I like your articles, thanks! I am trying to understand the first part now - Ecash.
I am missing at least one feature that puzzles me. The Z = Q - rM. How can anybody proof that the Q (or Z) comes from the Mint? Also, I am missing the undeniability that this token comes from the particular Mint. Is this a part of the trust layer here?
(When briefly skimming over the paper Blind signatures for untracable payments from D. Chaum, I found the property "anybody can check that signature was formed using signer's private key".)
Disclaimer: I haven't actually read Chaum's original paper yet. My knowledge is derived from reading the cashu specs (called 'NUTs'). So I can't speak to Chaum's original design.
In Cashu though, the proof Z is not verifiable by anyone but the mint itself. In order to prove a token was indeed issued by the mint, either:
  • the recipient of Z must ask the mint to swap the ecash out, thus verifying its authenticity in the process
  • the mint must supply some extra information to allow offline verification of Z. See NUT-12 for that.
reply