BIP32 private key derivation edge case about pycoin HOT 5 CLOSED

Alternatively, what about raising an error instead? I know this is not standards-compliant, but if someone really needs that functionality they can just increment the value themselves and try again, I believe.

👍 for raising an exception in this case.

The caller should probably know whether the subkey at a particular index is invalid and be responsible for skipping it. (By the way, I'm pretty sure this is exactly what the standard calls for.) Consider the case where index x is invalid if one didn't raise an exception:

i = x - 1
subkey = node.subkey(i) # returns subkey for x -1
i = x
subkey = node.subkey(i) # silently returns subkey for x + 1
i = x + 1
subkey = node.subkey(i) # returns already-seen subkey

If one were to silently move onto the next valid key, then the caller has to perform at least one look-ahead to make sure a distinct subkey is returned for every single call to subkey. This is probably not what you want.

UPDATE: I misspoke. A look-ahead is unnecessary, since one could look at child_node of the derived key, but this means that the caller would still need to check whether child_node == i for every derivation. This is still probably not what you want (but see the update in my next comment).

from pycoin.

Note that there's a similar edge condition for public parent key to public child key derivation. From https://github.com/bitcoin/bips/blob/2ea19daaa0380fed7a2b053fd1f488fadba28bda/bip-0032.mediawiki#public-parent-key--public-child-key:

In case parse₂₅₆(I_L) ≥ n or K_i is the point at infinity, the resulting key is invalid, and one should proceed with the next value for i.

I haven't yet investigated how pycoin's ECDSA implementation represents K_i "at infinity"....

UPDATE: I took a look at how bitcoinj does this, and it looks like it has a helper method that silently consumes the offending subkey, but otherwise it raises an exception (see private and public derivation). Keep in mind that each DeterministicKey in bitcoinj stores its entire derivation path as well as a pointer to its parent key. pycoin keeps track fo the child index and the parent fingerprint, so additional work is required by the caller to traverse the tree.

from pycoin.

Has anyone found a test vector for these cases yet? 😏 Just for fun, I checked around. BIP32 has none. The bitcoin reference implementation only uses the original test vectors, as does bitcoinj.

from pycoin.

I'm thinking the right approach is to either raise exceptions from subkey_secret_exponent_chain_code_pair and subkey_public_pair_chain_code_pair, or return (None, None) from those functions, and then raise exceptions from BIP32Node._subkey(...) when observing that return value.

from pycoin.

@kanzure, check out PR #108. As far as skipping bad keys is concerned, I didn't add any convenience functions to BIP32Node, but I did augment the ku script to keep trying in the (incredibly unlucky) event of stumbling onto a bad subkey.

Anyway, let me know what you think.

from pycoin.