The important distinction lies in how chain codes are used in hardened vs non-hardened derivation.
- In non-hardened derivation, the child is derived from the parent's public key along with the parent's chain code. This means the chain code is effectively a public value; exposing it isn't a problem, because the scheme assumes it will be used with public data anyway.
- In hardened derivation, the child is derived from the parent's private key along with the chain code. In this case, even if you know the parent's chain code, you cannot compute the child or invert the process to get the parent key, because the HMAC input includes the parent's private key.
That's why children derived from a hardened parent aren't vulnerable to the "xpub + child private key" attack: you cannot retrieve the parent's private key, since hardened derivation never exposes enough information.
To see it more clearly:
```
c1 = parent chain code
I  = HMAC-SHA512(key = c1, data = 0x00 || ser256(sk_parent) || ser32(i))   # hardened: i >= 2^31
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n                                 # n = secp256k1 group order
c2 = IR
```
As can be seen, there is no way to compute I even if you know c1, because the parent's private key is part of the HMAC input.
This is also explained here:
Can we derive the parent's private key using the child's private key?