Scrypt proof of work

From Bitcoin Wiki
Revision as of 03:26, 3 April 2014 by Luke-jr (talk | contribs)
Jump to: navigation, search

Scrypt adds memory-intensive algorithms to reduce the efficiency of logic circuits. It has been less widely used and analyzed than the SHA2 hashing algorithm used in Bitcoin, so there is some concern about possible weaknesses in its cryptographic scheme being discovered in the future.


Originally introduced as part of the altcoin "Tenebrix" by ArtForz and Lolcust, it was claimed to be resistant to GPU, FPGA, and ASIC implementation[1]. Around mid-2012, GPU-based mining began to become widespread anyway, and in late 2013 ASICs began shipping.


Vulnerability to mining monopoly

"51% attacks" become more difficult to launch and maintain as the hash rate of the network grows. However, this argument posits that since scrypt is designed to be inefficient on all common computer components (both CPUs and GPUs), a malicious entity need only produce a small batch of specialized/custom hardware to overtake all the commodity mining systems combined.

Memory bandwidth refutation

Some attempt to refute this by arguing that scrypt is not designed to be inefficient, but is instead designed to be highly dependent on memory bandwidth. Since the high-speed cache RAM on modern processors already takes up most of the die space, no sizeable improvement could then be made by creating custom chips. If we accept this argument we then estimate the cost of attack utilizing GPUs that are available today.

To do so we start with an estimated cost of hardware at $400 per megahash per second and a reasonable network hashrate of 30 gigahashes per second. The total amount of equipment necessary to match and takeover this network via 51% attack would then be an estimated $12M USD (or about 45,000 AMD HD 7950s).


In mid-2013, a user nicknamed pocopoco introduced an altcoin ("YACoin") using scrypt with an adaptive "N-factor"[2].