The Cashu Protocol

Cashu is an ecash protocol built for Bitcoin. It is an open protocol which means that everyone can write their own software to interact with other Cashu apps. Applications that follow the specifications will be compatible with the rest of the ecosystem.


Cashu NUTs (Notation, Usage, and Terminology) specify the Cashu protocol and can be found here.


The Blind Diffie-Hellmann Key Exchange (BDHKE) is the basic cryptographic scheme used in the Cashu protocol to sign and redeem ecash tokens. There are three actors in this model:

  • Sending user: Alice
  • Receiving user: Carol
  • Mint: Bob

Bob (mint)

  • k private key of mint (one for each amount)
  • K public key of mint
  • Q promise (blinded signature)

Alice (user)

  • x random string (secret message), corresponds to point Y on curve
  • r private key (blinding factor)
  • T blinded message
  • Z proof (unblinded signature)

Blind Diffie-Hellmann key exchange (BDHKE)

  • Mint Bob publishes public key K = kG
  • Alice picks secret x and computes Y = hash_to_curve(x)
  • Alice sends to Bob: B_ = Y + rG with r being a random blindind factor (blinding)
  • Bob sends back to Alice blinded key: C_ = kB_ (these two steps are the DH key exchange) (signing)
  • Alice can calculate the unblinded key as C_ - rK = kY + krG - krG = kY = C (unblinding)
  • Alice can take the pair (x, C) as a token and can send it to Carol.
  • Carol can send (x, C) to Bob who then checks that k*hash_to_curve(x) == C (verification), and if so treats it as a valid spend of a token, adding x to the list of spent secrets.