Ecash & Cashu

Scaling Bitcoin Privacy


thesimplekid

Cashu Dev Kit Maintainer

A Brief History

David Chaum (1982)

The "Godfather of Privacy"

  • Invented Blind Signatures.
  • Goal: Electronic cash that preserves the anonymity of paper cash.
  • "Privacy is necessary for an open society in the electronic age."
    — Eric Hughes, A Cypherpunk's Manifesto (1993)

DigiCash (1990-1998)

The first real-world implementation.

Why did it fail?

It relied on Banks and Fiat rails.

It was ahead of its time. It needed a settlement layer like Bitcoin to truly work.

Banks vs. Mints

How is data stored?

🏛️ Traditional Bank

The "Account" Model

ID: Alice
Balance: $100
History:
  - coffee: $5
  - salary: +$200

  • Bank knows who you are.
  • Bank knows how much you have.
  • Bank sees every transaction.

🥜 Cashu Mint

The "Bearer" Model

Promissory Notes Issued:
  - Sig_A (Blind): 64 sats
  - Sig_B (Blind): 32 sats
  - Sig_C (Blind): 4 sats

  • Mint knows it issued a token.
  • Mint does not know who holds it.
  • Mint cannot link issuance to spend.

The Bitcoin Stack

Where does Cashu fit?

🥜 Cashu Custodial / Private / Instant
⚡ Lightning Trustless / Fast / Online
⛓️ Bitcoin Trustless / Slow / Base Layer

The Elephant in the Room

⚠️ Important Distinction

Cashu is NOT a trustless "Layer 3" (like Ark or LN).

Cashu is Chaumian Ecash, which is fundamentally custodial.

The Trade-off

  • You Give Up: Trustlessness (Mint can rug).
  • You Gain: Perfect Privacy, Instant Settlement, Offline capabilities.

Risk Mitigation

  • "Pocket Change": Only keep what you can afford to lose.
  • Multi-Mint: Spread funds across 5-10 mints.
  • Self-Custody: Move to L1/LN for long-term storage.

Cashu vs Fedimint

Different trust models, same privacy

Fedimint

Federated Custody

  • m-of-n threshold guardians.
  • Distributed trust across parties.
  • No single point of failure.
  • Higher operational complexity.
  • Best for: Communities with multiple trusted parties.

Cashu

Single Operator

  • Simple to deploy and run.
  • Lightweight protocol (NUTs).
  • Lower barrier for developers.
  • Easy integration into apps.
  • Best for: Apps, personal mints, experimentation.

They coexist! Both use blind signatures for the same privacy guarantees. Multi-mint wallets can hold tokens from Cashu mints and Fedimint federations.

How It Works: Blind Signatures

The "Carbon Paper Envelope" Analogy

  1. Blind: Alice puts a random number (token) in a carbon-paper envelope.
  2. Sign: Alice sends the closed envelope to the Mint. The Mint signs the outside.
  3. Unblind: Alice gets it back and opens the envelope.
  4. Result: Alice has the token with the Mint's signature on it.

The Mint signed it, but never saw the number inside!

Alice                        Mint
  |                            |
  | -- Envelope -->            |
  |    (M blinded)             |
  |                            |
  | <-- Signed ----            |
  |     Envelope               |
  |                            |
(Unblinds to get C)            |
  |                            |
  | -- Token (C) ->            |
  |    (Redeem later)          |

Privacy in Numbers: "Buckets"

If everyone requests custom amounts (e.g., "1337 sats"), they are easily trackable.

The Solution: Standard Denominations

Cashu uses powers of two: 1, 2, 4, 8, 16, 32...


Alice mints 13

8 4 1

Bob mints 5

4 1

When Alice and Bob spend their "4" tokens, the Mint cannot tell them apart.

"Hiding in the crowd"

The Lifecycle: Sending & Receiving

Since a token is just a text string, how do we prevent Alice from spending it after sending it to Bob?

1. The Transfer

Alice sends the token (Proof) to Bob via any channel (Signal, Nostr, QR).

Risk: Alice still has a copy!

2. The "Swap" (Redemption)

Bob immediately contacts the Mint:

Bob -> Mint: "Here is Token A (Alice's). Burn it. Give me Token B (My Secret)."
Mint: "Token A is valid. Burnt. Here is Token B."

Alice's copy is now worthless. Bob has the value.
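
The blind, sign, unblind and swap steps described above, as an added example (not from the talk or the CDK code base). It uses the Diffie-Hellman style blinding on secp256k1 that Cashu is built on; the `Mint` class, the helper names and the simplified `hash_to_curve` are assumptions for illustration, and the curve arithmetic is not constant time.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; fine for a demo, not constant time
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(secret):  # simplified try-and-increment, not the NUT-00 mapping
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(secret + bytes([ctr])).digest(), "big")
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if x < P and y * y % P == (x**3 + 7) % P:
            return (x, y)

class Mint:
    def __init__(self):
        self.k = secrets.randbelow(N - 1) + 1  # signing key for one denomination
        self.K, self.spent = mul(self.k, G), set()
    def sign_blinded(self, B_):  # the mint only ever sees the "envelope"
        return mul(self.k, B_)
    def swap(self, secret, C, new_B_):  # burn an old token, sign a new envelope
        if secret in self.spent or C != mul(self.k, hash_to_curve(secret)):
            return None
        self.spent.add(secret)
        return self.sign_blinded(new_B_)

def blind(secret):  # B_ = Y + r*G, with r known only to the wallet
    r = secrets.randbelow(N - 1) + 1
    return r, add(hash_to_curve(secret), mul(r, G))

def unblind(C_, r, K):  # C = C_ - r*K = k*Y, a signature on the hidden secret
    return add(C_, mul(N - r, K))
```

Issuance is `blind`, then `Mint.sign_blinded`, then `unblind`. Presenting the same `(secret, C)` pair to `Mint.swap` a second time returns `None`, which is why Alice's leftover copy is worthless once Bob has swapped.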

Feature: Multinut Payments

Problem: You have 500 sats in Mint A and 500 sats in Mint B. You need to pay a 1000 sat invoice.

The Solution (MPP)

Cashu wallets utilize Lightning Multi-Path Payments.

  • Mint A pays 500 sats (Part 1).
  • Mint B pays 500 sats (Part 2).
  • Receiver gets one unified payment of 1000.

This significantly reduces custodial risk by allowing you to fragment your balance.

      [Invoice: 1000 sats]
          /          \
         /            \
    [Mint A]        [Mint B]
   (Pays 500)      (Pays 500)
         \            /
          \          /
      [Lightning Network]
               |
        [Receiver Node]

Real World: Accountless Apps

Routstr (AI)

Pay-per-request AI marketplace.

  • No API Keys.
  • No Credit Cards.
  • Just attach an Ecash token header to your HTTP request.
  • X-Cashu: eyJ...

Hashpool (Mining)

Mining pool shares as Ecash.

  • No user accounts.
  • "eHash" tokens represent work.
  • Instant, private payouts.
  • Eliminates minimum payout thresholds.

Real World: Chorus

Censorship-Resistant Community Building

Nostr + Cashu

  • Nostr: Decentralized communication (Identity & Social).
  • Cashu: Private funding (Value).

The Benefit

Communities can organize and raise funds without fear of de-platforming or banking censorship.

"Freedom of Speech meets Freedom of Transacting"

The Expanding Ecosystem

Wallets

  • Mobile: Minibits, eNuts.
  • iOS: Macadamia, Sovran.
  • Web: Cashu.me, Nutstash.
  • CLI: Nutshell.

Libraries & Tools

  • Core: CDK (Rust/Kotlin/Swift), cashu-ts (JS).
  • Mints: Nutshell (Python), Mintd (Rust).
  • Tools: Cashu.live (Status), Testnut.cashu.space.

Live Demo

Let's look at Cashu.me (Web Wallet) and Nutstash.


Scenario:

  1. Create a wallet (no account needed).
  2. Mint some tokens via Lightning.
  3. Send tokens to a friend via a link (Token passing).

Building on Cashu

Cashu Dev Kit (CDK)


// Rust Example: Minting Tokens
let mint_url = "https://mint.cashu.space";
let wallet = Wallet::new(mint_url, currency_unit);

let quote = wallet.mint_quote(Amount::from(1000)).await?;
// ... pay invoice ...
let tokens = wallet.mint(&quote.id).await?;
        

Available in Rust, Python, TypeScript, Go, Kotlin.

Thank You!


Get Involved

Telegram: @CashuBTC

GitHub: cashubtc


Presentation built with HTML/CSS
