We present masked Lagrange reconstruction, a technique that enables threshold ML-DSA (FIPS 204) with arbitrary thresholds $T$ while producing standard 3.3 KB signatures verifiable by unmodified FIPS 204 implementations. Concurrent approaches have limitations: Bienstock et al. (ePrint 2025/1163) achieve arbitrary $T$ but require honest-majority and 37–136 rounds; Celi et al. (ePrint 2026/013) achieve dishonest-majority but are limited to $T \leq 6$. Our technique addresses the barrier that Lagrange coefficients grow as $\Theta(q)$ for moderate $T$, making individual contributions too large for ML-DSA's rejection sampling. Unlike ECDSA threshold schemes where pairwise masks suffice for correctness, ML-DSA requires solving three additional challenges absent in prior work: (1) rejection sampling on $\|z\|_\infty$ must still pass after masking, (2) the $r_0$-check exposes $c s_2$ enabling key recovery if unprotected, and (3) the resulting Irwin-Hall nonce distribution must preserve EUF-CMA security. We solve all three. We instantiate this technique in three deployment profiles with full security proofs. Profile P1 (TEE-assisted) achieves 3-round signing with a trusted coordinator, with EUF-CMA security under Module-SIS. Profile P2 (fully distributed) eliminates hardware trust via MPC in 8 rounds, achieving UC security against malicious adversaries corrupting up to $n-1$ parties. Profile P3 (2PC-assisted) uses lightweight 2PC for the $r_0$-check in 3–5 rounds, achieving UC security under a 1-of-2 CP honest assumption with the best empirical performance (249 ms). Our scheme requires $|S| \geq T+1$ signers and achieves success rates of 23–32%, matching single-signer ML-DSA.
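The barrier named in the abstract can be seen on a single coefficient. The following is an added illustration, not the paper's protocol or code: it assumes the ML-DSA-65 parameter set (the one with 3.3 KB signatures), plain Shamir sharing over $\mathbb{Z}_q$, and a generic pairwise-mask construction; the signer set, the value `z` and the seed are constructed.

```python
import random

Q = 8380417            # ML-DSA modulus q = 2^23 - 2^13 + 1
GAMMA1 = 1 << 19       # gamma_1 for ML-DSA-65 (assumed parameter set)
BETA = 49 * 4          # beta = tau * eta for ML-DSA-65
BOUND = GAMMA1 - BETA  # signing rejects when ||z||_inf >= gamma_1 - beta

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def lagrange_at_zero(signers):
    """Coefficients lambda_i that interpolate f(0) from the points in signers."""
    coeffs = {}
    for i in signers:
        num = den = 1
        for j in signers:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs

def share(secret, t, n, rng):
    """Shamir-share one coefficient with a degree-t polynomial over Z_Q."""
    poly = [secret % Q] + [rng.randrange(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(poly)) % Q for i in range(1, n + 1)}

def pairwise_masks(signers, rng):
    """Masks summing to 0 mod Q: for each pair i<j, i adds r_ij and j subtracts it."""
    masks = {i: 0 for i in signers}
    for a, i in enumerate(signers):
        for j in signers[a + 1:]:
            r = rng.randrange(Q)
            masks[i] = (masks[i] + r) % Q
            masks[j] = (masks[j] - r) % Q
    return masks

def demo(z=-123456, t=3, n=7, signers=(1, 3, 4, 7), seed=1):
    # Constructed inputs: z is a small response coefficient, |S| = t + 1 signers.
    rng = random.Random(seed)
    shares = share(z, t, n, rng)
    lam = lagrange_at_zero(signers)
    contrib = {i: lam[i] * shares[i] % Q for i in signers}
    masks = pairwise_masks(signers, rng)
    masked = {i: (contrib[i] + masks[i]) % Q for i in signers}
    oversized = [i for i in signers if abs(centered(contrib[i])) >= BOUND]
    return centered(sum(masked.values())), oversized
```

`demo()` returns the reconstructed coefficient and the signers whose individual Lagrange-weighted contribution alone would fail the $\|z\|_\infty$ bound; only the aggregate, where the masks cancel, is small.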