The blind signature scheme is traditionally defined by three algorithms: key generation algorithm, blind signature protocol and verification algorithm. The draft explicitly defines only blind signature protocol (see Section 4).
a. The key generation algorithm is not defined, it should be stated that it is the same as in the RSASSA-PSS scheme.
b. The verification algorithm is mentioned in Section 4, it is assumed that it coincides with the RSASSA-PSS-VERIFY algorithm defined in [RFC8017]. However, such verification is only possible for the client who knows the internal input_msg value. Is it assumed that the input_msg is also the output of the blind signature protocol (in case of using PrepareRandomize function)? Should the verification algorithm return an error if the input message has length less than 32 bytes in case of using randomized RSABSSA variants? In any case, the verification algorithm should be explicitly defined.
The blind signature scheme is traditionally defined by three algorithms: key generation algorithm, blind signature protocol and verification algorithm. The draft explicitly defines only blind signature protocol (see Section 4).
a. The key generation algorithm is not defined, it should be stated that it is the same as in the RSASSA-PSS scheme. b. The verification algorithm is mentioned in Section 4, it is assumed that it coincides with the RSASSA-PSS-VERIFY algorithm defined in [RFC8017]. However, such verification is only possible for the client who knows the internal input_msg value. Is it assumed that the input_msg is also the output of the blind signature protocol (in case of using PrepareRandomize function)? Should the verification algorithm return an error if the input message has length less than 32 bytes in case of using randomized RSABSSA variants? In any case, the verification algorithm should be explicitly defined.