In BIP 0032 two key derivation functions are introduced. These functions can be used to deterministically derive private keys k_i knowing an extended private key denoted (k_par, c_par) and, correspondingly, public keys K_i from an extended public key (K_par, c_par).

Knowing an extended public key it is not possible to generate private keys; however, this BIP briefly mentions that knowing an extended public key (K_par, c_par) and a derived private key k_i (could be at any depth since public keys can be derived to any depth, but let's say it's at depth 1) allows recovering the private key k_par, which is terrible (security-wise).

I tried analyzing how that is possible and I can't see how (isn't the HMAC-SHA512 function supposed to make it impossible to go 'back the chain'?).

On a side note, how can we teach a random newbie (apart from posting on the newbie board) about that security risk before they start using deterministic wallets? (Or should we even care?)
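The arithmetic behind the property the post asks about, worked through in Python as an added example (this is not code from the post, nor the BIP32 reference implementation; the parent key and chain code are constructed sample values, and the curve code is a minimal affine secp256k1 implementation written for the demo). The point it makes: HMAC-SHA512 is never inverted. In non-hardened CKDpriv the child is k_i = (I_L + k_par) mod n, where I_L is the left half of HMAC-SHA512(key = c_par, data = serP(K_par) || ser32(i)). Every one of those HMAC inputs is contained in the extended public key, so an xpub holder simply recomputes I_L and gets k_par = (k_i - I_L) mod n. The example goes one step beyond the post and also shows the mitigation BIP32 defines for exactly this reason: a hardened child (index >= 2^31) feeds ser256(k_par) into the HMAC instead of serP(K_par), so the xpub holder cannot reproduce I_L and the same subtraction yields garbage.

```python
import hashlib
import hmac

# secp256k1 domain parameters (published curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31  # BIP32: indexes >= 2^31 are hardened


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ser_p(pt):
    """BIP32 serP: 33-byte compressed SEC1 encoding of a point."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def bip32_i(c_par, data, i):
    """I = HMAC-SHA512(key=c_par, data || ser32(i)); returns (I_L as int, I_R)."""
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]


def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: child private key k_i = (I_L + k_par) mod n."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")  # hardened: HMAC input needs k_par
    else:
        data = ser_p(point_mul(k_par, G))            # non-hardened: only K_par
    il, c_i = bip32_i(c_par, data, i)
    # BIP32 also requires I_L < n and k_i != 0 (retry with next i); omitted here.
    return (il + k_par) % N, c_i


def ckd_pub(K_par, c_par, i):
    """BIP32 CKDpub (non-hardened only): K_i = I_L*G + K_par."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    il, c_i = bip32_i(c_par, ser_p(K_par), i)
    return point_add(point_mul(il, G), K_par), c_i


def recover_parent_from_xpub(K_par, c_par, i, k_i):
    """What an xpub holder can compute: I_L from (K_par, c_par, i), then k_i - I_L.

    Equals k_par exactly when child i was derived non-hardened, because only then
    does the xpub holder reproduce the HMAC input that CKDpriv used.
    """
    il, _ = bip32_i(c_par, ser_p(K_par), i)
    return (k_i - il) % N


def demo(i):
    """Derive child i from a constructed parent, then check whether the xpub-side
    formula returns the true k_par. Returns True when k_par is recovered."""
    # Constructed sample parent key and chain code; not from any real wallet.
    k_par = int.from_bytes(hashlib.sha256(b"constructed parent key").digest(), "big") % N
    c_par = hashlib.sha256(b"constructed chain code").digest()
    K_par = point_mul(k_par, G)

    k_i, _ = ckd_priv(k_par, c_par, i)
    if i < HARDENED:
        K_i, _ = ckd_pub(K_par, c_par, i)
        assert point_mul(k_i, G) == K_i  # CKDpriv and CKDpub agree on the child
    return recover_parent_from_xpub(K_par, c_par, i, k_i) == k_par


if __name__ == "__main__":
    print("non-hardened child + xpub reveals k_par:", demo(1))           # True
    print("hardened child + xpub reveals k_par:    ", demo(HARDENED + 1))  # False
```

The practical rule this illustrates for wallet users: an extended public key plus any single non-hardened descendant private key is equivalent to the extended private key at that level, so an xpub shared for watch-only or accounting purposes must never be combined with exporting individual child keys from the same branch, and branches whose private keys might ever be exported should be placed under a hardened index.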