RFC 7914, "The scrypt Password-Based Key Derivation Function", August 2016Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 5971
Publication Format(s) : TEXT
Reported By: Tobias Nießen
Date Reported: 2020-02-02
Section 2 says:
The CPU/Memory cost parameter N ("costParameter") must be larger than 1, a power of 2, and less than 2^(128 * r / 8).
It should say:
The CPU/Memory cost parameter N ("costParameter") must be larger than 1, and a power of 2.
The presented limit on N was incorrectly derived from the original scrypt publication. The correct theoretical upper limit on N is 2^(128 * r) for r < 5, and 2^512 for all other values of r. Thus, the least upper bound is 2^128, which far exceeds all possible values for N in the foreseeable future, making the limit irrelevant for current implementations.