The million mint nodes would have to run a decentralized program of their own, a many-multi-sig wallet application.
Let's say a group of 192 peers coordinate to establish a mint. Some mechanism is used to be somewhat sure these are not 2 with 190 copies of the bad actor, some minimum PoW, WoT, anonymized reputation management, or combination. A 2/3 majority is needed to post on-chain, and a smaller number is needed to mint e-cash. The point is to distribute trust as wide as possible.
So everytime I redeem it's an onchain transaction, and multisig is needed for issuing/sending ecash directly? Federations are very hard things to keep honest, which is why blockstream has spent millions keeping theirs honest.
Ecash works on bitcoin because it's on LN, but then funds are on a murky node the mint can swipe.
I would say the mint would mint onion-ized e-cash to users via a member, which we can call a teller, and that member can decrypt the outer onion and send to the user's wallet. The teller issuance protocol ought to necessitate some broadcast to the other members so they know it's been issued, such as making a decrypt request to an adversarial teller, and/or making pre-minted e-cash more like a withdrawal by the teller that gets credited back once properly issued. It adds some latency, but that's a low price to pay for the federation to be able to verify issuance.
Oddbean new post about login | logout