What are the consequences from the leak of xpub and child private key?


Let's say the following keys are leaked:

  • Extended public key derived from path 44'/60'/4'
  • Leaked child private key from path 44'/60'/4'/0

Does that imply all the child private keys of the root 44'/60'/4' can be computed? Looking at and reading BIP32 and BIP44, that doesn't seem to be the case. But I wanted to confirm.

Also, if we know that it doesn't cause the sibling keys to be derived, then can I go and safely use the following public key of path 44'/60'/4'/1 without any worries?


Posted 2019-09-24T12:20:21.293

Reputation: 135



If the above two keys are leaked, then your master private key at the account level (m/44'/60'/4') can be back-calculated. That means, any private key (both receiving and change) that you derive from that account is compromised.

To elaborate, BIP 44 uses non-hardened derivation to derive private keys after the account level. The child private key derivation equation is k_child = k_par + hash(K_par, c_par, i). Here k represents private key, K represents public key, c is chain code and i is the index. Now, since your xpub at m/44'/60'/4' is leaked, the attacker has K_par (first 256 bits of xpub) and chain code, c (latter 256 bits of the xpub). Since your child private key (m/44'/60'/4'/0) is also leaked, that means the attacker has k_child. Using the above equation the attacker can simply back-calculate k_par. Even if he doesn't know the index number (0 in your case), the attacker can simply run an iteration (just a space of 2^31 to exhaust).

Since your parent private key at the account level is compromised, you cannot use any addresses derived from the m/44'/60'/4' account unless you want to lose your bitcoins. However, you can safely use m/44'/60'/5' or other accounts.

Ugam Kamat

Posted 2019-09-24T12:20:21.293

Reputation: 6 378
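The answer above can be checked numerically. The following is an added example, not code from the question or the answer's author: a minimal pure-Python BIP32 CKDpriv over secp256k1 (HMAC-SHA512 plus affine curve arithmetic, no external libraries) run on a constructed seed. It derives the account node m/44'/60'/4', leaks only the account public key and chain code (what an xpub contains) together with the non-hardened child private key at index 0, and confirms that the account private key and therefore the sibling at index 1 follow from them. It then repeats the check with a hardened child (index 0') to show why hardened derivation, or keeping each exposed xpub to its own account as the answer recommends, contains the damage. The function names, the seed and the small index search limit are assumptions of this example.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants from SEC 2)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31  # BIP32 hardened index offset


def point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p=G):
    """Double-and-add scalar multiplication k*p (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def ser_p(point):
    """33-byte compressed encoding, BIP32's serP()."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master node: HMAC-SHA512 keyed with the string 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """BIP32 CKDpriv. Hardened indices hash the parent PRIVATE key; non-hardened
    indices hash only the parent PUBLIC key, which is exactly what an xpub exposes."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_p(point_mul(k_par))
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N or (il + k_par) % N == 0:
        raise ValueError("invalid child; BIP32 says skip this index")
    return (il + k_par) % N, i[32:]


def derive_path(k, c, indices):
    for idx in indices:
        k, c = ckd_priv(k, c, idx)
    return k, c


def recover_parent_from_xpub_and_child(K_par, c_par, k_child, search_limit):
    """The relation the answer describes: k_par = k_child - IL (mod n), where IL
    needs only (K_par, c_par) from the xpub. The unknown index is searched over
    non-hardened values below search_limit and confirmed by candidate*G == K_par."""
    for index in range(search_limit):
        i = hmac.new(c_par, ser_p(K_par) + index.to_bytes(4, "big"),
                     hashlib.sha512).digest()
        candidate = (k_child - int.from_bytes(i[:32], "big")) % N
        if point_mul(candidate) == K_par:
            return index, candidate
    return None


def demo(seed=b"constructed example seed, not a real wallet"):
    """Replay the question's scenario on a constructed seed and report what follows."""
    k_m, c_m = master_from_seed(seed)
    k_acct, c_acct = derive_path(k_m, c_m, [44 + HARDENED, 60 + HARDENED, 4 + HARDENED])
    K_acct = point_mul(k_acct)                 # K_acct + c_acct is the leaked xpub content
    k_child0, _ = ckd_priv(k_acct, c_acct, 0)  # the leaked child private key
    k_child1, _ = ckd_priv(k_acct, c_acct, 1)  # sibling the asker hoped was still safe

    found = recover_parent_from_xpub_and_child(K_acct, c_acct, k_child0, 8)
    sibling_from_found = None if found is None else ckd_priv(found[1], c_acct, 1)[0]

    # Mitigation check: a hardened child plus the xpub gives the same search nothing.
    k_child0h, _ = ckd_priv(k_acct, c_acct, 0 + HARDENED)
    hardened_attempt = recover_parent_from_xpub_and_child(K_acct, c_acct, k_child0h, 8)

    return {
        "parent_recovered": found is not None and found[1] == k_acct,
        "recovered_index": None if found is None else found[0],
        "sibling_1_compromised": sibling_from_found == k_child1,
        "hardened_child_recovers_parent": hardened_attempt is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the account private key and the index-1 sibling are both recovered from the xpub plus child 0, while the same search against a hardened child finds nothing, since its IL was computed from the parent private key the xpub does not contain. The practical consequence is the one the answer gives: treat every key under m/44'/60'/4' as compromised and move funds to a fresh account such as m/44'/60'/5', whose xpub and children share nothing with the leaked node.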