We present masked Lagrange reconstruction, a technique enabling threshold ML-DSA (FIPS 204) with arbitrary thresholds while producing standard 3.3 KB signatures verifiable by unmodified implementations. Existing approaches face fundamental limitations: noise flooding yields 5x larger signatures, breaking FIPS compatibility, while compact schemes are restricted to small thresholds (T <= 8) due to the Ball-Cakan-Malkin bound on binary-coefficient secret sharing. Our technique overcomes the barrier that Lagrange coefficients grow as Theta(q) for moderate T, making individual contributions too large for rejection sampling. We introduce pairwise-canceling masks that hide these coefficients while preserving correctness. Unlike ECDSA threshold schemes, ML-DSA presents three additional challenges: the ||z||_inf check must pass after masking, the r0-check must not leak cs_2, and the resulting Irwin-Hall nonce distribution must preserve EUF-CMA security. We solve all three with complete UC proofs. We instantiate this technique in three deployment profiles. Profile P1 uses a TEE coordinator (3 rounds, 6ms). Profile P2 eliminates hardware trust via MPC (5 rounds, 22ms for small thresholds, up to 194ms for T=16). Profile P3+ uses lightweight 2PC with semi-asynchronous signing, where signers precompute nonces offline and respond within a time window (2 logical rounds, 22ms), similar to FROST. Our Rust implementation scales from 2-of-3 to 32-of-45 thresholds. P1 and P3+ achieve sub-100ms latency for all configurations; P2 trades higher latency for eliminating hardware trust. Success rates of approximately 21-45% are comparable to single-signer ML-DSA's approximately 20-25%.
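The abstract's core idea, Lagrange reconstruction in which each signer's coefficient is hidden behind masks that cancel when the contributions are summed, can be seen in miniature with plain integers. The block below is an added, constructed illustration and not the paper's scheme or code: it works over the scalar field Z_q with the ML-DSA modulus q = 8380417 instead of the polynomial ring, it performs no rejection sampling and no ||z||_inf or r0 checks, and the function names (`shamir_share`, `pairwise_masks`, `masked_contributions`, `combine`) are this example's own. It shows two things the abstract only states: that the masks m_i, built from one random value per signer pair with opposite signs, sum to zero so the reconstruction is exact, and that the centered size of the Lagrange coefficients depends on which signer subset is active, staying small (binomial-sized) for consecutive indices but spreading across the whole field for a general subset.

```python
"""Scalar toy of Lagrange reconstruction with pairwise-canceling masks.

Constructed illustration, not the paper's construction: secrets and shares are
single integers mod q rather than ML-DSA polynomial vectors, and no rejection
sampling or norm checks are performed.
"""
import secrets
from itertools import combinations

Q = 8380417  # the ML-DSA (FIPS 204) modulus, used here as a scalar field (assumption of this toy)


def centered(x: int) -> int:
    """Map x in Z_q to its representative in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def shamir_share(secret: int, t: int, n: int) -> dict[int, int]:
    """T-of-N Shamir sharing over Z_q: share i is f(i) for a random degree-(t-1) f with f(0) = secret."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of f(i)
            acc = (acc * i + c) % Q
        shares[i] = acc
    return shares


def lagrange_coeff(i: int, subset) -> int:
    """Lagrange coefficient of node i at x = 0 over the active subset, as an element of Z_q."""
    num = den = 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q  # Fermat inverse; q is prime


def max_abs_coeff(subset) -> int:
    """Largest |lambda_i| in centered form: how large a raw lambda_i * s_i contribution can get."""
    return max(abs(centered(lagrange_coeff(i, subset))) for i in subset)


def pairwise_masks(subset) -> dict[int, int]:
    """One random r_ab per signer pair, added to a and subtracted from b, so the masks sum to zero."""
    masks = {i: 0 for i in subset}
    for a, b in combinations(sorted(subset), 2):
        r = secrets.randbelow(Q)  # known only to signers a and b
        masks[a] = (masks[a] + r) % Q
        masks[b] = (masks[b] - r) % Q
    return masks


def masked_contributions(shares, subset, masks) -> dict[int, int]:
    """Each signer publishes lambda_i * s_i + m_i; the coefficient and share sit behind the mask."""
    return {i: (lagrange_coeff(i, subset) * shares[i] + masks[i]) % Q for i in subset}


def combine(contribs) -> int:
    """Plain sum of the published values: masks cancel, Lagrange terms reconstruct f(0)."""
    return sum(contribs.values()) % Q


def demo(secret: int = 123456, t: int = 4, n: int = 7, subset=(1, 2, 3, 5)) -> dict:
    """Run one sharing + masked reconstruction and report the quantities worth checking."""
    shares = shamir_share(secret, t, n)
    masks = pairwise_masks(subset)
    contribs = masked_contributions(shares, subset, masks)
    return {
        "mask_sum": sum(masks.values()) % Q,       # always 0
        "reconstructed": combine(contribs),         # equals secret
        "max_abs_coeff": max_abs_coeff(subset),     # size of the largest hidden coefficient
    }


if __name__ == "__main__":
    print("consecutive subset (1,2,3,4):", max_abs_coeff((1, 2, 3, 4)))
    print("general subset     (1,2,3,5):", max_abs_coeff((1, 2, 3, 5)))
    print(demo())
```

Re-running `demo()` yields different masks and therefore different published contributions every time, while `reconstructed` is always the secret; that is the correctness half of the abstract's claim. The size comparison is the motivation half: for the subset (1, 2, 3, 4) the coefficients are the signed binomials 4, -6, 4, -1, whereas for (1, 2, 3, 5) one coefficient is 5/2 mod q, which in centered form has magnitude about q/2, far beyond anything a rejection-sampling bound on the order of 2^17 to 2^19 would accept.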