The name BBS comes from Boneh, Boneh and Shacham, the authors of the original 2004 group-signature scheme it descends from. The modern form is a signature over a list of messages rather than a single blob, and it is being standardized through the IETF and the W3C for use in verifiable credentials. What makes it interesting is not the signing itself, but what the holder of the signature can do afterward without going back to the issuer.
The Problem With Signing a Whole Document
A normal digital signature covers one message. If your ID is a single signed object, you cannot show part of it: the signature only verifies against the complete, unmodified document. Redact one field and the signature breaks. So selective disclosure with ordinary signatures forces a workaround, and the common one has real downsides.
The salted-hash approach, used by schemes like SD-JWT, signs a list of hashed, salted attributes. To reveal a field you disclose its salt and value; to hide one you withhold them. This genuinely works and is simpler to deploy, but it has a property worth noticing: every time you present the credential, the verifier sees the same issuer signature. Two presentations to two different verifiers carry the same signature value, so those verifiers can collude and link your visits. The disclosure is selective, but the credential is still a tracking beacon.
Selective disclosure means showing only the fields you choose. Unlinkability means two showings of the same credential cannot be tied together. Salted-hash schemes give you the first. BBS is built to give you both.
How BBS Achieves Unlinkable Disclosure
BBS signs a vector of messages at once, producing a single compact signature. The clever part is the presentation step. Instead of handing the verifier the issuer's signature directly, the holder generates a zero-knowledge proof that says, in effect: "I possess a valid issuer signature over a set of messages, here are the specific messages I choose to reveal, and I am proving the hidden ones exist and are covered by that signature without showing them."
Crucially, that proof is freshly randomized every single time. The issuer's actual signature never leaves the holder's device. Each presentation looks like an independent, unrelated proof, so two verifiers comparing notes find nothing in common to link. This rests on pairing-based cryptography over elliptic curves, the same family of math behind some advanced signature schemes, which is what lets the holder re-randomize while keeping the proof verifiable against the issuer's public key.
With a normal signature, showing your credential twice creates a link. With BBS, each showing is a fresh proof that the credential exists, carrying no fingerprint the verifier can save.
Predicate Proofs: Proving Without Revealing
Selective disclosure still reveals whole fields. The next step is proving a statement about a field without revealing the field at all. This is where BBS combines with range proofs and other zero-knowledge gadgets. Instead of disclosing your date of birth, you prove the predicate "this birthdate implies an age of at least 21." The verifier learns one bit, true or false, and nothing else. Not your birthday, not your age, just that you clear the bar.
This is the property that makes anonymous credentials genuinely privacy-preserving rather than merely tidy. A bouncer who scans a normal ID learns your name, address, and exact age to confirm one thing. A predicate proof reveals only the answer to the question actually being asked. It is the cryptographic form of the principle behind data minimization: collect and reveal the least information that accomplishes the task.
BBS Versus the Alternatives
| Approach | Selective disclosure | Unlinkable presentations |
|---|---|---|
| Plain signature (whole doc) | No | No |
| SD-JWT (salted hashes) | Yes | No (same signature each time) |
| BBS signatures | Yes | Yes (re-randomized proofs) |
BBS is not free. It is more complex to implement correctly, relies on pairing-friendly curves that are less universally supported than the curves behind everyday signatures, and the proof generation is heavier than computing a hash. There is also an honest open question around post-quantum security: pairing-based schemes like BBS are not quantum-resistant, and the post-quantum replacements for anonymous credentials are still maturing. For credentials meant to last decades, that matters.
Where You Will Meet It
BBS is moving from research into deployment in the digital-identity world. It is a candidate signature suite for W3C Verifiable Credentials and is being looked at for digital ID wallets, including some of the mobile driver's license and EU digital identity efforts. The appeal for regulators and privacy advocates alike is that it can satisfy a verification requirement while structurally preventing the verifier from building a profile, which is exactly the property that decides whether a national ID wallet becomes a convenience or a surveillance system.
The broader lesson reaches past credentials. The pattern BBS embodies, prove the minimum and reveal nothing reusable, is the same instinct that should govern any system handling sensitive data. The strongest privacy designs are the ones that make over-collection cryptographically impossible rather than merely against policy. Whether the question is "are you over 21," "do you hold a valid subscription," or "are you a member of this group," the right answer is a proof that says yes and leaves no trail. For more on the building block underneath, our explainer on zero-knowledge proofs covers the core idea that makes all of this possible.