Chaumian E-Cash For Custodial Bitcoin Wallets And Services To Scale Bitcoin

4 min readDec 22, 2017


In this article I present the idea on how custodial Bitcoin wallets and services, like Xapo, CoinBase, Bitfinex and AlphaBay can improve their model to improve the privacy of their customers. It is important to note that, custodial entities violate three of the most important principles of Bitcoin, which can be derived from the economic theory on the properties of good money.

  1. Custodial entities can inflate the money supply.
  2. Custodial entities control the funds of their customers.
  3. Custodial entities know their customers’ activity.

However custodial entities provide significant off-chain scaling to Bitcoin. This scaling method of Bitcoin is often considered to be inadequate. In this article I will show how custodial entities can fix the violation of the third principle. Fixing the third principle, the privacy aspect also makes the second principle less significant. If custodial entities do not know who they are serving, they will not be able to freeze their customers’ assets selectively.
In contrast, the Lightning Network solves the first and the second principle and makes some improvements upon the third principle, too.

How Custodial Bitcoin Wallets Work

While custodial Bitcoin services, like exchanges and marketplaces are not considered to be Bitcoin wallets, they also enable instant settlements of transactions within their system, just like custodial Bitcoin wallets, the difference is that, another asset is being traded in exchange for bitcoins, direct account to account transactions are interestingly often not implemented. Such improvement however is a low hanging fruit to improve their system.

Chaumian E-Cash For Custodial Services

In order to explain how this can be applied to our situation, I will modify the following StackExchange answer.

Let’s suppose I deposit one BTC to a custodial service. Think about this custodial service as a settlement system and let’s introduce an e-cash wallet, that is the interface to this settlement system. Just like, when you think about your Bitcoin wallet as an interface to the Bitcoin network, but unlike blockchains, the centralized server is actually smart, fast and scales well.

When you deposit one BTC, your e-cash wallet will generate 1000 serial numbers. Your goal is to make the server to sign every serial number. Each signed serial number represents 0.001 BTC.

Some days later I want to send Satoshi 0.01 BTC. Satoshi registers an anonymous account to the custodial service and gives me his account number. Then I tell the custodial service: “Yo! Here’s 10 serial numbers, signed by you, each represents 0.001 BTC. Please credit Satoshi’s account with them.”

Satoshi’s e-cash wallet generates 10 serial number, marks your 10 serial numbers as used, and the server signs those serial numbers. This is an internal transaction. You can just as easily withdraw money in exchange for signed serial numbers.

There are two big problems with this:

  1. The server knows which serial numbers it signed. Therefore it knows exactly that when, for example Alice tries to spend a serial number signed by Bob.
  2. The amounts credited to the accounts are leaking information it shouldn’t.

Blind Signing

To solve the first problem we can simply apply this handy cryptographic technique. When we want a serial number to be signed, we just blind it, give the blinded serial number to the server and the server gives back to a blinded signature. We unblind a signature, that will verify against the original serial number.
Now, the server does not know who send the money to Satoshi.

Avoid Account Reuse

In Bitcoin we generate a new address every time when we receive a transaction. Similarly, every time when we receive a transaction to our custodial account we can generate a new account. But we can do even better. Why do we even have accounts? We only need signed serial numbers! With this we can work with. Here how I can send Satoshi money:

Satoshi generates 10 serial numbers, blinds it and gives me the 10 blinded serial numbers. I ask the server, “Yo! Can you sign this 10 blinded serial numbers, in exchange you can mark this other 10 signed serial number of mine as used?”
Finally I give the signatures to Satoshi, as a proof “hey, this payment happened”.

In other words, in a chaumian e-cash like custodial Bitcoin wallet a transaction is happens by the following two step interaction between Me and Satoshi. First Satoshi gives me blinded serial numbers, then I give back signatures to Satoshi. Satoshi did not even interacted with the server!

Legal Notes

I am not qualified to comment on the legalities of this service, however I believe it can be sold to regulators if the company that builds it makes sure it brands this service as a Bitcoin scaling solution, where privacy is just a side product.

Think about it this way: the users must hold their own keys, and the company is in no position to decide which Bitcoin withdrawal request to honor and which to prevent. The server is simply a settlement system, it either freezes or steals everyone’s money or nobody’s.

Since you are not in control of your customers’ funds in the traditional sense. Now you are in control of a bunch of bitcoins and whoever presents you a serial number with a valid signature you must honor their request, because you have no idea whose request you should block.

Feedbacks/Further Research