Nostr Web Client

very cool idea, haven't seen anyone think about this yet. generally, unidirectional channels make everything a lot easier.

here is how it might work with the current protocol:

- user A wants to open a channel to tollgate B with 1000 sats capacity

- user A obtains B's public key

- user A mints a 1000 sat coin with 2-of-2 multisig and SIG_ALL signature flag that requires signatures from and B also on the outputs

- outputs are the BlindedMessage's that are created when this coin (input) is swapped with the mint

- thus, the outputs determine the channel state (distribution of funds), so to make payments, we need to update the outputs and sign them again

- to open the channel, the initial state is A=1000 and B=0 (sats), A signs both, the input (the coin itself) and two outputs (the enforced distribution) and sends all this to B.

- B signs the input+outputs as well. now B could close the channel.

- to make a 10 sat payment, A creates new outputs A=990 and B=10 and signs them, sends them over to B. now B can enforce the new state.

- when they're both done with the channel, B can close the channel with the latest state (the one where she gets most).

some notes:

- after closing the channel, B should be nice enough send A her remaining channel balance after /v1/swap'ing them and receiving new BlindSignature's. B can't use these BlindSignature, only A can unblind them. if she isn't nice, A would have to /v1/restore the BlindSignature's.

- B should never send back her signatures to A, otherwise A might close the channel with an earlier state.

- to allow A to close the channel uncooperatively (in case B stops operating for example), the initial coin can have a second "refund" spend path with a time lock which also determine the channel's maximum lifetime.

I just sketched this out after reading your post, so there might issues or better ways of doing this. you can checkout spillman channels, they are much simpler than the lightning channels we're using today. but I think the idea above here is pretty close to how they work.

ManyKeys 2mo ago

Why not just omit the mints and try something like this:

A Lightning-inspired multisig pool protocol allowing N participants to collaborate in a pooled channel, locking funds in an N-of-N multisig.

Each participant deposits a standardized amount (or variable, with careful balance tracking). Off-chain transfers use collective signing of updated pool balances, enforced by Bitcoin script and advanced cryptographic privacy (e.g., blinded signatures or zero-knowledge proofs to unlink payers and recipients).

Withdrawals trigger on-chain collaborative signatures, preserving privacy and enabling flexible outputs. Dispute resolution leverages timeout or penalty transactions, similar to Lightning, but extended for multi-party exit.

This model offers native privacy, pooled liquidity, and pure P2P scaling without gatekeepers and custodians, advancing the Lightning and CoinJoin concepts into a native Bitcoin P2P pool.

Reply to this note

Please Login to reply.

Discussion

SatsAndSports 2mo ago

> locking funds in an N-of-N multisig

you mean an on-chain multisig? I'm not against that exactly, but it's getting further away from Cashu

Also, your proposal kinda sounds like the Ark Protocol to me, although I don't know as much about about Ark as I would like. It seems to be generating a lot of interest and I want to know much more.

I feel like the general idea of Cashu is to trust the mint for "settlement", instead of using the blockchain, partly because it's much faster than the chain.

ManyKeys 2mo ago

> you mean an on-chain multisig? I'm not against that exactly, but it's getting further away from Cashu

Funds stay inside an on-chain N-of-N multisig pool and you get instant, Lightning-like balance updates among participants with a final on-chain exit. No single custodian; disputes resolve via multi-party mechanisms. This preserves Bitcoin-native security but requires sophisticated exit, dispute, and privacy design.

> I feel like the general idea of Cashu is to trust the mint for "settlement", instead of using the blockchain, partly because it's much faster than the chain.

in my limited understanding, adopting a Cashu mint-based settlement layer the off-chain settlement is accelerated by trusted mint attestations, but at the cost of introducing trust in the mint and potential liquidity constraints. In a Cashu-like arrangement, per-user liquidity is bound by the mint’s token liquidity and the ability to redeem; Lightning liquidity becomes a practical constraint because token minting/redemption must be backed by lightning liquidity so someone has to open the channels on chain anyhow. This can cap the effective throughput and affect routing of payments within the pool.