Yes, that's indeed the standard protocol. The receiver immediately swaps the token against a new one with the mint.

The alternative flow is to lock a token to your pubkey and send it to you. Then, nobody can spend it except you so it can't be double-spent.


Discussion

I'm not sure I quite understand yet, with p2pk it seems like asking a sender to lock a token to your pubkey would mean you can't spend your token without redeeming it. Unless you can chain these proofs? So if you have proof that the token was locked to the sender's (b) key and in turn to yours (a), you know that the sender isn't double-spending, even if the person they received the token from (c) may have? But it basically increases the duration that the intermediary (b) would have to be working offline in order to get a double spend, and only the original sender (c) would be able to rug you.

It works very similarly to Bitcoin. A Bitcoin address is essentially a public key and only its owner can spend coins on that address.

With ecash:

- the receiver shares a public key P with the sender

- sender locks ecash to P and sends locked ecash to receiver

- receiver looks at the ecash and sees "the ecash is signed by the mint and it's locked to P" -> it can only be spent by the owner of P (which is the receiver)

"Locking" is like creating a smart contract and attaching it to the token (it can't be detached). Not sure I understand your question but you don't need a proof, you just look at the contract to see the spending condition: pay to pubkey locked to P

Even if the sender would send it to anyone else, nobody can spend it except for the receiver. That's how publicly-verifiable nutzaps (NIP-61) work: I can post a token that's locked to your npub, everyone can see it, only you can spend it.

Does that answer your questions?

Here is the spec: https://github.com/cashubtc/nuts/blob/main/11.md
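The receiver-side check described above ("look at the contract to see the spending condition"), as an added illustration that is not part of this thread or of the Cashu code base. It assumes the NUT-11 secret layout from the linked spec (a JSON array of kind `P2PK` with `data` = locked pubkey and optional `locktime`, `refund`, `pubkeys`, `n_sigs` tags); the key values are constructed placeholders, and the mint's blind signature on the proof is not verified here.

```python
import json

# Constructed sample NUT-11 secret: the spending condition carried inside a proof.
# Key hex strings are placeholders, not real keys.
RECEIVER_PUBKEY = "02" + "aa" * 32   # P, the receiver's compressed pubkey (placeholder)
REFUND_PUBKEY = "03" + "bb" * 32     # sender's refund key after locktime (placeholder)
SAMPLE_SECRET = json.dumps(["P2PK", {
    "nonce": "00" * 32,              # placeholder nonce
    "data": RECEIVER_PUBKEY,
    "tags": [["locktime", "1700000000"], ["refund", REFUND_PUBKEY]],
}])

def parse_p2pk(secret):
    """Parse a NUT-11 secret string into (locked_pubkey, tags) or raise if it is not P2PK."""
    kind, body = json.loads(secret)
    if kind != "P2PK":
        raise ValueError("not a P2PK-locked proof: %r" % kind)
    tags = {}
    for name, *values in body.get("tags", []):
        tags.setdefault(name, []).extend(values)
    return body["data"], tags

def spending_keys(secret, now):
    """Who may spend this proof at unix time `now`, as (set_of_keys, signatures_needed).
    Before locktime: the locked key plus any 'pubkeys' tag, n_sigs of them required.
    After locktime: any one 'refund' key, or anyone (None, 0) if no refund key was set."""
    locked_key, tags = parse_p2pk(secret)
    locktime = int(tags["locktime"][0]) if "locktime" in tags else None
    if locktime is not None and now >= locktime:
        refund = tags.get("refund", [])
        return (set(refund), 1) if refund else (None, 0)
    keys = {locked_key, *tags.get("pubkeys", [])}
    n_sigs = int(tags.get("n_sigs", ["1"])[0])
    return keys, n_sigs

def receiver_accepts(secret, my_pubkey, now):
    """Receiver's offline check: right now, can nobody but me spend this token?"""
    keys, n_sigs = spending_keys(secret, now)
    return keys == {my_pubkey} and n_sigs == 1

if __name__ == "__main__":
    print(receiver_accepts(SAMPLE_SECRET, RECEIVER_PUBKEY, 1690000000))  # True
    print(receiver_accepts(SAMPLE_SECRET, RECEIVER_PUBKEY, 1700000001))  # False: refund key can claim
```

A locktime is therefore a deadline for the receiver: once it passes, the sender's refund key can reclaim the token, so the receiver should swap it with the mint before then.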

So locking has to happen online? I read the spec but am having a hard time grokking it all.

Yep, to lock a coin, you must burn one that you have, and in turn you create one that is locked – you must be online and communicate with the mint to do that.

Similar to sending your bitcoin into an address (that's only spendable by the receiver).

Interesting detail: the mint doesn't see what you're locking the token to, the token (and its locking script) is blinded when you do. Upon spending the coin (i.e. unlocking it), the mint sees the script it's locked to.

Soon TM we want to add zk-scripts so that the mint doesn't even see the unlocking script anymore. 2 weeks

Cool, so fully offline use basically depends on trusting the counterparty not to rug you for as long as you're offline. Do you see this impacting adoption in developing countries or low-trust scenarios?

Not exactly the case. One of the parties needs to be online to make a payment:

- if the receiver is online, send a normal token and receiver swaps

- if the sender is online, lock to receiver's pubkey and send

both transactions are final and can't be double-spent.

Sorry, misread. Yes, *fully* offline ecash doesn't have double-spend protection.

Awesome, thanks for clearing that up for me