We present the first threshold ML-DSA (FIPS 204) scheme achieving statistical share privacy (no computational assumptions) with arbitrary thresholds, while producing standard 3.3 KB signatures verifiable by unmodified implementations. Our primary technique, Shamir nonce DKG, jointly generates the signing nonce so that both the nonce and the long-term secret are degree-(T-1) Shamir sharings. This gives the honest party's nonce share conditional min-entropy exceeding 5x the secret-key entropy for signing sets of size at most 17. In coordinator-based profiles (P1, P3+), this removes the two-honest requirement (it suffices that the signing set size is at least T); in the fully distributed profile (P2), we additionally require at least two non-coordinator honest parties for mask-hiding. Key privacy of the aggregate signature relies on the same lattice hardness as single-signer ML-DSA (an open problem in the literature). As a secondary technique, pairwise-canceling masks handle three challenges unique to lattice-based threshold signing: the infinity-norm rejection check on z, secure r0-check evaluation without leaking cs2, and EUF-CMA security under the resulting Irwin-Hall nonce distribution. A direct shift-invariance analysis gives per-session loss below 0.013 bits (below 0.007 bits when the signing set size is at most 17); over qs signing sessions the total loss is below 0.013qs bits, eliminating the scalability gap in prior work. We give three deployment profiles with complete UC proofs: P1 (TEE, 5.8 ms for 3-of-5), P2 (MPC, 5 rounds, 22 ms), and P3+ (2PC semi-async, 22 ms). Our Rust implementation supports thresholds from 2-of-3 to 32-of-45 with sub-100 ms latency and about 21-45 percent success rates.
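The linearity that Shamir nonce DKG relies on, shown as an added Python example (not the paper's Rust implementation): when both the long-term secret and the nonce are degree-(T-1) Shamir sharings, each signer's local z_i = y_i + c·s_i is itself a share of z = y + c·s, so any T of them Lagrange-combine to exactly the single-signer value. Assumed simplifications of my own: a toy ring degree N = 8 instead of 256, a challenge with coefficients in {-1, 0, 1}, and no centered reduction or infinity-norm check on z.

```python
import secrets
Q = 8380417  # ML-DSA prime modulus, reused here as the Shamir field
N = 8        # toy ring degree (ML-DSA uses 256); arithmetic is mod X^N + 1

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_mul(a, b):  # negacyclic convolution, X^N = -1, as in the ML-DSA ring
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % N] += x * y if i + j < N else -x * y
    return [v % Q for v in out]

def share(poly, t, n):  # degree-(t-1) Shamir sharing per coefficient; party i holds f(i)
    polys = [[c % Q] + [secrets.randbelow(Q) for _ in range(t - 1)] for c in poly]
    return {i: [sum(a * pow(i, e, Q) for e, a in enumerate(f)) % Q for f in polys]
            for i in range(1, n + 1)}

def lagrange_at_zero(ids):  # lambda_i with sum(lambda_i * f(i)) == f(0)
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        lam[i] = num * pow(den, Q - 2, Q) % Q
    return lam

def reconstruct(shares):
    lam = lagrange_at_zero(list(shares))
    acc = [0] * N
    for i, sh in shares.items():
        acc = ring_add(acc, [(lam[i] * x) % Q for x in sh])
    return acc

def threshold_response(s_shares, y_shares, c, signing_set):
    # Each signer computes z_i = y_i + c*s_i locally; Lagrange-combining any T of
    # them yields z = y + c*s because Shamir sharing is linear in the shared values.
    return reconstruct({i: ring_add(y_shares[i], ring_mul(c, s_shares[i]))
                        for i in signing_set})

def demo(t=3, n=5):
    s = [secrets.randbelow(5) - 2 for _ in range(N)]  # eta=2 style small secret
    y = [secrets.randbelow(Q) for _ in range(N)]      # nonce, Shamir-shared like s
    c = [secrets.randbelow(3) - 1 for _ in range(N)]  # toy challenge in {-1,0,1}
    s_sh, y_sh = share(s, t, n), share(y, t, n)
    expected = ring_add(y, ring_mul(c, s))            # what a single signer computes
    return all(threshold_response(s_sh, y_sh, c, ss) == expected
               for ss in ([1, 2, 3], [2, 4, 5], [1, 3, 4, 5]))
```

Because the combination is a fixed linear map, the coordinator never needs the unshared nonce or secret, which is the property the share-privacy argument builds on.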