Skip to main content

The scrypt Password-Based Key Derivation Function
RFC 7914

Revision differences

Document history

Date Rev. By Action
2020-01-21
05 (System) Received changes through RFC Editor sync (added Verified Errata tag)
2019-10-09
05 (System) Received changes through RFC Editor sync (added Errata tag)
2016-08-17
05 (System) RFC published
2016-08-17
05 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2016-06-24
05 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2016-06-02
05 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2016-05-23
05 (System) RFC Editor state changed to EDIT
2016-05-23
05 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2016-05-23
05 (System) Announcement was received by RFC Editor
2016-05-20
05 (System) IANA Action state changed to No IC from In Progress
2016-05-20
05 (System) IANA Action state changed to In Progress
2016-05-20
05 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2016-05-20
05 Amy Vezza IESG has approved the document
2016-05-20
05 Amy Vezza Closed "Approve" ballot
2016-05-20
05 Amy Vezza Ballot approval text was generated
2016-05-20
05 Amy Vezza IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2016-05-20
05 Amy Vezza Ballot writeup was changed
2016-05-18
05 Colin Percival IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2016-05-18
05 Colin Percival New version available: draft-josefsson-scrypt-kdf-05.txt
2016-04-14
04 Jari Arkko
[Ballot comment]
I think we are making progress, and I have released my Discuss. However, I do think the text is unnecessarily context dependent and …
[Ballot comment]
I think we are making progress, and I have released my Discuss. However, I do think the text is unnecessarily context dependent and hard to read. As a result, I have a couple of suggested edits below.

> > 1. In Section 6, scryptROMix is called with B[i] as the second parameter
> >
> >          B[i] = scryptROMix (r, B[i], N)
> >
> > Yet, per scryptROMix is supposed to take a 128*r sequence of octets as its second parameter.
> > What am I missing? Do I understand the notation correctly? I may be confused by the
> > same issue that Paul noted in his review, that same identifiers are used for different purposes.
>
> In the description of the scrypt algorithm, each of the p values B[i] is 128*r
> octets in length.  (Thus this matches the PBKDF2-HMAC-SHA256 call
> in step 1 of the algorithm, which produces p*128*r octets of output.)

Ok, but could Section 6 perhaps explain the type of the variable B that is used in the algorithm? And maybe similarly for the other variables that are used in the algorithms. The context dependency makes the algorithm hard to read. I might be dense, but I usually can read these things, but now I had trouble.

> > 2. In Section 4, the scryptBlockMix takes an input parameter which is defined as
> >
> >          B[0] || B[1] || ... || B[2 * r - 1]
> >                  Input octet string (of size 128 * r octets),
> >
> > Yet, B[0] ... B[2*r-1] would seem to be an octet string of size 2*r. What am I missing?
>
> As the line following that quote indicates
>                  "treated as 2 * r 64-octet blocks."
> B[0] .. B[2r-1] is 128*r octets, interpreted as a sequence of 64-octet blocks.

Ok, and maybe I’m being dense but this is difficult to understand :-)

Could you consider making this change to be very explicit about all this:

OLD:
                  treated as 2 * r 64-octet blocks.
NEW:
                  treated as 2 * r 64-octet blocks,
                  where each element in B is a 64-octet block.

> > The only issue I know of which is
> > outstanding is that the Integerify function is defined wrong in the
> > latest draft and needs to be reverted to its previous version.  (But I
> > don't know how to edit this.)
> >
> > What change is needed for that?
>
> Revert step 3 in the description of scryptROMix to what appeared in
> draft-josefsson-scrypt-kdf-03.

Ok for this.
2016-04-14
04 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss
2016-01-18
04 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2016-01-14
04 Tero Kivinen Closed request for Telechat review by SECDIR with state 'No Response'
2016-01-07
04 Jari Arkko
[Ballot discuss]
Thank you for writing this important document.

I would like to recommend its approval, but before doing so I had some questions. These …
[Ballot discuss]
Thank you for writing this important document.

I would like to recommend its approval, but before doing so I had some questions. These relate to issues that I had trouble understanding in the algorithm. And they have been inspired by Paul Kyzivat's Gen-ART review.

I'm probably missing something very obvious, but wanted to raise these questions just make sure there are no mistakes.

1. In Section 6, scryptROMix is called with B[i] as the second parameter

          B[i] = scryptROMix (r, B[i], N)

Yet, per scryptROMix is supposed to take a 128*r sequence of octets as its second parameter.
What am I missing? Do I understand the notation correctly? I may be confused by the
same issue that Paul noted in his review, that same identifiers are used for different purposes.

2. In Section 4, the scryptBlockMix takes an input parameter which is defined as

            B[0] || B[1] || ... || B[2 * r - 1]
                  Input octet string (of size 128 * r octets),

Yet, B[0] ... B[2*r-1] would seem to be an octet string of size 2*r. What am I missing?
2016-01-07
04 Jari Arkko [Ballot Position Update] New position, Discuss, has been recorded for Jari Arkko
2016-01-07
04 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2016-01-07
04 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2016-01-06
04 Ben Campbell
[Ballot comment]
The first sentence in the abstract needs a comma before "scrypt". Or even better "... derivation function, known as scrypt".

(I spent some …
[Ballot comment]
The first sentence in the abstract needs a comma before "scrypt". Or even better "... derivation function, known as scrypt".

(I spent some time working out that this was not a misspelling of "... derivation function script")
2016-01-06
04 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2016-01-06
04 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2016-01-06
04 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2016-01-06
04 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2016-01-05
04 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2016-01-05
04 Paul Kyzivat Request for Telechat review by GENART Completed: Ready. Reviewer: Paul Kyzivat.
2016-01-05
04 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2015-12-31
04 Jean Mahoney Request for Telechat review by GENART is assigned to Paul Kyzivat
2015-12-31
04 Jean Mahoney Request for Telechat review by GENART is assigned to Paul Kyzivat
2015-12-29
04 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2015-12-17
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Joseph Salowey
2015-12-17
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Joseph Salowey
2015-12-14
04 (System) IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2015-12-10
04 Stephen Farrell IESG state changed to IESG Evaluation::AD Followup from Waiting for Writeup::AD Followup
2015-12-10
04 Stephen Farrell Ballot has been issued
2015-12-10
04 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2015-12-10
04 Stephen Farrell Created "Approve" ballot
2015-12-10
04 Stephen Farrell Ballot writeup was changed
2015-12-10
04 Stephen Farrell Placed on agenda for telechat - 2016-01-07
2015-12-10
04 Stephen Farrell Changed consensus to Yes from Unknown
2015-11-20
04 (System) Sub state has been changed to AD Followup from Revised ID Needed
2015-11-20
04 Simon Josefsson IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2015-11-20
04 Simon Josefsson New version available: draft-josefsson-scrypt-kdf-04.txt
2015-10-14
03 (System) Notify list changed from simon@josefsson.org, cperciva@tarsnap.com, draft-josefsson-scrypt-kdf.shepherd@ietf.org, rsalz@akamai.com, draft-josefsson-scrypt-kdf.ad@ietf.org, draft-josefsson-scrypt-kdf@ietf.org to (None)
2015-09-17
03 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Joseph Salowey.
2015-09-14
03 Stephen Farrell IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2015-09-08
03 (System) IESG state changed to Waiting for Writeup from In Last Call
2015-08-28
03 Paul Kyzivat Request for Last Call review by GENART Completed: On the Right Track. Reviewer: Paul Kyzivat.
2015-08-13
03 Jean Mahoney Request for Last Call review by GENART is assigned to Paul Kyzivat
2015-08-13
03 Jean Mahoney Request for Last Call review by GENART is assigned to Paul Kyzivat
2015-08-13
03 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Suzanne Woolf
2015-08-13
03 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Suzanne Woolf
2015-08-13
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Joseph Salowey
2015-08-13
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Joseph Salowey
2015-08-12
03 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2015-08-12
03 Amanda Baber
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-josefsson-scrypt-kdf-03, which is currently in Last Call, and has the following comments:

We understand that this …
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-josefsson-scrypt-kdf-03, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.
2015-08-10
03 Cindy Morgan IANA Review state changed to IANA - Review Needed
2015-08-10
03 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (The scrypt Password-Based Key Derivation Function) …
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (The scrypt Password-Based Key Derivation Function) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'The scrypt Password-Based Key Derivation Function'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-09-07. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies the password-based key derivation function
  scrypt.  The function derives one or more secret keys from a secret
  string.  It is based on memory-hard functions which offer added
  protection against attacks using custom hardware.  The document also
  provides an ASN.1 schema.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-josefsson-scrypt-kdf/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-josefsson-scrypt-kdf/ballot/


No IPR declarations have been submitted directly on this I-D.


2015-08-10
03 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2015-08-10
03 Stephen Farrell Last call was requested
2015-08-10
03 Stephen Farrell Ballot approval text was generated
2015-08-10
03 Stephen Farrell Ballot writeup was generated
2015-08-10
03 Stephen Farrell IESG state changed to Last Call Requested from Publication Requested
2015-08-10
03 Stephen Farrell Last call announcement was generated
2015-08-10
03 Stephen Farrell IESG state changed to Publication Requested from AD is watching
2015-07-04
03 Rich Salz
1. This is an informational RFC, as indicated in the page header. It is documenting an algorithm in common use; having it as an informational …
1. This is an informational RFC, as indicated in the page header. It is documenting an algorithm in common use; having it as an informational RFC removes a barrier to more widespread IETF adoption.

2a Technical Summary: This document specifies the password-based key derivation function scrypt.  The function derives one or more secret keys from a secret string.  It is based on memory-hard functions which offer added protection against attacks using custom hardware.
2B Working Group Summary: This was an individual effort to document an external algorithm. It was presented at the CFRG in IETF-92; there is no controversy.
2C Document Quality: It is a good, well-written document; it includes test vectors.  An interoperable implementation was written for OpenSSL based on this document.
2D Personal: Stephen Farrell is AD; Rich Salz is the shepherd

3. I did a careful reading of the document.  I examined an ran the OpenSSL code.  I did not very all the test vectors for all the crypto suites.

4. I strongly believe this document is ready to be published and doing so will be of benefit to the IETF community.

5. The algorithm is fairly well known, and no other review is needed. The primary concern is if the document is sufficient to write an implementation, and we have proof of that.

6. I am not aware of any concerns.

7. There are no outstanding IPR issues.

8. There are no IPR disclosures related to this document.

9. Those who have an opinion are in favor; no objections have been brought forth.

10. I am not aware of any discontent.

11.  idnits flagged the use of some RFC 2119 keywords, but that is mistaken
since they are part of the ASN.1  There are no other errors.

12.  There are no formal review criteria that need to be met.

13.  All references are properly identified as normative or informative.

14.  Of the normative references, two are RFC's, and two are PDF's of crypto papers, with links.  At some point, a diligent author may want to perform a similar activity to "RFC'ize the algorithm" of those papers, but this is not required.

15. There are no downward normative references.

16. No existing RFC is impacted by the publication of this document.

17. The "IANA Considerations" says "None"

18. There are no new registries.

19.  The only potential machine-readable part of the document is the ASN.1, which was carefully reviewed by hand.  I would object to the inconsistent placement of the curly braces, but that is all. :)
2015-06-29
03 Stephen Farrell IESG process started in state AD is watching
2015-06-29
03 Stephen Farrell Shepherding AD changed to Stephen Farrell
2015-06-29
03 Stephen Farrell Intended Status changed to Informational from None
2015-06-29
03 Stephen Farrell Stream changed to IETF from None
2015-06-29
03 Stephen Farrell Notification list changed to "Rich Salz" <rsalz@akamai.com>
2015-06-29
03 Stephen Farrell Document shepherd changed to Rich Salz
2015-05-12
03 Simon Josefsson New version available: draft-josefsson-scrypt-kdf-03.txt
2015-01-26
02 Simon Josefsson New version available: draft-josefsson-scrypt-kdf-02.txt
2012-09-24
01 Simon Josefsson New version available: draft-josefsson-scrypt-kdf-01.txt
2012-09-17
00 Simon Josefsson New version available: draft-josefsson-scrypt-kdf-00.txt