[BLOCKER for EU] BBS+ signatures not eIDAS 2.0 compliant - consider BBS# for EU Digital Identity Wallet compatibility #5666
Description
Problem Description
Guardian currently uses BBS+ signatures for Verifiable Credentials with selective disclosure. While BBS+ provides excellent privacy properties (unlinkability, selective disclosure), it cannot achieve eIDAS 2.0 Level of Assurance High certification required for EU Digital Identity Wallets.
The European Commission has explicitly rejected BBS/BBS+ for eIDAS compliance due to two critical issues:
-
Pairing-friendly curves not SOG-IS certified: BBS+ relies on BLS12-381 curve with bilinear pairings. Current certified secure hardware (HSMs, Secure Enclaves, Android StrongBox, TPMs) required for eIDAS LoA High does not support pairing operations or pairing-friendly curves.
-
Non-SOG-IS compliant holder binding: The holder binding mechanism in BBS+ uses BBS-native operations rather than approved signature schemes like ECDSA or EC-Schnorr (ISO/IEC 14888-3).
This means Guardian-issued credentials using BBS+ cannot be used in EU Digital Identity Wallet ecosystems targeting November 2026 deployment deadline.
Reference
Orange Innovation has developed BBS# (BBS Sharp), a variant that solves these compliance issues while retaining all BBS+ privacy features:
- NIST WPEC 2024 presentation: https://csrc.nist.gov/csrc/media/presentations/2024/wpec2024-3b3/images-media/wpec2024-3b3-slides-antoine-jacques--BBS-sharp-eIDAS2.pdf
- ePrint paper: https://eprint.iacr.org/2025/619
- Orange documentation: https://github.com/Orange-OpenSource/BBS-SHARP-doc-eudi-wallet
Steps to Reproduce
- Issue a Verifiable Credential using Guardian with BBS+ signatures
- Attempt to use this credential in an eIDAS 2.0 compliant EU Digital Identity Wallet
- Credential cannot be verified by certified WSCD (Wallet Secure Cryptographic Device) because:
- Hardware lacks pairing operation support
- Holder binding doesn't use SOG-IS approved algorithms
Expected Behavior
Guardian should support credential formats that are compliant with eIDAS 2.0 Architecture Reference Framework (ARF), enabling:
- Issuance of credentials usable in EU Digital Identity Wallets
- Verification using standard certified hardware (HSMs, Secure Enclaves)
- SOG-IS compliant holder binding (ECDSA/EC-Schnorr on secp256r1)
Actual Behavior
Guardian uses BBS+ with BLS12-381 pairing-friendly curves, which:
- Cannot be verified on certified secure hardware
- Uses non-compliant holder binding
- Is explicitly rejected by European Commission for LoA High
Proposed Solution
Consider implementing BBS# as an alternative/additional signature scheme. Key advantages:
| Feature | BBS+ (current) | BBS# (proposed) |
|---|---|---|
| Unlinkability | ✅ | ✅ |
| Selective Disclosure | ✅ | ✅ |
| Everlasting Privacy | ✅ | ✅ |
| Uses classic curves (secp256r1) | ❌ | ✅ |
| SOG-IS compliant holder binding | ❌ | ✅ (ECDSA/EC-Schnorr) |
| Works with existing HSMs/SE | ❌ | ✅ |
| eIDAS 2.0 LoA High certifiable | ❌ | ✅ |
| ISO mDL compatible | ❌ | ✅ |
BBS# achieves this by:
- Replacing pairing verification with ZKP discrete log equality proofs
- Using ECDSA/EC-Schnorr for holder binding with secure key splitting
- Operating on classic elliptic curves (secp256r1) supported by all certified hardware
Impact
Organizations using Guardian for:
- Islamic finance credentials (requiring EU cross-border recognition)
- Supply chain attestations in EU markets
- Any regulated use case requiring eIDAS compliance
...will be blocked from EU Digital Identity Wallet interoperability without this change.
Additional Context
- EU Digital Identity Wallet deployment deadline: November 2026
- Orange has tested BBS# on smartphones with ~50ms performance on SIM cards and Android StrongBox
- The cryptographic security of BBS# is proven (inherits BBS security from Eurocrypt 2023, plus Oblivious Issuance Proofs from Crypto 2024)