Sunday, May 19, 2024

How are children’s private keys in HD wallets obtained, and how can knowing them reveal the parent’s private key?


If the classical addition of the left 256 bits of the hash result to the private key of the parent is performed, then it will result in a 512-bit private key of the child, which isn’t right (the private key should be 256-bit).

As Michael Folkson explains in the answer you linked:

There is concatenation, where 256 bits placed next to another 256 bits makes 512 bits. However, what you are referring to is scalar addition. A 256-bit number (the 256-bit parent private key) is added to another 256-bit number (the left 256 bits of the SHA512) and the result modulo p (p = 2^256-2^32-977) is another 256-bit number.

In some sense it will behave like classical addition (before the modulo operation).

Although I’m not 100% sure where p is specifically defined, the modulo p operation, where p = 2^256-2^32-977, is the relevant operation that shortens the resulting key to 256 bits (because p is a 256-bit number).

So you add the left 256 bits to the parent private key to get the (large, 512-bit) child private key, then you reduce the result modulo p to shorten it to 256 bits.

Okay, let’s say you and Michael are right. How will the parent’s private key be obtained from knowing the child’s private key? If modulo operations are really used to obtain a 256-bit key, then inverting them and obtaining the parent’s private key can’t be done at all… In the book, they say that it’s “relatively easy” to obtain the parent’s private key from knowing the child’s private key.

This was discussed partially here: Xpriv can be calculated from the xpub + child private key?

According to: https://medium.com/@blainemalone01/hd-wallets-why-hardened-derivation-matters-89efcdc71671#cc82

the equation for deriving the parent key from the child is:

child private key = (left 32 bytes + parent private key) % n

Bob solves for the parent private key:

parent private key = (child private key - left 32 bytes) % n

Note that here we’re using modulo n, where n is the secp256k1 curve order; this is a common operation in ECC. It’s possible Michael meant modulo n, but I can’t confirm this.

The same formula you provided is also mentioned here, but here they use G instead of n. I know that G is a generic point (a point on an elliptic curve) used to generate a public key from a private key. So is n actually G?

In this section you’ll find p being used; it is explained to be a global constant in Bitcoin software, but nothing more is said about it:
https://developer.bitcoin.org/devguide/wallets.html#hierarchical-deterministic-key-creation

In this section G is being used:
https://developer.bitcoin.org/devguide/wallets.html#id5

I know for certain that G is used to derive public keys from private keys via scalar multiplication.

I don’t want to state any incorrect facts about the usage of these values. My opinion is that in this circumstance it makes more sense for the modulo operation to be done with n, because of the article above, which seems to explain it extremely well; but since I don’t know for certain, I can only try to provide researched context.
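The derivation and the recovery that the two answers above argue about, as an added worked example that is not part of any post in this thread and not taken from the linked article. It uses only the Python standard library and the public secp256k1 constants. What it demonstrates: in BIP32 the non-hardened child key is computed as (parse256(I_L) + k_par) mod n with n the curve order (not the field prime p), so the sum of two 256-bit scalars is at most 257 bits before reduction, never 512; and anyone holding the parent extended public key (parent public key plus chain code) together with one non-hardened child private key recovers the parent private key as (k_child - I_L) mod n, because I_L depends only on data the xpub holder already has. The seed is the BIP32 test vector 1 seed; everything else is computed by the code itself, and the recovery helper and path names are this example's own, not a library API.

```python
import hmac
import hashlib

# secp256k1 domain parameters (public constants from the curve specification)
P = 2**256 - 2**32 - 977  # field prime: point coordinates live in GF(P)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order: scalars live mod N
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: indices >= 2^31 are hardened


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Scalar multiplication by double-and-add; k*G is where G enters (pubkey = priv*G)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def ser_p(priv):
    """Compressed 33-byte SEC1 encoding of the public point priv*G (BIP32 serP)."""
    x, y = _mul(priv, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master key and chain code: I = HMAC-SHA512(key="Bitcoin seed", data=seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: (child private key, child chain code) from the parent's."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(k_par) + i.to_bytes(4, "big")  # only public data goes into the HMAC
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    # Scalar addition, not concatenation: il + k_par is at most 257 bits,
    # and the reduction is modulo the curve order N, not the field prime P.
    return (il + k_par) % N, digest[32:]


def recover_parent(k_child, parent_pub_ser, c_par, i):
    """Attacker view: xpub contents (parent pubkey + chain code), a leaked
    non-hardened child private key and its index are enough to undo CKDpriv."""
    if i >= HARDENED:
        raise ValueError("hardened children do not leak the parent key this way")
    data = parent_pub_ser + i.to_bytes(4, "big")
    il = int.from_bytes(hmac.new(c_par, data, hashlib.sha512).digest()[:32], "big")
    return (k_child - il) % N  # inverse of the scalar addition, still mod N


def demo():
    """Derive m/0H and m/0H/1 from the BIP32 test vector 1 seed, then recover m/0H
    from m/0H/1 using only what the m/0H xpub holder knows. Returns the keys."""
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    m, c_m = master_from_seed(seed)
    k0h, c0h = ckd_priv(m, c_m, HARDENED + 0)   # m/0H (hardened: uses the private key)
    k01, _ = ckd_priv(k0h, c0h, 1)               # m/0H/1 (non-hardened: uses the public key)
    recovered = recover_parent(k01, ser_p(k0h), c0h, 1)
    return m, k0h, k01, recovered


if __name__ == "__main__":
    m, k0h, k01, recovered = demo()
    print("m/0H   :", f"{k0h:064x}")
    print("m/0H/1 :", f"{k01:064x}")
    print("recovered m/0H equals real m/0H:", recovered == k0h)
```

Note that the recovery only works because `ckd_priv` for index 1 fed the *public* parent key into the HMAC, so the xpub holder can recompute I_L; for the hardened step m/0H the HMAC input contains the parent private key, which is exactly why hardened derivation blocks this attack.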
