Ecash has become an unavoidable topic of conversation lately, and in the climate of controversy surrounding just about every proposal floating around these days, ecash stands out as a protocol that could be deployed today without any tinkering or changes to the Bitcoin protocol.
Being able to deploy applications and protocols without relying on changes to Bitcoin is extremely valuable in the current climate, so it’s no wonder the Cashu ecash protocol is starting to gain popularity quickly. Adoption is beginning to ramp up on platforms like Nostr, and mint-to-mint settlement over the Lightning Network makes the Cashu wallet a viable alternative to easy-to-use Lightning wallets such as Wallet of Satoshi.
Ecash is expected to become increasingly popular within the Bitcoin ecosystem, and Cashu in particular has been incredibly successful in facilitating multiple compatible implementations.
Cashu developers have comprehensive plans for an ecosystem built around their protocol to address some of the problems with ecash’s fundamental trust model, as well as the specific needs of various use cases. Let’s take a look at their vision for the Cashu ecosystem.
Blind Tokens
At the core of all ecash protocols is a blind signature scheme, a mechanism that allows a centralized entity to process ecash payments while preserving privacy.
First, the user minting the token needs to generate a random value – this is the actual ecash token. Doing it yourself ensures that the token is kept safe in your possession and not in the possession of anyone else. But that’s not enough – anyone can generate a random value. The ecash minting operator needs to notarize the token with their signature.
The problem is that if the mint sees the token at the time of signing, it can recognize that token when someone comes to redeem it, and therefore knows who paid for it. To address this, before having the token notarized at the mint, the user generates a second random value (the blinding factor). The blinded token is essentially the token value multiplied by the blinding value.
The user then provides the blinded token value to the mint to be signed. The mint has now signed the blinded token value rather than the plaintext one, but the blinding protocol and the underlying cryptography allow the user to unblind the signature by performing the reverse of the operation that was used to blind the token in the first place.
This leaves you with a valid signature over the plaintext token value, and when the token is redeemed, the mint has no idea when, what, or who it was signed for – which is the whole point of ecash (get it?).
Small Local Mints
Cashu’s goal is to be a lean, lightweight protocol that is easy to implement, integrate, and build upon. The vision is an ecosystem of many very small, locally run mints interconnected via the Lightning Network. Rather than focusing on large mints with network effects that allow users to transfer tokens directly between each other, and encouraging the concentration of large amounts of Bitcoin in the hands of a few trusted counterparties, the developers envision smaller, more local operators with smaller amounts of value.
This allows users to place their trust in operators who are close to them, within their own social trust circle. Lightning makes this possible because you don’t have to convince everyone to accept tokens from your mint; tokens are simply redeemed over Lightning and you receive tokens from your own mint.
The strategy here is to lean into the reality of Dunbar’s Number, the maximum number of people with whom a person can have psychologically meaningful relationships or levels of trust.
Mint Discovery Over Nostr
In line with the general idea of encouraging multiple mints around people’s trust relationships, the relatively new Nostr discovery protocol is a big component of the long-term functionality of the Cashu ecosystem. Nostr is built around the idea of tying a user’s identity to a self-managed cryptographic key, ensuring that no one other than the user can broadcast messages associated with that identity.
Nostr’s main use case today is social media, which, combined with its key-based identity scheme, provides a strong foundation for a very old concept in cryptography: the Web of Trust, which Cashu leverages to help users discover potential mints they can use.
Nostr keys allow anyone using a Cashu wallet that supports this feature to find mints and see which mints are used by people they know, trust and interact with. This forms a reputation system that allows people to make more informed decisions about which Cashu mints to deposit their funds with, rather than blindly guessing and hoping they won’t lose out someday.
As more mints come online and users with Nostr identities use them, this network of reputational trust will become stronger over time, naturally sifting out malicious or unknown mints and giving users a choice of honest mint operators they can trust.
Using Multiple Mints
The basic concept of an ecosystem of diverse mints from which users can choose is a solid foundation for a market-based system that provides open, competitive choice for users. But we can go even further: a single user can have access to multiple mints.
Users can spread their balance across multiple mints and utilize a variation of multi-path payments to initiate payments over the Lightning Network with portions of payments from the various mints where they have a balance, to a single destination. This allows users to spread the counterparty risk of storing funds with a custodian across multiple custodians without sacrificing the ability to make smooth payments to those using different mints than themselves.
This is made possible by mints running customized software that allows them to pay only a portion of a Lightning invoice, while the other mints where the user has deposited funds pay the remaining portion of the invoice. As long as each mint successfully routes its part of the payment to the final destination, the payment will be successful.
By further customizing the Lightning node, users can also receive payments across multiple mints. If a mint supports user wallets generating pre-images and finalizing payments on behalf of the mint, then each mint being used to receive funds can issue its own invoice where the receiving user controls the release of the pre-image. As long as each participating mint receives the routed HTLC, users can release pre-images to all mints and successfully distribute received funds across mints.
This scheme significantly reduces the risk of funds being lost by a single mint and, combined with the Nostr discovery protocol and associated web of trust, can significantly improve security for users.
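A small model of the multi-mint receive flow described above, in which the wallet generates the pre-images and releases them only once every mint holds its HTLC. This is an added example, not code from the article or from any Cashu implementation; the Mint class, its methods and receive_split are hypothetical names, and Lightning routing is reduced to a set of mints the HTLC reached.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Mint:
    """Hypothetical mint whose node holds an HTLC until the wallet releases the pre-image."""
    name: str
    payment_hash: bytes = b""
    invoiced: int = 0   # sats requested by this mint's invoice
    held: int = 0       # sats locked in an incoming, unsettled HTLC
    credited: int = 0   # sats issued to the user as ecash after settlement

    def issue_invoice(self, payment_hash: bytes, amount: int) -> None:
        # The wallet supplies the hash, so the mint cannot claim the HTLC by itself.
        self.payment_hash, self.invoiced = payment_hash, amount

    def htlc_arrived(self) -> None:
        self.held = self.invoiced

    def settle(self, preimage: bytes) -> bool:
        if not self.held or hashlib.sha256(preimage).digest() != self.payment_hash:
            return False
        self.credited, self.held = self.credited + self.held, 0
        return True

def receive_split(parts, routed):
    """parts: list of (Mint, sats); routed: names of mints the sender's HTLC reached.

    Returns True only if every part settled. Otherwise no pre-image is released,
    no mint can claim its HTLC, and the sender's funds return when the HTLCs expire.
    """
    preimages = {}
    for mint, amount in parts:
        preimages[mint.name] = secrets.token_bytes(32)  # stays in the wallet
        mint.issue_invoice(hashlib.sha256(preimages[mint.name]).digest(), amount)
        if mint.name in routed:
            mint.htlc_arrived()
    if any(mint.held == 0 for mint, _ in parts):
        return False
    return all(mint.settle(preimages[mint.name]) for mint, _ in parts)
```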
Programming your money
One of the most useful things about Cashu is that ecash tokens can have scripted functionality programmed into them, just as actual Bitcoin UTXOs can be programmatically locked using Bitcoin script. Cashu tokens can have script conditions encoded into them before they are blinded so that the mint can notarize them, and later when the token is redeemed the mint can refuse to redeem the token unless those arbitrary script conditions are met.
Currently, Cashu implements a public key locking script, which requires a signature from a specified public key to redeem a token. This allows you to create tokens that are locked and redeemable only by the holder of a specific private key. After a token is created with a public key lock, no one else can redeem it.
It allows for secure payments even when the recipient is offline. Even if you don’t have an internet connection, when you receive a token from the sender, you can verify the mint’s signature and be assured that no one else can cash it. You can safely accept it as payment, knowing that you can cash it later at your convenience.
This adds a bit of complexity: the sender must pre-lock tokens to specific recipients in case they don’t have an internet connection at the time of spending. This creates the problem that people often don’t know exactly how much they’ll spend at any one time, so they may lock up large amounts of money with no way to get it back if they don’t spend it.
But scripts can support a lot of things: you can create tokens that require a signature from a specific public key, or that require a signature from someone after a certain amount of time has passed, something similar to an HTLC. The Cashu spec also defines the actual HTLC token script.
Over time, as more use cases emerge, the scripts that Cashu tokens can be locked to can be expanded arbitrarily based on the needs of users and mint operators. In the long term, we expect this to be a very powerful aspect of the protocol. It can support escrow services, multi-signature tokens, and a wide variety of arbitrary smart contracts. Cashu mints can execute any script condition that Bitcoin can.
The Big Picture
People will use custodians. That’s what people have always done and probably always will, regardless of how much flexibility non-custodian solutions offer. It’s just a fact of life that some people can’t or don’t want to take on the responsibility or deal with the complexities of self-custody.
Cashu aims to be a fundamental improvement for users of custody services – bringing privacy, censorship-resistance, and flexibility to users who don’t have access to them because of the way traditional custody services are designed.
The goal of the Cashu project is not to “extend Bitcoin” with custodians, but to provide an improved and private system for users of custody services. This is a laudable goal, and one that we believe has the potential to be of great benefit to these users in the long run.