Recommending larger values in 2021
I have noticed the values kept being from 2017, despite single-core
performance getting faster, for example with Apple's ARM M1 offering.

So, I re-tested the N parameter, with the code from here

https://blog.filippo.io/the-scrypt-parameters/

The results, on M1 MacBook Air:

N = 2^14        26ms
N = 2^15        53ms
N = 2^16        108ms
N = 2^17        219ms
N = 2^18        441ms
N = 2^19        901ms
N = 2^20        1778ms
N = 2^21        3675ms
N = 2^22        7530ms

Strictly speaking, it should be 2^15, but this is an entry-level laptop and 108 ms is almost 100, so I increased N.

I do not really understand r, but, according to this discussion

https://news.ycombinator.com/item?id=25660467

M1 has double cache line size, so I doubled r.

I don't really expect this to be accepted I guess - IETF still recommends the lower values, in 2021 -
https://tools.ietf.org/id/draft-ietf-kitten-password-storage-01.html -
but I guess to open a discussion?
Karel Bilek committed May 17, 2021
1 parent c07d793 commit 1785640
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions scrypt/example_test.go
Expand Up @@ -17,10 +17,10 @@ func Example() {
// a good length.
salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}

dk, err := scrypt.Key([]byte("some password"), salt, 1<<15, 8, 1, 32)
dk, err := scrypt.Key([]byte("some password"), salt, 1<<16, 16, 1, 32)
if err != nil {
log.Fatal(err)
}
fmt.Println(base64.StdEncoding.EncodeToString(dk))
// Output: lGnMz8io0AUkfzn6Pls1qX20Vs7PGN6sbYQ2TQgY12M=
// Output: SN1H87PQBv+kqA/tgX2P3rTpjTAle3RvdIewISgjWM8=
}
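Review bot: In `Example()`, the new call `scrypt.Key([]byte("some password"), salt, 1<<16, 16, 1, 32)` raises N and r together, and nothing in the example says what that costs in memory. scrypt's working memory is roughly 128*N*r bytes, so the call goes from 32 MiB (N=2^15, r=8) to 128 MiB per derivation, which matters to anyone copying this example into a service that handles concurrent logins. Suggest adding a comment beside the call that states the memory cost, or raising only N here, since the timings in the commit message are listed per N and none is given for r=16.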
4 changes: 2 additions & 2 deletions scrypt/scrypt.go
Expand Up @@ -186,9 +186,9 @@ func smix(b []byte, r, N int, v, xy []uint32) {
// For example, you can get a derived key for e.g. AES-256 (which needs a
// 32-byte key) by doing:
//
// dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32)
// dk, err := scrypt.Key([]byte("some password"), salt, 65536, 16, 1, 32)
//
// The recommended parameters for interactive logins as of 2017 are N=32768, r=8
// The recommended parameters for interactive logins as of 2021 are N=65536, r=16
// and p=1. The parameters N, r, and p should be increased as memory latency and
// CPU parallelism increases; consider setting N to the highest power of 2 you
// can derive within 100 milliseconds. Remember to get a good random salt.
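Review bot: The changed comment line "The recommended parameters for interactive logins as of 2021 are N=65536, r=16" does not agree with the unchanged guidance just below it to set N to the highest power of 2 that can be derived within 100 milliseconds. The commit message measures N=2^16 at 108 ms on a single M1 MacBook Air, already over that budget, and reports no timing with r doubled; the r change rests on a cache-line argument that the message itself says is not well understood. Suggest either leaving r=8 until timings that include r=16 on more than one machine are recorded, or rewording the comment so the numbers read as a starting point to benchmark on the target hardware rather than a general recommendation.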