MultiversX Tracker is Live!

Why non-hardened private key is unsafe? [duplicate]

Bitcoin Stack Exchange

Bitcoin News / Bitcoin Stack Exchange 216 Views

First we must understand how BIP 32 derives non-hardened private and public keys.

From BIP 32, deriving a child private key from an extended parent private key:

let I = HMAC-SHA512(Key = cpar, Data = serP(point(kpar))) || ser32(i)).

Split I into two 32-byte sequences, IL and IR.

The returned child key Ki is parse256(IL) + kpar (mod n).

The private key is thus the parent private key plus the first 256 bits of the HMAC-SHA512 function where the key is the chaincode of the parent private key and the hashed data is the concatenation of the serialization of the public key that corresponds to the extended private key and the child key index. The important thing here to note is that the HMAC-SHA512 hash is a hash of the public key, not the private key.

From BIP 32, deriving a child public key from an extended parent public key:

let I = HMAC-SHA512(Key = cpar, Data = serP(Kpar) || ser32(i)).

Split I into two 32-byte sequences, IL and IR.

The returned child key Ki is point(parse256(IL)) + Kpar.

The child public key is the parent public key added with the public key generated from the first 256 bits of the HMAC-SHA512 function where the key is the chaincode of the parent key and data is the concatenation of the parent public key with the index of the child public key.

Notice how when deriving the child private key and the child public key you are actually hashing the same thing? You are performing the HMAC-SHA512 function with the same key (the chaincode of the parent keys) and the same data (the concatenation of the parent public key and the index of the child key). The first 256 bits of that hash become a private key of sorts, and that private key is added to the master private key to become the actual child private key. Its public key is calculated and added with the parent public key to become the child public key.

So to get the master private key, all we need to do is take the child private key that we now have, and subtract from it the private key produced by the HMAC-SHA512 function. To do that, we need three things, the chaincode, the parent public key, and the child key index.

The chaincode and parent public key come from the extended parent public key (xpub) as it encodes both the chaincode and the public key in it.

The child key index can be trivially found by deriving child public keys from the parent public key until we get the public key which corresponds to the child private key that we have and save the key index.

With these three things, we can perform the HMAC-SHA512 function and get the 512 bit hash. Now we can take the child private key and subtract from it the integer that is the first 256 bits of the hash we just generated. Our result is the parent private key. Combine that with the chaincode that we retrieved from the extended parent public key and we have ourselves the extended parent private key.


This technique only applies to non-hardened derivation. Hardened derivation protects against this because it generates the child private key by hashing the parent private key. However this also means that you cannot generate the child public key from the parent public key.


Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments