Cashu: A Vision For A Bitcoin Powered Ecash Ecosystem

Ecash is becoming an unavoidable topic these days. In a climate of contention over pretty much every proposal floating around these days ecash stands out as a protocol that can be deployed today without any alterations or changes to the Bitcoin protocol.

The ability to deploy an application or protocol without depending on changes to Bitcoin is an incredibly valuable thing in the current climate, so it is no surprise that the Cashu ecash protocol is starting to rapidly take hold on the fringes. Adoption is starting to occur on platforms like Nostr, and inter-mint settlement across the Lightning Network makes Cashu wallets a viable alternative to things like Wallet of Satoshi as easy to use Lightning wallets.

Ecash is likely going to become an increasingly popular piece of the Bitcoin ecosystem, and Cashu in particular has been incredibly successful at encouraging multiple compatible implementations.

Cashu developers have a comprehensive plan for an ecosystem built around the protocol to address some of the fundamental trust model issues of ecash, as well as different use cases specific needs. Let’s go through the vision for the Cashu ecosystem.

Blinded Tokens

The core of all ecash protocols is a blind signature scheme. This is the mechanism that enables a centralized entity to process ecash payments in a privacy preserving manner.

To start, users minting a token must generate a random value. This is the actual ecash token. Generating it themselves ensures that the token is securely held in their possession and no one else’s. But that isn’t enough, anyone can just generate a random value. The ecash mint operator needs to notarize the token with a signature.

The problem is if they see the token when they sign it, then they will know who they signed it for and can know who made a payment when someone else comes to them to redeem it. To address this, a second random value, a blinding factor, is generated by the user before having the mint notarize a token. The binding factor is essentially multiplying the token value by the blinding value.

The user then provides the blinded token value to the mint to sign it. This leaves you with a problem though, the mint signed the blinded token value, not the plaintext one. Because of how the blinding protocol and underlying cryptography works, you can do the reverse operation done to blind the token in the first place to unblind the signature.

This leaves you with a valid signature for the plaintext token value, and ensures that when it is redeemed the mint has no idea when, what, or for whom it signed it. That’s ecash in a nutshell (get it?).

Small Local Mints

The goal of Cashu is to be a lean and lightweight protocol that is easy to implement, easy to integrate, and easy to build on. The vision is an ecosystem of large numbers of very small mints running locally all interconnected over the Lightning Network. Rather than focus on larger mints with network effects allowing direct token transfers between users, incentivizing the concentration of massive amounts of bitcoin in the hands of a few trusted counterparties, the developers envision much more small value and localized operators.

This allows users to place trust in people they have closer relationships with, and each user to depend on an operator much closer in their social circle of trust. Lightning enables this, because rather than having to convince everyone to accept tokens from your mint, you simply redeem them and allow them to receive tokens form their own mint.

The strategy here tries to lean into the reality of Dunbar’s number, the maximum number of people someone can mentally have a meaningful relationship or degree of trust with.

Mint Discovery Over Nostr

Feeding into the general idea of encouraging numerous mints local to people’s circle of trust, the newish Nostr discovery protocol is a huge component of the long term functioning of a Cashu ecosystem. Nostr is built around the idea of users' identities being tied to self-custodied cryptographic keys, guaranteeing that no one else but them can broadcast messages attributed to their identity.

Nostr’s primary use case currently is social media, which combined with the key based identity scheme provides a powerful foundation for a very old concept in cryptography: webs of trust. Cashu is leveraging this to allow users to discover mints that they could possibly use.

With their Nostr key, anyone using a Cashu wallet supporting the feature can locate mints, and will be able to see what mints people they know, trust, and interact with use. This can form a reputational system allowing them to make more informed decisions on which Cashu mints to trust their funds with rather than blindly guessing and hoping that they don’t get burned at some point.

The more mints that come online, and the more people using them who have Nostr identities, the stronger this reputational web of trust will become overtime. This should naturally sift out malicious or unknown mints, and give users a solid set of trustworthy and honest mint operators to choose from.

Using Multiple Mints

The basic concept of a diverse ecosystem of mints for users to choose from is a solid foundation for a market based system of open and competitive optionality for users. But things can be taken even further. A single user can make use of multiple mints.

Users can have their balance spread across multiple mints, and utilizing a variant of multipath payments, can initiate a payment over the Lightning Network to a single destination with pieces of the payment originating from many different mints they have balances with. This allows the counterparty risk of storing your funds with custodians to be spread across many of them, without sacrificing the ability to make smooth payments to people using different mints than you.

This is made possible by the mints running customized software to enable a mint to only partially pay a Lightning invoice, allowing other mints you have funds with to pay other chunks of the invoice. As long as each mint successfully routes their payment to the final destination, the payment will succeed.

It is even possible with further customization of their Lightning nodes to allow users to receive a payment to multiple mints. If the mints support a users wallet generating the preimage to finalize the payment instead of the mint, each mint being used to receive funds can issue their own invoices where the receiving user controls the preimage release. As long as each participating mint receives the routed HTLC, the user can release the preimage to all of them and successfully distribute their received funds across the mints.

This scheme can massively reduce the risk of fund loss due to any one mint, and in combination with the Nostr discovery protocol and associated webs of trust can drastically improve user security.

Programming The Money

One of the most useful aspects of the Cashu is the ability to program script functionality into an ecash token the same way that a real bitcoin UTXO is lockable with a program using Bitcoin script. Cashu tokens can encode script conditions before blinding the token for the mint to notarize, and when they are later redeemed the mint can refuse to redeem the token unless those arbitrary script conditions are fulfilled.

Currently Cashu has implemented a lock to public key script, requiring a signature from the specified public key in order to redeem the token. This enables minting tokens that are locked and only redeemable by the holder of a specific private key. Once the token is minted with the public key lock, it is impossible for anyone else to redeem it.

This can be used to enable secure payments where the receiver is offline. Even without an internet connection, as soon as they receive the token from the sender they can be sure once they verify the mint’s signature that no one else can redeem the token. They can safely accept it as payment knowing they can redeem it later at a convenient time.

This introduces a bit of complexity, as a sender has to lock tokens to a specific receiver ahead of time if they do not have an internet connection at the moment of spending. Given that people very frequently don’t know exactly how much they will spend somewhere, this creates a problem of potentially allocating too much money with no way to take it back if they don’t spend it.

But script can support many things, tokens could be created that require a signature from a specific public key, or anyone after a certain amount of time has passed. Something analogous to an HTLC. The Cashu spec also defines an actual HTLC token script.

As time goes on and more use cases are desired, the scripts that people can lock Cashu tokens with can be expanded arbitrarily based on the needs of users and mint operators. I expect this to become a very powerful aspect of the protocol in the long term. It could support escrow services, multisignature tokens, and a large variety of arbitrary smart contracts. Cashu mints can enforce any script condition that Bitcoin can, and much more.

The Big Picture

People use custodians, it is something people have always done, and will likely always do regardless of how much flexibility is offered by non-custodial solutions. It’s just a fact of life that some people can’t or don’t want to take the responsibility or deal with the complexity of self custody.

Cashu aims to be a radical improvement for users of custodial services. Something that can bring privacy, censorship resistance, and flexibility to users who otherwise would not have access to these things with the way traditional custodial services are architected.

The goal of the Cashu project is not to “scale Bitcoin” using custodians, but to offer an improved and private system for users of custodial services. I think this is a laudable goal, and one that in the long term has massive potential to be a huge benefit for these users.