1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package scrypt implements the scrypt key derivation function as defined in
6 // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
7 // Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
8 package scrypt // import "golang.org/x/crypto/scrypt"
14 "golang.org/x/crypto/pbkdf2"
17 const maxInt = int(^uint(0) >> 1)
19 // blockCopy copies n numbers from src into dst.
20 func blockCopy(dst, src []uint32, n int) {
24 // blockXOR XORs numbers from dst with n numbers from src.
25 func blockXOR(dst, src []uint32, n int) {
26 for i, v := range src[:n] {
31 // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
32 // and puts the result into both both tmp and out.
33 func salsaXOR(tmp *[16]uint32, in, out []uint32) {
44 w10 := tmp[10] ^ in[10]
45 w11 := tmp[11] ^ in[11]
46 w12 := tmp[12] ^ in[12]
47 w13 := tmp[13] ^ in[13]
48 w14 := tmp[14] ^ in[14]
49 w15 := tmp[15] ^ in[15]
51 x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
52 x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
54 for i := 0; i < 8; i += 2 {
56 x4 ^= u<<7 | u>>(32-7)
58 x8 ^= u<<9 | u>>(32-9)
60 x12 ^= u<<13 | u>>(32-13)
62 x0 ^= u<<18 | u>>(32-18)
65 x9 ^= u<<7 | u>>(32-7)
67 x13 ^= u<<9 | u>>(32-9)
69 x1 ^= u<<13 | u>>(32-13)
71 x5 ^= u<<18 | u>>(32-18)
74 x14 ^= u<<7 | u>>(32-7)
76 x2 ^= u<<9 | u>>(32-9)
78 x6 ^= u<<13 | u>>(32-13)
80 x10 ^= u<<18 | u>>(32-18)
83 x3 ^= u<<7 | u>>(32-7)
85 x7 ^= u<<9 | u>>(32-9)
87 x11 ^= u<<13 | u>>(32-13)
89 x15 ^= u<<18 | u>>(32-18)
92 x1 ^= u<<7 | u>>(32-7)
94 x2 ^= u<<9 | u>>(32-9)
96 x3 ^= u<<13 | u>>(32-13)
98 x0 ^= u<<18 | u>>(32-18)
101 x6 ^= u<<7 | u>>(32-7)
103 x7 ^= u<<9 | u>>(32-9)
105 x4 ^= u<<13 | u>>(32-13)
107 x5 ^= u<<18 | u>>(32-18)
110 x11 ^= u<<7 | u>>(32-7)
112 x8 ^= u<<9 | u>>(32-9)
114 x9 ^= u<<13 | u>>(32-13)
116 x10 ^= u<<18 | u>>(32-18)
119 x12 ^= u<<7 | u>>(32-7)
121 x13 ^= u<<9 | u>>(32-9)
123 x14 ^= u<<13 | u>>(32-13)
125 x15 ^= u<<18 | u>>(32-18)
144 out[0], tmp[0] = x0, x0
145 out[1], tmp[1] = x1, x1
146 out[2], tmp[2] = x2, x2
147 out[3], tmp[3] = x3, x3
148 out[4], tmp[4] = x4, x4
149 out[5], tmp[5] = x5, x5
150 out[6], tmp[6] = x6, x6
151 out[7], tmp[7] = x7, x7
152 out[8], tmp[8] = x8, x8
153 out[9], tmp[9] = x9, x9
154 out[10], tmp[10] = x10, x10
155 out[11], tmp[11] = x11, x11
156 out[12], tmp[12] = x12, x12
157 out[13], tmp[13] = x13, x13
158 out[14], tmp[14] = x14, x14
159 out[15], tmp[15] = x15, x15
162 func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
163 blockCopy(tmp[:], in[(2*r-1)*16:], 16)
164 for i := 0; i < 2*r; i += 2 {
165 salsaXOR(tmp, in[i*16:], out[i*8:])
166 salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
170 func integer(b []uint32, r int) uint64 {
172 return uint64(b[j]) | uint64(b[j+1])<<32
175 func smix(b []byte, r, N int, v, xy []uint32) {
181 for i := 0; i < 32*r; i++ {
182 x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24
185 for i := 0; i < N; i += 2 {
186 blockCopy(v[i*(32*r):], x, 32*r)
187 blockMix(&tmp, x, y, r)
189 blockCopy(v[(i+1)*(32*r):], y, 32*r)
190 blockMix(&tmp, y, x, r)
192 for i := 0; i < N; i += 2 {
193 j := int(integer(x, r) & uint64(N-1))
194 blockXOR(x, v[j*(32*r):], 32*r)
195 blockMix(&tmp, x, y, r)
197 j = int(integer(y, r) & uint64(N-1))
198 blockXOR(y, v[j*(32*r):], 32*r)
199 blockMix(&tmp, y, x, r)
202 for _, v := range x[:32*r] {
203 b[j+0] = byte(v >> 0)
204 b[j+1] = byte(v >> 8)
205 b[j+2] = byte(v >> 16)
206 b[j+3] = byte(v >> 24)
211 // Key derives a key from the password, salt, and cost parameters, returning
212 // a byte slice of length keyLen that can be used as cryptographic key.
214 // N is a CPU/memory cost parameter, which must be a power of two greater than 1.
215 // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
216 // limits, the function returns a nil byte slice and an error.
218 // For example, you can get a derived key for e.g. AES-256 (which needs a
219 // 32-byte key) by doing:
221 // dk, err := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32)
223 // The recommended parameters for interactive logins as of 2009 are N=16384,
224 // r=8, p=1. They should be increased as memory latency and CPU parallelism
225 // increases. Remember to get a good random salt.
226 func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
227 if N <= 1 || N&(N-1) != 0 {
228 return nil, errors.New("scrypt: N must be > 1 and a power of 2")
230 if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
231 return nil, errors.New("scrypt: parameters are too large")
234 xy := make([]uint32, 64*r)
235 v := make([]uint32, 32*N*r)
236 b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
238 for i := 0; i < p; i++ {
239 smix(b[i*128*r:], r, N, v, xy)
242 return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil