Silent payments: how BIP-352 enhances Bitcoin users’ anonymity

In 2024, developers of Cake Wallet, Blue Wallet and the BitBox02 hardware wallet added support for Silent Payments—a protocol for static payment addresses that preserves privacy on the Bitcoin network.

Together with the team from the bitcoin mixer Mixer.Money, we examine how Silent Payments work, and their advantages and drawbacks.

What are Silent Payments

The concept of Silent Payments was described by developer Ruben Somsen in March 2022. A year later he standardised it in Bitcoin improvement proposal BIP-352 together with Josie Bake.

The main goal of Silent Payments is to avoid address reuse. The protocol allows new public keys to be generated for each transaction, improving UX while maintaining a high level of privacy.

“Generating a new address is a crucial aspect of maintaining privacy. However, this requires secure communication between the sender and the receiver, so that the receiver can provide an unused address, multiple addresses, or a method that allows the sender to generate addresses, e.g. xpub,” BIP-352 says.

Silent Payments solve this: they provide static addresses that can be reused. Only senders and recipients can identify the transactions.

If an organisation collects funds on a website, nobody can determine who donated or how much bitcoin they contributed. Support for the protocol will also improve the privacy of crypto-exchange customers: platforms typically assign a single deposit address.

“If you have had to receive bitcoin several times from the same person, you face a simple choice: generate a new address every time (and somehow communicate it) or ask the sender to reuse the same address? If you generate a new address each time, you will have to pass it to the sender and hope they copy it correctly. If you decide that they should reuse one address, you will compromise the privacy of both participants in the transaction,” says the Silent Payments website.

How they work

Implementing BIP-352 requires no consensus changes, so any Bitcoin wallet can adopt it. Silent-payment addresses have the sp1 prefix and look like this:

sp1qqvvnsd3xnjpmx8hnn2ua0e9sllm34t9jydf8qfesgc7nhdxgzksjwqlrxx37nfzsg6rure5vwa92fksd6f5a6rk05kr07twhd55u3ahquy2v7t6s

The recipient publishes such an address without interacting with the sender, who then selects one or more UTXOs. At that point the protocol generates a new Taproot address to receive the funds. It uses the sender’s private key, the recipient’s sp1 address and a shared secret created via ECDH (Elliptic Curve Diffie–Hellman).

The recipient has two key pairs:

• scan keys—used to detect a payment by monitoring transactions on the blockchain and performing ECDH computations;
• spend keys—used to move coins from the Taproot address.

The main drawback is the need for continuous network scanning. It demands more computation and bandwidth than, say, using an Electrum Server.

“You can have a full node at home; in that case the UX of silent payments will be no different—there are no compromises here, since roughly as many resources will be spent on ECDH computation as on signature verification. Your node is already tracking all transactions, and now the protocol will require one more signature verification to check for a silent payment,” said Josie Bake.

A Blue Wallet mobile user (or any client that can connect to their own node) can provide the node with the scan key.

“That is the ideal option. If you cannot run a full node, then in my opinion you still cannot use mobile wallets privately, although there are proposals like BIP-158, but they have not reached mass adoption. Nevertheless, the Cake Wallet developers proposed an interesting solution, essentially a fork of electrs, which scans the blockchain for silent payments. When the mobile wallet connects to the server, it simply returns all unspent SP in the blocks since the last scan. In this case the server knows only about the data request,” he concluded.

A key advantage of Silent Payments is that such transactions are indistinguishable on-chain. A third party cannot link them to a specific sp1 address or even tell that the protocol was used.

Comparison with other approaches

As of October 2024 the developers of Silent Payments highlight two competing approaches:

• BIP-47—reusable payment codes, also known as PayNyms. Proposed in 2015 by developer Peter Todd as an implementation of stealth addresses. They create a transaction that notifies the recipient of a transfer to a specific public key (and thus a set of addresses) instead of including a signal in every payment;
• BIP-351—private payments. A relatively new concept proposed in July 2022 by Alfred Hodler and Clark Moody. It sits somewhere between BIP-47 and BIP-352.

Example for BIP-47. Bob gives Alice a reusable payment code, and she sends him bitcoin. Alice’s wallet generates a unique shared secret by combining:

• a private key;
• a public key from Bob’s payment code;
• a blinding message that lets him interpret the secret.

The wallet encrypts this data and inserts it into the OP_RETURN field of a notification transaction. The code is visible on the blockchain, but only Bob can compute the addresses used for its generation. All subsequent payments by Alice will be known only to him.

This approach eases scanning but also reveals the use of PayNym.

Example for BIP-351. Each time Alice sends funds to Bob, her wallet combines the public key from Bob’s payment code with a shared secret. The protocol generates a unique notification code for OP_RETURN, used once.

An outside observer will not see links between transactions, but will note the use of the protocol.

Conclusions

Silent Payments improve UX and privacy on the Bitcoin network by removing the need to pass new addresses for each transaction.

In the view of the Mixer.Money team, they can increase the anonymity of Bitcoin users, but will require broader community adoption:

“BIP-47 was introduced nine years ago, but has so far been implemented by only a few wallets such as Sparrow Wallet and Samourai Wallet. The latter, however, already does not work due to accusations against the founders of facilitating money laundering.

BIP-352 significantly improves the user experience, yet its future depends on support from application developers and major crypto exchanges. Without integration with popular services, mass adoption will not happen: bitcoin mixers will remain a universal and more straightforward solution for anonymising transactions.”

Experience with the rollout of SegWit addresses suggests that mass adoption of such upgrades can take years. Until then, participants will likely continue to anonymise transactions using more familiar methods such as bitcoin mixers.