# Scrypt

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Scrypt
> Markdown URL: https://mediated.wiki/source/Scrypt.md
> Source: https://en.wikipedia.org/wiki/Scrypt
> Source revision: 1332071125
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

2009 password-based key derivation function

Not to be confused with [Script (disambiguation)](/source/Script_(disambiguation)).

| scrypt | |
|---|---|
| **General** | |
| Designers | Colin Percival |
| First published | 2009 |
| **Cipher detail** | |
| Digest sizes | variable |
| Block sizes | variable |
| Rounds | variable |

In [cryptography](/source/Cryptography), **scrypt** (pronounced "ess crypt"[1]) is a password-based [key derivation function](/source/Key_derivation_function) created by [Colin Percival](/source/Colin_Percival) in March 2009, originally for the [Tarsnap](/source/Tarsnap) online backup service.[2][3] The algorithm was specifically designed to make it costly to perform large-scale [custom hardware attacks](/source/Custom_hardware_attack) by requiring large amounts of memory. In 2016, the scrypt algorithm was published by [IETF](/source/Internet_Engineering_Task_Force) as RFC 7914.[4] A simplified version of scrypt is used as a [proof-of-work](/source/Proof-of-work) scheme by a number of [cryptocurrencies](/source/Cryptocurrency), first implemented by an anonymous programmer called ArtForz in Tenebrix and followed by Fairbrix and [Litecoin](/source/Litecoin) soon after.[5]

## Introduction

A password-based [key derivation function](/source/Key_derivation_function) (password-based KDF) is generally designed to be computationally intensive, so that it takes a relatively long time to compute (say on the order of several hundred milliseconds). Legitimate users only need to perform the function once per operation (e.g., authentication), and so the time required is negligible. However, a [brute-force attack](/source/Brute-force_attack) would likely need to perform the operation billions of times, at which point the time requirements become significant and, ideally, prohibitive.

Previous password-based KDFs (such as the popular [PBKDF2](/source/PBKDF2) from [RSA Laboratories](/source/RSA_Laboratories)) have relatively low resource demands, meaning they do not require elaborate hardware or very much memory to perform. They are therefore easily and cheaply implemented in hardware (for instance on an [ASIC](/source/Application-specific_integrated_circuit) or even an [FPGA](/source/Field-programmable_gate_array)). This allows an attacker with sufficient resources to launch a large-scale parallel attack by building hundreds or even thousands of implementations of the algorithm in hardware and having each search a different subset of the key space. This divides the amount of time needed to complete a brute-force attack by the number of implementations available, very possibly bringing it down to a reasonable time frame.

The scrypt function is designed to hinder such attempts by raising the resource demands of the algorithm. Specifically, the algorithm is designed to use a large amount of memory compared to other password-based KDFs,[6] making the size and the cost of a hardware implementation much more expensive, and therefore limiting the amount of parallelism an attacker can use, for a given amount of financial resources.

## Overview

The large memory requirements of scrypt come from a large vector of [pseudorandom](/source/Pseudorandom) bit strings that are generated as part of the algorithm. Once the vector is generated, the elements of it are accessed in a pseudo-random order and combined to produce the derived key. A straightforward implementation would need to keep the entire vector in RAM so that it can be accessed as needed.

Because the elements of the vector are generated algorithmically, each element could be generated *on the fly* as needed, only storing one element in memory at a time and therefore cutting the memory requirements significantly. However, the generation of each element is intended to be computationally expensive, and the elements are expected to be accessed many times throughout the execution of the function. Thus there is a significant trade-off in speed to get rid of the large memory requirements.

This sort of [time–memory trade-off](/source/Space%E2%80%93time_tradeoff) often exists in computer algorithms: speed can be increased at the cost of using more memory, or memory requirements decreased at the cost of performing more operations and taking longer. The idea behind scrypt is to deliberately make this trade-off costly in either direction. Thus an attacker could use an implementation that doesn't require many resources (and can therefore be massively parallelized with limited expense) but runs very slowly, or use an implementation that runs more quickly but has very large memory requirements and is therefore more expensive to parallelize.

## Algorithm

 **Function** scrypt
    **Inputs:** *This algorithm includes the following parameters:*
       Passphrase:                Bytes    string of characters to be hashed
       [Salt](/source/Salt_(cryptography)):                      Bytes    string of random characters that modifies the hash to protect against [Rainbow table](/source/Rainbow_table) attacks
       CostFactor (N):            Integer  CPU/memory cost parameter – Must be a power of 2 (e.g. 1024)
       BlockSizeFactor (r):       Integer  blocksize parameter, which fine-tunes sequential memory read size and performance. (8 is commonly used)
       ParallelizationFactor (p): Integer  *Parallelization parameter*. (1 .. (2^32 − 1) * hLen / MFlen)
       DesiredKeyLen (dkLen):     Integer  Desired key length in bytes
                                           (Intended output length in octets of the derived key;
                                            a positive integer satisfying dkLen ≤ (2^32 − 1) * hLen.)
       hLen:                      Integer  The length in octets of the hash function (32 for SHA256).
       MFlen:                     Integer  The length in octets of the output of the mixing function (*SMix* below). Defined as r * 128 in RFC7914.
    **Output:**
       DerivedKey:                Bytes    array of bytes, DesiredKeyLen long

    *Step 1. Generate expensive salt*
    blockSize ← 128*BlockSizeFactor  *// Length (in bytes) of the SMix mixing function output (e.g. 128*8 = 1024 bytes)*

    Use PBKDF2 to generate initial 128*BlockSizeFactor*p bytes of data (e.g. 128*8*3 = 3072 bytes)
    Treat the result as an array of *p* elements, each entry being *blocksize* bytes (e.g. 3 elements, each 1024 bytes)
    [B0...Bp−1] ← [PBKDF2](/source/PBKDF2)HMAC-SHA256(*Passphrase*, *Salt*, 1, blockSize*ParallelizationFactor)

    Mix each block in **B** CostFactor times using the **ROMix** function (each block can be mixed in parallel)
    **for** i ← 0 **to** p-1 **do**
       Bi ← ROMix(Bi, CostFactor)

    Together, the elements of B form our new "expensive" salt
    expensiveSalt ← B0∥B1∥B2∥ ... ∥Bp-1  *// where ∥ is concatenation*

    *Step 2. Use PBKDF2 to generate the desired number of bytes, but using the expensive salt we just generated*
    **return** PBKDF2HMAC-SHA256(Passphrase, expensiveSalt, 1, DesiredKeyLen);

Where *PBKDF2(P, S, c, dkLen)* notation is defined in RFC 2898, where c is an iteration count.

This notation is used by RFC 7914 for specifying a usage of PBKDF2 with c = 1.

**Function** ROMix(Block, Iterations)

   Create *Iterations* copies of *X*
   X ← Block
   **for** i ← 0 **to** Iterations−1 **do**
      Vi ← X
      X ← BlockMix(X)

   **for** i ← 0 **to** Iterations−1 **do**
      j ← Integerify(X) mod Iterations
      X ← BlockMix(X **xor** Vj)

   **return** X

Where RFC 7914 defines Integerify(X) as the result of interpreting the last 64 bytes of X as a *little-endian* integer A1.

Since Iterations equals 2 to the power of N, only the *first* Ceiling(N / 8) bytes among the *last* 64 bytes of X, interpreted as a *little-endian* integer A2, are actually needed to compute Integerify(X) mod Iterations = A1 mod Iterations = A2 mod Iterations.

**Function** BlockMix(B):

    *The block B is r 128-byte chunks (which is equivalent of 2r 64-byte chunks)*
    r ← Length(B) / 128;

    *Treat B as an array of 2r 64-byte chunks*
    [B0...B2r-1] ← B

    X ← B2r−1
    **for** i ← 0 **to** 2r−1 **do**
        X ← Salsa20/8(X xor Bi)  **// Salsa20/8 hashes from 64-bytes to 64-bytes**
        Yi ← X

    **return** Y0∥Y2∥...∥Y2r−2 ∥ Y1∥Y3∥...∥Y2r−1

Where *Salsa20/8* is the 8-round version of [Salsa20](/source/Salsa20).
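The pseudocode above translated step by step into Python, as an added example (not code from the article or from the Tarsnap implementation); the function names are chosen here, and the pure-Python Salsa20/8 core is for study only, since the OpenSSL-backed `hashlib.scrypt` is the practical choice.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def salsa20_8(block):
    """Salsa20/8 core: hashes 64 bytes to 64 bytes."""
    inp = struct.unpack("<16I", block)
    x = list(inp)

    def qr(a, b, c, d):  # one Salsa20 quarter-round on words a, b, c, d
        x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
        x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
        x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
        x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

    for _ in range(4):  # 4 double-rounds = 8 rounds
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            qr(a, b, c, d)  # column round
        for a, b, c, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            qr(a, b, c, d)  # row round
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, inp)))


def block_mix(b):
    chunks = [b[i:i + 64] for i in range(0, len(b), 64)]  # 2r chunks of 64 bytes
    x, y = chunks[-1], []
    for chunk in chunks:
        x = salsa20_8(_xor(x, chunk))
        y.append(x)
    return b"".join(y[0::2] + y[1::2])  # even-indexed outputs, then odd


def ro_mix(block, iterations):
    v, x = [], block
    for _ in range(iterations):  # fill the memory-hard vector V
        v.append(x)
        x = block_mix(x)
    for _ in range(iterations):  # read V in a data-dependent order
        j = int.from_bytes(x[-64:], "little") % iterations  # Integerify(X) mod N
        x = block_mix(_xor(x, v[j]))
    return x


def scrypt(passphrase, salt, n, r, p, dklen):
    if n < 2 or n & (n - 1):
        raise ValueError("CostFactor (N) must be a power of 2 greater than 1")
    block_size = 128 * r
    b = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 1, block_size * p)
    blocks = [b[i:i + block_size] for i in range(0, len(b), block_size)]
    expensive_salt = b"".join(ro_mix(blk, n) for blk in blocks)
    return hashlib.pbkdf2_hmac("sha256", passphrase, expensive_salt, 1, dklen)


def matches_openssl(passphrase, salt, n, r, p, dklen):
    """Cross-check against hashlib.scrypt (OpenSSL-backed), when available."""
    ref = hashlib.scrypt(passphrase, salt=salt, n=n, r=r, p=p, dklen=dklen)
    return scrypt(passphrase, salt, n, r, p, dklen) == ref
```

With N=16, r=1, p=1 and an empty passphrase and salt, `scrypt` reproduces the first test vector in RFC 7914.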

## Cryptocurrency uses

Scrypt is used in many cryptocurrencies as a [proof-of-work](/source/Proof-of-work) algorithm (more precisely, as the hash function in the [Hashcash](/source/Hashcash) proof-of-work algorithm). It was first implemented for Tenebrix (released in September 2011) and served as the basis for [Litecoin](/source/Litecoin) and [Dogecoin](/source/Dogecoin), which also adopted its scrypt algorithm.[7][8] Mining of [cryptocurrencies](/source/Cryptocurrencies) that use scrypt is often performed on graphics processing units ([GPUs](/source/GPUs)) since GPUs tend to have significantly more processing power (for some algorithms) compared to the CPU.[9] This led to shortages of high end GPUs due to the rising price of these currencies in the months of November and December 2013.[10]

## Utility

| scrypt encryption utility | |
|---|---|
| Developer | Colin Percival |
| Stable release | 1.3.3[11] / 14 February 2025 |
| Website | www.tarsnap.com/scrypt.html |
| Repository | github.com/Tarsnap/scrypt |

The scrypt utility was written in May 2009 by Colin Percival as a demonstration of the scrypt key derivation function.[2][3] It's available in most [Linux](/source/Linux) and [BSD](/source/BSD) distributions.

## See also

- [Argon2](/source/Argon2) – winner of the [Password Hashing Competition](/source/Password_Hashing_Competition) in 2015

- [bcrypt](/source/Bcrypt) – blowfish-based password-hashing function

- [bcrypt](/source/Crypt_(C)#Blowfish-based_scheme) – blowfish-based cross-platform file encryption utility developed in 2002[12][13][14][15]

- [crypt](/source/Crypt_(C)) – Unix C library function

- [crypt](/source/Crypt_(Unix)) – Unix utility

- [ccrypt](/source/Ccrypt) – utility

- [Key derivation function](/source/Key_derivation_function)

- [Key stretching](/source/Key_stretching)

- [mcrypt](/source/Mcrypt) – utility

- [PBKDF2](/source/PBKDF2) – a widely used standard Password-Based Key Derivation Function 2

- [PufferFish](https://github.com/epixoip/pufferfish) – a cache-hard password hashing function based on improved bcrypt design

- [Space–time tradeoff](/source/Space%E2%80%93time_tradeoff)

- [yescrypt](/source/Yescrypt) – successor to scrypt

## References

1. ["Colin Percival"](https://twitter.com/cperciva/status/734613598383841281). *Twitter*. [Archived](https://web.archive.org/web/20190217215034/https://twitter.com/cperciva/status/734613598383841281) from the original on 17 February 2019.

2. ["The scrypt key derivation function"](http://www.tarsnap.com/scrypt.html). *Tarsnap*. [Archived](https://web.archive.org/web/20190528073159/https://www.tarsnap.com/scrypt.html) from the original on 28 May 2019. Retrieved 21 January 2014.

3. ["SCRYPT(1) General Commands Manual"](https://manpages.debian.org/testing/scrypt/scrypt.1.en.html). *Debian Manpages*. [Archived](https://web.archive.org/web/20220302173629/https://manpages.debian.org/testing/scrypt/scrypt.1.en.html) from the original on 2 March 2022. Retrieved 2 March 2022.

4. Percival, Colin; Josefsson, Simon (August 2016). ["The scrypt Password-Based Key Derivation Function"](https://datatracker.ietf.org/doc/html/rfc7914). RFC Editor. [Archived](https://web.archive.org/web/20211213142419/https://datatracker.ietf.org/doc/html/rfc7914) from the original on 13 December 2021. Retrieved 13 December 2021.

5. Alec Liu (29 November 2013). ["Beyond Bitcoin: A Guide to the Most Promising Cryptocurrencies"](https://www.vice.com/en/article/beyond-bitcoin-a-guide-to-the-most-promising-cryptocurrencies/). [Archived](https://web.archive.org/web/20180613111615/https://motherboard.vice.com/en_us/article/4x3ywn/beyond-bitcoin-a-guide-to-the-most-promising-cryptocurrencies) from the original on 13 June 2018. Retrieved 8 July 2017.

6. Percival, Colin. ["Stronger Key Derivation Via Sequential Memory-Hard Functions"](http://www.tarsnap.com/scrypt/scrypt.pdf) (PDF). [Archived](https://web.archive.org/web/20190414144147/http://www.tarsnap.com/scrypt/scrypt.pdf) (PDF) from the original on 14 April 2019. Retrieved 11 November 2022.

7. Andreas M. Antonopoulos (3 December 2014). [*Mastering Bitcoin: Unlocking Digital Cryptocurrencies*](https://books.google.com/books?id=IXmrBQAAQBAJ&pg=PA221). O'Reilly Media. pp. 221, 223. [ISBN](/source/ISBN_(identifier)) [9781491902646](https://en.wikipedia.org/wiki/Special:BookSources/9781491902646).

8. ["History of cryptocurrency"](https://web.archive.org/web/20160611133738/https://litecoin.info/History_of_cryptocurrency). *litecoin.info wiki*. 7 February 2014. Archived from [the original](https://litecoin.info/History_of_cryptocurrency) on 11 June 2016. Retrieved 27 June 2014.

9. Roman Guelfi-Gibbs. [*Litecoin Scrypt Mining Configurations for Radeon 7950*](https://www.amazon.com/Litecoin-Scrypt-Mining-Configurations-Radeon-ebook/dp/B00E2RT1I4). Amazon Digital Services. [Archived](https://web.archive.org/web/20161024084236/https://www.amazon.com/Litecoin-Scrypt-Mining-Configurations-Radeon-ebook/dp/B00E2RT1I4) from the original on 24 October 2016. Retrieved 11 September 2017.

10. Joel Hruska (10 December 2013). ["Massive surge in Litecoin mining leads to graphics card shortage"](http://www.extremetech.com/computing/172381-massive-surge-in-litecoin-mining-leads-to-radeon-shortage). ExtremeTech. [Archived](https://web.archive.org/web/20171212093559/http://www.extremetech.com/computing/172381-massive-surge-in-litecoin-mining-leads-to-radeon-shortage) from the original on 12 December 2017. Retrieved 1 January 2014.

11. ["Release 1.3.3"](https://github.com/Tarsnap/scrypt/releases/tag/1.3.3). 14 February 2025. Retrieved 28 February 2025.

12. Shelley, Johnny; Stolarczyk, Philip. ["Bcrypt – Blowfish File Encryption (homepage)"](https://bcrypt.sourceforge.net/). *Sourceforge*. [Archived](https://web.archive.org/web/20150829060804/http://bcrypt.sourceforge.net/) from the original on 29 August 2015. Retrieved 8 April 2024.

13. ["bcrypt APK for Android – free download on Droid Informer"](https://droidinformer.org/tools/bcrypt/). *droidinformer.org*. [Archived](https://web.archive.org/web/20200215210334/https://droidinformer.org/tools/bcrypt/) from the original on 15 February 2020. Retrieved 2 March 2022.

14. ["T2 package – trunk – bcrypt – A utility to encrypt files"](http://t2sde.org/packages/bcrypt.html). *t2sde.org*. [Archived](https://web.archive.org/web/20171028043502/http://t2sde.org/packages/bcrypt.html) from the original on 28 October 2017. Retrieved 2 March 2022.

15. ["Oracle® GoldenGate Licensing Information"](https://docs.oracle.com/goldengate/1212/gg-winux/OGGLC/ogglc_licenses.htm). *Oracle Help Center*. [Archived](https://web.archive.org/web/20240306230633/https://docs.oracle.com/goldengate/1212/gg-winux/OGGLC/ogglc_licenses.htm) from the original on 6 March 2024. Retrieved 8 April 2024.

## External links

- [The scrypt page on the Tarsnap website.](https://www.tarsnap.com/scrypt.html)

- [The original scrypt paper.](https://www.tarsnap.com/scrypt/scrypt.pdf)

- [scrypt](https://github.com/Tarsnap/scrypt) on [GitHub](/source/GitHub)


---
Adapted from the Wikipedia article [Scrypt](https://en.wikipedia.org/wiki/Scrypt) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Scrypt?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
