Selective Disclosure is the Killer Feature. BBS+ signatures let a user prove specific attributes from a credential without revealing the entire document, unlike monolithic signatures from ECDSA or EdDSA. This transforms credentials from static blobs into dynamic proof engines.
Why BBS+ Signatures Are a Game-Changer for Reusable Credentials
BBS+ signatures solve the core cryptographic inefficiencies that have stalled anonymous credentials for a decade, enabling practical, reusable proofs for DeFi, compliance, and identity.
Introduction
BBS+ signatures enable selective, reusable credential disclosure, solving the privacy and scalability bottlenecks of current identity systems.
The W3C Verifiable Credentials Standard is Incomplete. The standard defines the data model but lacks a privacy-preserving cryptographic layer. BBS+ provides this, enabling compliance with regulations like GDPR and CCPA by design, moving beyond the 'all-or-nothing' model of current implementations.
Compare to Existing Models. Zero-Knowledge Proofs (ZKPs) offer similar privacy but require complex circuit setup for each attribute. BBS+ signatures are signature-agnostic and computationally lighter, making them practical for mobile and resource-constrained environments where ZKPs are overkill.
Evidence: The W3C-CCG standardized BBS+ in 2022 (BBS Signature Suite 2020), and it is the core of Microsoft's Entra Verified ID service, which processes millions of credentials, demonstrating production-scale viability.
The Core Argument: From One-Shot Proofs to Reusable Wallets
BBS+ signatures transform one-time ZK proofs into persistent, reusable credentials that power privacy-preserving wallets.
Traditional ZK proofs are ephemeral. A zk-SNARK for proving age or citizenship is a single-use object, forcing users to re-prove identity for every new application, which is inefficient and privacy-leaking.
BBS+ signatures create reusable credentials. This signature scheme allows a trusted issuer to sign a set of attributes into a single, compact credential that a user can selectively disclose parts of for different services without revealing the whole.
This enables persistent identity wallets. A user holds one BBS+ credential from an issuer like Verite or Ontology, then generates countless zero-knowledge, single-use proofs from it for dApps like Aave or Compound, without the issuer's further involvement.
The shift is from proof-of-statement to proof-of-credential. Instead of proving 'I am over 18' each time, you prove you hold a valid credential asserting that fact. This reduces on-chain verification costs and creates a portable, user-centric identity layer.
The Three Cryptographic Breakthroughs of BBS+
BBS+ signatures enable selective disclosure of signed data, moving beyond the all-or-nothing paradigm of traditional digital signatures.
The Problem: The Atomic Signature
Traditional signatures like ECDSA bind a signer to an entire document. To verify one claim (e.g., age > 21), you must expose the entire credential, leaking unnecessary data.
- Privacy Leak: Reveals all signed attributes in every transaction.
- Inflexible: No support for proving compound statements (e.g., 'citizen AND over 18').
- Reusability Gap: Credentials cannot be safely used across multiple verifiers without correlation.
The Solution: Selective Disclosure & Unlinkability
BBS+ allows a prover to cryptographically derive a proof for any subset of signed messages, without revealing the signature or the undisclosed data.
- Minimal Disclosure: Prove 'age > 21' without revealing name, address, or signature.
- Unlinkable Sessions: Each proof is zero-knowledge, preventing verifiers from linking transactions.
- Multi-Show Safe: The same credential can be used indefinitely without fear of tracking or exhaustion.
The Architecture: Signature-Based, Not SNARKs
Unlike generic zkSNARK circuits (e.g., Zcash, Tornado Cash), BBS+ is a specialized signature scheme. This creates a simpler, more efficient trust model for credentials.
- No Trusted Setup: Eliminates the complex MPC ceremonies required by many SNARK systems.
- Native Verification: Proofs verify against the original public key, not a circuit-specific verification key.
- Protocol Integration: Fits directly into existing IETF standards like W3C Verifiable Credentials, enabling compatibility with DIDComm and Hyperledger Aries.
Signature Scheme Showdown: BBS+ vs. The Old Guard
A first-principles comparison of cryptographic schemes for selective disclosure and multi-message signing, critical for on-chain identity and privacy.
| Feature / Metric | BBS+ Signatures (BLS12-381) | ECDSA (Secp256k1) | RSA (2048-bit) |
|---|---|---|---|
| Selective Disclosure (Core) | | | |
| Multi-Message Binding (1 Proof, N Msgs) | | | |
| Proof Size for 10 Attributes | ~200 bytes | N/A (640 bytes for raw sigs) | N/A (~256 bytes for raw sigs) |
| Verifier Sees Only Disclosed Data | | | |
| Post-Quantum Security Roadmap | Yes (Lattice-based variants) | No | No (Shor's algorithm vulnerable) |
| Signature Aggregation Support | | | |
| Primary Use Case in Web3 | W3C VCs, zk-Credentials (e.g., Sismo) | Wallet Auth, TX Signing (Bitcoin, Ethereum) | TLS, Legacy PKI Systems |
How BBS+ Actually Works: Selective Disclosure Without the Bloat
BBS+ signatures enable users to prove specific claims from a credential without revealing the entire document, solving the privacy and scalability issues of older schemes.
Selective disclosure is the core feature. A BBS+ signature binds multiple attributes into a single, compact cryptographic proof. A user can then generate a zero-knowledge proof for a subset of those attributes, like proving age >21 without revealing name or birthdate.
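The disclosure step described above, reduced to its Schnorr-style core, as an added example (not code from the original page or from any BBS+ library): the holder reveals one attribute and proves knowledge of the others bound into the same value. Assumptions: a toy group mod 2^255 - 19 replaces BLS12-381, all function names are hypothetical, and the pairing-based issuer signature and its per-proof randomization are omitted, so `C` here is a stable value that a real BBS+ proof would not expose.

```python
import hashlib, secrets

# Toy group (assumption, not secure BBS+ parameters): integers mod the prime
# 2**255 - 19 stand in for BLS12-381 G1; exponents are reduced mod Q = P - 1.
P = 2**255 - 19
Q = P - 1

def h2i(*parts):
    """Hash values to an integer (used for bases and challenges)."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def mexp(bs, es):
    """Multi-exponentiation: product of b**e mod P."""
    out = 1
    for b, e in zip(bs, es):
        out = out * pow(b, e, P) % P
    return out

def bases(n):
    """H[0] blinds the commitment; H[1..n] carry one attribute each."""
    return [pow(h2i("base", i), 2, P) for i in range(n + 1)]

def commit(H, attrs, s):
    """C = H0^s * prod(Hi^mi): the multi-attribute value an issuer would sign."""
    return mexp(H, [s] + list(attrs))

def hidden_bases(H, shown):
    """Blinding base plus the base of every undisclosed attribute slot."""
    return [H[0]] + [H[i + 1] for i in range(len(H) - 1) if i not in shown]

def prove(H, C, attrs, s, disclose, nonce):
    """Reveal attrs[i] for i in disclose; prove knowledge of s and the rest."""
    shown = {i: attrs[i] for i in sorted(disclose)}
    known = [s] + [m for i, m in enumerate(attrs) if i not in shown]
    r = [secrets.randbelow(Q) for _ in known]        # fresh per presentation
    T = mexp(hidden_bases(H, shown), r)
    c = h2i(C, T, sorted(shown.items()), nonce) % Q  # Fiat-Shamir challenge
    z = [(ri + c * x) % Q for ri, x in zip(r, known)]
    return {"shown": shown, "T": T, "z": z}

def verify(H, C, proof, nonce):
    """Strip disclosed attributes from C, then check the Schnorr equation."""
    shown, T, z = proof["shown"], proof["T"], proof["z"]
    hb = hidden_bases(H, shown)
    rest = C * mexp([H[i + 1] for i in shown], [-m for m in shown.values()]) % P
    c = h2i(C, T, sorted(shown.items()), nonce) % Q
    return len(z) == len(hb) and mexp(hb, z) == T * pow(rest, c, P) % P

# Constructed sample credential: [name, birth_year, country] as integers.
ATTRS = [h2i("Alice Example") % Q, 1990, h2i("DE") % Q]
```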
It eliminates credential bloat. Unlike pairing-based schemes like Boneh-Lynn-Shacham (BLS), BBS+ uses standard elliptic curves (e.g., BLS12-381) but structures proofs to keep size constant regardless of disclosed attributes. This makes it viable for on-chain verification.
The W3C Verifiable Credentials standard adopts BBS+ as a recommended cryptosuite. This institutional backing, seen in projects like Microsoft's Entra Verified ID, provides the interoperability layer missing from ad-hoc ZK proof systems.
Verification cost is the bottleneck. On Ethereum, verifying a BBS+ proof for a single disclosed attribute costs ~450k gas. This is why layer-2s like Arbitrum or zkSync, and co-processors like Axiom, are essential for mainstream adoption.
Who's Building With BBS+ Today
BBS+ signatures enable selective disclosure and multi-message signing, moving beyond the one-time-use limitations of traditional ZKPs. Here's who's leveraging it.
AnonCreds: The Enterprise Standard
The Hyperledger Indy ecosystem's core credential format, now powered by BBS+. It's the backbone for SSI networks like Indicio and Evernym.
- Selective Disclosure: Prove specific attributes (e.g., age > 21) without revealing the entire credential.
- Interoperability: Foundation for W3C Verifiable Credentials, enabling portable digital identity.
The Problem: One-Proof-Per-Attribute
Traditional Schnorr or BLS signatures bind a single message. Proving you hold multiple credentials (e.g., KYC + credit score) requires separate, bulky proofs, killing UX.
- State Bloat: Each proof is a new on-chain signature or ZK-SNARK.
- High Cost: Aggregating claims across dApps becomes prohibitively expensive for users.
The Solution: One Signature, Infinite Proofs
A single BBS+ signature can sign multiple messages (attributes). Users can later generate a zero-knowledge proof for any subset of those messages.
- Credential Reusability: Sign your identity once, prove aspects of it across countless dApps.
- Privacy-Preserving: The verifier only learns the truth of the disclosed statements, not the underlying data.
Polygon ID: Scaling On-Chain Verification
Polygon's identity suite uses BBS+ for its Iden3 protocol, enabling reusable zk-proofs of identity for DeFi and governance.
- Gas Efficiency: Verify a compact BBS+ proof on-chain instead of raw data.
- Composability: A single credential can gate access to Aave, Compound, and DAOs without re-verification.
The Verifier's Dilemma: Trust vs. Cost
Verifying a traditional credential requires checking the issuer's signature and the credential's revocation status. This is O(n) complexity for batch checks.
- Trusted Issuers: Centralized point of failure if the issuer's key is compromised.
- Revocation Overhead: Maintaining and checking revocation lists (CRLs) is cumbersome and leaks privacy.
BBS+ Enables Stateless Revocation
BBS+ supports non-revocation proofs where the user proves their credential is not on a blacklist without revealing which credential they hold.
- Scalable Verification: Verifier checks one aggregate proof, not N signatures.
- Enhanced Privacy: Issuer can revoke credentials without learning when/where they are used.
The Bear Case: Implementation Pitfalls & Limitations
BBS+ signatures enable reusable, privacy-preserving credentials, but real-world adoption faces significant technical and ecosystem hurdles.
The On-Chain Verifier Bottleneck
Verifying a BBS+ proof on-chain is computationally expensive, creating a gas cost barrier for protocols like Uniswap or Aave that require real-time credential checks. This limits use to high-value, low-frequency actions.
- Gas Cost: ~1M+ gas per verification, rivaling a complex Uniswap V3 swap.
- Throughput: Cripples applications requiring sub-second finality or high TPS.
- Solution Path: Requires specialized co-processors (e.g., Risc Zero, Brevis) or optimistic verification schemes.
The Credential Issuer Monopoly Risk
The system's trust model collapses to the credential issuer (e.g., a DAO, corporation, or government). A malicious or compromised issuer can revoke or falsify credentials for entire user bases, creating centralized failure points.
- Trust Assumption: Shifts from decentralized consensus to off-chain legal entities.
- Sybil Resistance: Relies on issuer KYC, creating gatekeepers akin to Coinbase or Binance.
- Mitigation: Requires decentralized issuance networks (e.g., BrightID, Iden3) which are nascent.
The Interoperability Desert
BBS+ credentials exist in isolated silos without standardized schemas or revocation registries. A credential from Compound Governance cannot be used in Optimism's AttestationStation or a zkSync Era dApp without custom bridges and mapping.
- Fragmentation: Each protocol (Polygon ID, Sismo) uses proprietary formats.
- Composability Loss: Breaks the "money Lego" principle central to DeFi.
- Path Forward: Requires widespread adoption of standards like W3C Verifiable Credentials and cross-chain attestation layers (EAS, Hyperlane).
The UX/Key Management Quagmire
Managing BBS+ signing keys and complex zero-knowledge proof generation is a user experience nightmare. The average user cannot securely store a BBS+ key and generate proofs for Snapshots or zkBob privacy pools.
- Cognitive Load: Shifts burden from protocols (MetaMask) to end-users.
- Loss Risk: Losing a BBS+ key means losing all associated credentials irrevocably.
- Necessary Evolution: Requires seamless embedded wallets (Privy, Dynamic) and proof abstraction layers.
The Verifiable Credential Stack: A New Primitive for Everything
BBS+ signatures enable selective disclosure and unlinkability, making reusable credentials a practical reality.
BBS+ signatures enable selective disclosure. A user proves a single attribute, like being over 21, without revealing their entire credential or creating a correlatable signature. This is the core mechanism for privacy-preserving proofs.
This breaks the linkability of traditional signatures. With ECDSA, every proof is uniquely tied to the credential, creating a privacy-compromising fingerprint. BBS+ generates a unique, zero-knowledge proof for each disclosure event.
The W3C Verifiable Credentials standard formalizes this. It provides the data model, while BBS+ provides the cryptographic layer. Implementations like AnonCreds and Microsoft's Entra Verified ID use this stack for enterprise and decentralized identity.
Evidence: The IETF standardized BBS+ (RFC 9380) in 2023, signaling its readiness for production. This moves the tech from academic papers to deployable infrastructure for protocols like Veramo and cheqd.
TL;DR for CTOs & Architects
BBS+ signatures enable selective disclosure of verifiable credentials, moving beyond the all-or-nothing privacy of traditional proofs.
The Problem: Wasted Proofs
Traditional ZK proofs for credentials (like zk-SNARKs) are single-use and computationally heavy. Each new verification requires a fresh, expensive proof, making reusable attestations like KYC or credit scores impractical at scale.
- Proof size: ~1-2 KB per new verification
- Verification cost: ~$0.05 - $0.20 per check on L2
- User friction: Re-proving for every dApp
The Solution: BLS12-381 & Selective Disclosure
BBS+ is a signature scheme on the BLS12-381 curve that allows a single signature to support multiple, independent selective disclosures. The holder can reveal only specific attributes (e.g., 'age > 21') without re-signing.
- One signature, infinite disclosures: Original issuer signature is constant
- Attribute-level privacy: Reveal 'country' but hide 'passport number'
- Post-quantum friendly: Based on elliptic curve pairings
Architectural Impact: Stateless Verification
Verifiers only need the issuer's public key, the disclosed attributes, and a tiny proof. No need to query a registry or maintain state, enabling truly decentralized and scalable credential systems like those envisioned by the W3C Verifiable Credentials standard.
- Verifier simplicity: No chain state lookups
- Interoperability: Native fit with DIDComm and Solid protocols
- Scale: Enables zk-credential networks without heavy consensus
The Trade-off: On-Chain vs. Off-Chain
BBS+ excels for off-chain, peer-to-peer credential exchange (e.g., job applications, selective KYC). It's less optimal for direct on-chain verification where the proof itself must be verified in a smart contract, due to higher EVM gas costs for pairing operations compared to EdDSA.
- Ideal for: Off-chain protocols, OIDC bridges, enterprise auth
- Challenge: On-chain verification can be ~500k gas per proof
- Hybrid approach: Use off-chain BBS+ proofs with on-chain attestation of the issuer's root key