This makes it easy to link Proofs together, and removes privacy - especially if the Proof is linked to a long-lived public key, such as a Nostr NPUB.

The solution is to "blind" the public keys cryptographically, in a way that only the sender and receiver can reverse.

Pay to Blinded Key (P2BK) uses Elliptic Curve Diffie-Hellman (ECDH) to establish a shared secret key over a public or insecure channel.
Here's how it works... in layman's terms.

The magic of ECDH is possible because a person's Public key (e.g. NPUB) is their Private key multiplied by the curve base point G.
It's a calculation that is simple to do, but pretty much impossible to reverse engineer.
In other words, you can easily calculate a public key (P) given its private key (p), but crucially, you can't calculate a private key from the public key!

To start with, Alice obtains Bob's public key (e.g. from his Nostr profile)...

She then generates a random, temporary keypair (Public Key: E, Private Key: e) known as her "ephemeral key pair".

She then calculates a "shared secret" by point-multiplying her ephemeral private key (e) with Bob's public key (P). This gives a shared point (known as "Z").
Here's the magic... this shared point (Z) is the SAME as if she had multiplied her private key (e), Bob's private key (p) and the cryptographic Generator point (G).
But she calculated it using Bob's PUBLIC key.

Having calculated the shared secret and blinded the public keys using it, she then sends Bob the ecash token, including the ephemeral PUBLIC KEY (E) that she created.

Now Bob can use the magic of ECDH... he takes his private key (p) and the ephemeral public key that Alice sent with the ecash (E), and he can calculate the SAME shared secret!
He can now use that shared secret to derive a private key to unlock the ecash.
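
The exchange described above, as an added example in pure Python over secp256k1 (the curve Nostr keys use); it is not code from this post or from the NUT-26 draft. The tweak derivation (SHA-256 of Z's x-coordinate) and the blinding form P + r·G are assumptions chosen for illustration, so consult the draft spec for the exact derivation, and note the arithmetic here is not constant time.

```python
import hashlib
import secrets

# secp256k1 domain parameters
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                      # a and b are inverses
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def tweak(shared):
    """Assumed derivation: scalar r = SHA-256(x-coordinate of Z) mod n."""
    digest = hashlib.sha256(shared[0].to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N

def demo():
    p = secrets.randbelow(N - 1) + 1     # Bob's long-lived private key (constructed)
    P = mul(p, G)                        # Bob's public key, e.g. from his profile
    e = secrets.randbelow(N - 1) + 1     # Alice's ephemeral private key
    E = mul(e, G)                        # ephemeral public key sent with the token
    z_alice = mul(e, P)                  # Alice computes Z = e * P
    blinded_pub = add(P, mul(tweak(z_alice), G))  # key the ecash is locked to
    z_bob = mul(p, E)                    # Bob computes the same Z = p * E
    blinded_priv = (p + tweak(z_bob)) % N         # private key that unlocks it
    return z_alice, z_bob, blinded_pub, mul(blinded_priv, G), P
```

An observer sees only `E` and `blinded_pub`; linking `blinded_pub` back to `P` requires `Z`, which needs either `e` or `p`.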

The beauty of P2BK is that it provides perfect privacy. Alice and Bob do not need to communicate at all to set it up - all Alice needs is Bob's public key.
The ecash is locked to totally unique blinded public key(s), keeping the receiver's identity private from anyone who views the ecash. This means tokens can be published securely in public.
The sender's identity is also protected, because Alice uses an ephemeral keypair to create the shared secret, and throws it away afterwards. All Bob needs is the ephemeral Public Key!

You can read the draft specification for NUT-26 here:
https://github.com/cashubtc/nuts/pull/300
You can also play with P2BK (though don't be reckless).
P2BK Lock Tokens with Cashu NutLock:
https://nostrly.com/cashu-nutlock/
P2BK Unlock Tokens with Cashu Witness:
https://nostrly.com/cashu-witness/
or Cashu Redeem: