The main difference is in how chain codes are used in hardened and non-hardened derivations.
- in Non-hardened derivativethe child is derived from. parent’s public key along with the parent’s chaincode. This means that the chain code is effectively public valueThere is no harm in making it public, since the formula assumes it will be used in public data anyway.
- in enhanced derivativethe child is derived from. parent’s private key Along with the chain code. In this case, even if you know the parent’s chain code, you cannot compute the child or reverse the process to get the parent key because the HMAC input includes the parent’s private key.
Therefore, a child derived from a hardened parent is not vulnerable to an “xpub + child private key” attack because it cannot retrieve the parent’s private key because the hardened derivation never exposes enough information.
To see more clearly:
c1 = parent chain code
I = HMAC-SHA512(key = c1, data = 0x00 || ser256(sk_parent) || ser32(n))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2 = IR
As you can see, there is no way to know I Even if you know c1because the parent’s private key is part of the HMAC input.
This is also explained as follows:
Can the child’s private key be used to derive the parent’s private key?
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
