A BBS+ signature is a short, multi-message digital signature scheme built on bilinear pairings over elliptic curves. Unlike standard signatures that require full message disclosure for verification, BBS+ allows a holder to derive a zero-knowledge proof that reveals only a subset of signed attributes. The verifier confirms the signature's validity and the disclosed attributes' authenticity without learning the hidden data, making it foundational for privacy-preserving verifiable credentials.
Glossary
BBS+ Signature

What is BBS+ Signature?
A BBS+ signature is a pairing-based digital signature scheme that supports selective disclosure, enabling a prover to reveal only specific attributes from a signed credential while maintaining cryptographic integrity and unlinkability.
The scheme's core innovation is its ability to generate unlinkable proofs—each presentation of the same credential produces a cryptographically distinct proof, preventing correlation across different verifiers. BBS+ signatures are standardized by the W3C and IETF for use with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), enabling selective disclosure of claims such as age verification without revealing birthdate, or proof of accreditation without exposing the issuing institution's full signature chain.
Key Features of BBS+ Signatures
BBS+ is a pairing-based digital signature scheme that enables a prover to reveal only specific attributes from a signed credential while maintaining cryptographic integrity and zero-knowledge properties.
Selective Disclosure
The defining capability of BBS+ signatures. A holder of a signed credential can derive a proof that reveals only a subset of attributes while hiding the rest. For example, from a digital driver's license, a prover can disclose only age >= 21 without revealing their name, address, or exact birthdate. The verifier receives cryptographic assurance that the revealed attributes were part of the original signed credential without ever seeing the hidden fields.
Multi-Message Signing
BBS+ signs a vector of messages (attributes) simultaneously within a single, compact signature. This is fundamentally different from signing each attribute individually. The scheme produces a signature of constant size regardless of the number of messages signed, making it highly efficient for credentials with many claims. A single BBS+ signature can cover dozens of attributes—name, address, credentials, permissions—while remaining only a few hundred bytes.
Unlinkable Proof Presentations
Each derived proof is cryptographically unlinkable to other proofs from the same credential. Even if a verifier colludes with the original issuer, they cannot correlate two separate presentations. This prevents tracking and surveillance. A user can prove their professional certification to multiple employers, and none can determine it is the same credential being presented, preserving privacy across sessions.
Zero-Knowledge Predicate Proofs
BBS+ supports proofs about attributes without revealing the attributes themselves. A prover can demonstrate predicates such as:
age > 18(range proof)expiry_date > today(comparison)country_of_origin NOT IN sanctioned_list(set membership) The verifier learns only the truth of the predicate, not the underlying value. This is achieved through efficient zero-knowledge proof techniques integrated into the signature scheme.
Constant-Size Proofs
A BBS+ proof is constant in size regardless of the number of revealed attributes. Whether disclosing 1 attribute or 50, the proof remains approximately the same length—typically a few hundred bytes. This is a significant advantage over schemes where proof size grows linearly with the number of disclosed attributes, making BBS+ ideal for bandwidth-constrained environments like mobile devices and IoT.
Pairing-Based Cryptography Foundation
BBS+ is built on bilinear pairings over elliptic curves, specifically the BLS12-381 curve. The security relies on the q-Strong Diffie-Hellman assumption. This mathematical foundation enables the scheme's unique combination of properties: multi-message signing, selective disclosure, and unlinkable proofs. The BLS12-381 curve provides approximately 128-bit security and is widely adopted in standards including W3C Verifiable Credentials and IETF drafts.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Explore the core concepts behind BBS+ signatures, a pairing-based cryptographic scheme enabling selective disclosure of signed attributes without compromising the underlying signature's integrity.
A BBS+ signature is a short, pairing-based digital signature scheme that supports selective disclosure, allowing a prover to reveal only specific attributes from a signed credential while maintaining cryptographic integrity. It operates over bilinear groups (pairing-friendly elliptic curves like BLS12-381), where a signer issues a signature on a vector of messages (attributes). The holder can then derive a zero-knowledge proof-of-knowledge of the signature, revealing only a subset of the signed messages. The verifier checks the proof against the signer's public key and the disclosed attributes, cryptographically confirming that the unrevealed attributes were validly signed without ever seeing them. This mechanism relies on the hardness of the q-Strong Diffie-Hellman assumption and the Discrete Logarithm problem in the group.
Related Terms
BBS+ signatures are a core primitive within a broader landscape of privacy-enhancing and integrity-verification technologies. These related concepts are essential for understanding how selective disclosure fits into complete enterprise governance architectures.
Zero-Knowledge Proof (ZKP)
A cryptographic method where a prover demonstrates knowledge of a secret without revealing the secret itself. BBS+ signatures are a specific type of ZKP-friendly signature scheme.
- Proof of knowledge: The verifier learns nothing beyond the validity of the disclosed attributes
- Unlinkability: Multiple presentations of the same credential cannot be correlated
- BBS+ proofs are significantly shorter and faster to verify than general-purpose ZK-SNARKs for credential use cases
Pairing-Based Cryptography
The mathematical foundation enabling BBS+ signatures, built on bilinear pairings over elliptic curves. The BLS12-381 curve is the standard choice.
- A pairing operation
e(aP, bQ) = e(P, Q)^(ab)enables signature aggregation and proof generation - BBS+ security relies on the q-Strong Diffie-Hellman assumption
- Pairing-based constructions allow a single multi-message signature to be split into proofs about individual messages
Non-Repudiation Token
Cryptographic evidence preventing an entity from denying its involvement in an action. In AI governance, a BBS+ signature on an audit entry serves as a non-repudiation token.
- An auditor can selectively disclose which model version and inference timestamp were signed without revealing proprietary input data
- The signature binds the signer's identity to the specific audit event
- Enables privacy-preserving accountability in regulated AI decision logs
Model Inference Hash
A cryptographic fingerprint generated from the inputs, outputs, and version of an AI model during inference. BBS+ signatures can sign these hashes to create verifiable, selectively disclosable audit records.
- A signed inference hash proves a specific model produced a specific output at a specific time
- Selective disclosure allows revealing the model version while keeping the input data confidential
- Creates an immutable chain of custody for AI decisions without exposing sensitive business logic

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us