If the classical addition of the left 256 bits of the hash consequence to the personal key of the guardian is applied, then it’s going to result in a 512-bit personal key of the kid, which isn’t appropriate (the personal key ought to be 256-bit).
As Michael Folkson explains in that reply you linked:
There may be concatenation the place 256 bits positioned subsequent to a different 256 bits makes 512 bits. Nevertheless, what you might be referring to is scalar addition. A 256 bit quantity (256 bit guardian personal key) is added to a different 256 bit quantity (left 256 bits of the SHA512) and the consequence modulo p (p = 2^256-2^32-977) is one other 256 bit quantity.
It in some sense will behave like classical addition (earlier than the modulo operation).
Though I’m not 100% positive the place p is particularly outlined, the modulo p operation the place p = 2^256-2^32-977 is the related operation that may shorten the ensuing key to 256 bit. (as a result of p is a 256 bit quantity)
So that you add the left 256 bits to the guardian personal key to get the ( massive 512 bit ) little one personal key, you then modulo p to shorten the consequence to 256 bit.
Okay, as an example you and Michael are proper. How will the guardian’s personal key be obtained realizing the kid’s personal key? If the module’s operations are actually used to acquire a 256-bit key, then inversion and acquiring the guardian’s personal key can’t be carried out in any respect… Within the e-book, they are saying that it’s “comparatively straightforward” to acquire the guardian’s personal key from realizing the kid’s personal key.
This was mentioned partially right here Xpriv could be calculated from the xpub + little one personal key?
in line with: https://medium.com/@blainemalone01/hd-wallets-why-hardened-derivation-matters-89efcdc71671#cc82
the equation for deriving the guardian key from little one is:
little one personal key = (left 32 bytes + guardian personal key) % n
Bob solves for guardian personal key:
guardian personal key = (little one personal key - left 32 bytes) % n
Notice right here we’re utilizing modulo n which is the Secp256k1 curve order, it is a frequent operation in ECC. It’s potential Michael meant modulo n however I can not verify this.
The identical method you offered can also be talked about right here. However right here they use G as a substitute of n. I do know that G is a generic level (some extent on an elliptic curve) used to generate a public key from a personal key. So is n really G?)
On this part you’ll discover p is getting used and is defined to be a world fixed in Bitcoin software program however nothing extra is alleged about it:
https://developer.bitcoin.org/devguide/wallets.html#hierarchical-deterministic-key-creation
This part G is getting used:
https://developer.bitcoin.org/devguide/wallets.html#id5
I do know for sure G is used to derive public from personal keys by way of scalar multiplication.
I don’t need to state any incorrect details in regards to the utilization of those values, my opinion is that on this circumstance it makes extra sense that the modulo operation is finished by way of n due to this article that appears to element it extraordinarily effectively however since I do not know for sure I can solely try to supply researched context.
