New Masked Lagrange Reconstruction Enables Arbitrary-Threshold ML-DSA Signatures with Standard Size
A research team has introduced a technique called masked Lagrange reconstruction that allows threshold implementations of the ML‑DSA algorithm (specified in FIPS 204) to support any threshold T while producing the standard 3.3 KB signatures compatible with unmodified FIPS 204 verifiers. The method preserves the signature format and verification process, addressing a longstanding barrier in post‑quantum threshold cryptography.
Background
Prior attempts at threshold ML‑DSA have faced notable constraints. Bienstock et al. (ePrint 2025/1163) achieved arbitrary thresholds but required an honest‑majority assumption and a communication complexity of 37–136 rounds. Celi et al. (ePrint 2026/013) removed the honest‑majority requirement but limited thresholds to six or fewer signers. These limitations have hindered broader deployment of threshold signatures in quantum‑resistant contexts.
Technical Challenges
The authors identify three specific obstacles that differentiate ML‑DSA from earlier threshold schemes such as ECDSA. First, rejection sampling on the infinity norm of the intermediate value z must remain successful after applying masks. Second, the r₀‑check reveals the product c·s₂, which can enable key recovery if left unprotected. Third, the resulting Irwin‑Hall distribution of nonces must retain EUF‑CMA security guarantees. Additionally, Lagrange coefficients grow on the order of Θ(q) for moderate thresholds, inflating individual contributions beyond acceptable limits for ML‑DSA’s rejection sampling.
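The coefficient-size obstacle can be seen numerically. The following is an added illustration, not code from the paper: it assumes the FIPS 204 ML-DSA-65 parameters (the set whose signatures are about 3.3 KB), and the signer indices, secret coefficient and RNG seed are constructed sample values.

```python
import random

# FIPS 204 parameters for ML-DSA-65 (choice of parameter set is an assumption).
Q = 8380417              # modulus q
GAMMA1 = 1 << 19         # gamma1
BETA = 49 * 4            # beta = tau * eta
Z_BOUND = GAMMA1 - BETA  # signing rejects z when ||z||_inf >= gamma1 - beta


def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def lagrange_at_zero(signers):
    """Lagrange coefficients lambda_i(0) mod Q for distinct nonzero indices."""
    coeffs = {}
    for i in signers:
        num, den = 1, 1
        for j in signers:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs


def share(secret, degree, n, rng):
    """Shamir-share one small coefficient with a random degree-`degree` polynomial."""
    poly = [secret % Q] + [rng.randrange(Q) for _ in range(degree)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(poly)) % Q
            for x in range(1, n + 1)}


def demo(signers, secret=3, n=10, seed=1):
    """Return (coefficients, per-signer weighted shares, reconstructed secret)."""
    shares = share(secret, len(signers) - 1, n, random.Random(seed))
    lam = lagrange_at_zero(signers)
    contribs = {i: centered(lam[i] * shares[i]) for i in signers}
    return lam, contribs, centered(sum(contribs.values()))


if __name__ == "__main__":
    lam, contribs, total = demo([1, 2, 4])
    print({i: centered(v) for i, v in lam.items()}, "bound:", Z_BOUND)
    print(contribs, "reconstructed:", total)
```

For the signer set {1, 2, 4} the coefficients 8/3 and 1/3 reduce to values near q/3, several times larger than γ₁ − β, even though the weighted shares still sum to the small secret.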
Proposed Technique
Masked Lagrange reconstruction resolves the identified challenges by integrating masking operations that preserve the statistical properties required for secure signing while keeping Lagrange coefficients within acceptable bounds. The approach works with any threshold T, provided that the number of participants |S| is at least T + 1, and it does not alter the final signature format.
Deployment Profiles
The paper describes three concrete deployment configurations. Profile P1 employs a trusted execution environment (TEE) as a coordinator, achieving a three‑round signing protocol with EUF‑CMA security under the Module‑SIS assumption. Profile P2 eliminates hardware trust by using multi‑party computation (MPC) across eight rounds, delivering universal composability (UC) security against malicious adversaries that may corrupt up to n − 1 parties. Profile P3 combines lightweight two‑party computation (2PC) for the r₀‑check with three to five rounds, attaining UC security under a one‑of‑two honest‑majority assumption and reporting an empirical signing latency of 249 ms.
Performance and Security
Across all profiles, the scheme maintains success rates between 23 % and 32 %, which aligns with the performance of single‑signer ML‑DSA. The security proofs cover EUF‑CMA for the TEE‑assisted variant and UC security for the fully distributed and 2PC‑assisted variants, addressing both honest‑ and dishonest‑majority threat models.
Implications
By enabling arbitrary‑threshold signing without expanding signature size or requiring protocol‑specific verification changes, masked Lagrange reconstruction broadens the practical applicability of post‑quantum threshold signatures. Organizations that rely on FIPS‑204 compliance can adopt the technique without modifying existing verification infrastructure, potentially accelerating the integration of quantum‑resistant cryptography into distributed systems.
Future Directions
The authors note that the TEE‑assisted profile depends on hardware trust assumptions, while the fully distributed profile incurs higher communication overhead. Ongoing work may focus on reducing round complexity for the MPC‑only variant and exploring alternative masking strategies that further improve success rates.
This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.