How does HD wallet protect its master public key?

2

Hierarchical deterministic wallets have a master public key. I fully understand the elliptic curve concept regarding private and public keys.
I also understand the concept that Maxwell described here to generate new public keys without knowing their corresponding private keys, by only knowing the master public key. Based on Maxwell's idea, if someone gets two of the children's public keys, with some simple math he can calculate the master public key, which allows him to generate all of the user's future bitcoin addresses. So my questions are:

  1. Does HD wallet use the same mechanism explained by Maxwell to generate new public keys?
  2. How does an HD wallet protect its master public key?

abeikverdi

Posted 2015-04-15T01:05:53.597

Reputation: 784

1

I don't think I've ever seen an HD wallet implementation that permitted the master public key to be determined from two child public keys.

David Schwartz 2015-04-15T06:57:04.813

Answers

3

In typical HD wallet implementations, some kind of hash of the master public key and the sequence number of the child key is added into the private portion of each child key. This makes the interval between private keys unpredictable to an attacker who does not know the master public key and thus the interval between public keys is likewise unpredictable. With this kind of implementation, no number of child public keys will reveal the master public key and there is no way to tell that accounts are part of the same family with only public information.

You can see the scheme I designed for Ripple here.

David Schwartz

Posted 2015-04-15T01:05:53.597

Reputation: 46 931

0

As outlined here, non-hardened BIP32 wallets can be compromised if:

  1. The master public key is known
  2. A child private key is known

This is because the unknown (offset) - the index - can be brute forced since it's a field of 2^31.

(Diagram from the linked article)

Hardened keys use a master private key and an index >0x80000000 (2^31), denoted with prime notation, k'.

Wizard Of Ozzie

Posted 2015-04-15T01:05:53.597

Reputation: 4 535
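An added illustration of what the two answers above describe (this is my own code, not from the question, the answers, or pybitcointools): the BIP32 child-key derivation with its HMAC offset, the public-only derivation from question 1, and a check showing why a normal (non-hardened) child private key plus the xpub gives back the parent key while a hardened child's does not. The master key and chain code fed to it are constructed values, and the helper names are my own.

```python
import hashlib, hmac
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine point addition on secp256k1; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):  # double-and-add scalar multiplication k*point
    r = None
    while k:
        if k & 1: r = ec_add(r, point)
        point, k = ec_add(point, point), k >> 1
    return r

def compress(point):  # 33-byte compressed SEC encoding, the form BIP32 feeds into HMAC
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: child = parent + IL (mod N), IL = HMAC-SHA512(chain code, data || i)[:32].
    Normal (i < 2**31) hashes the parent PUBLIC key; hardened (i >= 2**31) hashes 0x00 || PRIVATE key."""
    data = b"\x00" + k_par.to_bytes(32, "big") if i >= 2**31 else compress(ec_mul(k_par))
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k_par) % N, I[32:]

def public_offset(point_par, c_par, i):
    """IL of a normal child from public data only (parent point + chain code, i.e. the xpub)."""
    assert i < 2**31, "hardened children have no public-only offset"
    I = hmac.new(c_par, compress(point_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big")

def ckd_pub(point_par, c_par, i):  # BIP32 CKDpub: parent point + IL*G, from public data only
    return ec_add(point_par, ec_mul(public_offset(point_par, c_par, i)))

def parent_exposed_by(k_child, point_par, c_par, i):
    """Does the xpub plus this single leaked child private key give back the parent private key?"""
    if i >= 2**31:
        return False  # hardened child: its offset depends on the parent private key, not on the xpub
    return ec_mul((k_child - public_offset(point_par, c_par, i)) % N) == point_par
```

The practical takeaway for a wallet design is the last function: any account whose xpub is shared (watch-only wallets, payment servers) should sit below a hardened level, so that one leaked child key cannot be turned into its parent.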

I don't think the OP is asking about BIP32. I made a post on meta about this: http://meta.bitcoin.stackexchange.com/questions/661/what-should-hd-wallet-mean

Nick ODell 2015-04-15T07:27:30.407

The offset is generated based on the master public key, so if someone has the master public key a larger offset doesn't really help. Am I correct?

abeikverdi 2015-04-15T15:47:33.247

The offset is more like adding 12345 after a password. The "offset" isn't anything more than appended data. But essentially, yes, you're right. See the crack_bip32 function in pybitcointools.

Wizard Of Ozzie 2015-04-15T19:33:56.087