Taking a few steps back, it’s helpful to remember that a taproot “address” is just a bech32m encoding of a public key. The majority of wallets today generate these public keys using BIP32, where child keys are derived from a master key. This is likely where you’re getting the number “4 billion addresses.” It’s important to point out, however, all you need to create a taproot output is a valid public key.
BIP352 (Silent payments) is different in that there is no derivation or pre-generation of addresses by the recipient. The sender creates a public key for the recipient and encodes it as a taproot output. For details on how the sender creates this public key for the recipient, I’d recommend reading the overview section of BIP352. At a high level, however, the important details are:
- The sender first creates a shared secret between them and the recipient by multiplying the sum of their private keys with the recipient’s scan public key (i.e., Elliptic Curve Diffie-Hellman key exchange)
- This shared secret is turned into a public key and added to the sender’s spend public key, ensuring the resulting output is only spendable by the recipient
- The resulting public key (shared secret + recipient’s spend public key) is encoded as a taproot output in the transaction
The resulting public key is unique to this transaction. If the sender sends again to the same recipient silent payment address, they will necessarily have to use different UTXOs, which in turn guarantees each silent payment output is unique to the transaction it is in.
