-snip- but I'm assuming the kangaroo method wouldn't be able to extend past the public and private key and take advantage of the 128bit seed.
Correct, kangaroo is utilizing ECDLP for secp256k1 curve which computes the private key from its public key
pairso it's not applicable to compute the seed from the public key which doesn't directly involve secp256k1.
In this example the 256bit private key is derived from a 128bit seed so the 256bit private key is effectively 128bits of entropy.
The "
master private key" derived from the seed is calculated with
HMAC-SHA512 which outputs 256-bit private key and 256-bit chain code regardless if the seed is 128bits.
So still an overall of 128-bit security: it requires 128-bit operations to compute the (
master) private key from (
master) public key via ECDLP or 128-bit operations to blindly bruteforce the seed.