If the classical addition of the left 256 bits of the hash result to the private key of the parent is carried out, then it would result in a 512-bit private key of the child, which isn't right (the private key must be 256-bit).
As Michael Folkson explains in that reply you linked:
There is concatenation where 256 bits placed next to another 256 bits makes 512 bits. However, what you're referring to is scalar addition. A 256 bit number (256 bit parent private key) is added to another 256 bit number (left 256 bits of the SHA512) and the result modulo p (p = 2^256-2^32-977) is another 256 bit number.
It in some sense will behave like classical addition (before the modulo operation).
Though I'm not 100% sure where p is specifically defined, the modulo p operation where p = 2^256-2^32-977 is the relevant operation that will shorten the resulting key to 256 bit (because p is a 256 bit number).
So you add the left 256 bits to the parent private key to get the (large 512 bit) child private key, then you modulo p to shorten the result to 256 bit.
Okay, let's say you and Michael are right. How will the parent's private key be obtained knowing the child's private key? If the modulo operations are really used to obtain a 256-bit key, then inversion and obtaining the parent's private key can't be done at all... In the book, they say that it's "relatively easy" to obtain the parent's private key from knowing the child's private key.
This was discussed partially here: Xpriv can be calculated from the xpub + child private key?
according to: https://medium.com/@blainemalone01/hd-wallets-why-hardened-derivation-matters-89efcdc71671#cc82
the equation for deriving the parent key from the child is:
child private key = (left 32 bytes + parent private key) % n
Bob solves for the parent private key:
parent private key = (child private key - left 32 bytes) % n
Note that here we're using modulo n, which is the Secp256k1 curve order; this is a common operation in ECC. It's possible Michael meant modulo n, but I can not confirm this.
The same formula you provided is also mentioned here. But here they use G instead of n. I know that G is a generic point (a point on an elliptic curve) used to generate a public key from a private key. So is n really G?
In this section you'll find p is being used and is explained to be a global constant in Bitcoin software, but nothing more is said about it:
https://developer.bitcoin.org/devguide/wallets.html#hierarchical-deterministic-key-creation
In this section G is being used:
https://developer.bitcoin.org/devguide/wallets.html#id5
I know for certain G is used to derive public from private keys by scalar multiplication.
I don't want to state any incorrect information about the usage of these values; my opinion is that in this circumstance it makes more sense that the modulo operation is done via n, because of this article that seems to detail it extremely well, but since I do not know for certain I can only try to provide researched context.