BIP-352: introduce per-group recipient limit K_max (=2323)

In theory this is a backwards incompatible protocol change. Practically, no existing Silent Payments wallets out there supports sending to such a high quantity of recipients (not even in terms of _total_ number of recipients), so the K_max limit should be safe to introduce, without any negative effects in the wallet ecosystem.
2026-05-18 16:59:30 +00:00 · 2026-01-30 01:46:35 +01:00
parent bd56416786
commit f665c2c142
2 changed files with 14 additions and 0 deletions
--- a/bip-0352/reference.py
+++ b/bip-0352/reference.py
@@ -26,6 +26,9 @@ from bitcoin_utils import (
    )


+K_max = 2323  # per-group recipient limit
+
+
 def get_pubkey_from_input(vin: VinInfo) -> ECPubKey:
    if is_p2pkh(vin.prevout):
        # skip the first 3 op_codes and grab the 20 byte hash
@@ -144,6 +147,10 @@ def create_outputs(input_priv_keys: List[Tuple[ECKey, bool]], outpoints: List[CO
        else:
            silent_payment_groups[B_scan] = [B_m]

+    # Fail if per-group recipient limit (K_max) is exceeded
+    if any([len(group) > K_max for group in silent_payment_groups.values()]):
+        return []
+
    outputs = []
    for B_scan, B_m_values in silent_payment_groups.items():
        ecdh_shared_secret = input_hash * a_sum * B_scan
@@ -175,6 +182,8 @@ def scanning(b_scan: ECKey, B_spend: ECPubKey, A_sum: ECPubKey, input_hash: byte
    k = 0
    wallet = []
    while True:
+        if k == K_max:  # Don't look further than the per-group recipient limit (K_max)
+            break
        t_k = TaggedHash("BIP0352/SharedSecret", ecdh_shared_secret.get_bytes(False) + ser_uint32(k))
        P_k = B_spend + t_k * G
        for output in outputs_to_check: