BIP-352: Limiting the number of per-group recipients (K_max)
441 views
Skip to first unread message
Sebastian Falbesoner
Feb 4, 2026, 12:21:09 PMFeb 4
to Bitcoin Development Mailing List
Hi list,
In the course of working on a Silent Payments module for libsecp256k1 [1], we
discovered that the scanning approach suggested in BIP-352 [2] suffers from
very poor performance for adversarial transactions [3].
One more recent proposal to mitigate this issue is by introducing a "K_max"
protocol limit. This effectively limits the number of per-group recipients
within a single transaction, i.e. the number of recipients sharing the same
scan public key. In theory this is a backwards incompatible protocol change,
in practice we believe that none of the existing SP wallets would be affected,
for a reasonably high K_max (the example value used is K_max=1000, but this
can be seen as a placeholder).
See the following BIP change draft for more details and motivation:
https://github.com/theStack/bips/commit/961d1442139ceecd6c0cc5775ef911d69aabed4c
The discussion is on-going at the following issue:
https://github.com/bitcoin-core/secp256k1/issues/1799 [4]
If you have any concerns or feedback for this change, either for currently
existing wallets or potential future use-cases that you could think of, please
comment there. Most SP wallet developers that we are aware of have already been
pinged on the issue. We are posting this here to reach a wider audience and to
provide an alternative opportunity to comment, in case anyone doesn't want to
use GitHub.
[1] https://github.com/bitcoin-core/secp256k1/pull/1765
[2] https://github.com/bitcoin/bips/blob/5d0f70a5cf4cfc429267cd6cc246ba3bcb949cb3/bip-0352.mediawiki?plain=1#L330
[3] https://github.com/bitcoin-core/secp256k1/pull/1698#pullrequestreview-3341766084
[4] https://github.com/bitcoin-core/secp256k1/issues/1799#issuecomment-3842046237 ff. in particular
In the course of working on a Silent Payments module for libsecp256k1 [1], we
discovered that the scanning approach suggested in BIP-352 [2] suffers from
very poor performance for adversarial transactions [3].
One more recent proposal to mitigate this issue is by introducing a "K_max"
protocol limit. This effectively limits the number of per-group recipients
within a single transaction, i.e. the number of recipients sharing the same
scan public key. In theory this is a backwards incompatible protocol change,
in practice we believe that none of the existing SP wallets would be affected,
for a reasonably high K_max (the example value used is K_max=1000, but this
can be seen as a placeholder).
See the following BIP change draft for more details and motivation:
https://github.com/theStack/bips/commit/961d1442139ceecd6c0cc5775ef911d69aabed4c
The discussion is on-going at the following issue:
https://github.com/bitcoin-core/secp256k1/issues/1799 [4]
If you have any concerns or feedback for this change, either for currently
existing wallets or potential future use-cases that you could think of, please
comment there. Most SP wallet developers that we are aware of have already been
pinged on the issue. We are posting this here to reach a wider audience and to
provide an alternative opportunity to comment, in case anyone doesn't want to
use GitHub.
Best,
Sebastian
[1] https://github.com/bitcoin-core/secp256k1/pull/1765
[2] https://github.com/bitcoin/bips/blob/5d0f70a5cf4cfc429267cd6cc246ba3bcb949cb3/bip-0352.mediawiki?plain=1#L330
[3] https://github.com/bitcoin-core/secp256k1/pull/1698#pullrequestreview-3341766084
[4] https://github.com/bitcoin-core/secp256k1/issues/1799#issuecomment-3842046237 ff. in particular
Sebastian Falbesoner
Feb 19, 2026, 6:36:08 PMFeb 19
to Bitcoin Development Mailing List
Thanks for all the feedback left on the secp256k1 issue [1].
As no objections were raised to the proposed K_max protocol change, I've opened a corresponding PR in the BIPs repository, where the discussion can be continued:
Best, Sebastian
Sebastian Falbesoner
Mar 4, 2026, 5:38:06 AM (5 days ago) Mar 4
to Bitcoin Development Mailing List
Update: the proposed BIP-352 protocol change [1] was merged, setting K_max = 2323.
This limit was chosen intentionally, as it represents the maximum number of taproot
Consequently, any transaction that adheres to the current transaction size
policy rule [3] is guaranteed to also comply with the K_max protocol limit. It
is therefore extremely unlikely that any wallet would ever encounter this limit
in practice, as such a transaction would not propagate on the network.
Thanks to everyone involved in proposing, discussing and reviewing this change.
The secp256k1 silentpayments module PR [4] will be updated and taken out of
draft state shortly.
Best,
Sebastian
[1] https://github.com/bitcoin/bips/pull/2106
[2] a 1-in-2323-out P2TR transaction has a vsize of 99959 vbytes, see e.g. https://jlopp.github.io/bitcoin-transaction-size-calculator/ or https://bitcoinops.org/en/tools/calc-size/ (note that the latter calculator doesn't account the two extra bytes needed for the output-count compactSize encoding); adding one more taproot output (taking 43) vbytes would result in 100002 vbytes
[3] `MAX_STANDARD_TX_WEIGHT` in Bitcoin Core (expressed in WUs): https://github.com/bitcoin/bitcoin/blob/2702711c3a54b2ba9ae3781b61c90d28ee951de6/src/policy/policy.cpp#L110-L114
[4] https://github.com/bitcoin-core/secp256k1/pull/1765
This limit was chosen intentionally, as it represents the maximum number of taproot
outputs that can fit within a <= 100 kvB transaction with the smallest Silent Payments
eligible input (a taproot key-path spend) [2].
Consequently, any transaction that adheres to the current transaction size
policy rule [3] is guaranteed to also comply with the K_max protocol limit. It
is therefore extremely unlikely that any wallet would ever encounter this limit
in practice, as such a transaction would not propagate on the network.
Thanks to everyone involved in proposing, discussing and reviewing this change.
The secp256k1 silentpayments module PR [4] will be updated and taken out of
draft state shortly.
Best,
Sebastian
[1] https://github.com/bitcoin/bips/pull/2106
[2] a 1-in-2323-out P2TR transaction has a vsize of 99959 vbytes, see e.g. https://jlopp.github.io/bitcoin-transaction-size-calculator/ or https://bitcoinops.org/en/tools/calc-size/ (note that the latter calculator doesn't account the two extra bytes needed for the output-count compactSize encoding); adding one more taproot output (taking 43) vbytes would result in 100002 vbytes
[3] `MAX_STANDARD_TX_WEIGHT` in Bitcoin Core (expressed in WUs): https://github.com/bitcoin/bitcoin/blob/2702711c3a54b2ba9ae3781b61c90d28ee951de6/src/policy/policy.cpp#L110-L114
[4] https://github.com/bitcoin-core/secp256k1/pull/1765
Reply all
Reply to author
Forward
0 new messages