FIPS 204-Compatible Threshold ML-DSA via Shamir Nonce DKG

TL;DR

This paper introduces a threshold ML-DSA scheme compatible with FIPS 204 that ensures nonce share privacy using Shamir nonce DKG, producing standard signatures verifiable by existing implementations.

Contribution

It presents the first threshold ML-DSA scheme with nonce share privacy and arbitrary thresholds, utilizing Shamir nonce DKG for enhanced security and privacy guarantees.

Findings

Achieves nonce share privacy with min-entropy guarantees

Produces standard 3.3 KB signatures compatible with existing systems

Removes two-honest requirement in certain profiles

Abstract

We present the first threshold ML-DSA (FIPS 204) scheme achieving nonce share privacy (conditional min-entropy guarantee; no computational assumptions) with arbitrary thresholds, while producing standard 3.3 KB signatures verifiable by unmodified implementations. Our primary technique, Shamir nonce DKG, generates the signing nonce as a degree-$(T-1)$ Shamir sharing, matching the structure of the long-term secret. This gives each honest party's nonce share conditional min-entropy exceeding $5\times$ the secret-key entropy for signing sets of size at most 17. In coordinator-based profiles (P1, P3+), this removes the two-honest requirement ($|S| \geq T$ suffices); in the fully distributed profile (P2), mask-hiding additionally requires $|S \setminus C| \geq 2$. Key privacy of the aggregate signature is an open problem, analogous to single-signer ML-DSA. As a secondary technique, pairwise-canceling PRF masks handle three challenges unique to lattice-based threshold signing: commitment binding, the r0-check predicate, and response aggregation.