Scrypt is a hashing algorithm used on certain Proof of Work blockchains. It was first introduced with the launch of Tenebrix (TBX) in 2011.
Since then, Scrypt has been adopted by a number of different blockchain projects. Among the top three Scrypt-blockchains by market capitalization, the Scrypt mining algorithm secures over $3 billion in digital currencies as of the time of this writing.
In this article, we explore why Scrypt was invented and how the algorithm has been used by prominent blockchain projects. We will then assess its current effectiveness compared to other Proof of Work consensus algorithms.
Why Is Scrypt Important?
Scrypt is one of the first hashing algorithms implemented on blockchain networks. It is an attempt to improve upon an earlier hashing algorithm, specifically SHA-256.
Password-based Key Derivation Function
Scrypt is a password-based key derivation function (KDF). In cryptography, a KDF is a hash function that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs are generally effective at preventing brute-force password-guessing attacks.
Prior to the development of Scrypt, however, KDFs such as Password-Based Key Derivation Function 2 (PBKDF2) were limited in their ability to resist FPGAs and ASICs. PBKDF2 and other password-based KDFs were computationally intensive but not memory intensive. Scrypt was designed to be both computationally intensive and memory intensive.
Scrypt was developed as a solution to mitigate the rise and dominance of ASIC mining rigs and subsequent centralization of cryptocurrency mining. As it relates to blockchain, Scrypt is supposed to improve upon SHA-256, which is implemented on the Bitcoin network and other Proof of Work networks supporting digital currencies.
Scrypt’s design requires miners to generate random numbers rapidly. These numbers need to be stored in the Random Access Memory (RAM) of the processor, which must be accessed on a continuous basis before submitting a result. Scrypt networks generally have a much lower hash rate than SHA-256 networks. For example, as of the time of writing, Litecoin (LTC) has a hash rate of around 138 TH/s. Bitcoin has a hash rate of around 93,000,000 TH/s.
Origins of Scrypt
Scrypt was designed to be a memory-hard algorithm for improving network security against attacks using custom hardware. Unlike other hashing algorithms like Equihash and CryptoNight, which were developed specifically for Proof of Work blockchains, Scrypt was originally developed for another use case and later implemented on blockchain networks.
Stronger Key Derivation Via Sequential Memory-Hard Functions
In May 2009, Colin Percival published a paper titled, “Stronger Key Derivation Via Sequential Memory-Hard Functions.” In this paper, Percival proposed Scrypt for Tarsnap’s online backup service. Bitcoin was still in its infancy at that time, so there wasn’t any mention of how Scrypt could potentially be used on blockchain networks that support cryptocurrencies. However, the foundational concepts of the algorithm were clearly defined.
Tenebrix (TBX) Introduces Scrypt
In 2011, Tenebrix (TBX) was developed by an anonymous programmer known as ArtForz. It was the first blockchain project to use Scrypt as a hashing algorithm. The project ultimately failed but set an important precedent by offering a CPU-friendly option for cryptocurrency miners. Today, you won’t even find Tenebrix (TBX) on sites for tracking various digital currencies. Nonetheless, it played a major role as an early influence on future Scrypt-based projects as well as projects using other ASIC-resistant hashing algorithms.
Fairbrix (FBX) and Litecoin (LTC) Follow
Fairbrix (FBX) was developed by Charlie Lee as a clone of Tenebrix (TBX). This project faced two main issues. First, a bug in the coin’s client prohibited the creation of new coins. Second, a 51% attack led to approximately 1,600 stolen blocks. As a result, Fairbrix (FBX) also failed.
Charlie Lee decided not to give up on the idea of a Scrypt-based network. He took much of the work completed for Fairbrix, along with Bitcoin’s code, to create a Bitcoin fork called Litecoin (LTC), which has remained the largest Scrypt coin by market cap ever since.
Prominent Projects That Use Scrypt
Litecoin (LTC), Dogecoin (DOGE), and Einsteinium (EMC2) are three well-known projects that use Scrypt. In this section, we’ll look at how each of these networks uses Scrypt and the effectiveness of Scrypt at maintaining network security. We’ll also look at a few projects that originally used Scrypt but have since changed to other hashing algorithms.
Litecoin (LTC) launched in October 2011 and branded itself an ASIC-resistant network. This point is debatable. The chosen parameters for Litecoin were N=1024, r=1, p=1. Colin Percival, the creator of Scrypt, has stated that Litecoin implemented Scrypt poorly. Percival’s Scrypt paper recommends using r=8, which would require miners to use more RAM. This would theoretically make it much more difficult for ASICs to dominate the network.
According to Charlie Lee, more memory-intensive parameters would have slowed down the network’s client. When testing with harsher parameters, Lee found that every time a block came in, the client would freeze. Litecoin implemented less harsh parameters as a tradeoff. This created a better experience for the end user. Additionally, there wasn't any known GPU, ASIC, or FPGA capable of Scrypt-based mining at that time, so the network was CPU-only at launch.
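The parameter choice described above, as an added example (not code from the original article or from Litecoin): it computes the size of Scrypt's lookup table for N=1024, r=1, p=1 and for r=8, then runs a toy proof-of-work search with Python's `hashlib.scrypt` under each setting. Assumptions: the header prefix and target are constructed, N and p stay at Litecoin's values in the r=8 case, and the header is fed in as both password and salt.

```python
import hashlib
import struct

# Litecoin's parameters and the paper's r=8 recommendation, as quoted in the text.
# Keeping N and p unchanged for the r=8 case is an assumption made for comparison.
LITECOIN = {"n": 1024, "r": 1, "p": 1}
PAPER_R8 = {"n": 1024, "r": 8, "p": 1}


def scrypt_table_bytes(n: int, r: int) -> int:
    """Bytes held in scrypt's lookup table V: N blocks of 128*r bytes each."""
    return 128 * r * n


def pow_hash(header: bytes, n: int, r: int, p: int) -> bytes:
    # Assumption of this example: the header bytes serve as both the
    # password and the salt, and the output is 32 bytes long.
    return hashlib.scrypt(header, salt=header, n=n, r=r, p=p, dklen=32)


def mine(prefix: bytes, target: int, params: dict, max_nonce: int = 10_000):
    """Try nonces until the hash, read as a little-endian integer, is below target."""
    for nonce in range(max_nonce):
        header = prefix + struct.pack("<I", nonce)
        digest = pow_hash(header, **params)
        if int.from_bytes(digest, "little") < target:
            return nonce, digest
    return None


def demo():
    prefix = b"constructed-toy-header:"  # constructed sample, not a real block header
    target = 1 << 252                    # easy toy target: about 1 in 16 hashes passes
    results = {}
    for name, params in (("litecoin", LITECOIN), ("paper_r8", PAPER_R8)):
        nonce, digest = mine(prefix, target, params)
        results[name] = (scrypt_table_bytes(params["n"], params["r"]), nonce, digest)
    return results


if __name__ == "__main__":
    for name, (mem, nonce, digest) in demo().items():
        print(f"{name}: V = {mem // 1024} KiB, nonce = {nonce}, hash = {digest.hex()}")
```

With r=1 the table is 128 KiB per hash attempt; r=8 raises it to 1 MiB, which is the extra RAM cost the paragraph refers to.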
In May 2014, the first ASIC Scrypt mining rigs became publicly available. Litecoin appears to have since changed its stance on ASIC resistance. Many LTC miners now support ASIC mining and argue that having ASICs helps maintain network security.
After the network’s August 2019 halving, there were some concerns about a possible 51% attack due to the hash rate dropping from 500 TH/s to just 150 TH/s. At the time of this writing, Crypto51 shows the cost of a one-hour attack on the network is $8,900, assuming a hash rate of 138 TH/s.
Luckily, the Litecoin network is only around 6% NiceHash-able, meaning that an attacker or group of attackers could rent only 6% of the hash rate necessary to launch an attack. The attacker(s) would need to buy enough Scrypt ASICs to cover the other 94% of hashpower required to launch an attack. To put this into context, some other networks are over 1,000% NiceHash-able, meaning that they can be easily controlled by renting hashpower on NiceHash and without needing to purchase ASICs.
An analysis from November 2019 shows that it would actually cost nearly $700 million to carry out a 51% attack on the Litecoin network, assuming the hash rate is 153 TH/s. This analysis includes the costs of purchasing Scrypt ASICs and electricity consumption, as well as the value of LTC. Since this figure includes the price of buying the hardware needed to launch the attack, it’s far more accurate than the Crypto51 estimate.
In December 2013, Dogecoin (DOGE) launched as a hard fork of Litecoin. Although Dogecoin was intended to be a “joke currency,” it quickly gained a massive following with a large market capitalization to match. The network’s mining parameters are different from Litecoin’s. For example, Dogecoin’s block time is 1 minute, while Litecoin’s block time is 2.5 minutes.
The threat of a potential 51% attack on the Dogecoin network led Litecoin’s Charlie Lee to propose merged mining between the two networks in April 2014. This model was adopted in July 2014 at Dogecoin block 317,337, allowing miners to mine both DOGE and LTC at the same time. As a result, both networks have had extremely high correlation coefficients for mining difficulty and hash rates since September 2014.
Einsteinium (EMC2) launched in March 2014 as a fork of the Bitcoin source code. While the Bitcoin network uses SHA-256, Einsteinium took a similar route to Litecoin by adopting Scrypt as its hashing algorithm.
To make the mining process more egalitarian, Einsteinium implemented Kimoto Gravity Well, which is a difficulty-readjustment algorithm used to prevent the rise of multipool mining. The network implements a 50% block reduction and a 60-second block time.
In October 2018, an ethical hacker known as GeoCold announced his intention to attack the Einsteinium network, where a one-hour attack would reportedly cost only around $20. While this amount might have been accurate at one point in time, it actually wasn’t the case after Einsteinium implemented Komodo’s delayed Proof of Work (dPoW).
Komodo’s dPoW security mechanism adds 51% attack resistance to Einsteinium by recycling the enormous hash rate of the Bitcoin network. A process called notarization (storing backups of individual EMC2 blocks onto Bitcoin’s ledger) makes this possible. This means that the cost of a one-hour attack on the Einsteinium network is theoretically the same as an attack on the Bitcoin network, which is around $400,000 as of the time of this writing. As a result, GeoCold decided against attacking Einsteinium and chose Bitcoin Private (BTCP) instead.
Notable Projects That Previously Used Scrypt
A few major projects once used Scrypt but have since switched to other Proof of Work algorithms or other types of consensus mechanisms. Here are three notable examples.
Reddcoin (RDD): For the first six months of Reddcoin's existence, the network used Scrypt to distribute RDD in a widespread and predictable manner. At block 260,800, the network switched to Proof of Stake Velocity (PoSV), a variant of the Proof of Stake consensus mechanism.
Vertcoin (VTC): The network once used a variation of Scrypt called Scrypt-N. It later switched to Lyra2RE and switched again to Lyra2REv2. Finally, Vertcoin switched to Lyra2REv3, which serves as its current Proof of Work hashing algorithm.
Monacoin (MONA): Monacoin switched from Scrypt to Lyra2REv2 in order to prevent centralization of the network caused by advances in ASICs used for Scrypt-based mining.
How Effective Has Scrypt Been At ASIC Resistance?
Looking at Scrypt’s effectiveness at ASIC resistance requires an assessment of how Scrypt ASICs have emerged over the years and the current state of mining profitability with these units.
Scrypt ASIC Miners Emerge In 2014
With the launch of the first commercially-available ASIC rigs in May 2014, CPUs quickly began to lose their ability to mine Scrypt-based cryptocurrencies. As stated earlier, Litecoin’s implementation of Scrypt wasn’t as memory intensive as it could have potentially been. It’s difficult to say how much longer it would have taken for ASICs to become available if harsher parameters had been chosen from the start.
Scrypt-ChaCha, Scrypt-N, and Scrypt² are all variations of Scrypt that add more memory-hardness to the original Scrypt implementation. However, these designs have yet to gain significant adoption. Blockchain projects that have launched since the emergence of Scrypt ASICs have mostly chosen other Proof of Work hashing algorithms such as CryptoNight, Equihash, or Lyra2REv2.
Current Mining Profitability With ASICs
Bitmain Antminer L3++ and Innosilicon A6+ LTC Master are two popular ASIC mining rigs available for both LTC and DOGE mining. There are certainly more ASIC options for mining SHA-256 coins. This is a result of the dominance of Bitcoin and the fact that SHA-256 was never intended to achieve ASIC resistance. Thus, Scrypt has comparatively few ASIC options.
Nonetheless, you’ll likely find it necessary to have an ASIC rig in order to have a chance of competing for block rewards and reaching mining profitability for LTC, DOGE, and other Scrypt-based cryptocurrencies.
Optimizing Consensus With Antara Framework
Litecoin and Dogecoin have fared well against the threat of 51% attacks, especially after the decision by the two networks to adopt merged mining. Nonetheless, 51% attacks have threatened many other Scrypt-based networks. Additionally, Scrypt hasn't provided the level of ASIC resistance that was initially expected when the algorithm was first implemented on Litecoin’s network.
The centralization of cryptocurrency mining due to the emergence of ASICs and the threat of 51% attacks are common challenges for all Proof of Work blockchains. That’s why Komodo offers Bitcoin-level security to all projects that launch a Smart Chain with Komodo's technology.
With the Antara Framework, developers can launch a Komodo Smart Chain and choose their blockchain consensus mechanism. Options include Proof of Work, Proof of Stake, or any combination of the two. Projects that choose Proof of Work can select either the Equihash or the VerusHash hashing algorithm. Proof of Stake networks have the ability to incorporate Proof of Work consensus rules. Komodo developers are planning to add more algorithm options in the future.