Chaumian E-Cash on Bitcoin: Banks in Cyberspace or Regulatory Capture?
Cashu is an open protocol enabling users to take advantage of Chaumian e-cash on top of Bitcoin.
What is Cashu and what are its benefits and trade-offs?
Remember: It's an IOU, Not Real Bitcoin!
Cashu transactions are instant and free, and they add a lot of privacy to Bitcoin (and Lightning) transactions.
They can also be transacted offline!
However, BTC "minted" with Cashu are custodial IOUs, and are therefore generally only suitable for small value, short duration transactions, NOT for saving purposes!
So if you're allergic to custodians, this thread may contain NUTS (pun intended!)
Open-Source Protocol Inspired by Chaumian E-cash
Cashu was created by a pseudonymous Bitcoin and Lightning Network developer @calle, and has been in active development since October 2022.
Calle took inspiration for Cashu from David Chaum's DigiCash Chaumian e-cash system, conceptualized already in the 1980s.
How Do Cashu "Mints" Work?
A "mint" means placing sats on a Lightning node that operates the mint.
In return, users get sat-denominated IOUs.
Users can then transfer those IOUs between each other without fees (if their IOUs are within the same mint).
"Bitcoin Banks"
You can think of Cashu mints as "Bitcoin banks" serving users who can't afford or don't want to pay any transaction fees when transacting with BTC as a medium of exchange.
Instead of financial markets, Cashu "banks" interact with the Bitcoin protocol.
Cashu mint operators custody the BTC sent to the mint all the time.
However, mint users can send and receive these e-cash IOU tokens ("nuts") without the mint operators' permission (between the mint users).
Digital Bearer Token
There are no accounts or account balances in Cashu.
Neither is any personal information required.
The e-cash tokens that users receive after depositing to a mint are digital bearer tokens that exist on the user's device!
E-cash tokens are files stored on your device.
When you want to send e-cash tokens, you will copy a string of characters (representing the tokens) on your wallet interface supporting the Cashu protocol, and then send that string of characters to the recipient.
The recipient will paste that string to receive the tokens.
The transaction is instant and without fees because it happened within the mint issuer's Lightning node.
The sender can also redeem the tokens to himself by pasting the string.
In a way, you can think of e-cash tokens as a check, money order, or as gift cards.
Privacy Through Blind Signatures
Cashu uses "blind signatures" to add privacy to transactions and to prevent double-spend.
Other users or the node operating the mint can't see users' e-cash balances or who they're transacting with.
Without going to cryptographic details, you can think of blind signatures this way:
You're voting in an election and writing the number of your chosen candidate on carbon paper and sealing the paper in an envelope.
After that, you bring the envelope to an election official who stamps it.
In the context of Chaumian e-cash, the stamped approval is the Chaumian mint approving that your e-cash is valid without knowing anything about the transaction (without knowing who you voted for!)
Tokens can't be double-spent because the file containing the tokens is destroyed cryptographically "at the mint" before new ones of equal value are issued by the mint to the recipient!
E-cash Is Always Custodial
E-cash is custodial because the mint always holds the BTC.
If there was no BTC backing them, the tokens would have no value.
You can think of it as the free banking system in the United States in the mid-1800s: banks issue their own paper notes that are backed by gold.
Interoperable with the Bitcoin Lightning Network
E-cash tokens can be exchanged between different mints using the Lightning Network.
Lightning is the connecting tissue that brings e-cash mints together, and gives their users access to the Bitcoin ecosystem.
Imagine the Bitcoin blockchain transactions as huge freight trains carrying a heavy load.
Now imagine the Lightning Network as trucks driving that cargo along the highway.
And to reach the last mile to the end consumers along rural country roads, couriers are using e-cash as a messaging layer for transactions.
Visa and Mastercard don't move money either.
They just act as messengers between banks.
Without Lightning, e-cash wouldn't have much use since you couldn't send between mints.
Many e-cash wallets available now support paying Lightning invoices from the e-cash "balance".
However, e-cash wallets are not Lightning wallets.
You deposit with Lightning, get e-cash, transact with e-cash privately within a mint, withdraw to Lightning etc.
Maybe in the future you can withdraw directly to on-chain too?
It's possible to swap between mints, but since more than one Lightning node is now involved, the transaction will inherit Lightning's privacy, not the privacy of the e-cash protocol.
Use Cases: Custodial Wallets, Paywalls, Reward Systems..
Anyone can create a mint, whether it's for a wallet, paid streaming service, web paywall, or a voucher or a reward system for a supermarket.
There is no reason why you should reveal your bank information and identity if you're reading a paywalled newspaper article (especially if it's a political article).
E-cash could be useful for people in countries with less developed banking infrastructure or where dissidents and political activists can't use digital money.
You could pay a VPN subscription with e-cash without revealing your identity.
Or maybe AI agents could make micropayments to each other with it!
Choose Your Mint Wisely!
Users can choose from different mints they want to join.
bitcoinmints.com has a list of mints with accompanying reviews.
Mints can rug pull users so it's important to choose a mint you can trust, or treat the sats you're minting as funds you're willing to lose.
Use it like a wallet in your pocket.
If you lose it in a bar with a few small bills inside, it's not a big deal!
There are plans to add a proof-of-liabilities scheme for e-cash mints to mitigate the rug pull threat.
Epochs of e-cash could expire, force "bank runs" and thus encourage auditability for the mints.
Considering Only Minting Sats You're OK to Lose!
The Cashu protocol is still in its early stages.
Funds can also be lost due to software bugs, so tread carefully!
If you delete your browser history, tokens will be lost unless you back them up.
It's advisable not to use a private browser (cache might get cleared).
Nostr as a Social Layer for E-cash
E-cash users can use Nostr as web of trust for mints.
You can e.g. choose mints that people you follow have interacted with.
This could eventually weed out malicious mints.
If you're unfamiliar with Nostr, check out my earlier introductory post with some resources: #558629
It's also possible to send e-cash via Nostr DMs!
For some reason during my testing I managed to send the tokens but didn't get the DM.
Maybe not all Nostr clients support the feature?
NUTs as the Protocol Spec
Cashu the protocol is governed by NUTs (Notation, Usage, and Terminology).
NUTs are protocol specs for the functioning of the protocol, similar to BIPs in Bitcoin, BOLTs in Lightning, or NIPs in Nostr.
NUTs from 1 to 7 are mandatory, and the rest are optional.
It's possible to add programmability to the Cashu protocol.
It enforces any scripting condition that the Bitcoin protocol allows.
Spending conditions, multisigs, timelocks, atomic swaps, HTLCs...
The Renaissance of E-cash
Bitcoin doesn't need e-cash, but e-cash needs Bitcoin.
E-cash was invented already in 1982 way before the birth of Bitcoin in 2008.
E-cash was waiting for Bitcoin to emerge and to operate as its foundational layer.
With Cashu, e-cash is witnessing a renaissance.
E-cash didn't take off with DigiCash in the 1990s, even though the company had made promising partnerships with major banks.
Microsoft was also interested in integrating e-cash with every sold copy of Windows 95, but the two companies couldn't reach a deal.
DigiCash eventually filed for bankruptcy in 1998, and e-commerce was taken over by credit cards.
Privacy Trade-off: Small Anonymity Sets
Besides the obvious custody trade-offs, there are also privacy trade-offs depending on the anonymity set of users.
Cashu uses fixed (power-of-2) token denominations to create a hide-in-a-crowd effect.
Cashu tokens come in denominations of 1,2,4,8,16, 32 etc.
Larger amounts could more easily be distinguishable from the crowd and thus erode privacy.
If there is only one token of specific denomination, it can always be linked backed to its creation.
Although e-cash payments within a mint give a large degree of privacy, a mint could identify a receiver getting paid out to Lightning via the mint.
Mints can also see users' IP addresses, access time and other metadata, so it's best practice to use Tor or VPN with Cashu.
Possible Regulatory Capture?
It's uncertain whether the anon set will be large enough for good privacy if large banks and exchanges stay away from becoming e-cash issuers.
But, if they will become issuers, concerns of centralized chokepoints and regulatory capture could increase.
An e-cash issuer could slowly collect a large amount of sats to its mint, and then through regulatory pressure or not, start performing KYC of its users and telling them that withdrawal to Lightning is not possible without account verification.
Could Cashu be used for a CBDC-system interoperable with Bitcoin?
There is a window for a compliant use of e-cash.
The European Central Bank, Bank for International Settlement, and Swiss National bank have shown interest in using e-cash technology in their CBDC designs.
The United States Congress also has an e-cash act proposal in the works.
Is this their way to fight Bitcoin? By flooding the network with government-controlled IOU tokens?
Just like what happened with gold (the IOU became money)?
In any case, e-cash is an interesting experiment to make the custodial Bitcoin Lightning experience easier and more private.
With Cashu wallets, you don't even need an email... just start sending and receiving sats!
But remember not to get caught in the IOU trap!
Some wallets you can use to get started with deez nuts!
What's your opinion on Cashu?
Is it a good privacy and scaling improvement for Bitcoin?
Thank you for reading this far!
Here's 210 Cashu sats for you (if you're the first one reading this!)
Additional Resources
"Cashu: Chaumian E-Cash protocol for Bitcoin", presentation by Cashu developer Calle at Baltic Honeybadger 2023 @calle
"Blinding custodians with Cashu - Calle - Adopting Bitcoin Day 1 - Galoy Stage", presentation by Cashu developer Calle at Adopting Bitcoin 2022" @calle
"Ecash Makes Bitcoin (And Fiat) Private With Calle’s Cashu", Bitcoin Magazine article by Frank Corvahttps://bitcoinmagazine.com/business/ecash-makes-bitcoin-and-fiat-private-with-calle-cashu