diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c
index cb322b75b..1a84f25bc 100644
--- a/mldsa/src/sign.c
+++ b/mldsa/src/sign.c
@@ -692,8 +692,10 @@ __contract__(
 * Consequently, any value that can be computed from the signature and public
 * key is considered public.
 * w0 and w1 are public as they can be computed from Az - ct = \alpha w1 + w0.
- * h=c*t0 is public as both c and t0 are public.
- * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.
+ * h=c*t0 is public as both c and t0 are considered public.
+ * While t0 is not part of the public key, it can be reconstructed from
+ * a small number of signatures and need not be regarded as secret
+ * (see @[FIPS204, Section 6.1]).
 */
 MLD_CT_TESTING_DECLASSIFY(w0, sizeof(*w0));
 MLD_CT_TESTING_DECLASSIFY(w1, sizeof(*w1));
@@ -964,7 +966,10 @@ int mld_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen,
 }
 ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx, ctxlen, sk, context);
- *smlen += mlen;
+ if (ret == 0)
+ {
+ *smlen += mlen;
+ }
 return ret;
 }
 #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
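Review bot: The rewritten comment drops the only pointer to the detailed argument for why declassifying values derived from t0 is sound, since the https://eprint.iacr.org/2022/1406 reference is removed rather than kept next to the new FIPS 204 citation. The declassification of w0/w1 (and, presumably, of h further down, outside this hunk) is the point where constant-time testing deliberately stops tracking secret-dependence, so a reviewer auditing the side-channel argument benefits from both the standard's statement and the analysis backing it. Suggest keeping a line such as ` * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.` after the FIPS reference. The enclosing function's body starts and ends outside the hunk.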
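Review bot: On the failure path of the new `if (ret == 0)` guard, `*smlen` is left holding whatever `mld_sign_signature` wrote (or did not write) before returning non-zero, so a caller that forgets to check `ret` and reads `*smlen` sees a length that may or may not describe the bytes in `sm`; the message copy into `sm + MLDSA_CRYPTO_BYTES` presumably happened earlier in the function, outside this hunk. Making the output unambiguous on error is two lines: `else { *smlen = 0; }` after the new block. Whether `mld_sign_signature` already zeroes `*smlen` on failure cannot be seen from this hunk, so the explicit reset is cheap insurance either way. mld_sign's body begins before the hunk.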