I feel like we should be doing something with accumulators in Cashu. Accumulators are just so darn efficient. 

Say the mint would offer an accumulator of all spent ecash tokens (a bloom filter for example). The wallet could download that few-hundred-byte accumulator and immediately check all ecash for its spent state. If the accumulator check says "not spent" – we're good. If the accumulator says "spent", the wallet can't be certain that it's not a false positive and would do the usual check with /checkstate.

This isn't the best thing you can do with accumulators. There might also be an avenue for checking the spent state of ecash when you receive it while being offline. Suppose a user has a relatively up-to-date accumular downlaodded from the mint. This accumulator can be used to check all ecash produced before the accumulator for its spent state. Would be super useful for offline transactions. Downside: it can't cover ecash minted after the accumulator update. It might need some additional fancy crypto to prove that the user is receiving ecash that was minted before a certain date, so the receiving user can be sure that it would be covered by the accumulator. 

(Edit: I think you could also prove the creation date of a token without too much crypto magic. if the mint would give the user a signature on the message "I signed the blinded message Y on date `date`" this signature could be transferred from user to user as a proof of mint-date)

#justAccumulatorThings 

 Could just put the date right in the token to, so every signature from the mint commits to the date. 

 Problem is the mint doesn't see what it's signing (the user could put anything in there). Would need crypto magic to put it in there and still prove some (zk) property of the blinded message (Pedersen commitments). 

The cleartext signature sounds like an easy way to achieve the same thing without changing too much in the protocol, probably can be done backwards compatible. 

 I might be wrong here:

 wouldn't this be an excellent use for adaptor signatures? that way in theory you could verify when it was produced?  

 Could you expand? My knowledge on adaptor sigs is pretty basic. 

 I just gave it a little bit more thought and I think I'm wrong on this.
 
 I'm not a cryptographer so bear with me.
 
 my thought was this:
 
 my thought was to basically convert the blinding key into an adaptor signature:
 
 you would calculate the normal blinding factor and then append a timestamp to it as the digest of the adaptor signature.
 
``` blinded_factor + timestamp ```
  
the mint would sign this digest and encrypted to a public key that you control control. 
 
the mint would need to  tell you separately  about the contents of the digest that it used. (I think this is a problem)

In theory you could then verify with the mint's public key that the message inside the adaptor signature is correct  with out decrypting the signature. (as I understand this is the magic of adaptor signatures)

When you want to pay somebody with Ecash you would then need to pass them the digest from the mint and the private key from the corresponding public key. So they could decrypt the signature used.

problem I see: 
		We don't actually need to do anything with this signature we only need the content it references so the adaptor signature might not be the tool for the job. 
 
 sorry for the horrible explanation  
  

 Wondering what @waxwing thinks about this. 

 Does this prove anything other than the cash you receive hasn't already been spent? Couldn't someone just spend it basically right when they give it to you? I thought the only way to really *know* the cash is yours only is to redeem-reissue.