From: mccoy@io.com (Jim McCoy)
Date: Thu, 8 Dec 94 12:53:00 PST
To: alex@omaha.com (Alex Strasheim)
Subject: Re: cut & choose
In-Reply-To: <199412082010.OAA00148@omaha.omaha.com>
Message-ID: <199412082052.OAA21137@pentagon.io.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: Alex Strasheim <alex@omaha.com>
> 
> In Applied Cryptography, Schneier describes digital cash protocols that
> depend on the cut and choose method [...] Chaum's system uses different
> keys for different denominations. [...]
> 
> I don't understand why anyone would use the cut and choose protocol over 
> denominated keys.  Chaum's method seems a lot cleaner to me and more 
> secure.  It obviously uses less bandwidth.  What am I missing here?

Cut and choose is necessary for several protocols.  It is necessary for
cash protocols that do not use blinding, it is necessary for the cash
protocols that include identification, and in general it is necessary for
any protocol where the signer does not know the contents of what they are
signing _and_ the contents need to be formed in a particular fashion.

Denominated keys requires the user (the one accepting the packet and
verifying it) to keep track of more information, such as which keys
correspond to which denominations.  In cut and choose the end user only
needs to know one key and the other information is carried in the packet
itself.  There is a cost in each system, it is just a question of who bears
the cost and what abilities the cost gives the system...

jim