Jungle Mesh is a hybrid payment architecture designed to enable trust-minimized, fully offline commerce

Every week, I go to the local farmer’s market here in Uvita, Costa Rica to spend some of my hard-earned bitcoin and it almost always works beautifully. Once every couple weeks, though, we hit a wall - no data. Maybe the vendor’s prepaid account is empty, maybe the reception under the roof is spotty or dead and when this happens we stand there for a minute or two, smile politely, awkwardly, and I begrudgingly pull out some paper bills. I paid more in ATM fees last month than my electricity bill.

I have mentioned to a few vendors that it sure would be cool if we could pay offline, just a phone to phone fist bump and boom, payment made. They agreed. So I started researching how this could be done while preventing theft and requiring as little trust as possible. I think I have a design that achieves this well by combining Ark, Cashu, and Bluetooth mesh networking like Bitchat. This is the Jungle Mesh.

The hard part of enabling offline commerce is preventing double-spending… classic. By trading off short-term redeemability and keeping a shared community ledger of tokens that have been spent that day, we can confidently prevent fraud. Here is how:

• Before going to the market, a shopper loads up on Cashu tokens locked to their Public Key (P2PK) from the community mint. The shopper will prepare lots of “small bills” (redundant liquidity) to be able to pay unknown totals exactly without expecting change (we won’t be able to “break bills” offline). These specific tokens are programmed to allow two spending timelines:

1. Default state - the token is time locked and cannot be melted until the following day
2. If the token has a Witness signature from a Pylon (more on them next) it can bypass the time lock and be melted right away.

• At the farmer’s market, we install a network of solar-powered hardware nodes (Pylons) that maintain a constant Bluetooth mesh, keep a simple ledger of spent tokens, and add a Witness signature when a token is spent. This prevents double-spending at the market. If a shopper buys some pineapples, the shopper will sign the token over to the vendor and the Pylons will add the token id to the shared ledger and sign as a witness of the transaction. If the shopper tries to use this token again within range of the mesh, it will be rejected as already spent and the shopper will be shamed vigorously. If the shopper sends this token to their friend back home, it will be un-redeemable until the day after the market, by which time the pineapple vendor will have re-connected to wifi and melted the token themselves.
• When Cashu tokens are melted, they are converted to Ark VTXOs to allow the vendors maximum sovereignty over their funds. If the community hub goes down, if a corrupt government raids the hub offices, if the hub managers decide they should rug their neighbors, the vendors will have a unilateral exit option to claim their savings on Layer 1.
• The wallet derives new keys for every batch of tokens (HD Keys). This ensures that the tomato vendor cannot see if you are the same person who just bought cheese, preserving cash-like privacy.

We must acknowledge this is not a trustless system. Shoppers and vendors must both trust the mint to redeem their Cashu tokens. Vendors must trust that the Pylons are working as desired and not allowing double-spends. Vendors must be able to get online before the Cashu time lock allows the shoppers to melt the tokens. Still, in a community setting such as Uvita, these are challenges that can be overcome.

I would love any feedback and/or to have holes poked in this architecture. What am I missing?