A non-hardened private key is derived using the equations shown below. Lowercase letters represent private keys and uppercase letters represent public keys. G is the generator point, c is the chain code and i is the index number of the key being generated. Kpar and cpar together represent the extended public key (xpub); kpar and cpar together represent the extended private key.

k(i) = kpar + hash(Kpar, cpar, i)

Rearranging, you get: kpar = k(i) - hash(Kpar, cpar, i)
Now, let us say the attacker gets hold of k(i) and the xpub. Public keys can be generated from the xpub alone, without any private key, using the following equation:

K(i) = Kpar + hash(Kpar, cpar, i)*G

(see the Appendix below for why this equation holds). The attacker increments the index i in a loop until the equation produces the public key that belongs to k(i): when K(i) = k(i)*G, the attacker knows the index number. With the index in hand, kpar follows directly from kpar = k(i) - hash(Kpar, cpar, i).
Hardened keys prevent this by using the equation:

k(i) = kpar + hash(kpar, cpar, i)

So even if you get hold of the xpub and k(i), you cannot reverse-engineer kpar: that variable sits inside the one-way hash function and is not part of the xpub, so the hash value cannot be computed and there is nothing to subtract from k(i).
Appendix:

We saw above that k(i) = kpar + hash(Kpar, cpar, i). Multiplying both sides by the generator point G:

k(i)*G = kpar*G + hash(Kpar, cpar, i)*G

=> K(i) = Kpar + hash(Kpar, cpar, i)*G
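The three pieces above (non-hardened private derivation, public derivation from the xpub, and the hardened variant) as a worked example added here; it is not code from the original article. It implements the BIP32 form of the equations: hash(., cpar, i) is HMAC-SHA512 keyed by the chain code, its left 32 bytes are the scalar added to kpar modulo the curve order n, its right 32 bytes are the child chain code, and hardened indices (i >= 2^31) feed 0x00 || kpar to the HMAC instead of the parent public key. The affine secp256k1 arithmetic is a minimal implementation written for this example, the seed string and the index-scan limit are constructed for the demonstration, and Python 3.8+ is assumed for pow(x, -1, P).

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve BIP32 keys live on)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: indices >= 2^31 are hardened


def point_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p == -q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, p=G):
    """Double-and-add; scalar_mult(k) is the public key k*G for private scalar k."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def ser_p(point):
    """33-byte compressed encoding of a public key point (BIP32 serP)."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def bip32_hash(key_material, cpar, i):
    """The text's hash(..., cpar, i): HMAC-SHA512 keyed by the chain code.
    Returns (I_L as the scalar to add, I_R as the child chain code)."""
    digest = hmac.new(cpar, key_material + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def master_key(seed):
    """BIP32 master key from a seed (kpar, cpar). Reduction mod N is a demo simplification."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big") % N, digest[32:]


def derive_child_private(kpar, cpar, i):
    """k(i) = kpar + hash(...). Non-hardened hashes the parent PUBLIC key Kpar,
    hardened hashes the parent PRIVATE key kpar, so the xpub holder cannot evaluate it."""
    if i >= HARDENED:
        material = b"\x00" + kpar.to_bytes(32, "big")
    else:
        material = ser_p(scalar_mult(kpar))
    il, ci = bip32_hash(material, cpar, i)
    return (kpar + il) % N, ci


def derive_child_public(Kpar, cpar, i):
    """K(i) = Kpar + hash(Kpar, cpar, i)*G, from the xpub alone (non-hardened only)."""
    if i >= HARDENED:
        raise ValueError("hardened child needs kpar inside the hash; not derivable from xpub")
    il, ci = bip32_hash(ser_p(Kpar), cpar, i)
    return point_add(Kpar, scalar_mult(il)), ci


def recover_parent_private(k_i, Kpar, cpar, max_index=64):
    """The exposure described in the text: with a leaked child k(i) and the xpub (Kpar, cpar),
    scan indices until Kpar + hash*G == k(i)*G, then kpar = k(i) - hash.
    Returns (kpar, i), or None when no non-hardened index in range matches,
    which is what happens when the leaked child was hardened."""
    K_i = scalar_mult(k_i)
    for i in range(max_index):
        il, _ = bip32_hash(ser_p(Kpar), cpar, i)
        if point_add(Kpar, scalar_mult(il)) == K_i:
            return (k_i - il) % N, i
    return None


if __name__ == "__main__":
    seed = b"constructed demo seed, not a real wallet"   # constructed sample input
    kpar, cpar = master_key(seed)
    Kpar = scalar_mult(kpar)
    k3, _ = derive_child_private(kpar, cpar, 3)
    print("non-hardened child leaks parent:", recover_parent_private(k3, Kpar, cpar) == (kpar, 3))
    k3h, _ = derive_child_private(kpar, cpar, 3 + HARDENED)
    print("hardened child leaks parent:", recover_parent_private(k3h, Kpar, cpar))
```

Running it prints True for the non-hardened child and None for the hardened one; derive_child_public also refuses hardened indices, which is the same fact seen from the xpub side. This is why wallet derivation paths harden the account level: a leaked xpub plus one leaked non-hardened child key exposes only the keys below the nearest hardened ancestor, not the whole tree.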