BIP375 extends PSBT v2 (BIP370) to support Silent Payments (BIP352). It defines new PSBT fields and workflows for coordinating silent payment transactions across multiple signers.
Silent Payments allow receiving payments to a static address without on-chain address reuse. The sender derives a unique output script using ECDH (Elliptic Curve Diffie-Hellman) with the recipient's public keys.
Creating silent payment transactions requires coordination between signers:
- Each signer must compute ECDH shares for their inputs
- Output scripts can only be computed when all ECDH shares are present
- Signers must verify each other's ECDH computations
BIP375 provides the PSBT fields and workflow to make this coordination possible in a trustless manner.
Each input contributes an ECDH share computed as private_key * recipient_scan_key. These shares are combined to derive the final output script.
Discrete Log Equality (DLEQ) proofs allow signers to prove their ECDH computation is correct without revealing their private key. This prevents malicious hardware devices from redirecting funds to attacker-controlled addresses.
See BIP374 for the DLEQ proof specification.
BIP375 uses a per-input ECDH approach where:
- Each signer computes shares only for inputs they control
- ECDH coverage builds progressively across signers
- Output scripts are computed when all inputs have ECDH shares
- TX_MODIFIABLE flags prevent modification after finalization
BIP375 uses PSBT v2 roles:
- Creator: Initializes empty PSBT
- Constructor: Adds inputs and outputs
- Updater: Adds metadata and keys
- Signer: Computes ECDH shares, generates DLEQ proofs, signs inputs
- Input Finalizer: Finalizes witness data
- Extractor: Creates final transaction
For silent payments, the Signer role is extended with ECDH computation and DLEQ proof generation.
With a single signer, the workflow is:
- Wallet Coordinator Creator creates PSBT, adds inputs and outputs
- Wallet Coordinator Constructor adds inputs and outputs
- Signer computes ECDH shares for all inputs
- Signer computes output scripts
- Signer signs all inputs
- Extractor creates final transaction
With multiple signers, the workflow is:
- First signer (Creator + Constructor) creates PSBT structure
- First signer computes ECDH shares for their inputs AND signs their inputs
- Subsequent signers verify previous DLEQ proofs
- Subsequent signers add ECDH shares for their inputs AND sign their inputs
- Final signer completes ECDH coverage, computes output scripts, AND signs their inputs
- Extractor creates final transaction
See BIP375 for complete field specifications.
All signers must verify DLEQ proofs from other signers before adding their own ECDH shares. Skipping verification allows malicious signers to redirect funds.
Output scripts must not be computed until all inputs have ECDH shares. Computing scripts early can lead to invalid transactions.
Inputs must not be signed until output scripts are computed. Otherwise signatures will be invalid.
TX_MODIFIABLE flags prevent modification after output scripts are computed. This ensures signatures remain valid.
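The first two rules above (verify every DLEQ proof, and do not combine shares until every input is covered) are shown in this added example, which is not code from BIP375, BIP374 or any reference implementation. It assumes a simplified Chaum-Pedersen DLEQ proof with a plain SHA-256 challenge rather than BIP374's encoding, uses hypothetical function names (`make_share`, `verify_share`, `combine_shares`), and stops at the summed ECDH share without deriving the BIP352 output script.

```python
import hashlib, secrets

# secp256k1 parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add, not constant time (demonstration only)
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def challenge(*pts):  # assumption: plain SHA-256, not BIP374's challenge hash
    data = b"".join(c.to_bytes(32, "big") for pt in pts for c in pt)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def make_share(priv, scan_pub):
    """Signer: ECDH share priv*scan_pub plus a proof that it uses the input's key."""
    pub, share, k = mul(priv, G), mul(priv, scan_pub), secrets.randbelow(N - 1) + 1
    e = challenge(pub, scan_pub, share, mul(k, G), mul(k, scan_pub))
    return share, (e, (k + e * priv) % N)

def verify_share(input_pub, scan_pub, share, proof):
    """Any other signer: check log_G(input_pub) == log_scan_pub(share)."""
    e, s = proof
    r1 = add(mul(s, G), mul(N - e, input_pub))
    r2 = add(mul(s, scan_pub), mul(N - e, share))
    return None not in (r1, r2) and e == challenge(input_pub, scan_pub, share, r1, r2)

def combine_shares(inputs, scan_pub):
    """inputs: [(input_pub, share, proof)]; share is None until a signer adds it."""
    total = None
    for pub, share, proof in inputs:
        if share is None or not verify_share(pub, scan_pub, share, proof):
            raise ValueError("incomplete or unverified ECDH coverage")
        total = add(total, share)
    return total
```

A share computed against any key other than the recipient's scan key fails `verify_share`, so `combine_shares` refuses to produce a value that output scripts could be derived from.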
Demonstrates three parties collaborating to create a silent payment transaction. Shows progressive ECDH coverage and cross-party DLEQ verification.
Best for understanding the multi-party workflow and ECDH share accumulation.
Demonstrates air-gapped hardware wallet workflow with attack simulation. Shows how DLEQ proof verification prevents malicious hardware from redirecting funds.
Best for understanding DLEQ proof security and air-gapped signing.