Fedimint vs Cashu: Bitcoin Ecash Implementation Comparison

Fedimint vs Cashu Overview

Fedimint and Cashu are the two leading ecash implementations for Bitcoin. Both use blind signatures to give users strong transaction privacy, but they differ fundamentally in architecture: Fedimint distributes custody across a federation of guardians, while Cashu runs on a single-operator mint that anyone can deploy in minutes. This comparison breaks down the technical tradeoffs between the two protocols across custody, privacy, Lightning integration, backup mechanisms, and real-world deployments.

For background on the cryptographic foundations shared by both protocols, see our research on Chaumian ecash mints on Bitcoin and the dedicated Fedimint federated ecash deep dive.

Technical Comparison

The following table summarizes the core architectural differences between Fedimint and Cashu. Both protocols issue ecash tokens backed by Bitcoin, but they make different design choices at nearly every layer.

Architecture and Custody

The most significant difference between Fedimint and Cashu is the custody model. Both are custodial systems where users deposit Bitcoin and receive ecash tokens in return, but how custody is structured determines the risk profile.

Fedimint: Federated Custody

Fedimint distributes custody across a group of guardians who collectively manage funds using threshold signatures. Guardians run the AlephBFT consensus protocol, an asynchronous Byzantine fault-tolerant algorithm that requires no leader election and no synchronized clocks. A federation of 3m+1 guardians can tolerate m Byzantine (malicious or offline) nodes: a 4-guardian federation survives 1 fault, a 7-guardian federation survives 2, and so on.

Each guardian node runs three parallel components: an API server for client requests, the AlephBFT protocol for inter-guardian communication, and a consensus processing engine that applies agreed-upon transactions. Bitcoin deposits are held in a federated multisig wallet. No single guardian can unilaterally access or move funds. The signing layer uses threshold BLS signatures on the BLS12-381 curve: during federation setup, a distributed key generation ceremony produces key shares for each guardian, and partial signatures are combined via Lagrange interpolation without any single guardian ever holding the full private key.

Cashu: Single-Operator Mints

Cashu mints are operated by a single entity. The operator controls the signing keys, the Lightning node, and the Bitcoin backing the issued tokens. This makes deployment trivial: a Cashu mint can run on a single VPS with minimal configuration. The tradeoff is that users must fully trust the mint operator not to steal deposits or selectively deny redemptions. If the mint goes offline or the operator disappears, there is no fallback mechanism for recovering deposited Bitcoin.

This simplicity is also Cashu's strength. The project envisions an ecosystem of many small mints running locally, all interconnected over the Lightning Network, rather than a few large centralized services. Users can freely choose which mints to interact with, and wallets support connecting to multiple mints simultaneously. The protocol intentionally avoids federation complexity: different mints are independent and do not coordinate with each other.

Privacy Properties

Both protocols provide strong transaction privacy through blind signatures, a cryptographic technique invented by David Chaum in 1982. When a user deposits Bitcoin and receives ecash tokens, the mint signs the tokens without seeing their content. Later, when the tokens are redeemed, the mint can verify its own signature but cannot link the redemption back to the original deposit. This breaks the transaction graph entirely within the mint.

Fedimint uses threshold BLS blind signatures on the BLS12-381 curve, where the blinding operation is distributed across guardians. Each guardian produces a partial blind signature using their key share, and these are combined into a full signature. No single guardian sees the unblinded token. Cashu uses Blind Diffie-Hellman Key Exchange (BDHKE) on the secp256k1 curve, a variant of Chaumian blinding originally described by David Wagner in a 1996 cypherpunk mailing list post. In BDHKE, the wallet computes Y = hash_to_curve(secret), blinds it as B_ = Y + rG, and sends the blinded point to the mint. The mint signs with its private key (C_ = kB_), and the wallet unblinds to obtain C = kY: a valid token the mint cannot correlate to the original request.

Both systems also support DLEQ (Discrete Logarithm Equality) proofs, which let wallets verify that the mint signed tokens correctly without trusting the mint's honesty. In Cashu, this is specified as NUT-12 and enables offline token verification between users. Fedimint includes DLEQ verification as part of its threshold signing protocol.

For a broader view of Bitcoin privacy techniques, see our Bitcoin privacy tools comparison.

Lightning Network Integration

Both Fedimint and Cashu integrate with the Lightning Network to enable payments beyond the mint's internal ecash system. The integration approaches reflect each protocol's architectural philosophy.

Fedimint uses a dedicated Lightning gateway daemon. In earlier versions, this required running both a Lightning node and the gateway software separately. As of v0.6, the gateway consolidates into a single daemon (gatewayd) that can service multiple federations simultaneously. The LNv2 module, stabilized in v0.5, handles the mechanics of converting ecash to Lightning payments and vice versa. Gateway operators earn routing fees for bridging between the federation and the broader Lightning Network.

Cashu mints connect to Lightning through a node operated by the mint itself. Minting (NUT-04) works through a two-phase flow: the wallet requests a quote, the mint returns a Lightning invoice, the user pays it, and the wallet submits blinded messages to receive signed tokens. Melting (NUT-05) reverses this: the wallet submits ecash proofs and a Lightning invoice, and the mint burns the proofs and pays the invoice. If the actual Lightning routing fee is less than the quoted fee reserve, the difference is returned as new ecash tokens (NUT-08). This is simpler than Fedimint's gateway model but concentrates the Lightning routing role in the same single operator who controls custody.

Backup and Recovery

Ecash tokens are bearer instruments: whoever holds the token data can spend it. Losing access to your tokens means losing your funds. Both protocols have developed backup mechanisms, though with different approaches.

Fedimint Backup

Fedimint offers two recovery paths. Users can back up their wallet using a standard seed phrase (12 or 24 words), which allows deterministic regeneration of ecash secrets. Additionally, the Fedi app supports encrypted backups stored with the federation guardians themselves. If a user loses their device, a quorum of guardians can assist with recovery. This social recovery model works well for community-oriented deployments where guardians and users know each other. Fedimint's v0.6 release added a mnemonic setup screen for gateway operators, replacing the previous auto-generation flow.

Cashu Backup (NUT-13)

Cashu implements deterministic secret derivation via NUT-13. Wallets derive ecash secrets from a BIP-39 mnemonic using key derivation paths. For each token, the wallet increments a counter and derives both the secret and the blinding factor deterministically. During recovery, the wallet regenerates these blinded messages and queries the mint's restore endpoint (NUT-09) to retrieve the corresponding blind signatures. Recovery proceeds in batches of 100 tokens, stopping after three consecutive empty batches indicate no more tokens exist. This lets users recover their full balance from a 12-word seed phrase, provided the mint is still operational.

The limitation: recovery depends on the mint being online and cooperative. If the mint disappears, neither the seed phrase nor any other mechanism can recover the deposited Bitcoin. Cashu also supports NUT-27, which enables encrypted backup of mint configuration to Nostr relays.

Protocol Specifications

The two projects take different approaches to protocol standardization.

Cashu defines its protocol through 30 NUTs (Notation, Usage, and Terminology specifications), of which 7 are mandatory and 23 are optional. Each NUT covers a discrete feature. Key NUTs include:

• NUT-00: Cryptographic primitives (BDHKE), data models, and token serialization
• NUT-01/02: Mint public key exchange and keyset management
• NUT-03: Token swapping (splitting and merging denominations)
• NUT-04/05: Minting and melting (deposit and withdrawal via Lightning)
• NUT-07: Token state checks (spent/unspent verification)
• NUT-11: Pay-to-Pubkey (P2PK) conditional spending with Schnorr signatures
• NUT-12: DLEQ proofs for mint honesty verification and offline token transfer
• NUT-13: Deterministic secrets for seed-based backup and recovery
• NUT-14: Hash Time-Locked Contracts for atomic swaps
• NUT-18: Payment requests (HTTP and Nostr compatible)
• NUT-21/22: Clear and blind mint authentication
• NUT-23/25/30: Payment methods for BOLT11, BOLT12, and on-chain Bitcoin

Fedimint uses a modular architecture where functionality is organized into consensus modules (wallet, mint, Lightning). The protocol is defined through its Rust implementation and technical documentation rather than a numbered specification system. Custom modules can be added to extend federation functionality beyond core ecash operations, and the Fedi platform uses this extensibility for "Fedi Mods": mini-apps that run within the federation context.

Token Format and Interoperability

Cashu tokens are serialized as compact strings designed for easy transfer. The current V4 format uses a cashuB prefix followed by CBOR-encoded binary data (base64url-encoded), replacing the older V3 cashuA format that used JSON encoding. V4 tokens are roughly 40% smaller than V3. Each token contains the mint URL, a unit identifier, and an array of proofs, where each proof includes an amount, keyset ID, secret, and the unblinded signature point. Tokens use power-of-2 denominations: representing 13 sats requires three separate proofs (8 + 4 + 1). Tokens are portable via copy-paste, messaging apps, QR codes, or even NFC, but are only valid at the specific mint that issued them.

Fedimint ecash notes use a custom consensus encoding (binary serialization) and are primarily designed for use within the Fedimint client ecosystem rather than standalone transfer. Like Cashu, they use power-of-2 denominations denominated in millisatoshis.

Cross-mint or cross-federation transfers in either protocol require routing through the Lightning Network: the sender redeems ecash for a Lightning payment at one mint, and the recipient deposits the incoming payment at another. The process takes a few seconds but incurs Lightning routing fees.

Real-World Deployments

Fedimint's deployment model targets communities that can coordinate multiple guardians. The Fedi app introduced G-bot, a chatbot interface that helps new federation creators find trusted anonymous guardians and set up a mint with minimal technical knowledge. Fedimint federations have been piloted in community banking contexts similar to Bitcoin Beach in El Salvador, where a local group collectively manages Bitcoin holdings for its members. Recent releases added Iroh networking for running federations on home servers without public IP addresses, and v0.7 introduced LNURL support for recurring Lightning payments.

Cashu's ecosystem is more fragmented by design. Multiple independent mint implementations exist across different programming languages, and several wallet projects compete on features. Nutshell, the reference Python implementation, shipped version 0.20.0 in early 2026 with improved P2PK and HTLC validation. The Cashu Development Kit (CDK) provides Rust-based mint and wallet libraries with mobile support through CDK Swift and CDK Kotlin, enabling native iOS and Android wallet development. Additional integrations include a BTCPayServer plugin and Nostr-based payment flows.

The Privacy-Custody Tradeoff

Both Fedimint and Cashu require users to give up self-custody of their Bitcoin in exchange for privacy. This is the fundamental tradeoff of all ecash systems: the mint holds your Bitcoin, and you hold bearer tokens that are unlinkable to your identity. If the mint (or federation) is compromised, exits, or loses funds, users have no on-chain recourse.

Fedimint mitigates this risk through distribution: stealing funds requires compromising a threshold of guardians, not just one operator. Cashu accepts the risk in exchange for simplicity and permissionless deployment. A malicious Cashu mint operator can rug-pull (drain all reserves), inflate the supply by issuing unbacked tokens, or selectively refuse redemptions. However, due to blind signatures, even a malicious mint cannot link deposit and redemption events or track individual user balances. Both protocols are best understood as tools for specific privacy needs, not as general-purpose Bitcoin custody solutions.

Protocols like Spark take a different approach to this tradeoff entirely. As a Bitcoin Layer 2 built on FROST threshold signing, Spark provides self-custodial ownership where users retain control of their keys while still gaining privacy benefits and instant, low-cost transfers. This avoids the custodial requirement of ecash systems while maintaining many of the same UX advantages.

When to Use Which

The right choice depends on your trust model, community structure, and deployment requirements:

• Fedimint is better suited for established communities, organizations, or platform providers who can coordinate 4+ trusted guardians and want stronger custodial guarantees through distributed trust
• Cashu is better suited for individual operators, small friend groups, or developers who want a lightweight ecash system that can be deployed quickly and iterated on freely
• For use cases where self-custody is non-negotiable, neither ecash protocol is appropriate: consider self-custodial Layer 2 solutions that preserve user key ownership

Frequently Asked Questions

Is ecash on Bitcoin the same as Chaumian ecash?

Both Fedimint and Cashu implement variants of David Chaum's 1982 blind signature scheme, so they are correctly described as Chaumian ecash. The key adaptation is that they use Bitcoin (and Lightning) as the settlement layer rather than traditional banking rails. Users deposit Bitcoin into a mint and receive blinded ecash tokens in return, with the same unlinkability properties Chaum originally proposed. Cashu specifically uses David Wagner's 1996 elliptic curve variant (BDHKE) rather than Chaum's original RSA-based construction.

Can a Cashu mint operator steal user funds?

Yes. A Cashu mint operator has full control over the deposited Bitcoin. The operator could refuse redemptions, shut down the mint, or drain the reserves. They can also silently inflate the ecash supply by issuing unbacked tokens, which is undetectable by users without a proof-of- liabilities mechanism. Users should only deposit amounts they are comfortable losing and should choose mint operators they trust. Fedimint reduces this risk by requiring a threshold of guardians to collude before funds can be stolen.

How does Fedimint prevent guardian collusion?

Fedimint's Byzantine fault tolerance means that compromising funds requires corrupting more than one-third of guardians. For a 7-guardian federation, at least 3 would need to collude. The protocol does not prevent collusion cryptographically: it relies on the social assumption that guardians are selected from independent, trusted community members who are unlikely to coordinate an attack. The more diverse and geographically distributed the guardian set, the stronger this assumption.

Can I transfer ecash tokens between different mints?

Not directly. Ecash tokens are only valid at the mint (or federation) that issued them. To move value between mints, users redeem tokens at the source mint via a Lightning payment and then deposit into the destination mint by paying a Lightning invoice. Both Fedimint and Cashu support this flow through their Lightning integrations. The process takes a few seconds but incurs Lightning routing fees.

Which ecash protocol has better privacy?

Privacy within the mint is equivalent: both use blind signatures that make transactions unlinkable. The privacy difference lies in the trust model. In Cashu, the single operator sees all deposit and withdrawal requests (though not which tokens correspond to which deposit). In Fedimint, this information is distributed across guardians, and no single guardian has a complete view. For interactions outside the mint (Lightning payments), both protocols inherit the privacy properties of the Lightning Network itself. See also our Lightning Network privacy analysis.

Are ecash mints legal?

The legal status of ecash mints varies by jurisdiction and is still evolving. Because mints hold user funds and issue bearer instruments, they may be classified as money services businesses or money transmitters in some jurisdictions. Operators should seek legal counsel before running a mint that serves the public. Community mints serving known members in a closed group may face different regulatory considerations than public-facing mints.

How do ecash systems compare to self-custodial Bitcoin wallets?

Ecash systems trade self-custody for privacy and UX. In a self-custodial wallet, you control your keys but your transactions are visible on the blockchain. In an ecash mint, you give up key control but gain unlinkable transactions within the mint. For users who want both self-custody and privacy, solutions like Spark offer a middle ground: self-custodial ownership with built-in privacy features, without requiring trust in a mint operator.

This tool is for informational purposes only and does not constitute financial advice. Data is approximate and based on publicly available information as of mid-2026. Protocol specifications and features change frequently. Always verify current documentation before making decisions.