The important distinction lies in how chain codes are used in hardened versus non-hardened derivation.
- In non-hardened derivation, the child is derived from the parent's public key together with the parent's chain code. This means the chain code is effectively a public value; exposing it is not a problem, because the scheme assumes it will be used together with public data anyway.
- In hardened derivation, the child is derived from the parent's private key together with the chain code. In this case, even if you know the parent's chain code, you can't compute the child or invert the process to get the parent key, because the HMAC input includes the parent's private key.
That's why children derived from a hardened parent aren't vulnerable to the "xpub + child private key" attack: you can't retrieve the parent's private key, since hardened derivation never exposes enough information.
To see it more clearly (i is the child index, with i >= 2^31 for hardened derivation, and n is the order of the secp256k1 curve):
c1 = parent chain code
I = HMAC-SHA512(key = c1, data = 0x00 || ser256(sk_parent) || ser32(i))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2 = IR
As can be seen, there is no way to compute I even if you know c1, because the parent's private key is part of the HMAC input.
This is also explained here:
Can we derive parent's private key using child's private key?
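The two derivation paths side by side, as an added example that is not part of the original answer. It implements BIP32 CKDpriv in pure Python with a minimal secp256k1 scalar multiplication (illustrative, not a production EC library), derives one non-hardened and one hardened child from a master key built from a constructed seed, and then runs the "xpub + child private key" check from a defender's perspective: with only the parent's public key and chain code, the non-hardened child's IL is recomputable, so the parent private key falls out, while the hardened child gives the checker nothing to work with because the HMAC input it would need contains sk_parent. The seed and the helper names (`ckd_priv`, `recover_parent_from_xpub`, `master_from_seed`) are this example's own choices.

```python
import hmac
import hashlib

# secp256k1 domain parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= 2^31 are hardened in BIP32

# Constructed seed for the example; a real wallet uses CSPRNG output or BIP39.
SEED = b"constructed example seed, not a real wallet seed"


def _point_add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + 7 (a = 0); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k, point=G):
    """Double-and-add; fine for illustration, not constant-time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def ser256(x):
    return x.to_bytes(32, "big")


def ser32(i):
    return i.to_bytes(4, "big")


def ser_p(point):
    """Compressed SEC1 encoding of a point, as BIP32 uses for non-hardened data."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + ser256(x)


def parse256(b):
    return int.from_bytes(b, "big")


def master_from_seed(seed):
    """BIP32 master key: HMAC-SHA512 keyed with "Bitcoin seed"; returns (sk, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return parse256(digest[:32]), digest[32:]


def ckd_priv(sk_parent, c_parent, i):
    """BIP32 CKDpriv: (sk_parent, c_parent, i) -> (sk_child, c_child)."""
    if i >= HARDENED:
        # Hardened: the parent PRIVATE key enters the HMAC, so I is unknowable from public data.
        data = b"\x00" + ser256(sk_parent) + ser32(i)
    else:
        # Non-hardened: only the parent PUBLIC key and the index enter the HMAC.
        data = ser_p(_scalar_mult(sk_parent)) + ser32(i)
    digest = hmac.new(c_parent, data, hashlib.sha512).digest()
    il, ir = parse256(digest[:32]), digest[32:]
    if il >= N:
        raise ValueError("invalid child (IL >= n); BIP32 says skip this index")
    sk_child = (il + sk_parent) % N
    if sk_child == 0:
        raise ValueError("invalid child (zero key); BIP32 says skip this index")
    return sk_child, ir


def recover_parent_from_xpub(pk_parent, c_parent, i, sk_child):
    """Defender's check: given only xpub material (pk_parent, c_parent) plus one leaked
    child private key, can the parent private key be reconstructed?
    Returns the parent key for a non-hardened index, None for a hardened one."""
    if i >= HARDENED:
        return None  # the HMAC data would need sk_parent, which xpub material lacks
    digest = hmac.new(c_parent, ser_p(pk_parent) + ser32(i), hashlib.sha512).digest()
    il = parse256(digest[:32])
    return (sk_child - il) % N  # inverts sk_child = (IL + sk_parent) mod n


if __name__ == "__main__":
    sk_m, c_m = master_from_seed(SEED)
    pk_m = _scalar_mult(sk_m)
    sk_0, _ = ckd_priv(sk_m, c_m, 0)
    sk_0h, _ = ckd_priv(sk_m, c_m, HARDENED)
    print("non-hardened child exposes parent:", recover_parent_from_xpub(pk_m, c_m, 0, sk_0) == sk_m)
    print("hardened child exposes parent:   ", recover_parent_from_xpub(pk_m, c_m, HARDENED, sk_0h) is not None)
```

The practical takeaway for key management is the last two lines: any account-level key whose xpub is shared (watch-only wallets, payment processors) should sit below at least one hardened step, so that a single leaked child private key compromises only that branch rather than everything under the exported xpub.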