• Lightning has a privacy problem
• What ecash actually is
• How the tokens work
• The trust model you’re accepting
• What Lightning reveals vs what Cashu hides
• NIP-61: nutzaps on Nostr
• The ecosystem right now
• What Cashu doesn’t solve
• Use it for what it’s good at

§Lightning has a privacy problem

The #lightning Network made #bitcoin usable for payments. Fast settlement, low fees, no waiting for block confirmations. For moving sats from point A to point B, it works. But it was designed for speed, not for hiding who’s paying whom.

The channel graph is public. Every node, every channel, every capacity is visible to anyone running a Lightning node or checking a network explorer. When you route a payment, every intermediate hop sees the HTLC value and the timing. They don’t see the full path, but they see their slice of it. A well-positioned routing node that handles enough traffic can start correlating senders and receivers through timing analysis.

If you’re using a custodial Lightning wallet — and most people are — the privacy picture is worse. The provider sees every payment you send and receive, the amounts, the timestamps, the counterparties. They know your balance. They could share this data if compelled or if their database leaks.

This is the gap that #cashu fills. Not by fixing Lightning, but by adding a layer on top of it where privacy is the default instead of an afterthought.

§What ecash actually is

In 1982, David Chaum published a paper describing blind signatures — a cryptographic scheme where a signer can sign a message without seeing its content. He realized this could be used to build digital cash. A bank could issue signed tokens without knowing which tokens it signed for which customer. When the tokens came back for redemption, the bank could verify its own signature but had no way to link the token to the original issuance.

This is the core idea. The mint signs something it cannot see. Later, when that signed thing comes back, the mint can confirm it’s genuine but has no record of when or to whom it was issued. Unlinkability between minting and spending is built into the math, not enforced by policy.

Cashu implements this using Wagner’s variant of Chaumian blinding, adapted for Bitcoin. The protocol was created by Calle (callebtc) and first released in 2022. It uses Lightning as the rails for depositing and withdrawing sats, with ecash tokens as the private layer in between.

§How the tokens work

You send sats to a Cashu mint via a Lightning invoice. The mint issues ecash tokens in return. These tokens live on your device — your phone, your laptop, wherever your wallet runs. They are bearer instruments. Whoever holds the token data can spend it, like physical cash.

When you want to pay someone, you hand them tokens. They redeem the tokens at the mint, which checks its signature, marks them as spent (to prevent double-spending), and issues new tokens or settles the value over Lightning. The whole cycle can happen without the mint knowing who you are, what your balance is, or who you’re paying.

The blind signature means the mint sees two separate events: someone deposited sats and got tokens, and later someone redeemed tokens. It cannot connect the two. Even if the mint operator wanted to track you, the cryptography doesn’t give them the data to do it.

Tokens are denominated in powers of two. A 21 sat payment might be represented as tokens worth 16 + 4 + 1. This prevents the mint from identifying transactions by their exact amounts, since the same denominations appear in many different transactions.

§The trust model you’re accepting

Here’s the part you have to sit with: Cashu mints are custodial. When you deposit sats and receive ecash, the mint holds your #bitcoin. The tokens on your device are IOUs backed by the mint’s reserves. If the mint operator disappears, your tokens are worthless.

Two failure modes exist. A fast rug-pull, where the operator drains the Bitcoin reserves in a single transaction and vanishes. And a slow rug-pull, where the operator gradually issues more tokens than the reserves back, inflating the supply until redemption requests exceed what’s available.

There’s no on-chain mechanism to prevent either scenario. A proof-of-liabilities scheme is under development, where mints periodically publish lists of all issued and redeemed tokens so users can verify solvency. But it’s not deployed as a standard yet, and it has its own tradeoff: contesting a fraudulent proof requires revealing a DLEQ proof that breaks your token’s unlinkability. You sacrifice privacy to prove the mint is lying.

The practical mitigation is straightforward: don’t keep large amounts on a mint. Treat ecash the way you’d treat cash in your pocket. Enough for daily spending, not your savings. Use mints operated by people you trust or that have a reputation in the community. Spread across multiple mints if you’re concerned about any single one.

This is a real tradeoff, not a theoretical one. It’s the price of the privacy guarantees. Lightning without a custodial wallet gives you self-custody but leaks metadata. Cashu gives you privacy but requires trusting a mint. Pick the tradeoff that matches your situation.

§What Lightning reveals vs what Cashu hides

It helps to compare the two side by side.

With Lightning, the channel graph is public knowledge. Routing nodes can see payment HTLCs passing through. On-chain observers can see channel opens and closes, which reveals the UTXOs involved. A custodial provider has full visibility into every transaction. Timing analysis across the network can correlate payments even without seeing the full route.

With Cashu, there’s no routing. A token transfer is between a wallet and a mint, or peer-to-peer between two wallets. No channel graph to analyze. No multi-hop path to correlate. The mint sees deposits and redemptions but can’t link them to each other thanks to blind signatures. It doesn’t know your balance, because tokens live on your device. It doesn’t know who you paid, because the recipient redeems independently.

The gap is real. Lightning gives you fast payments with moderate #privacy against outside observers but minimal privacy from your own infrastructure providers. Cashu gives you strong privacy from the mint itself, at the cost of trusting it with your funds.

§NIP-61: nutzaps on Nostr

If you’ve read my article on what happens when you zap someone, you know that regular NIP-57 zaps route through the recipient’s LNURL server. That server generates the invoice, receives the payment, signs the zap receipt, and publishes it to relays. You trust it for the entire chain. If the server lies about the payment, there’s no proof to contradict it.

NIP-61 nutzaps replace that trust model with ecash. The payment is the receipt. No intermediary signs anything on your behalf.

Here’s how it works. The recipient publishes a Kind 10019 event listing three things: which Cashu mints they trust, which relays they want nutzaps delivered to, and a P2PK public key for locking tokens. This P2PK key is separate from their #nostr identity key — a dedicated key used only for Cashu operations, which prevents correlation between nutzaps and their broader Nostr activity.

When you nutzap someone, your client reads their Kind 10019, mints a Cashu token at one of their trusted mints, and locks that token to their P2PK public key using Cashu’s P2PK scheme (NUT-11). Then it publishes a Kind 9321 event containing the locked token proofs.

The recipient’s client picks up the Kind 9321 event, extracts the token, and redeems it at the mint. Only the holder of the matching P2PK private key can unlock and spend the token. The mint verifies the signature and issues fresh tokens.

The key difference from zaps: there’s no LNURL server in the middle deciding whether to create a receipt. The Cashu token on the relay is the proof of payment. Anyone can verify the token is real by checking the DLEQ proof. No server needs to be honest about what happened.

The tradeoff is that both sender and recipient need to trust at least one common mint. If you only trust Mint A and the recipient only trusts Mint B, nutzaps won’t work between you. Client support is growing but still limited compared to regular zaps.

§The ecosystem right now

Cashu wallets have matured considerably. Minibits runs on both Android and iOS (TestFlight), with support for offline payments and multi-mint management. eNuts provides a clean mobile experience on both platforms. Cashu.me and Nutstash are web-based options. Nutstash added multi-mint payments in 2025, where a single Lightning invoice can be paid from tokens across several mints.

On the developer side, the Cashu Development Kit (CDK) released Swift and Kotlin bindings in 2025. This means wallet developers can build native mobile apps with Cashu support without reimplementing the protocol from scratch. eNuts is rebuilding on CDK, and new wallets like Macadamia and Sovran shipped native iOS versions using these bindings.

The protocol itself keeps evolving. NUT-19 added cached requests and responses so wallets can safely retry failed operations. NUT-20 added signatures on mint quotes to prevent token hijacking. Binary token serialization, introduced in 2025, reduced token sizes by roughly a third, which matters for QR codes and token strings passed through messaging apps.

The ecosystem has also had its growing pains. In October 2025, a critical denial-of-service vulnerability was found in the Nutshell reference implementation and patched within three days. In July 2025, a NUT-13 seed vulnerability affected most major wallets including Minibits, Cashu.me, and Nutstash. Both were handled through coordinated disclosure, but they demonstrate that protocol-level bugs can ripple across the entire ecosystem when most wallets share the same core libraries.

§What Cashu doesn’t solve

Blind signatures hide your transactions from the mint. They don’t hide your IP address. Without Tor or a VPN, the mint can see your network address on every request. If you deposit sats via Lightning and immediately mint tokens, the mint can correlate the deposit with the minting request even though the signatures are blind — because the timing matches and the IP is the same.

The mint also sees incoming Lightning payments. When you deposit, the mint knows a Lightning invoice was paid for a certain amount. It can’t link that to specific tokens later, but it knows someone deposited. If only one person deposits 5000 sats at 3:14 AM, the anonymity set is thin.

Regulatory pressure on mint operators is an open question. Running a Cashu mint looks a lot like operating a money transmitter in many jurisdictions. No major regulatory action has happened yet, but the possibility shapes how operators think about running public mints.

Cashu is not a replacement for Lightning. It’s a complementary layer. Lightning is for moving sats quickly across the network. Cashu is for moving sats privately within a trust relationship with a mint. The two work together — Lightning is the rail that connects Cashu mints to the broader #bitcoin economy.

§Use it for what it’s good at

Cashu gives you something Lightning can’t: real transaction #privacy at the protocol level. Not privacy-by-policy, where you hope your provider doesn’t log. Privacy-by-cryptography, where the mint literally cannot link your deposit to your spending.

The cost is trusting a mint with your funds. That’s a real cost. But for small amounts — daily spending, tips, nutzaps on Nostr — the tradeoff is reasonable. You’re not storing your life savings. You’re carrying pocket cash that happens to be private.

If you’re on Nostr, set up NIP-61 nutzaps. Pick one or two mints you trust, publish your Kind 10019, and start accepting ecash payments that don’t route through anyone’s LNURL server. The setup is five minutes. The privacy improvement is structural.

Keep your Lightning wallet for larger payments and self-custodial holdings. Use Cashu for the transactions where privacy matters more than custody guarantees. And don’t keep more on a mint than you’d carry in your wallet on the street.

#nostr #bitcoin #lightning #privacy #cashu