Issues with scrypt for mass user authentication At low durations and decent throughput, we face two problems: Low memory usage: acceptable at 100 ms (~32 MB), way too low at 1 ms Limited scalability on multi-CPU/multi-core when we maximize RAM usage Optimized scrypt's SMix achieves a throughput of ~1500/s on a dual Xeon E5649 machine (12 cores, 24 logical CPUs) when running 24 threads (thus, latency 16 ms) at 4 MB/each A cut-down hack (Salsa20 round count reduced from 8 to 2, SMix second loop iteration count reduced from N to N/4) achieves the same at 8 MB This is sane speed and sane memory usage, but we want to do better - and we can scrypt paper recommends at least 16 MB scrypt at 128 KB (Litecoin) is ~10x faster to attack on GPU than on CPU