diff --git a/src/keystore.cpp b/src/keystore.cpp
index 23a3c7730..4eee90a55 100644
--- a/src/keystore.cpp
+++ b/src/keystore.cpp
@@ -1,155 +1,175 @@
 // Copyright (c) 2009-2010 Satoshi Nakamoto
 // Copyright (c) 2009-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 #include <keystore.h>
 
 #include <key.h>
 #include <pubkey.h>
 #include <util.h>
 
 bool CKeyStore::AddKey(const CKey &key) {
     return AddKeyPubKey(key, key.GetPubKey());
 }
 
+void CBasicKeyStore::ImplicitlyLearnRelatedKeyScripts(const CPubKey &pubkey) {
+    AssertLockHeld(cs_KeyStore);
+    CKeyID key_id = pubkey.GetID();
+    // We must actually know about this key already.
+    assert(HaveKey(key_id) || mapWatchKeys.count(key_id));
+    // This adds the redeemscripts necessary to detect alternative outputs using
+    // the same keys. Also note that having superfluous scripts in the keystore
+    // never hurts. They're only used to guide recursion in signing and IsMine
+    // logic - if a script is present but we can't do anything with it, it has
+    // no effect. "Implicitly" refers to fact that scripts are derived
+    // automatically from existing keys, and are present in memory, even without
+    // being explicitly loaded (e.g. from a file).
+
+    // Right now there are none so do nothing.
+}
+
 bool CBasicKeyStore::GetPubKey(const CKeyID &address,
                                CPubKey &vchPubKeyOut) const {
     CKey key;
     if (!GetKey(address, key)) {
         LOCK(cs_KeyStore);
         WatchKeyMap::const_iterator it = mapWatchKeys.find(address);
         if (it != mapWatchKeys.end()) {
             vchPubKeyOut = it->second;
             return true;
         }
         return false;
     }
     vchPubKeyOut = key.GetPubKey();
     return true;
 }
 
 bool CBasicKeyStore::AddKeyPubKey(const CKey &key, const CPubKey &pubkey) {
     LOCK(cs_KeyStore);
     mapKeys[pubkey.GetID()] = key;
+    ImplicitlyLearnRelatedKeyScripts(pubkey);
     return true;
 }
 
 bool CBasicKeyStore::HaveKey(const CKeyID &address) const {
     LOCK(cs_KeyStore);
     return mapKeys.count(address) > 0;
 }
 
 std::set<CKeyID> CBasicKeyStore::GetKeys() const {
     LOCK(cs_KeyStore);
     std::set<CKeyID> set_address;
     for (const auto &mi : mapKeys) {
         set_address.insert(mi.first);
     }
     return set_address;
 }
 
 bool CBasicKeyStore::GetKey(const CKeyID &address, CKey &keyOut) const {
     LOCK(cs_KeyStore);
     KeyMap::const_iterator mi = mapKeys.find(address);
     if (mi != mapKeys.end()) {
         keyOut = mi->second;
         return true;
     }
     return false;
 }
 
 bool CBasicKeyStore::AddCScript(const CScript &redeemScript) {
     if (redeemScript.size() > MAX_SCRIPT_ELEMENT_SIZE) {
         return error("CBasicKeyStore::AddCScript(): redeemScripts > %i bytes "
                      "are invalid",
                      MAX_SCRIPT_ELEMENT_SIZE);
     }
 
     LOCK(cs_KeyStore);
     mapScripts[CScriptID(redeemScript)] = redeemScript;
     return true;
 }
 
 bool CBasicKeyStore::HaveCScript(const CScriptID &hash) const {
     LOCK(cs_KeyStore);
     return mapScripts.count(hash) > 0;
 }
 
 std::set<CScriptID> CBasicKeyStore::GetCScripts() const {
     LOCK(cs_KeyStore);
     std::set<CScriptID> set_script;
     for (const auto &mi : mapScripts) {
         set_script.insert(mi.first);
     }
     return set_script;
 }
 
 bool CBasicKeyStore::GetCScript(const CScriptID &hash,
                                 CScript &redeemScriptOut) const {
     LOCK(cs_KeyStore);
     ScriptMap::const_iterator mi = mapScripts.find(hash);
     if (mi != mapScripts.end()) {
         redeemScriptOut = (*mi).second;
         return true;
     }
     return false;
 }
 
 static bool ExtractPubKey(const CScript &dest, CPubKey &pubKeyOut) {
     // TODO: Use Solver to extract this?
     CScript::const_iterator pc = dest.begin();
     opcodetype opcode;
     std::vector<uint8_t> vch;
     if (!dest.GetOp(pc, opcode, vch) || vch.size() < 33 || vch.size() > 65) {
         return false;
     }
     pubKeyOut = CPubKey(vch);
     if (!pubKeyOut.IsFullyValid()) {
         return false;
     }
     if (!dest.GetOp(pc, opcode, vch) || opcode != OP_CHECKSIG ||
         dest.GetOp(pc, opcode, vch)) {
         return false;
     }
     return true;
 }
 
 bool CBasicKeyStore::AddWatchOnly(const CScript &dest) {
     LOCK(cs_KeyStore);
     setWatchOnly.insert(dest);
     CPubKey pubKey;
     if (ExtractPubKey(dest, pubKey)) {
         mapWatchKeys[pubKey.GetID()] = pubKey;
+        ImplicitlyLearnRelatedKeyScripts(pubKey);
     }
     return true;
 }
 
 bool CBasicKeyStore::RemoveWatchOnly(const CScript &dest) {
     LOCK(cs_KeyStore);
     setWatchOnly.erase(dest);
     CPubKey pubKey;
     if (ExtractPubKey(dest, pubKey)) {
         mapWatchKeys.erase(pubKey.GetID());
     }
+    // Related CScripts are not removed; having superfluous scripts around is
+    // harmless (see comment in ImplicitlyLearnRelatedKeyScripts).
     return true;
 }
 
 bool CBasicKeyStore::HaveWatchOnly(const CScript &dest) const {
     LOCK(cs_KeyStore);
     return setWatchOnly.count(dest) > 0;
 }
 
 bool CBasicKeyStore::HaveWatchOnly() const {
     LOCK(cs_KeyStore);
     return (!setWatchOnly.empty());
 }
 
 CKeyID GetKeyForDestination(const CKeyStore &store,
                             const CTxDestination &dest) {
     // Only supports destinations which map to single public keys, i.e. P2PKH.
     if (auto id = boost::get<CKeyID>(&dest)) {
         return *id;
     }
     return CKeyID();
 }
diff --git a/src/keystore.h b/src/keystore.h
index ec35951fc..c4c498c1b 100644
--- a/src/keystore.h
+++ b/src/keystore.h
@@ -1,92 +1,94 @@
 // Copyright (c) 2009-2010 Satoshi Nakamoto
 // Copyright (c) 2009-2015 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 #ifndef BITCOIN_KEYSTORE_H
 #define BITCOIN_KEYSTORE_H
 
 #include <key.h>
 #include <pubkey.h>
 #include <script/script.h>
 #include <script/standard.h>
 #include <sync.h>
 
 #include <boost/signals2/signal.hpp>
 
 /** A virtual base class for key stores */
 class CKeyStore {
 protected:
     mutable CCriticalSection cs_KeyStore;
 
 public:
     virtual ~CKeyStore() {}
 
     //! Add a key to the store.
     virtual bool AddKeyPubKey(const CKey &key, const CPubKey &pubkey) = 0;
     virtual bool AddKey(const CKey &key);
 
     //! Check whether a key corresponding to a given address is present in the
     //! store.
     virtual bool HaveKey(const CKeyID &address) const = 0;
     virtual bool GetKey(const CKeyID &address, CKey &keyOut) const = 0;
     virtual std::set<CKeyID> GetKeys() const = 0;
     virtual bool GetPubKey(const CKeyID &address,
                            CPubKey &vchPubKeyOut) const = 0;
 
     //! Support for BIP 0013 : see
     //! https://github.com/bitcoin/bips/blob/master/bip-0013.mediawiki
     virtual bool AddCScript(const CScript &redeemScript) = 0;
     virtual bool HaveCScript(const CScriptID &hash) const = 0;
     virtual std::set<CScriptID> GetCScripts() const = 0;
     virtual bool GetCScript(const CScriptID &hash,
                             CScript &redeemScriptOut) const = 0;
 
     //! Support for Watch-only addresses
     virtual bool AddWatchOnly(const CScript &dest) = 0;
     virtual bool RemoveWatchOnly(const CScript &dest) = 0;
     virtual bool HaveWatchOnly(const CScript &dest) const = 0;
     virtual bool HaveWatchOnly() const = 0;
 };
 
 typedef std::map<CKeyID, CKey> KeyMap;
 typedef std::map<CKeyID, CPubKey> WatchKeyMap;
 typedef std::map<CScriptID, CScript> ScriptMap;
 typedef std::set<CScript> WatchOnlySet;
 
 /** Basic key store, that keeps keys in an address->secret map */
 class CBasicKeyStore : public CKeyStore {
 protected:
     KeyMap mapKeys;
     WatchKeyMap mapWatchKeys;
     ScriptMap mapScripts;
     WatchOnlySet setWatchOnly;
 
+    void ImplicitlyLearnRelatedKeyScripts(const CPubKey &pubkey);
+
 public:
     bool AddKeyPubKey(const CKey &key, const CPubKey &pubkey) override;
     bool GetPubKey(const CKeyID &address, CPubKey &vchPubKeyOut) const override;
     bool HaveKey(const CKeyID &address) const override;
     std::set<CKeyID> GetKeys() const override;
     bool GetKey(const CKeyID &address, CKey &keyOut) const override;
     bool AddCScript(const CScript &redeemScript) override;
     bool HaveCScript(const CScriptID &hash) const override;
     std::set<CScriptID> GetCScripts() const override;
     bool GetCScript(const CScriptID &hash,
                     CScript &redeemScriptOut) const override;
 
     bool AddWatchOnly(const CScript &dest) override;
     bool RemoveWatchOnly(const CScript &dest) override;
     bool HaveWatchOnly(const CScript &dest) const override;
     bool HaveWatchOnly() const override;
 };
 
 typedef std::vector<uint8_t, secure_allocator<uint8_t>> CKeyingMaterial;
 typedef std::map<CKeyID, std::pair<CPubKey, std::vector<uint8_t>>>
     CryptedKeyMap;
 
 /**
  * Return the CKeyID of the key involved in a script (if there is a unique one).
  */
 CKeyID GetKeyForDestination(const CKeyStore &store, const CTxDestination &dest);
 
 #endif // BITCOIN_KEYSTORE_H
diff --git a/src/wallet/crypter.cpp b/src/wallet/crypter.cpp
index 0c526cb9d..21c4d60b7 100644
--- a/src/wallet/crypter.cpp
+++ b/src/wallet/crypter.cpp
@@ -1,350 +1,351 @@
 // Copyright (c) 2009-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 #include <wallet/crypter.h>
 
 #include <crypto/aes.h>
 #include <crypto/sha512.h>
 #include <script/script.h>
 #include <script/standard.h>
 #include <util.h>
 
 #include <string>
 #include <vector>
 
 int CCrypter::BytesToKeySHA512AES(const std::vector<uint8_t> &chSalt,
                                   const SecureString &strKeyData, int count,
                                   uint8_t *key, uint8_t *iv) const {
     // This mimics the behavior of openssl's EVP_BytesToKey with an aes256cbc
     // cipher and sha512 message digest. Because sha512's output size (64b) is
     // greater than the aes256 block size (16b) + aes256 key size (32b), there's
     // no need to process more than once (D_0).
     if (!count || !key || !iv) {
         return 0;
     }
 
     uint8_t buf[CSHA512::OUTPUT_SIZE];
     CSHA512 di;
 
     di.Write((const uint8_t *)strKeyData.c_str(), strKeyData.size());
     if (chSalt.size()) {
         di.Write(&chSalt[0], chSalt.size());
     }
     di.Finalize(buf);
 
     for (int i = 0; i != count - 1; i++) {
         di.Reset().Write(buf, sizeof(buf)).Finalize(buf);
     }
 
     memcpy(key, buf, WALLET_CRYPTO_KEY_SIZE);
     memcpy(iv, buf + WALLET_CRYPTO_KEY_SIZE, WALLET_CRYPTO_IV_SIZE);
     memory_cleanse(buf, sizeof(buf));
     return WALLET_CRYPTO_KEY_SIZE;
 }
 
 bool CCrypter::SetKeyFromPassphrase(const SecureString &strKeyData,
                                     const std::vector<uint8_t> &chSalt,
                                     const unsigned int nRounds,
                                     const unsigned int nDerivationMethod) {
     if (nRounds < 1 || chSalt.size() != WALLET_CRYPTO_SALT_SIZE) {
         return false;
     }
 
     int i = 0;
     if (nDerivationMethod == 0) {
         i = BytesToKeySHA512AES(chSalt, strKeyData, nRounds, vchKey.data(),
                                 vchIV.data());
     }
 
     if (i != (int)WALLET_CRYPTO_KEY_SIZE) {
         memory_cleanse(vchKey.data(), vchKey.size());
         memory_cleanse(vchIV.data(), vchIV.size());
         return false;
     }
 
     fKeySet = true;
     return true;
 }
 
 bool CCrypter::SetKey(const CKeyingMaterial &chNewKey,
                       const std::vector<uint8_t> &chNewIV) {
     if (chNewKey.size() != WALLET_CRYPTO_KEY_SIZE ||
         chNewIV.size() != WALLET_CRYPTO_IV_SIZE) {
         return false;
     }
 
     memcpy(vchKey.data(), chNewKey.data(), chNewKey.size());
     memcpy(vchIV.data(), chNewIV.data(), chNewIV.size());
 
     fKeySet = true;
     return true;
 }
 
 bool CCrypter::Encrypt(const CKeyingMaterial &vchPlaintext,
                        std::vector<uint8_t> &vchCiphertext) const {
     if (!fKeySet) {
         return false;
     }
 
     // max ciphertext len for a n bytes of plaintext is
     // n + AES_BLOCKSIZE bytes
     vchCiphertext.resize(vchPlaintext.size() + AES_BLOCKSIZE);
 
     AES256CBCEncrypt enc(vchKey.data(), vchIV.data(), true);
     size_t nLen =
         enc.Encrypt(&vchPlaintext[0], vchPlaintext.size(), &vchCiphertext[0]);
     if (nLen < vchPlaintext.size()) {
         return false;
     }
     vchCiphertext.resize(nLen);
 
     return true;
 }
 
 bool CCrypter::Decrypt(const std::vector<uint8_t> &vchCiphertext,
                        CKeyingMaterial &vchPlaintext) const {
     if (!fKeySet) {
         return false;
     }
 
     // plaintext will always be equal to or lesser than length of ciphertext
     int nLen = vchCiphertext.size();
 
     vchPlaintext.resize(nLen);
 
     AES256CBCDecrypt dec(vchKey.data(), vchIV.data(), true);
     nLen =
         dec.Decrypt(&vchCiphertext[0], vchCiphertext.size(), &vchPlaintext[0]);
     if (nLen == 0) {
         return false;
     }
     vchPlaintext.resize(nLen);
     return true;
 }
 
 static bool EncryptSecret(const CKeyingMaterial &vMasterKey,
                           const CKeyingMaterial &vchPlaintext,
                           const uint256 &nIV,
                           std::vector<uint8_t> &vchCiphertext) {
     CCrypter cKeyCrypter;
     std::vector<uint8_t> chIV(WALLET_CRYPTO_IV_SIZE);
     memcpy(&chIV[0], &nIV, WALLET_CRYPTO_IV_SIZE);
     if (!cKeyCrypter.SetKey(vMasterKey, chIV)) {
         return false;
     }
     return cKeyCrypter.Encrypt(*((const CKeyingMaterial *)&vchPlaintext),
                                vchCiphertext);
 }
 
 static bool DecryptSecret(const CKeyingMaterial &vMasterKey,
                           const std::vector<uint8_t> &vchCiphertext,
                           const uint256 &nIV, CKeyingMaterial &vchPlaintext) {
     CCrypter cKeyCrypter;
     std::vector<uint8_t> chIV(WALLET_CRYPTO_IV_SIZE);
     memcpy(&chIV[0], &nIV, WALLET_CRYPTO_IV_SIZE);
     if (!cKeyCrypter.SetKey(vMasterKey, chIV)) {
         return false;
     }
     return cKeyCrypter.Decrypt(vchCiphertext,
                                *((CKeyingMaterial *)&vchPlaintext));
 }
 
 static bool DecryptKey(const CKeyingMaterial &vMasterKey,
                        const std::vector<uint8_t> &vchCryptedSecret,
                        const CPubKey &vchPubKey, CKey &key) {
     CKeyingMaterial vchSecret;
     if (!DecryptSecret(vMasterKey, vchCryptedSecret, vchPubKey.GetHash(),
                        vchSecret)) {
         return false;
     }
 
     if (vchSecret.size() != 32) {
         return false;
     }
 
     key.Set(vchSecret.begin(), vchSecret.end(), vchPubKey.IsCompressed());
     return key.VerifyPubKey(vchPubKey);
 }
 
 bool CCryptoKeyStore::SetCrypted() {
     LOCK(cs_KeyStore);
     if (fUseCrypto) {
         return true;
     }
     if (!mapKeys.empty()) {
         return false;
     }
     fUseCrypto = true;
     return true;
 }
 
 bool CCryptoKeyStore::IsLocked() const {
     if (!IsCrypted()) {
         return false;
     }
     LOCK(cs_KeyStore);
     return vMasterKey.empty();
 }
 
 bool CCryptoKeyStore::Lock() {
     if (!SetCrypted()) {
         return false;
     }
 
     {
         LOCK(cs_KeyStore);
         vMasterKey.clear();
     }
 
     NotifyStatusChanged(this);
     return true;
 }
 
 bool CCryptoKeyStore::Unlock(const CKeyingMaterial &vMasterKeyIn) {
     {
         LOCK(cs_KeyStore);
         if (!SetCrypted()) {
             return false;
         }
 
         bool keyPass = false;
         bool keyFail = false;
         CryptedKeyMap::const_iterator mi = mapCryptedKeys.begin();
         for (; mi != mapCryptedKeys.end(); ++mi) {
             const CPubKey &vchPubKey = (*mi).second.first;
             const std::vector<uint8_t> &vchCryptedSecret = (*mi).second.second;
             CKey key;
             if (!DecryptKey(vMasterKeyIn, vchCryptedSecret, vchPubKey, key)) {
                 keyFail = true;
                 break;
             }
             keyPass = true;
             if (fDecryptionThoroughlyChecked) {
                 break;
             }
         }
         if (keyPass && keyFail) {
             LogPrintf("The wallet is probably corrupted: Some keys decrypt but "
                       "not all.\n");
             assert(false);
         }
         if (keyFail || !keyPass) {
             return false;
         }
         vMasterKey = vMasterKeyIn;
         fDecryptionThoroughlyChecked = true;
     }
     NotifyStatusChanged(this);
     return true;
 }
 
 bool CCryptoKeyStore::AddKeyPubKey(const CKey &key, const CPubKey &pubkey) {
     LOCK(cs_KeyStore);
     if (!IsCrypted()) {
         return CBasicKeyStore::AddKeyPubKey(key, pubkey);
     }
 
     if (IsLocked()) {
         return false;
     }
 
     std::vector<uint8_t> vchCryptedSecret;
     CKeyingMaterial vchSecret(key.begin(), key.end());
     if (!EncryptSecret(vMasterKey, vchSecret, pubkey.GetHash(),
                        vchCryptedSecret)) {
         return false;
     }
 
     if (!AddCryptedKey(pubkey, vchCryptedSecret)) {
         return false;
     }
     return true;
 }
 
 bool CCryptoKeyStore::AddCryptedKey(
     const CPubKey &vchPubKey, const std::vector<uint8_t> &vchCryptedSecret) {
     LOCK(cs_KeyStore);
     if (!SetCrypted()) {
         return false;
     }
 
     mapCryptedKeys[vchPubKey.GetID()] = make_pair(vchPubKey, vchCryptedSecret);
+    ImplicitlyLearnRelatedKeyScripts(vchPubKey);
     return true;
 }
 
 bool CCryptoKeyStore::HaveKey(const CKeyID &address) const {
     LOCK(cs_KeyStore);
     if (!IsCrypted()) {
         return CBasicKeyStore::HaveKey(address);
     }
     return mapCryptedKeys.count(address) > 0;
 }
 
 bool CCryptoKeyStore::GetKey(const CKeyID &address, CKey &keyOut) const {
     LOCK(cs_KeyStore);
     if (!IsCrypted()) {
         return CBasicKeyStore::GetKey(address, keyOut);
     }
 
     CryptedKeyMap::const_iterator mi = mapCryptedKeys.find(address);
     if (mi != mapCryptedKeys.end()) {
         const CPubKey &vchPubKey = (*mi).second.first;
         const std::vector<uint8_t> &vchCryptedSecret = (*mi).second.second;
         return DecryptKey(vMasterKey, vchCryptedSecret, vchPubKey, keyOut);
     }
     return false;
 }
 
 bool CCryptoKeyStore::GetPubKey(const CKeyID &address,
                                 CPubKey &vchPubKeyOut) const {
     LOCK(cs_KeyStore);
     if (!IsCrypted()) {
         return CBasicKeyStore::GetPubKey(address, vchPubKeyOut);
     }
 
     CryptedKeyMap::const_iterator mi = mapCryptedKeys.find(address);
     if (mi != mapCryptedKeys.end()) {
         vchPubKeyOut = (*mi).second.first;
         return true;
     }
 
     // Check for watch-only pubkeys
     return CBasicKeyStore::GetPubKey(address, vchPubKeyOut);
 }
 
 std::set<CKeyID> CCryptoKeyStore::GetKeys() const {
     LOCK(cs_KeyStore);
     if (!IsCrypted()) {
         return CBasicKeyStore::GetKeys();
     }
     std::set<CKeyID> set_address;
     for (const auto &mi : mapCryptedKeys) {
         set_address.insert(mi.first);
     }
     return set_address;
 }
 
 bool CCryptoKeyStore::EncryptKeys(CKeyingMaterial &vMasterKeyIn) {
     LOCK(cs_KeyStore);
     if (!mapCryptedKeys.empty() || IsCrypted()) {
         return false;
     }
 
     fUseCrypto = true;
     for (const KeyMap::value_type &mKey : mapKeys) {
         const CKey &key = mKey.second;
         CPubKey vchPubKey = key.GetPubKey();
         CKeyingMaterial vchSecret(key.begin(), key.end());
         std::vector<uint8_t> vchCryptedSecret;
         if (!EncryptSecret(vMasterKeyIn, vchSecret, vchPubKey.GetHash(),
                            vchCryptedSecret)) {
             return false;
         }
         if (!AddCryptedKey(vchPubKey, vchCryptedSecret)) {
             return false;
         }
     }
     mapKeys.clear();
     return true;
 }