Inferensys

Glossary

BBS+ Signatures

A pairing-based, multi-message digital signature scheme supporting selective disclosure and zero-knowledge proofs, enabling a holder to derive proofs that hide specific signed attributes.
Knowledge engineer constructing knowledge base on laptop, document hierarchy visible, casual office setup.
SELECTIVE DISCLOSURE CRYPTOGRAPHY

What is BBS+ Signatures?

A pairing-based, multi-message digital signature scheme enabling a holder to derive zero-knowledge proofs that selectively reveal or hide specific signed attributes without invalidating the original cryptographic signature.

BBS+ Signatures are a pairing-based, multi-message digital signature scheme that supports selective disclosure and zero-knowledge proofs. The scheme allows a signer to issue a single signature over a vector of messages. The holder can then derive a proof of knowledge of the signature that reveals only a subset of the signed messages while cryptographically hiding the rest, without any interaction with the original issuer.

The protocol relies on bilinear pairings over elliptic curves, specifically the BLS12-381 curve, to achieve short signatures and efficient proof generation. Unlike Camenisch-Lysyanskaya (CL) signatures, BBS+ proofs are unlinkable, meaning a verifier cannot correlate multiple presentations from the same credential. This makes BBS+ foundational for privacy-preserving Verifiable Credentials and W3C standards where minimal disclosure is a core requirement.

CRYPTOGRAPHIC CAPABILITIES

Key Features of BBS+ Signatures

BBS+ signatures extend standard digital signatures with advanced privacy-preserving features essential for modern decentralized identity and verifiable credential systems.

01

Multi-Message Signing

A BBS+ signature is computed over a vector of distinct messages rather than a single payload. This allows an issuer to sign multiple attributes—such as name, age, and nationality—simultaneously within a single cryptographic signature.

  • Efficiency: One signature secures an entire credential's attribute set
  • Schema Binding: Each message position corresponds to a specific schema-defined claim
  • Proof Generation: The holder can later prove knowledge of any subset of these signed messages without revealing the others
02

Selective Disclosure

The holder of a BBS+ signature can derive a zero-knowledge proof that reveals only a chosen subset of the signed messages while cryptographically hiding the rest. A verifier receives exactly the information they need and nothing more.

  • Minimal Data Exposure: Prove age over 21 without revealing birth date
  • Unlinkability: Different disclosures from the same credential cannot be correlated
  • Predicate Proofs: Support for range proofs and logical conditions on hidden attributes
03

Zero-Knowledge Proof Generation

BBS+ enables the creation of succinct proofs of knowledge of a valid signature without revealing the signature itself or the undisclosed messages. The proof convinces a verifier that the holder possesses a validly issued credential satisfying specific conditions.

  • Signature Blinding: The original signature value is never exposed to verifiers
  • Proof Non-Interactivity: Proofs are generated without verifier interaction using the Fiat-Shamir heuristic
  • Succinctness: Proof size remains compact regardless of the number of hidden attributes
04

Pairing-Based Cryptography

BBS+ signatures are constructed using bilinear pairings over elliptic curves, specifically the BLS12-381 curve. This mathematical foundation enables the signature scheme's unique combination of multi-message signing and zero-knowledge proof capabilities.

  • Bilinear Maps: The pairing function e: G1 × G2 → GT enables signature verification across groups
  • BLS12-381: The standardized pairing-friendly curve providing 128-bit security
  • Type 3 Pairings: Asymmetric pairings used for efficient implementation without loss of security
05

Unlinkable Presentations

Each proof derived from a BBS+ signature is cryptographically randomized, ensuring that multiple presentations of the same credential cannot be linked together by a verifier or colluding parties. This prevents tracking and correlation across different interactions.

  • Randomized Proofs: Every generated proof is statistically unique
  • Domain Separation: Proofs can be bound to specific verifier domains to prevent cross-context replay
  • Privacy by Default: Unlinkability is an inherent property, not an optional feature
06

Proof of Possession

BBS+ proofs bind the derived zero-knowledge proof to a specific presentation request and the holder's private key. This prevents replay attacks and ensures the presenter is the legitimate holder of the credential, not someone who obtained a copy of the proof.

  • Holder Binding: The proof commits to the holder's secret key
  • Non-Malleability: Proofs cannot be altered or repurposed for different contexts
  • Challenge-Response Integration: Compatible with verifier-issued nonces for freshness guarantees
BBS+ SIGNATURES EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about BBS+ signatures, selective disclosure, and zero-knowledge proof generation for verifiable credentials.

A BBS+ signature is a pairing-based, multi-message digital signature scheme that enables a signer to sign multiple messages at once, while allowing the holder to derive zero-knowledge proofs that selectively disclose only a subset of those signed messages. The scheme operates over bilinear groups using elliptic curve pairings, specifically the BLS12-381 curve. During signing, the issuer commits to a set of attributes—such as name, age, and nationality—producing a single compact signature. The holder can later generate a proof of knowledge of a signature that reveals only the attributes they choose, while cryptographically hiding the rest. The verifier checks this proof against the issuer's public key and the disclosed attributes, confirming authenticity without learning anything about the hidden data. This mechanism is foundational to privacy-preserving verifiable credentials and anonymous credentials systems like AnonCreds.

CRYPTOGRAPHIC COMPARISON

BBS+ Signatures vs. Other Signature Schemes

A technical comparison of BBS+ signatures against standard ECDSA and CL-Signatures across key privacy and efficiency dimensions relevant to selective disclosure and zero-knowledge proofs.

FeatureBBS+ SignaturesECDSA (secp256k1)CL-Signatures

Selective Disclosure Support

Zero-Knowledge Proof Generation

Multi-Message Signing

Unlinkable Presentations

Proof of Possession Only

Signature Size (Bytes)

112

64

~200-400

Proof Size (Bytes)

~368

N/A

~300-500

Pairing-Based Cryptography

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.