#bbs #zero-knowledge-proofs #signature #schnorr-signature #proof #group #phase

no-std bbs_plus

BBS and BBS+ signatures and protocols for proof of knowledge of signature

19 breaking releases

0.20.0 May 10, 2024
0.19.0 Mar 4, 2024
0.18.0 Oct 10, 2023
0.15.0 Jun 23, 2023
0.6.0 Nov 5, 2021

#1626 in Cryptography

Download history 36/week @ 2024-02-17 31/week @ 2024-02-24 138/week @ 2024-03-02 28/week @ 2024-03-09 9/week @ 2024-03-16 18/week @ 2024-03-23 101/week @ 2024-03-30 29/week @ 2024-04-06 12/week @ 2024-04-13 6/week @ 2024-04-20 2/week @ 2024-04-27 91/week @ 2024-05-04 45/week @ 2024-05-11 11/week @ 2024-05-18 2/week @ 2024-05-25

149 downloads per month
Used in 2 crates

Apache-2.0

775KB
17K SLoC

BBS and BBS+ signatures

Implements BBS and BBS+ signatures.

BBS+ signature according to the paper: Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited. Provides

  • signature creation and verification with signature in group G1 and public key in group G2 and vice-versa.
  • proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.

BBS signature according to the paper: Revisiting BBS Signatures. Provides

  • signature creation and verification with signature in group G1 and public key in group G2.
  • proof of knowledge of signature and corresponding messages. The implemented protocols are a bit different from whats mentioned in the paper. The modifications are made in the Schnorr proof part to allow for use-cases like proving equality (in zero-knowledge) of messages among same/different signatures or proving predicates (in zero-knowledge) about messages. Check the documentation of corresponding modules for more details.

Threshold BBS and BBS+ signatures based on the paper Threshold BBS+ Signatures for Distributed Anonymous Credential Issuance The threshold signing protocol has 3 phases (not communication rounds) 1. This is the randomness generation phase 2. This is the phase where multiplications happen 3. Here the outputs of phases 1 and 2 and the messages to be signed are used to generate the signature.

Note that only 3rd phase requires the messages to be known so the first 2 phases can be treated as pre-computation and can be done proactively. Secondly since the communication time among signers is most likely to be the bottleneck in threshold signing, phase 1 and 2 support batching meaning that to generate n signatures only a single execution of phase 1 and 2 needs to done, although with larger inputs. Then n executions of phase 3 are done to generate the signature. Also its assumed that parties have done the DKG as well as the base OT and stored their results. Both BBS and BBS+ implementations share the same multiplication phase and the base OT phase but their phase 1 is slightly different.

Modules

  1. BBS and BBS+ signature parameters and key generation module - setup. The signature params for BBS are slightly different from BBS+ but public key is same.
  2. BBS+ signature module - signature
  3. BBS+ proof of knowledge of signature module - proof
  4. BBS signature module - signature_23
  5. BBS proof of knowledge of signature module - proof_23
  6. BBS proof of knowledge of signature module, alternate implementation - proof_23_cdl
  7. Threshold BBS and BBS+ signatures - threshold

The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.

License: Apache-2.0

Dependencies

~8–19MB
~220K SLoC