BBS is a simple pairing-based signature scheme that has emerged as a favored instantiation of the paradigm of signatures with efficient protocols for anonymous credentials. It enables both lightweight credential presentation proofs and blind issuance, and now sits at the center of several standardization efforts.

The goal of this talk is to review the somewhat unusual history of BBS signatures, with a particular focus on recent works that revisit their security, clarify their concrete security guarantees, and have helped guide standardization. The talk will also discuss pairing-free instantiations of BBS, including in the server-aided setting, and compare BBS to alternatives.

This talk is based on joint work with Rutchathon Chairattana-Apirom, Franklin Harding, Dennis Hofheinz, Anna Lysyanskaya, and Chenzhi Zhu.

The European Digital Identity (EUDI) Wallet, with a planned release in 2026, aims to provide user-centric, secure authentication for citizens across the EU. Its underlying regulation mandates strong privacy features, such as selective disclosure and unlinkable, unobservable authentication — requirements that map naturally onto anonymous credential schemes. While such schemes are well understood in academia and would efficiently deliver these properties, the first version of the wallet does not employ them. Instead, it relies on batch issuance of ECDSA signatures. This talk examines why anonymous credentials have not yet been adopted for the EUDI Wallet, identifies the gaps between theory and practice that have hindered their deployment and surveys ongoing efforts to close them.

A keynote perspective on the design and deployment of zero-knowledge techniques in a post-quantum setting, with an emphasis on practical constructions and emerging applications.

Zero-Knowledge Authorization systems promise privacy-preserving credential checks, and are now being proposed as the backbone of government-mandated age verification. In this talk, we show why that promise is fragile.

Drawing on our analysis of zkLogin, the most widely deployed ZKA system to date, we demonstrate that its security does not reduce to the underlying ZKP: it hinges on non-cryptographic assumptions about JWT parsing, issuer trust, and architectural binding that fail in practice, enabling cross-application impersonation and quiet identity leakage to outsourced provers, without breaking any cryptography.

We connect these findings to the policy debate around age verification, showing how the same design choices reappear in current proposals, and what protocol-level properties any real-world deployment must enforce to deliver the privacy it advertises.