Similar to weak-BB, proof of knowledge of BB signature that does not require the prover to do pairings.
A keyed-verification protocol for proving knowledge of weak-BB signature. Here the verifier is assumed to have the secret key and the protocol does not require pairings.
Threshold issuance protocol for weak-BB signatures
Proof of knowledge of BB signature. Adapted from the construction in section 4.2 of the paper Proof-of-Knowledge of Representation of Committed Value and Its Applications
Specifically the adaptation is of SPK_1 of construction pi_m in section 4.2 as following:
For BB signature, secret key = (x, y), public key = (w1=g2*x, w2=g2*y), message = m and signature = (A = g*{1/{m + x + e*y}}, e)
As part of setup params, generators u, v and h og group G1 exist.
Proof of knowledge of BB signature. This is not published in any paper but is an adaptation of similar protocol for proving
knowledge of weak-BB signature. The advantage of this variation is that the prover does not need to compute any pairings.
Following is a description
For BB signature, secret key = (x, y), public key = (w1=g2*x, w2=g2*y), message = m and signature = (A = g*{1/{m + x + e*y}}, e)
As part of setup params, generators u, v and h og group G1 exist.
Proofs of knowledge of weak-BB signature with keyed-verification, i.e. the verifier needs to know the secret key to verify the proof.
g1 is generator of group G1, secret key = x, message = m, signature = A = g1 * 1/(x + m)