@@ -74,15 +74,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
## Passphrase
When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we suggest a following scenario. The passphrase is stretched using a key derivation function. Output is used as an encryption key passed to a symmetric-key cipher. The result of this encryption is the final seed to be used. If no passphrase is provided the passphrase is set to an empty string.
This mechanism is intentionally symmetric to allow reconstructing the master secret from the seed in case the passphrase is known.
When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.
Passphrase should contain only ASCII characters to achieve the best interoperability among various operating systems and wallet implementations.
We will use PBKDF2 (PRF = HMAC-SHA256, Salt = "SLIP0039", iterations = 100000, dkLen = 256 bits) as the key derivation function and ChaCha20 as the symmetric-key cipher.
We will use PBKDF2 (PRF = HMAC-SHA256, Password = master_secret, Salt = "SLIP0039" + passphrase, iterations = 20000, dkLen = 256 bits) as the key derivation function.
