid signature from a known issuer for a subset of attributes, without revealing the signature or the undisclosed attributes themselves.
This enables new trust architectures. Projects like Verax for attestation registries and Sismo for aggregated ZK badges are building on this foundation. The W3C Verifiable Credentials Data Model standard is now implementable on-chain without sacrificing user data sovereignty.
Executive Summary
BBS+ signatures transform static, all-or-nothing data proofs into dynamic, privacy-preserving building blocks for on-chain identity.
The Problem: The Privacy vs. Utility Trade-Off
Traditional zero-knowledge proofs (ZKPs) for credentials are computationally heavy and require specialized circuits for each new attribute check. This creates a scalability bottleneck and vendor lock-in, making selective disclosure impractical for mainstream dApps.
- High Overhead: Proving a single attribute often requires proving the entire credential structure.
- Circuit Bloat: Each new proof statement requires a new, audited circuit, slowing development.
The Solution: BLS Signatures with Proof of Possession (BBS+)
BBS+ is a randomizable signature scheme where a single credential can generate countless zero-knowledge proofs for any subset of its attributes, without interacting with the original issuer.
- Attribute-Wise Randomization: Cryptographically unlink each proof from the master credential.
- One Credential, Infinite Proofs: Supports any future predicate without new circuits.
- Post-Quantum Secure: Based on elliptic curve pairings, resistant to quantum attacks.
The Architecture: W3C Verifiable Credentials + BBS+
The W3C VC Data Model provides the standardized container (JSON-LD), while BBS+ provides the cryptographic layer. This combo, championed by MATTR and Sphereon, creates portable, vendor-agnostic credentials.
- Interoperability: Works across chains and off-chain systems.
- Selective Disclosure: Prove you're over 21 without revealing your birthdate or name.
- Holder-in-the-Loop: User cryptographically controls all disclosures, enabling true self-sovereign identity.
The On-Chain Primitive: Soulbound Tokens (SBTs) 2.0
Current SBTs are non-private and non-composable. BBS+ enables Private, Provable SBTs where the on-chain token is a commitment, and the holder stores the private credential. Think Aztec Protocol for identity.
- Private Attestations: Prove SBT ownership without exposing wallet address.
- Cross-Chain Reputation: Use a credential from Ethereum to access a DeFi pool on Arbitrum with a privacy-preserving KYC proof.
- Composable ZK Proofs: Feed BBS+ proofs into other ZK circuits (e.g., zkSNARKs in zkSync).
The Killer App: Trustless, Private Access Control
Replace opaque DAO membership NFTs or KYC gateways with cryptographic proofs of eligibility. Projects like Orange Protocol and Verax are building registries for this.
- DeFi: Prove accredited investor status or country eligibility without a middleman.
- DAO Governance: Prove you hold a specific NFT from a collection (e.g., BAYC) without revealing which one.
- Gaming: Prove achievement completion across games without a centralized backend.
The Economic Layer: Minimizing On-Chain Footprint
BBS+ shifts the computational burden off-chain. The on-chain verifier is a single, constant-time pairing check, making it ~100x cheaper than generic ZK verification. This enables high-frequency, low-value attestations.
- Fixed Gas Cost: Verification cost is constant, regardless of how many attributes are disclosed.
- Batch Verification: Verify thousands of credential proofs in a single transaction, akin to ERC-4337 bundling.
- L2 Native: Ideal for Starknet and zkEVM rollups where compute is cheap but data is expensive.
The Core Argument: Selective Disclosure is the Only Scalable Privacy Model
BBS+ signatures enable verifiable credentials where users reveal only the data a verifier needs, solving the privacy-scalability trade-off inherent to zero-knowledge proofs.
Full anonymity is a scalability trap. Protocols like Zcash and Tornado Cash require a new, computationally intensive zero-knowledge proof for every transaction, creating prohibitive on-chain verification costs and latency for mainstream applications.
Selective disclosure is the pragmatic alternative. A BBS+ signature creates a single, reusable credential. Users prove specific attributes (e.g., 'age > 18') without revealing their entire identity, akin to showing a physical ID with details covered.
This model mirrors real-world verification. The W3C Verifiable Credentials standard, used by projects like Dock and cheqd, is built for this. It enables compliance (KYC with exchanges like Coinbase) without exposing raw personal data.
The evidence is in verification cost. A BBS+ signature verification is a simple elliptic curve pairing, orders of magnitude cheaper than verifying a generic ZK-SNARK circuit, making it viable for high-throughput DeFi and gaming applications.
The Disclosure Spectrum: BBS+ vs. Traditional ZK Proofs
Compares the core cryptographic capabilities of BBS+ signatures against traditional Zero-Knowledge Proofs (like zk-SNARKs) for enabling selective disclosure of verifiable credentials.
| Cryptographic Feature / Metric | BBS+ Signatures | zk-SNARKs (e.g., Groth16, Plonk) | zk-STARKs |
|---|---|---|---|
| Selective Disclosure of Attributes | | | |
| Proof Size per Revealed Attribute | ~100-200 bytes | Fixed ~0.5-1 KB | Fixed ~45-100 KB |
| Prover Compute per Attribute | O(n) for signing, O(1) for disclosure | O(n log n) for circuit | O(n log² n) for circuit |
| Trusted Setup Required | | | |
| Post-Quantum Security | Plausible (Lattice-based variants) | | |
| Signature Aggregation (n-of-1 Proof) | | | |
| Typical Use Case | Verifiable Credentials (AnonCreds), Portable Reputation | Private Transactions (Zcash), Rollup Validity Proofs | High-Throughput, Quantum-Resistant Validity Proofs |
How BBS+ Works: The Cryptography of Controlled Revelation
BBS+ is a zero-knowledge signature scheme that allows a single credential to be used for countless selective disclosures without linkability.
Selective Disclosure Core: A BBS+ signature binds multiple attributes into one credential. The holder can then prove possession of a subset of those attributes without revealing the others or the master signature. This enables minimal disclosure proofs for KYC or credit scoring.
Unlinkable Presentations: Each proof presentation is cryptographically independent. A verifier cannot link two proofs to the same credential or holder, solving the privacy flaw of deterministic schemes like ECDSA-based signatures used in many existing identity systems.
Post-Quantum Foundation: BBS+ relies on pairing-based cryptography over elliptic curves, which is currently considered more resilient to quantum attacks than RSA or ECDSA. This provides a forward-looking security guarantee for long-lived credentials.
W3C Standardization: The protocol is being standardized by the W3C as the BBS+ Signatures standard, ensuring interoperability. This is the cryptographic backbone for verifiable credential ecosystems like those proposed by Microsoft's ION and the Decentralized Identity Foundation.
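The issuer, holder and verifier steps behind the Selective Disclosure Core and Unlinkable Presentations paragraphs above, as an added example that is not code from the original page or from any BBS+ library. It assumes a toy group in which every element is stored as its discrete log (so the algebra can be checked with the Python standard library, with no security), and it uses a simplified signature of the form (A, e); all function names and the sample credential are hypothetical.

```python
import hashlib, secrets

# TOY GROUP (assumption): each element is stored as its discrete log mod Q, so
# group multiplication is "+", exponentiation is "*", and the pairing e(a, b)
# is a*b. This checks the algebra only and provides no secrecy or security.
Q = 2**127 - 1  # prime toy group order
CRED = ["Alice Example", "1990-04-12", "over18=true"]  # constructed sample

def rnd():
    return secrets.randbelow(Q - 1) + 1

def h(*parts):  # hash values to a scalar
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def keygen(n):  # secret x; public W = g2^x and one generator H_i per attribute
    x = rnd()
    return x, {"W": x, "H": [rnd() for _ in range(n)]}

def base(pk, known):  # g1 * prod(H_i^m_i) over the {index: value} items given
    return (1 + sum(pk["H"][i] * h(m) for i, m in known.items())) % Q

def sign(x, pk, msgs):  # issuer: A = B^(1/(x+e))
    e = rnd()
    return base(pk, dict(enumerate(msgs))) * pow(x + e, -1, Q) % Q, e

def present(pk, msgs, sig, reveal, nonce):  # holder: fresh proof per verifier
    A, e = sig
    r = rnd()
    Abar = A * r % Q  # re-randomised signature
    Bbar = (base(pk, dict(enumerate(msgs))) * r - e * Abar) % Q  # equals Abar^x
    shown = {i: msgs[i] for i in reveal}
    hidden = [i for i in range(len(msgs)) if i not in shown]
    k1, k2, kh = rnd(), rnd(), {i: rnd() for i in hidden}
    T = (k1 * Bbar + k2 * Abar - sum(kh[i] * pk["H"][i] for i in hidden)) % Q
    c = h(Abar, Bbar, T, sorted(shown.items()), nonce)  # Fiat-Shamir challenge
    ri = pow(r, -1, Q)
    sh = {i: (kh[i] + c * h(msgs[i])) % Q for i in hidden}
    return shown, (Abar, Bbar, c, (k1 + c * ri) % Q, (k2 + c * e * ri) % Q, sh)

def check(pk, shown, proof, nonce):  # verifier: needs only pk, never the signature
    Abar, Bbar, c, s1, s2, sh = proof
    if Abar == 0 or set(sh) | set(shown) != set(range(len(pk["H"]))):
        return False
    if Abar * pk["W"] % Q != Bbar:  # pairing check e(Abar, W) == e(Bbar, g2)
        return False
    T = (s1 * Bbar + s2 * Abar - sum(s * pk["H"][i] for i, s in sh.items())
         - c * base(pk, shown)) % Q
    return c == h(Abar, Bbar, T, sorted(shown.items()), nonce)
```

Two calls to `present` on the same signature yield different `Abar` and `Bbar` values, and a proof bound to one verifier's nonce fails `check` under another nonce.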
Builders in Production: Who's Using BBS+ Today?
BBS+ signatures are moving from academic papers to production systems, enabling selective disclosure for verifiable credentials and private on-chain interactions.
The W3C Verifiable Credentials Standard
BBS+ is the core signature scheme for W3C's Selective Disclosure standard. It allows a single credential to be reused for multiple proofs without correlation.
- Key Benefit: Enables privacy-preserving KYC where users prove they are over 18 without revealing their birthdate or name.
- Key Benefit: Powers reusable identity proofs for DeFi, replacing one-time attestations that leak user graphs.
Anon Aadhaar: Private Proof-of-Personhood
This project uses BBS+ to create ZK proofs from India's national ID. Users prove citizenship or uniqueness without exposing their Aadhaar number.
- Key Benefit: Enables sybil-resistant governance and airdrops for ~1.3B people without doxxing them.
- Key Benefit: The credential is bound to a user's wallet, preventing sale or transfer, which plagues NFT-based proof-of-personhood.
Sismo's ZK Badges & Data Vault
Sismo uses BBS+ for its ZK Badges, which are non-transferable attestations derived from private user data (e.g., GitHub, Twitter).
- Key Benefit: Users aggregate reputation across platforms into a single private profile for on-chain access.
- Key Benefit: Protocols can gate access based on provable traits (e.g., "Top 100 Gitcoin donor") without seeing a user's full history.
Polygon ID's Issuer Node
Polygon ID's infrastructure uses BBS+ for privacy-by-default credentials. Enterprises issue verifiable claims that users can selectively disclose.
- Key Benefit: Supports large-scale enterprise adoption where data minimization is a legal requirement (GDPR).
- Key Benefit: Enables private credential revocation, a critical feature for real-world compliance that naive ZK schemes lack.
The Hyper Oracle zkGraph Architecture
Hyper Oracle uses BBS+ to create verifiable off-chain computations. Provers can sign state attestations that allow for selective disclosure of the computation result.
- Key Benefit: Enables private verifiable data feeds (oracles) where the data source or specific values can remain hidden.
- Key Benefit: Allows ZK-authenticated APIs where a user proves a property about API data without the verifier querying the API directly.
The Shift from zk-SNARKs for Credentials
Projects are replacing heavy zk-SNARK circuits with BBS+ for credential proofs. The math is simpler and cheaper for the core function of hiding attributes.
- Key Benefit: ~100x cheaper proof generation than a generic zk-SNARK circuit for the same selective disclosure claim.
- Key Benefit: Native multi-message signing means the cryptographic primitive aligns perfectly with a credential's structure, reducing complexity.
The Steelman: Is BBS+ Just Another Academic Curiosity?
BBS+ is the cryptographic primitive enabling selective disclosure, moving zero-knowledge proofs from monolithic verification to granular data sharing.
BBS+ enables selective disclosure. It allows a single credential to reveal specific attributes without exposing the entire dataset. This solves the 'all-or-nothing' problem of standard ZK-SNARKs, where proving one fact requires verifying the entire proof.
The standard is production-ready. The IETF's BBS+ Signatures RFC (draft-irtf-cfrg-bbs-signatures) provides a formal specification. This standardization, driven by entities like MATTR and Microsoft, provides the interoperability needed for enterprise and DeFi adoption.
Compare it to existing systems. Traditional attestations, like X.509 certificates, reveal all data. BBS+ credentials function like a Verifiable Credential where you prove you are over 21 without revealing your birthdate, name, or issuing authority.
Evidence: The W3C Verifiable Credentials Data Model v2.0 explicitly recommends BBS+ for selective disclosure. This institutional backing separates it from purely academic constructs and anchors it in the web's future architecture.
Architectural Imperatives
Traditional zero-knowledge proofs are a sledgehammer; BBS+ is a scalpel, enabling selective disclosure as a core architectural primitive.
The Problem: All-or-Nothing ZK Blobs
Standard ZK-SNARKs verify the entire statement, leaking data or forcing re-proving. This is inefficient for credentials with multiple claims.
- Forces Over-Disclosure: Proving you're over 21 reveals your exact birthdate.
- High Recomputation Cost: Sharing a new subset of attributes requires a new, expensive proof.
The Solution: BLS12-381 & BBS+ Signatures
BBS+ is a signature scheme on the BLS12-381 curve that allows a prover to cryptographically sign a set of messages, enabling zero-knowledge proofs about any subset.
- Selective Disclosure: Prove statements like "age > 21" or "country = DE" without revealing other signed data.
- Signature Re-use: The same original signature can be used to generate infinite, unique subset proofs.
The Architecture: Decoupling Issuance from Verification
BBS+ enables a clean separation between credential issuers (e.g., DMV, DAOs) and verifiers (dApps, DeFi pools).
- Issuer Simplicity: Issuer signs a standard payload, no ZK circuit knowledge required.
- Verifier Flexibility: Verifiers define their own policy (which claims to check) without contacting the issuer.
The Application: Portable, Composable Credentials
This creates a new design pattern for on-chain identity, moving beyond static NFTs to active attestations.
- DeFi: Prove accredited investor status or KYC tier across chains without exposing SSN.
- DAOs/Gaming: Prove reputation score or guild membership to access specific contract functions.
The Benchmark: vs. Circom & Halo2
For selective disclosure, BBS+ outperforms general-purpose ZK tooling on key metrics.
- Prover Speed: ~10-100x faster for subset proofs vs. re-running a full Circom circuit.
- Proof Size: Constant and small (~200 bytes) regardless of hidden attributes.
The Imperative: Privacy as a Default, Not a Feature
BBS+ shifts the architectural mindset from prove everything to prove the minimum. This is critical for mass adoption.
- User Sovereignty: Users control their data footprint across the stack.
- Regulatory Path: Enables compliant disclosure (e.g., GDPR, Travel Rule) without full transparency.