BBS Signatures - a building block for privacy-by-design

In this article, we'll explore how this implementation empowers us to combat unwanted user tracking and further solidify our privacy-by-design ethos. We will cover:

• The role of the BBS cryptographic scheme.
• Why we think it is a building block for secure and consent-driven digital interactions.
• Practical applications of the BBS cryptographic scheme.
• What the future may bring in this evolving space.

What is the BBS cryptographic scheme?

Privacy-focused, consent driven digital ecosystems leverage a range of different technologies to achieve high assurance outcomes. Over the last several years, MATTR has been innovating the BBS cryptographic scheme to provide new advanced privacy options for the future.

Cryptography (aka “fancy maths”) uses algorithms that enable us to establish and scale trust in digital interactions. BBS is a cryptographic signature scheme that is used to provide integrity and verifiable authorship in various protocols. It is named for its academic originators Dan Boneh, Xavier Boyen, and Hovav Shacham.

Over the last few years, a definition of the BBS scheme based on its academic origins has been peer-reviewed, improved and evolved in a collaborative environment at the Decentralized Identity Foundation (DIF) and, more recently, the Internet Engineering Task Force (IETF). It’s an underlying cryptographic primitive capable of supporting many different kinds of applications. Members of the MATTR team have participated in leading out working groups at DIF and IETF to help research and develop this cryptographic scheme that we believe is a pioneer in the field. As of today, we have implemented a recent draft of the BBS spec across our entire suite of MATTR product offerings as well as open sourced our pairing crypto library for all to use.

Read on to learn more about the unique properties that support privacy preserving data sharing.

What makes the BBS signature scheme different in the world of cryptographic digital signatures?

Much like other cryptographic digital signature schemes, BBS can be used to verify the integrity and authenticity of information back to an issuer or signer. However, what makes the scheme different to most other (conventional) signature schemes are the additional properties it provides: selective disclosure, unlinkable proofs and proof of possession.

Selective disclosure

The BBS scheme allows multiple messages to be independently signed while producing a single output signature. As an example, a digital identity card could include a name, birthdate and address as individual pieces of verifiable data within a single proof. Selective disclosure allows the holder of that information to reveal only some of this data, depending on what the verifying party requires. When applying for a library card, for example, an individual could consent for their wallet to create a signed presentation which reveals only their name and address as verified information, while occluding their birthdate.

Unlinkable proofs

Generally speaking, the proofs generated by the BBS signature scheme belong to a class of technologies known as Zero Knowledge Proofs or ZKPs. In particular, BBS enables what’s known as unlinkable proofs where a holder can generate unique proofs from the same issued signature while preventing the possibility of being correlated based on the cryptographic information in the proof. This is enabled as the holder generates a unique proof from a single issued signature for every verification request.

Many existing (conventional) signature schemes cannot achieve this functionality, opting instead to protect against this form of correlation by mandating that the holder can only ever use a token/credential once with a relying party or verifier. This means that the holder must get new tokens/credentials from the issuer for every presentation, which creates trade-offs around data leakage and holder tracking by the issuer, among others.

Proof of possession

Proofs generated under the BBS signature scheme prove to a verifying party that the holder was in possession of a valid signature when they generated the proof. This is referred to as proof of possession. If the verifier supplies a nonce to the prover prior to generating the proof, they can include this in the presentation header, which gives the verifier the ability to determine freshness of a proof or detect a replay attack.

Conventional signature schemes typically either 1) don’t have this property or 2) achieve it through an additional layer using a second signature. For example, OAuth2 bearer-based access tokens, which use signature schemes like ECDSA, have no built-in proof of possession – making them highly vulnerable to several forms of token theft. To mitigate this, additional layers like decentralized proof of possession (DPoP) can be used but are much more complex for application developers to implement robustly. With BBS, proof of possession comes inherent in the scheme, keeping the complexity away from the application layer.

Some readers familiar with cryptographic schemes might be thinking “there are multiple ways to do selective disclosure” or “proof of possession can be solved in different ways” - which are both true. However, schemes that achieve all three properties described above, in a performant manner, are exceedingly rare – that is precisely what makes BBS different.

Applications for BBS and future considerations

We’re excited about the future of this technology and continue to be involved in a variety of efforts to support additional applications of BBS that are aiming to solve various privacy and data challenges. We’re seeing these applications show up across areas such as identity, authentication, web browsing and more.

We first introduced BBS to our MATTR VII platform in May 2020. At the time, we were interested in developing a standards-based approach to using Verifiable Credentials with BBS. We pioneered a method that leveraged the “Linked Data Proofs” credential format in a simple and extensible way. This approach offered -- for the very first time -- a way to accomplish selective disclosure with verifiable credentials that:

• Leveraged existing standards and data schemas.
• Was highly performant and efficient.
• Didn’t require any special setup or external dependencies.

Since then, we have seen increasing interest in securing Verifiable Credentials with a different proof format layer, namely one based on the JOSE technology stack (JSON & JWTs). In fact, when we first introduced our approach in 2020, we conceptualized this very thing occurring.

“What we have done is create an approach which combines Linked Data Proofs with BBS+ signatures. This solution is defined in a new specification as well as a new cryptographic signature suite... We can also envision a similar specification and cryptographic suite that would combine JWT/JWS with BBS+ signatures.”

-- A solution for privacy-perserving verifiable credentials (May 2020) --

In particular, we’re seeing strong promise in terms of how the BBS scheme can be applied with new emerging approaches such as JSON Web Proofs. We’re excited about this method’s potential for flexibility and power. We feel like it lies in that sweet spot between preventing correlation when disclosing information to multiple verifiers and the reliability and consistency needed for selective disclosure proofs to scale to different kinds of data and relying parties.

We believe the combination of these technologies (BBS and JWP) can once again move the needle in terms of what's possible in the market today, balancing trade-offs and providing a selective disclosure mechanism that truly is scalable, interoperable and based on common standards. Others are also recognising the potential and value of this approach, as evidenced by the recent report eIDAS 2.0 and Privacy, Official Response from GSMA Europe (June 2023).

Improvements to BBS and updated crypto suites in MATTR products

We’ve been hard at work in the global standards community, contributing to efforts to advance the BBS cryptographic scheme and engaging with experts and researchers. We’re proud of the work that’s happened since 2020 to bring the state-of-the-art forward in terms of security, efficiency and much more.

Our involvement has largely centred on the underlying cryptographic layer, focusing on new design goals and key security properties for BBS which we have nurtured and developed in collaboration with global experts and implementors. These kinds of initiatives are the boring but critical work of hardening and reviewing cryptographic algorithms that makes them usable to begin with. These improvements not only enhance the security and efficiency of the BBS scheme but also enable new kinds of applications and build confidence and resilience to the approach.

Since our original announcement we’ve also invested in a ground up re-build of our implementation of the BBS signature scheme, which we are excited to announce we are making open source. The implementation is written in RUST, making it highly performant. We have also built a variety of language wrappers to facilitate easy adoption of the technology in different languages including Java, Obj-C, C and popular Javascript/Typescript environments such as react native and web through WASM support. These are all available in our new open source library.

On the product side of things, we now support the updated BBS cryptographic scheme across all MATTR products, transitioning from the previous draft to a recent IETF draft.

Towards true privacy by design

The technology to enable privacy-enhancing solutions for users will undoubtedly continue to evolve and we believe that cryptographic schemes like BBS will provide an important building block for today’s solutions and those still to emerge.

MATTR is unwavering in its dedication to staying at the forefront of evolving standards and serving as your reliable partner in crafting verifiable data ecosystems with a steadfast focus on privacy. Reach out to us today to initiate a conversation about how we can empower your solution.