TALUS: Threshold ML-DSA with One-Round Online Signing via Boundary Clearance and Carry Elimination

Leo Kao

Abstract

Deploying ML-DSA (FIPS 204) in threshold settings has remained an open problem: the scheme's inherently non-linear rounding step defeats the additive share techniques that underpin practical threshold schemes for elliptic-curve signatures such as FROST. We present TALUS, the first threshold ML-DSA construction that achieves one-round online signing with >99% online success, while producing standard signatures verifiable by any unmodified ML-DSA verifier. We formalise this as the Lattice Threshold Trilemma, proving that no group homomorphism from the ML-DSA nonce space into any abelian group can simultaneously be hiding and binding, ruling out all possible homomorphic commitment schemes. TALUS overcomes this barrier with two techniques. The Boundary Clearance Condition (BCC) identifies nonces whose rounding residuals lie far enough from modular boundaries that the secret key component s2 has no effect on the signature; such nonces (approximately 31.7% of attempts) are filtered during offline preprocessing. The Carry Elimination Framework (CEF) then enables parties to compute the commitment hash input distributedly, without reconstructing the full nonce product. Together, BCC and CEF reduce online signing to a single broadcast round: each party sends one message and the coordinator assembles a valid FIPS 204 signature. We instantiate TALUS in two deployment profiles: TALUS-TEE (trusted execution environment, T-of-N) and TALUS-MPC (fully distributed, malicious security with identifiable abort for T >= 2). Security of both variants reduces to ML-DSA EUF-CMA. A Rust implementation across all three FIPS 204 security levels (ML-DSA-44, ML-DSA-65, ML-DSA-87) shows that TALUS-TEE completes a signing operation in 0.62--1.94 ms and TALUS-MPC in 2.27--5.02 ms (amortised, T=3), competitive with the fastest concurrent threshold ML-DSA proposals.

Paper Structure (206 sections, 44 theorems, 61 equations, 3 figures, 17 tables, 1 algorithm)

Key Result

Theorem 1 (Lattice Threshold Trilemma)

Let $q$ be prime, $n$ a power of $2$, and $R_q = \mathbb{Z}_q[X]/(X^n+1)$. Consequently, no single function achieves all three properties (homomorphism, hiding, binding) that make FROST's nonce commitment $g^k$ algebraically free.

Figures (3)

  • Figure 1: High-level architecture comparison. (a) TALUS-TEE: a trusted coordinator holds $\mathbf{s}_2$ and $\mathbf{t}_0$, computes $\mathbf{w}_1 = \mathsf{HighBits}(\mathbf{A}\hat{\mathbf{y}})$ centrally, and pre-filters nonces offline via BCC. (b) TALUS-MPC: all $N$ parties are equal; $\mathbf{w}_1$ is computed distributedly via the Carry-Safe Comparison Protocol (CSCP) in $3{+}$ offline rounds. Both variants share an identical 1-round online phase producing a FIPS 204-valid signature $\sigma = (\tilde{c}, \mathbf{z}, \mathbf{h})$.
  • Figure 2: Geometry of the Boundary Clearance Condition. Each coefficient $r_{0,j}$ of $\mathbf{r}_0$ lives in a stripe $[-\gamma_2, +\gamma_2)$ of width $\alpha = 2\gamma_2$. The gray boundary zones of width $\beta$ at each end are where $c\mathbf{s}_2$ may push $r_{0,j}$ across a rounding boundary; the white safe zone guarantees $\mathsf{HighBits}$ is preserved. BCC holds when every coefficient lies in the safe zone ($\|\mathbf{r}_0\|_\infty < \gamma_2 - \beta$), occurring with probability $p_{\mathsf{BCC}} \approx 31.7\%$ per nonce.
  • Figure 3: TALUS-MPC protocol flow for $N{=}3$ parties. Offline (3 rounds): Round 1 broadcasts nonce shares and CSA-compressed masks; Rounds 2--3 run the CSCP prefix cascade to recover the carry $c$ and correction $\delta$. Each party then computes $\mathbf{w}_1$ locally. Online (1 round): upon message arrival, the designated party computes the challenge $\tilde{c}$, each signer returns $\mathbf{z}_i$, and the assembler forms the final signature $\sigma = (\tilde{c}, \mathbf{z}, \mathbf{h})$.
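
The BCC test sketched in Figure 2 and the abstract, as an added example that is not the paper's own code: it implements FIPS 204 Decompose, checks whether every LowBits coefficient of a commitment vector $\mathbf{w}$ clears the boundary zone of width $\beta$, and gives a heuristic acceptance-rate estimate for each parameter set. The parameter values ($k$, $\gamma_2$, $\beta = \tau\eta$) are FIPS 204's; the uniform-and-independent assumption behind the estimate and the sample $\mathbf{w}$ are constructed here.

```python
import random

Q = 8380417          # ML-DSA modulus
N = 256              # ring degree

# Per-parameter-set values from FIPS 204: k = rows of A, gamma2 = low-order
# rounding range, beta = tau * eta = bound on ||c*s2||_inf.
PARAMS = {
    "ML-DSA-44": {"k": 4, "gamma2": (Q - 1) // 88, "beta": 39 * 2},
    "ML-DSA-65": {"k": 6, "gamma2": (Q - 1) // 32, "beta": 49 * 4},
    "ML-DSA-87": {"k": 8, "gamma2": (Q - 1) // 32, "beta": 60 * 2},
}

def mods(r, alpha):
    """Centred reduction r mod alpha, result in (-alpha/2, alpha/2]."""
    r %= alpha
    return r - alpha if r > alpha // 2 else r

def decompose(r, gamma2):
    """FIPS 204 Decompose: r = r1*(2*gamma2) + r0 (mod q); returns (HighBits, LowBits)."""
    r_plus = r % Q
    r0 = mods(r_plus, 2 * gamma2)
    if r_plus - r0 == Q - 1:          # wrap-around case at the top of the range
        return 0, r0 - 1
    return (r_plus - r0) // (2 * gamma2), r0

def bcc_holds(w, gamma2, beta):
    """Boundary Clearance Condition: ||LowBits(w)||_inf < gamma2 - beta.
    Then any c*s2 with ||c*s2||_inf <= beta cannot push a coefficient across a
    rounding boundary, so HighBits(w) == HighBits(w - c*s2) and s2 drops out."""
    return all(abs(decompose(c, gamma2)[1]) < gamma2 - beta
               for poly in w for c in poly)

def bcc_rate_estimate(k, gamma2, beta):
    """Heuristic per-nonce acceptance rate (assumption: each of the k*N LowBits
    coefficients is uniform on the stripe and independent of the others)."""
    return (1.0 - beta / gamma2) ** (k * N)

def sample_w(k, seed=0):
    """Constructed stand-in for A*y: k uniformly random polynomials mod q."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(k)]

if __name__ == "__main__":
    for name, p in PARAMS.items():
        w = sample_w(p["k"])
        rate = bcc_rate_estimate(p["k"], p["gamma2"], p["beta"])
        print(name, "BCC on sample:", bcc_holds(w, p["gamma2"], p["beta"]),
              "estimated rate: %.1f%%" % (100 * rate))
```

The heuristic gives roughly 32% for ML-DSA-65, in line with the 31.7% figure the paper reports, and different rates for the other two parameter sets because $k$, $\gamma_2$ and $\beta$ all change.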

Theorems & Definitions (124)

  • definition 1: $(T,N)$-Threshold Signature
  • definition 2: EUF-CMA
  • definition 3: Privacy
  • remark 1: Security Model
  • theorem 1: Lattice Threshold Trilemma
  • proof
  • remark 2: Role of prime $q$
  • remark 3: Perfect vs. computational binding
  • remark 4: Why discrete-log escapes the trilemma
  • corollary 1: Carry Resolution is Necessary
  • ...and 114 more