@@ -38,7 +38,7 @@ The value to be encoded as the master secret must be a multiple of 8 bits. This
| master secret | 16-bit master secret checksum |
|---------------|-------------------------------|
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to a_7, the last bit maps to a_0). For each field element (S), the N share-elements are generated and mapped back to bytes. Each participating party receives the following data:
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to a_7, the last bit maps to a_0). For each such field element, N-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
| 5-bit index | 5-bit M threshold | variable-bit SSSS part | 16-bit checksum |
@@ -76,10 +76,10 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using a key derivation function. Output is used as an encryption key passed to a symmetric-key cipher. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string.
Passphrase should only contain ASCII characters to achieve best interoperability among various operating systems and wallet implementations.
This mechanism is intentionally symmetric to allow reconstructing the master secret from the seed in case the passphrase is known.
Passphrase should contain only ASCII characters to achieve the best interoperability among various operating systems and wallet implementations.
![passphrase](slip-0039/passphrase.png)
We will use PBKDF2 (PRF = HMAC-SHA256, Salt = "SLIP0039", iterations = 100000, dkLen = 256 bits) as the key derivation function and ChaCha20 as the symmetric-key cipher.