BIP: 375
Layer: Applications
Title: Sending Silent Payments with PSBTs
Authors: Andrew Toth <andrewstoth@gmail.com>
Ava Chow <me@achow101.com>
josibake <josibake@protonmail.com>
Status: Draft
Type: Specification
Assigned: 2025-01-08
License: BSD-2-Clause
Discussion: https://groups.google.com/g/bitcoindev/c/5G5wzqUXyk4
Version: 0.1.1
Requires: 352, 370, 374
This document proposes additional fields and updated role responsibilities for BIP370 PSBTv2 which adds support for sending to silent payments as described in BIP352.
This BIP is licensed under the 2-clause BSD license.
Partially Signed Bitcoin Transaction Version 2 as described in BIP370 is not compatible with sending to silent payments as described in BIP352. In particular, the output script of a silent payment cannot be computed until after all transaction inputs have been added. Additionally, the silent payment outputs computed by a signer must be verifiable by other entities, otherwise funds could be sent to an incorrect output script. Therefore, new fields and role responsibilities must be added to carry, compute, and verify the silent payment data.
This document specifies new fields and new field inclusion/exclusion requirements.
The new global types are defined as follows:
| Name | <keytype> | <keydata> | <keydata> Description | <valuedata> | <valuedata> Description | Versions Requiring Inclusion | Versions Requiring Exclusion | Versions Allowing Inclusion |
|---|---|---|---|---|---|---|---|---|
| Silent Payment Global ECDH Share | PSBT_GLOBAL_SP_ECDH_SHARE = 0x07 | <33 byte scan key> | The scan key that this ECDH share is for. | <33 byte share> | An ECDH share for a scan key. The ECDH shared is computed with a * B_scan, where a is the sum of all private keys of all eligible inputs, and B_scan is the scan key of a recipient. | 0 | 2 | |
| Silent Payment Global DLEQ Proof | PSBT_GLOBAL_SP_DLEQ = 0x08 | <33 byte scan key> | The scan key that this proof covers. | <64-byte proof> | A BIP374 DLEQ proof computed for the matching ECDH share. | 0 | 2 |
The new per-input types are defined as follows:
| Name | <keytype> | <keydata> | <keydata> Description | <valuedata> | <valuedata> Description | Versions Requiring Inclusion | Versions Requiring Exclusion | Versions Allowing Inclusion |
|---|---|---|---|---|---|---|---|---|
| Silent Payment Input ECDH Share | PSBT_IN_SP_ECDH_SHARE = 0x1d | <33 byte scan key> | The scan key that this ECDH share is for. | <33 byte share> | An ECDH share for a scan key. The ECDH shared is computed with a * B_scan, where a is the private key of the corresponding prevout public key, and B_scan is the scan key of a recipient. | 0 | 2 | |
| Silent Payment Input DLEQ Proof | PSBT_IN_SP_DLEQ = 0x1e | <33 byte scan key> | The scan key that this proof covers. | <64-byte proof> | A BIP374 DLEQ proof computed for the matching ECDH share. | 0 | 2 |
The new per-output types are defined as follows:
| Name | <keytype> | <keydata> | <keydata> Description | <valuedata> | <valuedata> Description | Versions Requiring Inclusion | Versions Requiring Exclusion | Versions Allowing Inclusion |
|---|---|---|---|---|---|---|---|---|
| Silent Payment Data | PSBT_OUT_SP_V0_INFO = 0x09 | None | No key data | <33 byte scan key> <33 byte spend key> | The scan and spend public keys from the silent payments address. | 0 | 2 | |
| Silent Payment Label | PSBT_OUT_SP_V0_LABEL = 0x0a | None | No key data | <32-bit little endian uint label> | The label to use to compute the spend key of the silent payments address to verify change. | 0 | 2 |
PSBT_OUT_SCRIPT is modified to be optional for outputs in silent payments capable PSBTs. If this field is not included in the output, then the field PSBT_OUT_SP_V0_INFO must be included. If a PSBT_OUT_SCRIPT is not present for an output, then that output is being sent to a silent payment address represented by PSBT_OUT_SP_V0_INFO but the script has not yet been computed. If both PSBT_OUT_SCRIPT and PSBT_OUT_SP_V0_INFO are present for an output, then the PSBT_OUT_SCRIPT is the computed output script corresponding to the silent payment address in PSBT_OUT_SP_V0_INFO. If only PSBT_OUT_SCRIPT is present for an output, then the output is not being sent to a silent payment address.
Silent payment capable PSBTs can be uniquely identified the same way as PSBTv2s, except when including silent payment outputs. If an output contains the PSBT_OUT_SP_V0_INFO field, it must use that field instead of PSBT_OUT_SCRIPT as the output script when creating the unsigned transaction used for unique identification.[1] The PSBT_OUT_SP_V0_INFO should be serialized as a zero byte for the version, followed by the 33 bytes of the scan key and then 33 bytes for the spend key.
This document modifies some existing roles.
All rules must be followed from PSBTv2 for this role, with the following exception: When an output is added, it must have either PSBT_OUT_SCRIPT or PSBT_OUT_SP_V0_INFO, or both, set.
Additionally to PSBTv2, the Constructor must also follow additional rules:
Inputs spending an output with script using Segwit version > 1 may only be added if there are no outputs with PSBT_OUT_SP_V0_INFO set. Outputs with PSBT_OUT_SP_V0_INFO set may only be added if there are no inputs spending an output script using Segwit version > 1.
The updater should add a PSBT_IN_BIP32_DERIVATION for any p2wpkh, p2sh-p2wpkh, or p2pkh input so the public key is available for creating the ecdh_shared_secret when the private key is not known. If the updater does not want to reveal the fingerprint or derivation path, it can set the value of the field to zero.
Updaters may add two PSBT_OUT_BIP32_DERIVATION key-value-pairs with the corresponding derivation path of both the scan and spend keys. A label can be specified in PSBT_OUT_SP_V0_LABEL. The Signer can then use these fields to verify that the silent payment code is change.
All rules must be followed from PSBTv2 for this role. If there are any outputs with PSBT_OUT_SP_V0_INFO set, then the following additional rules must also be adhered to:
If any input is spending an output with script using Segwit version > 1, the Signer must fail.
For each output with PSBT_OUT_SP_V0_INFO set, the Signer should:
- Compute and set an ECDH share and DLEQ proof for each eligible input it has the private key for, or set a global ECDH share and DLEQ proof if it has private keys for all eligible inputs.
- Verify the DLEQ proofs for all inputs it does not have the private keys for, or the global DLEQ proof if it is set.
- If all eligible inputs have an ECDH share or the global ECDH share is set, compute and set the PSBT_OUT_SCRIPT.
If any output does not have PSBT_OUT_SCRIPT set, the Signer must not yet add a signature.
The Signer should additionally compute the silent payment addresses, optionally showing this data to the user instead of the computed segwit v1 addresses.
If a sighash type is provided and there are silent payment outputs present, the signer must fail if the sighash type is not SIGHASH_ALL. If a sighash type is not provided and there are silent payment outputs present, the signer must sign using SIGHASH_ALL.[2]
For each output with PSBT_OUT_SP_V0_INFO set, the Signer may generate a proof for other entities to generate the output scripts and verify that the output scripts were generated correctly.
If the Signer has the private keys for all eligible inputs, the Signer should generate a global ECDH share for each scan key Bscan as follows:
Using the notation from BIP352
- Let an be the sum of the private keys a of all eligible inputs
- Let C = an·Bscan
Compute the DLEQ proof for C using BIP374 GenerateProof and passing an as a and Bscan as B. Set the key as Bscan and the value as the proof for the PSBT_GLOBAL_SP_DLEQ field.
If the Signer has the private keys for some eligible inputs or does not want to create a global ECDH share, the Signer should generate a per-input ECDH share for each scan key Bscan as follows:
Using the notation from BIP352, for each eligible input:
- Let a be the private key of the input
- Let C = a·Bscan
Compute the DLEQ proof for C using BIP374 GenerateProof and passing Bscan as B. Set the key as Bscan and the value as the proof for the PSBT_IN_SP_DLEQ field of the input.
For each output with PSBT_OUT_SP_V0_INFO set, the Signer should verify the ECDH shares for all eligible inputs it does not have the private key for using the proofs provided by other Signers.
If PSBT_GLOBAL_SP_ECDH_SHARE and PSBT_GLOBAL_SP_DLEQ are set, verify as follows:
- Let An be the sum of the public keys A of all eligible inputs
If PSBT_IN_SP_ECDH_SHARE and PSBT_IN_SP_DLEQ are set for a particular input, verify as follows:
Using BIP374 VerifyProof and passing A as the public key of the input, B as Bscan, C as the value of PSBT_IN_SP_ECDH_SHARE, and proof as the value of PSBT_IN_SP_DLEQ.
Compute the PSBT_OUT_SCRIPT using the procedure in BIP352 but substituting a·Bscan with the PSBT_GLOBAL_SP_ECDH_SHARE for that scan key if available, or the sum of all PSBT_IN_SP_ECDH_SHAREs from eligible inputs for that scan key. If there are multiple silent payment codes with the same scan key, sort the codes lexicographically in ascending order to determine the ordering of the k value. If there are multiple silent payment codes with both the same scan and spend keys, sort the subgroup by output index in ascending order.
For silent payment capable PSBTs, the transaction extractor should compute all output scripts for silent payment codes and verify they are correct using the ECDH shares and DLEQ proofs, otherwise fail.
Silent payment capable PSBTs are backwards compatible with PSBTv2 once all outputs have PSBT_OUT_SCRIPT set. Otherwise they are not backwards compatible.
A collection of test vectors in JSON format is provided. Each test vector contains a base64-encoded PSBT string, which alone can be used to verify sending Silent Payments with PSBTs. Validation is performed in 4 sequential checks. This Python implementation demonstrates the validation logic for each:
- PSBT Structure - Verify BIP375 field requirements
- ECDH Coverage - Verify ECDH share presence and correctness using BIP374 DLEQ
- Input Eligibility - Verify input constraints when silent payment outputs are present
- Output Scripts - Verify output scripts match silent payment derivation
- Can Finalize - Signed and ready to finalize
- In Progress - Incomplete but valid
| Category | Description |
|---|---|
| PSBT Structure | missing PSBT_OUT_SP_V0_INFO field when PSBT_OUT_SP_V0_LABEL set |
| PSBT Structure | incorrect byte length for PSBT_OUT_SP_V0_INFO field |
| PSBT Structure | incorrect byte length for PSBT_IN_SP_ECDH_SHARE field |
| PSBT Structure | incorrect byte length for PSBT_IN_SP_DLEQ field |
| PSBT Structure | PSBT_GLOBAL_TX_MODIFIABLE field is non-zero when PSBT_OUT_SCRIPT set for sp output |
| PSBT Structure | missing PSBT_OUT_SCRIPT field when sending to non-sp output |
| ECDH Coverage | only one ineligible P2SH multisig input when PSBT_OUT_SCRIPT set for sp output |
| ECDH Coverage | missing PSBT_IN_SP_ECDH_SHARE field for input 0 when PSBT_OUT_SCRIPT set for sp output |
| ECDH Coverage | missing PSBT_IN_SP_DLEQ field for input when PSBT_IN_SP_ECDH_SHARE set |
| ECDH Coverage | missing PSBT_GLOBAL_SP_DLEQ field when PSBT_GLOBAL_SP_ECDH_SHARE set |
| ECDH Coverage | invalid proof in PSBT_IN_SP_DLEQ field |
| ECDH Coverage | invalid proof in PSBT_GLOBAL_SP_DLEQ field |
| ECDH Coverage | missing PSBT_IN_BIP32_DERIVATION field for input when PSBT_IN_SP_DLEQ set |
| ECDH Coverage | output 1 missing ECDH share for scan key with one input / three sp outputs (different scan keys) |
| ECDH Coverage | input 1 missing ECDH share for output 1 with two inputs / two sp outputs (different scan keys) |
| ECDH Coverage | input 1 missing ECDH share for scan key with two inputs / one sp output |
| Input Eligibility | segwit version greater than 1 in transaction inputs with sp output |
| Input Eligibility | non-SIGHASH_ALL signature on input with sp output |
| Output Scripts | P2TR input with NUMS internal key cannot derive sp output |
| Output Scripts | PSBT_OUT_SCRIPT does not match derived sp output |
| Output Scripts | two sp outputs (same scan / different spend keys) not sorted lexicographically by spend key |
| Output Scripts | k values assigned to wrong output indices with three sp outputs (same scan / spend keys) |
| State | Description |
|---|---|
| Can Finalize | one P2PKH input single-signer |
| Can Finalize | two inputs single-signer using global ECDH share |
| Can Finalize | two inputs single-signer using per-input ECDH shares |
| Can Finalize | two inputs / two sp outputs with mixed global and per-input ECDH shares |
| Can Finalize | one input / one sp output with both global and per-input ECDH shares |
| Can Finalize | three sp outputs (different scan keys) with multiple global ECDH shares |
| Can Finalize | one P2WPKH input / two mixed outputs - labeled sp output and BIP 32 change |
| Can Finalize | one input / two sp outputs - output 0 has no label / output 1 uses label=0 convention for sp change |
| Can Finalize | two sp outputs - output 0 uses label=3 / output 1 uses label=1 |
| Can Finalize | two inputs using per-input ECDH shares - only eligible inputs contribute shares (P2SH excluded) |
| Can Finalize | two inputs using global ECDH share - only eligible inputs contribute shares (P2SH excluded) |
| Can Finalize | two mixed input types - only eligible inputs contribute ECDH shares (NUMS internal key excluded) |
| Can Finalize | three sp outputs (same scan key) - each output has distinct k value |
| Can Finalize | three sp outputs (same scan key) / two regular outputs - k values assigned independently of output index |
| In Progress | two P2TR inputs, neither is signed |
| In Progress | one P2TR input / one sp output with no ECDH shares when PSBT_OUT_SCRIPT field is not set |
| In Progress | two inputs / one sp output, input 1 missing ECDH share when PSBT_OUT_SCRIPT field is not set |
| In Progress | one input / two sp outputs, input 0 missing ECDH share for output 0 when PSBT_OUT_SCRIPT field is not set |
| In Progress | large PSBT with nine mixed inputs / six outputs - some inputs signed |
- 0.1.1 (2026-04-16):
- Add test vectors and reference for validating Sending Silent Payments with PSBTs.
- 0.1.0 (2025-01-13):
- Initial version, merged as BIP-375.
- ^ Why use PSBT_OUT_SP_V0_INFO when serializing for a unique identifier? Since the same silent payment capable PSBT is valid whether or not a PSBT_OUT_SCRIPT is included in an output that has PSBT_OUT_SP_V0_INFO set, using the PSBT_OUT_SCRIPT if present for the unique identifier will cause malleability. The identifier will be different depending on whether PSBT_OUT_SCRIPT is present, so always using PSBT_OUT_SP_V0_INFO if it exists makes sure the PSBT is always identified uniquely.
- ^ Why use only SIGHASH_ALL? BIP352 allows signing with SIGHASH_NONE and SIGHASH_SINGLE. However, silent payment capable PSBTs compute the output scripts deterministically based on the number and position of silent payment codes with the same scan key. SIGHASH_NONE and SIGHASH_SINGLE allow changing the amount or position of silent payment codes with the same scan and spend keys, which would invalidate computed output scripts.
Todo