eCash (Chaumian eCash)

What Is eCash?

eCash is a digital cash system that uses blind signatures to enable private, untraceable payments. Invented by cryptographer David Chaum in his 1983 paper "Blind Signatures for Untraceable Payments," eCash allows a central issuer (called a mint) to sign digital tokens without knowing their contents. The result: the mint can verify that a token is legitimate when it is spent, but cannot determine who originally received it.

Chaum founded DigiCash in 1990 to commercialize the technology, and the first electronic eCash payment was sent in 1994 during a pilot program. DigiCash filed for bankruptcy in 1998, but the cryptographic foundations it established became a cornerstone of digital privacy research. Today, eCash is experiencing a resurgence through Bitcoin-native implementations that combine Chaum's privacy model with Bitcoin's monetary properties.

How It Works

The core mechanism behind eCash is the blind signature: a cryptographic technique that lets one party sign a message without seeing its contents. Think of it like signing a document through carbon paper inside a sealed envelope. The signer's signature transfers through, but they never see what they signed.

The Blind Signature Process

An eCash transaction follows four steps:

1. The user generates a unique token (a random secret) and applies a blinding factor to it, producing a "blinded" version that hides the original value
2. The user sends the blinded token to the mint, which signs it without seeing the underlying secret. The mint deducts the corresponding amount from the user's balance
3. The user removes the blinding factor from the signed token (unblinds it), revealing a valid mint signature on the original secret
4. When spending, the user presents the unblinded token to the mint. The mint verifies its signature and checks that the token's serial number has not been spent before

Because the mint signed the blinded version, it cannot correlate the signed token it sees during redemption with the blinded token it signed during issuance. This unlinkability is what gives eCash its privacy properties.

Token Denominations

Rather than issuing a single token for an arbitrary amount, eCash systems use fixed denominations. In Cashu, tokens are issued in powers of two (1, 2, 4, 8, 16, 32, and so on). A payment of 13 sats would consist of three tokens: one 8-sat token, one 4-sat token, and one 1-sat token. This denomination structure is necessary because the mint's signing keys are tied to specific values.

// Simplified eCash token structure (Cashu NUT-00)
{
  "token": [{
    "mint": "https://mint.example.com",
    "proofs": [
      {
        "amount": 8,
        "id": "009a1f293253e41e",
        "secret": "407915bc212be61a77e...",
        "C": "02bc9097997d81afb2cc7346..."
      },
      {
        "amount": 4,
        "id": "009a1f293253e41e",
        "secret": "fe15109314e61d7756b...",
        "C": "029e8e5050b890a7d6c04b..."
      },
      {
        "amount": 1,
        "id": "009a1f293253e41e",
        "secret": "d341ee4b8f37d9402e4...",
        "C": "02a9acc1e48c25eeeb9289..."
      }
    ]
  }]
}

DLEQ Proofs

A key security feature in modern eCash is the Discrete Log Equality (DLEQ) proof, specified in Cashu's NUT-12. DLEQ proofs allow wallets to verify that the mint used the correct private key when signing a token, without the mint learning which specific token is being verified. This prevents a malicious mint from issuing tokens signed with a different key that only it could detect, which would break unlinkability.

Modern Implementations on Bitcoin

Two major projects have brought Chaumian eCash to Bitcoin, each with a different trust model and architecture.

Cashu

Cashu is an open-source Chaumian eCash protocol created by the pseudonymous developer "calle." It uses a Blind Diffie-Hellman Key Exchange (BDHKE) scheme, designed by David Wagner, for its blind signature implementation. Users deposit Bitcoin via Lightning and receive eCash tokens in return. To withdraw, users "melt" tokens back into a Lightning payment.

The protocol is account-less: the mint does not know how many users it serves, what their balances are, or who transacts with whom. The specification is defined through NUTs (Notation, Usage, and Terminology), currently covering NUT-00 through NUT-22. These specs define everything from the core cryptographic model and minting operations to spending conditions, pay-to-public-key locking, and DLEQ proofs.

Cashu wallets include the browser-based Cashu.me (with NFC tap-to-pay and multi-mint support), the Cashu Development Kit (CDK) with mobile bindings for iOS and Android, and several community-built wallets. The project is funded by OpenSats and has seen adoption in the Nostr ecosystem for privacy-preserving payments.

Fedimint

Fedimint takes a different approach by distributing mint custody across a federation of "guardians" using threshold signatures. Instead of a single mint operator, a Fedimint federation might require 3-of-4 guardians to agree on operations. The system uses AlephBFT, an asynchronous Byzantine fault-tolerant consensus protocol, for guardian coordination.

The federation model follows the 3m+1 formula for Byzantine fault tolerance: a federation of 4 guardians can tolerate 1 malicious actor. This significantly reduces single-point-of-failure risk compared to a solo Cashu mint. Fedimint is natively interoperable with the Lightning Network, and the commercial implementation Fedi targets communities, cooperatives, and NGOs who want to run their own federated banking infrastructure.

Privacy Properties

eCash provides a specific and well-defined set of privacy guarantees, distinct from other Bitcoin privacy techniques like CoinJoin:

• Sender privacy (strong): the mint cannot link who funded a token to who spent it. Blind signatures make issuance and redemption cryptographically unlinkable
• Receiver privacy (weaker): when receiving payments through the mint via Lightning, the mint can potentially identify the recipient and could censor incoming payments
• Amount privacy (limited): because tokens use power-of-2 denominations, large or unusual amounts have smaller anonymity sets. A 1-sat token blends with many others, but a 65,536-sat token is far rarer
• Off-mint transfers (strong): tokens can be transferred peer-to-peer without involving the mint at all. The mint only sees tokens when they are minted or redeemed

For a broader look at how eCash fits into the Bitcoin privacy landscape, see the deep dive on Bitcoin privacy in 2026.

Why It Matters

eCash addresses a fundamental tension in digital payments: the need for privacy without sacrificing verifiability. Traditional digital payment systems create permanent records of every transaction. Physical cash provides privacy but cannot work digitally without a mechanism to prevent double-spending. Blind signatures solve this by letting the mint enforce uniqueness (each token can only be spent once) without learning who spent it.

When built on Bitcoin and Lightning, eCash inherits Bitcoin's monetary policy (fixed supply, no inflation at the protocol level) while adding a privacy layer that Bitcoin's base chain does not provide. This makes it particularly useful for everyday transactions where full on-chain transparency is neither necessary nor desirable. Layer 2 solutions like Spark can complement eCash by providing the underlying payment infrastructure that mints connect to for deposits and withdrawals.

Use Cases

• Private everyday payments: users can transact within a mint without creating a public record, similar to spending physical cash but in digital form
• Community banking: Fedimint federations allow communities, cooperatives, or friend groups to run their own private banking infrastructure backed by Bitcoin
• Tipping and micropayments: eCash tokens can be embedded in messages, sent over Nostr, or transferred via QR codes for small, casual payments where on-chain fees would be prohibitive
• Privacy-preserving Lightning access: users who want Lightning functionality without revealing their transaction patterns to a single Lightning service provider can use a mint as an intermediary
• Offline transfers: since eCash tokens are bearer instruments (whoever holds the token owns the value), they can be transferred in environments with limited connectivity. The double- spend check only happens when the token is finally redeemed at the mint

Risks and Considerations

Custodial Trust

The mint holds all deposited funds. Unlike self-custodial Bitcoin wallets, eCash users must trust that the mint has not issued more tokens than it has backing for. A malicious or compromised mint could perform a fractional reserve: issuing unbacked eCash tokens that appear valid until too many users try to redeem at once. There is no on-chain mechanism to audit a mint's reserves in real time.

Mint Availability

If a Cashu mint goes offline permanently, all tokens issued by that mint become worthless. Users can mitigate this by spreading funds across multiple mints, but this introduces complexity. Fedimint reduces this risk through its federated model: the system continues operating as long as a threshold of guardians remains online.

Regulatory Uncertainty

eCash mints operate in a legally ambiguous space. Depending on jurisdiction, running a mint could be classified as operating a money transmitter or e-money issuer. The privacy features, while valuable for users, may attract regulatory scrutiny. Operators should understand local compliance requirements before running a mint.

Anonymity Set Limitations

Privacy in eCash depends on the anonymity set: how many other users hold tokens of the same denomination from the same mint. A small mint with few users provides weaker privacy than a large mint with thousands of active users. High-denomination tokens always have smaller anonymity sets because fewer users hold them.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.