pull down to refresh

Chaumian E-Cash on Bitcoin: Banks in Cyberspace or Regulatory Capture?

Cashu is an open protocol enabling users to take advantage of Chaumian e-cash on top of Bitcoin.
What is Cashu and what are its benefits and trade-offs?

Remember: It's an IOU, Not Real Bitcoin!

Cashu transactions are instant and free, and they add a lot of privacy to Bitcoin (and Lightning) transactions.
They can also be transacted offline!
However, BTC "minted" with Cashu are custodial IOUs, and are therefore generally only suitable for small value, short duration transactions, NOT for saving purposes!
So if you're allergic to custodians, this thread may contain NUTS (pun intended!)

Open-Source Protocol Inspired by Chaumian E-cash

Cashu was created by a pseudonymous Bitcoin and Lightning Network developer @calle, and has been in active development since October 2022.
Calle took inspiration for Cashu from David Chaum's DigiCash Chaumian e-cash system, conceptualized already in the 1980s.

How Do Cashu "Mints" Work?

A "mint" means placing sats on a Lightning node that operates the mint.
In return, users get sat-denominated IOUs.
Users can then transfer those IOUs between each other without fees (if their IOUs are within the same mint).

"Bitcoin Banks"

You can think of Cashu mints as "Bitcoin banks" serving users who can't afford or don't want to pay any transaction fees when transacting with BTC as a medium of exchange.
Instead of financial markets, Cashu "banks" interact with the Bitcoin protocol.
Cashu mint operators custody the BTC sent to the mint all the time.
However, mint users can send and receive these e-cash IOU tokens ("nuts") without the mint operators' permission (between the mint users).

Digital Bearer Token

There are no accounts or account balances in Cashu.
Neither is any personal information required.
The e-cash tokens that users receive after depositing to a mint are digital bearer tokens that exist on the user's device!
E-cash tokens are files stored on your device.
When you want to send e-cash tokens, you will copy a string of characters (representing the tokens) on your wallet interface supporting the Cashu protocol, and then send that string of characters to the recipient.
The recipient will paste that string to receive the tokens.
The transaction is instant and without fees because it happened within the mint issuer's Lightning node.
The sender can also redeem the tokens to himself by pasting the string.
In a way, you can think of e-cash tokens as a check, money order, or as gift cards.

Privacy Through Blind Signatures

Cashu uses "blind signatures" to add privacy to transactions and to prevent double-spend.
Other users or the node operating the mint can't see users' e-cash balances or who they're transacting with.
Without going to cryptographic details, you can think of blind signatures this way:
You're voting in an election and writing the number of your chosen candidate on carbon paper and sealing the paper in an envelope.
After that, you bring the envelope to an election official who stamps it.
In the context of Chaumian e-cash, the stamped approval is the Chaumian mint approving that your e-cash is valid without knowing anything about the transaction (without knowing who you voted for!)
Tokens can't be double-spent because the file containing the tokens is destroyed cryptographically "at the mint" before new ones of equal value are issued by the mint to the recipient!

E-cash Is Always Custodial

E-cash is custodial because the mint always holds the BTC.
If there was no BTC backing them, the tokens would have no value.
You can think of it as the free banking system in the United States in the mid-1800s: banks issue their own paper notes that are backed by gold.

Interoperable with the Bitcoin Lightning Network

E-cash tokens can be exchanged between different mints using the Lightning Network.
Lightning is the connecting tissue that brings e-cash mints together, and gives their users access to the Bitcoin ecosystem.
Imagine the Bitcoin blockchain transactions as huge freight trains carrying a heavy load.
Now imagine the Lightning Network as trucks driving that cargo along the highway.
And to reach the last mile to the end consumers along rural country roads, couriers are using e-cash as a messaging layer for transactions.
Visa and Mastercard don't move money either.
They just act as messengers between banks.
Without Lightning, e-cash wouldn't have much use since you couldn't send between mints.
Many e-cash wallets available now support paying Lightning invoices from the e-cash "balance".
However, e-cash wallets are not Lightning wallets.
You deposit with Lightning, get e-cash, transact with e-cash privately within a mint, withdraw to Lightning etc.
Maybe in the future you can withdraw directly to on-chain too?
It's possible to swap between mints, but since more than one Lightning node is now involved, the transaction will inherit Lightning's privacy, not the privacy of the e-cash protocol.

Use Cases: Custodial Wallets, Paywalls, Reward Systems..

Anyone can create a mint, whether it's for a wallet, paid streaming service, web paywall, or a voucher or a reward system for a supermarket.
There is no reason why you should reveal your bank information and identity if you're reading a paywalled newspaper article (especially if it's a political article).
E-cash could be useful for people in countries with less developed banking infrastructure or where dissidents and political activists can't use digital money.
You could pay a VPN subscription with e-cash without revealing your identity.
Or maybe AI agents could make micropayments to each other with it!

Choose Your Mint Wisely!

Users can choose from different mints they want to join.
bitcoinmints.com has a list of mints with accompanying reviews.
Mints can rug pull users so it's important to choose a mint you can trust, or treat the sats you're minting as funds you're willing to lose.
Use it like a wallet in your pocket.
If you lose it in a bar with a few small bills inside, it's not a big deal!
There are plans to add a proof-of-liabilities scheme for e-cash mints to mitigate the rug pull threat.
Epochs of e-cash could expire, force "bank runs" and thus encourage auditability for the mints.

Considering Only Minting Sats You're OK to Lose!

The Cashu protocol is still in its early stages.
Funds can also be lost due to software bugs, so tread carefully!
If you delete your browser history, tokens will be lost unless you back them up.
It's advisable not to use a private browser (cache might get cleared).

Nostr as a Social Layer for E-cash

E-cash users can use Nostr as web of trust for mints.
You can e.g. choose mints that people you follow have interacted with.
This could eventually weed out malicious mints.
If you're unfamiliar with Nostr, check out my earlier introductory post with some resources: #558629
It's also possible to send e-cash via Nostr DMs!
For some reason during my testing I managed to send the tokens but didn't get the DM.
Maybe not all Nostr clients support the feature?

NUTs as the Protocol Spec

Cashu the protocol is governed by NUTs (Notation, Usage, and Terminology).
NUTs are protocol specs for the functioning of the protocol, similar to BIPs in Bitcoin, BOLTs in Lightning, or NIPs in Nostr.
NUTs from 1 to 7 are mandatory, and the rest are optional.
It's possible to add programmability to the Cashu protocol.
It enforces any scripting condition that the Bitcoin protocol allows.
Spending conditions, multisigs, timelocks, atomic swaps, HTLCs...

The Renaissance of E-cash

Bitcoin doesn't need e-cash, but e-cash needs Bitcoin.
E-cash was invented already in 1982 way before the birth of Bitcoin in 2008.
E-cash was waiting for Bitcoin to emerge and to operate as its foundational layer.
With Cashu, e-cash is witnessing a renaissance.
E-cash didn't take off with DigiCash in the 1990s, even though the company had made promising partnerships with major banks.
Microsoft was also interested in integrating e-cash with every sold copy of Windows 95, but the two companies couldn't reach a deal.
DigiCash eventually filed for bankruptcy in 1998, and e-commerce was taken over by credit cards.

Privacy Trade-off: Small Anonymity Sets

Besides the obvious custody trade-offs, there are also privacy trade-offs depending on the anonymity set of users.
Cashu uses fixed (power-of-2) token denominations to create a hide-in-a-crowd effect.
Cashu tokens come in denominations of 1,2,4,8,16, 32 etc.
Larger amounts could more easily be distinguishable from the crowd and thus erode privacy.
If there is only one token of specific denomination, it can always be linked backed to its creation.
Although e-cash payments within a mint give a large degree of privacy, a mint could identify a receiver getting paid out to Lightning via the mint.
Mints can also see users' IP addresses, access time and other metadata, so it's best practice to use Tor or VPN with Cashu.

Possible Regulatory Capture?

It's uncertain whether the anon set will be large enough for good privacy if large banks and exchanges stay away from becoming e-cash issuers.
But, if they will become issuers, concerns of centralized chokepoints and regulatory capture could increase.
An e-cash issuer could slowly collect a large amount of sats to its mint, and then through regulatory pressure or not, start performing KYC of its users and telling them that withdrawal to Lightning is not possible without account verification.
Could Cashu be used for a CBDC-system interoperable with Bitcoin?
There is a window for a compliant use of e-cash.
The European Central Bank, Bank for International Settlement, and Swiss National bank have shown interest in using e-cash technology in their CBDC designs.
The United States Congress also has an e-cash act proposal in the works.
Is this their way to fight Bitcoin? By flooding the network with government-controlled IOU tokens?
Just like what happened with gold (the IOU became money)?
In any case, e-cash is an interesting experiment to make the custodial Bitcoin Lightning experience easier and more private.
With Cashu wallets, you don't even need an email... just start sending and receiving sats!
But remember not to get caught in the IOU trap!
Some wallets you can use to get started with deez nuts!
What's your opinion on Cashu?
Is it a good privacy and scaling improvement for Bitcoin?
Thank you for reading this far!
Here's 210 Cashu sats for you (if you're the first one reading this!)

Additional Resources

Great write up! If you don't mind, I'm going to add it to my ecash resources page.
reply
Sure, thanks. Awesome page! Didn't know about it during my research.
reply
Beautiful resource page.👌
The menu is hard to read btw.
reply
Thanks for the heads up. I've been meaning to change that up a bit.
reply
No prob. 🤙
reply
I don't understand what this is about, why would I want to use ecash in a mint where someone else has to guard my funds, assuming that the person who tells me that they can't be hacked or become dishonest and take the funds is honest. We have bitcoin onchain, if we don't want to pay a lot of commission we use Lightning; but always in a self-custodial manner. That principle must prevail in bitcoin.
reply
Nobody is forcing you to use e-cash. You can always use Bitcoin or Lightning in a self-sovereign way. Maybe you can become the "honest banker" for others then with a Lightning node.
However, there will always be Bitcoin users (especially when Bitcoin becomes more popular) who would rather give custody of their sats to someone else, no matter how smooth the self-custody tools will be.
reply
E cash sounds like a solution in search of a problem at least partially
reply
How many sats do you trust the SN wallet to hold before sending it to your lightning node?
reply
Good point.
SN zaps are a bit like e-cash.
Maybe if they really were e-cash, it could solve some possible future regulatory issues related to holding users’ funds.
reply
103 sats \ 11 replies \ @k00b 17 Sep
It doesn't solve regulatory problems. It merely obfuscates them. Someone has to custody the bitcoin and we can't.
Ecash makes usage of these "banks" private. It doesn't solve custodial regulations.
reply
Hey Koob,
Should the SN wallet be a cashu wallet with NWC?
I know you've put a huge amount of time and thought into the wallet, and I'm half retarded so you'll need to excuse some of my ignorance.
Shouldn't all these bitcoin apps with wallets just be e-cash wallets. Especially with that unified nostr wallet thing. Wouldn't it be a step in the right direction as far as interoperability, privacy and security tradeoffs.
Speak some sense into me koob. I'm sure I'm missing something, just not sure what it is. Probably me being to trusting or misunderstanding some aspect of the tech.
reply
72 sats \ 8 replies \ @k00b 17 Sep
Who holds the bitcoin, wildhustle? That’s the problem that Cashu doesn’t magically solve. Someone has to hold the bitcoin and we can’t.
We can build an ecash note storage system into SN (it’d be another kind of attached wallet), and we plan to add it as an option, but stackers would have to choose and trust a Cashu custodian.
reply
Should you guys just remove the wallet entirely and use NWC? Sucks for new users but at least they aren't trusting a custodian with their corn.
reply
10 sats \ 1 reply \ @k00b 17 Sep
That’s what the attached wallets are.
Apologies Koob, feels like I'm being slightly difficult. Hectic morning.
reply
Ah, you guys dont want to be responsible for holding anyone's corn.
If my e-cash balance is saved on multiple relays, and SN gives me the option to use the NIP 60 wallet. Would it still be considered as SN holding corn?
And I dont mind putting 1k sats in products that I use on a daily basis, if it gives me some sort of value or benefit.
But i guess as SN scales it would be better to move completely away from anything that might be considered custody. Do you think all bitcoin apps should aspire to the same?
reply
10 sats \ 0 replies \ @k00b 17 Sep
Other businesses should do what suites their customers and risk tolerance. Serving US customers as a custodian requires millions of dollars of licenses and kycing customers.
I don’t think KYC and social should be mixed. And I don’t think KYC is moral, period.
We won't always have self-custodial solutions, simply because it's not feasible in all cases, just like you say you can put 1k in something that might give you benefits. A good wallet should pursue self-custody for the sake of its users; but for example I don't think SN needs something like that, it's enough that it provides more ways to withdraw funds.
Obfuscation is a pseudo solution
reply
sir, SN cowboy credits is the Bitcoin L3 😂😂😂😂
reply
But no unilateral exit!
reply
reply
e-cash works directly on Bitcoin layer 1?
reply
deleted by author
reply
It’s all about utxos. E-cash is just a tool for those who want to use trust. If you don’t trust the mint don’t use it or use how ever much you are comfortable losing .
reply
If you think this is cool. I mint a fresh nut 🌰 in the saloon every day
reply
The infamous saloon nut dropper
reply
Nut job
reply
What can I say I love to nut 🌰
reply
Great write-up! You emphasized from the get-go that Cashu represents custodial IOUs and is not the same as "real" Bitcoin. This is a critical distinction, and by stating it upfront, you manage expectations about how and when users should rely on the tech.
reply
Thanks! Yes, I think it’s important especially for newbies to make these things clear.
reply
in conclusion i believe the interplay between Chaumian e-cash and Bitcoin raises questions about the future of banking and regulation in a digital world. Balancing privacy, innovation, and compliance will be crucial in shaping this landscape
reply