BBS+ Signatures (Boneh-Boyen-Shacham, plus enhancements) are a digital signature scheme built on pairing-based cryptography that allows a signer to produce a single, compact signature on multiple messages. The defining feature, known as signature proof of knowledge, enables a holder to selectively disclose only a subset of the signed messages to a verifier while keeping the rest hidden, all without revealing the original signature or compromising the cryptographic proof's validity. This property is critical for privacy-preserving systems where data minimization is required.
BBS+ Signatures
What are BBS+ Signatures?
BBS+ is a cryptographic signature scheme that enables advanced privacy features like selective disclosure and unlinkable multi-message signing, making it foundational for verifiable credentials and zero-knowledge proofs.
The "+" in BBS+ refers to key improvements over the original BBS scheme, primarily the addition of a randomizing factor during signing. This enhancement strengthens security proofs and provides crucial blind signing capabilities, where a signer can endorse a set of messages without learning their contents. The scheme operates over elliptic curve groups with a bilinear pairing, such as the BLS12-381 curve, which allows for efficient verification of complex statements about the signed data.
Core to its utility is the ability to generate zero-knowledge proofs. A prover can create a proof that they possess a valid BBS+ signature on a set of attributes and can reveal only specific, necessary attributes (e.g., proving they are over 21 without revealing their exact birthdate). The proof does not reveal the signature itself, preventing verifiers from linking different presentations back to the same credential or holder, a property known as unlinkability.
The primary application of BBS+ signatures is in Decentralized Identity (DID) and Verifiable Credentials (VCs), as standardized by the W3C. It forms the cryptographic backbone for protocols like AnonCreds, allowing for the creation of reusable, privacy-respecting digital credentials. Compared to simpler schemes, BBS+ provides a balance of strong security, efficient proof generation, and the flexible disclosure necessary for real-world identity systems.
From an implementation perspective, BBS+ signatures involve several algorithms: KeyGen for creating public/private key pairs, Sign for signing a vector of messages, Verify for verifying a full signature, and ProofGen/ProofVerify for creating and checking selective disclosure proofs. Its integration requires careful cryptographic engineering but offers a powerful toolset for building applications that prioritize user privacy and data sovereignty by design.
Etymology and Origin
The development of BBS+ signatures is a story of cryptographic evolution, building upon decades of research to create a signature scheme uniquely suited for privacy-preserving credentials.
The name BBS+ is a direct reference to its cryptographic lineage, combining the foundational BBS group signature scheme with crucial + enhancements. The original BBS signatures were introduced in a seminal 2004 paper by Dan Boneh, Xavier Boyen, and Hovav Shacham, providing a method for a member of a group to sign a message while hiding their specific identity within that group. The + suffix denotes a series of critical improvements, most notably the work by Man Ho Au, Willy Susilo, and Yi Mu in 2006, which extended the scheme to support efficient proofs on signed messages, a capability essential for modern zero-knowledge credential systems.
This evolution was driven by the need for more expressive and practical anonymous credentials. While the original BBS scheme enabled group anonymity, it lacked the ability to selectively disclose specific attributes from a signed credential without revealing the entire signature or the signer's identity. The + modifications, particularly the introduction of randomizable signatures and the security proof in the standard model, enabled what is now called BBS+ signatures. This allowed a prover to generate a zero-knowledge proof that they possess a valid signature on a set of messages (attributes) and can reveal only a chosen subset of them, a paradigm known as predicate proof.
The cryptographic core of BBS+ relies on pairing-based cryptography over elliptic curve groups, specifically type-3 bilinear pairings. Its security is based on the q-Strong Diffie-Hellman (q-SDH) and Decision Linear (DLIN) assumptions. The choice of these building blocks was not arbitrary; they provide the necessary algebraic structure for signatures to be randomizable and for proofs to be efficiently generated. This mathematical foundation distinguishes BBS+ from other signature schemes like ECDSA or Schnorr, which are not natively designed for such complex, attribute-based proofs without additional protocol layers.
The development path of BBS+ illustrates a key trend in applied cryptography: adapting theoretical constructs for real-world systems. Its design directly addresses requirements for user-centric identity, where an individual must control and minimally disclose personal data. Consequently, BBS+ has become the cornerstone for W3C Verifiable Credentials data model implementations, such as AnonCreds, and is standardized in documents like RFC 9383 for the BBS Signature Scheme. Its origin story is thus a bridge from academic group signature theory to a standardized tool for decentralized, privacy-enhancing digital identity.
Key Features and Cryptographic Properties
BBS+ (Boneh-Boyen-Shacham with a pairing-friendly curve) is a cryptographic signature scheme enabling advanced privacy features like selective disclosure and multi-message signing.
Selective Disclosure
A core feature allowing a prover to reveal only a specific subset of signed messages from a credential, while keeping the rest hidden and cryptographically proving the signature's validity. This enables minimal disclosure and data minimization.
- Example: A user can prove they are over 21 from a driver's license credential without revealing their exact birth date, name, or address.
Blind Signatures
Enables a signer to issue a signature on a set of messages without learning their contents. This is foundational for privacy-preserving issuance of credentials, separating the roles of issuer and data collector.
- Process: The user sends a blinded commitment of their messages to the issuer, who signs it. The user can then unblind the signature to obtain a valid one on the original messages.
Multi-Message Signing
A single BBS+ signature can securely commit to and sign multiple discrete messages (attributes) simultaneously. This creates a compact, unified credential.
- Efficiency: Verifying a signature for a subset of messages is more efficient than verifying multiple individual signatures, reducing on-chain gas costs and proof size.
Zero-Knowledge Proof Compatibility
BBS+ signatures are friendly to succinct non-interactive zero-knowledge proofs (zk-SNARKs). The signature can be used as a private witness in a proof, allowing a user to prove possession of a valid signature and the disclosed messages without revealing the signature itself.
- Use Case: This enables anonymous authentication and credential presentation in decentralized identity systems.
Signature Aggregation
Multiple BBS+ signatures from different issuers on potentially different message sets can be aggregated into a single, constant-size signature. This enables efficient batch verification and complex credential compositions.
- Benefit: Dramatically reduces the verification overhead when presenting credentials from multiple sources, which is critical for scalable decentralized systems.
Post-Quantum Security
BBS+ is based on elliptic curve pairings and the q-Strong Diffie-Hellman (q-SDH) assumption. While not currently considered post-quantum secure, its structure within pairing-based cryptography provides a potential migration path to isogeny-based or other post-quantum secure pairing alternatives being researched.
- Context: This distinguishes it from schemes based on factoring or discrete log problems, which are broken by Shor's algorithm.
How BBS+ Signatures Work
BBS+ is a digital signature scheme enabling the selective disclosure of signed data, forming a core component of privacy-preserving verifiable credentials.
BBS+ signatures are a cryptographic scheme that allows a signer to create a single, compact signature over multiple messages (or attributes), which a verifier can later validate without learning all the original data. This is achieved through zero-knowledge proofs, where the holder of the signature can generate a proof that reveals only a chosen subset of the signed messages while cryptographically convincing the verifier that the revealed data is authentic and unaltered. The "+" in BBS+ denotes an enhancement over the original Boneh-Boyen-Shacham (BBS) scheme, adding support for signing multiple messages and improved security proofs.
The protocol operates over a pairing-friendly elliptic curve, such as BLS12-381, which enables efficient cryptographic pairings. The signer's secret key is used to generate a signature that binds to a commitment of all messages. A critical feature is randomization: the signature holder can randomize the signature to produce a unique, unlinkable presentation for each verification session, preventing tracking across different interactions. This randomization is key to user privacy in decentralized identity systems.
During verification, the holder creates a zero-knowledge proof of knowledge (ZKPoK). This proof demonstrates possession of a valid BBS+ signature and that the disclosed attributes match the originally signed values, without exposing the signature itself or the hidden messages. The verifier checks this proof using only public parameters and the signer's public key. This process ensures data minimization and selective disclosure, as credentials like a driver's license can prove age without revealing name or address.
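The proof of knowledge described above rests on a Schnorr-style proof over a multi-base commitment to the messages. The following added example (not code from the original page or from any BBS+ library) shows only that building block, bound to a verifier nonce. It assumes a demo group of integers modulo 2^255 - 19 instead of BLS12-381, omits the pairing check that ties the commitment to the issuer's key, and sends the commitment in the clear, so it is not unlinkable; all function names and sample values are constructed for the illustration.

```python
import hashlib
import secrets

# Demo group (assumption of this example): integers mod the prime 2**255 - 19,
# exponents mod P - 1. Real BBS+ works in G1 of a pairing-friendly curve.
P = 2**255 - 19
N = P - 1  # h**N == 1 (mod P) for every base h, so exponents reduce mod N

def generator(label):
    """Derive a public base h_i from a label (constructed, demo only)."""
    digest = hashlib.sha512(b"demo-base:" + label.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2

def to_scalar(value):
    """Hash an attribute value to an exponent."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N

def commit(bases, messages, blind):
    """C = h0^blind * prod(h_i^m_i), a commitment to the whole message vector."""
    c = pow(bases[0], blind, P)
    for h, m in zip(bases[1:], messages):
        c = c * pow(h, m, P) % P
    return c

def challenge(c, t, disclosed, nonce):
    """Fiat-Shamir challenge; hashing the verifier nonce binds the session."""
    data = repr((c, t, sorted(disclosed.items()), nonce)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def proof_gen(bases, messages, blind, reveal, nonce):
    """Disclose the messages at indexes in `reveal`; prove knowledge of the rest."""
    c = commit(bases, messages, blind)
    disclosed = {i: messages[i] for i in reveal}
    hidden = [i for i in range(len(messages)) if i not in reveal]
    # Fresh, secret, non-zero blinding factors, never reused across proofs.
    r_blind = secrets.randbelow(N - 1) + 1
    r = {i: secrets.randbelow(N - 1) + 1 for i in hidden}
    t = pow(bases[0], r_blind, P)
    for i in hidden:
        t = t * pow(bases[i + 1], r[i], P) % P
    ch = challenge(c, t, disclosed, nonce)
    z = {i: (r[i] + ch * messages[i]) % N for i in hidden}
    return {"C": c, "disclosed": disclosed, "ch": ch,
            "z_blind": (r_blind + ch * blind) % N, "z": z}

def proof_verify(bases, proof, nonce):
    """Check a proof from public bases, the disclosed values and the nonce."""
    rest = proof["C"]  # divide the disclosed terms out of C
    for i, m in proof["disclosed"].items():
        rest = rest * pow(bases[i + 1], -m, P) % P
    # Recompute T = h0^z_blind * prod(h_i^z_i) * rest^(-ch) over hidden indexes.
    t = pow(bases[0], proof["z_blind"], P) * pow(rest, -proof["ch"], P) % P
    for i, z in proof["z"].items():
        t = t * pow(bases[i + 1], z, P) % P
    return proof["ch"] == challenge(proof["C"], t, proof["disclosed"], nonce)

def demo():
    """Constructed credential: disclose country and the over-21 flag only."""
    bases = [generator(f"h{i}") for i in range(5)]
    msgs = [to_scalar(v) for v in ("Alice Example", "1990-04-01", "US", "over21")]
    proof = proof_gen(bases, msgs, secrets.randbelow(N), {2, 3}, "session-1")
    return (proof_verify(bases, proof, "session-1"),   # True: same session
            proof_verify(bases, proof, "session-2"))   # False: replayed elsewhere
```

The verifier never sees the values at the hidden indexes, only the responses `z`, and a proof replayed under a different nonce or with an altered disclosed value fails the challenge check.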
Compared to other schemes, BBS+ provides significant advantages for verifiable credentials. Unlike BLS signatures, which sign a single hash, BBS+ supports multi-message signing. It offers greater flexibility and smaller proof sizes for complex disclosures than generic zk-SNARK circuits. Its security is based on well-studied q-type assumptions in bilinear groups. The standardization of BBS+ through the IETF and its adoption by the W3C for Decentralized Identifiers (DIDs) and Verifiable Credentials underscore its role as a foundational privacy-enhancing technology.
Examples and Use Cases
BBS+ (Boneh-Boyen-Shacham with key binding) signatures enable advanced cryptographic protocols by allowing a single signature to prove multiple, selective statements about the signed data.
Selective Disclosure for Credentials
A user can present a verifiable credential (e.g., a driver's license) and prove they are over 21 without revealing their exact birth date or other attributes. The verifier only learns the truth of the predicate (age ≥ 21) from the BBS+ signature proof.
Multi-Message Signing Efficiency
Sign a bundle of messages (e.g., {name, age, country, credit_score}) with one BBS+ signature. Later, any subset can be disclosed or used in zero-knowledge proofs. This is more efficient than creating separate signatures for each attribute.
Anonymous Authentication
Users can authenticate to a service by proving they hold a valid credential signed by a trusted issuer, without revealing their specific identity or credential identifier. This supports privacy-preserving systems like anonymous access tokens or voting.
Resource-Constrained Environments
Because a BBS+ signature is a constant size (~160 bytes) regardless of the number of signed messages, it is suitable for blockchain and IoT applications where bandwidth and storage are limited, unlike attaching multiple individual signatures.
Revocation Without Identifiers
Credentials can be revoked using mechanisms like accumulators or revocation lists without needing to expose a persistent user identifier in the proof. The user proves non-revocation as part of the zero-knowledge proof.
Complex Policy Proofs
Prove complex logical statements about attributes, such as (citizen = US AND age > 18) OR (employee_status = active). The BBS+ signature serves as the cryptographic foundation for proving these predicates in zero-knowledge.
Comparison: BBS+ vs. Traditional Digital Signatures
A technical comparison of BBS+ (Boneh-Boyen-Shacham Plus) signatures, a type of pairing-based signature, against widely-used traditional schemes like ECDSA and EdDSA.
| Feature / Property | BBS+ Signatures | ECDSA / EdDSA |
|---|---|---|
| Core Cryptography | Pairing-based (bilinear maps) | Elliptic Curve Discrete Log (ECDLP) |
| Signature Aggregation | | |
| Selective Disclosure | | |
| Multi-Message Signing | Single signature for N messages | One signature per message |
| Proof Generation | Zero-Knowledge Proof (ZKP) compatible | Not natively ZKP compatible |
| Signature Size (Scalable) | Constant (~192B) for N messages | Linear growth with messages |
| Verification Complexity | Pairing operations | Point multiplications & hashing |
| Primary Use Case | Privacy-preserving credentials, ZKPs | Transaction auth, TLS, general-purpose signing |
Ecosystem Usage and Standards
BBS+ (Boneh-Boyen-Shacham Plus) is a cryptographic signature scheme enabling selective disclosure and unlinkable multi-message signing, forming a core standard for privacy-preserving verifiable credentials and zero-knowledge proofs.
Core Cryptographic Mechanism
BBS+ is a digital signature scheme built on pairing-based cryptography. Its defining feature is the ability to sign multiple messages with a single signature, which can later be selectively disclosed. A prover can reveal only a subset of the signed messages, generating a zero-knowledge proof that the revealed data is part of the original, valid signature without exposing the undisclosed data or the signature itself.
Selective Disclosure & Unlinkability
This is the primary use case. A verifiable credential (e.g., a digital driver's license) signed with BBS+ can contain many attributes (name, DOB, address, license number). The holder can prove they are over 21 by disclosing only their birth date and a proof of signature validity, without revealing their name or exact date. Each presentation is cryptographically unlinkable to the original credential or other presentations.
Comparison to Other Schemes
- vs. ECDSA (Bitcoin/Ethereum): ECDSA signs a single hash; reveals all data. BBS+ signs multiple messages; enables selective disclosure.
- vs. RSA Signatures: RSA is used for traditional certificates; reveals all signed data. BBS+ provides unlinkable, subset disclosures.
- vs. BLS Signatures: BLS enables aggregation but not selective disclosure. BBS+ is derived from BLS but adds the crucial zero-knowledge proof capability for hidden messages.
Use Cases in Blockchain & Identity
- Decentralized Identity (DID): Users control credentials in a wallet, proving claims without correlatable identifiers.
- DeFi & Compliance: Proving credit score or jurisdiction for loan eligibility without exposing full identity.
- Access Control: Proving membership or subscription status without a linkable token.
- Supply Chain: Revealing specific product attestations (organic, fair-trade) while keeping supplier details private.
Security Considerations and Assumptions
BBS+ signatures provide advanced cryptographic security for selective disclosure, but their implementation relies on specific, well-defined assumptions and careful parameter choices.
Assumption: q-Strong Diffie-Hellman (q-SDH)
The security of BBS+ signatures rests on the q-Strong Diffie-Hellman (q-SDH) assumption in bilinear groups. This is a well-established computational hardness assumption stating that, given a tuple of group elements (g, g^x, g^(x^2), ..., g^(x^q)), it is computationally infeasible to compute a pair (c, g^(1/(x+c))) for any freely chosen c. The security proof for BBS+ reduces to this assumption, meaning breaking the signature scheme would require solving the q-SDH problem.
Assumption: Random Oracle Model (ROM)
The standard security proofs for BBS+ signatures are conducted in the Random Oracle Model (ROM). This model treats cryptographic hash functions (like SHA-256) as ideal, perfectly random functions. While a practical and widely accepted model, it is a theoretical abstraction. Real-world hash functions are not perfect random oracles, so the security guarantee is conditional on this assumption. Implementations must use cryptographically strong, well-vetted hash functions.
Key Considerations for Implementation
Secure deployment requires attention to several critical parameters and practices:
- Bilinear Pairing Group Selection: Must use a secure, standardized elliptic curve pairing-friendly group (e.g., BLS12-381).
- Private Key Generation: Signer secret keys must be generated with a cryptographically secure random number generator.
- Blinding Factor Security: The prover's random blinding factors for generating proofs must be non-zero, secret, and never reused across different proofs for the same signature.
- Deterministic vs. Randomized Signing: The core BBS+ signing algorithm is deterministic, enhancing security by eliminating randomness failures.
Selective Disclosure & Unlinkability
A core security property is unlinkability: different presentations (proofs of possession) derived from the same signature cannot be linked to each other or to the original issuance transaction. This relies on the zero-knowledge property of the proof system. However, this unlinkability can be compromised if:
- The prover reuses a nonce during proof generation.
- The disclosed attributes themselves contain unique identifiers.
- The verifier uses a malicious, non-standard verification process.
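The second condition above can be checked before a disclosure policy ships. This added example (not from the original page; the attribute names, the population and the threshold are constructed assumptions) counts how many holders share each combination of disclosed attribute values, since a combination held by a single person identifies them even when the proof itself is unlinkable.

```python
from collections import Counter
from itertools import combinations

# Constructed population of issued credentials (sample data, not real).
HOLDERS = [
    {"license_no": "D100", "birth_year": 1990, "state": "CA", "over_21": True},
    {"license_no": "D101", "birth_year": 1990, "state": "CA", "over_21": True},
    {"license_no": "D102", "birth_year": 1985, "state": "CA", "over_21": True},
    {"license_no": "D103", "birth_year": 1985, "state": "NY", "over_21": True},
    {"license_no": "D104", "birth_year": 2008, "state": "NY", "over_21": False},
    {"license_no": "D105", "birth_year": 2008, "state": "NY", "over_21": False},
]


def anonymity_set(population, holder, disclosed):
    """Number of holders whose disclosed values are identical to this holder's."""
    key = tuple(holder[a] for a in disclosed)
    return sum(1 for h in population if tuple(h[a] for a in disclosed) == key)


def worst_case_k(population, disclosed):
    """Smallest anonymity set any holder gets when disclosing these attributes."""
    counts = Counter(tuple(h[a] for a in disclosed) for h in population)
    return min(counts.values())


def audit_disclosures(population, attributes, min_k):
    """Map each attribute subset whose worst-case k is below min_k to that k."""
    risky = {}
    for size in range(1, len(attributes) + 1):
        for subset in combinations(attributes, size):
            k = worst_case_k(population, subset)
            if k < min_k:
                risky[subset] = k
    return risky


if __name__ == "__main__":
    names = ["license_no", "birth_year", "state", "over_21"]
    for subset, k in audit_disclosures(HOLDERS, names, min_k=2).items():
        print(f"disclosing {subset} leaves an anonymity set of {k}")
```

In this sample, disclosing `over_21` alone keeps every holder in a group of at least two, while `state` together with `over_21` singles out one holder.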
Resistance to Common Attacks
BBS+ is designed to be resilient against several attack vectors:
- Forgery Attacks: Security under q-SDH prevents creation of valid signatures without the signer's secret key.
- Replay Attacks: Context-specific nonces or verifier-challenges are required in the proof protocol to bind a proof to a specific session.
- Malleability: The signature itself is not malleable, but the proof generation process must be carefully implemented to prevent proof malleability.
- Attribute Framing: The signature binds a specific message vector; an attacker cannot falsely attribute an undisclosed message to a signature without breaking the scheme.
Post-Quantum Considerations
BBS+ signatures, like most pairing-based cryptography, are not considered post-quantum secure. A sufficiently powerful quantum computer running Shor's algorithm could solve the underlying elliptic curve discrete logarithm and q-SDH problems, breaking the scheme. For long-term data that requires quantum resistance, BBS+ should be used with caution or combined with cryptographic agility plans to migrate to post-quantum secure alternatives (e.g., lattice-based schemes) in the future.
Common Misconceptions About BBS+
BBS+ is a powerful cryptographic primitive for privacy-preserving credentials, but its unique properties are often misunderstood. This section clarifies frequent points of confusion regarding its security, functionality, and practical application.
No, BBS+ is a digital signature scheme that enables zero-knowledge proofs (ZKPs) of possession, but it is not a ZKP system itself. BBS+ produces a standard signature on a set of messages. Its special property, selective disclosure, allows a prover to cryptographically derive a new, valid signature on any subset of the original signed messages without interacting with the original signer. This derived proof is what constitutes the zero-knowledge proof, demonstrating knowledge of the signature and the disclosed messages without revealing the undisclosed ones or the original signature.
- Core Distinction: BBS+ is the signing algorithm. The ZKP is a derived artifact using that signature.
- Analogy: It's like a master key (BBS+ signature) that can create single-use, limited-access keycards (ZKPs) for specific doors (message subsets).
Frequently Asked Questions (FAQ)
BBS+ (Boneh-Boyen-Shacham with a positive sign) is a cryptographic signature scheme enabling advanced privacy features like selective disclosure and multi-message signing. This FAQ addresses common technical questions about its operation and applications.
BBS+ signatures are a type of digital signature that allows a single signature to authenticate multiple messages and enables selective disclosure, where a prover can reveal only a subset of the signed messages. They work by using pairing-based cryptography on elliptic curves (typically BLS12-381). A signer with a secret key creates a signature over a commitment to a set of messages. A verifier can then check this signature, and later, a holder can generate a zero-knowledge proof to prove knowledge of the signature and the disclosed messages without revealing the signature itself or the hidden messages. This core mechanism underpins verifiable credentials and privacy-preserving authentication.
Further Reading and Technical Resources
Dive deeper into the cryptographic foundations, formal specifications, and practical implementations of BBS+ signatures.