Silent Payments – Receive private payments from anyone on a single static address without requiring any interaction or extra on-chain overhead

Silent_Payments.md

Silent Payments

Receive private payments from anyone on a single static address without requiring any interaction or extra on-chain overhead.

Update: This now has a BIP and WIP implementation

Overview

The recipient generates a so-called silent payment address and makes it publicly known. The sender then takes a public key from one of their chosen inputs for the payment, and uses it to derive a shared secret that is then used to tweak the silent payment address. The recipient detects the payment by scanning every transaction in the blockchain.

Compared to previous schemes¹, this scheme avoids using the Bitcoin blockchain as a messaging layer² and requires no interaction between sender and recipient³ (other than needing to know the silent payment address). The main downsides are the scanning requirement, the lack of light client support, and the requirement to control your own input(s). An example use case would be private one-time donations.

While most of the individual parts of this idea aren't novel, the resulting protocol has never been seriously considered and may be reasonably viable, particularly if we limit ourselves to detecting only unspent payments by scanning the UTXO set. We'll start by describing a basic scheme, and then introduce a few improvements.

Basic scheme

The recipient publishes their silent payment address, a single 32 byte public key: X = x*G

The sender chooses an input containing a public key: I = i*G

The sender tweaks the silent payment address with the private key that corresponds to their chosen input: X' = hash(i*X)*G + X

Sincei*X == x*I (Diffie-Hellman Key Exchange), the recipient can detect the payment by calculating hash(x*I)*G + X for each input key I in the blockchain and seeing if it matches an output in the corresponding transaction.

Improvements

UTXO set scanning

If we forgo detection of historic transactions and only focus on the current balance, we can limit the protocol to only scanning the transactions that are part of the UTXO set when restoring from backup, which may be faster.

Jonas Nick was kind enough to go through the numbers and run a benchmark of hash(x*I)*G + X on his 3.9GHz Intel(R) Core(TM) i7-7820HQ CPU, which took roughly 72 microseconds per calculation on a single core. The UTXO set currently has 80 million entries, the average transaction has 2.3 inputs, which puts us at 2.3*80000000*72/1000/1000/60 = 221 minutes for a single core (under 2 hours for two cores).

What these numbers do not take into account is database lookups. We need to fetch the transaction of every UTXO, as well as every transaction for every subsequent input in order to extract the relevant public key, resulting in (1+2.3)*80000000 = 264 million lookups. How slow this is and what can be done to improve it is an open question.

Once we're at the tip, every new unspent output will have to be scanned. It's theoretically possible to scan e.g. once a day and skip transactions with fully spent outputs, but that would probably not be worth the added complexity. If we only scan transactions with taproot outputs, we can further limit our efforts, but this advantage is expected to dissipate once taproot use becomes more common.

Variant using all inputs

Instead of tweaking the silent payment address with one input, we could instead tweak it with the combination of all input keys of a transaction. The benefit is that this further lowers the scanning cost, since now we only need to calculate one tweak per transaction, instead of one tweak per input, which is roughly half the work, though database lookups remain unaffected.

The downside is that if you want to combine your inputs with those of others (i.e. coinjoin), every participant has to be willing to assist you in following the Silent Payment protocol in order to let you make your payment. There are also privacy considerations which are discussed in the "Preventing input linkage" section.

Concretely, if there are three inputs (I1, I2, I3), the scheme becomes: hash(i1*X + i2*X + i3*X)*G + X == hash(x*(I1+I2+I3))*G + X.

Scanning key

We can extend the silent payment address with a scanning key, which allows for separation of detecting and spending payments. We redefine the silent payment address as the concatenation of X_scan, X_spend, and derivation becomes X' = hash(i*X_scan)*G + X_spend. This allows your internet-connected node to hold the private key of X_scan to detect incoming payments, while your hardware wallet controls X_spend to make payments. If X_scan is compromised, privacy is lost, but your funds are not.

Address reuse prevention

If the sender sends more than one payment, and the chosen input has the same key due to address reuse, then the recipient address will also be the same. To prevent this, we can hash the txid and index of the input, to ensure each address is unique, resulting in X' = hash(i*X,txid,index)*G + X. Note this would make light client support harder (edit: not necessarily, see here).

Noteworthy details

Light clients

Light clients cannot easily be supported due to the need for scanning. The best we could do is give up on address reuse prevention (so we don't require the txid and index), only consider unspent taproot outputs, and download a standardized list of relevant input keys for each block over wifi each night when charging. These input keys can then be tweaked, and the results can be matched against client-side block filters. Possible, but not simple. (edit: some more ideas how to do light client support here)

Effect on BIP32 HD keys

One side-benefit of silent payments is that BIP32 HD keys⁴ won't be needed for address generation, since every address will automatically be unique. This also means we won't have to deal with a gap limit.

Different inputs

While the simplest thing would be to only support one input type (e.g. taproot key spend), this would also mean only a subset of users can make payments to silent addresses, so this seems undesirable. The protocol should ideally support any input containing at least one public key, and simply pick the first key if more than one is present.

Pay-to-(witness-)public-key-hash inputs actually end up being easiest to scan, since the public key is present in the input script, instead of the output script of the previous transaction (which requires one extra transaction lookup).

Signature nonce instead of input key

Another consideration was to tweak the silent payment address with the signature nonce⁵, but unfortunately this breaks compatibility with MuSig2 and MuSig-DN, since in those schemes the signature nonce changes depending on the transaction hash. If we let the output address depend on the nonce, then the transaction hash will change, causing a circular reference.

Sending wallet compatibility

Any wallet that wants to support making silent payments needs to support a new address format, pick inputs for the payment, tweak the silent payment address using the private key of one of the chosen inputs, and then proceed to sign the transaction. The scanning requirement is not relevant to the sender, only the recipient.

Preventing input linkage

A potential weakness of Silent Payments is that the input is linked to the output. A coinjoin transaction with multiple inputs from other users can normally obfuscate the sender input from the recipient, but Silent Payments reveal that link. This weakness can be mitigated with the "variant using all inputs", but this variant introduces a different weakness – you now require all other coinjoin users to tweak the silent payment address, which means you're revealing the intended recipient to them.

Luckily, a blinding scheme⁶ exists that allows us to hide the silent payment address from the other participants. Concretely, let's say there are two inputs, I1 and I2, and the latter one is ours. We add a secret blinding factor to the silent payment address, X + blinding_factor*G = X', then we receive X1' = i1*X' (together with a DLEQ to prove correctness, see full write-up⁶) from the owner of the first input and remove the blinding factor with X1' - blinding_factor*I1 = X1 (which is equal to i1*X). Finally, we calculate the tweaked address with hash(X1 + i2*X)*G + X. The recipient can simply recognize the payment with hash(x*(I1+I2))*G + X. Note that the owner of the first input cannot reconstruct the resulting address because they don't know i2*X.

The blinding protocol above solves our coinjoin privacy concerns (at the expense of more interaction complexity), but we're left with one more issue – what if you want to make a silent payment, but you control none of the inputs (e.g. sending from an exchange)? In this scenario we can still utilize the blinding protocol, but now the third party sender can try to uncover the intended recipient by brute forcing their inputs on all known silent payment addresses (i.e. calculate hash(i*X)*G + X for every publicly known X). While this is computationally expensive, it's by no means impossible. No solution is known at this time, so as it stands this is a limitation of the protocol – the sender must control one of the inputs in order to be fully private.

Comparison

These are the most important protocols that provide similar functionality with slightly different tradeoffs. All of them provide fresh address generation and are compatible with one-time seed backups. The main benefits of the protocols listed below are that there is no scanning requirement, better light client support, and they don't require control over the inputs of the transaction.

Payment code sharing

This is BIP47². An OP_RETURN message is sent on-chain to the recipient to establish a shared secret prior to making payments. Using the blockchain as a messaging layer like this is generally considered an inefficient use of on-chain resources. This concern can theoretically be alleviated by using other means of communicating, but data availability needs to be guaranteed to ensure the recipient doesn't lose access to the funds. Another concern is that the input(s) used to establish the shared secret may leak privacy if not kept separate.

Xpub sharing

Upon first payment, hand out a fresh xpub instead of an address in order to enable repeat payments. I believe Kixunil's recently published scheme³ is equivalent to this and could be implemented with relative ease. It's unclear how practical this protocol is, as it assumes sender and recipient are able to interact once, yet subsequent interaction is impossible.

Regular address sharing

This is how Bitcoin is commonly used today and may therefore be obvious, but it does satisfy similar privacy requirements. The sender interacts with the recipient each time they want to make a payment, and requests a new address. The main downside is that it requires interaction for every single payment.

Open questions

• Exactly how slow are the required database lookups? Is there a better approach?
• Is there any way to make light client support more viable?
• What is preferred – single input tweaking (revealing an input to the recipient) or using all inputs (increased coinjoin complexity)?
• Are there any security issues with the proposed cryptography?
• In general, compared to alternatives, is this scheme worth the added complexity?

---

Thanks to Kixunil, Calvin Kim, and Jonas Nick, holihawt and Lloyd Fournier for their help/comments, as well as all the authors of previous schemes. Any mistakes are my own.

There is also a discussion of this scheme on the bitcoin-dev mailing list.

Footnotes

1. Stealth Payments, Peter Todd: https://github.com/genjix/bips/blob/master/bip-stealth.mediawiki ↩

2. BIP47 payment codes, Justus Ranvier: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki ↩ ↩²

3. Reusable taproot addresses, Kixunil: https://gist.github.com/Kixunil/0ddb3a9cdec33342b97431e438252c0a ↩ ↩²

4. BIP32 HD keys, Pieter Wuille: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki ↩

5. 2020-01-23 ##taproot-bip-review, starting at 18:25: https://gnusha.org/taproot-bip-review/2020-01-23.log ↩

6. Blind Diffie-Hellman Key Exchange, David Wagner: https://gist.github.com/RubenSomsen/be7a4760dd4596d06963d67baf140406 ↩ ↩²

I implemented the index in the latest commit

@w0xlt Very well done, happy to see you've taken it this far already. I'd love to play around with it, but I don't have a lot of time on my hands right now. Any chance you'd be willing to provide the numbers? What I'd be curious about is a.) how many UTXOs there are on signet and b.) how long it took you to scan them c.) on what kind of hardware. This could then be extrapolated to the Bitcoin full UTXO set.

And a question: are you currently keeping an index for taproot UTXOs only, or for all UTXOs? While technically only taproot UTXOs are required, a benchmark on the full set seems good for now.

Also, would you be open to a more direct line of communication via IRC or Telegram? I'm RubenSomsen on both.

Edit: another thing I'd be curious about: how much longer does it take to do IBD with and without this additional index.

@RubenSomsen Here are some numbers. I haven't benchmarked it before because I use a virtual machine for development, so it's not isolated enough for a reliable stat, but these numbers can be used as a rough estimate. The configuration I used is a VMWare guest machine with 8 cores of virtual processors and 20 MB of RAM. I don't think this reflects performance if the same configuration was used on the host machine.

The stat below shows the number of UTXO (on the signet and mainnet) and how long it takes. I used std::chrono::steady_clock for more accurate results. This also includes the silent payment index created from genesis block to the tip.

(on signet) silentpaymentindex is enabled at height 90627 in 5m
(on mainnet) silentpaymentindex is enabled at height 736986 in 330m (5h30min)

scantxoutset signet:
  "txouts": 1053822,
  "height": 90805,
  "silent_payment": true,
  "duration_seconds": 82,
  "keys": 1

scantxoutset mainnet:
  "txouts": 81893320,
  "height": 737045,
  "silent_payment": true,
  "duration_minutes": 18,
  "keys": 1

Wallet Rescan (Signet):
Rescan completed from block 90149 to 91029 (880 blocks): 20 minutes

Wallet Rescan (Mainnet):
Rescan completed from block 737050 to 737097 (47 blocks): 43 seconds

And a question: are you currently keeping an index for taproot UTXOs only, or for all UTXOs?

Only transactions where all outputs are Taproot.

    for (auto& vout : tx->vout) {
        std::vector<std::vector<unsigned char>> solutions;
        TxoutType whichType = Solver(vout.scriptPubKey, solutions);

        if (whichType != TxoutType::WITNESS_V1_TAPROOT) {
            return false;
        }
    }

In previous versions, there was no index but now all the above methods (except mempool transactions) use the index. If the above numbers are reasonable, a non-indexed version can be considered.

Thanks for making the contact available. I'll be in touch.

Thank you @RubenSomsen for the proposal and kudos @w0xlt for the implementation.

We were discussing this proposal with folks at Trezor and here are our takes:

• for a hardware wallet we need to use the "scanning key option" for obvious reasons
• address reuse prevention via txid:vout of input is great idea
• we should come up with an address format for silent payments so people won't accidentally send coins to void
• address format could encode different options, such as the scanning key use, address reuse prevention, etc. see the proposal below

Address format rough proposal:

• bech32m address, hrp = sp1
• encoded data
  • 00 || X_spend (don't use scanning key, don't use address reuse prevention)
  • 01 || X_spend || X_scan (use scanning key, don't use address reuse prevention)
  • 02 || X_spend (don't use scanning key, use address reuse prevention)
  • 03 || X_spend || X_scan (use scanning key, use address reuse prevention)
  • bit 0 of the first byte says whether to use the scanning key, bit 1 of the first byte says whether to use address reuse prevention

For efficient implementation of scanning it would be great if we were able to come up with a scheme where only one input pubkey is required. (In this case we could just enrich each entry of the UTXO set with one particular pubkey). It could trivially be always the first input of the TX, but this unfortunately breaks the BIP69 lexicographical ordering of inputs. Need more thoughts on this.

Nice proposal, I wonder if it's beneficial to have it configurable that much. Seems to increase complexity and going with mandatory scanning key and mandatory address reuse prevention looks fine to me. That being said, some form of feature flags/versioning would be good to have.

Nice proposal, I wonder if it's beneficial to have it configurable that much.

Yeah. For Trezor we would use both the scanning key and the address reuse prevention. If others are fine with not having these two flags configurable, so am I and we could just use 00 || X_spend || X_scan and mandate address reuse prevention.

If we forgo detection of historic transactions and only focus on the current balance, we can limit the protocol to only scanning the transactions that are part of the UTXO set when restoring from backup, which may be faster.

From the above benchmarks (and implementation requirements) it seems that detection of historical transactions (spent TXOs) is not particularly practical. The silentpaymentindex would need to support the whole blockchain and not just the UTXO set. I think this is worth noting when comparing to other protocols, for example BIP47. On the other hand, enabling hardware wallet participation using scanning keys is a nice advantage.

Unlike BIP47 however, I don't believe this scheme will be compatible with popular light client protocols such as the Electrum protocol, even if modified to support it, as the scanning burden on the server would be too great for that model of operation. This will make widespread wallet support difficult to achieve.

The silentpaymentindex would need to support the whole blockchain and not just the UTXO set.

I am not sure I understand this comment. The only thing you need is the enriched UTXO set where each UTXO also has associated public key(s) used for ECDH. If we come up with a method where it's always deterministic which public key has been used, this index will be only (32 * utxo_count) bytes big.

The only thing you need is the enriched UTXO set

I was referring to retrieving the whole transaction history (including spent TXOs), which would mean scanning beyond the UTXO set.

Thanks for the numbers @w0xlt.

Thanks for making the contact available. I'll be in touch.

Note I have seen any messages yet, in case something went wrong.

@prusnak thanks for the feedback.

it would be great if we were able to come up with a scheme where only one input pubkey is required

Other than BIP69, another issue with picking the first input is that only one coinjoin participant can make a silent payment. To summarize our options:

Using the 1st input:

• Breaks BIP69, thus leaking information
• Only one silent payment per coinjoin
• Coinjoin recipient knows which input is yours

Using a random input:

• Increases scanning cost and input database size (at least 2x)
• Coinjoin recipient knows which input is yours

Using all inputs:

• Increases coinjoin complexity to collaboratively generate the address

If others are fine with not having these two flags configurable, so am I

Yeah, minimizing the flags where possible, as @Kixunil said, seems preferable. I think reuse prevention and the scanning key can just be the default, as the downsides seem fairly minimal.

detection of historical transactions (spent TXOs) is not particularly practical. The silentpaymentindex would need to support the whole blockchain

@craigraw the index is not required if you want to find historic transactions. In that case you'd just actively scan the entire history during IBD.

And in general, we'd need to compare scanning every tx during IBD versus creating the index during IBD and then scanning the UTXO set. If the latter is not significantly faster, it should perhaps be left out of v1 to keep things simple.

Note that BIP69 is not widely implemented and I believe most developers are in favor of randomization. The main argument is that some protocols can't order the inputs/outputs so random ordering helps hide them.

In that case you'd just actively scan the entire history during IBD.

Generating a silent address before IBD, and redoing IBD for every new silent address does not seem particularly practical to me. It also seems to rule out light client support for historic transactions.

Note that BIP69 is not widely implemented

That could be said for coinjoin as well. But it seems that over 60% of transactions actually are BIP69 compliant. Source

I believe most developers are in favor of randomization

That's just an assumption.

The main argument is that some protocols can't order the inputs/outputs so random ordering helps hide them.

Could you give an example?

🚀

@pajasevi you should take into account that some transactions are compliant by accident - randomly ordering inputs/outputs that way (for 1 input, 2-output txes there's 50% chance it's compliant, for 1 input, 1 output chance is 100%...), so actual support is lower, not sure how large.

That's just an assumption.

That's my understanding of the discussion that was in bitcoin mailinglist.

Could you give an example?

I think OTS is one. Anyway I suggest you search that discussion in the ML archive and see for yourself.

I dig (haha) @1440000bytes's suggestion to use this in combination with DNS* records / .well-known URLs.

This paves the way for send-to-email setups. User enters an email address and the super smart wallet checks for bolt12, lnurl, silent payments and whatever else, picks the most suitable option and sends off the coins.

But this brings me to the Hotel California concern: since it's quite expensive to scan the chain, a user may eventually want to stop doing this. But nothing prevents people from sending coins to the stealth address. We should probably add an expiration block height to the address format (cc @prusnak). Receiver wallets should add a safety margin and e.g. scan 10K blocks more. And maybe wallets should have a feature to manually scan a specific transaction, "hey did you get my coins in TX_ID?".

DNS records and .well-known entries can relatively easily be updated, allowing for short expiration times.

• = not sure how secure DNS can be made, for .well-known you can use https

@Sjors cool ideas! Agree with everything you said. AFAIK DNSSec should be fine but I'm not deeply knowledgeable about it.

Very neat and promising concept! 🎉

The UTXO set currently has 80 million entries, the average transaction has 2.3 inputs, which puts us at 2.38000000072/1000/1000/60 = 221 minutes for a single core (under 2 hours for two cores).

Why would we need to scan the whole UTXO set for backup restoration? If the recipient creates/publishes a silent payment address at block time N, we can safely ignore all UTXO entries that were created at block height < N (or better < (N - SAFETY_MARGIN)) to take possible reorgs into account). Though we still have to iterate over all UTXOs, the number of total database lookups and calculations could be drastically reduced with that filtering. (A block height index would be helpful to skip iterating old UTXOs). For example, about ~78% of all UTXOs were created pre-Taproot currently:

$ sqlite3 ~/.bitcoin/utxos.sqlite
SQLite version 3.38.5 2022-05-06 15:25:27
Enter ".help" for usage hints.
sqlite> select count(*) from utxos where height < 709632;
64661607
sqlite> select 64661607.0/max(rowid)*100 from utxos;
78.4715574372404

(If anyone wants to try this out, the UTXO set in sqlite-Format can be created either directly with PR bitcoin/bitcoin#24952, or converted from legacy to sqlite format with my conversion tool: https://github.com/theStack/utxo_dump_tools)

Thinking even further, maybe it makes sense to save the creation/publishing block time as part of the address format, so the user doesn't have to store that extra data for faster restoring from a backup? Together with @Sjors' idea of adding an expiration block, this would lead to a block range being included in the address format. Recipients that neither want to disclose their address creation (block) time nor want to have their address expired can always simply set this interval to [0, MAX]*. In practice it would make sense though to never scan for pre-taproot-activation UTXOs, i.e. before block 709632.

*) 3 bytes for a block height should be more than enough (like done for the short_channel_id in lightning: https://github.com/lightning/bolts/blob/bc86304b4b0af5fd5ce9d24f74e2ebbceb7e2730/07-routing-gossip.md#definition-of-short_channel_id), i.e. in this case MAX would be 2^24-1

I don't think we should publish information that's not necessary for the sender. Tracking the birth date of an address can be handled by the user wallet. It's not the end of the world if they lose that part of the backup.

I don't think we should publish information that's not necessary for the sender. Tracking the birth date of an address can be handled by the user wallet. It's not the end of the world if they lose that part of the backup.

Right, on a second thought I agree that's not a good idea. If at all, the birth date would better fit into a format for backing up the silent payment private key (i.e. only used by the recipient), similar to e.g. WIF, but I guess this is absolutely not high priority at this point.

What about using a taproot change output for the sender's pubkey rather than an input? It would mean that spent TXO lookups aren't required and in many cases, I think it would require less searching than required for using an input's pubkey. I think it would also work better for coinjoins as it does not reveal which input was the senders, and change is typically considered dirty anyways so less harm there?

A few downsides is that it would make changeless coin selection impossible as a change output would always be required. This has a chain space impact, but also change outputs are often created so I'm not sure how bad that would actually be. Additionally, it would mean that only Taproot outputs could be used for the sender's pubkey, although it seems like that is already expected?

@achow101

spent TXO lookups aren't required

The change could get spent which still may require a lookup but obviously just one, not two.

it does not reveal which input was the senders

It does if one can analyze the amounts, which is likely. E.g. if CJ equal outputs are 0.1 and there's one input with 0.12345 and an output 0.02345 then those are linked unless there are other people with same inputs&changes.

However, if you CJ more sats, so that you have more equal-amount outputs you could use one of those. It'd still link them but at least not to the sender.

That being said, making lookup less costly looks very interesting! Also I think your mentioned downsides are minimal.

@achow thanks for the thoughtful suggestion.

It's something I have considered and ultimately think is a bit worse, but as you note it has upsides too so I should clarify my reasoning so it can be properly evaluated by yourself and others.

Upsides:

• Simplifies lookups (scope is limited to one tx)
• Coinjoin no longer leaks input (also not an issue with blind ECDH, but questionable how practical this is)

Downsides:

• Coinjoin leaks change output to recipient*
• Indirectly may make it easier to identify the input (thanks @Kixunil, had not previously considered this)
• Doesn't work if there are no change outputs
• Increases number of required ECDH calculations (by ~2x) compared to when you add all input keys together (1 per output vs. 1 per tx)
• Sender restricted to using taproot for change output (for coinjoins this would already be the case, otherwise the change output stands out)

So overall I think you move the coinjoin info leakage problem from the input side to the change output side, you lose the ability speed up ECDH by adding all relevant keys from the tx together prior to calculating the shared secret, and you lose the potential to at least deal with the leakage problem in theory via blind ECDH. I currently feel this does not weigh against the one upside, which is a reduction in lookups, particularly since there may be reasonable ways to deal with it, such as trading off disk IO for disk space with an additional input database.

*Note that this is a problem since the notion of dirty change outputs does not apply to all variants of coinjoin (e.g. Wasabi 2.0).

Shouldn't blind ECDH be still possible with outputs? At least if the participants are not sending to someone else (cold storage). So still worse I guess but not that much.

@Kixunil if all payments go to the participants in the coinjoin, then there would be no reason to use silent payments as you're already interacting. But there is a more fundamental problem: you'd need to add all outputs together and use that to generate the tweaked silent payment output, but that would mean you're adding the resulting output to itself – a circular reference.

Ah, yes, good point!

@prusnak wrote:

Yeah. For Trezor we would use both the scanning key and the address reuse prevention. If others are fine with not having these two flags configurable, so am I and we could just use 00 || X_spend || X_scan and mandate address reuse prevention.

I agree with this. BIP47 tried to leave too many things configurable and it created implementation complexity and fragmentation (Bitmessage notification etc.)

Regarding the payment code format, the sp1 prefix looks fine.

One issue is that neither BIP47 nor SP say anything about recipient address types. We should define a bitflag array denoting script types that the recipient is scanning for. As the number of standard script types increases with time, it'll become increasingly cumbersome to scan for all of them. If we go with two bytes for this purpose, we could have the following bitflags:

1	p2pkh
2	p2sh-p2wpkh
4	p2wpkh
8	p2tr

So in terms of byte structure the payment code format could look something like:

[0] - spend/scan flags
[1:3] - address type flag array (big endian)
[3:36] - compressed pubkey

Another issue is how a SP key is derived. I believe this shouldn't be left to individual implementations since there will be no standard way to reconstruct a SP private key on a different device. We probably need a HD path, for instance m / [BIP_NUMBER]' / 0' / 0'.

Performance considerations

While there is no way to remove the need for checking every transaction for a payment, there seems to be a way to greatly speed it up.

A SP transaction could set the nLockTime field to a low fixed constant (or some modulus), rendering it meaningless in terms of actual lock times, thereby repurposing it for scanning purposes. Since this field is at a fixed offset in a transaction, indexing into it is fast. This would limit the need to perform hash(i*X)*G + X to a small subset of transactions in a block.

The downside is that this would potentially signal that a payment is potentially a silent payment, but there would be no way to know for sure.

@alfred-hodler SP simply mandates p2tr, not need to specify. But you're onto something. We should have feature bits to enable future scripts or extensions. Version means incompatible upgrade. Perhaps some key-value extension would be useful as well.

Thanks for the clarification. I think mandating p2tr makes little sense as it's not a replacement for p2(w)pkh. Adding address type bitflags is cheap and it'll prevent the BIP from falling out of favor if p2tr ever becomes a "legacy" script.

Not having addressed this issue, BIP47 forces users to watch all address types, which is getting increasingly expensive.

@alfred-hodler I misremembered that only P2TR can technically work but others can, so yeah, it'd be nice but maybe skip some sad types and support only (native?) witness. I agree bit flags should be added anyway even if currently they only set one type.