https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki#confirmation-codeConfirmation code
The party generating the Bitcoin address has the option to return a confirmation code back to owner which allows owner to independently verify that he has been given a Bitcoin address that actually depends on his passphrase, and to confirm the lot and sequence numbers (if applicable). This protects owner from being given a Bitcoin address by the second party that is unrelated to the key derivation and possibly spendable by the second party. If a Bitcoin address given to owner can be successfully regenerated through the confirmation process, owner can be reasonably assured that any spending without the passphrase is infeasible. This confirmation code is 75 characters starting with "cfrm38".
To generate it, we need flagbyte, ownerentropy, factorb, derivedhalf1 and derivedhalf2 from the original encryption operation.
ECMultiply factorb by G, call the result pointb. The result is 33 bytes.
The first byte is 0x02 or 0x03. XOR it by (derivedhalf2[31] & 0x01), call the resulting byte pointbprefix.
Do AES256Encrypt(block = (pointb[1...16] xor derivedhalf1[0...15]), key = derivedhalf2) and call the result pointbx1.
Do AES256Encrypt(block = (pointb[17...32] xor derivedhalf1[16...31]), key = derivedhalf2) and call the result pointbx2.
Concatenate pointbprefix + pointbx1 + pointbx2 (total 33 bytes) and call the result encryptedpointb.
The result is a Base58Check-encoded concatenation of the following:
0x64 0x3B 0xF6 0xA8 0x9A + flagbyte + addresshash + ownerentropy + encryptedpointb
A confirmation tool, given a passphrase and a confirmation code, can recalculate the address, verify the address hash, and then assert the following: "It is confirmed that Bitcoin address address depends on this passphrase". If applicable: "The lot number is lotnumber and the sequence number is sequencenumber."
To recalculate the address:
Derive passfactor using scrypt with ownerentropy and the user's passphrase and use it to recompute passpoint
Derive decryption key for pointb using scrypt with passpoint, addresshash, and ownerentropy
Decrypt encryptedpointb to yield pointb
ECMultiply pointb by passfactor. Use the resulting EC point as a public key and hash it into address using either compressed or uncompressed public key methodology as specifid in flagbyte.
Decryption
Collect encrypted private key and passphrase from user.
Derive passfactor using scrypt with ownersalt and the user's passphrase and use it to recompute passpoint
Derive decryption key for seedb using scrypt with passpoint, addresshash, and ownerentropy
Decrypt encryptedpart2 using AES256Decrypt to yield the last 8 bytes of seedb and the last 8 bytes of encryptedpart1.
Decrypt encryptedpart1 to yield the remainder of seedb.
Use seedb to compute factorb.
Multiply passfactor by factorb mod N to yield the private key associated with generatedaddress.
Convert that private key into a Bitcoin address, honoring the compression preference specified in the encrypted key.
Hash the Bitcoin address, and verify that addresshash from the encrypted private key record matches the hash. If not, report that the passphrase entry was incorrect.
