The important thing distinction lies in how chain codes are utilized in hardened vs non-hardened derivation.
- In non-hardened derivation, the kid is derived from the father or mother’s public key along with the father or mother’s chain code. This implies the chain code is successfully a public worth, exposing it’s not an issue, as a result of the formulation assumes it will likely be used with public information anyway.
- In hardened derivation, the kid is derived from the father or mother’s non-public key along with the chain code. On this case, even when you already know the father or mother’s chain code, you can’t compute the kid or invert the method to get the father or mother key, as a result of the HMAC enter consists of the father or mother’s non-public key.
That’s why kids derived from a hardened father or mother are usually not susceptible to the “xpub + little one non-public key” assault as you can’t retrieve the father or mother’s non-public key, because the hardened derivation by no means exposes sufficient info.
To see it clearer:
c1 = father or mother chain code
I = HMAC-SHA512(key = c1, information = 0x00 || ser256(sk_parent) || ser32(n))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2 = IR
As could be seen, there isn’t any technique to know I even when you already know c1, as a result of the father or mother’s non-public key’s a part of the HMAC enter.
That is additionally defined right here:
Can we derive father or mother’s non-public key utilizing little one’s non-public key?
