Many thanks to Chloe Martindale for a thorough review.
All comments have been addressed in the text, except:
a subsection discussing pros and cons of RSAVRF vs. ECVRF.
This one falls in the broader discussion of EC-based vs RSA-based cryptography. The pros and cons are somewhat ambiguous and the discussion would be lengthy, needlessly controversial, and not specific to the VRF.
- I appreciate you don't want to repeat things from elsewhere, but I think it would add to the readability of the document if you added a subsection / appendix briefly recalling the RSASP1 and RSAVP1 primitives.
and
definition of I2OSP: personally I would say what both inputs are here.
These were both addresssed with simple changes to the text where these functions are first mentioned. Thanks for the suggestion.
5.6.1. I think that the definition of (this) cofactor is not mentioned above anywhere.
Actually, it is defined at the very top of Section 5, together with other notation
7.2. for the second bullet point, do you have / know of a reference to point readers towards where this is worked out in more detail?
Unfortunately not specifically for these VRFs. There are many discussions of the tightness of security reductions in the cryptographic papers, but this is already more disucssion of the tightness of security reductions than most standards ever get.