Password hashing / KDF

scrypt

Designed by Colin Percival (BSDCan 2009, RFC 7914 in 2016). scrypt was the first widely-deployed memory-hard password hashing function; it spawned the Password Hashing Competition that eventually produced Argon2. Still a sound choice when an implementation is at hand and you want CPU + memory cost.

At a glance

Cost parameters

• N , CPU/memory cost factor; must be a power of 2. Typical: 2¹⁴–2²⁰.
• r , block size; tune so the inner loop fits in L1/L2. Typical: 8.
• p , parallelism; independent invocations. Typical: 1.

At N = 215, r = 8 scrypt uses about 32 MiB per invocation. That was enormous in 2009 and still inconvenient for GPU attackers, but Argon2id can be pushed much higher.

Where it is used

• Litecoin / Dogecoin , proof-of-work uses scrypt (ASICs eventually undid the “ASIC-resistance” argument).
• Tarsnap , Percival’s backup product, the original use case.
• Ethereum keystores , the JSON wallet format pre-2020 uses scrypt.
• 1Password (pre-Argon2) , vault key derivation.

How it works

scrypt stretches the password with PBKDF2-HMAC-SHA-256, then feeds the output into ROMix: build a large array of Salsa20/8 outputs, then read from it in a sequence determined by the latest array element. The sequential write-then-shuffle is the memory-hardness lever , you can’t trade time for space because each read depends on a value you must have already computed.

Try it

The KDF Lab includes scrypt with interactive N, r, p sliders.

References

• RFC 7914 , The scrypt Password-Based KDF
• Percival , Stronger Key Derivation via Sequential Memory-Hard Functions (BSDCan 2009)
• Argon2id · PBKDF2