The Cashu Protocol

Cashu is an open source ecash protocol built for Bitcoin. It is an open protocol which means that everyone can write their own software to interact with other Cashu apps. Applications that follow the specifications will be compatible with the rest of the ecosystem.


The Blind Diffie-Hellmann Key Exchange (BDHKE) is the basic cryptographic scheme used in the Cashu protocol to sign and redeem ecash tokens. There are three actors in this model:

  • Sending user: Alice
  • Receiving user: Carol
  • Mint: Bob

Bob (mint)

  • k private key of mint (one for each amount)
  • K public key of mint
  • Q promise (blinded signature)

Alice (user)

  • x random string (secret message), corresponds to point Y on curve
  • r private key (blinding factor)
  • T blinded message
  • Z proof (unblinded signature)

Blind Diffie-Hellmann key exchange (BDHKE)

  • Mint Bob publishes public key K = kG
  • Alice picks secret x and computes Y = hash_to_curve(x)
  • Alice sends to Bob: B_ = Y + rG with r being a random blindind factor (blinding)
  • Bob sends back to Alice blinded key: C_ = kB_ (these two steps are the DH key exchange) (signing)
  • Alice can calculate the unblinded key as C_ - rK = kY + krG - krG = kY = C (unblinding)
  • Alice can take the pair (x, C) as a token and can send it to Carol.
  • Carol can send (x, C) to Bob who then checks that k*hash_to_curve(x) == C (verification), and if so treats it as a valid spend of a token, adding x to the list of spent secrets.


Cashu NUTs (Notation, Usage, and Terminology) specify parts of the Cashu protocol. They can be found here.

Wallet specs

A description of the steps of the protocol is given in the Cashu wallet specs.