Questions tagged [scrypt]

A slow and memory-intensive hash function designed for passwords

Scrypt is a hash algorithm specially designed for passwords. It is based on the ideas of .

While performance is one of the design goals for traditional hash functions, as far as password hashes are concerned, performance is a negative property. Scrypt was designed to be slow in order to make password cracking expensive.

In addition to being expensive to calculate, it requires a significant amount of memory. The typical amount of memory available in specialized hardware is 1 KB. The default parameters of scrypt require 16 MB.

86 questions
25
votes
2 answers

What is the difference between Scrypt and PBKDF2?

After reading these two resources I am wondering am I getting all the differences between Scrypt and PBKDF2. As far as I understood, the similarity is: both are password-based key derivation functions. The difference is: Scrypt is more resource…
Salvador Dali
16
votes
4 answers

Looking at hash output – is Base64 encoding in any way better than HEX encoding?

I was wondering why most "normal/unsafe" crypto hashes like SHA-256, SHA-512, Whirlpool, RipeMD-160, MD5, etc. are HEX encoded. But most "secure" crypto hashes (KDFs) like bcrypt and scrypt are Base64 encoded. Why? Somewhere I heard that Base64…
Richard R. Matthews
14
votes
2 answers

How to derive two keys from one password

What is the best way to generate two independent symmetric keys from one user-entered password or passphrase? Would using both scrypt and pbkdf2 achieve this?
user1028028
14
votes
1 answer

argon2 vs scrypt

It's a fact that scrypt and argon2 are the two dominant memory hard KDFs. But which one of them is more recommendable for password hashing? scrypt is older and as far as I know resistant to almost every kind of hardware based attack. But vulnerable…
Richard R. Matthews
11
votes
3 answers

How well does scrypt perform on different architectures / OSes?

The scrypt algorithm seems to be a prominent feature in the "CPU friendly" Bitcoin clones for the proof-of-labor part. I've heard claims that it's relatively slow on Windows and/or Intel compared to Linux/AMD. Is this true? By how much? Does anyone…
ripper234
11
votes
1 answer

Should I use SHA256 or Blake2 to checksum and sign scrypt headers?

I use scrypt as a key derivation function (not to store passwords). To pass around the detached key header I use the standard encoding as implemented in Colin Percival's scrypt implementation (scryptenc.c#L224). The original scrypt key header…
RobS
11
votes
2 answers

Appropriate scrypt parameters when generating an scrypt hash

What values for CPU, memory and parallel difficulty should be used when generating an scrypt hash? i.e. $N: The CPU difficulty (must be a power of 2, > 1); $r: The memory difficulty; $p: The parallel difficulty. I'm using the PHP…
McJohnson
8
votes
4 answers

How does Scrypt use Salsa?

Bcrypt uses Blowfish to encrypt a derived key from the passphrase, and Blowfish is a cryptographic algorithm, but here it is said that: Note that Salsa20/8 Core is not a cryptographic hash function since it is not collision-resistant. so how this…
Abdelouahab Pp
8
votes
1 answer

How can scrypt be improved to counter GPU mining

I know scrypt was designed to lessen the GPU/ASIC advantage. We now have litecoin as a real-world example of this. However, it hasn't worked out perfectly. Most coins are mined by GPUs, although the advantage is probably smaller than it would have…
user239558
8
votes
1 answer

GPG vs PGP vs OpenSSH and management of them

What is the main difference of the three? Can I use only one of them for everything (e.g. GPG for SSH authentication) If I encrypt my private key with a pass-phrase, is it strong enough so that if someone steals my laptop or private key, I'm…
dzervas
8
votes
1 answer

Is there any known malleability of scrypt outputs?

The scenario is single-use passphrase-based non-interactive message authentication. The obvious try to do this is to choose a random salt of the appropriate length and send: concat(workfactor, salt, message, mac(scrypt(workfactor, salt,…
user991
7
votes
2 answers

Do I need to sanitize user input to scrypt, or to PBKDF's in general?

I'd like to allow the user to supply a password as input to some PBKDF, which I will use to construct a key for file encryption (currently using aes-256-ctr. It may change as I learn more). I am considering using scrypt. Do I need to do any…
phoenixdown
7
votes
2 answers

Scrypt not "old enough" to be safe?

I just checked all the questions with scrypt tag about that and usually it's said that scrypt is nice in theory and theoretically better than bcrypt and PBKDF2, but it's too young to be "completely safe". I understand bcrypt is very old and yet…
My1
6
votes
0 answers

Is Argon2 "sequential memory hard"?

The Scrypt paper here defines memory-hard and sequential memory hard functions as follows: Definition 1. A memory-hard algorithm on a Random Access Machine is an algorithm which uses $S(n)$ space and $T(n)$ operations, where $S(n) \in \Omega…
Modal Nest
5
votes
1 answer

Key collision in scrypt and hkdf

I am developing a mostly-offline authorization system that authorizes a user using a deterministically generated AuthKey derived from a MasterKey derived from a high-entropy chunk of data (128 bits) and a low entropy data (for example, an email…