From: Alex Strasheim <alex@omaha.com>
In Applied Cryptography, Schneier describes digital cash protocols that depend on the cut and choose method [...] Chaum's system uses different keys for different denominations. [...]
I don't understand why anyone would use the cut and choose protocol over denominated keys. Chaum's method seems a lot cleaner to me and more secure. It obviously uses less bandwidth. What am I missing here?
Cut and choose is necessary for several protocols. It is necessary for cash protocols that do not use blinding, it is necessary for the cash protocols that include identification, and in general it is necessary for any protocol where the signer does not know the contents of what they are signing _and_ the contents need to be formed in a particular fashion.

Denominated keys require the user (the one accepting the packet and verifying it) to keep track of more information, such as which keys correspond to which denominations. In cut and choose the end user only needs to know one key and the other information is carried in the packet itself. There is a cost in each system; it is just a question of who bears the cost and what abilities the cost gives the system...

jim
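The cut-and-choose exchange discussed in this thread, as an added example that is not part of either poster's message: a signer with a single RSA key opens all but one blinded candidate to check the denomination carried in the note, then blind-signs the unopened one. The toy key, the `denom=...;serial=...` note format and all function names are assumptions made for the illustration.

```python
import hashlib, secrets

# Toy RSA key from two Mersenne primes (constructed for this demo, far too small for real use)
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(note: str) -> int:
    """Hash a note to an integer mod N (stand-in for a real padding scheme)."""
    return int.from_bytes(hashlib.sha256(note.encode()).digest(), "big") % N

def make_candidate(denom: int) -> dict:
    """User side: note with a fresh serial, blinded as H(note) * r^E mod N."""
    note = f"denom={denom};serial={secrets.token_hex(8)}"
    r = secrets.randbelow(N - 2) + 2
    return {"note": note, "r": r, "blinded": h(note) * pow(r, E, N) % N}

def bank_sign(cands: list, denom: int, keep=None):
    """Signer side: open every candidate except one, check it, sign the unopened one."""
    keep = secrets.randbelow(len(cands)) if keep is None else keep
    for i, c in enumerate(cands):
        if i == keep:
            continue  # the kept candidate is never opened; only its blinded value is used
        # For opened candidates the user reveals note and r, so the signer can recompute
        if c["blinded"] != h(c["note"]) * pow(c["r"], E, N) % N:
            raise ValueError("opened candidate does not match its blinded value")
        if not c["note"].startswith(f"denom={denom};"):
            raise ValueError("opened candidate carries the wrong denomination")
    return keep, pow(cands[keep]["blinded"], D, N)

def unblind(cand: dict, blind_sig: int) -> int:
    """User side: strip the blinding factor, leaving H(note)^D mod N."""
    return blind_sig * pow(cand["r"], -1, N) % N

def verify(note: str, sig: int) -> bool:
    """Anyone: one public key; the denomination is read from the note itself."""
    return pow(sig, E, N) == h(note)

if __name__ == "__main__":
    cands = [make_candidate(10) for _ in range(5)]
    keep, blind_sig = bank_sign(cands, 10)
    print(cands[keep]["note"], verify(cands[keep]["note"], unblind(cands[keep], blind_sig)))
```

With k candidates and one left unopened, a single malformed candidate escapes inspection with probability 1/k, which is the bandwidth-versus-assurance cost the thread refers to.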