Cashu: Deterministic Secrets

Cashu wallet
Blinding factor: r
Secret: x

Cashu mint
Public Key: K
Private Key: k

1. Wallet: random secret x, random blinding factor r, hashToCurve(x) = Y
2. Wallet to mint, blinded message: B_ = Y + rG
3. Mint to wallet, blinded signature: C_ = kB_
4. Wallet, blindly signed ecash: C = C_ - rK
5. Ecash: {x, C}
6. Mint, verify: hashToCurve(x) = Y, kY == C

bip39 mnemonic:
security rifle eye add medal giant infant coffee balance involve naive hole

bip32 derivation (seed, counter):
m/129372'/0'/${kID}'/${counter}'/0
m/129372'/0'/${kID}'/${counter}'/1

Secret x and blinding factor r: bip32 derivation from the seed and a counter.
The rest of the flow is unchanged: B_ = Y + rG, C_ = kB_, C = C_ - rK, {x, C}, verify kY == C.

restore (Cashu wallet and Cashu mint)

1. bip39 mnemonic: security rifle eye add medal giant infant coffee balance involve naive hole
2. derive n blinded messages (r, x for each)
3. match blinded message to blinded signature, in one of the two ways below
4. match signatures with x, r
5. Check if spent (spent secrets)

send and match: return signatures if unspent.
Result: restored ecash, but doxxed our history to the mint.

download all and match: Check if spent is delayed and spread to avoid correlation.
Result: restored ecash without doxxing, but requires large payload download.
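
The restore flow above as a runnable sketch, added here as an example and not taken from the slides or from any Cashu implementation. It shows that a wallet which derives x and r from its seed and a counter can rebuild each B_, look it up in the mint's {B_: C_} records, and unblind to C = kY. Assumptions: derive() is an HMAC-SHA256 stand-in keyed on the slide's path string rather than a real bip32 derivation, /0 is taken as the secret and /1 as the blinding factor, the hash_to_curve encoding is simplified, and all function names are hypothetical.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def hash_to_curve(x, i=0):  # try-and-increment; this encoding is an assumption
    px = int.from_bytes(hashlib.sha256(x + bytes([i])).digest(), "big")
    y2 = (pow(px, 3, P) + 7) % P
    py = pow(y2, (P + 1) // 4, P)
    return (px, py) if px < P and py * py % P == y2 else hash_to_curve(x, i + 1)

def derive(seed, kid, counter):  # HMAC stand-in for the slide's bip32 paths
    path = f"m/129372'/0'/{kid}'/{counter}'/"
    x = hmac.new(seed, (path + "0").encode(), hashlib.sha256).hexdigest().encode()
    r = hmac.new(seed, (path + "1").encode(), hashlib.sha256).digest()
    return x, int.from_bytes(r, "big") % N

def blind(x, r):  # blinded message B_ = Y + rG
    return add(hash_to_curve(x), mul(r, G))

def restore(seed, kid, K, signed, spent, n):  # signed: the mint's {B_: C_} records
    proofs = []
    for counter in range(n):
        x, r = derive(seed, kid, counter)
        C_ = signed.get(blind(x, r))
        if C_ is not None and x not in spent:
            proofs.append((x, add(C_, mul(N - r, K))))  # C = C_ - rK
    return proofs

SEED = hashlib.pbkdf2_hmac("sha512", b"security rifle eye add medal giant infant "
                           b"coffee balance involve naive hole", b"mnemonic", 2048, 64)  # bip39 seed step
```

To try it, pick a toy mint key k, fill a dict with blind(x, r) mapped to mul(k, blind(x, r)) for a few counters, and call restore with K = mul(k, G). In the "send and match" variant the dict is whatever the mint returns for the B_ values it was sent, which is what links the wallet's history; in "download all and match" it is the full downloaded set.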