- bytes_to_int and int_to_bytes: Convert a byte string to and from a non-negative integer.
bytes_to_int and int_to_bytes are implemented as OS2IP and I2OSP as described in
, respectively. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N): Generate a random, uniformly distributed integer R between M inclusive and N exclusive, i.e., M <= R < N.
- bit_len(n): Compute the minimum number of bits needed to represent the positive integer n.
- inverse_mod(x, n): Compute the multiplicative inverse of x mod n or fail if x and n are not co-prime.
- is_coprime(x, n): Return true if x and n are co-prime, and false otherwise.
- len(s): The length of a byte string, in bytes.
- random(n): Generate n random bytes using a cryptographically-secure random number generator.
- concat(x0, ..., xN): Concatenation of byte strings. For example, concat(0x01, 0x0203, 0x040506) = 0x010203040506.
- slice(x, i, j): Return bytes in the byte string
`x`starting from offset`i`and ending at offset`j`, inclusive. For example, slice(0x010203040506, 1, 5) = 0x0203040506.

- RSABSSA-SHA384-PSS-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, a 48-byte salt length, and uses the randomized preparation function (PrepareRandomize).
- RSABSSA-SHA384-PSSZERO-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and uses the randomized preparation function (PrepareRandomize).
- RSABSSA-SHA384-PSS-Deterministic: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, 48-byte salt length, and uses the identity preparation function (PrepareIdentity).
- RSABSSA-SHA384-PSSZERO-Deterministic: This named variant uses SHA-384 as the hash function,
MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and uses
the identity preparation function (PrepareIdentity). This is the only variant that
produces deterministic signatures over the client's input message
`msg`.

- The client has proof that the signer's public key is honestly generated.
presents some (non-interactive) honest-verifier zero-knowledge proofs of various statements about the public key. - The input message has a value that the signer is unable to guess. That is, the client has added a high-entropy component that was not available to the signer prior to them choosing their signing key.

- p, q, n, e, d: RSA private and public key (sk and pk) parameters, each encoded as a hexadecimal string.
- msg: Input messsage being signed, encoded as a hexadecimal string. The hash is computed using SHA-384.
- msg_prefix: Message randomizer prefix, encoded as a hexadecimal string. This is only present for variants that use the randomization preparation function.
- prepared_msg: The message actually signed. If the variant does not use the randomization preparation function, this is equal to msg.
- salt: Randomly-generated salt used when computing the signature. The length is either 48 or 0 bytes.
- encoded_msg: EMSA-PSS encoded message. The mask generation function is MGF1 with SHA-384.
- inv: The message blinding inverse, encoded as a hexadecimal string.
- blinded_msg, blind_sig: The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig: The output message signature.