Using Bcrypt rather than Scrypt ?

arthaud

Hi, thanks for Spectre !

I'm asking myself, what are reasons to use scrypt rather than bcrypt or argon2 ?

(I'm coding the spectre algorithm on Php, and I found that scrypt wasn't supported by default, but bcrypt yes)

lhunath

Thanks for asking. The reason is that scrypt is a KDF designed specifically to be memory-hard, rather than CPU-hard. When choosing a KDF, you are deliberately making the process more expensive; the question is how. Typically, this is done by making the process last longer through using a deliberate excessive amount of CPU time. The down-side of CPU time is that it is quite cheap to scale up. An attacker can purchase additional hardware to scale up in an attempt to overcome the security bottleneck relatively inexpensively. Scrypt was designed to be deliberately both CPU and memory hard. As such, the requirement for attempting to overcome the security bottleneck is much higher, especially in light of memory being more expensive than processing.

arthaud

Thank you for your reply !

I understand now. Moreover a friend explained to me how to bruteforce low memory KDF with FPGA, made my day to learn all this stuff !

I read some comparisons and I found that that argon2 is memory hard too. Could it replace scrypt in this case ?
(eg of comparison https://libpasta.github.io/technical-details/algorithm-choice/)

If yes, what made you choose scrypt at master password creation ?

lhunath

[unknown] Argon2 is a great solution too, I'd choose it primarily for non-interactive applications where the performance of the algorithm at the moment of demand is less important. It may matter less in present-day chips, but was a noteworthy concern when the algorithm was developed in 2011.