### 19 breaking releases

0.20.0 | May 10, 2024 |
---|---|

0.19.0 | Mar 4, 2024 |

0.18.0 | Oct 10, 2023 |

0.15.0 | Jun 23, 2023 |

0.6.0 | Nov 5, 2021 |

#**1626** in Cryptography

**149** downloads per month

Used in **2** crates

**Apache-2.0**

775KB

17K
SLoC

# BBS and BBS+ signatures

Implements BBS and BBS+ signatures.

BBS+ signature according to the paper: Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited. Provides

- signature creation and verification with signature in group G1 and public key in group G2 and vice-versa.
- proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.

BBS signature according to the paper: Revisiting BBS Signatures. Provides

- signature creation and verification with signature in group G1 and public key in group G2.
- proof of knowledge of signature and corresponding messages. The implemented protocols are a bit different from whats mentioned in the paper. The modifications are made in the Schnorr proof part to allow for use-cases like proving equality (in zero-knowledge) of messages among same/different signatures or proving predicates (in zero-knowledge) about messages. Check the documentation of corresponding modules for more details.

Threshold BBS and BBS+ signatures based on the paper Threshold BBS+ Signatures for Distributed Anonymous Credential Issuance The threshold signing protocol has 3 phases (not communication rounds) 1. This is the randomness generation phase 2. This is the phase where multiplications happen 3. Here the outputs of phases 1 and 2 and the messages to be signed are used to generate the signature.

Note that only 3rd phase requires the messages to be known so the first 2 phases can be treated as pre-computation
and can be done proactively. Secondly since the communication time among signers is most likely to be the bottleneck
in threshold signing, phase 1 and 2 support batching meaning that to generate

signatures only a single execution
of phase 1 and 2 needs to done, although with larger inputs. Then `n`

executions of phase 3 are done to generate
the signature.
Also its assumed that parties have done the DKG as well as the base OT and stored their results.
Both BBS and BBS+ implementations share the same multiplication phase and the base OT phase but their phase 1 is slightly different.`n`

### Modules

- BBS and BBS+ signature parameters and key generation module -

. The signature params for BBS are slightly different from BBS+ but public key is same.`setup` - BBS+ signature module -
`signature` - BBS+ proof of knowledge of signature module -
`proof` - BBS signature module -
`signature_23` - BBS proof of knowledge of signature module -
`proof_23` - BBS proof of knowledge of signature module, alternate implementation -
`proof_23_cdl` - Threshold BBS and BBS+ signatures -
`threshold`

The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.

License: Apache-2.0

#### Dependencies

~8–19MB

~220K SLoC