cashubtc · a1denvalu3 · May 2, 2025
diff --git a/00.md b/00.md
@@ -93,7 +93,7 @@ A `Proof` is also called an _input_ and is generated by `Alice` from a `BlindSig
 }
 ```
 
-`amount` is the amount of the `Proof`, `secret` is the secret message and is a utf-8 encoded string (the use of a 64 character hex string generated from 32 random bytes is recommended to prevent fingerprinting), `C` is the unblinded signature on `secret` (hex string), `id` is the [keyset id][02] of the mint public keys that signed the token (hex string).
+`amount` is the amount of the `Proof`, `secret` is the secret message and is string of 64 hex characters generated from 32 random bytes, `C` is the unblinded signature on `secret` (hex string), `id` is the [keyset id][02] of the mint public keys that signed the token (hex string).
 
 ## 0.2 - Protocol
 

diff --git a/10.md b/10.md
@@ -49,6 +49,8 @@ kind <str>,
 - `data` expresses the spending condition specific to each kind
 - `tags` hold additional data committed to and can be used for feature extensions
 
+Since it contains structured data, `Proof.secret` may be longer than the 64 hex character limit imposed in [NUT-00][00]. However, well-known `Secret` is still subject to contraints, which are decided on a case-by-case basis depending on the use case.
+
 ## Examples
 
 Example use cases of this secret format are

diff --git a/11.md b/11.md
@@ -65,6 +65,15 @@ Supported tags are:
 
 **Note:** The tag serialization type is `[<str>, <str>, ...]` but some tag values are `int`. Wallets and mints must cast types appropriately for de/serialization.
 
+#### Limits
+
+The following tags allow multiple entries:
+
+- `pubkeys: <hex_str>`
+- `refund: <hex_str>`
+
+The combined length of their **value** entries may not exceed 10 (e.g. `len(pubkeys[1:]) + len(refund[1:]) <= 10`).
+
 #### Signature flags
 
 Signature flags are defined in the tag `Secret.tags['sigflag']`. Currently, there are two signature flags.

diff --git a/14.md b/14.md
@@ -43,6 +43,8 @@ Here is a concrete example of a `Secret` of kind `HTLC`:
 
 A `Proof` with this `Secret` can be spent in two ways. To spend the hash lock, the witness in `Proof.witness` includes the preimage to `Secret.data` and a signature from the key in `Secret.tag.pubkeys`. Additionally, if the current system time is later than `Secret.tag.locktime`, the `Proof` can be spent if `Proof.witness` includes a signature from the key in `Secret.tags.refund`.
 
+The combined length of the **value** entries of `Secret.tag.pubkeys` and `Secret.tag.refund` may not exceed 10 (e.g. `len(pubkeys[1:]) + len(refund[1:]) <= 10`).
+
 The hash lock in `Secret.data` and the preimage in `Proof.witness.preimage` is treated as 32 byte data encoded as 64 character hex strings.
 
 See [NUT-11][11] for a description of the signature scheme, the additional use of signature flags, and how to require signature from multiple public keys (multisig).
-Original file line number
+Diff line change
@@ Expand Up @@
     }
     ```
-    `amount` is the amount of the `Proof`, `secret` is the secret message and is a utf-8 encoded string (the use of a 64 character hex string generated from 32 random bytes is recommended to prevent fingerprinting), `C` is the unblinded signature on `secret` (hex string), `id` is the [keyset id][02] of the mint public keys that signed the token (hex string).
+    `amount` is the amount of the `Proof`, `secret` is the secret message and is string of 64 hex characters generated from 32 random bytes, `C` is the unblinded signature on `secret` (hex string), `id` is the [keyset id][02] of the mint public keys that signed the token (hex string).
     ## 0.2 - Protocol
@@ Expand Down @@