ML-DSA · threshold signing · 3 of 3

The abort comes too late

A single signer checks |z| ≤ bound and, on failure, aborts and resamples before z is ever sent — the leaky value never leaves. In the threshold setting the bound can only be checked on the combined z = Σ z_i, so the partials must go out first. If the combined z then fails, aborting can't unsend them.
Each partial z_i = y_i + c·s_i is correlated with that signer's share s_i — the previous visualisation showed leaking a secret. Single-signer safety relies on discarding a failing z before anyone sees it; once the partials are combined they have already been revealed, so the discard protects nothing. This is why threshold ML-DSA needs extra machinery (masking / noise flooding, or a commit-then-open round) rather than a plain sum-and-check.