Mithril: Efficient Threshold ML-DSA from Secret Sharing with Short Shares

"Preview Talk" (by Team Mithril) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. This talk will present Mithril, an efficient threshold signature protocol for the Module-Lattice-based Digital Signature Algorithm (ML-DSA/FIPS 204). It is based on the paper “Efficient Threshold ML-DSA”, to appear at USENIX Security ’26, and we plan to submit Mithril as a proposal to the NIST MPTC Call. The proposed scheme resolves the core incompatibility between ML-DSA’s rejection sampling and multi-party computation by using replicated secret sharing with short shares. This enables local, per-party rejection sampling, thus avoiding the need for a costly global abort multi-party computation. The protocol supports both distributed key generation (DKG) and a posteriori sharing of an existing ML-DSA key, preserving the original public key. It is proven to be as secure as ML-DSA in the dishonest majority model and is fully compatible with verifiers for the ML-DSA standard. Our evaluation demonstrates practicality for any threshold T with at least up to N=6 parties, with per-party communication under 1 MB. Signing latency is under 20 ms locally, while it stays under 1s in a global WAN setting.

Joint work: Sofia Celi, Gustavo Delerue, Rafael del Pino, Guilhem Niot, Thomas Espitau, Thomas Prest.

[Slides] Suggested readings:

• Preview Writeup: Mithril: Efficient Threshold ML-DSA from Secret Sharing with Short Shares
• Efficient Threshold ML-DSA (ia.cr/2026/013)