4 releases (2 breaking)

0.4.1 Jul 7, 2020
0.4.0 May 18, 2020
0.3.0 Apr 29, 2020
0.2.0 Apr 20, 2020

#142 in Magic Beans

Download history 713/week @ 2021-02-23 703/week @ 2021-03-02 526/week @ 2021-03-09 428/week @ 2021-03-16 796/week @ 2021-03-23 1084/week @ 2021-03-30 818/week @ 2021-04-06 111/week @ 2021-04-13 46/week @ 2021-04-20 40/week @ 2021-04-27 226/week @ 2021-05-04 249/week @ 2021-05-11 948/week @ 2021-05-18 278/week @ 2021-05-25 162/week @ 2021-06-01 307/week @ 2021-06-08

2,116 downloads per month
Used in 3 crates (2 directly)


3.5K SLoC

Short group signatures by Boneh, Boyen, and Shachum and later improved in ASM as BBS+ and touched on again in section 4.3 in CDL.

This crate implements the BBS+ signature scheme which allows for signing many committed messages.

BBS+ signatures can be created in typical cryptographic fashion where the signer and signature holder are the same party or where they are two distinct parties. BBS+ signatures can also be used to generate signature proofs of knowledge and selective disclosure zero-knowledge proofs. To start, all that is needed is to add this to your Cargo.toml.

bbs = "0.4"

Add in the main section of code to get all the traits, structs, and functions needed.

use bbs::prelude::*;


BBS+ supports two types of public keys. One that is created as described in the paper where the message specific generators are randomly generated and a deterministic version that looks like a BLS public key and whose message specific generators are computed using IETF's Hash to Curve algorithm which is also constant time combined with known inputs.

generate(message_count: usize) - returns a keypair used for creating BBS+ signatures

PublicKey - w ⟵ 𝔾2, h0, (h1, ... , hL) ⟵ 𝔾1L

DeterministicPublicKey - w ⟵ 𝔾2. This can be converted to a public key by calling the to_public_key method.

There is a convenience class Issuer that can be used for this as well.

let (pk, sk) = Issuer::new_keys(5).unwrap();


let (dpk, sk) = Issuer::new_short_keys(None);
let pk = dpk.to_public_key(5).unwrap();


Signing can be done where the signer knows all the messages or where the signature recipient commits to some messages beforehand and the signer completes the signature with the remaining messages.

To create a signature:

let (pk, sk) = Issuer::new_keys(5).unwrap();
let messages = vec![
    SignatureMessage::hash(b"message 1"),
    SignatureMessage::hash(b"message 2"),
    SignatureMessage::hash(b"message 3"),
    SignatureMessage::hash(b"message 4"),
    SignatureMessage::hash(b"message 5"),

let signature = Signature::new(messages.as_slice(), &sk, &pk).unwrap();

assert!(signature.verify(messages.as_slice(), &pk).unwrap());


// Generated by the issuer
let (pk, sk) = Issuer::new_keys(5).unwrap();

// Done by the signature recipient

let message = SignatureMessage::hash(b"message_0");

let signature_blinding = Signature::generate_blinding();

let commitment = &pk.h[0] * &message + &pk.h0 * &signature_blinding;

// Completed by the signer
// `commitment` is received from the recipient
let messages = sm_map![
    1 => b"message_1",
    2 => b"message_2",
    3 => b"message_3",
    4 => b"message_4"

let blind_signature = BlindSignature::new(&commitment, &messages, &sk, &pk).unwrap();

// Completed by the recipient
// receives `blind_signature` from signer
// Recipient knows all `messages` that are signed

let signature = blind_signature.to_unblinded(&signature_blinding);

let mut msgs = messages
    .map(|(_, m)| m.clone())
msgs.insert(0, message.clone());

let res = signature.verify(msgs.as_slice(), &pk);

This by itself is considered insecure without the signer completing a proof of knowledge of committed messages generated by the recipient and sent with the commitment. It is IMPORTANT that the signature issuer complete this step. For simplicity, the Issuer and Prover structs can be used as follows to handle this.

let (pk, sk) = Issuer::new_keys(5).unwrap();
let signing_nonce = Issuer::generate_signing_nonce();

// Send `signing_nonce` to holder

// Recipient wants to hide a message in each signature to be able to link
// them together
let link_secret = Prover::new_link_secret();
let mut messages = BTreeMap::new();
messages.insert(0, link_secret.clone());
let (ctx, signature_blinding) =
    Prover::new_blind_signature_context(&pk, &messages, &signing_nonce).unwrap();

// Send `ctx` to signer
let messages = sm_map![
    1 => b"message_1",
    2 => b"message_2",
    3 => b"message_3",
    4 => b"message_4"

// Will fail if `ctx` is invalid
let blind_signature = Issuer::blind_sign(&ctx, &messages, &sk, &pk, &signing_nonce).unwrap();

// Send `blind_signature` to recipient
// Recipient knows all `messages` that are signed
let mut msgs = messages
    .map(|(_, m)| m.clone())
msgs.insert(0, link_secret.clone());

let res =
    Prover::complete_signature(&pk, msgs.as_slice(), &blind_signature, &signature_blinding);


Verifiers ask a Prover to reveal some number of signed messages (from zero to all of them), while and the remaining messages are hidden. If the Prover agrees, she completes a signature proof of knowledge and proof of committed values. These messages could be combined in other zero-knowledge proofs like zkSNARKs or Bulletproofs like bound checks or set memberships. If this is the case, the hidden messages will need to linked to the other proofs using a common blinding factor. This crate provides three message classifications for proofs to accommodate this flexibility.

  • ProofMessage::Revealed: message will become known to the verifier. Caveat: cryptography operates on integers and not directly on strings. Usually the hash of the string is signed. The verifier will learn the revealed hash and not the message content. The prover must send the preimage so the verifier can check if the hashes are equal after verifying the signature.
  • ProofMessage::Hidden: message is not shown to the verifier. There are two kinds of hidden messages.
    • HiddenMessage::ProofSpecificBlinding: message is hidden and not used in any other proof, the blinding is specific to this signature only.
    • HiddenMessage::ExternalBlinding: message is hidden but is also used in another proof. For example, to show two messages are the same across two signature or 'linked', the same blinding factor must be used for both proofs. This kind groups the blinding factor and the message.

To begin a zero-knowledge proof exchange, the verifier indicates which messages to be revealed and provides a nonce limit the prover's ability to cheat i.e. create a valid proof without knowing the actual messages or signature.

The Verifier must trust the signer of the credential and know the message structure i.e. what message is at index 1, 2, 3, ... etc.

let (pk, sk) = Issuer::new_keys(5).unwrap();
let messages = vec![

let signature = Signature::new(messages.as_slice(), &sk, &pk).unwrap();

let nonce = Verifier::generate_proof_nonce();
let proof_request = Verifier::new_proof_request(&[1, 3], &pk).unwrap();

// Sends `proof_request` and `nonce` to the prover
let proof_messages = vec![

let pok = Prover::commit_signature_pok(&proof_request, proof_messages.as_slice(), &signature)

// complete other zkps as desired and compute `challenge_hash`
// add bytes from other proofs

let mut challenge_bytes = Vec::new();

let challenge = ProofNonce::hash(&challenge_bytes);

let proof = Prover::generate_signature_pok(pok, &challenge).unwrap();

// Send `proof` and `challenge` to Verifier

match Verifier::verify_signature_pok(&proof_request, &proof, &nonce) {
    Ok(_) => assert!(true),   // check revealed messages
    Err(_) => assert!(false), // Why did the proof failed


~102K SLoC