Mithril

A Practical, ML-DSA-Compatible Threshold Signature Scheme

  • First practical ML-DSA-compatible threshold scheme (up to 6 parties).
  • 3 rounds per signing attempt.
  • Executes in milliseconds and is WAN-friendly.

Summary

Threshold signatures enable multiple participants to collaboratively produce a digital signature, ensuring both fault tolerance and decentralization. These schemes have seen growing adoption in classical cryptography, notably thanks to their compatibility with existing signature standards such as RSA, Schnorr, and ECDSA. This compatibility facilitates seamless integration into existing systems and enhances trust in the deployed solutions, as the cryptographic community has long vetted these standards. It appears crucial to achieve the same compatibility in the post-quantum setting and to obtain distributed variants of the recent NIST post-quantum standards.

This work introduces the first practical ML-DSA-compatible threshold signature scheme, which supports up to 6 users and requires only 3 rounds of communication per signing attempt. The protocol is computationally efficient, with transcripts computed in milliseconds and communication costs ranging from 10.5 kB to 525 kB. This allows for a full signing execution in a few hundred milliseconds, even in a WAN setting. Our construction leverages recent results from the Finally! signature scheme, performs per-party rejection-based signing, and uses critical optimizations to adhere to ML-DSA parameters while maintaining high efficiency. A full implementation with benchmarks is provided to demonstrate its real-world practicality.

Performance Highlights

Our scheme demonstrates excellent performance in both local and distributed environments. The benchmarks below are for Mithril, parameter set 44 of ML-DSA.

Communication Costs (Mithril-44)

N ↓ | T →   2          3          4          5          6
2           10.5 kB
3           15.8 kB    21.0 kB
4           15.8 kB    36.8 kB    42.0 kB
5           15.8 kB    73.5 kB    157.4 kB   84.0 kB
6           21.0 kB    99.8 kB    388.4 kB   524.8 kB   194.2 kB

Total communication costs for a success probability of 1/2.

We also measured signing latency in LAN and WAN networks, which shows that the protocol is network-bound. Even in geographically distributed settings, a signing attempt consistently concluded in under 1 s, showing the practicality of our protocol for real-world applications.

Meet the Team

This work is the result of a collaboration between researchers from leading institutions in academia and industry.

  • Sofía Celi (Brave Research & University of Bristol)
  • Gustavo Delerue (PQShield)
  • Rafael del Pino (PQShield)
  • Thomas Espitau (PQShield)
  • Guilhem Niot (PQShield & Univ Rennes, CNRS, IRISA)
  • Thomas Prest (PQShield)

Resources & Implementation

Papers

- Efficient Threshold ML-DSA (USENIX Security 2026)

Read the Full Paper

Code

Open-source proof-of-concept implementation.

View on GitHub