diff --git a/bip-0352.mediawiki b/bip-0352.mediawiki
index f36f3592..def4d0b2 100644
--- a/bip-0352.mediawiki
+++ b/bip-0352.mediawiki
@@ -302,6 +302,7 @@ After the inputs have been selected, the sender can create one or more outputs f
* Collect the private keys for each input from the ''[[#inputs-for-shared-secret-derivation|Inputs For Shared Secret Derivation]]'' list
* For each private key ''ai'' corresponding to a [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP341] taproot output, check that the private key produces a point with an even Y coordinate and negate the private key if not['''Why do taproot private keys need to be checked?''' Recall from [https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki BIP340] that each X-only public key has two corresponding private keys, ''d'' and ''n - d''. To maintain parity between sender and receiver, it is necessary to use the private key corresponding to the even Y coordinate when performing the ECDH step since the receiver will assume the even Y coordinate when summing the taproot X-only public keys.]
* Let ''a = a1 + a2 + ... + an'', where each ''ai'' has been negated if necessary
+** If ''a = 0'', fail
* Generate the ''input_hash'' with the smallest outpoint lexicographically and ''A = a·G'', using the method described above
* Group receiver silent payment addresses by ''Bscan'' (e.g. each group consists of one ''Bscan'' and one or more ''Bm'')
* For each group:
diff --git a/bip-0352/reference.py b/bip-0352/reference.py
index 9b35d040..7882ad1b 100755
--- a/bip-0352/reference.py
+++ b/bip-0352/reference.py
@@ -127,6 +127,9 @@ def create_outputs(input_priv_keys: List[Tuple[ECKey, bool]], outpoints: List[CO
negated_keys.append(k)
a_sum = sum(negated_keys)
+ if not a_sum.valid:
+ # Input privkeys sum is zero -> fail
+ return []
input_hash = get_input_hash(outpoints, a_sum * G)
silent_payment_groups: Dict[ECPubKey, List[ECPubKey]] = {}
for recipient in recipients:
diff --git a/bip-0352/send_and_receive_test_vectors.json b/bip-0352/send_and_receive_test_vectors.json
index f9b205b8..c0288bc5 100644
--- a/bip-0352/send_and_receive_test_vectors.json
+++ b/bip-0352/send_and_receive_test_vectors.json
@@ -2669,5 +2669,50 @@
}
}
]
+ },
+ {
+ "comment": "Input keys sum up to zero / point at infinity: sending fails, receiver skips tx",
+ "sending": [
+ {
+ "given": {
+ "vin": [
+ {
+ "txid": "3a286147b25e16ae80aff406f2673c6e565418c40f45c071245cdebc8a94174e",
+ "vout": 0,
+ "scriptSig": "",
+ "txinwitness": "024730440220085003179ce1a3a88ce0069aa6ea045e140761ab88c22a26ae2a8cfe983a6e4602204a8a39940f0735c8a4424270ac8da65240c261ab3fda9272f6d6efbf9cfea366012102557ef3e55b0a52489b4454c1169e06bdea43687a69c1f190eb50781644ab6975",
+ "prevout": {
+ "scriptPubKey": {
+ "hex": "00149d9e24f9fab4e35bf1a6df4b46cb533296ac0792"
+ }
+ },
+ "private_key": "a6df6a0bb448992a301df4258e06a89fe7cf7146f59ac3bd5ff26083acb22ceb"
+ },
+ {
+ "txid": "3a286147b25e16ae80aff406f2673c6e565418c40f45c071245cdebc8a94174e",
+ "vout": 1,
+ "scriptSig": "",
+ "txinwitness": "0247304402204586a68e1d97dd3c6928e3622799859f8c3b20c3c670cf654cc905c9be29fdb7022043fbcde1689f3f4045e8816caf6163624bd19e62e4565bc99f95c533e599782c012103557ef3e55b0a52489b4454c1169e06bdea43687a69c1f190eb50781644ab6975",
+ "prevout": {
+ "scriptPubKey": {
+ "hex": "00149860538b5575962776ed0814ae222c7d60c72d7b"
+ }
+ },
+ "private_key": "592095f44bb766d5cfe20bda71f9575ed2df6b9fb9addc7e5fdffe0923841456"
+ }
+ ],
+ "recipients": [
+ "sp1qqtrqglu5g8kh6mfsg4qxa9wq0nv9cauwfwxw70984wkqnw2uwz0w2qnehen8a7wuhwk9tgrzjh8gwzc8q2dlekedec5djk0js9d3d7qhnq6lqj3s"
+ ]
+ },
+ "expected": {
+ "outputs": [
+ []
+ ]
+ }
+ }
+ ],
+ "receiving": [
+ ]
}
-]
\ No newline at end of file
+]