Tuesday, November 4, 2025

HD hardened key derivation in the book “Mastering Bitcoin”, third edition

The important distinction lies in how chain codes are used in hardened vs non-hardened derivation.

  • In non-hardened derivation, the child is derived from the parent’s public key together with the parent’s chain code. This means the chain code is effectively a public value; exposing it isn’t a problem, because the formula assumes it will be used with public data anyway.
  • In hardened derivation, the child is derived from the parent’s private key together with the chain code. In this case, even if you know the parent’s chain code, you cannot compute the child or invert the process to get the parent key, because the HMAC input includes the parent’s private key.

That’s why children derived from a hardened parent are not vulnerable to the “xpub + child private key” attack: you cannot retrieve the parent’s private key, because hardened derivation never exposes enough information.

To see it more clearly:

c1 = parent chain code
i  = child index (hardened: i >= 2^31)
n  = order of the secp256k1 curve

I  = HMAC-SHA512(key = c1, data = 0x00 || ser256(sk_parent) || ser32(i))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2       = IR

As can be seen, there is no way to compute I even if you know c1, because the parent’s private key is part of the HMAC input.

This is also explained here:

Can we derive parent’s private key using child’s private key?
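The difference described above, as an added example that is not from the original article or the book: BIP32 private child derivation over secp256k1, checking for a given index whether the tweak IL can be recomputed from the xpub (parent public key plus chain code) alone. The function names, the plain non-constant-time curve arithmetic and the sample key and chain code are constructed for this illustration.

```python
import hashlib
import hmac
# secp256k1 field prime, group order and generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 2**31  # child indexes >= 2^31 select hardened derivation
def _add(a, b):  # curve point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def pubkey(sk):
    """serP(sk*G): compressed public key (double-and-add, not constant time)."""
    acc, pt = None, G
    while sk:
        if sk & 1:
            acc = _add(acc, pt)
        pt, sk = _add(pt, pt), sk >> 1
    return bytes([2 + (acc[1] & 1)]) + acc[0].to_bytes(32, "big")

def ckd_priv(sk_parent, c1, i):
    """BIP32 private child derivation -> (sk_child, c2); invalid-key checks omitted."""
    secret = b"\x00" + sk_parent.to_bytes(32, "big")  # hardened HMAC input
    data = (secret if i >= HARDENED else pubkey(sk_parent)) + i.to_bytes(4, "big")
    I = hmac.new(c1, data, hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + sk_parent) % N, I[32:]

def tweak_from_xpub(pk_parent, c1, i):
    """parse256(IL) as computable from the xpub alone, or None if it is not."""
    if i >= HARDENED:
        return None  # HMAC input would need ser256(sk_parent), absent from an xpub
    I = hmac.new(c1, pk_parent + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big")

def parent_key_exposed(i):
    """True if xpub + child private key at index i give back sk_parent."""
    sk_parent = int.from_bytes(hashlib.sha256(b"constructed parent").digest(), "big") % N
    c1 = hashlib.sha256(b"constructed chain code").digest()  # constructed sample
    sk_child, _ = ckd_priv(sk_parent, c1, i)
    il = tweak_from_xpub(pubkey(sk_parent), c1, i)
    return il is not None and (sk_child - il) % N == sk_parent
```

`parent_key_exposed(0)` returns `True` and `parent_key_exposed(HARDENED)` returns `False`, matching the two bullet points above.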
