From 8155e4bf2b8aaa055481e31357b8ca01dac6014f Mon Sep 17 00:00:00 2001
From: daxpedda <daxpedda@gmail.com>
Date: Sun, 14 Sep 2025 14:26:34 +0200
Subject: [PATCH] Add `VerifyingKey::compute_mu()`

---
 ml-dsa/src/lib.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ml-dsa/src/lib.rs b/ml-dsa/src/lib.rs
index 75b2a07b..9dd92fe0 100644
--- a/ml-dsa/src/lib.rs
+++ b/ml-dsa/src/lib.rs
@@ -772,6 +772,21 @@ impl<P: MlDsaParams> VerifyingKey<P> {
         }
     }
 
+    /// Computes µ according to FIPS 204 for use in ML-DSA.Sign and ML-DSA.Verify.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`Error`] if the given `Mp` returns one.
+    pub fn compute_mu<F: FnOnce(&mut Shake256) -> Result<(), Error>>(
+        &self,
+        Mp: F,
+        ctx: &[u8],
+    ) -> Result<B64, Error> {
+        let mut mu = MuBuilder::new(&self.tr, ctx);
+        Mp(mu.as_mut())?;
+        Ok(mu.finish())
+    }
+
     /// This algorithm reflects the ML-DSA.Verify_internal algorithm from FIPS 204.  It does not
     /// include the domain separator that distinguishes between the normal and pre-hashed cases,
     /// and it does not separate the context string from the rest of the message.