The scrypt key derivation function
The scrypt
key derivation function was originally developed
for use in the
Tarsnap online
backup system
and is designed to be far more secure against
hardware brute-force attacks than alternative functions such as
PBKDF2
or
bcrypt.
We estimate that on modern (2009) hardware, if 5 seconds are spent
computing a derived key, the cost of a hardware brute-force attack
against scrypt
is roughly 4000 times greater than the cost
of a similar attack against bcrypt (to find the same password), and
20000 times greater than a similar attack against PBKDF2.
Details of the scrypt
key derivation function are given in:
- The Internet Engineering Task Force (IETF) RFC 7914: The scrypt Password-Based Key Derivation Function.
- The original conference paper: Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, presented at BSDCan'09, May 09. Conference presentation slides.
Some additional articles may be of interest:
- Filippo Valsorda presented a very well-written explanation about how the scrypt parameters impact the memory usage and CPU time of the algorithm.
-
J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, S. Tessaro,
Scrypt
is Maximally Memory-Hard, Cryptology ePrint Archive: Report 2016/989.
The scrypt encryption utility
A simple password-based encryption utility is available as a
demonstration of the scrypt
key derivation function. On
modern hardware and with default parameters, the cost of cracking the
password on a file encrypted by scrypt enc
is approximately
100 billion times more than the cost of cracking the same password on
a file encrypted by openssl enc
; this means that a
five-character password using scrypt
is stronger than a
ten-character password using openssl
.
The scrypt
utility can be invoked as scrypt enc infile
[outfile]
to encrypt data (if outfile
is not
specified, the encrypted data is written to the standard output), or
as scrypt dec infile [outfile]
to decrypt data (if
outfile
is not specified, the decrypted data is written to
the standard output). scrypt
also supports three
command-line options:
-
-t maxtime
will instructscrypt
to spend at mostmaxtime
seconds computing the derived encryption key from the password; for encryption, this value will determine how secure the encrypted data is, while for decryption this value is used as an upper limit (ifscrypt
detects that it would take too long to decrypt the data, it will exit with an error message). -
-m maxmemfrac
instructsscrypt
to use at most the specified fraction of the available RAM for computing the derived encryption key. For encryption, increasing this value might increase the security of the encrypted data, depending on themaxtime
value; for decryption, this value is used as an upper limit and may causescrypt
to exit with an error. -
-M maxmem
instructsscrypt
to use at most the specified number of bytes of RAM when computing the derived encryption key.
If the encrypted data is corrupt, scrypt dec
will exit with
a non-zero status. However, scrypt dec
may produce
output before it determines that the encrypted data was corrupt,
so for applications which require data to be authenticated, you must
store the output of scrypt dec
in a temporary location and
check scrypt
's exit code before using the decrypted data.
Using scrypt as a KDF
To use scrypt as a
key derivation function
(KDF) with libscrypt-kdf
,
include scrypt-kdf.h
and use:
/** * scrypt_kdf(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen): * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, * p, buflen) and write the result into buf. The parameters r, p, and buflen * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N * must be a power of 2 greater than 1. * * Return 0 on success; or -1 on error. */ int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t, uint32_t, uint32_t, uint8_t *, size_t);
If you would rather copy our source files directly
into your project, then take a look at the
lib/crypto/crypto_scrypt.h
header, which provides crypto_scrypt()
.
The scrypt project
Development of scrypt takes place in the scrypt git repository.
Mailing list
The scrypt
key derivation function and the scrypt
encryption utility are discussed on the
[email protected]
mailing list.
Official releases
The scrypt
utility has been tested on FreeBSD, NetBSD,
OpenBSD, Linux (Slackware, CentOS, Gentoo, Ubuntu), Solaris, OS X,
Cygwin, and GNU Hurd. To build scrypt
, extract the tarball
and run ./configure && make
.
Official scrypt releases are signed with the Tarsnap 2023 code signing key, the Tarsnap 2020 code signing key, the Tarsnap 2019 code signing key, the Tarsnap 2017 code signing key, the Tarsnap 2015 code signing key, or the Tarsnap 2009 code signing key.
The following versions of scrypt are available:
Version | Release date | GPG-signed SHA256 hash |
scrypt 1.3.2 | 2023-10-01 | scrypt-sigs-1.3.2.asc |
scrypt 1.3.1 | 2020-08-27 | scrypt-sigs-1.3.1.asc |
scrypt 1.3.0 | 2019-09-12 | scrypt-sigs-1.3.0.asc |
scrypt 1.2.1 | 2017-02-11 | scrypt-sigs-1.2.1.asc |
scrypt 1.2.0 | 2015-07-30 | scrypt-sigs-1.2.0.asc |
scrypt 1.1.6 | 2010-01-16 | scrypt-sigs-1.1.6.asc |
scrypt 1.1.5 | 2009-11-06 | scrypt-sigs-1.1.5.asc |
scrypt 1.1.4 | 2009-06-15 | scrypt-sigs-1.1.4.asc |
scrypt 1.1.3 | 2009-05-25 | scrypt-sigs-1.1.3.asc |
scrypt 1.1.2 | 2009-05-20 | scrypt-sigs-1.1.2.asc |
scrypt 1.1.1 | 2009-05-16 | scrypt-sigs-1.1.1.asc |
scrypt 1.1 | 2009-05-16 | scrypt-sigs-1.1.asc |
scrypt 1.0 | 2009-05-08 | scrypt-sigs-1.0.asc |
Other scrypt software
Warning
Use in other languages
- Go scrypt package: scrypt is part of the Go standard library.
-
py-scrypt:
python scrypt bindings; supports Python 2 and 3,
and is available in
pip
. - Haskell scrypt: Haskell library providing scrypt bindings.
- node-scrypt: a native node/io C++ wrapper for scrypt.
- pbhogan's scrypt: a Ruby gem for scrypt.
Alternate implementations and uses of scrypt
- scrypt-jane: a flexible implementation of scrypt, allowing for new mixing and hash functions to be added easily.
- jkalbhenn's scrypt: uses scrypt as a KDF for base91-encoded passwords.
- npwd: uses scrypt as part of a stateless password management system, written in node.js.
- cpwd: uses scrypt as part of a stateless password management system, written in C (ported from npwd).
- scintill's scrypt: scrypt KDF in Javascript.
- litecoin uses a simplified version of scrypt.