BBS DID Scheme - Holographic Overview

System Architecture

User: The user who wants to obtain a credential (passport) to access a DApp.
Issuer: An on-chain contract deployed by the DApp on the origin chain, which can mint a soulbound token (ERC-5114 / ERC-5484, revocable by the Issuer) to the User on the destination chain.
Signer: An off-chain Trusted Third Party (TTP) service provider that verifies user information and issues BBS signatures.
Verifier: A contract deployed by the DApp/Signer that verifies the NIZK proof and triggers a callback to the Issuer contract to mint the token. Can be deployed on different chains to minimize verification costs.(Reactive Network)

Prelude

Message coding definition：

Message ID	Message contents
$m_{0}, H_{0}$	Constrain1, e.g., "Is_Adult=1"
$m_{1}, H_{1}$	Constrain2, e.g., "keccak(nationality)=keccak("CN")"
$m_{2}, H_{2}$	Constrain3, ...
$m_{3}, H_{3}$	Constrain4, ...
$m_{4}, H_{4}$	Expiration Height
$m_{null}, H_{null}$	Nullifier commitment
$m_{γ}, H_{γ}$	Blind factor

1. Init

Issuer generates unique $H_{null}$ and encodes it in the contract.
Signer runs $K e y G e n$ to get private key $x$ and publishes the public key $X$ .
Signer or Issuer deploys the Verifier contract and embeds $H_{null}$ and $X$ into the contract.

NOTE

Current status

Public: $H_{null}, X, \vec{m}$
- Signer: $x$

2. User apply

User
- Use view function to read $H_{null}$ and the requirements $(\vec{m})$ of DApp on chain.
- Sample $m_{null}, m_{γ}, λ \leftarrow Z_{p}$ , compute:
  - Nullifier hash: $N = Hash (0 x UserAddress | | m_{null})$
  - Nullifier commitment: $N^{'} = m_{null} \cdot H_{null} + m_{γ} \cdot H_{γ}$
  - Bind the commit: $C_{2} = λ \cdot (m_{null} H_{null} + m_{γ} H_{γ})$
- Send $N$ to Verifier Contract to stash it on chain (KeyExist[mapping(uint=>bool)][N]] = true) by using a new address $0 x RelayerAddr$ .
- Aggregate the constraints $\vec{m} = {m_{0}, m_{1}, m_{2}, \dots}$ .
- Send $(\vec{m}, C_{2})$ to Signer.
NOTE
Current status
- Public: $H_{null}, X, \vec{m}$
  - Verifier: $⟨ N, 0 x RelayerAddr ⟩$
- Signer: $x$ , $⟨ UserID, \vec{m}, C_{2} ⟩$
- User: $0 x UserAddr, m_{null}, m_{γ}, λ$

3. Signer gen signature

Signer
- Check whether the user's info corresponds to the constraints in $\vec{m}$ . If not, refuse to sign.
- Compute 1st commitment:
$C_{1} = G_{1} + \sum_{i = 0}^{4} m_{i} \cdot H_{i} \in G_{1}$
- Generate 1st signature $σ^{'} = (A_{1}, e)$ where:
$e \overset{$}{\leftarrow} Z_{p}, A = \frac{1}{x + e} \cdot C_{1}$
- Use same $e$ to generate 2nd signature $σ^{'} = (A_{2}^{'}, e)$ where:
$A^{'} = \frac{1}{x + e} \cdot C_{2}$
- Send signature $σ^{'} = (A_{1}, A_{2}^{'}, e)$ back to User.

NOTE

Current status

Public: $H_{null}, X, \vec{m}$
- Verifier: $⟨ N, 0 x RelayerAddr ⟩$
Signer: $x$ , $⟨ UserID, N^{'}, σ^{'} ⟩$
User: $0 x UserAddr, m_{null}, m_{γ}$ , $σ^{'}$

4. User gen NIZK proof

User
- Unnlind the $A_{2}^{'}$ :
$A_{2} = A_{2}^{'} \cdot λ^{- 1} = \frac{m_{null} \cdot H_{null} + m_{γ} \cdot H_{γ}}{x + e}$
- Reconstruct the signature $σ = (A, e)$ :
$σ = (A, e) = (A_{1} + A_{2}, e)$
- Generate NIZK proof $π$ to prove knowledge of a valid signature $σ$ for messages $(\vec{m}, m_{γ}, m_{null})$ while hiding $(m_{γ}, A, e)$ .
$π = (\overset{―}{A}, \overset{―}{B}, U, s, t, u_{γ})$
Let $J = {0, 1, 2, 3, 4, null}$ (public message indices), while $I = {γ}$ is the hidden message.
$\begin{aligned} C & = C_{J} + C_{I} \\ = G_{1} + \sum_{l \in {1, 2, 3, 4, \dots}} m_{l} \cdot H_{l} + m_{null} \cdot H_{null} + m_{γ} \cdot H_{γ} \end{aligned}$
where:
- $\overset{―}{A} = r \cdot A$ (randomized signature point)
- $\overset{―}{B} = r \cdot C - r \cdot e \cdot A$
- $C_{J} = G_{1} + \sum_{j \in J} m_{j} \cdot H_{j}$
- $U = α \cdot C_{J} + β \cdot \overset{―}{A} + δ_{γ} \cdot H_{γ}$
- $c = H (ctx | | {\vec{m}}_{J} | | \overset{―}{A} | | \overset{―}{B} | | U)$ (FS transform)
- $s = α + r \cdot c$ , $t = β - e \cdot c$ (responses for $r, e$ )
- $u_{γ} = δ_{γ} + r \cdot m_{γ} \cdot c$
- Send $(π, m_{null}, 0 x UserAddr)$ to Verifier.

NOTE

Current status

Public: $H_{null}, X, \vec{m}$
- Verifier: $⟨ N, 0 x RelayerAddr, 0 x UserAddr, m_{null}, π ⟩$
Signer: $x$ , $⟨ UserID, N^{'}, σ^{'} ⟩$
User: $⟨ 0 x UserAddr, m_{null}, σ^{'}, π ⟩$

5. Verify the Signature and mint the token

Verifier
- Compute public part commitment (pre-computed since constraints are hard-coded):
$C_{J} = G_{1} + \sum_{j \in J} m_{j} \cdot H_{j}$
where $J = {0, 1, 2, 3, 4, null}$ (public message indices).
- Verify nullifier pre-commitment:
  - Compute $N = Hash (0 x UserAddr | | m_{null})$
  - Require KeyExist[N] == true (check pre-committed in Step 2)
  - Require Used[N] == false (prevent double-spending)
- Verify the NIZK proof $π = (\overset{―}{A}, \overset{―}{B}, U, s, t, u_{γ})$ :
  1. Recompute the Fiat-Shamir challenge (note: $m_{null}$ is included in ${\vec{m}}_{J}$ as it's revealed):
  $c^{'} = H (ctx | | {\vec{m}}_{J} | | \overset{―}{A} | | \overset{―}{B} | | U)$
  1. Pairing check (verify randomized signature is valid):
  $e (\overset{―}{A}, X) \overset{?}{=} e (\overset{―}{B}, G_{2})$
  1. Homomorphic check (verify correct representation of $\overset{―}{B}$ with hidden $m_{γ}$ ):
  $U + c^{'} \cdot \overset{―}{B} \overset{?}{=} s \cdot C_{J} + t \cdot \overset{―}{A} + u_{γ} \cdot H_{γ}$
  If any check fails, revert.
- Mark nullifier as used:
  - Set Used[N] = true
- Call the Issuer's function mint(timestamp, 0xUserAddr) to issue the soulbound token to 0xUserAddr.

6. Summary

Features

[x] Unforgeability: Only the Signer with secret key $x$ can generate valid signatures.
[x] Unlinkability: The Signer cannot track where the User uses the signature because:
- The NIZK proof is randomized ( $\overset{―}{A} = r \cdot A$ with fresh $r$ each time)
- The Signer only sees $N^{'} = m_{null} H_{null} + m_{γ} H_{γ}$ , even though $m_{null}, 0 x UserAddr$ is revealed at spend time and holds the realtion of $(m_{null}, H_{null}, H_{γ})$ simutanuesly, the Signer should iterate every possible $m_{γ}$ and $λ$ to track the User.
[x] Single-use: The User cannot use the same signature multiple times because:
- $N = Hash (0 x UserAddr | | m_{null})$ is pre-committed before signing
- Verifier checks and marks $N$ as used atomically
[x] Privacy:
- $m_{γ}$ (blind factor) is hidden via zero-knowledge in the proof
- Signature $(A, e)$ is hidden via randomization
[x] Domain separation: The $ctx$ parameter in Fiat-Shamir transform prevents proof replay across different DApps.
[x] Expiration: The token could be burn after a specified block height (encoded in $m_{4}$ , e.g.) to limit the validity period of the credential, or a real-world time by aquiring the current time from a external oracle.

Extensions

[x] Multiple signatures: ...
[x] The length of the Messages: the $ℓ$ could be freely extended by adding more $H_{i}$ in the public parameters and encoding more constraints in the signature.
[x] Support Timed Encryption?: When the User gen $m_{γ}$ , the User could use RSW to encrypt $m_{γ}$ to feature and gen a zk-proof, so the Verifier could aquire $m_{γ}$ after some time delay and eventually link the VC to the exact User.
[x] Support zkvm?: The User could utilize the zkvm network to compress the proof into only one groth16 proof and minimize the on-chain verification cost.

Remaining Issues

[ ] Signature malleability: The basic BBS signature $σ = (A, e)$ is susceptible to forgery $σ^{'} = (A^{2}, e)$ for commitment $C^{2}$ . To solve this, we should consider using BBS+.
[ ] Nullifier waste: User commits $N$ before receiving signature. If Signer refuses, the nullifier is wasted.

BBS DID Scheme - Holographic Overview ​

System Architecture ​

Prelude ​

1. Init ​

2. User apply ​

3. Signer gen signature ​

4. User gen NIZK proof ​

5. Verify the Signature and mint the token ​

6. Summary ​

Features ​

Extensions ​

Remaining Issues ​

BBS DID Scheme - Holographic Overview

System Architecture

Prelude

1. Init

2. User apply

3. Signer gen signature

4. User gen NIZK proof

5. Verify the Signature and mint the token

6. Summary

Features

Extensions

Remaining Issues