Tarsnap - Online backups for the truly paranoid

Navigation menu

The scrypt key derivation function

The scrypt key derivation function was originally developed for use in the Tarsnap online backup system and is designed to be far more secure against hardware brute-force attacks than alternative functions such as PBKDF2 or bcrypt.

We estimate that on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2.

Details of the scrypt key derivation function are given in:

Some additional articles may be of interest:

  • Filippo Valsorda presented a very well-written explanation about how the scrypt parameters impact the memory usage and CPU time of the algorithm.
  • J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, S. Tessaro, Scrypt is Maximally Memory-Hard, Cryptology ePrint Archive: Report 2016/989.

The scrypt encryption utility

A simple password-based encryption utility is available as a demonstration of the scrypt key derivation function. On modern hardware and with default parameters, the cost of cracking the password on a file encrypted by scrypt enc is approximately 100 billion times more than the cost of cracking the same password on a file encrypted by openssl enc; this means that a five-character password using scrypt is stronger than a ten-character password using openssl.

The scrypt utility can be invoked as scrypt enc infile [outfile] to encrypt data (if outfile is not specified, the encrypted data is written to the standard output), or as scrypt dec infile [outfile] to decrypt data (if outfile is not specified, the decrypted data is written to the standard output). scrypt also supports three command-line options:

  • -t maxtime will instruct scrypt to spend at most maxtime seconds computing the derived encryption key from the password; for encryption, this value will determine how secure the encrypted data is, while for decryption this value is used as an upper limit (if scrypt detects that it would take too long to decrypt the data, it will exit with an error message).
  • -m maxmemfrac instructs scrypt to use at most the specified fraction of the available RAM for computing the derived encryption key. For encryption, increasing this value might increase the security of the encrypted data, depending on the maxtime value; for decryption, this value is used as an upper limit and may cause scrypt to exit with an error.
  • -M maxmem instructs scrypt to use at most the specified number of bytes of RAM when computing the derived encryption key.

If the encrypted data is corrupt, scrypt dec will exit with a non-zero status. However, scrypt dec may produce output before it determines that the encrypted data was corrupt, so for applications which require data to be authenticated, you must store the output of scrypt dec in a temporary location and check scrypt's exit code before using the decrypted data.

Using scrypt as a KDF

To use scrypt as a key derivation function (KDF), take a look at the lib/crypto/crypto_scrypt.h header, which provides:

 * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
 * p, buflen) and write the result into buf.  The parameters r, p, and buflen
 * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
 * must be a power of 2 greater than 1.
 * Return 0 on success; or -1 on error.
int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
    uint32_t, uint32_t, uint8_t *, size_t);

The scrypt project

Development of scrypt takes place in the scrypt git repository.

Mailing list

The scrypt key derivation function and the scrypt encryption utility are discussed on the scrypt@tarsnap.com mailing list.

Official releases

The scrypt utility has been tested on FreeBSD, NetBSD, OpenBSD, Linux (Slackware, CentOS, Gentoo, Ubuntu), Solaris, OS X, Cygwin, and GNU Hurd. To build scrypt, extract the tarball and run ./configure && make.

Official scrypt releases are signed with the Tarsnap 2017 code signing key, the Tarsnap 2015 code signing key, or the Tarsnap 2009 code signing key.

The following versions of scrypt are available:

Version Release date GPG-signed SHA256 hash
scrypt 1.2.1 2017-02-11 scrypt-sigs-1.2.1.asc
scrypt 1.2.0 2015-07-30 scrypt-sigs-1.2.0.asc
scrypt 1.1.6 2010-01-16 scrypt-sigs-1.1.6.asc
scrypt 1.1.5 2009-11-06 scrypt-sigs-1.1.5.asc
scrypt 1.1.4 2009-06-15 scrypt-sigs-1.1.4.asc
scrypt 1.1.3 2009-05-25 scrypt-sigs-1.1.3.asc
scrypt 1.1.2 2009-05-20 scrypt-sigs-1.1.2.asc
scrypt 1.1.1 2009-05-16 scrypt-sigs-1.1.1.asc
scrypt 1.1 2009-05-16 scrypt-sigs-1.1.asc
scrypt 1.0 2009-05-08 scrypt-sigs-1.0.asc

Other scrypt software


These lists are provided for informational purposes and inclusion in these lists do not constitute an endorsement by Tarsnap Backup Inc. Use at your own risk!

Use in other languages

Alternate implementations and uses of scrypt

  • scrypt-jane: a flexible implementation of scrypt, allowing for new mixing and hash functions to be added easily.
  • jkalbhenn's scrypt: uses scrypt as a KDF for base91-encoded passwords.
  • npwd: uses scrypt as part of a stateless password management system, written in node.js.
  • cpwd: uses scrypt as part of a stateless password management system, written in C (ported from npwd).
  • scintill's scrypt: scrypt KDF in Javascript.
  • litecoin uses a simplified version of scrypt.