BIP-352: Limiting the number of per-group recipients (K_max)
116 views
Skip to first unread message
Sebastian Falbesoner
Feb 4, 2026, 12:21:09 PM (3 days ago) Feb 4
to Bitcoin Development Mailing List
Hi list,
In the course of working on a Silent Payments module for libsecp256k1 [1], we
discovered that the scanning approach suggested in BIP-352 [2] suffers from
very poor performance for adversarial transactions [3].
One more recent proposal to mitigate this issue is by introducing a "K_max"
protocol limit. This effectively limits the number of per-group recipients
within a single transaction, i.e. the number of recipients sharing the same
scan public key. In theory this is a backwards incompatible protocol change,
in practice we believe that none of the existing SP wallets would be affected,
for a reasonably high K_max (the example value used is K_max=1000, but this
can be seen as a placeholder).
See the following BIP change draft for more details and motivation:
https://github.com/theStack/bips/commit/961d1442139ceecd6c0cc5775ef911d69aabed4c
The discussion is on-going at the following issue:
https://github.com/bitcoin-core/secp256k1/issues/1799 [4]
If you have any concerns or feedback for this change, either for currently
existing wallets or potential future use-cases that you could think of, please
comment there. Most SP wallet developers that we are aware of have already been
pinged on the issue. We are posting this here to reach a wider audience and to
provide an alternative opportunity to comment, in case anyone doesn't want to
use GitHub.
[1] https://github.com/bitcoin-core/secp256k1/pull/1765
[2] https://github.com/bitcoin/bips/blob/5d0f70a5cf4cfc429267cd6cc246ba3bcb949cb3/bip-0352.mediawiki?plain=1#L330
[3] https://github.com/bitcoin-core/secp256k1/pull/1698#pullrequestreview-3341766084
[4] https://github.com/bitcoin-core/secp256k1/issues/1799#issuecomment-3842046237 ff. in particular
In the course of working on a Silent Payments module for libsecp256k1 [1], we
discovered that the scanning approach suggested in BIP-352 [2] suffers from
very poor performance for adversarial transactions [3].
One more recent proposal to mitigate this issue is by introducing a "K_max"
protocol limit. This effectively limits the number of per-group recipients
within a single transaction, i.e. the number of recipients sharing the same
scan public key. In theory this is a backwards incompatible protocol change,
in practice we believe that none of the existing SP wallets would be affected,
for a reasonably high K_max (the example value used is K_max=1000, but this
can be seen as a placeholder).
See the following BIP change draft for more details and motivation:
https://github.com/theStack/bips/commit/961d1442139ceecd6c0cc5775ef911d69aabed4c
The discussion is on-going at the following issue:
https://github.com/bitcoin-core/secp256k1/issues/1799 [4]
If you have any concerns or feedback for this change, either for currently
existing wallets or potential future use-cases that you could think of, please
comment there. Most SP wallet developers that we are aware of have already been
pinged on the issue. We are posting this here to reach a wider audience and to
provide an alternative opportunity to comment, in case anyone doesn't want to
use GitHub.
Best,
Sebastian
[1] https://github.com/bitcoin-core/secp256k1/pull/1765
[2] https://github.com/bitcoin/bips/blob/5d0f70a5cf4cfc429267cd6cc246ba3bcb949cb3/bip-0352.mediawiki?plain=1#L330
[3] https://github.com/bitcoin-core/secp256k1/pull/1698#pullrequestreview-3341766084
[4] https://github.com/bitcoin-core/secp256k1/issues/1799#issuecomment-3842046237 ff. in particular
Reply all
Reply to author
Forward
0 new messages