
scrypt - Memory-Hard Key Derivation


scrypt is a memory-hard password hash function that resists parallel attacks by GPUs and ASICs by consuming large amounts of memory. It was designed by Colin Percival in 2009 for key derivation in the online backup service Tarsnap. Whereas bcrypt is CPU-bound, scrypt demands memory-bound computation, raising the cost of attacks by orders of magnitude. It is also widely known as the Proof of Work algorithm of the cryptocurrency Litecoin.

Historical Background

In the late 2000s, general-purpose computing on GPUs (GPGPU) spread rapidly, and brute-force attacks against CPU-bound hash functions like bcrypt became a realistic threat. To address this, Colin Percival designed scrypt around the idea that "if you force the consumption of large amounts of memory in addition to computation, you can neutralize the parallelism of GPUs." It was adopted for Tarsnap's backup encryption in 2009 and standardized as RFC 7914 in 2012. When Litecoin, which appeared in 2011, adopted scrypt, it also became widely recognized within the cryptocurrency community.

How the ROMix Algorithm Works

The core of scrypt is an algorithm called ROMix. The processing is broadly divided into two phases.

Phase 1: Memory Filling

Generate N pseudo-random blocks from an initial value and store them in a huge array. When N = 2^20 (about 1 million), it consumes more than 1 GB of memory. You cannot proceed to the next phase without holding this entire array.

Phase 2: Memory-Dependent Mixing

Mix the values while referencing random positions in the array N times. Because each reference target depends on the immediately preceding computation result, it cannot be predicted in advance. Reducing memory forces recomputation, causing the time cost to rise sharply.

This property, where "cutting memory makes the computation time explode," is the essence of scrypt's memory-hardness. When an attacker tries to save memory to increase parallelism, the computation time per instance increases quadratically, so the total attack cost does not go down.
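To make the two phases concrete, the following is a pure-Python scrypt written to RFC 7914, added here as an illustration; it is not code from the original article, from Tarsnap or from Colin Percival's implementation, and the function names (salsa20_8, blockmix, romix, scrypt, matches_openssl) are this example's own. It is far too slow for production use; its point is that the V array in romix is exactly the "huge array" of phase 1, and that the index j in phase 2 is computed from the running value X, which is why it cannot be predicted in advance. hashlib is used only for the PBKDF2 steps and to cross-check the result against OpenSSL's scrypt.

```python
"""Pure-Python scrypt following RFC 7914 (educational, far too slow for production)."""
import hashlib
import struct

MASK = 0xFFFFFFFF

# Salsa20/8 schedule: each entry (dst, a, b, rot) means x[dst] ^= rotl32(x[a] + x[b], rot).
# The first 16 entries are the column round, the next 16 the row round;
# four repetitions of both give the 8 rounds of Salsa20/8.
_STEPS = (
    (4, 0, 12, 7), (8, 4, 0, 9), (12, 8, 4, 13), (0, 12, 8, 18),
    (9, 5, 1, 7), (13, 9, 5, 9), (1, 13, 9, 13), (5, 1, 13, 18),
    (14, 10, 6, 7), (2, 14, 10, 9), (6, 2, 14, 13), (10, 6, 2, 18),
    (3, 15, 11, 7), (7, 3, 15, 9), (11, 7, 3, 13), (15, 11, 7, 18),
    (1, 0, 3, 7), (2, 1, 0, 9), (3, 2, 1, 13), (0, 3, 2, 18),
    (6, 5, 4, 7), (7, 6, 5, 9), (4, 7, 6, 13), (5, 4, 7, 18),
    (11, 10, 9, 7), (8, 11, 10, 9), (9, 8, 11, 13), (10, 9, 8, 18),
    (12, 15, 14, 7), (13, 12, 15, 9), (14, 13, 12, 13), (15, 14, 13, 18),
)


def salsa20_8(block: bytes) -> bytes:
    """Salsa20/8 core on one 64-byte block (16 little-endian 32-bit words)."""
    inp = list(struct.unpack("<16I", block))
    x = inp[:]
    for _ in range(4):
        for dst, a, b, rot in _STEPS:
            s = (x[a] + x[b]) & MASK
            x[dst] ^= ((s << rot) | (s >> (32 - rot))) & MASK
    # Salsa20 adds the input words back onto the mixed state
    return struct.pack("<16I", *[(x[i] + inp[i]) & MASK for i in range(16)])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def blockmix(B: bytes, r: int) -> bytes:
    """scryptBlockMix: 2r 64-byte blocks in, 2r blocks out (even-indexed blocks first)."""
    blocks = [B[i * 64:(i + 1) * 64] for i in range(2 * r)]
    X = blocks[-1]
    Y = []
    for blk in blocks:
        X = salsa20_8(xor_bytes(X, blk))
        Y.append(X)
    return b"".join(Y[0::2] + Y[1::2])


def romix(B: bytes, N: int, r: int) -> bytes:
    """scryptROMix. Phase 1 fills V with N blocks of 128*r bytes; phase 2 reads V
    back at positions chosen by the running value X (data-dependent addressing)."""
    X = B
    V = []
    for _ in range(N):                                  # phase 1: memory filling
        V.append(X)
        X = blockmix(X, r)
    for _ in range(N):                                  # phase 2: memory-dependent mixing
        j = int.from_bytes(X[-64:], "little") % N       # Integerify(X) mod N
        X = blockmix(xor_bytes(X, V[j]), r)
    return X


def scrypt(password: bytes, salt: bytes, N: int, r: int, p: int, dklen: int = 64) -> bytes:
    """Full scrypt: PBKDF2-HMAC-SHA256 -> p independent ROMix lanes -> PBKDF2-HMAC-SHA256."""
    B = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * 128 * r)
    lanes = [romix(B[i * 128 * r:(i + 1) * 128 * r], N, r) for i in range(p)]
    return hashlib.pbkdf2_hmac("sha256", password, b"".join(lanes), 1, dklen)


def matches_openssl(password: bytes, salt: bytes, N: int, r: int, p: int) -> bool:
    """Cross-check this implementation against OpenSSL's scrypt exposed via hashlib."""
    return scrypt(password, salt, N, r, p) == hashlib.scrypt(
        password, salt=salt, n=N, r=r, p=p, dklen=64)


if __name__ == "__main__":
    # RFC 7914 section 12 test vector: empty password and salt, N=16, r=1, p=1
    print(scrypt(b"", b"", 16, 1, 1).hex())
    print(matches_openssl(b"password", b"NaCl", 64, 2, 2))
```

The parameter N only ever appears as the length of V and as the modulus of j, which is the whole memory-hardness argument in code form: an implementation that keeps fewer than N entries of V must recompute the missing ones by re-running the phase 1 chain from an earlier stored block each time j lands on a gap.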

Comparison with Argon2 and bcrypt

Property                     | bcrypt                    | scrypt                                 | Argon2id
-----------------------------|---------------------------|----------------------------------------|----------------------------------------------
Year introduced              | 1999                      | 2009                                   | 2015
Memory-hard                  | No                        | Yes                                    | Yes
Side-channel resistance      | High                      | Low (data-dependent access)            | High (Argon2id hybrid mode)
Parameter intuitiveness      | Simple with a single cost | The relationship of N, r, p is complex | Memory, time, and parallelism are independent
OWASP recommendation rank    | 2nd                       | 3rd                                    | 1st
Adoption in cryptocurrencies | None                      | Litecoin, Dogecoin, etc.               | Some mining-resistant designs

Parameter Design (N, r, p)

scrypt has three parameters, and it is important to understand the role of each and their interrelationships.

N (CPU/memory cost): Specified as a power of 2. Memory usage ≈ 128 × N × r bytes
r (block size): The size of the internal block. Typically 8 is used
p (parallelism): The number of lanes that can be computed independently. Typically 1
Recommended settings (OWASP 2025): N = 2^17 (131072), r = 8, p = 1 → about 128 MB of memory

Doubling N doubles both memory usage and computation time. Because the interdependence of the parameters is complex, tuning is somewhat more difficult compared with algorithms like Argon2id that allow memory, time, and parallelism to be adjusted independently. Use a salt of at least 16 bytes and store it following the basic principles of password hashing.
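The following helper, added here as an example and not part of the original article, turns the parameter discussion above into code: it computes the 128 × N × r working set, picks the largest N for a memory budget, and hashes and verifies passwords with hashlib.scrypt (OpenSSL) at the OWASP setting. It also shows a caveat practitioners hit immediately: hashlib.scrypt's default maxmem=0 means OpenSSL's own 32 MiB cap, so N = 2^17, r = 8 is rejected unless the caller raises the cap. The "$scrypt$ln=..,r=..,p=..$salt$hash" storage string is a format constructed for this example (modelled on the common "parameters next to the hash" layout), not a standard, and the function names are this example's own.

```python
"""scrypt parameter helpers built on hashlib.scrypt (OpenSSL). Added example; the
storage string format is constructed for illustration and is not a standard."""
import hashlib
import hmac
import os

# Settings quoted in the text (OWASP 2025): N = 2**17, r = 8, p = 1 -> 128 MiB
OWASP_N, OWASP_R, OWASP_P = 2 ** 17, 8, 1
SALT_LEN = 16   # at least 16 random bytes, as the text recommends


def validate_params(n: int, r: int, p: int) -> bool:
    """Reject parameter combinations scrypt itself does not allow."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of 2 greater than 1")
    if r < 1 or p < 1:
        raise ValueError("r and p must be at least 1")
    if r * p >= 2 ** 30:
        raise ValueError("r * p must be less than 2**30")
    return True


def scrypt_memory_bytes(n: int, r: int) -> int:
    """ROMix working set: N blocks of 128*r bytes (the formula given in the text)."""
    validate_params(n, r, 1)
    return 128 * n * r


def largest_n_for_budget(budget_bytes: int, r: int) -> int:
    """Largest power-of-2 N whose 128*N*r working set still fits the memory budget."""
    n = 2
    while scrypt_memory_bytes(n * 2, r) <= budget_bytes:
        n *= 2
    return n


def openssl_maxmem(n: int, r: int, p: int) -> int:
    """Memory cap to hand to hashlib.scrypt: the V array (128*r*(N+2) bytes in OpenSSL's
    accounting) plus the p lanes of B, with 25% slack. Leaving maxmem at its default
    of 0 applies OpenSSL's 32 MiB limit, which the 128 MiB OWASP setting exceeds."""
    return (128 * r * (n + 2) + 128 * r * p) * 5 // 4


def default_maxmem_rejects(n: int, r: int, p: int) -> bool:
    """True if hashlib.scrypt refuses these parameters under its default memory cap."""
    try:
        hashlib.scrypt(b"probe", salt=b"\x00" * SALT_LEN, n=n, r=r, p=p, dklen=32)
    except ValueError:
        return True
    return False


def hash_password(password: str, n: int = OWASP_N, r: int = OWASP_R, p: int = OWASP_P) -> str:
    """Derive a 32-byte hash with a fresh random salt and store N, r, p beside it,
    so the parameters can be raised later without breaking verification of old records."""
    validate_params(n, r, p)
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        maxmem=openssl_maxmem(n, r, p), dklen=32)
    log2_n = n.bit_length() - 1
    return f"$scrypt$ln={log2_n},r={r},p={p}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, scheme, params, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = 2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"])
        validate_params(n, r, p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except (ValueError, KeyError):
        return False   # malformed record: never fall back to a weaker check
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        maxmem=openssl_maxmem(n, r, p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("OWASP setting needs", scrypt_memory_bytes(OWASP_N, OWASP_R) // 2 ** 20, "MiB")
    print("rejected under default maxmem:", default_maxmem_rejects(OWASP_N, OWASP_R, OWASP_P))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Because N, r and p are stored with each record, a deployment can raise N on the next successful login of each user rather than re-hashing everything at once, which is the practical way to keep up with the "doubling N doubles cost" rule above.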

Adoption in Litecoin

Litecoin, which appeared in 2011, adopted scrypt as its Proof of Work algorithm in place of Bitcoin's SHA-256. The aim at the time was to "prevent the oligopolization of mining by ASICs and allow ordinary PCs to participate in mining." However, scrypt-compatible ASICs appeared around 2014, and the original goal was not achieved. The lesson of this experience is that even a memory-hard function cannot withstand dedicated hardware unless its memory requirement is set high enough. Cryptocurrency security is covered in the separate article on cryptocurrency wallet security.

Common Misconceptions

Some argue that "scrypt is old, so it should not be used," but when operated with appropriate parameters, it still provides sufficient security as of 2025. OWASP also recommends it as the third option after Argon2id and bcrypt. The practical approach, however, is to make Argon2id the first choice for new systems and to select scrypt when compatibility with existing systems is required. For the fundamentals of cryptography, see the basics of encryption, and for the overall picture of password management, refer to the secure password management guide.
