FIPS 204-Compatible Threshold ML-DSA via Shamir Nonce DKG
About
We present the first threshold ML-DSA (FIPS 204) scheme achieving nonce share privacy (conditional min-entropy guarantee; no computational assumptions) with arbitrary thresholds, while producing standard 3.3 KB signatures verifiable by unmodified implementations. Our primary technique, Shamir nonce DKG, generates the signing nonce as a degree-$(T-1)$ Shamir sharing, matching the structure of the long-term secret. This gives each honest party's nonce share conditional min-entropy exceeding $5\times$ the secret-key entropy for signing sets of size at most 17. In coordinator-based profiles (P1, P3+), this removes the two-honest requirement ($|S| \geq T$ suffices); in the fully distributed profile (P2), mask-hiding additionally requires $|S \setminus C| \geq 2$. Key privacy of the aggregate signature is an open problem, analogous to single-signer ML-DSA. As a secondary technique, pairwise-canceling PRF masks handle three challenges unique to lattice-based threshold signing: commitment binding, the r0-check predicate, and response aggregation.
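As an added example (not code from the paper), the scalar algebra behind Shamir nonce DKG: every signer contributes a random degree-(T-1) polynomial, nonce shares are summed, and because the long-term secret is held in the same degree-(T-1) sharing, the partial responses z_i = y_i + c*s_i form a degree-(T-1) sharing of z = y + c*s that any T of them reconstruct. It assumes a single scalar modulo the ML-DSA q = 8380417 in place of FIPS 204 polynomial vectors, party ids 1..n, and omits the commitment, r0-check and PRF-mask steps.

```python
import secrets

Q = 8380417  # ML-DSA modulus; scalars stand in for polynomial coefficients (assumption)

def eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x modulo Q."""
    return sum(a * pow(x, i, Q) for i, a in enumerate(coeffs)) % Q

def shamir_share(secret, threshold, ids):
    """Degree-(threshold-1) Shamir sharing of `secret` for the given party ids."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {i: eval_poly(coeffs, i) for i in ids}

def lagrange_reconstruct(shares):
    """Recover f(0) from points {i: f(i)} by Lagrange interpolation (needs >= threshold points)."""
    total = 0
    for i, y_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + y_i * num * pow(den, -1, Q)) % Q
    return total

def nonce_dkg(threshold, signers):
    """Shamir nonce DKG: each signer picks a random degree-(T-1) polynomial and
    deals it to the signing set; a party's nonce share is the sum of what it received.
    The nonce y is the sum of the constant terms and is never held by any single party."""
    contributions = [shamir_share(secrets.randbelow(Q), threshold, signers) for _ in signers]
    return {i: sum(c[i] for c in contributions) % Q for i in signers}

def partial_responses(y_shares, s_shares, c):
    """z_i = y_i + c*s_i; both inputs are degree-(T-1) sharings, so z_i shares z = y + c*s."""
    return {i: (y_shares[i] + c * s_shares[i]) % Q for i in y_shares}

def demo(n=5, threshold=3, c=17):
    """Run one signing round with |S| = T and check the aggregated response algebraically."""
    ids = list(range(1, n + 1))
    s = secrets.randbelow(Q)                       # long-term secret (scalar model)
    s_shares = shamir_share(s, threshold, ids)     # dealt once at key generation
    signers = ids[:threshold]                      # a minimal signing set S, |S| = T
    y_shares = nonce_dkg(threshold, signers)
    y = lagrange_reconstruct(y_shares)             # only for the check; no party learns y
    z = lagrange_reconstruct(partial_responses(y_shares, s_shares, c))
    return z == (y + c * s) % Q
```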
Related benchmarks
| Task | Dataset | Result | Rank |
|---|---|---|---|
| Threshold Digital Signature | ML-DSA FIPS 204 | Rnd 5 | 9 |
| Threshold Signature Generation | ML-DSA-65 n=5, t=3 Standard | Randomness Score (Rnd) 5 | 6 |