There are some egregious distinctions.
- Attacker identifies his own UTXO, which the community can then decide to blacklist with a checkpointed fork, thus taking away the attacker's income and causing the attack to be a loss.
- Attacker will have a very difficult time purchasing things at a sufficient scale that doesn't identify him in the real world. Whereas stealing balances will be impossible to prove for cut & choose.
- The victims can prove they were double-spent by long-range chain reorganization. This isn't an absolute proof of an attack, but community evidence gathering at any sufficient scale of attack should come to a consensus about the existence of an attack.
- There is no way for any user to opt out of this attack. Whereas users can decide to not use a DE which exhibits being a risk, and/or to not use a block chain which enables such scripting. Thus, in contrast, the community's diligence against this attack is existential. Meaning that the DE (and the general form of scripting that enables it) is likely to be shunned by users/investors once (in theory) the attacks occur. Whereas a 51% attack is likely to be dealt with by community action by increasing hashrate and/or checkpointing.
(Again, I don't see how this attack is specific to cut and choose.)
The problem is fundamental to block chain crypto-currencies. They inherently use a single validation (POW) to cover lots of transactions. The security assumption is that no one attacker can control enough of the transactions to make a rollback worth it.
I will repeat again that the reason is that cut & choose (in theory) alters the economics of a 51% attack and thus (in theory) alters the security of the entire block chain where cut & choose is deployed (or other similar script ... which is why I have posited that multi-sig and for sure Turing-complete scripting is a generalized block chain security hole and scripts in zero knowledge may be the only way to close the hole).
Agreed that the security of block chains is predicated on there not being one (or coordinated) attacker with sufficient resources to perform a sufficiently long-range, lie-in-wait block reorganization. And this is predicated on the cost of the attack AND the potential gain from the attack. Cut & choose alters the economics of the plausibility of the gain from an attack. Mining concentration into pools (which may even be Sybil attacked, so we don't know which pools are controlled by the same entity or which cooperate nefariously) coupled with hashrate rental capacities means that an attack is plausible, except that these attackers don't want to be identified on a well-established block chain (e.g. Bitcoin), because they don't want the community to fight them or otherwise destroy the viability of the block chain (e.g. the Chinese mining cartel allegedly controls 65% of Bitcoin's hashrate). With cut & choose, the 51% attacker can re-sign the DE transactions on the altcoin to pay to himself, but there is no way to prove which transactions were the attacker's and which were the victim's. Propagation is not proof, because nodes can lie about propagation and even be Sybil attacked on the veracity of reported propagation.
The only unequivocal proof is the longest chain rule (LCR).
Thus although we can't prove which of the double-spends are the victim, the victims can provably indicate that they took an order for a good or service from an attacker whom they can identify. Because if the attacker can't receive the good or service, then the attacker can't gain any income from the 51% attack. But with cut & choose, the attacker can't be identified.
Please understand the salient distinction. One general problem that I've observed numerous times in the block chain arena is that the very smart coders and mathematicians/cryptographers seem to have blind spots on economics (and even on the importance of degrees-of-freedom in design).
P.S. Note I added a 4th bulleted point as quoted above.