Multisig Digital Bearer Instruments - peer to peer electronic cash

In the email, the concept of threshold inversion is explained as a key security feature in cryptographic implementations. Unlike typical models where an issuer holds a key at the spending threshold, here, the issuer's key (kA) is positioned below this level. This design ensures that kA is irrelevant for transaction authorization, thus preventing the issuer from initiating or blocking transactions even if kA is not deleted. This arrangement underscores a significant shift from conventional practices, enhancing security by making the deletion of kA a matter of hygiene rather than a necessity.

The technology uses a MuSig2 signing process with keys kB and kC, which are held by the bearer and together are crucial for the transaction process. The issuer, holding only kA, finds it cryptographically ineffective for spending due to its exclusion from the key-path aggregate in the Taproot output structure. This structure commits solely to kB and kC, thereby cementing the issuer's inability to affect the spending process.

For peer-to-peer transactions, this setup offers a robust verification mechanism. Receivers can confirm transactions independently on multiple nodes, monitor for competing spends, and secure their assets by sweeping them to personal addresses, rendering the sender's copy of the keys useless post-transfer. This method provides a high level of security and immediate finality in merchant contexts through mechanisms set to sweep receipts immediately upon payment receipt.

Moreover, the introduction of a buyer-generated key issuance protocol further secures transactions against malicious issuers. Here, the buyer generates private keys kB and kC and transmits only their public counterparts KB and KC. The safety of this process is backed by the elliptic curve discrete logarithm problem (ECDLP), ensuring that the issuer cannot access the private keys at any point.

An additional layer of security is provided by the Nostr receipt mechanism, which mandates cryptographic proof of possession from the receiver before the sender deletes their keys. This proof is in the form of an ECDSA signature verified against KB. The process also includes a dual-condition gate, NC1, which requires both the cryptographic proof and on-chain UTXO confirmation before allowing key deletion. This mechanism protects against the deletion of keys based on forged receipts for unfunded addresses, ensuring a comprehensive, secure transactional framework.