@kwantam mentioned that counting may bias the prime depending on the distribution of primes, i.e. counting does not result in a uniform distribution of chosen primes. An attacker gains some information about what the prime is likely to be through this method.
This goes hand-in-hand with #3. The verification can be optimized to one primality test as long as the signer includes their current PRNG state in the signature.
@kwantam mentioned that counting may bias the prime depending on the distribution of primes, i.e. counting does not result in a uniform distribution of chosen primes. An attacker gains some information about what the prime is likely to be through this method.
This goes hand-in-hand with #3. The verification can be optimized to one primality test as long as the signer includes their current PRNG state in the signature.