- bytes_to_int and int_to_bytes: Convert a byte string to and from a non-negative integer.
bytes_to_int and int_to_bytes are implemented as OS2IP and I2OSP as described in
, respectively. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N): Generate a random, uniformly distributed integer R such that M <= R < N.
- inverse_mod(x, n): Compute the multiplicative inverse of x mod n. This function fails if x and n are not co-prime.
- len(s): The length of a byte string, in bytes.
- random(n): Generate n random bytes using a cryptographically-secure pseudorandom number generator.

- Blind(pkS, msg): encodes an input message
`msg`and blinds it with a randomly generated blinding factor using the server's public key`pkS`, producing a blinded messsage for the server and the inverse of the blind. - BlindSign(skS, blinded_msg): performs the raw RSA private key operation using private key
`skS`on the client's blinded message`blinded_msg`, and returns the output. - Finalize(pkS, msg, blinded_sig, inv): unblinds the server's response
`blinded_sig`using the inverse`inv`to produce a signature, verifies it for correctness using message`msg`and public key`pkS`, and outputs the signature upon success.

- RSABSSA-SHA384-PSS-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, a 48-byte salt length, and uses message randomization.
- RSABSSA-SHA384-PSSZERO-Randomized: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and uses message randomization.
- RSABSSA-SHA384-PSS-Deterministic: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, 48-byte salt length, and does not use message randomization.
- RSABSSA-SHA384-PSSZERO-Deterministic: This named variant uses SHA-384 as the hash function, MGF1 with SHA-384 as the PSS mask generation function, an empty PSS salt, and does not use message randomization. This is the only variant that produces deterministic signatures over the input message.

- One-more-forgery polynomial security. This means the adversary, interacting with the server (signer) as a client, cannot output n+1 valid message and signature tuples after only interacting with the server n times, for some n which is polynomial in the protocol's security parameter.
- Concurrent polynomial security. This means that servers can engage in polynomially many invocations of the protocol without compromising security.

- The client has proof that the signer's public key is honestly generated.
presents some (non-interactive) honest-verifier zero-knoweldge proofs of various statements about the public key. - The client input message has high entropy.

- RSA key and signature sizes are larger than those of alternative blind signature protocols;
- No evaluation batching support, which means that the cost of the protocol scales linearly with the number of invocations; and
- Extensions for features such as threshold signing are more complex to instantiate compared to other protocols based on, for example, Schnorr signatures.

- Blind Schnorr
: This is a three-message protocol based on the classical Schnorr signature protocol over elliptic curve groups. Although simple, the hardness problem upon which this is based -- Random inhomogeneities in a Overdetermined Solvable system of linear equations, or ROS -- can be broken in polynomial time when a small number of concurrent signing sessions are invoked , leading to signature forgeries. Even with small concurrency limits, Wagner's generalized attack leads to subexponential forgery speedup. For example, a limit of 15 parallel sessions yields an attack runtime of approximately 2^55, which is substantially lower than acceptable security levels. In contrast, the variant in this specification has no such concurrency limit. - Clause Blind Schnorr
: This is a three-message protocol based on a variant of the blind Schnorr signature protocol. This variant of the protocol is not known to be vulnerable to the attack in , though the protocol is still new and under consideration. The three-message flow necessarily requires two round trips between the client and server, which may be prohibitive for large-scale signature generation. Further analysis and experimentation with this protocol is needed. - BSA
: This is a three-message protocol based on elliptic curve groups similar to blind Schnorr. It is also not known to be vulnerable to the ROS attack in . Kastner et al. proved concurrent security with a polynomial number of sessions. For similar reasons to the clause blind Schnorr protocol above, the additional number of round trips requires further analysis and experimentation. - WFROS-based Schemes
: This work contains four proposed schemes, each of which are three-message protocols based on a variant of the blind Schnorr signature protocol. Security of these schemes depend on the Weighted Fractional ROS problem, for which the authors prove an exponential and unconditional lower bound, and therefore have tighter security bounds than the Clause Blind Schnorr schemes. The performance of the scheme is similar to Clause Blind Schnorr, yet signing is more efficient. Similarly to Clause Blind Schnorr schemes, the two round trips required by three-message flows need further analysis and experimentation. - Blind BLS
: The Boneh-Lynn-Shacham protocol can incorporate message blinding when properly instantiated with Type III pairing group. This is a two-message protocol similar to the RSA variant, though it requires pairing support, which is not common in widely deployed cryptographic libraries backing protocols such as TLS. In contrast, the specification in this document relies upon widely deployed cryptographic primitives.

- p, q, n, e, d: RSA private and public key parameters, each encoded as a hexadecimal string.
- msg: Input messsage being signed, encoded as a hexadecimal string. The hash is computed using SHA-384.
- msg_prefix: Message randomizer prefix, encoded as a hexadecimal string. This is only present for variants that use message randomization.
- random_msg: The message actually signed. If the variant does not use message randomization, this is equal to msg.
- salt: Randomly-generated salt used when computing the signature. The length is either 48 or 0 bytes.
- encoded_msg: EMSA-PSS encoded message. The mask generation function is MGF1 with SHA-384.
- inv: The message blinding inverse, encoded as a hexadecimal string.
- blinded_msg, blind_sig: The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig: The output message signature.