Disclaimer: I haven't actually read Chaum's original paper yet. My knowledge is derived from reading the cashu specs [(called 'NUTs')](https://github.com/cashubtc/nuts). So I can't speak to Chaum's original design.

In Cashu though, the proof `Z` is *not verifiable* by anyone but the mint itself. In order to prove a token was indeed issued by the mint, either:

- the recipient of `Z` must ask the mint to swap the ecash out, thus verifying its authenticity in the process
- the mint must supply some extra information to allow offline verification of `Z`. See [NUT-12](https://github.com/cashubtc/nuts/blob/main/12.md) for that. 

conduition

bitcoin

Discreet Log Contracts settled with Chaumian ECash

I like your articles, thanks! I am trying to understand the first part now - Ecash.

I am missing at least one feature that puzzles me. The Z = Q - rM. How can anybody proof that the Q (or Z) comes from the Mint? Also, I am missing the undeniability that this token comes from the particular Mint. Is this a part of the trust layer here?

(When briefly skimming over the paper Blind signatures for untracable payments from D. Chaum, I found the property "anybody can check that signature was formed using signer's private key".)
