The key difference lies in how chain codes are used in hardened vs non-hardened derivation.
- In non-hardened derivation, the child is derived from the parent’s public key together with the parent’s chain code. This means the chain code is effectively a public value, exposing it is not a problem, because the formula assumes it will be used with public data anyway.
- In hardened derivation, the child is derived from the parent’s private key together with the chain code. In this case, even if you know the parent’s chain code, you cannot compute the child or invert the process to get the parent key, because the HMAC input includes the parent’s private key.
That’s why children derived from a hardened parent are not vulnerable to the “xpub + child private key” attack as you cannot retrieve the parent’s private key, since the hardened derivation never exposes enough information.
To see it clearer:
c1 = parent chain code
I = HMAC-SHA512(key = c1, data = 0x00 || ser256(sk_parent) || ser32(n))
IL || IR = I
sk_child = (parse256(IL) + sk_parent) mod n
c2 = IR
As can be seen, there is no way to know I even if you know c1, because the parent’s private key is part of the HMAC input.
This is also explained here:
Can we derive parent’s private key using child’s private key?
