BBS signatures

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

README.md

@@ -9,7 +9,7 @@ Library providing privacy enhancing cryptographic primitives.
 ## Primitives
 
 1. [Schnorr proof of knowledge protocol](./schnorr_pok) to prove knowledge of discrete log. [This](https://crypto.stanford.edu/cs355/19sp/lec5.pdf) is a good reference. 
-2. [BBS+ signature](./bbs_plus) for anonymous credentials. Based on the paper [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663)
+2. [BBS and BBS+ signatures](./bbs_plus) for anonymous credentials. BBS+ is based on the paper [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663) and BBS is based on the paper [Revisiting BBS Signatures](https://eprint.iacr.org/2023/275).
 3. [Dynamic accumulators, both positive and universal](./vb_accumulator). Based on the paper [Dynamic Universal Accumulator with Batch Update over Bilinear Groups](https://eprint.iacr.org/2020/777)
 4. [Composite proof system](./proof_system) that combines above primitives for use cases like 
    - prove knowledge of a BBS+ signature and the corresponding messages
@@ -53,7 +53,7 @@ For running tests faster, run `cargo test --release`
 
 [Criterion](https://github.com/bheisler/criterion.rs) benchmarks [here](./benches)
 
-Some tests also print time consumed by the operations, run `cargo test --release -- --nocapure [test name]`
+Some tests also print time consumed by the operations, run `cargo test --release -- --nocapture [test name]`
 
 ## WASM wrapper
 

bbs_plus/Cargo.toml

@@ -5,7 +5,7 @@ edition.workspace = true
 authors.workspace = true
 license.workspace = true
 repository.workspace = true
-description = "BBS+ signature and protocol for proof of knowledge of signature"
+description = "BBS and BBS+ signatures and protocols for proof of knowledge of signature"
 
 [lib]
 doctest = false

bbs_plus/README.md

@@ -1,20 +1,35 @@
-# bbs_plus
+# BBS and BBS+ signatures
+
+<!-- cargo-rdme start -->
+
+Implements BBS and BBS+.
 
 BBS+ signature according to the paper: [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663).
 Provides
-- signature creation and verification in both groups G1 and G2.
+- signature creation and verification with signature in group G1 and public key in group G2 and vice-versa.
 - proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.
 
+BBS signature according to the paper: [Revisiting BBS Signatures](https://eprint.iacr.org/2023/275).
+Provides
+- signature creation and verification with signature in group G1 and public key in group G2.
+- proof of knowledge of signature and corresponding messages.
+
 ### Modules
 
-1. Signature parameters and key generation module - [`setup`]
-2. Signature module - [`signature`]
-3. Proof of knowledge of signature module - [`proof`]
+1. BBS and BBS+ signature parameters and key generation module - [`setup`]
+2. BBS+ signature module - [`signature`]
+3. BBS+ proof of knowledge of signature module - [`proof`]
+4. BBS signature module - [`signature_23`]
+5. BBS proof of knowledge of signature module - [`proof_23`]
 
 The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.
 
-[`setup`]: crate::setup
-[`signature`]: crate::signature
-[`proof`]: crate::proof
+[`setup`]: https://docs.rs/bbs_plus/latest/bbs_plus/setup/
+[`signature`]: https://docs.rs/bbs_plus/latest/bbs_plus/signature/
+[`proof`]: https://docs.rs/bbs_plus/latest/bbs_plus/proof/
+[`signature_23`]: https://docs.rs/bbs_plus/latest/bbs_plus/signature_23/
+[`proof_23`]: https://docs.rs/bbs_plus/latest/bbs_plus/proof_23/
+
+<!-- cargo-rdme end -->
 
 License: Apache-2.0

bbs_plus/src/lib.rs

@@ -1,34 +1,50 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 #![allow(non_snake_case)]
 
+//! Implements BBS and BBS+.
+//!
 //! BBS+ signature according to the paper: [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663).
 //! Provides
-//! - signature creation and verification in both groups G1 and G2.
+//! - signature creation and verification with signature in group G1 and public key in group G2 and vice-versa.
 //! - proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.
 //!
+//! BBS signature according to the paper: [Revisiting BBS Signatures](https://eprint.iacr.org/2023/275).
+//! Provides
+//! - signature creation and verification with signature in group G1 and public key in group G2.
+//! - proof of knowledge of signature and corresponding messages.
+//!
 //! ## Modules
 //!
-//! 1. Signature parameters and key generation module - [`setup`]
-//! 2. Signature module - [`signature`]
-//! 3. Proof of knowledge of signature module - [`proof`]
+//! 1. BBS and BBS+ signature parameters and key generation module - [`setup`]. The signature params for BBS are slightly
+//! different from BBS+ but public key is same.
+//! 2. BBS+ signature module - [`signature`]
+//! 3. BBS+ proof of knowledge of signature module - [`proof`]
+//! 4. BBS signature module - [`signature_23`]
+//! 5. BBS proof of knowledge of signature module - [`proof_23`]
 //!
 //! The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.
 //!
 //! [`setup`]: crate::setup
 //! [`signature`]: crate::signature
 //! [`proof`]: crate::proof
+//! [`signature_23`]: crate::signature_23
+//! [`proof_23`]: crate::proof_23
 
 pub mod error;
 pub mod proof;
+pub mod proof_23;
 pub mod setup;
 pub mod signature;
+pub mod signature_23;
 
 pub mod prelude {
     pub use crate::{
         error::BBSPlusError,
-        proof::{PoKOfSignatureG1Proof, PoKOfSignatureG1Protocol},
+        proof::{MessageOrBlinding, PoKOfSignatureG1Proof, PoKOfSignatureG1Protocol},
+        proof_23::{PoKOfSignature23G1Proof, PoKOfSignature23G1Protocol},
         setup::*,
         signature::{SignatureG1, SignatureG2},
+        signature_23::Signature23G1,
     };
 }
 

bbs_plus/src/proof.rs

@@ -1,4 +1,4 @@
-//! Proof of knowledge of the signature and corresponding messages as per section 4.5 of the paper
+//! Proof of knowledge of BBS+ signature and corresponding messages as per section 4.5 of the BBS+ paper
 //! # Examples
 //!
 //! Creating proof of knowledge of signature and verifying it:
@@ -58,7 +58,7 @@
 use crate::{
     error::BBSPlusError,
     prelude::PreparedPublicKeyG2,
-    setup::{PreparedSignatureParamsG1, SignatureParamsG1},
+    setup::{MultiMessageSignatureParams, PreparedSignatureParamsG1, SignatureParamsG1},
     signature::SignatureG1,
 };
 use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup, Group, VariableBaseMSM};
@@ -83,7 +83,7 @@ use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
-/// Proof of knowledge of BBS+ signature in group G1
+/// Protocol to prove knowledge of BBS+ signature in group G1.
 /// The BBS+ signature proves validity of a set of messages {m_i}, i in I. This stateful protocol proves knowledge of such
 /// a signature whilst selectively disclosing only a subset of the messages, {m_i} for i in a disclosed set D. The
 /// protocol randomizes the initial BBS+ signature, then conducts 2 Schnorr PoK protocols to prove exponent knowledge
@@ -124,7 +124,7 @@ pub struct PoKOfSignatureG1Protocol<E: Pairing> {
     sc_wits_2: Vec<E::ScalarField>,
 }
 
-/// Proof of knowledge of the signature in G1. It contains the randomized signature, commitment (Schnorr step 1)
+/// Proof of knowledge of BBS+ signature in G1. It contains the randomized signature, commitment (Schnorr step 1)
 /// and response (Schnorr step 3) to both Schnorr protocols in `T_` and `sc_resp_`
 #[serde_as]
 #[derive(
@@ -245,6 +245,7 @@ impl<E: Pairing> PoKOfSignatureG1Protocol<E> {
         // Knowledge of all unrevealed messages `m_j` need to be proven in addition to knowledge of `-r3` and `s'`. Thus
         // all `m_j`, `-r3` and `s'` are the witnesses, while all `h_j`, `d`, `h_0` and `-g1 + \sum_{i \in D}(h_i*{-m_i})` is the instance.
 
+        // Iterator of tuples of form `(h_i, blinding_i, message_i)`
         let h_blinding_message = indexed_blindings
             .into_iter()
             .map(|(idx, blinding)| (params.h[idx], blinding, messages[idx]));