🔥 https://fountain.fm/show/lMPJwZjJkDlElgdx8sxY
Cashu is simple. Don't trust, verify: MATH TIME LFG

Alice generates random values x and r. She then calculates public keys from these secrets:

Y = h'(x)
R = rG

Now she does an aggregate public key, by adding the previous two public keys together. x is the secret and r is called the private blinding factor.

T = Y + R

Then she sends T to Bob, the mint. He cannot tell how T was generated because he doesn't know the other values, and multiplication on an elliptic curve is what we call "a random walk". This mathematical puzzle is known as the Discrete Logarithm Problem (DLP).

Bob has a special keyring, holding private and public key pairs, one for each amount power of 2. Let's say Alice is minting 1 sat, so then Bob picks the 1-sat key pair.

B = bG

Now he mixes his private key with the public key he just received.

Q = bT

And then he sends back to Alice this new point on the curve. But look! She knows T already, right? She can do a process that we call unblinding, by subtracting the mix of the little r and Bob's public key.

Z = Q - rB

Let's replace the variables here to know what the result of this means:

Z = bT - rB
Z = bT - rbG
Z = b(Y + R) - rbG
Z = bY + bR - rbG
Z = bY + brG - rbG

So, we actually have the same number here, brG equals rbG, cancelling each other. So then

Z = bY

Now Alice holds a value that means Y multiplied by Bob's private key. Alice has no idea what little b is and Bob has never seen Y!!!

B.D.H.K.E. is really cool, huh?

How does Alice know for sure that Y is mixed with Bob's private key tho, because she can't see little b, remember, DLP? Bob will also send a Fiat-Shamir commitment to Alice, that is a Schnorr signature.

--- Pause to talk about Schnorr signatures.

signature = private nonce + commitment * private key.

P = dG

Where little d is the private key, P is the public key.

J = jG

Where little j is the private nonce, J is the public nonce. So we have

s = j + ed

Where little e is the hash of the stuff we want to "prove" against our private key

e = h(J|P|m)

Where m would be any message.

How do we verify that this is a valid signature? We know that the public key is the little private key d times the generator point G.

P = dG

So, what if the verifier does the same math but with the public key instead? Let's multiply everything by G then.

sG = jG + edG
sG = J + eP

If the left side of the equation is equal to the right side, everything is good. You just did the same math that the signer did, but with public information!

--- Back to Bob now!

He wants to prove to Alice that he actually did Q = bT, without showing her his private key, little b. What if he does a signature?

s = j + eb

mmmmm 🤔 this proves shit, nothing. BUT WAIT. Do you see that little b is in the formula? And we want bT. Right? What if we multiply everything by T then?

sT = jT + ebT
sT = jT - eQ

Cool. Let's call J1 = jG and J2 = jT. Could Alice recompute both values with public information? Yes! If J1 is j multiplied by G, then

s = j + eb
-j = -s + eb
j = s - eb
jG = sG - ebG
J1 = sG - eB

What about J2? Same as above, but multiplying everything by T.

j = s - eb
jT = sT - ebT
J2 = sT - eQ

Now, if sG = J1 + e(J1|J2|B|Q)Q, then she knows that Bob indeed used his private key little b. This is a zero knowledge proof, DLEQ (BIP374), because Bob was able to show Alice he used the private key b without showing it to her.

Now the final piece. If she wants to spend the token or send it to someone... The person needs to show Bob (x, Z). Bob will verify the following: does this value, used in the hash_to_curve function, combined with my private key, equal the proof Z?

h'(x) * b = Z
Yb = Z

If so, I've mixed this value I've never seen with my private key?? Yes. Wuuut.

So Bob will accept this as a valid token, marking it as spent (or, now seen). He has no idea that the T has any relation with this (x, Z). e-Cash solves privacy, not custody/trust. Math is beautiful and privacy is not a crime.
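The whole exchange above (blinding, blind signing, DLEQ proof, unblinding and redemption), as an added worked example that is not part of the original post and not Cashu's own code. It implements secp256k1 in pure Python so it runs with no third-party library; the hash_to_curve is a plain try-and-increment stand-in for the post's h'(x) (real Cashu uses a domain-separated variant), and the DLEQ check is the standard one, e = H(J1|J2|B|Q) recomputed from J1 = sG - eB and J2 = sT - eQ. The secret bytes and the key b are constructed sample values.

```python
# Added example (not from the original post): BDHKE blind signing + DLEQ proof
# over secp256k1 in pure Python. Keys are constructed/random, not real mint keys.
import hashlib
import secrets

# secp256k1 domain parameters (the curve Cashu uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(A):
    return INF if A is INF else (A[0], (-A[1]) % P)


def mul(k, A):
    """Double-and-add scalar multiplication k*A (the 'random walk')."""
    R = INF
    k %= N
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def hash_to_curve(msg: bytes):
    """Stand-in for h'(x): hash to an x-coordinate, retry until it lies on the curve."""
    ctr = 0
    while True:
        h = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


def ser(A):
    """33-byte compressed point encoding, used when hashing points."""
    return bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")


def challenge(*pts):
    """Fiat-Shamir challenge e = H(J1|J2|B|Q) reduced mod the group order."""
    return int.from_bytes(hashlib.sha256(b"".join(ser(p) for p in pts)).digest(), "big") % N


def dleq_prove(b, T, Q):
    """Bob proves Q = b*T with the same b behind B = b*G, without revealing b."""
    B = mul(b, G)
    j = secrets.randbelow(N - 1) + 1          # private nonce
    J1, J2 = mul(j, G), mul(j, T)            # public nonces on both bases
    e = challenge(J1, J2, B, Q)
    s = (j + e * b) % N
    return e, s


def dleq_verify(B, T, Q, e, s):
    """Alice recomputes J1, J2 from public data and checks the challenge matches."""
    J1 = add(mul(s, G), neg(mul(e, B)))   # sG - eB
    J2 = add(mul(s, T), neg(mul(e, Q)))   # sT - eQ
    return challenge(J1, J2, B, Q) == e


def mint_and_redeem(x: bytes, b: int):
    """Run the full protocol; returns (proof_ok, redeem_ok, T, Y, Z)."""
    B = mul(b, G)
    Y = hash_to_curve(x)                   # Alice: Y = h'(x)
    r = secrets.randbelow(N - 1) + 1       # Alice: blinding factor
    T = add(Y, mul(r, G))                  # Alice: T = Y + rG, sent to Bob
    Q = mul(b, T)                          # Bob: Q = bT
    e, s = dleq_prove(b, T, Q)             # Bob: DLEQ proof
    proof_ok = dleq_verify(B, T, Q, e, s)  # Alice: check proof
    Z = add(Q, neg(mul(r, B)))             # Alice: Z = Q - rB
    redeem_ok = mul(b, hash_to_curve(x)) == Z   # Bob at redemption: b*h'(x) == Z?
    return proof_ok, redeem_ok, T, Y, Z


if __name__ == "__main__":
    ok_proof, ok_redeem, T, Y, Z = mint_and_redeem(b"constructed secret x", 0xB0B)
    print("DLEQ proof valid:", ok_proof, "| redeem valid:", ok_redeem, "| Bob saw Y:", T == Y)
```

The three boolean checks in mint_and_redeem are the security-relevant ones: the proof binds Q to the key Bob published, unblinding yields exactly bY, and Bob can later confirm b*h'(x) == Z for a point Y he never saw in the clear. Tampering with s, or presenting a different x, makes the corresponding check fail.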
His nostr profile btw:
SWE at ZBD PGP: 0xD8F31505B581D617 / I'm afraid to say I write software and have people think I understand computing.