- bytes_to_int and int_to_bytes:
- Convert a byte string to and from a non-negative integer. bytes_to_int and int_to_bytes are implemented as OS2IP and I2OSP -- as described in
-- respectively. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N):
- Generate a random, uniformly distributed integer R between M inclusive and N exclusive, i.e., M <= R < N.
- bit_len(n):
- Compute the minimum number of bits needed to represent the positive integer n.
- inverse_mod(x, n):
- Compute the multiplicative inverse of x mod n or fail if x and n are not co-prime.
- is_coprime(x, n):
- Return true if x and n are co-prime, and false otherwise.
- len(s):
- The length of a byte string, in bytes.
- random(n):
- Generate n random bytes using a cryptographically secure random number generator.
- concat(x0, ..., xN):
- Concatenation of byte strings. For example, concat(0x01, 0x0203, 0x040506) = 0x010203040506.
- slice(x, i, j):
- Return bytes in the byte string
`x`starting from offset`i`and ending at offset`j`, inclusive. For example, slice(0x010203040506, 1, 5) = 0x0203040506.

- RSABSSA-SHA384-PSS-Randomized:
- This named variant uses SHA-384 as the EMSA-PSS Hash option, MGF1 with SHA-384 as the EMSA-PSS MGF option, and 48 as the EMSA-PSS sLen option (48-byte salt length); it also uses the randomized preparation function (PrepareRandomize).
- RSABSSA-SHA384-PSSZERO-Randomized:
- This named variant uses SHA-384 as the EMSA-PSS Hash option, MGF1 with SHA-384 as the EMSA-PSS MGF option, and 0 as the EMSA-PSS sLen option (0-byte salt length); it also uses the randomized preparation function (PrepareRandomize).
- RSABSSA-SHA384-PSS-Deterministic:
- This named variant uses SHA-384 as the EMSA-PSS Hash option, MGF1 with SHA-384 as the EMSA-PSS MGF option, and 48 as the EMSA-PSS sLen option (48-byte salt length); it also uses the identity preparation function (PrepareIdentity).
- RSABSSA-SHA384-PSSZERO-Deterministic:
- This named variant uses SHA-384 as the EMSA-PSS Hash option,
MGF1 with SHA-384 as the EMSA-PSS MGF option, and 0 as the EMSA-PSS sLen option (0-byte salt length); it also uses
the identity preparation function (PrepareIdentity). This is the only variant that
produces deterministic signatures over the client's input message
`msg`.

- The client has proof that the signer's public key is honestly generated.
presents some (non-interactive) honest-verifier zero-knowledge proofs of various statements about the public key. - The input message has a value that the signer is unable to guess. That is, the client has added a high-entropy component that was not available to the signer prior to them choosing their signing key.

- p, q, n, e, d:
- RSA private and public key (sk and pk) parameters, each encoded as a hexadecimal string.
- msg:
- Input message being signed, encoded as a hexadecimal string. The hash is computed using SHA-384.
- msg_prefix:
- Message randomizer prefix, encoded as a hexadecimal string. This is only present for variants that use the randomization preparation function.
- prepared_msg:
- The message actually signed. If the variant does not use the randomization preparation function, this is equal to msg.
- salt:
- Randomly generated salt used when computing the signature. The length is either 48 or 0 bytes.
- encoded_msg:
- EMSA-PSS encoded message. The mask generation function is MGF1 with SHA-384.
- inv:
- The message blinding inverse, encoded as a hexadecimal string.
- blinded_msg, blind_sig:
- The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig:
- The output message signature.