BIP-32 - how can parent extended public key exposed parent extended private key?

0

The below is the snippet from bip-32. I do not understand under what circumstance would 'parent extended public key' be exposed? In the case of e-commerce a 'child extended public key' is derived from 'parent extended public key'. The e-commerce website only needs to know 'child extended public key' to derive public key/addresses. In such case, will knowing 'child extended public key' expose 'parent extended private key'?

"One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it)."

Example of code snippet in Javascript

function testXPub() {
 const mnemonic = 'ddddddddddddddddddddddddddddddddddddddddddddddd'
 const seed = bip39.mnemonicToSeed(mnemonic)
 const node = bip32.fromSeed(seed)
 const xpubNode = node.neutered()
 console.log("xpubNode :%o", xpubNode)
 console.log("xpubNode (string): %o", xpubNode.toBase58())

 const xpub_m_0_node = xpubNode.derive(0)
 console.log("xpub_m_0_node :%o", xpub_m_0_node)
 console.log("xpubNode (string): %o", xpub_m_0_node.toBase58())
 const xpub_m_0_0_node = xpubNode.derive(0).derive(0)
 console.log("xpub_m_0_0_node :%o", xpub_m_0_0_node)
 console.log("xpubNode (string): %o", xpub_m_0_0_node.toBase58())
}

So instead of sharing xpubNode, i would share xpub_m_0_0_node.

brianinhk

Posted 2018-08-14T11:33:32.833

Reputation: 3

Not sure how is related to the suggested link? I am interested to understand as per bip32, why would anyone share the 'parent extended public key'? The use case for xpub I assume will be the 'child extended public key' derive from parent extended public key.brianinhk 2018-08-14T14:25:50.623

Answers

0

I am interested to understand as per bip32, why would anyone share the 'parent extended public key'?

The purpose of sharing the parent extended public key is so that child public keys (and thus addresses) can be derived from it without needing to know about a bunch of addresses individually. This is easier for separated setups where an online computer only has the public keys as the online computer does not need to be constantly refreshed with more addresses to watch for. It can generate the addresses itself.

In such case, will knowing 'child extended public key' expose 'parent extended private key'?

No. Only knowing both the parent extended public key and a child private key derived with unhardened derivation exposes the parent private key.

Andrew Chow

Posted 2018-08-14T11:33:32.833

Reputation: 40 910

For the first question, wouldn't the online computer only needs 'child extended public key' to be able to generate new addresses without need of private key? I assume 'child extended public key' will be derive from another machine by another person using 'parent chain code', 'parent public key and non hardened index.brianinhk 2018-08-15T12:00:37.343

A child public key cannot derive its siblings. It can only derive its own children, so it itself becomes a parent public key.Andrew Chow 2018-08-15T17:17:12.187

I am only interested to understand if i have a child extended public key which is derived from extended public key, will the 'child extended public key' with any non-hardened private key descending from it susceptible for someone to know super parent extended private key? i.e. 'extended private key' --derive--> 'extended public key' --derive--> 'extended public key'brianinhk 2018-08-19T02:46:23.403

No, as I said in my answer, it is impossible to derive any parent keys from just child key, extended or not, public or not.Andrew Chow 2018-08-19T03:38:19.620

Sorry, Andrew, I am still not getting it. I have edited my answer with a sample code in Javascript. If you see from the above, I can derive many level of extended public key. Is that not true?brianinhk 2018-08-19T03:53:09.983

Yes, you can derive many levels. So? Each level is derived from the key at the level immediately preceding it. The only direct relation is between that key and its parent. There is no direct relation between a key and its grandparent, only an indirect one. Because all of the keys use an algorithm which is not reversible (it uses one way functions), it is impossible to derive a parent key given a child key. In order to get a grandparent key of a key, you need to get its parent key. But because that is impossible, so is getting the grandparent key.Andrew Chow 2018-08-19T03:58:45.130

Exactly, it is impossible to derive a parent key given a child key. However, as per https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki "One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it).", if one share 'parent extended public key', you are susceptible for someone to hack to the 'parent extended private key'.

brianinhk 2018-08-19T04:39:41.333

So I am curious why would someone ever share 'parent extended public key'? why don't just share xpub_m_0_0_node as per my code, which is few level down the parent, hence not susceptible to being hack?brianinhk 2018-08-19T04:39:46.263

It is susceptible. m/0/0 is the parent of m/0/0/i. Given any private key at m/0/0/i and the xpub at m/0/0, you can drive the private key at m/0/0. Parent key does not just refer to the key at the root. Any key can be a parent key.Andrew Chow 2018-08-19T04:58:17.450

Agree, m/0/0 is hackable. Can the grandparent be hackable for the code example i.e. m/0 once m/0/0 private key is disclosed?brianinhk 2018-08-19T05:06:32.330

No. You can only recover the private hey if you have the xpub. So you need m/0's xpub in order to get it's private key once you have m/0/0's private key.Andrew Chow 2018-08-19T05:20:04.757