- I2OSP and OS2IP: Convert a byte string to and from a non-negative integer as
described in
. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N): Generate a random, uniformly distributed integer R such that M <= R < N.
- inverse_mod(x, n): Compute the multiplicative inverse of x mod n.
- len(s): The length of a byte string, in octets.

- Hash: hash function (hLen denotes the length in octets of the hash function output)
- MGF: mask generation function
- sLen: intended length in octets of the salt

- Blind Schnorr
: This is a three-message protocol based on the classical Schnorr signature scheme over elliptic curve groups. Although simple, the hardness problem upon which this is based - Random inhomogeneities in a Overdetermined Solvable system of linear equations, or ROS - can be broken in polynomial time when a small number of concurrent signing sessions are invoked . This can lead to signature forgeries in practice. Signers can enforce concurrent sessions, though the limit (approximately 256) for reasonably secure elliptic curve groups is small enough to make large-scale signature generation prohibitive. In contrast, the variant in this specification has no such concurrency limit. - Clause Blind Schnorr
: This is a three-message protocol based on a variant of the blind Schnorr signature scheme. This variant of the protocol is not known to be vulnerable to the attack in , though the protocol is still new and under consideration. In the future, this may be a candidate for future blind signatures based on blind signatures. However, the three-message flow necessarily requires two round trips between the client and server, which may be prohibitive for large-scale signature generation. Further analysis and experimentation with this scheme is needed. - BSA
: This is a three-message protocol based on elliptic curve groups similar to blind Schnorr. It is also not known to be vulnerable to the ROS attack in . Kastner et al. proved concurrent security with a polynomial number of sessions. For similar reasons to the clause blind Schnorr scheme above, the additional number of round trips requires further analysis and experimentation. - Blind BLS
: The Boneh-Lynn-Shacham scheme can incorporate message blinding when properly instantiated with Type III pairing group. This is a two-message protocol similar to the RSA variant, though it requires pairing support, which is not common in widely deployed cryptographic libraries backing protocols such as TLS. In contrast, the specification in this document relies upon widely deployed cryptographic primitives.

- p, q, n, e, d: RSA private and public key parameters, each encoded as a hexadecimal string.
- msg: Messsage being signed, encoded as a hexadecimal string. Its hash is computed using the hash function identified by the 'hash' test vector parameter.
- salt: Randomly-generated salt used when computing the signature.
- inv: The message blinding inverse, encoded as a hexadecimal string.
- blinded_message, blind_sig: The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig: The message signature.