eCash for Better Bitcoin Privacy
I’ve heard a fair bit of discussion about Fedimint and eCash lately, but I only recently dove in to understand and try eCash using Cashu, which is one implementation of eCash on Bitcoin. If you only have time to read one paragraph, here’s the short version:
With Lightning, we can take sats “off-chain” into a Lightning channel. Users can route Lightning payments through a network of channels, and take their sats back “on-chain” at any time. Of course, the sats never really leave the chain, but the system works through some cryptographic sleight-of-hand. Lightning is fast, cheap, and secure. Privacy is better than normal Bitcoin transactions, but still not perfect. With eCash, users can withdraw their sats “offline” entirely. Once offline, they can be transferred any way you please. You could send them over email or SMS. You could print them out in a QR code and pass them along in person. The possibilities are endless. The recipient can deposit the sats back “online” as soon as they receive the eCash, and withdraw them directly into any Lightning wallet. There does not need to be any traceable connection between the two parties to a transaction, which means that privacy can be very robust. There is one catch, of course: after receipt of the eCash and before depositing them back “online” to the Lightning network, the recipient needs to trust a third party server, called a mint. For that reason, taking received eCash back online should be done before providing any goods or services in exchange.
In the rest of this post, I will explain all of these concepts in more detail, and provide a brief walkthrough if you want to try it out.
Chaumian eCash
Wikipedia has all of the basic info, as well as the original 1983 paper by David Chaum. For our purposes, it is important to know that eCash uses blind signatures to make payments totally untraceable. Chaum explains blind signatures by way of analogy to a secret ballot. Each voter fills out their ballot and places it in a plain, unmarked, carbon-copy envelope. They place that envelope in a mailing envelope, write their personal details (i.e. name and return address) on it, and send it off. The election authority verifies the voter information on the outer envelope. They then remove the unmarked carbon-copy inner envelope and sign it—without opening it—blindly transferring the signature to the ballot. The inner envelope is mailed back to the voter, who verifies that it was not opened. Finally, ballots may be collected anonymously on election day, opened, and displayed publicly. This somewhat roundabout process achieves the following goals:
The election authority knows that all ballots were cast by registered voters (by verifying the information on the outer envelope)
Voters know that the authority did not see their vote (it was returned in the original sealed envelope)
Voters know that their ballot was counted (all ballots are displayed publicly, and they could write some secret identifying mark on theirs)
Voters know that all ballots were verified by the election authority (by checking the blind signature on each ballot)
Chaum took this process and designed a simple cryptographic scheme that works in much the same way, resulting in blind digital signatures. This blind signature scheme is also used in Cashu’s implementation of eCash:
A user picks a secret (the secret ballot), and encrypts it (places it in the inner envelope).
They send this encrypted secret with some sats to an eCash issuer, called a mint (the election authority).
The mint takes the sats and puts them aside, then signs the encrypted secret (the blind signature) and sends the result back to the user.
The user combines the mint’s signature with their unencrypted initial secret (the ballot) to make a complete eCash token.
The token can then be passed around by any means and redeemed through the mint at any time. Since the token includes both the user’s initial secret and the mint’s own signature, the mint can use some cryptographic functions to verify that it previously received a deposit for the specified amount. This verification does not require or reveal any information about who the deposit came from or who is redeeming it. The mint is responsible for ensuring that a token is only redeemed once, so there is some trust involved.
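The four steps above and the mint's redemption check, carried through with Chaum's RSA blinding as an added example (not code from this post or from Cashu). The toy key, the `Mint` class and all function names are assumptions made for illustration, and the key is far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the mint


def h(secret: bytes) -> int:
    """Map the user's secret to a number modulo N."""
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % N


def blind(secret: bytes):
    """User: hide h(secret) behind a random factor r (the inner envelope)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return h(secret) * pow(r, E, N) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """User: strip r, leaving the mint's signature on h(secret)."""
    return blind_sig * pow(r, -1, N) % N


class Mint:
    def __init__(self):
        self.spent = set()  # secrets already redeemed

    def sign_blinded(self, blinded: int) -> int:
        """Called once the deposit is paid; the mint never sees the secret."""
        return pow(blinded, D, N)

    def redeem(self, secret: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(secret):
            return "invalid signature"
        if secret in self.spent:
            return "already spent"
        self.spent.add(secret)
        return "ok"


def demo() -> dict:
    mint, secret = Mint(), secrets.token_bytes(32)
    blinded, r = blind(secret)
    sig = unblind(mint.sign_blinded(blinded), r)
    return {"mint_saw_secret_hash": blinded == h(secret),
            "first": mint.redeem(secret, sig),
            "second": mint.redeem(secret, sig),
            "wrong_secret": mint.redeem(b"some other secret", sig)}
```

The mint sees only `blinded` at deposit and only `secret` plus `sig` at redemption; without `r` it cannot link the two. The `spent` set is the one place where the user has to trust the mint to behave.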
A short walkthrough of an eCash wallet will hopefully make all of this very clear.
eCash By Example
Start by opening Cashu wallet. Add the default mint shown by pressing the plus button:
Now deposit some sats with the mint. Press the “Create Invoice” button at the bottom. Make an invoice for 50 sats, and pay it from your Lightning wallet.
You can now create an eCash token using the mint’s blind signature. Press “Send eCash” and enter 25 sats, then make the token:
You will also see that your balance has dropped to 25 sats:
This token can be shared however you like. You can email it to someone, send it in a private message, an SMS, or convert it to a QR code and print it out. Whoever has this token can redeem it for 25 sats. Here’s the full token:
eyJwcm9vZnMiOlt7ImlkIjoiSTJ5TitpUllma3pUIiwiYW1vdW50IjoxLCJDIjoiMDJlN2Y5YWYzMzliNmJiNWZiMGZmNzVjZGY0MTAzZDIyNDc1NjMyZWMyMzYyNmJmOGNlNTg5ZjhiYjIyMWMwNzUxIiwic2VjcmV0IjoiZkE0MHVQQWQ5azVXZkFCUUJHTjdiM2ZiOFBvMGROSjBuNlAwUmhpbDV5TT0ifSx7ImlkIjoiSTJ5TitpUllma3pUIiwiYW1vdW50Ijo4LCJDIjoiMDM5MTQ5ZTg3N2Q3MzQ3YjliYzEwYTUyNGYyMmNhZmRhNjUwZWQ2NThjZTAzMWY4Zjg4MjQxODgyOTI4OWRjMWIyIiwic2VjcmV0IjoiaEs5c0FsaXpCYW5pakF2VU9pQTVOaG5yV3lIelBmbUJwM3AxNVFyUVJKTT0ifSx7ImlkIjoiSTJ5TitpUllma3pUIiwiYW1vdW50IjoxNiwiQyI6IjAzNTcwODRlNzRjOTBmYmQ1YzZiZWNmNDJmMjI1YWM4NTk3MWRjYmU4MDZjNmVjMDg1ZjYwMjkwZTYzYTMzYjVlMiIsInNlY3JldCI6InRQbkUzNEZzS3k2NFB5aW1OdGNkaTJSUXpJU044S0lmeEorc0dFbEwxVUU9In1dLCJtaW50cyI6W3sidXJsIjoiaHR0cHM6Ly84MzMzLnNwYWNlOjMzMzgiLCJpZHMiOlsiTDN6eHhSQi9JOHVFIiwiSTJ5TitpUllma3pUIl19XX0=
To redeem a token, press the “Get eCash” button and paste it in.
After that you will see that your balance goes back to 50 sats. You can try minting and depositing tokens in any denomination. When you’re done, you can bring the tokens back into your Lightning wallet. Simply press “Pay Invoice” and paste an invoice from your wallet. I could only pay 48 sats back, with 2 sats kept by the mint. (I’m not sure how exactly the fees work for this mint, but 2 sats appears to be the minimum fee for a Lightning transfer.)
Ideally, if you are using Cashu, you will want to run your own mint. If you receive a token from another mint, you can use the wallet’s “Multimint Swaps” feature to move sats between mints (or to your own mint) without withdrawing them to your Lightning wallet. First, add a second mint. I’m using https://legend.lnbits.com/cashu/api/v1/4gr9Xcmz3XEkUNwiBiQGoC, which is a mint hosted by another Cashu wallet developer, but let’s pretend it’s mine:
I’ve deposited another 50 sats to demonstrate. Now I can perform the swap. The swap happens over Lightning mint-to-mint, so don't forget the 2 sat minimum fee.
At this point, I can see that my sats are with the new mint:
And of course, I can now use that mint to make eCash tokens and send them out. If I swap into my own mint, then I don’t need to trust any third parties. Or, I can withdraw them back to my own Lightning wallet at any time.
Who Would Do This?
For now, at least, this is still experimental technology and should probably not be used with any significant amount of sats. But there are many reasons we might want to use it. First and foremost, by sending eCash tokens instead of doing Lightning transfers directly, transactions become almost entirely untraceable. The mint has no information about the payer or the payee, and the Lightning Network sees only transfers to and from the mint. For a large mint with many users, and with eCash tokens being minted in all different denominations, it would be difficult if not impossible to trace funds going into and out of the mint.
Beyond privacy, eCash could be an ideal way to transact in sats within a trusted community. For example, parents could run a family mint and provide the children with allowances in the form of eCash tokens. Small, tight-knit, or largely offline communities could do day-to-day business with eCash tokens, only going online when there was a need to send or receive sats from the outside. In fact, that is exactly the scenario that Fedimint has in mind, and they are working on a protocol for shared custody of mint funds to support this type of use case. Fedimint and Cashu are separate protocols, but the eCash concepts are very similar if not identical.
I’m sure there are many other scenarios we can think of where the trade-offs of the Cashu / eCash system would make sense. The only caveat we must keep in mind is that if the mint is not controlled by a known, trusted entity, tokens should be swapped to a trusted mint or redeemed into a Lightning wallet before providing any goods or services in exchange. However, since the redemption process is simple and straightforward, that should not be too much of a problem.
Bonus: eCash via Nostr
If you haven’t yet read my previous article on nostr, you might want to do that first. Another Cashu wallet called nutstash provides a very useful nostr integration. Nutstash offers very similar functionality to the lnbits wallet I used above in the demonstration. If you log in with a nostr browser extension like Alby, you will see an option to send eCash tokens directly to an npub:
The recipient will receive the token as a DM via nostr. If they also log in to nutstash using their nostr account, they will see the tokens appear in their wallet “inbox” automatically, ready for deposit or redemption.
Thanks for reading, and I hope you’ll take a few minutes to try out eCash to see what all the fuss is about. Next time you want to zap, try sending some eCash tokens and see what happens! If they don’t get redeemed, you can always take them back yourself.
Find me or zap me on nostr: maxmoney@nostrplebs.com.
Below are three eCash tokens for 100 sats each. Please don’t redeem more than one of them, so a few people will have a chance to get them. Good luck!
Token 1 (100 sats):
Token 2 (100 sats):
Token 3 (100 sats):