The important distinction lies in how chain codes are used in hardened vs non-hardened derivation.
- In non-hardened derivation, the child is derived from the parent's public key along with the parent's chain code. This means the chain code is effectively a public value; exposing it is not a problem, because the system assumes it will be used with public data anyway.
- In hardened derivation, the child is derived from the parent's private key along with the chain code. In this case, even if you know the parent's chain code, you cannot compute the child or invert the process to get the parent key, because the HMAC input includes the parent's private key.
That's why children derived from a hardened parent are not vulnerable to the "xpub + child private key" attack: you cannot retrieve the parent's private key, since the hardened derivation never exposes enough information.
To see it clearer:
c1 = parent chain code
I = HMAC-SHA512(key = c1, information = 0x00 || ser256(sk_parent) || ser32(n))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2 = IR
As can be seen, there is no way to know I even if you know c1, because the parent's private key is part of the HMAC input.
This is also explained here:
Can we derive parent's private key using child's private key?

