- bytes_to_int and int_to_bytes: Convert a byte string to and from a non-negative integer.
bytes_to_int and int_to_bytes are implemented as OS2IP and I2OSP as described in
, respectively. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N): Generate a random, uniformly distributed integer R between M inclusive and N exclusive, i.e., M <= R < N.
- bit_len(n): Compute the minimum number of bits needed to represent the positive integer n.
- inverse_mod(x, n): Compute the multiplicative inverse of x mod n or fail if x and n are not co-prime.
- is_coprime(x, n): Return true if x and n are co-prime, and false otherwise.
- len(s): The length of a byte string, in bytes.
- random(n): Generate n random bytes using a cryptographically-secure random number generator.
- concat(x0, ..., xN): Concatenation of byte strings. For example, concat(0x01, 0x0203, 0x040506) = 0x010203040506.
- slice(x, i, j): Return bytes in the byte string
`x`starting from offset`i`and ending at offset`j`, inclusive. For example, slice(0x010203040506, 1, 5) = 0x0203040506. - random_prime(b): Return a random prime number of length b bits.
- is_prime(p): Return true if the input integer p is prime, and false otherwise.

- sk = (n, p, q, phi, d), where phi = (p - 1)(q - 1), n = p * q, and d is the private exponent
- pk = (n, e), where n = p * q, and e is hte public exponent such that d * e == 1 mod phi

- Compute
`pk_derived = DerivePublicKey(pk, info)`. - Compute
`msg_prime = concat("msg", int_to_bytes(len(info), 4), info, msg)`. - Invoke and output the result of RSASSA-PSS-VERIFY (
) with `(n, e)`as`pk_derived`, M as`msg_prime`, and`S`as`sig`.

- RSAPBSSA-SHA384-PSS-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, a 48-byte salt length, and uses the randomized preparation function (PrepareRandomize).
- RSAPBSSA-SHA384-PSSZERO-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and uses the randomized preparation function (PrepareRandomize).
- RSAPBSSA-SHA384-PSS-Deterministic: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, 48-byte salt length, and uses the identity preparation function (PrepareIdentity).
- RSAPBSSA-SHA384-PSSZERO-Deterministic: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and uses the identity preparation function (PrepareIdentity). This is the only variant that produces deterministic signatures over the client's input message msg.

- One-more-unforgeability: For any adversary interacting with the server (i.e., the signer) as a client
that interacts with the server at most
`n`times is unable to output`n+1`valid message and signature tuples (i.e., the signature verifies for the corresponding message). This holds for any`n`that is polynomial in the security parameter of the scheme. - Concurrent one-more-unforgeability: The above holds even in the setting when an adversarial client is interacting with multiple servers (signers) simultaneously.
- Unlinkability: Consider any adversary acting as the server (signer) interacting with
`n`clients using the same public metadata. Afterwards, the adversary randomly receives one of the`n`resulting signatures as a challenge. Then, the adversary cannot guess which of the`n`interactions created the challenge signature better than a random guess.

- p, q, d, e, N: RSA private and public key parameters, each encoded as a hexadecimal string.
- msg: Input messsage being signed, encoded as a hexadecimal string. The hash is computed using SHA-384.
- info: Public metadata bound to the signature, encoded as a hexadecimal string.
- eprime: The augmented public key exponent corresponding to e and metadata, encoded as a hexadecimal string.
- blind: The message blinding value, encoded as a hexadecimal string.
- salt: Randomly-generated salt used when computing the signature. The length is 48 bytes.
- blinded_msg, blinded_sig: The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig: The output message signature.