Definition
Hardened derivation is a BIP32 safety mechanism used when deriving child keys at indices 2^31 and above. In wallet paths these indices are written with an apostrophe or an "h" (for example m/84'/0'/0'). Hardened derivation exists to close a specific and dangerous leak in non-hardened derivation.
The vulnerability it prevents
With normal (non-hardened) derivation, child keys are derived using the parent public key. The trade-off is stark: if an attacker holds a parent extended public key (xpub) and just one non-hardened child private key, they can algebraically recover the parent private key, and from there every sibling and descendant. BIP32 states this plainly: knowing a parent xpub plus any non-hardened child private key is equivalent to knowing the parent extended private key.
How hardening closes it
Hardened derivation instead mixes the parent private key into the HMAC-SHA512 computation. As a result, you cannot derive hardened children from an xpub alone, and crucially the leak above no longer works: a compromised hardened child reveals nothing about its parent. The cost is that hardened branches cannot be used for watch-only public derivation, which is why wallets typically harden the upper levels (purpose, coin type, account) and leave only the final change and address-index levels non-hardened.
This is why a shared extended public key (xpub) exposes addresses but not spending keys, and it is a core guarantee of the BIP32 HD wallet design that sovereign Bitcoiners rely on.
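The two derivation rules side by side, as an added example (not code from BIP32 or any wallet): it shows that the non-hardened tweak IL can be computed from xpub data alone, which is what makes child = IL + parent reversible, while the hardened tweak needs the parent private key. The function names and the sample key and chain code are constructed for illustration, and the sketch omits BIP32's validity checks (IL >= n, zero child key).

```python
import hashlib, hmac

# secp256k1 field prime, group order and generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 2**31  # first hardened index, written 0' or 0h in paths

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def pubkey(k):
    """Compressed public key for private scalar k (double-and-add)."""
    r, q = None, G
    while k:
        if k & 1: r = add(r, q)
        q, k = add(q, q), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def tweak(chain_code, index, parent_priv=None, parent_pub=None):
    """Return IL, the scalar BIP32 adds to the parent private key."""
    if index >= HARDENED:
        if parent_priv is None:
            raise ValueError("hardened child needs the parent private key")
        data = b"\x00" + parent_priv.to_bytes(32, "big")  # private input
    else:
        data = parent_pub or pubkey(parent_priv)           # public input
    mac = hmac.new(chain_code, data + index.to_bytes(4, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest()[:32], "big")

def ckd_priv(parent_priv, chain_code, index):
    """Private child derivation: child = (IL + parent) mod n."""
    return (tweak(chain_code, index, parent_priv=parent_priv) + parent_priv) % N

def demo():
    """True if xpub data plus one non-hardened child key yields the parent."""
    parent = int.from_bytes(hashlib.sha256(b"constructed parent").digest(), "big") % N
    chain = hashlib.sha256(b"constructed chain code").digest()
    child = ckd_priv(parent, chain, 0)               # non-hardened child key
    il = tweak(chain, 0, parent_pub=pubkey(parent))  # computed from xpub data only
    return (child - il) % N == parent
```

Calling tweak with an index of HARDENED or above and only parent_pub raises ValueError, because the HMAC input for a hardened child is the parent private key itself.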
