@theqrl/mldsa87 2.0.1 → 2.1.0

package/README.md

@@ -26,10 +26,13 @@ const pk = new Uint8Array(CryptoPublicKeyBytes);  // 2592 bytes
 const sk = new Uint8Array(CryptoSecretKeyBytes);  // 4896 bytes
 cryptoSignKeypair(null, pk, sk);  // null = random seed
 
-// Sign a message
+// Sign a message (hedged by default per FIPS 204 §3.4 — recommended).
+// Pass `false` only when deterministic signatures are themselves a
+// protocol requirement (e.g. RANDAO-style verifiable beacon
+// contributions); for that case use `cryptoSignDeterministic`.
 const message = new TextEncoder().encode('Hello, quantum world!');
 const ctx = new Uint8Array([0x5a, 0x4f, 0x4e, 0x44]);  // "ZOND"
-const signedMessage = cryptoSign(message, sk, false, ctx);  // false = deterministic
+const signedMessage = cryptoSign(message, sk, true, ctx);  // true = hedged (recommended)
 
 // Verify and extract (context must match)
 const extracted = cryptoSignOpen(signedMessage, pk, ctx);
@@ -46,7 +49,7 @@ ML-DSA-87 requires a context parameter for domain separation (FIPS 204 feature).
 ```javascript
 // With application-specific context
 const ctx = new TextEncoder().encode('my-app-v1');
-const signed = cryptoSign(message, sk, false, ctx);
+const signed = cryptoSign(message, sk, true, ctx);  // hedged (recommended)
 const extracted = cryptoSignOpen(signed, pk, ctx);
 
 // Context must match for verification
@@ -164,6 +167,7 @@ See [SECURITY.md](../../SECURITY.md) for important information about:
 
 - JavaScript memory security limitations
 - Constant-time verification
+- **Signing timing variability** — signing is not constant-time due to the algorithm's rejection sampling loop; see SECURITY.md for measured impact and deployment mitigations
 - Secure key handling recommendations
 
 ## Requirements

package/dist/cjs/mldsa87.d.cts

@@ -0,0 +1,385 @@
+/**
+ * TypeScript definitions for @theqrl/mldsa87
+ * ML-DSA-87 (FIPS 204) post-quantum digital signature scheme
+ */
+
+// Constants
+export const Shake128Rate: number;
+export const Shake256Rate: number;
+export const Stream128BlockBytes: number;
+export const Stream256BlockBytes: number;
+export const SeedBytes: number;
+export const CRHBytes: number;
+export const TRBytes: number;
+export const RNDBytes: number;
+export const N: number;
+export const Q: number;
+export const QInv: number;
+export const D: number;
+export const K: number;
+export const L: number;
+export const ETA: number;
+export const TAU: number;
+export const BETA: number;
+export const GAMMA1: number;
+export const GAMMA2: number;
+export const OMEGA: number;
+export const CTILDEBytes: number;
+export const PolyT1PackedBytes: number;
+export const PolyT0PackedBytes: number;
+export const PolyETAPackedBytes: number;
+export const PolyZPackedBytes: number;
+export const PolyVecHPackedBytes: number;
+export const PolyW1PackedBytes: number;
+export const CryptoPublicKeyBytes: number;
+export const CryptoSecretKeyBytes: number;
+export const CryptoBytes: number;
+export const PolyUniformNBlocks: number;
+export const PolyUniformETANBlocks: number;
+export const PolyUniformGamma1NBlocks: number;
+export const zetas: readonly number[];
+
+// Core signing functions
+
+/**
+ * Generate an ML-DSA-87 key pair
+ * @param seed - Optional 32-byte seed for deterministic key generation (null for random)
+ * @param pk - Output buffer for public key (must be CryptoPublicKeyBytes length)
+ * @param sk - Output buffer for secret key (must be CryptoSecretKeyBytes length)
+ * @returns The seed used for key generation
+ * @throws Error if pk/sk buffers are wrong size or null
+ */
+export function cryptoSignKeypair(
+  seed: Uint8Array | null,
+  pk: Uint8Array,
+  sk: Uint8Array
+): Uint8Array;
+
+/**
+ * Create a signature for a message
+ * @param sig - Output buffer for signature (must be CryptoBytes length minimum)
+ * @param m - Message to sign (hex string or Uint8Array; strings are parsed as hex only)
+ * @param sk - Secret key
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
+ * @param ctx - Context string (max 255 bytes)
+ * @returns 0 on success
+ * @throws Error if sk is wrong size or context too long
+ */
+export function cryptoSignSignature(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  sk: Uint8Array,
+  randomizedSigning: boolean,
+  ctx: Uint8Array
+): number;
+
+/**
+ * Sign a message, returning signature concatenated with message
+ * @param msg - Message to sign
+ * @param sk - Secret key
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
+ * @param ctx - Context string (max 255 bytes)
+ * @returns Signed message (signature || message)
+ * @throws Error if signing fails
+ */
+export function cryptoSign(
+  msg: Uint8Array | string,
+  sk: Uint8Array,
+  randomizedSigning: boolean,
+  ctx: Uint8Array
+): Uint8Array;
+
+/**
+ * Create a deterministic ML-DSA-87 detached signature
+ * (FIPS 204 §3.5 — `randomizedSigning = false` wrapper).
+ *
+ * **Use only when the deterministic property is itself a requirement**
+ * — RANDAO-style verifiable beacon contributions, ACVP / KAT vector
+ * reproduction. For general-purpose signing prefer `cryptoSignSignature`
+ * with `randomizedSigning = true` (hedged, FIPS 204 §3.4 recommended).
+ * (TOB-QRLLIB-6.)
+ */
+export function cryptoSignSignatureDeterministic(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  sk: Uint8Array,
+  ctx: Uint8Array
+): number;
+
+/**
+ * Attached-form deterministic ML-DSA-87 signing
+ * (FIPS 204 §3.5 — `randomizedSigning = false` wrapper for `cryptoSign`).
+ * Same recommendation as `cryptoSignSignatureDeterministic`.
+ * (TOB-QRLLIB-6.)
+ */
+export function cryptoSignDeterministic(
+  msg: Uint8Array | string,
+  sk: Uint8Array,
+  ctx: Uint8Array
+): Uint8Array;
+
+/**
+ * Verify a signature
+ * @param sig - Signature to verify
+ * @param m - Message that was signed (hex string or Uint8Array; strings are parsed as hex only)
+ * @param pk - Public key
+ * @param ctx - Context string (max 255 bytes)
+ * @returns true if signature is valid, false otherwise
+ */
+export function cryptoSignVerify(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  pk: Uint8Array,
+  ctx: Uint8Array
+): boolean;
+
+/**
+ * Open a signed message (verify and extract message)
+ * @param sm - Signed message (signature || message)
+ * @param pk - Public key
+ * @param ctx - Context string (max 255 bytes)
+ * @returns Message if valid, undefined if verification fails (or if
+ *   sm is null / undefined / non-Uint8Array / shorter than
+ *   CryptoBytes — see `cryptoSignOpenWithReason` for distinct
+ *   failure-mode reporting)
+ */
+export function cryptoSignOpen(
+  sm: Uint8Array,
+  pk: Uint8Array,
+  ctx: Uint8Array
+): Uint8Array | undefined;
+
+/**
+ * Failure-mode discriminator returned by `cryptoSignOpenWithReason`.
+ * (TOB-QRLLIB-14: distinct failure modes for Open.)
+ */
+export type CryptoSignOpenReason =
+  | 'invalid-ctx-type'
+  | 'invalid-ctx-length'
+  | 'invalid-sm-type'
+  | 'invalid-sm-length'
+  | 'invalid-pk'
+  | 'verification-failed';
+
+/**
+ * Open a signed message with a typed failure-mode report.
+ * (TOB-QRLLIB-14.) Behavioural twin of `cryptoSignOpen` that
+ * distinguishes API-shape problems (input wrong type / length /
+ * shape) from genuine verification failures.
+ *
+ * `cryptoSignOpen` is kept unchanged and continues to return
+ * `undefined` for any failure mode. Use this variant when you need
+ * to log or route on specific failure modes.
+ *
+ * @param sm - Signed message (signature || message)
+ * @param pk - Public key
+ * @param ctx - Context string (max 255 bytes)
+ */
+export function cryptoSignOpenWithReason(
+  sm: Uint8Array,
+  pk: Uint8Array,
+  ctx: Uint8Array
+):
+  | { ok: true; message: Uint8Array }
+  | { ok: false; reason: CryptoSignOpenReason };
+
+// Utility functions
+
+/**
+ * Zero out a buffer (best-effort, see SECURITY.md for limitations)
+ * @param buffer - Buffer to zero
+ * @throws TypeError if buffer is not Uint8Array
+ */
+export function zeroize(buffer: Uint8Array): void;
+
+/**
+ * Check if buffer is all zeros using constant-time comparison
+ * @param buffer - Buffer to check
+ * @returns true if all bytes are zero
+ * @throws TypeError if buffer is not Uint8Array
+ */
+export function isZero(buffer: Uint8Array): boolean;
+
+// Internal classes (exported but primarily for internal use)
+
+export class Poly {
+  coeffs: Int32Array;
+  constructor();
+  copy(poly: Poly): void;
+}
+
+export class PolyVecK {
+  vec: Poly[];
+  constructor();
+}
+
+export class PolyVecL {
+  vec: Poly[];
+  constructor();
+  copy(polyVecL: PolyVecL): void;
+}
+
+export class KeccakState {
+  constructor();
+}
+
+// Internal functions (exported but primarily for internal use)
+export function polyNTT(a: Poly): void;
+export function polyInvNTTToMont(a: Poly): void;
+export function polyChallenge(c: Poly, seed: Uint8Array): void;
+export function ntt(a: Int32Array): void;
+export function invNTTToMont(a: Int32Array): void;
+export function montgomeryReduce(a: bigint): bigint;
+export function reduce32(a: number): number;
+export function cAddQ(a: number): number;
+export function decompose(a0: Int32Array, i: number, a: number): number;
+export function power2round(a0: Int32Array, i: number, a: number): number;
+export function makeHint(a0: number, a1: number): number;
+export function useHint(a: number, hint: number): number;
+export function packPk(pk: Uint8Array, rho: Uint8Array, t1: PolyVecK): void;
+export function packSk(
+  sk: Uint8Array,
+  rho: Uint8Array,
+  tr: Uint8Array,
+  key: Uint8Array,
+  t0: PolyVecK,
+  s1: PolyVecL,
+  s2: PolyVecK
+): void;
+export function packSig(
+  sig: Uint8Array,
+  c: Uint8Array,
+  z: PolyVecL,
+  h: PolyVecK
+): void;
+export function unpackPk(rho: Uint8Array, t1: PolyVecK, pk: Uint8Array): void;
+export function unpackSk(
+  rho: Uint8Array,
+  tr: Uint8Array,
+  key: Uint8Array,
+  t0: PolyVecK,
+  s1: PolyVecL,
+  s2: PolyVecK,
+  sk: Uint8Array
+): void;
+export function unpackSig(
+  c: Uint8Array,
+  z: PolyVecL,
+  h: PolyVecK,
+  sig: Uint8Array
+): number;
+
+// FIPS 202 SHAKE primitives (low-level XOF interface, primarily internal)
+export function shake128Init(state: KeccakState): void;
+export function shake128Absorb(state: KeccakState, input: Uint8Array): void;
+export function shake128Finalize(state: KeccakState): void;
+export function shake128SqueezeBlocks(
+  out: Uint8Array,
+  outputOffset: number,
+  nBlocks: number,
+  state: KeccakState
+): void;
+export function shake256Init(state: KeccakState): void;
+export function shake256Absorb(state: KeccakState, input: Uint8Array): void;
+export function shake256Finalize(state: KeccakState): void;
+export function shake256SqueezeBlocks(
+  out: Uint8Array,
+  outputOffset: number,
+  nBlocks: number,
+  state: KeccakState
+): void;
+
+// ML-DSA-specific stream initializers
+export function mldsaShake128StreamInit(
+  state: KeccakState,
+  seed: Uint8Array,
+  nonce: number
+): void;
+export function mldsaShake256StreamInit(
+  state: KeccakState,
+  seed: Uint8Array,
+  nonce: number
+): void;
+
+// Polynomial operations (internal)
+export function polyReduce(a: Poly): void;
+export function polyCAddQ(a: Poly): void;
+export function polyAdd(c: Poly, a: Poly, b: Poly): void;
+export function polySub(c: Poly, a: Poly, b: Poly): void;
+export function polyShiftL(a: Poly): void;
+export function polyPointWiseMontgomery(c: Poly, a: Poly, b: Poly): void;
+export function polyPower2round(a1: Poly, a0: Poly, a: Poly): void;
+export function polyDecompose(a1: Poly, a0: Poly, a: Poly): void;
+export function polyMakeHint(h: Poly, a0: Poly, a1: Poly): number;
+export function polyUseHint(b: Poly, a: Poly, h: Poly): void;
+export function polyChkNorm(a: Poly, b: number): number;
+export function rejUniform(
+  a: Int32Array,
+  aOffset: number,
+  len: number,
+  buf: Uint8Array,
+  bufLen: number
+): number;
+export function polyUniform(a: Poly, seed: Uint8Array, nonce: number): void;
+export function rejEta(
+  a: Int32Array,
+  aOffset: number,
+  len: number,
+  buf: Uint8Array,
+  bufLen: number
+): number;
+export function polyUniformEta(a: Poly, seed: Uint8Array, nonce: number): void;
+export function polyZUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
+export function polyUniformGamma1(a: Poly, seed: Uint8Array, nonce: number): void;
+export function polyEtaPack(r: Uint8Array, rOffset: number, a: Poly): void;
+export function polyEtaUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
+export function polyT1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
+export function polyT1Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
+export function polyT0Pack(r: Uint8Array, rOffset: number, a: Poly): void;
+export function polyT0Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
+export function polyZPack(r: Uint8Array, rOffset: number, a: Poly): void;
+export function polyW1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
+
+// Polynomial vector operations (internal)
+export function polyVecMatrixExpand(mat: PolyVecL[], rho: Uint8Array): void;
+export function polyVecMatrixPointWiseMontgomery(
+  t: PolyVecK,
+  mat: PolyVecL[],
+  v: PolyVecL
+): void;
+export function polyVecLUniformEta(v: PolyVecL, seed: Uint8Array, nonce: number): void;
+export function polyVecLUniformGamma1(v: PolyVecL, seed: Uint8Array, nonce: number): void;
+export function polyVecLReduce(v: PolyVecL): void;
+export function polyVecLAdd(w: PolyVecL, u: PolyVecL, v: PolyVecL): void;
+export function polyVecLNTT(v: PolyVecL): void;
+export function polyVecLInvNTTToMont(v: PolyVecL): void;
+export function polyVecLPointWisePolyMontgomery(
+  r: PolyVecL,
+  a: Poly,
+  v: PolyVecL
+): void;
+export function polyVecLPointWiseAccMontgomery(
+  w: Poly,
+  u: PolyVecL,
+  v: PolyVecL
+): void;
+export function polyVecLChkNorm(v: PolyVecL, bound: number): number;
+export function polyVecKUniformEta(v: PolyVecK, seed: Uint8Array, nonce: number): void;
+export function polyVecKReduce(v: PolyVecK): void;
+export function polyVecKCAddQ(v: PolyVecK): void;
+export function polyVecKAdd(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
+export function polyVecKSub(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
+export function polyVecKShiftL(v: PolyVecK): void;
+export function polyVecKNTT(v: PolyVecK): void;
+export function polyVecKInvNTTToMont(v: PolyVecK): void;
+export function polyVecKPointWisePolyMontgomery(
+  r: PolyVecK,
+  a: Poly,
+  v: PolyVecK
+): void;
+export function polyVecKChkNorm(v: PolyVecK, bound: number): number;
+export function polyVecKPower2round(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
+export function polyVecKDecompose(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
+export function polyVecKMakeHint(h: PolyVecK, v0: PolyVecK, v1: PolyVecK): number;
+export function polyVecKUseHint(w: PolyVecK, u: PolyVecK, h: PolyVecK): void;
+export function polyVecKPackW1(r: Uint8Array, w1: PolyVecK): void;

package/dist/cjs/mldsa87.js

@@ -1356,6 +1356,12 @@ function packSig(sigP, ctilde, z, h) {
   for (let i = 0; i < K; ++i) {
     for (let j = 0; j < N; ++j) {
       if (h.vec[i].coeffs[j] !== 0) {
+        if (h.vec[i].coeffs[j] !== 1) {
+          throw new Error('hint coefficients must be binary (0 or 1)');
+        }
+        if (k >= OMEGA) {
+          throw new Error(`hint count exceeds OMEGA (${OMEGA})`);
+        }
         sig[sigOffset + k++] = j;
       }
     }
@@ -1659,11 +1665,31 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
  * Uses the ML-DSA-87 (FIPS 204) signing algorithm with rejection sampling.
  * The context parameter provides domain separation as required by FIPS 204.
  *
+ * # Signing-mode recommendation (TOB-QRLLIB-6)
+ *
+ * **Hedged signing (`randomizedSigning = true`) is the recommended mode**
+ * per FIPS 204 §3.4: the per-signature nonce mixes fresh `crypto.getRandomValues`
+ * randomness, which frustrates the fault-injection attack class against
+ * deterministic signing where an adversary who can flip a single bit during
+ * the `z` computation can differentiate two same-message signatures and
+ * recover `s1`/`s2` by lattice differential analysis. Verification is
+ * unchanged — hedged and deterministic signatures verify under the same
+ * public key.
+ *
+ * **Use deterministic signing (`randomizedSigning = false`) only when the
+ * deterministic property is itself a security or protocol requirement** —
+ * e.g. RANDAO-style verifiable beacon contributions where each validator
+ * must produce the same signature for the same input, or test-vector
+ * reproduction. Consider the [cryptoSignDeterministic] convenience wrapper
+ * for those cases.
+ *
  * @param {Uint8Array} sig - Output buffer for signature (must be at least CryptoBytes = 4627 bytes)
  * @param {string|Uint8Array} m - Message to sign (hex string, optional 0x prefix, or Uint8Array)
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
- * @param {boolean} randomizedSigning - If true, use random nonce for hedged signing.
- *   If false, use deterministic nonce derived from message and key.
+ * @param {boolean} randomizedSigning - **Recommended: `true` (hedged, FIPS 204 §3.4).**
+ *   If true, mix fresh `crypto.getRandomValues` randomness into the
+ *   per-signature nonce. If false, use a deterministic nonce derived from
+ *   message and key (FIPS 204 §3.5).
  * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes).
  *   Pass an empty Uint8Array for no context.
  * @returns {number} 0 on success
@@ -1733,6 +1759,7 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
     // rhoPrime = SHAKE256(key || rnd || mu)
     const rnd = randomizedSigning ? randomBytes(RNDBytes) : new Uint8Array(RNDBytes);
     rhoPrime = shake256.create({}).update(key).update(rnd).update(mu).xof(CRHBytes);
+    zeroize(rnd);
 
     polyVecMatrixExpand(mat, rho);
     polyVecLNTT(s1);
@@ -1810,6 +1837,31 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
   }
 }
 
+/**
+ * Create a **deterministic** ML-DSA-87 detached signature
+ * (FIPS 204 §3.5 — `randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode so callers
+ * who *need* byte-identical signatures for the same `(sk, ctx, message)`
+ * — RANDAO-style verifiable beacon contributions, ACVP / KAT vector
+ * reproduction, deterministic-test fixtures — get a clearly-named
+ * entry point rather than passing a bare boolean.
+ *
+ * **Use only when the deterministic property is itself a requirement.**
+ * For general-purpose signing prefer [cryptoSignSignature] with
+ * `randomizedSigning = true` (FIPS 204 §3.4 hedged, the recommended
+ * mode). (TOB-QRLLIB-6.)
+ *
+ * @param {Uint8Array} sig - Output buffer for signature (must be at least CryptoBytes bytes)
+ * @param {string|Uint8Array} m - Message to sign
+ * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes bytes)
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes)
+ * @returns {number} 0 on success
+ */
+function cryptoSignSignatureDeterministic(sig, m, sk, ctx) {
+  return cryptoSignSignature(sig, m, sk, /* randomizedSigning */ false, ctx);
+}
+
 /**
  * Sign a message, returning signature concatenated with message.
  *
@@ -1850,6 +1902,26 @@ function cryptoSign(msg, sk, randomizedSigning, ctx) {
   return sm;
 }
 
+/**
+ * Attached-form **deterministic** ML-DSA-87 signing
+ * (FIPS 204 §3.5 — `randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode for the
+ * attached `signature || message` form. Same recommendation as
+ * [cryptoSignSignatureDeterministic]: use only when determinism is a
+ * protocol requirement; for general-purpose signing prefer
+ * [cryptoSign] with `randomizedSigning = true` (FIPS 204 §3.4 hedged).
+ * (TOB-QRLLIB-6.)
+ *
+ * @param {string|Uint8Array} msg - Message to sign
+ * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes bytes)
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes)
+ * @returns {Uint8Array} Signed message (signature || message)
+ */
+function cryptoSignDeterministic(msg, sk, ctx) {
+  return cryptoSign(msg, sk, /* randomizedSigning */ false, ctx);
+}
+
 /**
  * Verify a detached signature with context.
  *
@@ -1974,7 +2046,12 @@ function cryptoSignOpen(sm, pk, ctx) {
   if (!(ctx instanceof Uint8Array)) {
     throw new TypeError('ctx is required and must be a Uint8Array');
   }
-  if (sm.length < CryptoBytes) {
+  // Type-guard `sm` so callers passing `null` / `undefined` / non-Uint8Array
+  // get a clean `undefined` return rather than a `Cannot read properties of
+  // null (reading 'length')` thrown deep in the call chain. Mirrors the
+  // existing `pk` / `sig` instanceof checks in `cryptoSignVerify`.
+  // (TOB-QRLLIB-11.)
+  if (!(sm instanceof Uint8Array) || sm.length < CryptoBytes) {
     return undefined;
   }
 
@@ -1987,6 +2064,53 @@ function cryptoSignOpen(sm, pk, ctx) {
   return msg;
 }
 
+/**
+ * Open a signed message with a typed failure-mode report.
+ *
+ * Behavioural twin of [cryptoSignOpen], but returns a discriminated
+ * union so callers can distinguish between API-shape problems (input
+ * was the wrong type / length / shape) and genuine cryptographic
+ * verification failures. Use this when you need to log or route on
+ * specific failure modes — e.g. an attestation pipeline that wants to
+ * alarm on "input shape valid but signature did not verify" but
+ * silently reject "input shape was wrong".
+ *
+ * The legacy [cryptoSignOpen] returns `undefined` for every failure
+ * mode and is kept unchanged for backward compatibility. Both helpers
+ * call into the same underlying verifier — they only differ in how
+ * the failure modes are reported.
+ *
+ * (TOB-QRLLIB-14: distinct failure modes for Open.)
+ *
+ * @param {Uint8Array} sm Signed message (signature || message).
+ * @param {Uint8Array} pk Public key.
+ * @param {Uint8Array} ctx FIPS 204 context (max 255 bytes).
+ * @returns {{ok: true, message: Uint8Array} | {ok: false, reason: 'invalid-ctx-type'|'invalid-ctx-length'|'invalid-sm-type'|'invalid-sm-length'|'invalid-pk'|'verification-failed'}}
+ */
+function cryptoSignOpenWithReason(sm, pk, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    return { ok: false, reason: 'invalid-ctx-type' };
+  }
+  if (ctx.length > 255) {
+    return { ok: false, reason: 'invalid-ctx-length' };
+  }
+  if (!(sm instanceof Uint8Array)) {
+    return { ok: false, reason: 'invalid-sm-type' };
+  }
+  if (sm.length < CryptoBytes) {
+    return { ok: false, reason: 'invalid-sm-length' };
+  }
+  if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
+    return { ok: false, reason: 'invalid-pk' };
+  }
+  const sig = sm.slice(0, CryptoBytes);
+  const msg = sm.slice(CryptoBytes);
+  if (!cryptoSignVerify(sig, msg, pk, ctx)) {
+    return { ok: false, reason: 'verification-failed' };
+  }
+  return { ok: true, message: msg };
+}
+
 exports.BETA = BETA;
 exports.CRHBytes = CRHBytes;
 exports.CTILDEBytes = CTILDEBytes;
@@ -2026,9 +2150,12 @@ exports.TAU = TAU;
 exports.TRBytes = TRBytes;
 exports.cAddQ = cAddQ;
 exports.cryptoSign = cryptoSign;
+exports.cryptoSignDeterministic = cryptoSignDeterministic;
 exports.cryptoSignKeypair = cryptoSignKeypair;
 exports.cryptoSignOpen = cryptoSignOpen;
+exports.cryptoSignOpenWithReason = cryptoSignOpenWithReason;
 exports.cryptoSignSignature = cryptoSignSignature;
+exports.cryptoSignSignatureDeterministic = cryptoSignSignatureDeterministic;
 exports.cryptoSignVerify = cryptoSignVerify;
 exports.decompose = decompose;
 exports.invNTTToMont = invNTTToMont;