does extended public key derivation go both directions

Is the reverse also true -- can a parent extended public key be derived from a child extended public key?

No. BIP 32 uses hash functions in order to derive the child keys. In order to be able to derive the parent key from the child key, you should need to be able to reverse the hash function, which is currently impossible (I say currently because some vulnerability could be discovered which allows it to be reversed, but that is unlikely to happen).

Furthermore, the child key derivation also involves calculating a public key from a private key (that private key is basically temporary and doesn't actually reveal anything about the child private key). You would need to reverse that too, but doing so is also currently impossible (it is theoretically possible with a quantum computer).

Andrew Chow

Posted 2018-02-20T21:59:49.153

Reputation: 40 910

Thanks for this. I don't understand then how is it that an unhardened pub key + any child private key could compromise the entire tree all the way back to root -- wouldn't the ability to derive a parent pub key from its child be needed? – Magnus – 2018-02-21T15:46:10.970

1The issue is when you have the parent pub key and any child private key. That lets you derive the parent private key. – Andrew Chow – 2018-02-21T15:57:24.743

Ah OK. But still now that you have a parent pub key and have derived the parent priv key, is that enough to then break into the grandparent layer, ie the parents of the parents? In other words, can a parent key be derived from a child pub + child priv? What I'm hearing described here is more of a sibling derivation at the same level. – Magnus – 2018-02-21T16:04:26.380

1No, the parent key cannot be derived using only child keys. But once you get the parent private key, you can derive all child keys, and, from there, any descendants of those child keys. – Andrew Chow – 2018-02-21T16:58:21.100

does extended public key derivation go both directions

Answers