Skip to content


Repository files navigation

Anonymous Credentials for Cashu

Experimental implementation of the core crypto behind an anonymous credentials enabled Mint.

Compile and Run Tests

cargo build && cargo test

Run Benchmarks

cargo +nightly bench

Usage Examples

Creating a AmountAttribute:

use cashu_kvac::models::AmountAttribute;

// Normal
let amount_attribute = AmountAttribute::new(10, None);

// Chosen blinding factor (e.g. derived from BIP32)
let custom_blinding_factor = b"deadbeefdeadbeefdeadbeefdeadbeef";
let amount_attribute_1 = AmountAttribute::new(10, Some(custom_blinding_factor));

Creating a ScriptAttribute:

use cashu_kvac::models::ScriptAttribute;

let script = b"38c3";

// Normal
let script_attribute = ScriptAttribute::new(script, None);

// Chosen blinding factor (derived from BIP32)
let custom_blinding_factor = b"deadbeefdeadbeefdeadbeefdeadbeef";
let script_attribute = ScriptAttribute::new(script, custom_blinding_factor);

Issuing a MAC on a AmountAttribute:

use cashu_kvac::models::{AmountAttribute, ScriptAttribute, MAC};
use cashu_kvac::secp::Scalar;

let scalars = (0..6).map(|_| Scalar::random()).collect();
let mint_privkey = MintPrivateKey::from_scalars(&scalars).unwrap();

// Client generates these
let amount_attribute = AmountAttribute::new(10, None);
let amount_commitment = amount_attribute.commitment();
let t_tag = Scalar::random();

// Mint issues the MAC on the tag `t` and the commitments (amount and possibly script)
let mac = MAC::generate(&mint_privkey, amount_commitment, None, Some(t_tag)).unwrap();

Assembling a Coin:

use cashu_kvac::models::Coin;

// Takes ownership of the arguments
let coin = Coin::new(amount_attribute, script_attribute, mac);

Randomizing a Coin into a RandomizedCoin (mandatory before perfoming a swap, mint, melt):

use cashu_kvac::models::RandomizedCoin;

let randomized_coin = RandomizedCoin::from_coin(&coin, false).unwrap();

// Randomized coin, but the script will be revealed
let randomized_coin_with_script_reveal = RandomizedCoin::from_coin(&coin, true).unwrap();

Proving the balance between inputs and outputs of a swap:

use cashu_kvac::transcript::CashuTranscript;
use cashu_kvac::models::{AmountAttribute, MAC};

let transcript = CashuTranscript::new();

let scalars = (0..6).map(|_| Scalar::random()).collect();
let mint_privkey = MintPrivateKey::from_scalars(&scalars).unwrap();

let inputs = vec![
    AmountAttribute::new(12, None),
    AmountAttribute::new(11, None),
let outputs = vec![AmountAttribute::new(23, None)];

// We assume the inputs were already issued a MAC previously
let macs: Vec<MAC> = inputs
    .map(|input| {
        MAC::generate(&privkey, input.commitment(), None, None).expect("MAC expected")

let proof = BalanceProof::create(&inputs, &outputs, &mut transcript);


It is possible to prove/verify custom statement with SchorrProver and SchnorrVerifier

KVAC Scheme

KVAC for Cashu

Definitions and Protocol explaination (WIP): HERE


  • Deterministic Recovery
  • Server/Mint can tweak the amounts encoded in the attributes: $M_a' = M_a + \delta G_\text{amount}$
  • Using the $r$ blinding factor in Pedersen Commitments as the randomizing factor as well:
    • different generators with unknown discrete log between them guarantees hiding.
    • Benefit: no $\pi_\text{serial}$ because not needed anymore.
    • $C_a$ (Randomized Amount Commitment) is chosen to be the nullifier.

Range proofs


  • BULLETPROOFS++ aritmetic circuits
  • SHARP which would improve creation/verification time tenfold. There are some different flavours of sharp, some of which make use of hidden order groups.


Every Zero-Knowledge proof uses a dedicated transcript defined in and tweaked by a domain separation byte-string for the various statements that need to be proven.


Harnessing the power of Keyed-Verification Anonymous Credentials



Security policy





No packages published