Silent Payment Scan Key

The silent payment scan key is one half of the two-key design that makes BIP352 silent payments practical. A silent payment address encodes two public keys: the scan key (Bscan) and the spend key (Bm, derived from the spend key). The corresponding private scan key (bscan) is the detection key, while the private spend key (bspend) authorises spending. Splitting these roles lets a wallet keep the spend key in cold storage while exposing only the scan key to an always-online device.

What the scan key does

Silent payments require no notification transaction; instead the recipient continuously scans the chain. For each candidate transaction the wallet computes ecdh_shared_secret = input_hash · bscan · A, where A is the sum of the sender's input public keys. That secret regenerates the exact output the sender created as Bspend + tk·G; if it matches an on-chain output, an incoming payment is detected. Crucially, the scan key can only find coins, not move them.

Why the split matters

Scanning is computationally ongoing and must run on a connected machine, which is precisely where key exposure is most dangerous. By giving the watch-only scanner only bscan, a compromise of the online device reveals incoming payments but cannot authorise a single spend, because signing needs the offline spend key. This mirrors the watch-only-versus-hardware separation sovereign Bitcoiners already use, applied at the protocol layer.

The unlinkability this scheme delivers is detailed under output linking resistance, and the broader static-address pattern it shares appears under reusable payment address.