BBS+ Signature

BBS+ is a multi-message signature scheme prized in decentralized identity because it delivers three strong privacy properties at once: selective disclosure, zero-knowledge proof of knowledge, and unlinkability. An issuer signs an ordered array of messages — the individual claims of a credential — with a single constant-size signature. The holder can then derive a fresh proof that reveals only a chosen sub-array of those messages while keeping the rest hidden.

How the privacy works

BBS proofs are zero-knowledge proofs of knowledge of a BBS signature. The holder proves to a verifier that they possess a valid issuer signature over the credential without ever showing the signature itself. Because a new, randomized proof is generated for each presentation, two showings of the same credential are not correlatable by the signature — the unlinkability property that salted-hash schemes like SD-JWT lack. The IETF CFRG is standardizing the BBS signature scheme, and the W3C has published a Data Integrity BBS cryptosuite for use with credentials.

Why sovereign users should care

Unlinkability is to identity what address rotation is to Bitcoin: it denies observers a persistent correlation handle. A credential signed with BBS+ can be presented to a hundred verifiers, each time revealing a different minimal slice, and none can collude to rebuild a single tracking profile from the cryptography alone. The cost is heavier math and pairing-based curves rather than plain hashing, so verifier tooling is more specialized.

BBS+ is the cryptographic backbone of the most privacy-preserving forms of selective disclosure and is also being adopted as a signature option inside AnonCreds v2.