If the classical addition of the left 256 bits of the hash consequence to the non-public key of the dad or mum is carried out, then it’s going to result in a 512-bit non-public key of the kid, which isn’t appropriate (the non-public key ought to be 256-bit).
As Michael Folkson explains in that reply you linked:
There may be concatenation the place 256 bits positioned subsequent to a different 256 bits makes 512 bits. Nonetheless, what you’re referring to is scalar addition. A 256 bit quantity (256 bit dad or mum non-public key) is added to a different 256 bit quantity (left 256 bits of the SHA512) and the consequence modulo p (p = 2^256-2^32-977) is one other 256 bit quantity.
It in some sense will behave like classical addition (earlier than the modulo operation).
Though I’m not 100% certain the place p is particularly outlined, the modulo p operation the place p = 2^256-2^32-977 is the related operation that can shorten the ensuing key to 256 bit. (as a result of p is a 256 bit quantity)
So that you add the left 256 bits to the dad or mum non-public key to get the ( massive 512 bit ) baby non-public key, then you definately modulo p to shorten the consequence to 256 bit.
Okay, as an example you and Michael are proper. How will the dad or mum’s non-public key be obtained realizing the kid’s non-public key? If the module’s operations are actually used to acquire a 256-bit key, then inversion and acquiring the dad or mum’s non-public key can’t be carried out in any respect… Within the e book, they are saying that it’s “comparatively straightforward” to acquire the dad or mum’s non-public key from realizing the kid’s non-public key.
This was mentioned partially right here Xpriv might be calculated from the xpub + baby non-public key?
in response to: https://medium.com/@blainemalone01/hd-wallets-why-hardened-derivation-matters-89efcdc71671#cc82
the equation for deriving the dad or mum key from baby is:
baby non-public key = (left 32 bytes + dad or mum non-public key) % n
Bob solves for dad or mum non-public key:
dad or mum non-public key = (baby non-public key - left 32 bytes) % n
Be aware right here we’re utilizing modulo n which is the Secp256k1 curve order, it is a widespread operation in ECC. It’s attainable Michael meant modulo n however I can not verify this.