Hardened and non-hardened derivation

From Trezor Wiki

There are two possible types of BIP32 derivation: hardened and non-hardened. In standard BIP32 path notation, hardened derivation at a particular level is indicated by an apostrophe. For example, in the following path hardened derivation is used for the first three levels, while non-hardened derivation is used for the last two levels:

m / 44' / 0' / 1' / 1 / 33

With non-hardened keys, you can prove a child public key is linked to a parent public key using just the public keys. You can also derive public child keys from a public parent key, which enables watch-only wallets. With hardened child keys, you cannot prove that a child public key is linked to a parent public key.

Hardened keys are the safer choice, but there are use cases for non-hardened keys. A parent extended public key together with a non-hardened child private key can expose the parent private key. This means that extended public keys must be treated more carefully than regular public keys. It is also the reason hardened keys exist and why they are used for the account level in the tree. This way, a leak of account-specific (or below) private keys never risks compromising the master or other accounts.
