We present the first threshold ML-DSA (FIPS 204) scheme achieving information-theoretic share privacy with arbitrary thresholds while producing standard 3.3 KB signatures verifiable by unmodified implementations. Our primary technique is Shamir nonce DKG: parties jointly generate the signing nonce via a distributed key generation protocol, so that both the nonce and the long-term secret are degree-$(T-1)$ Shamir sharings. This yields statistical distance zero between the adversary's view and a uniform distribution, eliminating the two-honest requirement for response privacy ($|S| \geq T$ suffices, not $|S| \geq T+1$) and requiring no computational assumptions. As a secondary technique, we introduce pairwise-canceling masks (requiring $|S \setminus C| \geq 2$) for commitment and r0-check values, addressing the three challenges unique to lattice-based threshold signing: the $\lVert \mathbf{z} \rVert_\infty$ rejection sampling check, secure evaluation of the r0-check without leaking $c\mathbf{s}_2$, and EUF-CMA security under the resulting Irwin-Hall nonce distribution. We instantiate these techniques in three deployment profiles with complete UC proofs. Profile P1 uses a TEE coordinator (3 online rounds plus 1 offline preprocessing round, 6ms). Profile P2 eliminates hardware trust via MPC (5 rounds, 22ms for small thresholds). Profile P3+ uses lightweight 2PC with semi-asynchronous signing (2 logical rounds, 22ms), where signers precompute nonces offline and respond within a time window. Our Rust implementation scales from 2-of-3 to 32-of-45 thresholds with sub-100ms latency (P1 and P3+) and success rates of $\approx$21-45%, comparable to single-signer ML-DSA.

翻译：我们提出了首个门限ML-DSA（FIPS 204）方案，该方案在产生可由未修改实现验证的标准3.3 KB签名的同时，实现了任意门限下的信息论份额隐私。我们的核心技术是Shamir临时数分布式密钥生成：参与方通过分布式密钥生成协议共同生成签名临时数，使得临时数与长期密钥均为$(T-1)$次Shamir秘密共享。这导致敌手视图与均匀分布之间的统计距离为零，从而消除了响应隐私对两个诚实方的要求（仅需$|S| \geq T$而非$|S| \geq T+1$），且无需计算假设。作为辅助技术，我们针对承诺值与r0校验值引入了成对抵消掩码（要求$|S \setminus C| \geq 2$），以解决格基门限签名特有的三个挑战：$\lVert \mathbf{z} \rVert_\infty$拒绝采样检验、在不泄露$c\mathbf{s}_2$的前提下安全计算r0校验、以及在所得Irwin-Hall临时数分布下的EUF-CMA安全性。我们在三个部署配置中实例化了这些技术并提供了完整的UC证明。配置P1使用可信执行环境协调器（3个在线轮次加1个离线预处理轮次，6ms）。配置P2通过安全多方计算消除硬件信任（5个轮次，小门限下22ms）。配置P3+采用轻量级两方计算与半异步签名（2个逻辑轮次，22ms），其中签名者离线预计算临时数并在时间窗口内响应。我们的Rust实现支持从2-of-3到32-of-45的门限范围，延迟低于100ms（P1与P3+），成功率约21-45%，与单签名者ML-DSA相当。