## What are the consequences from the leak of xpub and child private key?

2

Let's say the following keys are leaked:

• Extended public key derived from path 44'/60'/4'
• Leaked child private key from path 44'/60'/4'/0

Does that imply all the child private keys of the root 44'/60'/4' can be computed? Looking and reading at the BIP32 and BIP44 - that doesn't seem to be the case. But wanted to confirm.

Also, if we know that it doesn't cause the sibling keys to be derived, then can I go and safely use the following public key of path 44'/60'/4'/1 without any worries?

To elaborate, BIP 44 uses non-hardened derivation to derive private keys after the account level. The child private key derivation equation is kchild = kpar + hash(Kpar, cpar, i). Here k represents private key, K represents public key, c is chain code and i is the index. Now, since your xpub at m/44'/60'/4' is leaked, the attacker has Kpar (first 256 bits of xpub) and chain code, c (latter 256 bits of the xpub). Since your child private key (m/44'/60'/4'/0) is also leaked, that means the attacker has kchild. Using the above equation the attacker can simply back-calculate kpar. Even if he doesn't know the index number (0 in your case), the attacker can simply run an iteration (just a space of 231 to exhaust).