
The Privacy Properties of Cashu (Compared to On-Chain Bitcoin)

Cashu has different privacy properties than on-chain Bitcoin. Here is what each protects, what each leaks, and how they compose.

Cashu’s privacy properties are different from on-chain Bitcoin’s privacy properties in specific ways. The differences matter because the realistic privacy outcomes depend on which observer you care about. This post is the technical comparison: what each protocol protects, what each leaks, and how they compose for users seeking strong privacy.

On-Chain Bitcoin Privacy

The baseline.

Transactions are public. Every Bitcoin transaction is broadcast to the network and stored in the blockchain. Anyone can observe the flow of value across addresses.

Addresses are pseudonymous. Bitcoin addresses are not tied to identity by default, but they can be linked to identity through behavioral analysis, exchange KYC, or self-disclosure.

Address reuse compromises privacy. Once an address is linked to identity, all transactions to and from that address are visible.

Chain analysis tools exist. Companies like Chainalysis and Elliptic build commercial tools for tracing Bitcoin flows. Government agencies use them for compliance and investigation.

Mixing tools have legal complications. CoinJoin and similar tools improve privacy but have faced regulatory pressure in some jurisdictions.

The privacy floor is partial. With operational security and mixing tools, on-chain Bitcoin can be made more private. Without them, transactions are easily traceable.

For most casual on-chain Bitcoin use in 2026, privacy is partial at best.

Lightning Network Privacy

The middle layer.

Channel openings and closings are on-chain. They are visible to chain analysis and reveal the participants in each channel.

Routed payments are partially private. Each routing node sees only the immediately adjacent hop, not the full path. The source and destination are obscured to intermediaries through onion routing.

Destination is visible to itself. The recipient knows who sent the payment (or at least the immediate predecessor in the routing chain).

Channel balances are partially observable. Active channels reveal capacity and approximate balance to participants.

Privacy depends on network topology. Payments routed through dense parts of the network are more private than payments routed through sparse parts.

Network analysis is a research area. Lightning privacy properties are studied; deanonymization techniques exist for some scenarios.

Lightning is more private than on-chain Bitcoin for most casual observers but has its own observable surface.

Cashu Privacy

The blinded-signature layer.

Token issuance involves blinded signatures. When a user deposits sats at a mint, the mint signs a token using a blinded version of the token data. The mint sees the signature request but cannot see the unblinded token contents.

Token redemption uses the unblinded version. The user holds the unblinded token after issuance. When they redeem, they present the unblinded version. The mint verifies the signature without being able to link it to the original issuance.

Result: the mint cannot link issuance to redemption. Two operations happen (someone deposited; someone redeemed); the mint cannot tell which deposit produced which redemption.

Cryptographic property is strong. The blinded-signature property is mathematically rigorous, not just operationally hard to defeat.

The mint sees its own operations. It knows the total deposited and redeemed; it knows individual deposits and individual redemptions; it cannot connect them.

Privacy is against the mint specifically. External observers see less than the mint; the mint sees less than what it would see in a non-blinded system.

For users seeking issuance-redemption unlinkability, Cashu provides it cryptographically.

What Cashu Privacy Does Not Protect

The honest limits.

The mint sees its own operations. A malicious mint that logs all operations could perform timing analysis to correlate deposits with redemptions (though the cryptographic property limits what timing reveals).

Network-level metadata. IP addresses, timing, and frequency are observable to anyone monitoring network traffic. Tor or similar networks address this; Cashu alone does not.

Token transfer to other parties. When the user gives a token to someone (e.g., embeds it in an email), the recipient now holds the token and can correlate it. The cryptographic property protects against the mint; not against the recipient.

User behavior. If the user mints a specific amount and immediately melts a similar amount, the timing correlation is visible. Privacy-aware behavior helps; cryptography alone does not.

Mint compromise. If the mint’s signing key is stolen, the blinded-signature property degrades for affected tokens.

Cross-mint correlation. Tokens from different mints have different issuance traces. Using a single mint exclusively limits the cross-correlation surface but introduces single-point-of-failure risk.

The cryptographic property is strong; the operational security determines the realistic privacy outcome.
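
Added example (not from the original post): a way to measure the timing and amount correlation described under "User behavior" by counting, for each melt in a mint-side log, how many earlier deposits could plausibly explain it. The log is constructed, and the three-hour window and 5% amount tolerance are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed mint-side log: (timestamp, operation, amount in sats).
# No token data appears here; timing and amounts alone are enough.
LOG = [
    ("2026-01-10T09:00:05", "mint", 2100),
    ("2026-01-10T09:00:40", "mint", 500),
    ("2026-01-10T09:01:10", "melt", 2090),  # similar amount, melted 65 s later
    ("2026-01-10T09:02:00", "mint", 500),
    ("2026-01-10T09:03:30", "mint", 512),
    ("2026-01-10T11:45:00", "melt", 498),
]

def candidate_deposits(log, window=timedelta(hours=3), tolerance=0.05):
    """For each melt, list the earlier mints inside `window` whose amount is
    within `tolerance` (a fraction). The list length is the melt's anonymity set."""
    events = [(datetime.fromisoformat(ts), op, amt) for ts, op, amt in log]
    result = {}
    for t_melt, op, amt in events:
        if op != "melt":
            continue
        result[(t_melt.isoformat(), amt)] = [
            (t.isoformat(), a) for t, o, a in events
            if o == "mint"
            and timedelta(0) <= t_melt - t <= window
            and abs(a - amt) <= tolerance * a
        ]
    return result

def linkable(log, **kw):
    """Melts whose anonymity set has exactly one member."""
    return {m: c[0] for m, c in candidate_deposits(log, **kw).items() if len(c) == 1}
```

On this log the 2090-sat melt has a single candidate deposit, while the 498-sat melt hides among three. Waiting and using common amounts widen the set where the blind signature alone cannot.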

Composition With Lightning

How the layers combine.

Cashu mint operations involve Lightning. A user depositing sats at a mint sends a Lightning payment to the mint. A user redeeming tokens receives a Lightning payment from the mint. Both Lightning payments are subject to Lightning’s own privacy properties.

Cashu adds an unlinkable layer above Lightning. The Lightning hops are visible to themselves; the Cashu issuance-redemption is not. The combined privacy is stronger than Lightning alone.

Mint sees Lightning operations. The mint knows the Lightning channel that funded a deposit and the Lightning invoice it paid for a redemption. The mint cannot link these to specific tokens (cryptographic property), but it can see the Lightning side.

Network-level observers. A passive observer of the user’s network traffic sees Lightning payments and the mint URLs queried. They do not see token contents or unblinded operations.

Combined privacy. Reasonable for typical use; not absolute. For the strongest privacy, combine Tor, ephemeral mints, and careful operational practices.

What This Means for Cover Charge Privacy

For Rythm specifically.

Sender’s payment to mint is private. The sender mints a token. The mint sees the deposit but cannot link it to the eventual recipient.

Token in email reveals destination. The email body contains the token. Anyone who sees the email (the sender’s outbox, the mail server, the recipient) sees the token. The privacy that remains is against the mint and network observers, not against parties who can read the email.

Recipient’s redemption is private from the mint’s perspective. The mint sees a redemption but cannot link it to the original issuance. The mint sees the destination Lightning address (the user’s wallet) but does not learn the original sender.

Network-level observers see Lightning operations. A network observer can see the mint operations and the melt operations but cannot link them to specific tokens.

The recipient knows the sender. The email body reveals the sender (from the mail headers); the cover charge payment is part of the email. The recipient learns who paid them, just as they would for any email.

The sender does not know the recipient’s wallet beyond the Lightning address. The Lightning address is the destination; the underlying wallet’s specific properties (custody, keys) are not visible to the sender.

The privacy posture is reasonable for typical use cases. The cryptographic property protects against mint correlation; the email’s natural transparency limits sender-recipient unlinkability (which is fine, because the sender wants to be known to the recipient).

When Cashu Privacy Is The Right Tool

The use cases.

Users who want unlinkable per-payment privacy. Casual payments where each transaction should not correlate to a broader profile.

Use cases where the recipient can be public but the issuance pattern should be private. Cover charges fit this; the recipient receives the payment, but the recipient’s broader pattern of receiving (which mints, when, from whom) should not be exposed.

Use cases where the mint’s view should be limited. Cashu’s whole point is that the mint sees less than it would in a non-blinded system. For users who care about that property specifically, Cashu is the right tool.

Use cases involving small amounts where chain analysis is not the primary concern. For larger amounts or strategic transactions, additional privacy infrastructure may be appropriate.

When Other Privacy Tools Are More Appropriate

The honest limits.

Use cases requiring strong sender-recipient unlinkability. Cashu does not provide this; the recipient learns the sender from the email itself. For unlinkable communication, encrypted messaging or mix networks are appropriate.

Use cases requiring full transaction-level privacy. A full privacy-preserving system would also address Lightning-level metadata, network-level observation, and timing correlation. Cashu addresses one layer; full privacy requires multiple layers.

Use cases involving regulated entities. KYC and compliance regimes may require visibility that Cashu’s privacy properties do not provide. Custodial alternatives or different infrastructure may be more appropriate.

A Specific Honest Note

Cashu’s privacy properties are real, cryptographically grounded, and meaningful. They are different from on-chain Bitcoin’s properties; in some dimensions Cashu is stronger (mint cannot link issuance to redemption); in others it is comparable or weaker.

For Rythm cover charge payments, the realistic privacy outcome is that the mint cannot correlate sender to recipient through the token. Network-level observers see Lightning operations but not token contents. The recipient learns the sender from the email itself, which is appropriate for the use case.

For the related guides, see the Cashu protocol explained for email use cases, why bearer tokens are the right primitive for email payments, the economics of a Cashu mint, and LNURL standards: a practical reference. For the broader frame, see non-custodial architecture and end-to-end encryption vs non-custodial architecture. Rythm is $1.65 per month, cancel anytime.
