- bytes_to_int and int_to_bytes: Convert a byte string to and from a non-negative integer.
bytes_to_int and int_to_bytes are implemented as OS2IP and I2OSP as described in
, respectively. Note that these functions operate on byte strings in big-endian byte order. - random_integer_uniform(M, N): Generate a random, uniformly distributed integer R such that M <= R < N.
- inverse_mod(x, n): Compute the multiplicative inverse of x mod n. This function fails if x and n are not co-prime.
- len(s): The length of a byte string, in octets.
- random(n): Generate n random octets using a cryptographically-secure pseudorandom number generator.

- Hash: hash function
- MGF: mask generation function
- sLen: intended length in octets of the salt

- One-more-forgery polynomial security. This means the adversary, interacting with the server (signer) as a client, cannot output n+1 valid message and signature tuples after only interacting with the server n times, for some n which is polynomial in the protocol's security parameter.
- Concurrent polynomial security. This means that servers can engage in polynomially many invocations of the protocol without compromising security.

- The client has proof that the signer's public key is honestly generated.
presents some (non-interactive) honest-verifier zero-knoweldge proofs of various statements about the public key. - The client input message has high entropy.

- RSA key and signature sizes are larger than those of alternative blind signature protocols;
- No evaluation batching support, which means that the cost of the protocol scales linearly with the number of invocations; and
- Extensions for features such as threshold signing are more complex to instantiate compared to other protocols based on, for example, Schnorr signatures.

- Blind Schnorr
: This is a three-message protocol based on the classical Schnorr signature protocol over elliptic curve groups. Although simple, the hardness problem upon which this is based -- Random inhomogeneities in a Overdetermined Solvable system of linear equations, or ROS -- can be broken in polynomial time when a small number of concurrent signing sessions are invoked , leading to signature forgeries. Even with small concurrency limits, Wagner's generalized attack leads to subexponential forgery speedup. For example, a limit of 15 parallel sessions yields an attack runtime of approximately 2^55, which is substantially lower than acceptable security levels. In contrast, the variant in this specification has no such concurrency limit. - Clause Blind Schnorr
: This is a three-message protocol based on a variant of the blind Schnorr signature protocol. This variant of the protocol is not known to be vulnerable to the attack in , though the protocol is still new and under consideration. In the future, this may be a candidate for future blind signatures based on blind signatures. However, the three-message flow necessarily requires two round trips between the client and server, which may be prohibitive for large-scale signature generation. Further analysis and experimentation with this protocol is needed. - BSA
: This is a three-message protocol based on elliptic curve groups similar to blind Schnorr. It is also not known to be vulnerable to the ROS attack in . Kastner et al. proved concurrent security with a polynomial number of sessions. For similar reasons to the clause blind Schnorr protocol above, the additional number of round trips requires further analysis and experimentation. - Blind BLS
: The Boneh-Lynn-Shacham protocol can incorporate message blinding when properly instantiated with Type III pairing group. This is a two-message protocol similar to the RSA variant, though it requires pairing support, which is not common in widely deployed cryptographic libraries backing protocols such as TLS. In contrast, the specification in this document relies upon widely deployed cryptographic primitives.

- p, q, n, e, d: RSA private and public key parameters, each encoded as a hexadecimal string.
- msg: Messsage being signed, encoded as a hexadecimal string. The hash is computed using SHA-384.
- salt: Randomly-generated salt used when computing the signature. The length (sLen) is either 48 or 0 bytes.
- inv: The message blinding inverse, encoded as a hexadecimal string.
- encoded_msg: EMSA-PSS encoded message. The mask generation function is MGF1 with SHA-384.
- blinded_msg, blind_sig: The protocol values exchanged during the computation, encoded as hexadecimal strings.
- sig: The output message signature.