Abstract
Threshold signatures enable multiple participants to collaboratively produce a digital signature, ensuring both fault tolerance and decentralization. These schemes have seen growing adoption in classical cryptography, notably thanks to their compatibility with existing signature standards such as RSA, Schnorr, and ECDSA. This compatibility facilitates seamless integration into existing systems, and enhances trust in the deployed solutions as the cryptographic community has long vetted these standards. It appears crucial to also achieve such compatibility in the post-quantum setting, and obtain distributed variants of the recent NIST post-quantum standards.
This work introduces the first practical ML-DSA-compatible threshold signature scheme, which supports up to 6 users and requires only 3 rounds of communication per signing attempt. The protocol is computationally efficient, with transcripts computed in milliseconds and communication costs ranging from 10.5 kB to 525 kB. This allows for a full signing execution in a few hundred milliseconds, even in a WAN setting. Our construction leverages recent results from the Finally! signature scheme, performs per-party rejection-based signing, and uses critical optimizations to adhere to ML-DSA parameters while maintaining high efficiency. A full implementation with benchmarks is provided to demonstrate its real-world practicality.
Performance Highlights
Our scheme demonstrates excellent performance in both local and distributed environments. The benchmarks below are for the Threshold ML-DSA-44 security level.
Communication Costs (ML-DSA-44)
| N ↓ / T → | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|
| 2 | 10.5 kB | | | | |
| 3 | 15.8 kB | 21.0 kB | | | |
| 4 | 15.8 kB | 36.8 kB | 42.0 kB | | |
| 5 | 15.8 kB | 73.5 kB | 157.4 kB | 84.0 kB | |
| 6 | 21.0 kB | 99.8 kB | 388.4 kB | 524.8 kB | 194.2 kB |
We also measured signing latency in LAN and WAN networks, which shows that the protocol is network-bound. Even in geographically distributed settings, a signing attempt consistently completed in under 1 s, showing the practicality of our protocol for real-world applications.
Meet the Team
This work is the result of a collaboration between researchers from leading institutions in academia and industry.
- Sofia Celi (Brave Research & University of Bristol)
- Gustavo Delerue (PQShield)
- Rafael del Pino (PQShield)
- Thomas Espitau (PQShield)
- Guilhem Niot (PQShield & Univ Rennes, CNRS, IRISA)
- Thomas Prest (PQShield)
Resources & Implementation
Explore the full details of our scheme and access the open-source proof-of-concept implementation.