1994-12-08 - Re: cut & choose

Header Data

From: mccoy@io.com (Jim McCoy)
To: alex@omaha.com (Alex Strasheim)
Message Hash: 94ca39682bf1cb88f8aef2e9424043e23e37065e8fe93349fc5544ea7969f8b0
Message ID: <199412082052.OAA21137@pentagon.io.com>
Reply To: <199412082010.OAA00148@omaha.omaha.com>
UTC Datetime: 1994-12-08 20:53:00 UTC
Raw Date: Thu, 8 Dec 94 12:53:00 PST

Raw message

From: mccoy@io.com (Jim McCoy)
Date: Thu, 8 Dec 94 12:53:00 PST
To: alex@omaha.com (Alex Strasheim)
Subject: Re: cut & choose
In-Reply-To: <199412082010.OAA00148@omaha.omaha.com>
Message-ID: <199412082052.OAA21137@pentagon.io.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: Alex Strasheim <alex@omaha.com>
> 
> In Applied Cryptography, Schneier describes digital cash protocols that
> depend on the cut and choose method [...] Chaum's system uses different
> keys for different denominations. [...]
> 
> I don't understand why anyone would use the cut and choose protocol over 
> denominated keys.  Chaum's method seems a lot cleaner to me and more 
> secure.  It obviously uses less bandwidth.  What am I missing here?

Cut and choose is necessary for several protocols.  It is necessary for
cash protocols that do not use blinding, it is necessary for the cash
protocols that include identification, and in general it is necessary for
any protocol where the signer does not know the contents of what they are
signing _and_ the contents need to be formed in a particular fashion.

Denominated keys requires the user (the one accepting the packet and
verifying it) to keep track of more information, such as which keys
correspond to which denominations.  In cut and choose the end user only
needs to know one key and the other information is carried in the packet
itself.  There is a cost in each system, it is just a question of who bears
the cost and what abilities the cost gives the system...

jim




Thread