slip-0039: small updates

parent e980e5d9
...@@ -65,7 +65,6 @@ This structure is then converted into a mnemonic passphrase by splitting it up b ...@@ -65,7 +65,6 @@ This structure is then converted into a mnemonic passphrase by splitting it up b
|---------------|-----------|------------------------| |---------------|-----------|------------------------|
| 128 bits | 144 bits | 170 bits = 17 words | | 128 bits | 144 bits | 170 bits = 17 words |
| 256 bits | 272 bits | 298 bits = 30 words | | 256 bits | 272 bits | 298 bits = 30 words |
| 512 bits | 528 bits | 544 bits = 55 words |
## Checksum ## Checksum
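Review bot: The removed row `| 512 bits | 528 bits | 544 bits = 55 words |` does not follow the pattern of the two rows that stay (144 to 170 and 272 to 298 each add 26 bits, while 528 to 544 adds only 16), so it is unclear whether this deletion fixes an arithmetic slip or withdraws the 512-bit size altogether. If 512 bits is no longer supported, say so in the text next to the table so that implementations reject that length instead of guessing an encoding; the commit message "small updates" does not cover it.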
...@@ -73,14 +72,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re ...@@ -73,14 +72,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
## Passphrase ## Passphrase
When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using PBKDF2, which servers as a key to an AES encryption. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string. When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using a key derivation function. Output is used as an encryption key passed to a symmetric-key cipher. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string.
(TODO: Use domain separation in PBKDF2)
![passphrase](slip-0039/passphrase.png) ![passphrase](slip-0039/passphrase.png)
This mechanism is intentionally symmetric to allow reconstructing the master secret from the seed in case the passphrase is known. This mechanism is intentionally symmetric to allow reconstructing the master secret from the seed in case the passphrase is known.
We propose to use 2000 rounds of PBKDF2 and one full computation of AES (TODO: which mode?). We will use PBKDF2 (PRF = HMAC-SHA256, Salt = "SLIP0039", iterations = 100000, dkLen = 256 bits) as the key derivation function and ChaCha20 as the symmetric-key cipher.
## Versioning ## Versioning
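Review bot: The last changed line of this hunk names ChaCha20 but gives no nonce or initial block counter, so the old "(TODO: which mode?)" question is deleted without its ChaCha20 equivalent being answered, and two implementations can pick different values and derive different seeds from the same master secret and passphrase. Specify both as fixed constants, which also keeps the mechanism symmetric as the preceding paragraph requires. Separately, the removed "(TODO: Use domain separation in PBKDF2)" is resolved with the constant Salt = "SLIP0039", which separates this use from other PBKDF2 uses but is identical for every user, so a passphrase-to-key table computed once applies to all of them; if that trade-off is accepted, state it in the text.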
......