Ecash is becoming an inevitable topic these days. In a climate of discord over virtually all proposals circulating today, ecash stands out as a protocol that can be implemented today without any alteration or change to the bitcoin protocol.
The ability to deploy an application or protocol without relying on changes to bitcoin is something incredibly valuable in the current climate, so it's no surprise that the Cashu ecash protocol is quickly starting to gain a foothold on the margins. Adoption is starting to happen on platforms like Nostr, and cross-mint settlement on the Lightning Network makes Cashu wallets a viable alternative to things like Wallet of Satoshi, which are easy-to-use Lightning wallets.
Ecash is likely to become an increasingly popular piece of the bitcoin ecosystem, and Cashu in particular has been incredibly successful in encouraging multiple compatible implementations.
The Cashu developers have a comprehensive plan for an ecosystem built around the protocol to address some of the fundamental problems of the ecash trust model, as well as different specific use case needs. Let's review the vision of the Cashu ecosystem.
Blind signatures
The core of every ecash protocol is a blind signature scheme. This is the mechanism that allows a centralized entity to process ecash payments while preserving the privacy of its users.
To begin, a user who wants to mint a token generates a random value. This is the actual ecash token. Generating it themselves ensures that the token stays solely in their possession. But that alone is not enough, since anyone can generate a random value: the ecash mint operator must notarize the token with a signature.
The problem is that if the mint sees the token when it signs it, it will know who it signed it for, and it will be able to tell who made a payment when someone else later presents that token for redemption. To address this, the user generates a second random value, a blinding factor, before the mint notarizes the token. Blinding essentially multiplies the token value by the blinding factor.
The user then hands the blinded token to the mint to sign. This leaves you with a problem: the mint signed the blinded token, not the plaintext one. Because of how the blinding scheme and the underlying cryptography work, you can apply the reverse of the blinding operation to the signature and unblind it.
This leaves you with a valid signature over the plaintext token, and ensures that when it is redeemed the mint has no idea when it signed it or for whom. That's ecash in a nutshell (get it?).
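The steps above, worked through in code for the particular scheme Cashu uses (a blind Diffie-Hellman key exchange on secp256k1). This is an added example and not code from the Cashu project; the curve arithmetic is written out in pure Python so it runs offline, and the domain separator and counter encoding in hash_to_curve follow the NUT-00 definition as I understand it, so treat those two details as assumptions.

```python
import hashlib, secrets
# secp256k1 parameters: the curve Cashu's blind signature scheme (BDHKE) runs on
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    lam = (3 * p[0] * p[0] * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def hash_to_curve(secret: bytes):
    """NUT-00 hash_to_curve (assumed): Y = point('02' || SHA256(SHA256(domain || secret) || counter))."""
    msg_hash = hashlib.sha256(b"Secp256k1_HashToCurve_Cashu_" + secret).digest()
    for ctr in range(2 ** 32):
        x = int.from_bytes(hashlib.sha256(msg_hash + ctr.to_bytes(4, "little")).digest(), "big")
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                # square-root candidate (P = 3 mod 4)
        if x < P and y * y % P == rhs:
            return (x, y if y % 2 == 0 else P - y)   # even y, as the '02' prefix demands

def blind(secret: bytes):  # user: Y = H(secret), pick r, send B_ = Y + r*G to the mint
    r = secrets.randbelow(N - 1) + 1
    return r, add(hash_to_curve(secret), mul(r, G))
def sign_blinded(k: int, B_):  # mint: notarize without ever seeing Y; C_ = k*B_
    return mul(k, B_)
def unblind(C_, r, K):  # user: C = C_ - r*K = k*Y, the signature on the plaintext token
    return add(C_, mul(N - r, K))
def verify(k: int, secret: bytes, C):  # mint at redemption: does C equal k*H(secret)?
    return mul(k, hash_to_curve(secret)) == C

def demo():  # round trip with constructed values; returns (valid, wrong_secret_rejected, B_ hides Y)
    k = secrets.randbelow(N - 1) + 1; K = mul(k, G)  # mint keypair for one denomination
    secret = secrets.token_hex(32).encode()          # the user's random token value
    r, B_ = blind(secret)
    C = unblind(sign_blinded(k, B_), r, K)
    return verify(k, secret, C), not verify(k, b"other", C), B_ != hash_to_curve(secret)
```

Note that the mint only ever sees B_ and, at redemption, the secret and C; it never links the two because the blinding factor r never leaves the wallet.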
Small local mints
Cashu's goal is to be a simple, lightweight protocol that is easy to implement, integrate, and build on. The vision is an ecosystem of a large number of very small, locally run mints, all interconnected via the Lightning Network. Instead of focusing on larger mints whose network effects allow direct transfers of tokens between users, which incentivizes concentrating massive amounts of bitcoin in the hands of a few trusted counterparties, the developers envision much smaller, localized operators holding far less value.
This allows users to trust people with whom they have closer relationships, and lets each user depend on an operator much closer to their own social circle. Lightning is what makes this possible: instead of having to convince everyone to accept tokens from your mint, you simply redeem your tokens over Lightning and the recipient receives tokens from their own mint.
The strategy here leans on the reality of Dunbar's number, the maximum number of people with whom someone can mentally maintain a meaningful relationship or degree of trust.
Mint discovery on Nostr
Feeding into the general idea of fostering numerous local mints in people's circle of trust, the new Nostr discovery protocol is a huge component of the long-term functioning of a Cashu ecosystem. Nostr is based on the idea of users' identities being linked to self-custodied cryptographic keys, ensuring that no one but them can transmit messages attributed to their identity.
Nostr's current main use case is social media, which, combined with its key-based identity scheme, provides a powerful foundation for a very old concept in cryptography: the web of trust. Cashu is taking advantage of this to let users discover mints they could potentially use.
Anyone using a Cashu wallet that supports the feature can, with their Nostr key, locate mints and see which mints are used by people they know, trust, and interact with. This can form a reputation system that lets them make more informed decisions about which Cashu mints to trust with their funds, rather than blindly guessing and hoping they don't get burned at some point.
The more mints that are online, and the more people who use them and have Nostr identities, the stronger this reputational web of trust will become over time. Naturally, this should help weed out malicious or unknown mints and provide users with a solid set of honest and trustworthy mint operators to choose from.
Using multiple mints
The basic concept of a diverse ecosystem of mints for users to choose from is a solid foundation for a market-based system of open and competitive optionality for users. But things can go even further. A single user can use multiple mints.
Users can distribute their balance across multiple mints and, using a variant of multi-path payments, initiate a single payment over the Lightning Network to one destination with portions of the payment originating from many different mints with which they hold balances. This spreads the counterparty risk of storing your funds with custodians across many of them, without sacrificing the ability to make seamless payments to people who use different mints than you.
This is made possible by mints running custom software that allows one mint to pay only part of a Lightning invoice, leaving the other mints the user holds funds with to pay the remaining parts. As long as each mint successfully routes its portion to the final destination, the payment succeeds.
With further customization of the mints' Lightning nodes, it is even possible to let users receive a payment into multiple mints. If mints support the user's wallet generating the preimage that finalizes the payment, instead of the mint generating it, each mint used to receive funds can issue its own invoice where the receiving user controls the release of the preimage. As long as each participating mint receives its routed HTLC, the user can release the preimage to all of them and successfully distribute the received funds across the mints.
This scheme can greatly reduce the risk of loss of funds from any single mint failing and, in combination with the Nostr discovery protocol and its associated web of trust, can dramatically improve user security.
Programmable money
One of the most useful aspects of Cashu is the ability to program script functionality into a Cashu token, in the same way that a real bitcoin UTXO can be locked with a program written in Bitcoin Script. Cashu tokens can encode arbitrary script conditions before the token is blinded for notarization by the mint, and when the token is redeemed later, the mint can refuse to redeem it unless those script conditions are met.
Currently, Cashu has implemented a public key lock script, which requires a signature of the specified public key in order to redeem the token. This allows tokens to be minted that are locked and can only be redeemed by the holder of a specific private key. Once the token is minted with the public key lock, it is impossible for anyone else to redeem it.
This can be used to enable secure payments when the recipient is offline. Even without an internet connection, as soon as they receive the token from the sender, they can be sure once they verify the mint's signature that no one else can redeem the token. They can safely accept it as payment knowing that they can redeem it later at a convenient time.
This introduces a bit of complexity, as a sender has to lock tokens to a specific receiver in advance if they don't have an internet connection at the time of spending. Since very often people don't know exactly how much they will spend somewhere, this creates the problem of potentially allocating too much money with no chance of getting it back if they don't spend it.
But the script can support many things: tokens could be created that require the signature of a specific public key, or that anyone can redeem after a certain time has passed, something analogous to an HTLC. The Cashu specification also defines an actual HTLC token script.
As time goes on and more use cases are desired, the scripts with which people can lock Cashu tokens can be expanded arbitrarily based on the needs of users and mint operators. I hope this becomes a very powerful aspect of the protocol in the long term. It could support escrow services, multi-signature tokens, and a wide variety of arbitrary smart contracts. Cashu mints can enforce any script conditions that bitcoin can, and much more.
The big picture
People use custodians. They always have and probably always will, regardless of how much flexibility non-custodial solutions offer. It is simply a reality that some people cannot, or do not want to, take on the responsibility or deal with the complexity of self-custody.
Cashu aims to be a radical improvement for users of custodial services: something that can provide privacy, censorship resistance, and flexibility to users who otherwise wouldn't have access to these things given the way traditional custodial services are designed.
The goal of the Cashu project is not to “scale bitcoin” using custodians, but to offer an improved and private system for users of custodial services. I think this is a laudable goal and, in the long term, has enormous potential to be a great benefit to these users.