How does the wallet recovery phrase work? What is the private key generation algorithm?


When you backup your Brave Payments wallet, it gives you a recovery phrase (16 or so English words).

I am guessing that these words are used as a seed in some algorithm that generates a private key (the private key associated with the address that’s managed by the Brave wallet).

Is this algorithm standardized or known to the public?



I would have to cc @mrose on that


It derives an ed25519 keypair from that seed and a salt, please see for details.


Thanks. If we have the mnemonic for private key recovery, then wouldn’t that mean the Brave payments wallet (In early Mercury) isn’t really unidirectional? That is, although there may not be a way to withdraw your funds with a GUI, you could in principle just use the mnemonic to recover the private key (since we know the algorithm), and then use that private key with another non-Brave wallet software (like MyEtherWallet) to transfer BAT out.

Let me know if anything prevents me from doing that. (Perhaps the salt value is unknown to the user?)

Edit from 2 years later: When I originally posted this, I was not yet an employee at Brave Software and was still learning about the platform from the outside. I now am on the Brave team, and better understand how this system works.

In short, the private key inside your browser does in fact sign transactions, and allows you to control your funds in an anonymous way. However, the private key is not part of a private key/public key pair on the blockchain. Instead, it’s part of a private key/public key scheme that works with Uphold’s private infrastructure. Remember: private key/public key schemes may exist outside the blockchain context, just like “forking” does too!