[BLOCKER for EU] BBS+ signatures not eIDAS 2.0 compliant - consider BBS# for EU Digital Identity Wallet compatibility

[kolesarp1]

Problem Description

Guardian currently uses BBS+ signatures for Verifiable Credentials with selective disclosure. While BBS+ provides excellent privacy properties (unlinkability, selective disclosure), it cannot achieve eIDAS 2.0 Level of Assurance High certification required for EU Digital Identity Wallets.

The European Commission has explicitly rejected BBS/BBS+ for eIDAS compliance due to two critical issues:

1. Pairing-friendly curves not SOG-IS certified: BBS+ relies on BLS12-381 curve with bilinear pairings. Current certified secure hardware (HSMs, Secure Enclaves, Android StrongBox, TPMs) required for eIDAS LoA High does not support pairing operations or pairing-friendly curves.

2. Non-SOG-IS compliant holder binding: The holder binding mechanism in BBS+ uses BBS-native operations rather than approved signature schemes like ECDSA or EC-Schnorr (ISO/IEC 14888-3).

This means Guardian-issued credentials using BBS+ cannot be used in EU Digital Identity Wallet ecosystems targeting November 2026 deployment deadline.

Reference

Orange Innovation has developed BBS# (BBS Sharp), a variant that solves these compliance issues while retaining all BBS+ privacy features:

• NIST WPEC 2024 presentation: https://csrc.nist.gov/csrc/media/presentations/2024/wpec2024-3b3/images-media/wpec2024-3b3-slides-antoine-jacques--BBS-sharp-eIDAS2.pdf
• ePrint paper: https://eprint.iacr.org/2025/619
• Orange documentation: https://github.com/Orange-OpenSource/BBS-SHARP-doc-eudi-wallet

---

Steps to Reproduce

1. Issue a Verifiable Credential using Guardian with BBS+ signatures
2. Attempt to use this credential in an eIDAS 2.0 compliant EU Digital Identity Wallet
3. Credential cannot be verified by certified WSCD (Wallet Secure Cryptographic Device) because:
   • Hardware lacks pairing operation support
   • Holder binding doesn't use SOG-IS approved algorithms

---

Expected Behavior

Guardian should support credential formats that are compliant with eIDAS 2.0 Architecture Reference Framework (ARF), enabling:

• Issuance of credentials usable in EU Digital Identity Wallets
• Verification using standard certified hardware (HSMs, Secure Enclaves)
• SOG-IS compliant holder binding (ECDSA/EC-Schnorr on secp256r1)

---

Actual Behavior

Guardian uses BBS+ with BLS12-381 pairing-friendly curves, which:

• Cannot be verified on certified secure hardware
• Uses non-compliant holder binding
• Is explicitly rejected by European Commission for LoA High

---

Proposed Solution

Consider implementing BBS# as an alternative/additional signature scheme. Key advantages:

Feature	BBS+ (current)	BBS# (proposed)
Unlinkability	✅	✅
Selective Disclosure	✅	✅
Everlasting Privacy	✅	✅
Uses classic curves (secp256r1)	❌	✅
SOG-IS compliant holder binding	❌	✅ (ECDSA/EC-Schnorr)
Works with existing HSMs/SE	❌	✅
eIDAS 2.0 LoA High certifiable	❌	✅
ISO mDL compatible	❌	✅

BBS# achieves this by:

• Replacing pairing verification with ZKP discrete log equality proofs
• Using ECDSA/EC-Schnorr for holder binding with secure key splitting
• Operating on classic elliptic curves (secp256r1) supported by all certified hardware

---

Impact

Organizations using Guardian for:

• Islamic finance credentials (requiring EU cross-border recognition)
• Supply chain attestations in EU markets
• Any regulated use case requiring eIDAS compliance

...will be blocked from EU Digital Identity Wallet interoperability without this change.

---

Additional Context

• EU Digital Identity Wallet deployment deadline: November 2026
• Orange has tested BBS# on smartphones with ~50ms performance on SIM cards and Android StrongBox
• The cryptographic security of BBS# is proven (inherits BBS security from Eurocrypt 2023, plus Oblivious Issuance Proofs from Crypto 2024)