{"id":20135979,"url":"https://github.com/openwall/yescrypt","last_synced_at":"2025-04-05T10:08:10.500Z","repository":{"id":41867771,"uuid":"328225284","full_name":"openwall/yescrypt","owner":"openwall","description":"Password-based key derivation function and password hashing scheme building upon scrypt","archived":false,"fork":false,"pushed_at":"2025-03-09T02:23:06.000Z","size":420,"stargazers_count":152,"open_issues_count":2,"forks_count":11,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-03-29T09:09:57.907Z","etag":null,"topics":["hash","hashing","kdf","password","pbkdf","scrypt","security"],"latest_commit_sha":null,"homepage":"https://www.openwall.com/yescrypt/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openwall.png","metadata":{"files":{"readme":"README","changelog":"CHANGES","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-09T18:56:49.000Z","updated_at":"2025-03-19T01:23:05.000Z","dependencies_parsed_at":"2022-07-16T18:46:11.155Z","dependency_job_id":null,"html_url":"https://github.com/openwall/yescrypt","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fyescrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fyescrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fyescrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fyescrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openwall","download_url":"https://codeload.github.com/openwall/yescrypt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247318744,"owners_count":20919484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hash","hashing","kdf","password","pbkdf","scrypt","security"],"created_at":"2024-11-13T21:17:12.919Z","updated_at":"2025-04-05T10:08:10.482Z","avatar_url":"https://github.com/openwall.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\tWhat is yescrypt?\n\nyescrypt is a password-based key derivation function (KDF) and password\nhashing scheme.  It builds upon Colin Percival's scrypt.  This\nimplementation is able to compute native yescrypt hashes as well as\nclassic scrypt.\n\nAs of this writing, yescrypt is the default password hashing scheme on\nrecent ALT Linux, Arch Linux, Debian 11+, Fedora 35+, Kali Linux 2021.1+,\nand Ubuntu 22.04+.  It is also supported in Fedora 29+, RHEL 9+, and\nUbuntu 20.04+, and is recommended for new passwords in Fedora CoreOS.\n\n\n\tWhy yescrypt?\n\nLike it or not, password authentication remains relevant (including as\none of several authentication factors), password hash database leaks\nhappen, the leaks are not always detected and fully dealt with right\naway, and even once they are many users' same or similar passwords\nreused elsewhere remain exposed.  To mitigate these risks (as well as\nthose present in other scenarios where password-based key derivation or\npassword hashing is relevant), computationally expensive (bcrypt,\nPBKDF2, etc.) and more recently also memory-hard (scrypt, Argon2, etc.)\npassword hashing schemes have been introduced.  Unfortunately, at high\ntarget throughput and/or low target latency their memory usage is\nunreasonably low, up to the point where they're not obviously better\nthan the much older bcrypt (considering attackers with pre-existing\nhardware).  This is a primary drawback that yescrypt addresses.\n\nMost notable for large-scale deployments is yescrypt's optional\ninitialization and reuse of a large lookup table, typically occupying\nat least tens of gigabytes of RAM and essentially forming a\nsite-specific ROM.  This limits attackers' use of pre-existing hardware\nsuch as botnet nodes.\n\nyescrypt's other changes from scrypt additionally slow down GPUs and to\na lesser extent FPGAs and ASICs even when its memory usage is low and\neven when there's no ROM, and provide extra knobs and built-in features.\n\nTechnically, yescrypt is the most scalable password hashing scheme so\nfar, providing near-optimal security from offline password cracking\nacross the whole range from kilobytes to terabytes and beyond.  However,\nthe price for this is complexity, and we recognize that complexity is a\nmajor drawback of any software.  Thus, at this time we focus on\nlarge-scale deployments, where the added complexity is relatively small\ncompared to the total complexity of the authentication service setup.\nFor smaller deployments, bcrypt with its simplicity and existing library\nsupport is a reasonable short-term choice (although we're making\nprogress towards more efficient FPGA attacks on bcrypt under a separate\nproject).  We might introduce a cut-down yescrypt-lite later or/and\nyescrypt might become part of standard or popular libraries, making it\nmore suitable for smaller deployments as well.\n\n\n\tParameter selection.\n\nPlease refer to PARAMETERS for guidelines on parameter selection and the\ncurrently recommended parameter sets by use case (password hashing with\nor without a ROM, and KDF).\n\n\n\tPerformance.\n\nPlease refer to PERFORMANCE for example setup and benchmarks relevant to\nthe mass user authentication use case.\n\nThe test system is a server (kindly provided by Packet.net) with dual\nXeon Gold 5120 CPUs (2.2 GHz, turbo to up to 3.2 GHz) and 384 GiB RAM\n(12x DDR4-2400 ECC Reg).  These CPUs have 14 cores and 6 memory channels\neach, for a total of 28 physical cores, 56 logical CPUs (HT is enabled),\nand 12 memory channels.\n\nSome highlights: initialization of a 368 GiB ROM takes 22 seconds (to\nbe done on server bootup), and while using the ROM we're able to compute\nover 21k, over 10k, or around 1200 hashes per second with per-hash RAM\nusage of 1.4375 MiB, 2.875 MiB, or 23 MiB, respectively.\n\nWhen not using a ROM, we're able to compute over 21k, over 10k, or\naround 1200 hashes per second with per-hash RAM usage of 2 MiB, 4 MiB,\nor 32 MiB, respectively.\n\n\n\tComparison to scrypt and Argon2.\n\nyescrypt's advantages:\n\n + Greater resistance to offline attacks\n + Extra optional built-in features\n + Cryptographic security provided by NIST-approved primitives\n + SHA-256, HMAC, PBKDF2, and scrypt are usable from the same codebase\n\nyescrypt's drawbacks:\n\n - Complex\n - Cache-timing unsafe (like scrypt and Argon2d, but unlike Argon2i)\n - Not the PHC winner (Argon2 is), but is merely a \"special recognition\"\n - Supported in fewer third-party projects\n\nPlease refer to COMPARISON for a lot more detail and other observations.\n\n\n\tA note on cryptocurrencies.\n\nFor historical reasons, multiple CPU mining focused cryptocurrencies use\nyescrypt 0.5'ish as their proof-of-work (PoW) scheme.  We currently have\na separate project for the PoW use case: yespower.  Thus, rather than\nmisuse yescrypt 1.0+ for PoW, those and other projects are advised to\nuse yespower 1.0+ instead.  The yespower homepage is:\n\n    https://www.openwall.com/yespower/\n\n\n\tHow to test yescrypt for proper operation.\n\nOn a Unix-like system, invoke \"make check\".  This will build and run a\nprogram called \"tests\", and check its output against the supplied file\nTESTS-OK.  It will also build a program called \"phc-test\", and if a file\ncalled PHC-TEST-OK-SHA256 is present will run that program and check its\noutput against that file's contents.  If everything matches, each of\nthese two sets of tests prints one word \"PASSED\", so there will be two\nsuch lines among \"make check\" output, one of them being the final line\nof output.\n\nWe do most of our testing on Linux systems with gcc.  The supplied\nMakefile assumes that you use gcc.\n\n\n\tROM in SysV shared memory demo and benchmark.\n\nAlso included with this version of yescrypt are \"initrom\" and \"userom\"\ndemo programs.  They're built by simply typing \"make\".  Please refer to\nPERFORMANCE for their usage.\n\n\n\tAlternate code versions and make targets.\n\nTwo implementations of yescrypt are included: reference and optimized.\nBy default, the optimized implementation is built.  Internally, the\noptimized implementation uses conditional compilation to choose between\nusage of various SIMD instruction sets where supported and scalar code.\n\nThe reference implementation is unoptimized and is very slow, but it has\nsimpler and shorter source code.  Its purpose is to provide a simple\nhuman- and machine-readable specification that implementations intended\nfor actual use should be tested against.  It is deliberately mostly not\noptimized, and it is not meant to be used in production.\n\nSimilarly to \"make check\", there's \"make check-ref\" to build and test\nthe reference implementation.  There's also \"make ref\" to build the\nreference implementation and have the \"initrom\" and \"userom\" programs\nuse it.\n\n\"make clean\" may need to be run between making different builds.\n\n\n\tDevelopment status.\n\nThis yescrypt distribution is a work-in-progress.  Its interfaces other\nthan crypto_scrypt() are subject to change in future revisions, however\nno incompatible changes to the yescrypt algorithm are expected.\n\n\n\tCredits.\n\nscrypt has been designed by Colin Percival.  yescrypt has been designed\nby Solar Designer building upon scrypt.\n\nThe following other people and projects have also indirectly helped make\nyescrypt what it is:\n\n - Bill Cox\n - Rich Felker\n - Anthony Ferrara\n - Christian Forler\n - Taylor Hornby\n - Dmitry Khovratovich\n - Samuel Neves\n - Marcos Simplicio\n - Ken T Takusagawa\n - Jakob Wenzel\n - Christian Winnerlein\n\n - DARPA Cyber Fast Track\n - Password Hashing Competition\n\n\n\tContact info.\n\nFirst, please check the yescrypt homepage for new versions, etc.:\n\n    https://www.openwall.com/yescrypt/\n\nIf you have anything valuable to add or a non-trivial question to ask,\nyou may join and post to the yescrypt mailing list (referenced on the\nyescrypt homepage above) or contact the maintainer of yescrypt at:\n\n    Solar Designer \u003csolar at openwall.com\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenwall%2Fyescrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenwall%2Fyescrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenwall%2Fyescrypt/lists"}