Cashu
Status
Mainnet
Type
Chaumian Ecash Protocol
TVL
₿0
Associated Layers
Lightning Network, nostr
The concept of blind signatures and electronic cash was first introduced by David Chaum in 1982 in his paper titled “Blind Signatures for Untraceable Payments“. Cashu is an Ecash protocol based on David Wagner’s variant of Chaumian blinding which uses the Blind Diffie-Hellman Key Exchange (blind ecash) scheme. It was first introduced in 2022 by its creator Calle, a pseudonymous Bitcoin and Lightning Network developer. Cashu is an open-source protocol with well-defined specifications, called NUTs (Notation, Usage, and Terminology), which are followed by mints and wallets. An Ecash system consists of two parts, the mint and the Ecash wallet that stores digital bearer tokens. Anyone can run a mint for their application, be it a wallet, a web paywall, paid streaming services or a voucher and rewards system. There are several libraries that allow developers to build their respective services. Using blind signatures assures users’ privacy towards the mint when transacting with Ecash tokens. This functionality allows building custodial Bitcoin services that provide a superior user experience and privacy.
Risk Bits
Bridge custody: One mint, one entity - a single point of failure
A Cashu mint is operated by a single entity that custodies users’ funds in return for issuing bearer Ecash tokens. If the mint gets hacked, becomes unresponsive or turns malicious, token redemption is at risk.
Fractional reserve banking due to challenging liabilities audit
Ecash tokens represent a claim on bitcoin held by the mint. Due to the blinded mechanism the mint uses during the token issuance process, an audit of its liabilities towards the users remains a challenge. A Proof of Liabilities scheme has been proposed, without open source code of an implementation being available to date. Such a scheme would introduce a UX tradeoff with a liveness requirement of the user in the defined key rotation period.
Core Technology Components
Chaumian blinding
Chaumian blinding works by allowing a message to be signed without revealing its content to the signer itself. The process involves a blinding factor that obscures the message. The signed blinded message is unblinded by the creator of the message using the original blinding factor. This process was broken down in an easy-to-understand video explainer by Rijndael.
Mint module
In the context of Cashu, a mint is a trusted entity that is responsible for issuing (“minting”) and redeeming (“melting”) Ecash tokens. Those tokens act as IOUs and are backed by BTC. It can be thought of as “free banking”, where the bank issued their own bank notes that are backed by gold for example. Having mints hold users’ funds, requires the user to trust the mint to redeem their Ecash when they wish to convert back to BTC. Peg-ins and peg-outs to and from a Cashu mint happen through the Lightning Network. The LN infrastructure is run by the mints themselves or by public and untrusted Lightning gateways (Cashu wallets are not LN wallets). The blinding mechanism ensures that the mint operator remains unaware of users’ account balance or transaction data. While the mint stays unaware of its user base in the current implementation, an optional authentication protocol will be added to the protocol that allows mints to control access to its services. This authentication protocol enables KYC/AML integration with Ecash. Every entity running a Lightning node can run a mint using one of the available implementations. The easiest way to do so is via Nutshell.
Token Issuance
While Ecash itself is an IOU from the mint towards the user, Ecash tokens itself are bearer instruments, which means that the holder of the bearer instrument - in this case a mere data string - is presumed to be the owner of the asset. To receive Cashu tokens, the user has two choices: 1. The user can pay a Lightning invoice issued by its mint of choice, which hands out the Ecash tokens in return. 2. The user receives Ecash from another user. Each mint issues their own tokens.
Token Transfer
The mentioned data string (aka Cashu token) can be sent via any Cashu-enabled wallet (even offline) or via any messaging-supportive medium (e.g. telegram, nostr protocol, .., even radio). To prevent double-spending, the recipient needs to immediately swap its token for a new one with the help of the respective mint. However, if it’s a P2PK locked token, the sender can’t double-spend; the receiver can even be offline and swap at a later point in time. Using a Cashu wallet, and the sender and recipient are using the same mint (a user can use as many mints as desired), results in a seamless process where the mint simply melts the senders’ token and mints a new one for the recipient. Inter-mint transfers are facilitated through the “Multimint Swap functionality”, which operates via Lightning invoices under the hood. A Lightning MPP (Multi-Path Payment) equivalent, called “Multinut Payments” has recently been implemented in Cashu via NUT15. Cashu also offers Cashu addresses, an LNURL service.
Wallets
Cashu wallets manage Ecash transactions. Unlike traditional Lightning wallets, Cashu wallets do not operate a Lightning node. Instead, they leverage the Cashu protocol to interact with Cashu mints, which handle the Lightning infrastructure and custody users’ funds. This setup requires users to trust the mint with the redemption of their Ecash back to Lightning. Numerous Cashu wallets are available: native app wallets, web wallets and headless CLI wallets. They all adhere to the mandatory Cashu NUTs to ensure standardization and security. They differ for example in Tor support, nostr integration and add different of the optional NUT specifications. For easy integration of Cashu payments into any application, a CDK is being developed. Cashu-ts is the most popular wallet library to date.
Backups
Cashu tokens are bearer asset tokens, meaning the data stored in the wallet (browser local storage) represents the actual money. Consequently, if this storage gets wiped, funds will be lost. Backups all support the same seed phrase mechanism. Cashu.me has the additional option to exported the backup and Minibits offers a local append-only backup of all ecash in a database separate from the wallet storage. To move your Cashu tokens to another wallet implementation, you can make a wallet-to-wallet transfer or melt and re-mint via LN.
Use Cases
Better custodial experience through enhanced users’ privacy
Cashu aims at providing a better custodial experience by enhancing privacy and therefore protecting users’ data: the custodian would not - in contrast to the current state - learn about users’ account balances, nor about their transaction history or spending habits.
Censorship resistance against a particular user
The custodian can deny a peg-out to BTC, but cannot do so against a specific user, as the mint doesn’t know who redeems the Cashu token for BTC, making Ecash custodial, but censorship-resistant. Moreover, users benefit from the ability to easily choose between different mints, without going through a cumbersome registration process. Mints will be able to limit access to their mint through an optional authentication protocol.
Cashu as credit tokens to unlock toll gates
Cashu tokens carry voucher-like properties. Those tokens can be used to get (privacy-preserving) and accountless access to online services through toll gates: be it an internet connection, anonymous API access, a VPN service, pay-per-request for LLM prompts.
Programmable Ecash
The token can furthermore carry additional spending restrictions (NUT11) by using P2PK. This enables time-locked payments, multi-sig transactions or conditional payments.
Submarine nuts? (Submarine Swap equivalent)
Ecash-based HTLCs can be atomically linked to Ecash HTLCs (Calle). This might enable a submarine swap-equivalent (BTC-LN), called “submarine nuts” (Cashu <--> LN), meaning LN nodes can assist one another in receiving funds even if they lack any channels or inbound liquidity.
Cashu via nostr
Cashu tokens can be sent via nostr, an open protocol that enables a truly censorship-resistant and global social network. The message is an encrypted NIP-04 DM. Nostr Wallet Connect (NWC) will further enable users to zap other users with Cashu tokens. A new zap protocol for nostr based on Cashu ecash was recently proposed.
Stablenuts: USD Ecash, backed by BTC (Stablesats equivalent)
Stablenuts was tested as a Cashu USD mint supported by a Strike Lightning BTC wallet. It enables the conversion of Lightning BTC to Ecash USD and back to Lightning BTC, potentially running on DLCs, USDT, LNMarkets, Stablesats, or any fiat-stable Bitcoin rails. A non-Strike-based version was introduced in March 2024, with its first tests in April 2024. Boardwalk introduced the first dollar-based Cashu wallet built on Bitcoin and connected to nostr shortly after.
Free City monetary unit
Seemingly there has already been an attempt in the 1990s to use a form of Chaumian Ecash, called “DMT” in Costa Rica. Current tests are aiming at the (much) smaller version of a Free City, which is a private event, like a conference or a festival.
Additional Considerations
Privacy chokepoints (user-inflicted) (Cashu FAQ)
While Cashu token transfers provide the transacting entity with an incomparable degree of privacy, there’s some chokepoints to bear in mind: not using a VPN/Tor/mixnet, etc, when interacting with the mint, may leak network metadata. The mint might collect network data such as access time, IP addresses and or other metadata users might leak information when melting their tokens with the mint and receiving Bitcoin via LN in return. The privacy characteristics of a recipient on LN apply in this case.
Source Code
Code is open source
All code related to the Cashu project is free and open source.
Knowledge Bits
Learn more