RFC Errata
RFC 7914, "The scrypt Password-Based Key Derivation Function", August 2016
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 6452
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: John Comeau
Date Reported: 2021-03-05
Section 5 says:
3. for i = 0 to N - 1 do
j = Integerify (X) mod N
where Integerify (B[0] ... B[2 * r - 1]) is defined
as the result of interpreting B[2 * r - 1] as a
little-endian integer.
It should say:
3. for i = 0 to N - 1 do
j = Integerify (X) mod N
where Integerify (B[0] ... B[2 * r - 1]) is defined
as the result of interpreting B[r] ... B[r + 3] as a
little-endian integer.
Notes:
The original description of Integerify looks, to a programmer, as though a single byte (the final octet) is being converted to an integer (as with the Python `ord` operation). But that wouldn't make sense with the term "little-endian", which has meaning only with multiple-byte words. So the likely conclusion would be that this was a typographical error, and that the entire string X (or B) should be treated as an integer [e.g., Python3 int.from_bytes(b'\xff\xff\xff\xff\xff\xff\xff\xff', 'little')]. However, this interpretation of Integerify gives results that do not match the test vectors.
By looking at other people's code (https://github.com/ricmoo/pyscrypt in particular) I found that using the 4 bytes beginning halfway through the octet string gives results which do match the test vectors.