Karl Barrus posted this, and I've been meaning to respond to it. Basically Karl's scheme doesn't work. With any cut-and-choose protocol, there must be some assurance that the two things offered

What? It doesn't work? Care to elaborate? I mean, a person can satisfy to any degree desired that the last unblinded document is of a particular value. I agree that it becomes real expensive to do so, and for digital banking purposes, there are several alternatives: 1) all cash is of same denomination, 2) different exponents for different denominations, 3) different keys for different denominations. I think I mentioned the application towards digital cash is a bit forced because of the above. The real point is in avoiding signing a blinded document that is later unblinded to reveal something undesirable, in which case the signature and the document signed have value. The application of cut-and-choose I described applies best when for some reason (poor choices of the bank?) the document itself contains value, like the denomination it represents. -- Karl L. Barrus: klbarrus@owlnet.rice.edu keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32 "One man's mnemonic is another man's cryptography" - my compilers prof discussing file naming in public directories