Ecash has become an unavoidable topic. In a climate of disagreement over almost every proposal being put forward, ecash stands out as a protocol that can be deployed today without any changes to the Bitcoin protocol.
The ability to deploy an application or protocol without relying on changes to Bitcoin is incredibly valuable in the current climate, so it's no surprise that the Cashu ecash protocol is quickly coming to dominate the ecash space. Adoption is starting to happen on platforms like Nostr, and inter-mint settlement via the Lightning Network makes Cashu wallets a viable alternative to things like Wallet of Satoshi as easy-to-use Lightning wallets.
Ecash is likely to become an increasingly popular part of the Bitcoin ecosystem, and Cashu in particular has been incredibly successful in encouraging multiple compatible implementations.
Cashu's developers have a comprehensive vision for the ecosystem built on the protocol, one that addresses some of the fundamental trust-model issues of ecash as well as different use cases and specific needs. Let's review that vision for the Cashu ecosystem.
Blind signatures
The core of every ecash protocol is a blind signature scheme. This is the mechanism that enables a central entity, the mint, to process ecash payments in a privacy-preserving manner.
To get started, the user minting a token must generate a random value. This random value is the ecash token itself. Creating it themselves ensures that the token is in their possession and no one else's. But this is not enough: anyone can generate a random value. The mint operator needs to authenticate the token with a signature.
The problem is that if the mint sees the token when it signs it, it will recognize that token when someone else later presents it for redemption, and so can tell who made the payment. To address this, the user generates a second random value, a blinding factor, before the mint signs the token. Blinding the token is basically multiplying the token value by the blinding factor.
The user then submits the blinded token to the mint for signing. This leaves a problem, though: the mint has signed the blinded value, not the plaintext value. Given how the underlying signature and blinding scheme works, the user can reverse the operation that blinded the token to unblind the signature.
This leaves the user with a valid signature over the plaintext token, and ensures that when it is redeemed, the mint has no idea when it signed it, which token it was, or for whom. That's Cashu in a nutshell (get it?).
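The blinding, signing and unblinding steps above, written out as an added example that is not the Cashu project's own code. Cashu's actual scheme is a blind Diffie-Hellman key exchange on secp256k1: the user's secret x is hashed to a point Y, blinded as B_ = Y + rG, signed by the mint as C_ = kB_ and unblinded to C = C_ - rK = kY. This example keeps exactly that structure but moves it to a multiplicative group mod a toy 62-bit safe prime, so the blinding step is literally a multiplication and no curve library is needed; the Mint/wallet names, the key and modulus sizes, and the sample values are this example's own assumptions.

```python
import hashlib, secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, exact below 2**64

def is_prime(n: int) -> bool:
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            continue
        return False
    return True

def safe_prime(bits: int = 62) -> int:   # first p = 2q + 1 with p, q prime above 2**(bits-1)
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime()   # toy-sized modulus; its quadratic residues form a subgroup of prime order Q
Q = (P - 1) // 2
G = 4              # a quadratic residue other than 1, hence a generator of that subgroup

def hash_to_group(secret: str) -> int:   # analogue of Cashu's hash_to_curve
    h = int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % P
    return pow(h, 2, P)                  # squaring maps h into the subgroup

class Mint:
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1   # private key, never leaves the mint
        self.K = pow(G, self.k, P)              # public key, published to wallets
        self.spent = set()                      # secrets already redeemed
    def sign_blinded(self, B_: int) -> int:     # the mint only ever sees B_, never Y
        return pow(B_, self.k, P)
    def redeem(self, secret: str, C: int) -> bool:   # valid iff C == Y**k and unspent
        if secret in self.spent or C != pow(hash_to_group(secret), self.k, P):
            return False
        self.spent.add(secret)
        return True

def wallet_mint_token(mint: Mint):   # wallet side: choose secret, blind, get signed, unblind
    x = secrets.token_hex(32)                   # the ecash secret, chosen by the user
    r = secrets.randbelow(Q - 1) + 1            # blinding factor, also user-chosen
    B_ = hash_to_group(x) * pow(G, r, P) % P    # blinded message Y * G**r, sent to the mint
    C_ = mint.sign_blinded(B_)                  # = Y**k * K**r
    C = C_ * pow(pow(mint.K, r, P), -1, P) % P  # divide out K**r, leaving Y**k
    return x, C
```

The mint's `redeem` check is the whole security argument: it recomputes Y**k from the revealed secret, so a token is accepted only if it was really signed, and the spent set stops the same secret from being redeemed twice.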
Small, local mints
Cashu is intended to be a simple, lightweight protocol that is easy to implement, easy to integrate, and easy to build on. The vision is an ecosystem of a large number of very small mints operating locally and interconnected via the Lightning Network. Instead of focusing on larger mints whose network effects allow tokens to be transferred directly between users, which incentivizes the concentration of massive amounts of bitcoin in the hands of a few trusted counterparties, the developers envision much smaller, lower-value, local operators.
This allows users to place their trust in the people with whom they have the closest relationships, and lets each user rely on a custodian much closer to their own social circle of trust. Lightning enables this: instead of having to convince everyone to accept tokens from your mint, you can simply redeem them over Lightning and let the recipient receive tokens from their own mint.
The strategy here leans on Dunbar's number, the maximum number of people with whom someone can maintain a meaningful relationship or degree of trust.
Mint discovery on Nostr
Feeding into the general idea of encouraging multiple local mints within people's circles of trust, the new Nostr discovery protocol is a huge component of the long-term success of the Cashu ecosystem. Nostr is built around the idea of tying users' identities to cryptographic keys they generate and hold themselves, ensuring that no one else can broadcast messages attributed to their identity.
The primary use case for Nostr currently is social media, which, combined with its key-based identity scheme, provides a strong foundation for a very old concept in cryptography: the web of trust. Cashu takes advantage of this to let users discover which mints they can use.
With their Nostr key, anyone using a Cashu wallet that supports this feature can discover mints and see which mints other people know, trust, and interact with. This can form a reputation system that lets them make more informed decisions about which Cashu mints to trust with their money, rather than blindly guessing and hoping the mint won't run off with their funds at some point.
The more mints come online, and the more of the people using them have Nostr identities, the stronger the web of reputational trust becomes over time. This should naturally filter out malicious or unknown mints and give users a strong pool of trustworthy, honest mint operators to choose from.
Using multiple mints
The basic concept of a diverse ecosystem of mints that users can choose from is a solid foundation for a market-based system with open and competitive options for users. But it can go further than that: a single user can benefit from using multiple mints.
Users can spread their balance across multiple mints and, using multi-path payments, initiate a single payment across the Lightning Network to one destination with portions of the payment originating from the different mints they hold balances at. This spreads the counterparty risk of storing funds with custodians across several of them, without sacrificing the ability to make seamless payments to people who use a different mint than you.
This is made possible by mints running custom software that lets a mint pay only part of a Lightning invoice, allowing the other mints you hold funds at to pay the remaining parts. As long as each mint successfully routes its share to the final destination, the payment succeeds.
It is even possible to further customize mints' Lightning nodes to let users receive a payment in batches across a set of mints. If a mint supports the user's wallet, rather than the mint, creating the preimage that finalizes the payment, each mint used to receive funds can issue its own invoice while the receiving user controls the release of the preimage. As long as each participating mint receives its routed HTLC, the user can release the preimage for all of them and successfully distribute the received funds across the mints.
This scheme can significantly reduce the risk of losing funds to any single mint failing, and in combination with the Nostr discovery protocol and the associated webs of trust can significantly improve users' security.
Programmable money
One of the most useful aspects of Cashu is the ability to program script conditions into an ecash token, much as a real Bitcoin UTXO can be locked with a program written in Bitcoin Script. Cashu tokens can embed script conditions before the token is blinded for mint authentication, and when they are later redeemed, the mint can refuse to redeem the token unless those arbitrary script conditions are met.
Currently, Cashu has implemented a public-key lock, which requires a signature from the specified public key to redeem the token. This allows minting locked tokens that can only be redeemed by the holder of a specific private key. Once a token is minted with a public-key lock, it becomes impossible for anyone else to redeem it.
This can be used to enable secure payments when the recipient is offline. Even without an internet connection, once they receive the token from the sender, they can verify the mint's signature and know that no one else can redeem the token. They can safely accept it as payment knowing they can redeem it later at a convenient time.
This introduces some complexity, as the sender has to lock tokens to a particular recipient ahead of time if they will not have an internet connection at the time of spending. Given that people often don't know exactly how much they will spend somewhere, this creates the problem of potentially setting aside too much money with no way to get it back if it isn't spent.
But the scripts can support many things, and tokens can be generated that require a signature from a specific public key, or from anyone after a certain period of time has passed, similar to an HTLC. The Cashu specification also defines an actual HTLC script.
As more use cases are desired over time, the scripts people can lock Cashu tokens with can be expanded arbitrarily based on the needs of users and mint operators. I expect this to become a very strong aspect of the protocol in the long term. It can support escrow services, multi-signature tokens, and a wide variety of arbitrary smart contracts. A Cashu mint can enforce any script condition that Bitcoin can, and many more.
The Big Picture
People use custodians. They always have, and they likely always will, no matter how much flexibility non-custodial solutions offer. It's just a fact of life that some people can't or don't want to take on the responsibility or deal with the complexity of self-custody.
Cashu aims to be a radical improvement for users of custodial services: something that can provide privacy, censorship resistance, and flexibility to users who otherwise wouldn't be able to access these things, given how traditional custodial services are designed.
The goal of the Cashu project is not to “scale Bitcoin” with custodians, but to offer an improved and private system for users of custodial services. I think this is a laudable goal, and in the long run it has huge potential to greatly benefit those users.