BBS+ Signatures are a pairing-based, multi-message digital signature scheme that supports selective disclosure and zero-knowledge proofs. The scheme allows a signer to issue a single signature over a vector of messages. The holder can then derive a proof of knowledge of the signature that reveals only a subset of the signed messages while cryptographically hiding the rest, without any interaction with the original issuer.
Glossary
BBS+ Signatures

What is BBS+ Signatures?
A pairing-based, multi-message digital signature scheme enabling a holder to derive zero-knowledge proofs that selectively reveal or hide specific signed attributes without invalidating the original cryptographic signature.
The protocol relies on bilinear pairings over elliptic curves, specifically the BLS12-381 curve, to achieve short signatures and efficient proof generation. Unlike Camenisch-Lysyanskaya (CL) signatures, BBS+ proofs are unlinkable, meaning a verifier cannot correlate multiple presentations from the same credential. This makes BBS+ foundational for privacy-preserving Verifiable Credentials and W3C standards where minimal disclosure is a core requirement.
Key Features of BBS+ Signatures
BBS+ signatures extend standard digital signatures with advanced privacy-preserving features essential for modern decentralized identity and verifiable credential systems.
Multi-Message Signing
A BBS+ signature is computed over a vector of distinct messages rather than a single payload. This allows an issuer to sign multiple attributes—such as name, age, and nationality—simultaneously within a single cryptographic signature.
- Efficiency: One signature secures an entire credential's attribute set
- Schema Binding: Each message position corresponds to a specific schema-defined claim
- Proof Generation: The holder can later prove knowledge of any subset of these signed messages without revealing the others
Selective Disclosure
The holder of a BBS+ signature can derive a zero-knowledge proof that reveals only a chosen subset of the signed messages while cryptographically hiding the rest. A verifier receives exactly the information they need and nothing more.
- Minimal Data Exposure: Prove age over 21 without revealing birth date
- Unlinkability: Different disclosures from the same credential cannot be correlated
- Predicate Proofs: Support for range proofs and logical conditions on hidden attributes
Zero-Knowledge Proof Generation
BBS+ enables the creation of succinct proofs of knowledge of a valid signature without revealing the signature itself or the undisclosed messages. The proof convinces a verifier that the holder possesses a validly issued credential satisfying specific conditions.
- Signature Blinding: The original signature value is never exposed to verifiers
- Proof Non-Interactivity: Proofs are generated without verifier interaction using the Fiat-Shamir heuristic
- Succinctness: Proof size remains compact regardless of the number of hidden attributes
Pairing-Based Cryptography
BBS+ signatures are constructed using bilinear pairings over elliptic curves, specifically the BLS12-381 curve. This mathematical foundation enables the signature scheme's unique combination of multi-message signing and zero-knowledge proof capabilities.
- Bilinear Maps: The pairing function e: G1 × G2 → GT enables signature verification across groups
- BLS12-381: The standardized pairing-friendly curve providing 128-bit security
- Type 3 Pairings: Asymmetric pairings used for efficient implementation without loss of security
Unlinkable Presentations
Each proof derived from a BBS+ signature is cryptographically randomized, ensuring that multiple presentations of the same credential cannot be linked together by a verifier or colluding parties. This prevents tracking and correlation across different interactions.
- Randomized Proofs: Every generated proof is statistically unique
- Domain Separation: Proofs can be bound to specific verifier domains to prevent cross-context replay
- Privacy by Default: Unlinkability is an inherent property, not an optional feature
Proof of Possession
BBS+ proofs bind the derived zero-knowledge proof to a specific presentation request and the holder's private key. This prevents replay attacks and ensures the presenter is the legitimate holder of the credential, not someone who obtained a copy of the proof.
- Holder Binding: The proof commits to the holder's secret key
- Non-Malleability: Proofs cannot be altered or repurposed for different contexts
- Challenge-Response Integration: Compatible with verifier-issued nonces for freshness guarantees
Frequently Asked Questions
Clear, technical answers to the most common questions about BBS+ signatures, selective disclosure, and zero-knowledge proof generation for verifiable credentials.
A BBS+ signature is a pairing-based, multi-message digital signature scheme that enables a signer to sign multiple messages at once, while allowing the holder to derive zero-knowledge proofs that selectively disclose only a subset of those signed messages. The scheme operates over bilinear groups using elliptic curve pairings, specifically the BLS12-381 curve. During signing, the issuer commits to a set of attributes—such as name, age, and nationality—producing a single compact signature. The holder can later generate a proof of knowledge of a signature that reveals only the attributes they choose, while cryptographically hiding the rest. The verifier checks this proof against the issuer's public key and the disclosed attributes, confirming authenticity without learning anything about the hidden data. This mechanism is foundational to privacy-preserving verifiable credentials and anonymous credentials systems like AnonCreds.
BBS+ Signatures vs. Other Signature Schemes
A technical comparison of BBS+ signatures against standard ECDSA and CL-Signatures across key privacy and efficiency dimensions relevant to selective disclosure and zero-knowledge proofs.
| Feature | BBS+ Signatures | ECDSA (secp256k1) | CL-Signatures |
|---|---|---|---|
Selective Disclosure Support | |||
Zero-Knowledge Proof Generation | |||
Multi-Message Signing | |||
Unlinkable Presentations | |||
Proof of Possession Only | |||
Signature Size (Bytes) | 112 | 64 | ~200-400 |
Proof Size (Bytes) | ~368 | N/A | ~300-500 |
Pairing-Based Cryptography |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
BBS+ signatures are a foundational primitive within the broader decentralized identity stack. Understanding these adjacent concepts is critical for architects implementing privacy-preserving selective disclosure.
Selective Disclosure
The core capability unlocked by BBS+ signatures. A holder can derive a proof that reveals only a subset of the signed attributes from the original credential. For example, proving you are over 21 without revealing your exact birthdate, or proving you are a licensed driver without exposing your license number. This minimizes data leakage and enhances privacy during verification.
Zero-Knowledge Proof (ZKP)
BBS+ signatures enable non-interactive zero-knowledge proofs (NIZK). The derived proof reveals nothing beyond the validity of the disclosed attributes and the issuer's signature. The verifier learns:
- The disclosed attributes are authentic.
- The credential was signed by a trusted issuer. The verifier learns nothing else about the hidden attributes, not even their values.
Verifiable Credential (VC)
BBS+ is a W3C-recommended signature scheme for securing Verifiable Credentials. Unlike simple JWT-based credentials, a BBS+-signed VC supports unlinkable presentations. Each derived proof is cryptographically unique and cannot be correlated back to the original credential or to other presentations, preventing issuer or verifier collusion tracking.
AnonCreds (Anonymous Credentials)
The predecessor to BBS+ in the Hyperledger ecosystem, AnonCreds uses Camenisch-Lysyanskaya (CL) signatures. BBS+ offers a modern, more efficient alternative with smaller key sizes and faster proof generation. Both support selective disclosure, but BBS+ is standardized by the IETF and W3C, ensuring broader interoperability across different ledger and non-ledger based systems.
Decentralized Identifier (DID)
BBS+ signatures are often used in conjunction with DIDs. The issuer's DID is embedded in the credential, and the holder's DID is bound to the credential subject. During a verifiable presentation, the holder proves control of their private key associated with their DID, binding the BBS+ proof to a specific, cryptographically authenticated entity without revealing the DID itself if unlinkability is required.
Revocation Registry
A critical infrastructure component for real-world BBS+ deployments. Since proofs are unlinkable, traditional certificate revocation lists (CRLs) do not work. BBS+ supports privacy-preserving revocation using accumulators. A holder can prove their credential has not been revoked in zero-knowledge by generating a proof of non-revocation alongside the selective disclosure proof, without revealing which specific credential they hold.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us