so, it confirms two things: the amount and the truth of whether it spent it in the first place?
so it is a simple form of zero knowledge proof with one small associated value, i.e. the amount, plus one bit of truth
well, if that's exactly how it works, and i believe it could be (i never read deep into blinded signatures), then very cool, and that also means chaumian mints act as perfect mixers, because what goes in cannot be traced to what goes out insofar as the amounts differ
Yes, that’s exactly right. The amount is set in stone, as the mint has a different signing key for each amount. So just by verifying the signature, the mint knows the amount is valid. And because the mint only signs notes that have been paid for, it can also trust that this token is actually spendable.
When the mint creates a new output, it doesn’t actually know what the output looks like. So when I use that output as an input, it can only verify that it’s valid, nothing more.
ok, next question: so when it issues a token, does it do this on the prompt of a spender, or does it do this independently and issue it to a spender upon the amount?
because that IP address is a trace, as is the spender who can verify spending it, how is this handled?
the amounts can definitely be correlated, is my point, i buy 2000 sats precisely, and then anyone who redeems 2000 sats could be my counterparty? no?
That’s why there are fixed amounts (imagine notes / coins), and the lower the amount you choose, the better your anon set is.
so, i correctly understood it... the mint can track the size of the token to the input and output IP addresses
that is kinda important information for users of these things, isn't it?
it means you can't have anon ecash without having a tor proxy or similar
i get it that you can mitigate some of that with breaking the spend into pieces but it's still pretty strong metadata
Thanks to Multi Mint Payments you can not only split the token across multiple amounts, but also multiple custodians reducing metadata leaks even further.
well, i am hearing this idea for the first time
although i had this idea of non-splittable UTXOs about 5 years ago
The mint only creates tokens when prompted to. The token receiver has to provide a blinded message to “receive” the token on in order to make it work.
That does indeed mean that a mint can use metadata to trace. However, that can be mitigated by privacy enhancing tools like Tor or a simple VPN.