How does the wallet recovery phrase work? What is the private key generation algorithm?


When you back up your Brave Payments wallet, it gives you a recovery phrase (16 or so English words).

I am guessing that these words are used as a seed in some algorithm that generates a private key (the private key associated with the address that’s managed by the Brave wallet).

Is this algorithm standardized or known to the public?



I would have to cc @mrose on that


It derives an ed25519 keypair from that seed and a salt, please see for details.


Thanks. If we have the mnemonic for private key recovery, then wouldn’t that mean the Brave Payments wallet (in early Mercury) isn’t really unidirectional? That is, although there may not be a way to withdraw your funds with a GUI, you could in principle just use the mnemonic to recover the private key (since we know the algorithm), and then use that private key with another non-Brave wallet software (like MyEtherWallet) to transfer BAT out.

Let me know if anything prevents me from doing that. (Perhaps the salt value is unknown to the user?)