Ecash on Bitcoin is private, custodial digital cash. Using Chaumian blind signatures, a mint issues bearer tokens backed by Bitcoin and Lightning, but cannot see who holds them, how much any one person holds, or how tokens move between users — it never stores account balances or transaction history. Cashu is a protocol where anyone runs a single mint; Fedimint spreads that same role across a federation of M-of-N guardians so no one operator holds the funds alone. Both trade self-custody for strong payment privacy, instant settlement, and cheap small payments, which makes ecash a tool for spending money — not a replacement for self-custody of savings.
What is Chaumian ecash, and why is it private?
Ecash is an idea from cryptographer David Chaum in the 1980s, revived for the Bitcoin era. The mechanism is the blind signature. When you fund an ecash wallet, your software generates secret tokens and “blinds” them — cryptographically masks them — before handing them to the mint to sign. The mint signs the blinded tokens without ever seeing their real contents, the wallet then “unblinds” the signatures, and you are left with valid, spendable tokens the mint has never directly observed. This is sometimes called Blind Diffie-Hellman Key Exchange (BDHKE).
The privacy follows directly from the math. Because the mint signs blinded values, it cannot link the token it later sees redeemed to the moment it was issued. As the Cashu documentation puts it, “a mint does not store a database of user accounts and their activity,” which protects users from leaks or hacks and can provide stronger censorship resistance than account-based payment systems. There are no usernames, no balances on the server, and no ledger of who paid whom.
An ecash token is a bearer instrument, exactly like a physical banknote: whoever holds the token can spend it, transfers between users are instant and final, and there is no “reverse” button. That bearer nature is the source of both ecash’s best property (cash-like privacy and speed) and its sharpest risk (lose the token data and the value is gone, just like losing a wallet of cash). This is why ecash belongs in the spending layer of a sovereignty stack, alongside — not instead of — the self-custody you anchor with Bitcoin signing devices.
Cashu: single-mint ecash
Cashu is a free, open-source Chaumian ecash protocol built on Bitcoin. It has two moving parts: mints, which anyone can run, and wallets, the client apps that hold your tokens on your own device. Peer-to-peer transfers of Cashu tokens are instant and final, and payments between different mints route over the Lightning Network.
How a Cashu mint works: minting and melting
You get ecash into a Cashu wallet by paying a Lightning invoice to the mint, which then issues you tokens of equal value — this is minting. To exit, you do the reverse: the wallet hands tokens back to the mint, which pays out a Lightning invoice for you — this is melting. The mint holds the underlying bitcoin and Lightning liquidity; your tokens are claims against that reserve. Between minting and melting, tokens move privately and offline between users with no involvement from the mint at all.
The NUT specifications
Cashu is defined by a set of open specs called NUTs (Notation, Usage, and Terminology). The rule is simple: wallets and mints MUST implement the mandatory NUTs and CAN implement the optional ones, which keeps implementations interoperable while allowing room to experiment. A few load-bearing specs:
- NUT-00 — the cryptography and data models, including the blind-signature (BDHKE) scheme. Mandatory.
- NUT-04 — minting tokens by paying the mint over Lightning. Mandatory.
- NUT-05 — melting tokens back out to Lightning. Mandatory.
- NUT-11 — Pay-to-Public-Key (P2PK), locking a token so only a specific key can spend it. Optional.
- NUT-13 — deterministic secrets, so a wallet can be restored from a seed rather than relying solely on a token backup. Optional.
Cashu wallets and Nostr / NWC
Several independent wallets implement the protocol. Cashu.me is the reference web wallet; Nutstash is a feature-rich web wallet with multi-mint support and the ability to send and receive tokens over Nostr; Minibits is a mobile wallet that adds a Nostr-based identity and contacts; and eNuts is another mobile option. Because ecash payments ultimately settle in Lightning, Cashu wallets can plug into Nostr Wallet Connect (NWC, defined in NIP-47), letting a Nostr app trigger payments from your ecash wallet. Minibits supports remote wallet control over NWC, and bridge services such as NUTbits translate between a Cashu mint’s NUTs and the NWC interface. If you are new to that side of the stack, our Nostr Wallet Connect guide and the Nostr NIPs reference explain how NIP-47 wiring works.
The custodial trust model
Here is the honest part: a Cashu mint is custodial. The operator holds the bitcoin that backs your tokens, so you are trusting that one party to stay online, stay solvent, and honor redemptions. Privacy is excellent — the mint genuinely cannot profile you — but custody is concentrated in a single operator who could, in principle, vanish or refuse to pay out. The practical mitigation is to treat any single mint like cash in your pocket: keep only small, spendable amounts there, prefer mints run by people or communities you trust, and spread balances across more than one mint.
Fedimint: federated ecash
Fedimint keeps the same Chaumian-ecash privacy but removes the single-operator weak point. It is open-source federated e-cash for Bitcoin, where the mint is run not by one person but by a federation of guardians using a threshold (M-of-N) signature scheme — the ecash module uses threshold blind signatures, the federated cousin of the single-server blind signature.
Guardians and the federation
Guardians are the operators who collectively run the federation. Each one holds a single key in a shared multi-signature Bitcoin wallet, runs a Fedimint node next to their own Bitcoin node, and helps validate and process transactions. No single guardian holds enough key material to move funds alone. The federation tolerates faulty or offline guardians using Byzantine-fault-tolerant consensus, and the official guidance gives concrete numbers: a robust setup uses a minimum of 4 guardians (tolerating 1 fault), 7 guardians tolerate 2, and 10 tolerate 3 — roughly one more tolerated failure for every 3 guardians added, up to a maximum of 20 guardians (a limit tied to pre-Taproot Bitcoin multisig). This is what “community custody” means in practice: trust is distributed, so the federation keeps working even if some guardians fail or turn malicious.
The Lightning gateway and the Fedi app
A federation talks to the outside world through a Lightning gateway, a service that swaps between the federation’s internal ecash and ordinary Lightning payments so members can pay anyone on the wider network. You deposit bitcoin to receive privacy-preserving ecash notes, spend them instantly and privately inside the federation, and withdraw later over Lightning or on-chain. The Fedi app is the consumer-facing wallet most people use to join a federation, hold notes, and transact, while a developer SDK lets others build on top.
The federated trust model
Fedimint is still custodial — your bitcoin is held by the federation, not by you — but the trust is shared rather than singular. To rug or freeze members, a threshold of guardians would have to collude or fail at once, which is much harder than trusting one operator. The trade-off is added complexity and coordination, and the reality that a federation is only as trustworthy as the people who run it. Like Cashu, it is best understood as private, shared community money for everyday amounts.
Cashu vs Fedimint at a glance
| Dimension | Cashu | Fedimint |
|---|---|---|
| Trust model | Trust one mint operator | Trust a threshold (M-of-N) of guardians |
| Custody | Custodial: a single mint holds the backing bitcoin | Custodial: backing bitcoin held in a guardian multisig |
| Federation | None; mitigate by spreading across multiple mints | Yes; typically 4 to 20 guardians, tolerates faults |
| Privacy | Blind signatures; mint sees no balances or history | Threshold blind signatures; guardians see no balances or history |
| Lightning | Mint mints/melts directly over Lightning | A Lightning gateway bridges ecash to the network |
| Recovery | Bearer tokens; optional seed restore via NUT-13 | Notes recoverable from the federation; no single guardian can seize funds |
| Best-fit use | Lightweight tips, paywalls, small instant payments | Community banks and shared everyday balances |
Where ecash fits in a sovereignty stack
Ecash is the friendliest private-payments tool in the Bitcoin toolbox: instant, cheap for tiny amounts, hard to surveil, and easy enough for newcomers. But the privacy comes from handing your sats to a mint or a federation, so the cardinal rule is to never confuse spending money with saved money. Keep your long-term holdings in self-custody, verified on your own hardware, and treat ecash like the cash in your jacket — useful, private, and intentionally limited in size. Used that way, Cashu and Fedimint slot neatly beside the rest of a resilient setup: self-custody anchored by signing devices, censorship-resistant identity and messaging through Nostr and our NWC guide, off-grid connectivity via the Reticulum network, and a privacy-respecting phone as covered in our GrapheneOS and CalyxOS sovereignty guide. For deeper definitions, see our glossary entries on ecash, Cashu, and Fedimint, and explore the open data hub for the rest of the reference.
Frequently asked questions
Is ecash the same as having bitcoin in self-custody?
No. With self-custody you hold the private keys to your bitcoin directly. With ecash you hold tokens that are claims against bitcoin held by a mint (Cashu) or a federation (Fedimint). You gain strong privacy and instant, low-cost payments, but you give up direct custody, so ecash is for spending small amounts, not for storing savings.
Can a Cashu mint see my balance or who I pay?
No. Because tokens are issued with blind signatures, the mint cannot link a redeemed token back to its issuance, and it keeps no database of user accounts or activity. It knows how much total bitcoin it backs, but not which user holds which tokens or how they were spent.
How is Fedimint different from a single Cashu mint?
They use the same Chaumian-ecash privacy, but Cashu concentrates custody in one operator while Fedimint spreads it across a federation of guardians. In Fedimint, a threshold of guardians (for example, at least 3 of 4) must cooperate to move funds, so it removes the single point of failure that a lone Cashu mint represents — at the cost of more setup and coordination.
What happens to my ecash if a mint or federation disappears?
That is the core custodial risk. If a single Cashu mint goes offline or refuses redemptions, tokens backed only by that mint can become unspendable. A Fedimint federation is more resilient because a threshold of guardians would all have to fail or collude. In both cases the safeguard is the same: keep only small, spendable amounts in ecash and back up your wallet seed where the wallet supports deterministic recovery (NUT-13 in Cashu).
Can I use ecash with Nostr and Lightning apps?
Yes. Cashu wallets settle in Lightning and several support Nostr Wallet Connect (NIP-47), so a Nostr client can trigger payments from your ecash wallet. Wallets such as Minibits add Nostr identity and NWC remote control, and bridge tools translate between a Cashu mint and the NWC interface. See our Nostr Wallet Connect guide and Nostr NIPs reference for the wiring details.
Are Cashu and Fedimint open source and free to use?
Yes. Both are open-source protocols with public specifications and multiple independent implementations. Anyone can run a Cashu mint or operate as a Fedimint guardian, and the wallets are free to download. As always, credit goes to David Chaum’s original blind-signature research and to the open-source developers who brought these systems to Bitcoin.
