Bls traceable secure threshold signature method and system based on distributed key generation
The BLS traceable security threshold signature method generated by distributed keys solves the problems of communication bandwidth redundancy and dynamic topology adaptability in the vehicle-to-everything (V2X) environment, achieves compact signature and traceability, improves system efficiency and security, and is suitable for highly dynamic distributed networks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ZHEJIANG SCI-TECH UNIV
- Filing Date
- 2026-05-11
- Publication Date
- 2026-06-05
AI Technical Summary
Existing threshold signature technology has shortcomings in terms of communication bandwidth consumption, identity information security protection, dynamic topology adaptability and system efficiency in the Internet of Vehicles environment, making it difficult to meet the needs of real-time authentication and efficient expansion.
We adopt the BLS traceable security threshold signature method based on distributed key generation. By utilizing bilinear pairing and symmetric balanced incomplete block design, and through active key share refreshing and non-interactive zero-knowledge proof, we achieve compactness, traceability and anti-hijacking capability of the signature, while reducing computational complexity and communication overhead.
It significantly reduces the size of signature data packets and communication overhead, improves authentication throughput and response speed, ensures forward security and identity privacy protection in dynamic environments, and is suitable for highly dynamic and decentralized distributed topology deployments.
Smart Images

Figure CN122160071A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of information security technology, specifically relating to a BLS traceable security threshold signature method and system based on distributed key generation. Background Technology
[0002] With the exponential growth of data volume, verifying the authenticity of data sources has become a critical bottleneck that urgently needs to be overcome in distributed network environments. Threshold signatures, as the cornerstone of establishing decentralized trust, have been extensively studied in distributed systems in recent years.
[0003] In existing technologies, threshold signatures in distributed environments face the dual technical challenges of signature proof size redundancy and low key synchronization efficiency under dynamic topologies. Especially in Internet of Vehicles (IoV) and vehicular ad hoc networks, vehicles exchange safety and traffic information in real time through vehicle-to-vehicle and vehicle-to-infrastructure communication to support core applications such as collision warning, cooperative driving, and real-time traffic optimization. However, its actual deployment still faces severe security and performance challenges.
[0004] To address the issues of protecting the identity information of signers and tracing malicious behavior, existing technologies mainly employ traceable threshold signature methods built upon cryptographic primitives such as EdDSA signatures and Non-Interactive Zero-Knowledge Proofs (NIZKP). However, these methods suffer from the following technical drawbacks: The complex operational mechanism of the EdDSA algorithm on the distorted Edwards curve leads to significant data redundancy when aggregating proofs from multiple nodes, with the total size of the signature and proof typically exceeding 480 bytes. This poses a risk of bandwidth constraints in high-frequency interaction scenarios. Furthermore, the high computational complexity and communication overhead necessitate the generation and verification of complex non-interactive proofs, significantly increasing the computational load on the verification end and making it difficult to meet the stringent real-time authentication requirements of connected vehicles.
[0005] To address the issue of proactive secret sharing updates that resist long-term attacks, existing technologies primarily employ proactive secret sharing (PSS) mechanisms based on full node interaction. However, traditional update mechanisms cannot guarantee protocol robustness in situations where node online states are unstable, and there is a risk of logical deadlock due to the failure or delay of a single node. Existing key refresh schemes require all nodes to participate in the process. Inter-node communication Complex, fully connected communication and data verification are difficult to scale efficiently in distributed systems with a large number of nodes, and their communication overhead increases exponentially with the number of nodes, severely limiting the system's survivability. In real-world vehicle-to-everything (V2X) scenarios, the high-speed movement of vehicle nodes and frequent changes in topology further amplify these communication and synchronization bottlenecks.
[0006] In summary, existing threshold signature technologies have shortcomings in terms of communication bandwidth consumption, identity information security protection, dynamic topology adaptability, and system efficiency in the context of vehicle-to-everything (V2X) environments. There is an urgent need to provide an improved privacy-preserving threshold signature scheme based on BLS (Bilinear Mapping) that can simultaneously ensure signature compactness, effectively resist long-term node hijacking attacks, and achieve traceability. Summary of the Invention
[0007] This invention aims to overcome the technical bottlenecks of existing threshold signature schemes in practical deployment, such as communication bandwidth redundancy and poor adaptability to dynamic environments. It provides a BLS traceable security threshold signature method and system based on distributed key generation that can simultaneously ensure signature compactness, effectively resist long-term node hijacking attacks, and achieve traceability.
[0008] To achieve the above-mentioned objectives, the present invention adopts the following technical solution:
[0009] The BLS traceable security threshold signature method based on distributed key generation includes the following steps;
[0010] S1, generate a bilinear pairing environment and initialize common safety parameters;
[0011] S2, Based on the public security parameters, the block mapping relationship is determined based on the symmetric balanced incomplete block design. Each participant interacts within the block to generate their respective key share and the system's global public key.
[0012] S3, the signer performs a partial signature on the message and a non-interactive zero-knowledge proof corresponding to the partial signature based on the corresponding key share;
[0013] S4, the aggregator collects and verifies some signatures, filters out the set of valid signatures, aggregates them to generate the final signature, and generates a commitment ciphertext containing threshold value information;
[0014] S5, the verifier verifies the final signature, and if the verification passes, the signature is confirmed to be valid;
[0015] S6. When verification fails and a dispute arises, the tracking mechanism is activated, and the tracker tracks the group of signatories.
[0016] S7. Based on the block mapping relationship in step S2, the key share is actively refreshed periodically.
[0017] Preferably, step S1 includes the following steps:
[0018] S11, Select security parameters, generate bilinear pairing environment and its bilinear mapping, and determine the independent generators and message mapping functions of the first group, the second group and the target group;
[0019] S12, preset system threshold and node size, and calculate the parameters of the symmetric balanced incomplete block design through an adaptive parameter selection algorithm. The parameters include the number of blocks, the number of nodes in each block and the intersection constant.
[0020] S13, output public safety parameters including the bilinear pairing parameters, threshold values, node size, and block design parameters.
[0021] Preferably, step S2 includes the following steps:
[0022] S21, each node selects a random polynomial and broadcasts the Feldman commitments for the corresponding coefficients;
[0023] S22, determine the block mapping relationship, each node in the block calculates the key share for other nodes in the block, encrypts it and sends it to the block leader; the block leader aggregates the ciphertext using the additive homomorphic property and sends it back to the target node; the target node decrypts to obtain the aggregated share, and calculates the final private key share in combination with its own generated share, thereby generating the identity binding commitment and the node public key; all nodes jointly contribute to generate the system global public key;
[0024] S23, the tracker randomly selects a tracking private key and generates a corresponding public key.
[0025] Preferably, step S3 includes the following steps:
[0026] S31, the signing node uses its private key share to calculate a partial signature on the message; the signing node defines a Σ-protocol relationship for proving the validity of the private key, the consistency of the commitment, and the correctness of the partial signature, and generates a non-interactive zero-knowledge proof;
[0027] S32, the signing node sends the partial signature, zero-knowledge proof, and corresponding public key to the aggregator.
[0028] Preferably, step S4 includes the following steps:
[0029] S41, the aggregator verifies the validity of the collected partial signatures, filters out the valid signature set, selects the subset of signatures that meet the threshold number, and generates a signer index vector with a length equal to the number of blocks;
[0030] S42, calculate the Lagrange interpolation coefficients based on the signature subset, and aggregate to generate a global aggregate signature; the aggregator uses the ElGamal encapsulation mechanism, an asymmetric encryption system based on the discrete logarithm problem, to encapsulate the threshold value into ciphertext, and outputs the aggregate signature and the signer index vector after encryption by the key derivation function;
[0031] S43, the aggregator generates a corresponding non-interactive zero-knowledge proof based on the aggregate signature, threshold value, and signer index vector. The non-interactive zero-knowledge proof is used to verify the correctness of the ciphertext encapsulated content.
[0032] Preferably, step S5 includes the following steps:
[0033] S51, the verifier uses public parameters to perform logical verification on the output signature and proof; if the verification passes, the signature is confirmed to be valid; if the verification fails and a dispute occurs, the tracking mechanism is triggered.
[0034] Preferably, step S6 includes the following steps:
[0035] S61, when a dispute arises during the verification phase, the tracking mechanism is activated. The tracker calculates the shared key based on the tracking private key it holds and uses the key derivation function KDF to recover the mask. By restoring the signer index vector, the specific node identity participating in the signing is located based on the position marked as the participation status in the index vector.
[0036] Preferably, step S7 includes the following steps:
[0037] S71, based on the generated initial state, the system periodically starts the refresh process; each node selects a random polynomial with a constant term of zero;
[0038] S72, nodes exchange polynomial fragments only within the local topology of the symmetric balanced incomplete block design. The receiving node collects all fragments received within its block and updates the corresponding private key share, while keeping the system's global public key unchanged.
[0039] This invention also provides a BLS-based traceable security threshold signature system based on distributed key generation, comprising:
[0040] The initialization module is used to generate a bilinear pairing environment and initialize common safety parameters;
[0041] The key generation module is used to determine the block mapping relationship based on the public security parameters and the symmetric balanced incomplete block design. Each participant interacts within the block to generate their own key share and the system's global public key.
[0042] The signature module is used by the signer to partially sign the message according to the corresponding key share and to generate a non-interactive zero-knowledge proof corresponding to the partial signature;
[0043] The aggregation module enables aggregators to collect and verify partial signatures, filter out the set of valid signatures, aggregate them to generate the final signature, and generate a commitment ciphertext containing threshold value information.
[0044] The verification module is used to enable verifiers to verify the final signature. If the verification passes, the signature is confirmed to be valid.
[0045] The traceability module is used to activate the traceability mechanism when verification fails and a dispute arises, allowing the tracer to track the signature group.
[0046] The key refresh module is used to periodically refresh the key share based on the block mapping relationship.
[0047] Compared with existing technologies, the beneficial effects of this invention are: (1) In terms of security: the active private key share refresh mechanism is constructed to ensure that the forward security, anti-hijacking capability and long-term architectural stability of the system are effectively guaranteed in dynamic adversarial environments; the threshold value and signer set are hidden by ciphertext encapsulation and Lagrange interpolation technology, which effectively prevents attackers from obtaining accurate signer identity information and protects the decision privacy of the system; through the deep integration of decentralized tracing technology and BLS threshold signature algorithm, malicious nodes can be accurately located and traced without relying on a single trusted third party, thereby improving the overall interactive credibility of the system; (2) In terms of system efficiency: the symmetric balanced incomplete block design (SBIBD) mechanism and bilinear pairing linear homomorphic technology are used to significantly reduce the computational complexity and communication overhead of the system; through the synergistic effect of the above technical means, the communication complexity of the nodes is reduced from Reduce to And the size of the proof data packet is compressed from 480 bytes in the traditional scheme to 172 bytes, which greatly improves the authentication throughput and response speed in the scenario of large-scale node concurrency; (3) In terms of applicability: the technical solution of the present invention can not only provide extremely high bandwidth utilization, but also is applicable to highly dynamic, decentralized distributed topology deployment. Under the premise of ensuring user privacy and identity anonymity, it achieves a deep balance between regulatory traceability and system performance, and solves the technical problems of traditional threshold signature in terms of bandwidth redundancy, insufficient scalability and information leakage. Attached Figure Description
[0048] Figure 1 This is a flowchart of a BLS traceable security threshold signature method based on distributed key generation in this invention; Figure 2 A comparative diagram of the communication overhead of the present invention and the prior art under different vehicle numbers, provided for an embodiment of the present invention; Figure 3This is a comparative diagram showing the time consumption delay of the present invention and the prior art under different vehicle numbers, provided for an embodiment of the present invention. Detailed Implementation
[0049] To more clearly illustrate the embodiments of the present invention, specific implementation methods will be described below with reference to the accompanying drawings. Obviously, the drawings described below are merely some embodiments of the present invention. For those skilled in the art, other drawings and other implementation methods can be obtained based on these drawings without any creative effort.
[0050] like Figure 1 As shown, this invention provides a BLS-based traceable security threshold signature method based on distributed key generation. The method comprises a complete workflow of seven independent stages: initialization, key generation, signature, aggregation, verification, tracing, and key update. The detailed process for each stage is as follows:
[0051] Step 1: Generate a bilinear pairing environment and initialize common safety parameters. The specific process is as follows:
[0052] 1-1, Select safety parameters Generate bilinear pairing environment and its corresponding bilinear mapping , It is a cyclic group. (This is confirmed.) The independent generators are respectively , The independent generators are Message mapping function ;
[0053] 1-2, the system preset threshold value is Preset node size The optimal SBIBD parameters are calculated using an adaptive parameter selection algorithm. And map all nodes to the association matrix, where This represents the number of blocks, and also the total node capacity. The number of nodes in each block group Ensure that any two nodes intersect within one and only one block; initialize Number of virtual nodes ; Calculate the initial block size Find the smallest integer. Such that there exists a prime power. ;according to Calculate total node capacity ; Calculate the number of virtual nodes that need to be added And output the final parameters ( );
[0054] 1-3, The system outputs common safety parameters. .
[0055] Step 2: Based on the public security parameters, determine the block mapping relationship using a symmetric balanced incomplete block design. Each participant interacts within the block to generate their respective key share and the system's global public key. The specific process is as follows:
[0056] 2-1, each node Selecting a random polynomial ,in express The coefficients of the selected random polynomial, Variables representing polynomials of Power of 1 It represents the order of prime numbers.
[0057] And broadcast the corresponding Feldman commitments. ;
[0058] 2-2, Determine the block mapping relationship; Node For the district group Other nodes Calculate shares and use Encryption using a homomorphic public key yields the ciphertext. ,in This represents an encryption operation. Representative node The homomorphic public key is sent to the block leader. District / Group Leader Ciphertext aggregation using additive homomorphic properties and send back to .node Decrypt the received aggregated ciphertext to obtain , It is a node For its district group The aggregated share is obtained by decrypting the received aggregated ciphertext, and the final private key share is calculated. Node computation identity binding commitment and its public key The global public key is .
[0059] 2-3, The tracker randomly selects a tracking private key. Generate its corresponding public key .
[0060] Step 3: The signer, based on the corresponding key share, performs a partial signature on the message and generates a non-interactive zero-knowledge proof corresponding to the partial signature. The specific process is as follows:
[0061] 3-1, based on the obtained private key share ,node Regarding the message Calculate partial signature At the same time, node definition -Protocol Relationship Generate non-interactive zero-knowledge proofs Selecting a random blinding factor , For the order of Finite field; compute commitment tuple Calculate the challenge value ; Calculate the response value Output proof This proves that the signature was generated by a legitimate private key; where r is a random number, i.e., the randomization factor mentioned earlier.
[0062] 3-2, Node triplet Send it to the aggregator for subsequent signature aggregation.
[0063] Step 4: The aggregator collects and verifies partial signatures, filters out the valid signature set, aggregates them to generate the final signature, and generates a commitment ciphertext containing threshold value information. The specific process is as follows:
[0064] 4-1, Verify the collected partial signatures The validity of the signatures is used to filter out the valid signature sets. Aggregator selects a subset of signatures (in ), generating a length of Signer index vector ,like ,but ,otherwise ;
[0065] 4-2, Calculate the Lagrange interpolation coefficients ,like ,but ;like ,but Global aggregate signatures are aggregated using interpolation. The aggregator selects a random number. Using system parameters threshold Encapsulated as a ciphertext pair The aggregator uses the ElGamal encapsulation mechanism to encrypt it and selects a random number. Calculate ciphertext and ,in For the tracker's public key;
[0066] 4-3, Define the protocol relationship Generate non-interactive zero-knowledge proofs Random selection , It is a random factor used for blinding encrypted random numbers and threshold-related values. For each node The selected random value is used to construct the commitment associated with the signer index vector, and the commitment value is calculated: , ; ; ; ;
[0067] Calculate the challenge value ,in These are respectively message encapsulation and encrypted random numbers. Related commitments, These are the threshold values respectively. Encapsulation and random numbers Related commitments, It is aimed at the first Intermediate commitment values generated by each node The pairwise verification commitment of the aggregate signature is used to prove that the aggregate signature is correctly synthesized from the corresponding partial signatures; stmt represents the statement that the prover wants to prove to the verifier. In zero-knowledge proof, the prover needs to use an algorithm to convince the verifier that "the prover knows certain secret information (witness) that makes this statement (Statement) true, but the prover will not reveal the secret information itself."
[0068] Calculate the response value: , ; , ;
[0069] Output proof ,in This is a value calculated based on a random factor, a challenge value, and the original secret, used for validator verification. These are intermediate parameters used to assist in verifying the contents of the encrypted package; Represents secret random numbers Encapsulated ElGamal ciphertext.
[0070] Step 5: The verifier verifies the final signature. If the verification passes, the signature is confirmed as valid. The specific process is as follows:
[0071] 5-1. The verifier uses public parameters to perform logical verification on the output signature and proof; if the verification passes, the signature is confirmed to be valid; if the verification fails and a dispute occurs, the tracking mechanism is triggered.
[0072] Step 6: When verification fails and a dispute arises, the tracking mechanism is activated, and the tracker tracks the signature group. The specific process is as follows:
[0073] 6-1. If a dispute arises during the verification phase, the tracking mechanism is activated, and the tracker uses the tracking private key they hold. Calculate the shared key The mask is then recovered using a Key Derivation Function (KDF). This is achieved by executing... Reconstruct the feature vector ,according to The position marked with 1 indicates the identity of the specific node participating in the signature.
[0074] Step 7: Based on the block mapping relationship in step S2, periodically refresh the key share. The specific process is as follows:
[0075] 7-1, Based on the generated initial state, the system periodically initiates a refresh process; Node Choose a random polynomial , Represents a node The coefficients of the zero constant term random polynomial generated during the refresh phase, and its constant term ;
[0076] 7-2, Node Local topological exchange fragmentation in symmetric equilibrium incomplete block design (SBIBD) defined only in stage 1 ,node Collect all fragments received within the collection group and update their private keys. This stage ensures that, without changing the system's global public key, the fragments stolen by attackers in the old cycle become invalid, thus guaranteeing the long-term security of the system.
[0077] In addition, the present invention also provides a BLS traceable security threshold signature system based on distributed key generation, comprising:
[0078] The initialization module is used to generate a bilinear pairing environment and initialize common safety parameters;
[0079] The key generation module is used to determine the block mapping relationship based on the public security parameters and the symmetric balanced incomplete block design. Each participant interacts within the block to generate their own key share and the system's global public key.
[0080] The signature module is used by the signer to partially sign the message according to the corresponding key share and to generate a non-interactive zero-knowledge proof corresponding to the partial signature;
[0081] The aggregation module enables aggregators to collect and verify partial signatures, filter out the set of valid signatures, aggregate them to generate the final signature, and generate a commitment ciphertext containing threshold value information.
[0082] The verification module is used to enable verifiers to verify the final signature. If the verification passes, the signature is confirmed to be valid.
[0083] The traceability module is used to activate the traceability mechanism when verification fails and a dispute arises, allowing the tracer to track the signature group.
[0084] The key refresh module is used to periodically refresh the key share based on the block mapping relationship.
[0085] Based on the technical solution of this invention, the following case scenario illustrates the implementation process of this invention in practical applications. The specific application implementation scheme is as follows:
[0086] Simulation experiments were conducted to assess the communication overhead and latency of this invention. The experiments used the PBC (Pairing-Based Cryptography) library (version 0.5.14) for performance evaluation of the core bilinear pairing operation and the GMP (GNU Multiple Precision) arithmetic library for handling high-concurrency large number operations. Furthermore, the communication efficiency was tested in a vehicular ad hoc network scenario using the NS-3 (version 3.37) network simulator.
[0087] All tests were run on a laptop equipped with an 11th Gen Intel® Core™ i5-11400H @ 2.70GHz (2.69GHz) processor and 16 GB of memory. The experimental environment was deployed in a virtual machine running Ubuntu 22.04 LTS (64-bit).
[0088] Through theoretical analysis and simulation experiments, Figure 2 This paper presents a comparison of the communication overhead between the present invention and existing technologies such as the actively refreshed traceable anonymous threshold signature TAPS-PR and the traceable anonymous threshold signature Schnorr-TAPS based on the Schnorr mechanism.
[0089] Experimental results show that the present invention is significantly superior to the comparative scheme. At different threshold values... and number of participants In this scenario, because the present invention fully utilizes the linear homomorphic aggregation characteristic of BLS signatures, it successfully compresses the redundant identity and qualification proofs in traditional schemes. Analysis data shows that as the number of participating vehicles increases, the bandwidth consumption of existing schemes increases linearly and significantly, while the aggregated signature proof packet generated by the present invention maintains extremely high compactness (reduced from 480 bytes to 172 bytes), improving bandwidth efficiency by more than 60%.
[0090] Figure 3 This paper presents a comparison of the time consumption and latency of the present invention at different functional stages (signing, verification, tracking, and refreshing). Experimental data shows that the present invention significantly outperforms TAPS-PR and Schnorr-TAPS in both response speed for single signature generation and identity tracking efficiency in complex scenarios. Particularly in the key refresh stage, thanks to the SBIBD communication optimization mechanism introduced in this invention, the system reduces the traditional... The complexity of full node interaction is refactored into The localized interaction ensures that even with 100 nodes, the refresh latency remains low at the millisecond level, effectively avoiding communication congestion in large-scale distributed networks. Through comprehensive comparative analysis with existing technologies, this invention significantly reduces the resource load on the system in terms of computation and communication while guaranteeing decentralized traceability and identity anonymity. This innovative design provides a highly efficient and practical optimized solution for large-scale distributed authentication environments (such as vehicle-to-everything (V2X) networks).
[0091] The innovative aspects of this invention are as follows:
[0092] 1. This invention constructs a threshold-traceable privacy-preserving signature scheme based on the BLS framework. This scheme achieves deep functional integration of signer anonymity, threshold value concealment, traceability, and proactive refresh within the BLS signature architecture. Leveraging the short signature characteristic and linear homomorphic aggregation advantage of BLS signatures, it overcomes the performance bottleneck of traditional non-linear signature schemes (such as EdDSA) in large-scale message batch processing, significantly improving the system's processing efficiency in complex authentication scenarios.
[0093] 2. This invention proposes a communication topology optimization mechanism based on Symmetric Balanced Incomplete Block Design (SBIBD). This mechanism addresses the broadcast storm problem in large-scale distributed node environments by mapping participating nodes to a block association matrix, thus reducing the traditional... The fully connected distributed key generation process is transformed into a sparse intra-block interaction pattern. This design successfully reduces the communication complexity and peak bandwidth consumption of a single node from... Reduce to This greatly enhances the protocol's scalability and dynamic adaptability in environments with a large number of nodes.
[0094] 3. This invention proposes an optimized method for information security protection and traceability. This method constructs efficient non-interactive verification logic by combining bilinear pairing technology and ElGamal encrypted encapsulation mechanism. It also conceals the threshold value from the public. and specific signature node set At the same time, it ensures that the tracker has a definite decryption and accountability capability; that is, the tracker does not need to go through complex brute-force matching, but can directly restore the signer's identity through the private key. Experimental data shows that this method improves bandwidth efficiency by more than 60% compared to existing EdDSA schemes while maintaining high security strength.
[0095] The above description is merely a detailed explanation of preferred embodiments and principles of the present invention. For those skilled in the art, there may be changes in specific implementation methods based on the ideas provided by the present invention, and these changes should also be considered within the scope of protection of the present invention.
Claims
1. A BLS-based traceable security threshold signature method based on distributed key generation, characterized in that, Includes the following steps; S1, generate a bilinear pairing environment and initialize common safety parameters; S2, Based on the public security parameters, the block mapping relationship is determined based on the symmetric balanced incomplete block design. Each participant interacts within the block to generate their respective key share and the system's global public key. S3, the signer performs a partial signature on the message and a non-interactive zero-knowledge proof corresponding to the partial signature based on the corresponding key share; S4, the aggregator collects and verifies some signatures, filters out the set of valid signatures, aggregates them to generate the final signature, and generates a commitment ciphertext containing threshold value information; S5, the verifier verifies the final signature, and if the verification passes, the signature is confirmed to be valid; S6. When verification fails and a dispute arises, the tracking mechanism is activated, and the tracker tracks the group of signatories. S7. Based on the block mapping relationship in step S2, the key share is actively refreshed periodically.
2. The BLS traceable security threshold signature method based on distributed key generation according to claim 1, characterized in that, Step S1 includes the following steps: S11, Select security parameters, generate bilinear pairing environment and its bilinear mapping, and determine the independent generators and message mapping functions of the first group, the second group and the target group; S12, preset system threshold and node size, and calculate the parameters of the symmetric balanced incomplete block design through an adaptive parameter selection algorithm. The parameters include the number of blocks, the number of nodes in each block and the intersection constant. S13, output public safety parameters including the bilinear pairing parameters, threshold values, node size, and block design parameters.
3. The BLS traceable security threshold signature method based on distributed key generation according to claim 2, characterized in that, Step S2 includes the following steps: S21, each node selects a random polynomial and broadcasts the Feldman commitments for the corresponding coefficients; S22, determine the block mapping relationship, each node in the block calculates the key share for other nodes in the block, encrypts it and sends it to the block leader; the block leader aggregates the ciphertext using the additive homomorphic property and sends it back to the target node; the target node decrypts to obtain the aggregated share, and calculates the final private key share in combination with its own generated share, thereby generating the identity binding commitment and the node public key; All nodes contribute to generating the system's global public key; S23, the tracker randomly selects a tracking private key and generates a corresponding public key.
4. The BLS traceable security threshold signature method based on distributed key generation according to claim 3, characterized in that, Step S3 includes the following steps: S31, the signing node uses its private key share to calculate a partial signature on the message; the signing node defines a Σ-protocol relationship for proving the validity of the private key, the consistency of the commitment, and the correctness of the partial signature, and generates a non-interactive zero-knowledge proof; S32, the signing node sends the partial signature, zero-knowledge proof, and corresponding public key to the aggregator.
5. The BLS traceable security threshold signature method based on distributed key generation according to claim 4, characterized in that, Step S4 includes the following steps: S41, the aggregator verifies the validity of the collected partial signatures, filters out the valid signature set, selects the subset of signatures that meet the threshold number, and generates a signer index vector with a length equal to the number of blocks; S42, Calculate the Lagrange interpolation coefficients based on the signature subset, and aggregate them to generate a global aggregate signature; The aggregator uses the ElGamal encapsulation mechanism, an asymmetric encryption system based on the discrete logarithm problem, to encapsulate the threshold value into ciphertext, and outputs the aggregated signature and the signer index vector after encrypting them using a key derivation function; S43, the aggregator generates a corresponding non-interactive zero-knowledge proof based on the aggregate signature, threshold value, and signer index vector. The non-interactive zero-knowledge proof is used to verify the correctness of the ciphertext encapsulated content.
6. The BLS traceable security threshold signature method based on distributed key generation according to claim 5, characterized in that, Step S5 includes the following steps: S51, the verifier uses public parameters to perform logical verification on the output signature and proof; if the verification passes, the signature is confirmed to be valid; if the verification fails and a dispute occurs, the tracking mechanism is triggered.
7. The BLS traceable security threshold signature method based on distributed key generation according to claim 6, characterized in that, Step S6 includes the following steps: S61, when a dispute arises during the verification phase, the tracking mechanism is activated. The tracker calculates the shared key based on the tracking private key it holds and uses the key derivation function KDF to recover the mask. By restoring the signer index vector, the specific node identity participating in the signing is located based on the position marked as the participation status in the index vector.
8. The BLS traceable security threshold signature method based on distributed key generation according to claim 7, characterized in that, Step S7 includes the following steps: S71, based on the generated initial state, the system periodically starts the refresh process; each node selects a random polynomial with a constant term of zero; S72, nodes exchange polynomial fragments only within the local topology of the symmetric balanced incomplete block design. The receiving node collects all fragments received within its block and updates the corresponding private key share, while keeping the system's global public key unchanged.
9. A BLS-based traceable security threshold signature system based on distributed key generation, used to implement the BLS-based traceable security threshold signature method based on distributed key generation as described in any one of claims 1-8, characterized in that, The BLS traceable security threshold signature system based on distributed key generation includes: The initialization module is used to generate a bilinear pairing environment and initialize common safety parameters; The key generation module is used to determine the block mapping relationship based on the public security parameters and the symmetric balanced incomplete block design. Each participant interacts within the block to generate their own key share and the system's global public key. The signature module is used by the signer to partially sign the message according to the corresponding key share and to generate a non-interactive zero-knowledge proof corresponding to the partial signature; The aggregation module enables aggregators to collect and verify partial signatures, filter out the set of valid signatures, aggregate them to generate the final signature, and generate a commitment ciphertext containing threshold value information. The verification module is used to enable verifiers to verify the final signature. If the verification passes, the signature is confirmed to be valid. The traceability module is used to activate the traceability mechanism when verification fails and a dispute arises, allowing the tracer to track the signature group. The key refresh module is used to periodically refresh the key share based on the block mapping relationship.