Britsch Per-Verifier Linkability

CITATION.cff

@@ -14,6 +14,9 @@ authors:
   - given-names: Stephan
     family-names: Schmiedmayer
     affiliation: Technical University of Munich
+  - given-names: Christoph
+    family-names: Britsch
+    affiliation: Technical University of Munich
 repository-code: 'https://github.com/Fraunhofer-AISEC/libbbs'
 url: 'https://fraunhofer-aisec.github.io/libbbs/'
 abstract: >-

CMakeLists.txt

@@ -43,6 +43,6 @@ add_subdirectory(src)
 add_subdirectory(test)
 
 install(TARGETS bbs)
-install(FILES include/bbs.h TYPE INCLUDE)
+install(FILES include/bbs.h include/bbs_blind.h include/bbs_blind_with_nym.h TYPE INCLUDE)
 install(DIRECTORY doc/man3 doc/man7 TYPE MAN)
 

README.md

@@ -1,10 +1,14 @@
 # libbbs
 
-Specification-compliant and performant C implementation of the [BBS signature scheme](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/) with little to no third party dependencies.[^1]
+Specification-compliant and performant C implementation of the [BBS signature scheme](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/) and its extensions, with little to no third party dependencies.[^1]
 
-Provides a library `libbbs` implementing the `BLS12-381-SHA-256` and `BLS12-381-SHAKE-256` cipher suite.
+Provides a library `libbbs` implementing three layers of functionality:
 
-The API is documented in `include/bbs.h` and the manual. See
+- **BBS signatures** ([draft-irtf-cfrg-bbs-signatures](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/)) — multi-message signatures with selective disclosure proofs. Cipher suites: `BLS12-381-SHA-256` and `BLS12-381-SHAKE-256`.
+- **Blind BBS signatures** ([draft-irtf-cfrg-bbs-blind-signatures-02](https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-blind-signatures-02.html)) — extends BBS to allow messages unknown to the signer to be included in the signature via a commitment. Cipher suites: `BLS12-381-BLIND-SHA-256` and `BLS12-381-BLIND-SHAKE-256`.
+- **BBS with per-verifier pseudonyms** ([draft-irtf-cfrg-bbs-per-verifier-linkability-02](https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-per-verifier-linkability-02.html)) — extends blind BBS to bind prover-controlled secrets into the signature, enabling stable per-verifier pseudonyms without revealing the prover's identity across contexts. Cipher suites: `BLS12-381-BLIND-NYM-SHA-256` and `BLS12-381-BLIND-NYM-SHAKE-256`.
+
+The API is documented in `include/bbs.h`, `include/bbs_blind.h`, `include/bbs_blind_with_nym.h`, and the manual. See
 [**bbs**(7)](https://fraunhofer-aisec.github.io/libbbs/).
 
 [^1]: The calling application needs to provide a source of randomness via

doc/man3/bbs_blind_commit.3

@@ -0,0 +1,107 @@
+.TH bbs_blind_commit 3 2026-03-10 libbbs
+.SH NAME
+bbs_blind_commit \- create a commitment for blind BBS signatures
+.SH LIBRARY
+BBS Signatures
+.RI ( libbbs ,\~ \-lbbs )
+.SH SYNOPSIS
+.nf
+.B #include <bbs_blind.h>
+.P
+.BR "int bbs_blind_commit(" "size_t num_messages;"
+.BI "                     const bbs_ciphersuite * " ciphersuite ","
+.BI "                     void * " commitment_with_proof ","
+.BI "                     uint8_t " secret_prover_blind "[BBS_BLIND_SECRET_PROVER_BLIND_LEN],"
+.BI "                     size_t " num_messages ","
+.BI "                     const void *const " messages [ num_messages "],"
+.BI "                     const size_t " message_lens [ num_messages "]);"
+.fi
+.SH DESCRIPTION
+The
+.BR bbs_blind_commit ()
+function creates a commitment over the
+.I num_messages
+messages in
+.I messages,
+whose lengths in bytes are given in
+.I message_lens.
+The commitment is the first step of the blind BBS protocol and is performed by
+the prover before requesting a signature from the signer.
+.P
+The function produces two outputs.
+The
+.I commitment_with_proof
+is sent to the signer as input to
+.BR bbs_blind_sign (3).
+It does not reveal the committed messages.
+The caller must allocate
+.I BBS_BLIND_COMMITMENT_LEN(num_messages)
+bytes for this buffer.
+.P
+The
+.I secret_prover_blind
+is a
+.B BBS_BLIND_SECRET_PROVER_BLIND_LEN
+byte value that must be kept secret by the prover.
+It is required later by
+.BR bbs_blind_proof_gen (3)
+and must be erased with
+.BR memset_explicit (3)
+after proof generation is complete.
+Disclosing the
+.I secret_prover_blind
+allows recovery of the committed messages from the blind signature.
+.P
+This function takes a pointer to a
+.BR bbs_ciphersuite (3type)
+to use, which determines several parameters for the scheme.
+This function is compatible with
+.B bbs_blind_sha256_ciphersuite
+and
+.B bbs_blind_shake256_ciphersuite
+only.
+Using a ciphersuite from
+.I <bbs.h>
+or
+.I <bbs_blind_with_nym.h>
+will produce an error.
+Keys generated with any ciphersuite may be used here; see
+.BR bbs_keygen (3).
+.SH RETURN VALUE
+Returns
+.B BBS_OK
+on success.
+All other return values denote an error, the exact meaning of which may change
+in the future.
+.SH ATTRIBUTES
+For an explanation of the terms used in this section, see
+.BR attribute (7).
+.TS
+allbox;
+lbx lb lb
+l l l.
+Interface	Attribute	Value
+T{
+.na
+.nh
+.BR bbs_blind_commit ()
+T}	Thread safety	MT-Safe
+.TE
+.SH STANDARDS
+The
+.BR bbs_blind_commit ()
+function implements the algorithm from
+.I draft-irtf-cfrg-bbs-blind-signatures-02.
+.SH CAVEATS
+The
+.BR bbs_blind_commit ()
+function emits a call to the POSIX 2024.1-2024 function
+.BR getentropy (3).
+On non-POSIX systems, this function has to be provided by the application at
+link-time.
+.SH SEE ALSO
+.BR bbs_blind (7),
+.BR bbs_ciphersuite (3type),
+.BR bbs_blind_sign (3),
+.BR bbs_blind_proof_gen (3),
+.BR getentropy (3)

doc/man3/bbs_blind_commit_with_nym.3

@@ -0,0 +1,112 @@
+.TH bbs_blind_commit_with_nym 3 2026-03-14 libbbs
+.SH NAME
+bbs_blind_commit_with_nym \- create a commitment for blind BBS signatures with pseudonyms
+.SH LIBRARY
+BBS Signatures
+.RI ( libbbs ,\~ \-lbbs )
+.SH SYNOPSIS
+.nf
+.B #include <bbs_blind_with_nym.h>
+.P
+.BR "int bbs_blind_commit_with_nym(" "size_t num_messages, num_prover_nyms;"
+.BI "                              const bbs_ciphersuite * " ciphersuite ","
+.BI "                              void * " commitment_with_proof ","
+.BI "                              uint8_t " secret_prover_blind "[BBS_BLIND_SECRET_PROVER_BLIND_LEN],"
+.BI "                              size_t " num_messages ","
+.BI "                              const void *const " messages [ num_messages "],"
+.BI "                              const size_t " message_lens [ num_messages "],"
+.BI "                              size_t " num_prover_nyms ","
+.BI "                              const void *const " prover_nyms [ num_prover_nyms "]);"
+.fi
+.SH DESCRIPTION
+The
+.BR bbs_blind_commit_with_nym ()
+function extends
+.BR bbs_blind_commit (3)
+by additionally committing to one or more prover-controlled pseudonym values.
+The
+.I num_prover_nyms
+values in
+.I prover_nyms
+are committed alongside the
+.I num_messages
+regular committed messages.
+The signer never learns either.
+For a description of the commitment mechanism, the outputs, and the
+sensitivity of the
+.IR secret_prover_blind ,
+see
+.BR bbs_blind_commit (3).
+.P
+The caller must allocate
+.I BBS_BLIND_COMMITMENT_LEN(num_messages + num_prover_nyms)
+bytes for
+.IR commitment_with_proof .
+.P
+If no regular committed messages are needed,
+.I num_messages
+may be zero and
+.I messages
+and
+.I message_lens
+may be NULL.
+.I num_prover_nyms
+must be at least one.
+.P
+This function takes a pointer to a
+.BR bbs_ciphersuite (3type)
+to use, which determines several parameters for the scheme.
+This function is compatible with
+.B bbs_blind_nym_sha256_ciphersuite
+and
+.B bbs_blind_nym_shake256_ciphersuite
+only.
+Using a ciphersuite from
+.I <bbs.h>
+or
+.I <bbs_blind.h>
+will produce an error.
+Keys generated with any ciphersuite may be used here; see
+.BR bbs_keygen (3).
+.SH RETURN VALUE
+Returns
+.B BBS_OK
+on success.
+All other return values denote an error, the exact meaning of which may change
+in the future.
+.SH ATTRIBUTES
+For an explanation of the terms used in this section, see
+.BR attribute (7).
+.TS
+allbox;
+lbx lb lb
+l l l.
+Interface	Attribute	Value
+T{
+.na
+.nh
+.BR bbs_blind_commit_with_nym ()
+T}	Thread safety	MT-Safe
+.TE
+.SH STANDARDS
+The
+.BR bbs_blind_commit_with_nym ()
+function implements the
+.I CommitWithNym
+algorithm from
+.IR draft-irtf-cfrg-bbs-per-verifier-linkability-02 .
+.SH CAVEATS
+The
+.BR bbs_blind_commit_with_nym ()
+function emits a call to the POSIX 2024.1-2024 function
+.BR getentropy (3).
+On non-POSIX systems, this function has to be provided by the application at
+link-time.
+.SH SEE ALSO
+.BR bbs_blind_with_nym (7),
+.BR bbs_blind (7),
+.BR bbs_ciphersuite (3type),
+.BR bbs_blind_commit (3),
+.BR bbs_blind_sign_with_nym (3),
+.BR bbs_blind_proof_gen_with_nym (3),
+.BR getentropy (3)