(a-1) | Only the user may reconstitute the key |
(a-2) | The encryption key will be split into shares between the user and the server |
(a-2-i) | The user’s share will be derived solely from a passphrase of the user’s choosing |
(a-2-ii) | The server’s share will be derived from the user’s share and the encryption key |
(a-3) | The encryption key can only be reconstituted from both the user and server shares together |
(a-4) | Compromise of the passphrase will not compromise future encryptions of the passwords |
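
One way to satisfy requirements (a-2) through (a-4), shown as an added example rather than code from the design itself. It assumes a 2-of-2 XOR split and PBKDF2-HMAC-SHA256 as the passphrase KDF, neither of which the table specifies; all function names and the iteration count are hypothetical.

```python
import hashlib
import secrets

# Assumptions (not from the requirements table): XOR split, PBKDF2 KDF.
KEY_LEN = 32                 # 256-bit encryption key
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def derive_user_share(passphrase: str, salt: bytes) -> bytes:
    """(a-2-i) User's share: derived solely from the passphrase.
    The salt is public and is stored alongside the server's share."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(passphrase: str):
    """Client side: pick a random key, split it, return (key, server_record).
    (a-2-ii) The server's share is computed from the user's share and the key."""
    key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    server_share = xor(key, derive_user_share(passphrase, salt))
    return key, {"salt": salt, "server_share": server_share}


def reconstitute(passphrase: str, server_record: dict) -> bytes:
    """(a-3) Both shares are needed. A wrong passphrase yields a different,
    wrong key rather than an error, so ciphertexts must be authenticated
    (for example with an AEAD tag) to detect it."""
    share = derive_user_share(passphrase, server_record["salt"])
    return xor(share, server_record["server_share"])


def rotate(new_passphrase: str):
    """(a-4) After a passphrase compromise: fresh key, fresh salt, new split.
    Data encrypted from then on uses the new key, which the old passphrase
    cannot reconstitute."""
    return enroll(new_passphrase)
```

Because the user's share comes from a passphrase, the split protects the key only as far as the passphrase resists guessing, which is why the example uses a slow KDF.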