
Below is a snippet from BIP32. I do not understand under what circumstances a 'parent extended public key' would be exposed. In the case of e-commerce, a 'child extended public key' is derived from the 'parent extended public key'. The e-commerce website only needs to know the 'child extended public key' to derive public keys/addresses. In such a case, will knowing the 'child extended public key' expose the 'parent extended private key'?

"One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it)."

Example code snippet in JavaScript:

const bip39 = require('bip39')
const bip32 = require('bip32')  // bip32 v1/v2 API; v3+ needs BIP32Factory(ecc) instead of bip32.fromSeed

function testXPub() {
  // Placeholder mnemonic from the question; not a valid BIP39 phrase, but mnemonicToSeedSync
  // does not validate it (it only runs PBKDF2 over the string), so the derivation below still runs
  const mnemonic = 'ddddddddddddddddddddddddddddddddddddddddddddddd'
  const seed = bip39.mnemonicToSeedSync(mnemonic)  // mnemonicToSeed() is async in bip39 >= 3
  const node = bip32.fromSeed(seed)                // master extended private key (m)
  const xpubNode = node.neutered()                 // extended public key of m
  console.log("xpubNode :%o", xpubNode)
  console.log("xpubNode (string): %o", xpubNode.toBase58())

  // Non-hardened derivation from an xpub: m/0 and m/0/0 without any private key
  const xpub_m_0_node = xpubNode.derive(0)
  console.log("xpub_m_0_node :%o", xpub_m_0_node)
  console.log("xpub_m_0_node (string): %o", xpub_m_0_node.toBase58())
  const xpub_m_0_0_node = xpub_m_0_node.derive(0)
  console.log("xpub_m_0_0_node :%o", xpub_m_0_0_node)
  console.log("xpub_m_0_0_node (string): %o", xpub_m_0_0_node.toBase58())
}

testXPub()

So instead of sharing xpubNode, I would share xpub_m_0_0_node.

brianinhk
  • https://bitcoin.stackexchange.com/q/55383/7272 – Raghav Sood Aug 14 '18 at 13:18
  • Not sure how this is related to the suggested link? I am interested to understand, as per BIP32, why anyone would share the 'parent extended public key'. The use case for xpub, I assume, will be the 'child extended public key' derived from the parent extended public key. – brianinhk Aug 14 '18 at 14:25

1 Answer

I am interested to understand, as per BIP32, why would anyone share the 'parent extended public key'?

The purpose of sharing the parent extended public key is so that child public keys (and thus addresses) can be derived from it without needing to know about a bunch of addresses individually. This is easier for separated setups where an online computer only has the public keys as the online computer does not need to be constantly refreshed with more addresses to watch for. It can generate the addresses itself.

In such case, will knowing 'child extended public key' expose 'parent extended private key'?

No. Only knowing both the parent extended public key and a child private key derived with unhardened derivation exposes the parent private key.

Andrew Chow
  • For the first question, wouldn't the online computer only need the 'child extended public key' to be able to generate new addresses without need of the private key? I assume the 'child extended public key' will be derived on another machine by another person using the 'parent chain code', 'parent public key' and a non-hardened index. – brianinhk Aug 15 '18 at 12:00
  • A child public key cannot derive its siblings. It can only derive its own children, so it itself becomes a parent public key. – Andrew Chow Aug 15 '18 at 17:17
  • I am only interested to understand: if I have a child extended public key which is derived from an extended public key, will the 'child extended public key' with any non-hardened private key descending from it be susceptible to someone learning the super-parent extended private key? i.e. 'extended **private** key' --derive--> 'extended public key' --derive--> 'extended public key' – brianinhk Aug 19 '18 at 02:46
  • No, as I said in my answer, it is impossible to derive any parent keys from just child key, extended or not, public or not. – Andrew Chow Aug 19 '18 at 03:38
  • Sorry, Andrew, I am still not getting it. I have edited my answer with sample code in JavaScript. As you can see from the above, I can derive many levels of extended public key. Is that not true? – brianinhk Aug 19 '18 at 03:53
  • Yes, you can derive many levels. So? Each level is derived from the key at the level immediately preceding it. The only direct relation is between that key and its parent. There is no direct relation between a key and its grandparent, only an indirect one. Because all of the keys use an algorithm which is not reversible (it uses one way functions), it is impossible to derive a parent key given a child key. In order to get a grandparent key of a key, you need to get its parent key. But because that is impossible, so is getting the grandparent key. – Andrew Chow Aug 19 '18 at 03:58
  • Exactly, it is impossible to derive a parent key given a child key. However, as per https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki **"One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it)."**, if one shares the 'parent extended public key', you are susceptible to someone hacking the 'parent extended private key'. – brianinhk Aug 19 '18 at 04:39
  • So I am curious why anyone would ever share the 'parent extended public key'? Why not just share xpub_m_0_0_node as per my code, which is a few levels down from the parent, hence not susceptible to being hacked? – brianinhk Aug 19 '18 at 04:39
  • It is susceptible. m/0/0 is the parent of m/0/0/i. Given any private key at m/0/0/i and the xpub at m/0/0, you can derive the private key at m/0/0. Parent key does not just refer to the key at the root. Any key can be a parent key. – Andrew Chow Aug 19 '18 at 04:58
  • Agree, m/0/0 is hackable. Can the grandparent be hackable for the code example i.e. m/0 once m/0/0 private key is disclosed? – brianinhk Aug 19 '18 at 05:06
  • No. You can only recover the private key if you have the xpub. So you need m/0's xpub in order to get its private key once you have m/0/0's private key. – Andrew Chow Aug 19 '18 at 05:20