RFC Errata
RFC 7914, "The scrypt Password-Based Key Derivation Function", August 2016
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 5972
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Tobias Nießen
Date Reported: 2020-02-02
Section 5 says:
Input: r Block size parameter. B Input octet vector of length 128 * r octets. N CPU/Memory cost parameter, must be larger than 1, a power of 2, and less than 2^(128 * r / 8).
It should say:
Input: r Block size parameter. B Input octet vector of length 128 * r octets. N CPU/Memory cost parameter, must be larger than 1, and a power of 2.
Notes:
The presented limit on N was incorrectly derived from the original scrypt publication. The correct theoretical upper limit on N is 2^(128 * r) for r < 5, and 2^512 for all other values of r. Thus, the least upper bound is 2^128, which far exceeds all possible values for N in the foreseeable future, making the limit irrelevant for current implementations.