From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
Date: Sun, 3 Oct 93 19:04:34 PDT
To: cypherpunks@toad.com
Subject: Re: Single Value Pseudonyms
Message-ID: <9310040200.AA12533@flammulated.owlnet.rice.edu>
MIME-Version: 1.0
Content-Type: text/plain


> Karl Barrus posted this, and I've been meaning to respond to it.
> Basically  Karl's scheme doesn't work.  With any cut-and-choose
> protocol, there must be some assurance that the two things offered

What?  It doesn't work?  Care to elaborate?

I mean, a person can satisfy to any degree desired that the last
unblinded document is of a particular value.

I agree that it becomes real expensive to do so, and for digital
banking purposes, there are several alternatives: 1) all cash is of
same denomination, 2) different exponents for different
denominations, 3) different keys for different denominations.

I think I mentioned the application towards digital cash is a bit
forced because of the above.  The real point is in avoiding signing
a blinded document that is later unblinded to reveal something
undesirable, in which case the signature and the document signed
have value.  The application of cut-and-choose I described applies
best when for some reason (poor choices of the bank?) the document
itself contains value, like the denomination it represents.

-- 
Karl L. Barrus: klbarrus@owlnet.rice.edu         
keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5  3D F3 93 7E 81 B5 CC 32 

"One man's mnemonic is another man's cryptography" 
  - my compilers prof discussing file naming in public directories