Scrypt proof of work

From Bitcoin Wiki
Jump to: navigation, search

Scrypt proof of work denotes the Hashcash proof of work using scrypt as underlying hash function. By using a memory-intensive hash function designed to reduce the efficiency of logic circuits, this was claimed to make only CPU mining remain profitable, even with the advent of GPU mining, and completely failed in that goal.

It has been less widely used and analyzed than the SHA2 hashing algorithm used in Bitcoin, so there is some concern about possible weaknesses in its cryptographic scheme being discovered in the future.


Originally introduced as part of the altcoin Tenebrix (TBX) by ArtForz and Lolcust, it was claimed to be resistant to GPU, FPGA, and ASIC implementation.

Specialized hardware

Around mid-2012, GPU-based scrypt mining began to become widespread, and by late 2013 scrypt ASICs had began shipping. As scrypt is not GPU-resistant, FPGA-resistant nor ASIC-resistant, it has failed to meet its stated goals entirely.


Vulnerability to mining monopoly

"51% attacks" become more difficult to launch and maintain as the hash rate of the network grows. However, this argument posits that since scrypt is designed to be inefficient on all common computer components (both CPUs and GPUs), a malicious entity need only produce a small batch of specialized/custom hardware to overtake all the commodity mining systems combined.

Memory bandwidth refutation

Some attempt to refute this by arguing that scrypt is not designed to be inefficient, but is instead designed to be highly dependent on memory bandwidth. Since the high-speed cache RAM on modern processors already takes up most of the die space, no sizeable improvement could then be made by creating custom chips. If we accept this argument we then estimate the cost of attack utilizing GPUs that are available today.

To do so we start with an estimated cost of hardware at $400 per megahash per second and a reasonable network hashrate of 30 gigahashes per second. The total amount of equipment necessary to match and takeover this network via 51% attack would then be an estimated $12M USD (or about 45,000 AMD HD 7950s).


In mid-2013, a user nicknamed pocopoco introduced an altcoin ("YACoin") using scrypt with an adaptive "N-factor"[1].


  1. BitcoinTalk discussion thread for the "YACoin" altcoin