├── AUTHORS ├── CONTRIBUTORS ├── LICENSE ├── README ├── scrypt.go └── scrypt_test.go /AUTHORS: -------------------------------------------------------------------------------- 1 | # This source code refers to The Go Authors for copyright purposes. 2 | # The master list of authors is in the main Go distribution, 3 | # visible at http://tip.golang.org/AUTHORS. 4 | -------------------------------------------------------------------------------- /CONTRIBUTORS: -------------------------------------------------------------------------------- 1 | # This source code was written by the Go contributors. 2 | # The master list of contributors is in the main Go distribution, 3 | # visible at http://tip.golang.org/CONTRIBUTORS. 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2009-2013 The Go Authors. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above 10 | copyright notice, this list of conditions and the following disclaimer 11 | in the documentation and/or other materials provided with the 12 | distribution. 13 | * Neither the name of Google Inc. nor the names of its 14 | contributors may be used to endorse or promote products derived from 15 | this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | !!! NOTE !!! 2 | 3 | Official go.crypto repository now includes scrypt implementation. 4 | (http://code.google.com/p/go/source/detail?r=ad8a96e038bb&repo=crypto) 5 | Please use it instead of this one, as it will be supported there. 6 | 7 | Link: http://code.google.com/p/go/source/browse?repo=crypto 8 | 9 | It is compatible with this implementation, so to switch to it, 10 | just change the import path to "code.google.com/p/go.crypto/scrypt". 11 | 12 | !!! 13 | 14 | Go implementation of scrypt key derivation function. 15 | (http://www.tarsnap.com/scrypt.html) 16 | 17 | INSTALLATION 18 | 19 | $ go get github.com/dchest/scrypt 20 | 21 | PACKAGE 22 | import "github.com/dchest/scrypt" 23 | 24 | Package scrypt implements the scrypt key derivation function as defined 25 | in Colin Percival's paper "Stronger Key Derivation via Sequential 26 | Memory-Hard Functions". 27 | 28 | FUNCTIONS 29 | 30 | func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) 31 | 32 | Key derives a key from the password, salt and cost parameters, returning 33 | a byte slice of length keyLen that can be used as cryptographic key. 34 | 35 | N is a CPU/memory cost parameter, must be a power of two greater than 1. 36 | r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the 37 | limits, the function returns a nil byte slice and an error. 38 | 39 | For example, you can get a derived key for e.g. AES-256 (which needs a 40 | 32-byte key) by doing: 41 | 42 | dk := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32) 43 | 44 | The recommended parameters for interactive logins as of 2009 are N=16384, 45 | r=8, p=1. They should be increased as memory latency and CPU parallelism 46 | increases. Remember to get a good random salt. 47 | 48 | KEYWORDS 49 | 50 | go, golang, scrypt, kdf 51 | 52 | -------------------------------------------------------------------------------- /scrypt.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // Package scrypt implements the scrypt key derivation function as defined in 6 | // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard 7 | // Functions" (http://www.tarsnap.com/scrypt/scrypt.pdf). 8 | package scrypt 9 | 10 | import ( 11 | "crypto/sha256" 12 | "errors" 13 | 14 | "code.google.com/p/go.crypto/pbkdf2" 15 | ) 16 | 17 | const maxInt = int(^uint(0) >> 1) 18 | 19 | // blockCopy copies n numbers from src into dst. 20 | func blockCopy(dst, src []uint32, n int) { 21 | copy(dst, src[:n]) 22 | } 23 | 24 | // blockXOR XORs numbers from dst with n numbers from src. 25 | func blockXOR(dst, src []uint32, n int) { 26 | for i, v := range src[:n] { 27 | dst[i] ^= v 28 | } 29 | } 30 | 31 | // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in, 32 | // and puts the result into both both tmp and out. 33 | func salsaXOR(tmp *[16]uint32, in, out []uint32) { 34 | w0 := tmp[0] ^ in[0] 35 | w1 := tmp[1] ^ in[1] 36 | w2 := tmp[2] ^ in[2] 37 | w3 := tmp[3] ^ in[3] 38 | w4 := tmp[4] ^ in[4] 39 | w5 := tmp[5] ^ in[5] 40 | w6 := tmp[6] ^ in[6] 41 | w7 := tmp[7] ^ in[7] 42 | w8 := tmp[8] ^ in[8] 43 | w9 := tmp[9] ^ in[9] 44 | w10 := tmp[10] ^ in[10] 45 | w11 := tmp[11] ^ in[11] 46 | w12 := tmp[12] ^ in[12] 47 | w13 := tmp[13] ^ in[13] 48 | w14 := tmp[14] ^ in[14] 49 | w15 := tmp[15] ^ in[15] 50 | 51 | x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8 52 | x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15 53 | 54 | for i := 0; i < 8; i += 2 { 55 | u := x0 + x12 56 | x4 ^= u<<7 | u>>(32-7) 57 | u = x4 + x0 58 | x8 ^= u<<9 | u>>(32-9) 59 | u = x8 + x4 60 | x12 ^= u<<13 | u>>(32-13) 61 | u = x12 + x8 62 | x0 ^= u<<18 | u>>(32-18) 63 | 64 | u = x5 + x1 65 | x9 ^= u<<7 | u>>(32-7) 66 | u = x9 + x5 67 | x13 ^= u<<9 | u>>(32-9) 68 | u = x13 + x9 69 | x1 ^= u<<13 | u>>(32-13) 70 | u = x1 + x13 71 | x5 ^= u<<18 | u>>(32-18) 72 | 73 | u = x10 + x6 74 | x14 ^= u<<7 | u>>(32-7) 75 | u = x14 + x10 76 | x2 ^= u<<9 | u>>(32-9) 77 | u = x2 + x14 78 | x6 ^= u<<13 | u>>(32-13) 79 | u = x6 + x2 80 | x10 ^= u<<18 | u>>(32-18) 81 | 82 | u = x15 + x11 83 | x3 ^= u<<7 | u>>(32-7) 84 | u = x3 + x15 85 | x7 ^= u<<9 | u>>(32-9) 86 | u = x7 + x3 87 | x11 ^= u<<13 | u>>(32-13) 88 | u = x11 + x7 89 | x15 ^= u<<18 | u>>(32-18) 90 | 91 | u = x0 + x3 92 | x1 ^= u<<7 | u>>(32-7) 93 | u = x1 + x0 94 | x2 ^= u<<9 | u>>(32-9) 95 | u = x2 + x1 96 | x3 ^= u<<13 | u>>(32-13) 97 | u = x3 + x2 98 | x0 ^= u<<18 | u>>(32-18) 99 | 100 | u = x5 + x4 101 | x6 ^= u<<7 | u>>(32-7) 102 | u = x6 + x5 103 | x7 ^= u<<9 | u>>(32-9) 104 | u = x7 + x6 105 | x4 ^= u<<13 | u>>(32-13) 106 | u = x4 + x7 107 | x5 ^= u<<18 | u>>(32-18) 108 | 109 | u = x10 + x9 110 | x11 ^= u<<7 | u>>(32-7) 111 | u = x11 + x10 112 | x8 ^= u<<9 | u>>(32-9) 113 | u = x8 + x11 114 | x9 ^= u<<13 | u>>(32-13) 115 | u = x9 + x8 116 | x10 ^= u<<18 | u>>(32-18) 117 | 118 | u = x15 + x14 119 | x12 ^= u<<7 | u>>(32-7) 120 | u = x12 + x15 121 | x13 ^= u<<9 | u>>(32-9) 122 | u = x13 + x12 123 | x14 ^= u<<13 | u>>(32-13) 124 | u = x14 + x13 125 | x15 ^= u<<18 | u>>(32-18) 126 | } 127 | x0 += w0 128 | x1 += w1 129 | x2 += w2 130 | x3 += w3 131 | x4 += w4 132 | x5 += w5 133 | x6 += w6 134 | x7 += w7 135 | x8 += w8 136 | x9 += w9 137 | x10 += w10 138 | x11 += w11 139 | x12 += w12 140 | x13 += w13 141 | x14 += w14 142 | x15 += w15 143 | 144 | out[0], tmp[0] = x0, x0 145 | out[1], tmp[1] = x1, x1 146 | out[2], tmp[2] = x2, x2 147 | out[3], tmp[3] = x3, x3 148 | out[4], tmp[4] = x4, x4 149 | out[5], tmp[5] = x5, x5 150 | out[6], tmp[6] = x6, x6 151 | out[7], tmp[7] = x7, x7 152 | out[8], tmp[8] = x8, x8 153 | out[9], tmp[9] = x9, x9 154 | out[10], tmp[10] = x10, x10 155 | out[11], tmp[11] = x11, x11 156 | out[12], tmp[12] = x12, x12 157 | out[13], tmp[13] = x13, x13 158 | out[14], tmp[14] = x14, x14 159 | out[15], tmp[15] = x15, x15 160 | } 161 | 162 | func blockMix(tmp *[16]uint32, in, out []uint32, r int) { 163 | blockCopy(tmp[:], in[(2*r-1)*16:], 16) 164 | for i := 0; i < 2*r; i += 2 { 165 | salsaXOR(tmp, in[i*16:], out[i*8:]) 166 | salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:]) 167 | } 168 | } 169 | 170 | func integer(b []uint32, r int) uint64 { 171 | j := (2*r - 1) * 16 172 | return uint64(b[j]) | uint64(b[j+1])<<32 173 | } 174 | 175 | func smix(b []byte, r, N int, v, xy []uint32) { 176 | var tmp [16]uint32 177 | x := xy 178 | y := xy[32*r:] 179 | 180 | j := 0 181 | for i := 0; i < 32*r; i++ { 182 | x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24 183 | j += 4 184 | } 185 | for i := 0; i < N; i += 2 { 186 | blockCopy(v[i*(32*r):], x, 32*r) 187 | blockMix(&tmp, x, y, r) 188 | 189 | blockCopy(v[(i+1)*(32*r):], y, 32*r) 190 | blockMix(&tmp, y, x, r) 191 | } 192 | for i := 0; i < N; i += 2 { 193 | j := int(integer(x, r) & uint64(N-1)) 194 | blockXOR(x, v[j*(32*r):], 32*r) 195 | blockMix(&tmp, x, y, r) 196 | 197 | j = int(integer(y, r) & uint64(N-1)) 198 | blockXOR(y, v[j*(32*r):], 32*r) 199 | blockMix(&tmp, y, x, r) 200 | } 201 | j = 0 202 | for _, v := range x[:32*r] { 203 | b[j+0] = byte(v >> 0) 204 | b[j+1] = byte(v >> 8) 205 | b[j+2] = byte(v >> 16) 206 | b[j+3] = byte(v >> 24) 207 | j += 4 208 | } 209 | } 210 | 211 | // Key derives a key from the password, salt, and cost parameters, returning 212 | // a byte slice of length keyLen that can be used as cryptographic key. 213 | // 214 | // N is a CPU/memory cost parameter, which must be a power of two greater than 1. 215 | // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the 216 | // limits, the function returns a nil byte slice and an error. 217 | // 218 | // For example, you can get a derived key for e.g. AES-256 (which needs a 219 | // 32-byte key) by doing: 220 | // 221 | // dk := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32) 222 | // 223 | // The recommended parameters for interactive logins as of 2009 are N=16384, 224 | // r=8, p=1. They should be increased as memory latency and CPU parallelism 225 | // increases. Remember to get a good random salt. 226 | func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) { 227 | if N <= 1 || N&(N-1) != 0 { 228 | return nil, errors.New("scrypt: N must be > 1 and a power of 2") 229 | } 230 | if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r { 231 | return nil, errors.New("scrypt: parameters are too large") 232 | } 233 | 234 | xy := make([]uint32, 64*r) 235 | v := make([]uint32, 32*N*r) 236 | b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New) 237 | 238 | for i := 0; i < p; i++ { 239 | smix(b[i*128*r:], r, N, v, xy) 240 | } 241 | 242 | return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil 243 | } 244 | -------------------------------------------------------------------------------- /scrypt_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | package scrypt 6 | 7 | import ( 8 | "bytes" 9 | "testing" 10 | ) 11 | 12 | type testVector struct { 13 | password string 14 | salt string 15 | N, r, p int 16 | output []byte 17 | } 18 | 19 | var good = []testVector{ 20 | { 21 | "password", 22 | "salt", 23 | 2, 10, 10, 24 | []byte{ 25 | 0x48, 0x2c, 0x85, 0x8e, 0x22, 0x90, 0x55, 0xe6, 0x2f, 26 | 0x41, 0xe0, 0xec, 0x81, 0x9a, 0x5e, 0xe1, 0x8b, 0xdb, 27 | 0x87, 0x25, 0x1a, 0x53, 0x4f, 0x75, 0xac, 0xd9, 0x5a, 28 | 0xc5, 0xe5, 0xa, 0xa1, 0x5f, 29 | }, 30 | }, 31 | { 32 | "password", 33 | "salt", 34 | 16, 100, 100, 35 | []byte{ 36 | 0x88, 0xbd, 0x5e, 0xdb, 0x52, 0xd1, 0xdd, 0x0, 0x18, 37 | 0x87, 0x72, 0xad, 0x36, 0x17, 0x12, 0x90, 0x22, 0x4e, 38 | 0x74, 0x82, 0x95, 0x25, 0xb1, 0x8d, 0x73, 0x23, 0xa5, 39 | 0x7f, 0x91, 0x96, 0x3c, 0x37, 40 | }, 41 | }, 42 | { 43 | "this is a long \000 password", 44 | "and this is a long \000 salt", 45 | 16384, 8, 1, 46 | []byte{ 47 | 0xc3, 0xf1, 0x82, 0xee, 0x2d, 0xec, 0x84, 0x6e, 0x70, 48 | 0xa6, 0x94, 0x2f, 0xb5, 0x29, 0x98, 0x5a, 0x3a, 0x09, 49 | 0x76, 0x5e, 0xf0, 0x4c, 0x61, 0x29, 0x23, 0xb1, 0x7f, 50 | 0x18, 0x55, 0x5a, 0x37, 0x07, 0x6d, 0xeb, 0x2b, 0x98, 51 | 0x30, 0xd6, 0x9d, 0xe5, 0x49, 0x26, 0x51, 0xe4, 0x50, 52 | 0x6a, 0xe5, 0x77, 0x6d, 0x96, 0xd4, 0x0f, 0x67, 0xaa, 53 | 0xee, 0x37, 0xe1, 0x77, 0x7b, 0x8a, 0xd5, 0xc3, 0x11, 54 | 0x14, 0x32, 0xbb, 0x3b, 0x6f, 0x7e, 0x12, 0x64, 0x40, 55 | 0x18, 0x79, 0xe6, 0x41, 0xae, 56 | }, 57 | }, 58 | { 59 | "p", 60 | "s", 61 | 2, 1, 1, 62 | []byte{ 63 | 0x48, 0xb0, 0xd2, 0xa8, 0xa3, 0x27, 0x26, 0x11, 0x98, 64 | 0x4c, 0x50, 0xeb, 0xd6, 0x30, 0xaf, 0x52, 65 | }, 66 | }, 67 | 68 | { 69 | "", 70 | "", 71 | 16, 1, 1, 72 | []byte{ 73 | 0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20, 0x3b, 74 | 0x19, 0xca, 0x42, 0xc1, 0x8a, 0x04, 0x97, 0xf1, 0x6b, 75 | 0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8, 0xdf, 0xdf, 0xfa, 76 | 0x3f, 0xed, 0xe2, 0x14, 0x42, 0xfc, 0xd0, 0x06, 0x9d, 77 | 0xed, 0x09, 0x48, 0xf8, 0x32, 0x6a, 0x75, 0x3a, 0x0f, 78 | 0xc8, 0x1f, 0x17, 0xe8, 0xd3, 0xe0, 0xfb, 0x2e, 0x0d, 79 | 0x36, 0x28, 0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89, 80 | 0x06, 81 | }, 82 | }, 83 | { 84 | "password", 85 | "NaCl", 86 | 1024, 8, 16, 87 | []byte{ 88 | 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, 0x78, 89 | 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, 0x7c, 0x6a, 90 | 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, 0xe7, 0x73, 0x76, 91 | 0x63, 0x4b, 0x37, 0x31, 0x62, 0x2e, 0xaf, 0x30, 0xd9, 92 | 0x2e, 0x22, 0xa3, 0x88, 0x6f, 0xf1, 0x09, 0x27, 0x9d, 93 | 0x98, 0x30, 0xda, 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 94 | 0xee, 0x6d, 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 95 | 0x40, 96 | }, 97 | }, 98 | { 99 | "pleaseletmein", "SodiumChloride", 100 | 16384, 8, 1, 101 | []byte{ 102 | 0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48, 0x46, 103 | 0x1c, 0x06, 0xcd, 0x81, 0xfd, 0x38, 0xeb, 0xfd, 0xa8, 104 | 0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e, 0xa9, 0xb5, 0x43, 105 | 0xf6, 0x54, 0x5d, 0xa1, 0xf2, 0xd5, 0x43, 0x29, 0x55, 106 | 0x61, 0x3f, 0x0f, 0xcf, 0x62, 0xd4, 0x97, 0x05, 0x24, 107 | 0x2a, 0x9a, 0xf9, 0xe6, 0x1e, 0x85, 0xdc, 0x0d, 0x65, 108 | 0x1e, 0x40, 0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58, 109 | 0x87, 110 | }, 111 | }, 112 | /* 113 | // Disabled: needs 1 GiB RAM and takes too long for a simple test. 114 | { 115 | "pleaseletmein", "SodiumChloride", 116 | 1048576, 8, 1, 117 | []byte{ 118 | 0x21, 0x01, 0xcb, 0x9b, 0x6a, 0x51, 0x1a, 0xae, 0xad, 119 | 0xdb, 0xbe, 0x09, 0xcf, 0x70, 0xf8, 0x81, 0xec, 0x56, 120 | 0x8d, 0x57, 0x4a, 0x2f, 0xfd, 0x4d, 0xab, 0xe5, 0xee, 121 | 0x98, 0x20, 0xad, 0xaa, 0x47, 0x8e, 0x56, 0xfd, 0x8f, 122 | 0x4b, 0xa5, 0xd0, 0x9f, 0xfa, 0x1c, 0x6d, 0x92, 0x7c, 123 | 0x40, 0xf4, 0xc3, 0x37, 0x30, 0x40, 0x49, 0xe8, 0xa9, 124 | 0x52, 0xfb, 0xcb, 0xf4, 0x5c, 0x6f, 0xa7, 0x7a, 0x41, 125 | 0xa4, 126 | }, 127 | }, 128 | */ 129 | } 130 | 131 | var bad = []testVector{ 132 | {"p", "s", 0, 1, 1, nil}, // N == 0 133 | {"p", "s", 1, 1, 1, nil}, // N == 1 134 | {"p", "s", 7, 8, 1, nil}, // N is not power of 2 135 | {"p", "s", 16, maxInt / 2, maxInt / 2, nil}, // p * r too large 136 | } 137 | 138 | func TestKey(t *testing.T) { 139 | for i, v := range good { 140 | k, err := Key([]byte(v.password), []byte(v.salt), v.N, v.r, v.p, len(v.output)) 141 | if err != nil { 142 | t.Errorf("%d: got unexpected error: %s", i, err) 143 | } 144 | if !bytes.Equal(k, v.output) { 145 | t.Errorf("%d: expected %x, got %x", i, v.output, k) 146 | } 147 | } 148 | for i, v := range bad { 149 | _, err := Key([]byte(v.password), []byte(v.salt), v.N, v.r, v.p, 32) 150 | if err == nil { 151 | t.Errorf("%d: expected error, got nil", i) 152 | } 153 | } 154 | } 155 | 156 | func BenchmarkKey(b *testing.B) { 157 | for i := 0; i < b.N; i++ { 158 | Key([]byte("password"), []byte("salt"), 16384, 8, 1, 64) 159 | } 160 | } 161 | --------------------------------------------------------------------------------