slip-0039: small updates

slip-0039.md

@@ -65,7 +65,6 @@ This structure is then converted into a mnemonic passphrase by splitting it up b
 |---------------|-----------|------------------------|
 | 128 bits      | 144 bits  | 170 bits = 17 words    |
 | 256 bits      | 272 bits  | 298 bits = 30 words    |
-| 512 bits      | 528 bits  | 544 bits = 55 words    |
 
 ## Checksum
 
@@ -73,14 +72,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
 
 ## Passphrase
 
-When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using PBKDF2, which servers as a key to an AES encryption. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string.
-(TODO: Use domain separation in PBKDF2)
+When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using a key derivation function. Output is used as an encryption key passed to a symmetric-key cipher. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string.
 
 ![passphrase](slip-0039/passphrase.png)
 
 This mechanism is intentionally symmetric to allow reconstructing the master secret from the seed in case the passphrase is known.
 
-We propose to use 2000 rounds of PBKDF2 and one full computation of AES (TODO: which mode?).
+We will use PBKDF2 (PRF = HMAC-SHA256, Salt = "SLIP0039", iterations = 100000, dkLen = 256 bits) as the key derivation function and ChaCha20 as the symmetric-key cipher.
 
 ## Versioning