pull down to refresh

I think this is all right. Correct me if I'm wrong...
It took me a long time to wrap my brain around bitcoin (and I'm still wrapping). Lately, I've been taking some time to wrap my brain around Cashu. When I first heard of Cashu, I thought it was merely yet another altcoin...something to leach some of the thunder from bitcoin sats and bolster up Cashu "nuts." With it's 8-bit cartoonish logo and talk of keeping your nuts hidden, it all sounded rather sophomoric, meme sunglasses and all. That was at first and on the surface. Digging in, it's not an altcoin, or juvenile, or a meme. It's a protocol and it's clever.
Cashu info and docs: https://cashu.space

In a sentence or two...

Cashu is an implementation of "Chaumian eCash." It's a way to send bitcoin sats via the Lightning Network (LN), except not actually over Lightning all the time, but instead as ecash over the Cashu protocol.
Alice sends Bob ecash tokens over Cashu, then Bob can hodl the ecash, send the ecash, or redeem those ecash tokens for bitcoin sats at any time if he wishes.
Is this just another solution without a problem? I don't think so. It's true that bitcoin sats can be sent without using ecash via the Cashu protocol. Alice could just send Bob sats over Lightning. Why, then, use Cashu at all?
Cashu seems to have a couple of added benefits:
  1. better privacy - Users, wallets, and wallet amounts are unseen thanks to "blind signatures." In this way, ecash is like regular paper money.
  2. "handability" - Like handing a friend a dollar or a silver coin, or like leaving a $20 bill on the table and walking away, a Cashu token can be handed over. It can be given in any way you can send data...wallet-to-wallet, or a QR scan, an email or text message, or even the Cashu token handwritten on paper (if you want to go through the trouble of scribbling out a long list of characters).
Example of what an ecash token looks like.

Background

Cashu is an implementation of "Chaumian ecash." To understand Cashu, a little pre-bitcoin digital money history is helpful.
David Chaum wrote about "ecash" in 1982, a long time before normal folks used the internet and far before bitcoin. The goal was to allow for digital micropayments. Ahead of its time and ahead of what we might call value-for-value today, the idea was that you might wish to pay a penny or two to read an article: "Good article, here's two cents." There were a few weaknesses however: (1) it had to work with big tech companies to make it fly (and did in fact get huge partnerships), (2) Chaum's company made mistakes, and (3) Chaum's managerial style did it in. Sources: decrypt, https://learn.saylor.org/mod/book/view.php?id=30735, next magazine.
For quite some time, ecash was largely forgotten.
When Bitcoin came along, and especially the Lightning Network, the idea of tiny, fast digital payments became possible. With bitcoin and the LN, Cashu is now resurrecting ecash.
ecash uses bitcoin, the Lightning Network, and the Cashu protocol
People often mistakenly think "bitcoin is anonymous." However, bitcoin transactions are recorded forever and can easily be traced by block explorers. In this way, one's coins and transactions can be followed and possibly reveal a lot of unexpected information about the person.
With Cashu, bitcoin addresses can't be linked back via a series of transactions. There are no breadcrumbs to trace backward. In this way, ecash (and Cashu tokens) are more like the dollar bills in your wallet. No one has any idea where the dollar bill in your wallet came from, where it's been, what it purchased, what the person who held it prior to you did with it, and the owner before that, etc. You just know that dollar bill there in your wallet and it can be used in the future if you wish.

How it works, conceptually

In its essence, there are a couple of players with Cashu: you and a "mint" (think of a mint simply as a bank). You have bitcoin sats. You deposit them in a mint/bank, and the mint issues you Cashu tokens saying you have X amount deposited. You can then pass the Cashu (ecash) tokens around to others, just like passing around cash dollar bills. Or, if you choose, you can redeem those Cashu (ecash) tokens back with the mint/bank whenever you wish and receive bitcoin sats.
This site and its animation helped me better understand Cashu and how it works: https://lconf.gandlaf.com
To start with Cashu, you set up a new wallet (several are listed at https://cashu.space). Thus far, I've only looked at the web-based wallets https://cashu.me and https://nutstash.app. Set it up, save your seed words safely, then play from there.
Notably, Cashu.me seems to be doing big things. This announcement is for a new, overhauled version.
Conceptually, ecash is just better money when compared to fiat. Fiat money is paper, backed by nothing other than the decree that it is money combined with the trust that in fact it actually has value because of this decree. It is circular logic. In fact, "fiat" derives from the Latin meaning "it shall be" or "let it be done" - fiat is money solely due to the decree, "It is money."
Think of how money was supposed to work. The paper was simply a physical representation of an actual, physical something, usually gold. That gold has been acknowledged to be of value by humans throughout history. Gold-backed money meant that swapping the paper for gold was possible...the money actually worked.
Of course, fiat money is no longer backed by anything, so this point is now moot.
But, then came bitcoin.
Instead of gold as the backing agent to paper money, imagine substituting bitcoin. It has all of the qualities of gold, but adds the benefits that it can also be transferred globally, digitally, and quickly. And, instead of paper fiat money, substitute a Cashu token...a string of digital characters. Just as paper money used to represent the physical gold backing it (and could be swapped for it), that Cashu token represents the bitcoin backing it (and can be swapped for it). Like turning back the clock to gold-backed paper money, ecash (via Cashu protocol) is now bitcoin-backed digital money.
  • During the gold-backed money days, you could pass around green papers with George Washington's picture to your friends and neighbors. Then at any point, anyone could take those papers to the bank and exchange them for gold (at least in theory).
  • Now in the bitcoin-backed ecash days, you can pass around cashu tokens with a sunglassed cashew's picture to your friends and neighbors. Then at any point, anyone could take those tokens to the mint/bank and exchange them for bitcoin sats.
It's early still and Cashu is still being developed, so it's probably best to only play around with small amounts of sats. Who knows how far this will pan out? I certainly don't. But, it's fun to play and learn.
The biggest thing people seem to misunderstand with Cashu is that it is simply a strict improvement over "custodial LN", like Alby/CoinOS/Blink/WoS. That is it. If you dont like the tradeoffs you do not have to use it.
Similarities: -rug risk! -hidden slow/fast inflation (although there are people working on addressing this)
Improvements: -privacy -individual censorship resistance -offline send/receive
reply
129 sats \ 1 reply \ @anon 14 May
I used cashu to upvote you.
reply
This is the way
reply
Nice breakdown. Thanks
reply
You as well! Yours was way more structured haha, I just wanted to give a tldr
reply
Alby/CoinOS/Blink/WoS have brand names, web sites and known founders. People will get to them if rugged.
Mints are all anonymous scammers.
reply
Ideally those services all run mints in the future. They can then advertise their inability to individually censor users and improved privacy, while already having an established reputation. Win-win.
reply
Better than anonyms, yes. But they will still be custodians and money transmitters in the eye of the law. They just gave their clients bearer IOUs while holding on to bitcoins. I doubt this will make a difference. Their Cashus are redeemable only back at the issuer. So may add the unlicensed securities issuance offense.
reply
Sure, but by that logic they're already custodians and money transmitters. They can't be any worse off operating as a Cashu mint.
reply
Unless cashus will be labeled securities one day.
reply
deleted by author
reply
Meme saved for later use
reply
the best part about this is all the haters don't have to use it. people have freedom to do what they want with their own money
reply
This. Except I wouldn't say "haters" personally, just folks making their own decision. Plus, it's OK to change ones mind too along the journey.
reply
If you're running your own node with Lightning there is little reason to use something like Cashu since it's custodial.
I would much rather use Phoenix than Cashu.
reply
For spending I would much rather use Cashu, because I don't want my transaction history stored in some company database
reply
10 sats \ 2 replies \ @kevin 14 May
If you don't like Phoenix then use something else that doesn't route to an LSP. Many options exist: Blixt, Zeus come to mind.
You need to understand the tradeoff that you're making here - in Cashu (and other ecash solutions) the mint can take your money at any point and run away with it. With Phoenix you expose information about your transactions to a third party. Would you rather have your money or your perfect privacy?
reply
For everyday spending, I'd much prefer perfect privacy, given the very low risk of a rug.
Agreed on your point that users need to understand the tradeoffs though.
Also, not every user can (or will be able to) afford the on-chain fees necessary to open a lightning channel.
Nicely put. Someone in economics said, "There are no wins and losses, only tradeoffs."
reply
I use cashu all the time to help give other people anonymity. The more people who use it the better.
Also a good reason to regularly use the anon reply feature!
reply
I'm really not sure why this concept is so hard to grasp
reply
Cashu privacy is way better than using Phoenix
reply
Yes, but it is custodial and the mint can run away with your money at any time. Would you rather have your money or your "perfect" privacy?
reply
If you have some friends using your node as a custodian node, you're better off with cashu. If you are providing custodial services on lightning, you're better off with cashu. Clearly not every LN node will be a mint because economically it makes no sense. But there are use cases
reply
I understand and that's certainly your call. I've never used Phoenix, but I know it's a great wallet and totally self-custody. Some folks might find Cashu worthwhile in instances. Choices are nice to have, right?!
reply
10 sats \ 0 replies \ @kevin 14 May
Choices are great, but it's important that people understand that Cashu (and Fedi) is custodial. That means you do not have control over your money.

The mint can run away with your money at any time.

I feel like this risk is very often understated. It should be front and center. Not mentioned in a footnote.
Literally any non-custodial solution (Phoenix, Blixt, Mutiny, Zeus, etc.) is better if you can afford to do it, at the moment setting up a lightning channel is not that expensive.
reply
The big risk of eCash is the mint can debase everyone silently (ie. every time someone buys in for 100 sats, they mint 105 sats and send 5 sats to themselves).
Its very difficult to detect this.
Here is a chart I made that roughly ranks the risk profile of the various BTC offerings.
Least RiskGreatest Risk
BTCLNArk/MercuryLiquidFedimintseCashBitcoin Bank/CEX
reply
118 sats \ 3 replies \ @cascdr 13 May
I'd argue eCash beats the Bitcoin Bank/CEX in some ways.
If some anon eCash person rugs you, wtf you gonna do?
At least there is the Proof of Violence algorithm the legal system can impose on Bitcoin Banks if they piss enough people off. I don't know if we've seen a big eCash rug yet but if we did I bet you the person doing it would have the sense to stay anon.
reply
Yes, the "anonymous mint" aspect of eCash is both its strength and weakness.
This is also whats behind the series of reasoning that I think bolsters Liquid:
  • Individual mints can rug you
  • Therefore Fedimints are better, since you can distribute power and judge reputations
  • Liquid is already an existing Federation of known pro-Bitcoin companies that has been operating for 6 years without any claims of censorship / rugging.
reply
If some anon eCash person rugs you, wtf you gonna do?
Precisely why Cashu is for small amounts
reply
500 sats \ 0 replies \ @anon 14 May
I keep ~500,000sats in cashu, because I can afford to lose that. And me keeping that amount helps make an anonymity pool for all cashu users, as funds they spend could have come from the sats I keep deposited.
reply
The big risk is them taking your money, not debasing it.
reply
Fedimints issue ecash as well. You're using ecash in this chart when you mean Cashu.
reply
Yes, Cashu is just a "marketing name" for Chaumian eCash
reply
Did not know this, thanks for the info. My first thoughts: (1) there's a tradeoff for everything (TINSTAAFL) and (2) I'm okay with services that add value making a profit. It's best if things are up front and clear though (as you suggest they're not right now).
reply
31 sats \ 1 reply \ @freetx 13 May
(2) I'm okay with services that add value making a profit.
At the current time, proponents of eCash are somehow thinking very altruistically and they sort think people are going to run mints for free for friends / family. I'm doubtful if it works out like that.
Regardless, the simple way to protect yourself from debasement is to "dip in / dip out" of eCash....that is don't hold it for more than a few days....it should just be a "transactional currency" and not something you hold. This way any secret debasement will not affect you during that short period.
reply
Yes. Cashu the “Monero killer”.
reply
Wow, we have created fractional banking but cryptographically! They will be real angry!
Can cashu from one mint be redemeemed for bitcoin in another mint? If yes, anonymous scammers will flood the market with fake unbacked cashus. If not, cushus are non-fungible and the rugpull risk is huge. When I get paid with one, how do I know which mint to go to? What if I can't or don't want to deal with them? I will never accept cashus as payment, they are shitcoins.
Proper non-custodial lightning is already anonymous, decentralized and fungible. A node is not that hard to set up, or anyone can use liquid instead, such as Aqua wallet.
reply
I would suggest trying out cashu.me, Minibits, or Enuts. You'll find answers to your questions by using the protocol.
reply
I went, the only mint at cashu.me is https://www.whois.com/whois/8333.space
Will I send them lightning sats? No.
reply
reply
still, anonymous sites with anonymous ratings. no, thanks, do it without me.
reply
reply
Anon spends zero seconds understanding a thing and gets angry. The literal mascot of our times.
reply
In my bio I have a link to a public node of the same name and 4 btc capacity, I understand more than an average bitcoiner. Did you, actual anon, read the disclaimer at the source, since you spent over 0 seconds? https://github.com/cashubtc/nutshell
Here it is:
Disclaimer: The author is NOT a cryptographer and this work has not been reviewed. This means that there is very likely a fatal flaw somewhere. Cashu is still experimental and not production-ready.
99% sure the answer to your first question is yes. Picking mints does require trust, like trusting your local bank will be open tomorrow. Don't want to deal with them, then don't. If someone gave you a nice sized ecash tip, you could ignore it. No harm. Or you could tap redeem and receive the sats. In that sense, you're not really using ecash so much as just accepting says.
Either way, it's fine to not use ecash. We each do our thing as we choose.
reply
I just tested, no. Cashus include the mint url inside them. So you force the receiver of the coins to trust the mint that issued them.
The https://testnut.cashu.space mint issued me coins WITHOUT waiting for the lighting payment (not even with testnet bitcoin). So there is nothing in the protocol that forces the mint to lock up any real sats. Cashus are fiat by definition, worthless unless redeemed.
reply
The receiving wallet can swap the token from the sender's mint to a token from the receiver's mint trustlessly via LN, with all the complexity hidden from the user.
reply
I've been reading and thinking about it. You are the receiving wallet, you try to swap, but the original mint does not respond. Now what? You display an error to the client and reject his cashu coins? Does he have a recourse to the guy who sent him these coins?
reply
This would mean you never received the payment.
reply
So it is not really a bearer asset. It is rather a key to access your bitcoin at a custodial mint. If you give this key to another person he must immediately exchange for his own key or reject the payment. Accepting a lightning payment right away is better UX.
reply
Kinda. It is a bearer asset in that if you lose the token you lose the (claim to the) money.
Accepting a LN payment right away requires online access and interactivity. If you have that then you also can settle the e-cash payment immediately.
Tap redeem where? I need to connect the wallet to a mint beforehand? All mints honor unsolicited redemptions? As I said, they will quickly run out of real bitcoin due to scams. This is a nonsense idea.
"99% sure” does not cut it if you are the one pitching this to others.
reply
"Tap redeem..." not sure exactly and it likely depends on a few factors: which ecash wallet, which nostr client if used, but I did it yesterday. Someone sent me a generous tip, it appeared on Amethyst as a message, I tapped redeem, the sats immediately appeared in my Alby wallet (yes, I know, Alby is custodial too...things likely can to be set up to go to whatever wallet is preferred). I'm not sure the mechanics on your question about unsolicited redemptions? My guess is that the mints trust the Cashu token is truly backed by sats. By "trust" I mean that the mint knows that the cryptography behind the protocol ensures that any ecash token is legit, therefore it's accepted.
I can appreciate your skepticism...that's the bitcoin way and it's healthy. I think most of us are still learning, I certainly am. Maybe someone out there can help me out on the question of whether mint B will redeem a Cashu token from mint A and get me from 99% sure to 100%.
reply
This says it all:
Disclaimer: The author is NOT a cryptographer and this work has not been reviewed. This means that there is very likely a fatal flaw somewhere. Cashu is still experimental and not production-ready.
reply
Awesome write up! How does double spending work? If I have a token, what stops me from giving it to two people?
reply
The double spending is solved by the presence of a central server. Once you send the token to someone, that someone shall query the mint to understand if the token has been already spent or not. If so, then the token is invalid. If the token is not present in the mint database of spent coins, then the token is valid, the mint collects the token and returns to you a new token of the same value.
Actually a "token" is a bunch of tokens, like $100 in cash can be made up by some banknotes. A cashu ecash token can be of value 2^n, thus 1, 2, 4, 8, 16, ....
reply
Ah okay, thanks for the explanation 😊
reply
The cryptography behind cashu is fascinating, and the protocol seems not too hard to understand. Here's a very good non-technical article: https://bitcoinmagazine.com/culture/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dream
Please note that you don't have to use lightning as gateway, you could also use stripe, PayPal etc.
reply
31 sats \ 0 replies \ @tolot 13 May
Please note that you don't have to use lightning as gateway, you could also use stripe, PayPal etc
This is true indeed. A project called GNU Taler is already in place to use ecash (a variant that is less privacy oriented) with classical financial institutions. I can see some major tech issues (other then the obvious other issues related to the more "idealistic" views on privacy):
  1. LN is a protocol and the "glue" between mints, thus the intra-mint transfers go as smooth as oil. The financial system does not have this kind of standards for small amounts, moreover minting and melting of tokens with LN can be done in seconds and does not need burocracy or other guarantees, which is good because if I mint a barer token to a user and I dunno the users at all, how can I reverse the financial payment that generated the minting of tokens in case of a fraud? With LN there is no such a problem: if the invoice is payed it means that the payer had the cryptographical right to sign that transaction, so we are fine with the immediate minting of ecash
  2. LN can execute multi path payments, meaning that if I have 100 sats with mint A and 50 with mint B, I can send 130 sats on the LN to a mint (or user) C simply by requesting a MPP from mint A and B at the same time. This is not possible with the classical financial tools at all, so for fiat ecash every user would be limited to spend at maximum the biggest amount of ecash that he/she has with the same mint.
  3. Because of the willingness to keep AML procedures in place (and to be able to extract taxes) ecash proposals with fiat all have one thing in common: privacy is not actually in place. For example, in GNU Taler the receiver does not have privacy and this """"feature"""" has been implemented to enable tax monitoring and AML. This means that the transaction cannot happen offline, leading to a HUGE limit in terms of technology. May be an implementation issue with GNU Taler and not a general problem, but I highly doubt that governments would allow a perfect privacy-oriented ecash system without even blinking an eye.
reply
Great write-up and equally keen to continue playing with this as it evolves and see where it goes. Certainly the pace of development and change is astounding.
I value the privacy and the interoperability and that it requires no L1 softfork of any kind.
The three key points I'm thinking about at the moment with eCash:
  1. Unilateral exit: Redeem-ability .. at any point you choose, you can send all your eCash to any lightning invoice, node, address you control. Super important feature, and imo, one which places eCash as a Layer 3 and not some type of quasi-L2 (sorry @PeteFedi we're going to agree to disagree on this point). So this means you're never a hostage .. except that ..
  2. Fast RugRisk - mints by definition are custodial As with lightning, you can run your own mint, or mitigate the risk of a rug-pull by concurrently using multiple mints. But typically you'll be trusting someone else who is operating a mint. The concurrent use of multiple mints is a different way of achieving a similar risk mitigation that Fedi achieves by having a quorum of custodians for each mint. Bottom line though is that the mint operator can just take the underlying bitcoin and shut the mint at any point. That's the big fast rugpull .. whereas the other rugpull is the ..
  3. Slow RugRisk The mint operator could fork the open source code and start slowly debasing the eCash that's initially 1:1 matched by sats. There are a few proposals about how this could be checked (comparing sats held in the mint vs eCash tokens issued) .. but at it's core this is probably an unsolvable risk, prima facie
Potential mitigations Part of the way to mitigate these risks, to varying extents, is to consider operating mints with a defined lifespan, and in the absence of action, to provide an address/invoice/eCash mint where your eCash is redeemed on shutdown. This forces the mint operator to deliver on the tokens issued, and validates for all users, that the sats are (were) there. A final fail-fallback in that circumstance (eg: provided LN URL no longer exists) could be to send to bitcoin charitable entities like OpenSats, Brink, HRF etc
reply
You must be a scammer who has a vested interest to shill this shit. Here are the steps you would do:
  1. Create a forked mint that will accept real lightning sats but issue cashus from a fake wallet (MINT_BACKEND_BOLT11_SAT=FakeWallet).
  2. Gain reputation and post fake reviews for some time, redeeming your own fake cashus for real lighting sats.
  3. Rug pull when the accumulated balance gets high enough.
reply
Cashu might have lot of use cases but so does LN. Do we really require it? That's what we need to figure out first.
reply
I thought cashu would be good for sites like stacker news, exchange platforms and maybe bitcoin mixers, but I think it's actually bigger than that. Mints being able to prove that their reserves match or exceed liabilities is kind of a game changer for a universal, completely private, yet federated, interchangeable, unlinkable mintbuck denominated in sats with constant solvency proofs and automated bank runs to ensure as little damage as possible from any bad actors.
reply