We present masked Lagrange reconstruction, a technique that enables threshold ML-DSA (FIPS 204) with arbitrary thresholds $T$ while producing standard 3.3 KB signatures verifiable by unmodified FIPS 204 implementations. Concurrent approaches have limitations: Bienstock et al. (ePrint 2025/1163) achieve arbitrary $T$ but require honest-majority and 37-136 rounds; Celi et al. (ePrint 2026/013) achieve dishonest-majority but are limited to $T \leq 6$. Our technique addresses the barrier that Lagrange coefficients grow as $Θ(q)$ for moderate $T$, making individual contributions too large for ML-DSA's rejection sampling. Unlike ECDSA threshold schemes where pairwise masks suffice for correctness, ML-DSA requires solving three additional challenges absent in prior work: (1) rejection sampling on $\|z\|_\infty$ must still pass after masking, (2) the $r_0$-check exposes $c s_2$ enabling key recovery if unprotected, and (3) the resulting Irwin-Hall nonce distribution must preserve EUF-CMA security. We solve all three. We instantiate this technique in three deployment profiles with full security proofs. Profile P1 (TEE-assisted) achieves 3-round signing with a trusted coordinator, with EUF-CMA security under Module-SIS. Profile P2 (fully distributed) eliminates hardware trust via MPC in 8 rounds, achieving UC security against malicious adversaries corrupting up to $n-1$ parties. Profile P3 (2PC-assisted) uses lightweight 2PC for the $r_0$-check in 3-5 rounds, achieving UC security under a 1-of-2 CP honest assumption with the best empirical performance (249ms). Our scheme requires $|S| \geq T+1$ signers and achieves success rates of 23-32%, matching single-signer ML-DSA.

翻译：本文提出掩码拉格朗日重构技术，该技术能够实现支持任意阈值$T$的阈值ML-DSA（FIPS 204）方案，同时生成可由未经修改的FIPS 204实现验证的标准3.3 KB签名。现有并行方案存在局限：Bienstock等人（ePrint 2025/1163）实现了任意$T$但需要诚实多数假设且需37-136轮交互；Celi等人（ePrint 2026/013）支持不诚实多数假设但仅限于$T \leq 6$。我们的技术突破了拉格朗日系数在中等$T$值时以$Θ(q)$增长带来的障碍，该增长会导致个体贡献值过大而无法通过ML-DSA的拒绝采样。与ECDSA阈值方案中仅需成对掩码即可保证正确性不同，ML-DSA需要解决先前工作中未涉及的三个额外挑战：（1）掩码处理后仍需通过基于$\|z\|_\infty$的拒绝采样；（2）$r_0$校验会暴露$c s_2$，若未加保护将导致密钥恢复；（3）最终形成的Irwin-Hall随机数分布必须保持EUF-CMA安全性。我们成功解决了所有三个挑战。我们在三种部署配置中实例化了该技术并提供了完整的安全性证明。配置P1（TEE辅助）通过可信协调器实现3轮签名，在Module-SIS假设下达到EUF-CMA安全。配置P2（完全分布式）通过8轮MPC消除了硬件信任假设，在恶意敌手可腐化至多$n-1$参与方的情况下实现UC安全。配置P3（2PC辅助）采用轻量级2PC处理$r_0$校验，通过3-5轮交互在1-of-2 CP诚实假设下实现UC安全，并获得最佳实证性能（249ms）。本方案要求签名者集合$|S| \geq T+1$，成功率达到23-32%，与单签名者ML-DSA保持一致。