From Bitcoin Wiki
This is the approved revision of this page, as well as being the most recent.
Jump to: navigation, search
Scrypt logo

Scrypt is the encryption method that is using a big memory volume and requires a lot of time for selection. The Scrypt algorithm is implemented for the cryptocurrency mining, which allows making it more complicated for the specialized ASIC miners.

The Scrypt coins differ from Bitcoin as the latter uses the SHA-256 algorithm. Unlike the scrypt cryptocurrency, Bitcoin and other currencies on this algorithm are easily mined on ASIC (the devices that are specifically developed only for solving the mining tasks). It often causes a negative feedback by the creators of the scrypt cryptocurrencies, since it gives an advantage to the miners with large resources and violates the decentralization.

Bitcoin that isn’t using the Scrypt is just one example. Which is why the scrypt coins enjoy popularity among miners that are using processors (CPU) or video cards (GPU) for mining. Let’s review the scrypt algorithm, its peculiarities and advantages.

How Scrypt works?[edit]

Scrypt algorithm

Before we review the scrypt algorithm coins in relation of mining, let’s have a look at the system itself.

The scrypt algorithm was invented by Colin Percival as the cryptoprotection of the online service to keep the backup copies of UNIX-like OS. The working principle of the scrypt algorithm lies in the fact that it artificially complicates the selection of options to solve a cryptographic task by filling it with “noise”. This noise are randomly generated numbers to which the scrypt algorithm refers, increasing the work time.

If the scrypt checks the user’s key, this delay will be almost invisible. However, if a fraudster tries to break down the core using the exhaustive search method, the Scrypt complicates it: together, all operations take a lot of time.

For any scrypt coin it means that its mining will require a big number of participants in the network, and each of them will do a part of work.

Scrypt mining[edit]

When choosing a cryptocurrency using the scrypt algorithm, it is also very important to know where to mine it.

Unlike SHA-256, the scrypt mining needs fewer resources, thanks to which the currencies using the scrypt algorithm can be successfully mined with various tools. These are the scrypt pool, and the scrypt miner CPU and GPU, and even scrypt asic miner: the manufacturers of ASIC equipment also look for the ways to “open” the algorithm’s mining scrypt and implement the scrypt function.

When a newcomer starts studying the scrypt algoritm, the main question appears – what to use for mining. The main parameter when choosing it becomes the scrypt hash rate, i.e. the performance required from the equipment, which will allow to mine the cryptocurrency.

To calculate the scrypt hash, i.e. find that very solution that will allow to create a new block in the blockchain, the experienced miners recommend to use GPU. Video cards have more performance than processors, moreover, they are also better at the performing of one operation. Scrypt miner AMD will suit best: these video cards possess a bigger performance than Nvidia, and assembling a farm of them is cheaper. Scrypt mining also requires bigger memory volumes.

By the way, the manufacturers of ASIC miners also don’t stand still. Today, ASIC can cope with the Scrypt algorithm, but the developers continue this technolofical war to let the miner that selected the scrypt algorithm with the less productive equipment also have the possibility to mine.

However, quite large resources are required to start the scrypt solo mining. An alternative way are the scrypt pools. These are the communities, where you provide the power of your equipment to join the forces. Such an approach gives a better result than the solo mining, but the reward becomes lower.

To find the best pools for the scrypt mining of the cryptocurrencies, you have to pay attention to their orientation. There are pools customized to only one coin, and there are the multicurrency ones, where one can switch from one cryptocurrency to another. In relation to the stability of the income, the best scrypt pools belong to the first category.

Cryptocurrency on Scrypt[edit]

The main question after you’ve understood what the scrypt algorithm is, is what to mine on it. The first cryptocurrency using the scrypt algorithm is Litecoin. All forks of Litecoin also work on it. For example, the less popularity is on the algorithm of the scrypt coin Dogecoin.

Among other cryptocurrencies using the scrypt algorithm there are the coins ProsperCoin, CashCoin, MonaCoin, Mooncoin and many others.


The algorithm includes the following parameters:

  • Passphrase - The string of characters to be hashed.
  • Salt - A string of characters that modifies the hash to protect against Rainbow table attacks
  • N - CPU/memory cost parameter.
  • p - Parallelization parameter; a positive integer satisfying p ≤ (232− 1) * hLen / MFLen.
  • dkLen - Intended output length in octets of the derived key; a positive integer satisfying dkLen ≤ (232− 1) * hLen.
  • r - The blocksize parameter, which fine-tunes sequential memory read size and performance. 8 is commonly used.
  • hLen - The length in octets of the hash function (32 for SHA256).
  • MFlen - The length in octets of the output of the mixing function (SMix below). Defined as r * 128 in RFC7914.
Function scrypt
Passphrase: Bytes string of characters to be hashed
Salt: Bytes random salt
CostFactor (N): Integer CPU/memory cost parameter
BlockSizeFactor (r): Integer blocksize parameter (8 is commonly used)
ParallelizationFactor (p): Integer Parallelization parameter. (1..232-1 * hLen/MFlen)
DesiredKeyLen: Integer Desired key length in bytes
DerivedKey: Bytes array of bytes, DesiredKeyLen long

Step 1. Generate expensive salt
blockSize ← 128*BlockSizeFactor //Length (in bytes) of the SMix mixing function output (e.g. 128*8 = 1024 bytes)

Use PBKDF2 to generate initial 128*BlockSizeFactor*p bytes of data (e.g. 128*8*3 = 3072 bytes)
Treat the result as an array of p elements, each entry being blocksize bytes (e.g. 3 elements, each 1024 bytes)
[B0...Bp−1] ← PBKDF2HMAC-SHA256(Passphrase, Salt, 1, blockSize*ParallelizationFactor)

Mix each block in B 2CostFactor times using ROMix function (each block can be mixed in parallel)
for i ← 0 to p-1 do
Bi ← ROMix(Bi, 2CostFactor)

All the elements of B is our new "expensive" salt
expensiveSalt ← B0∥B1∥B2∥ ... ∥Bp-1 //where ∥ is concatenation

Step 2. Use PBKDF2 to generate the desired number of bytes, but using the expensive salt we just generated
return PBKDF2HMAC-SHA256(Passphrase, expensiveSalt, 1, DesiredKeyLen);
Function ROMix(Block, Iterations)

Create Iterations copies of X
X ← Block
for i ← 0 to Iterations−1 do
Vi ← X
X ← BlockMix(X)

for i ← 0 to Iterations−1 do
//Convert first 8-bytes of the last 64-byte block of X to a UInt64, assuming little endian (Intel) format
j ← Integerify(X) mod N 
X ← BlockMix(X xor Vj)

return X

Where Integerify is a bijective function from {0, 1}k to {0,...,2k− 1}.

Function BlockMix(B):

The block B is r 128-byte chunks (which is equivalent of 2r 64-byte chunks)
r ← Length(B) / 128;

Treat B as an array of 2r 64-byte chucks
[B0...B2r-1] ← B

X ← B2r−1
for i ← 0 to 2r−1 do
X ← Salsa20/8(X xor Bi) //Salsa20/8 hashes from 64-bytes to 64-bytes
Yi ← X

return ← Y0∥Y2∥...∥Y2r−2 ∥ Y1∥Y3∥...∥Y2r−1

Where Salsa20/8 is the 8-round version of Salsa20.

External links[edit]

See also[edit]

  • Key derivation function
  • Argon2, winner of the Password Hashing Competition
  • crypt, password storage and verification scheme
  • PBKDF2, a widely used standard password-based key derivation function
  • bcrypt, password hashing function using Blowfish