New algorithm: Ethereum Scrypt

Use: Currently in use by Ethereum wallets to secure the wallet encryption password.

The algorithm design is explained very well here: https://github.com/ethereum/wiki/wiki/Web3-Secret-Storage-Definition

The page does not go quite into the same detail regarding the Scrypt variant, however it is almost identical to the PBKDF2 variant, with Scrypt in place for the initial password hashing.

To summarize, the password is hashed with Scrypt, then the "second leftmost 16 bytes" of the derived hash are concatenated with the ciphertext, which is then hashed with SHA3-256. The SHA3-256 hash is then directly compared to the "mac" value to verify whether or not the password is correct. If the SHA3 hashes match, the password is correct and the decryption of the ciphertext/wallet proceeds.

The page linked above includes this example of a valid wallet:password pair:

Test Vectors

Details:

• Address: 008aeeda4d805471df9b2a5b0f38a0c3bcba786b
• ICAP: XE542A5PZHH8PYIZUBEJEO0MFWRAPPIL67
• UUID: 3198bc9c-6672-5ab3-d9954942343ae5b6
• Password: testpassword
• Secret: 7a28b5ba57c53603b0b07b56bba752f7784bf506fa95edc395f5cf6c7514fe9d

Scrypt

Test vector using AES-128-CTR and Scrypt:

{
    "crypto" : {
        "cipher" : "aes-128-ctr",
        "cipherparams" : {
            "iv" : "83dbcc02d8ccb40e466191a123791e0e"
        },
        "ciphertext" : "d172bf743a674da9cdad04534d56926ef8358534d458fffccd4e6ad2fbde479c",
        "kdf" : "scrypt",
        "kdfparams" : {
            "dklen" : 32,
            "n" : 262144,
            "r" : 1,
            "p" : 8,
            "salt" : "ab0c7876052600dd703518d6fc3fe8984592145b591fc8fb5c6d43190334ba19"
        },
        "mac" : "2103ac29920d71da29f15d75b4a16dbe95cfd7ff8faea1056c33131d846e3097"
    },
    "id" : "3198bc9c-6672-5ab3-d995-4942343ae5b6",
    "version" : 3
}

Intermediates:

• Derived key: fac192ceb5fd772906bea3e118a69e8bbb5cc24229e20d8766fd298291bba6bd
• MAC Body bb5cc24229e20d8766fd298291bba6bdd172bf743a674da9cdad04534d56926ef8358534d458fffccd4e6ad2fbde479c
• MAC: 2103ac29920d71da29f15d75b4a16dbe95cfd7ff8faea1056c33131d846e3097
• Cipher key: fac192ceb5fd772906bea3e118a69e8b

I have written ether2hashcat to extract the relevant information from the json blobs and present it in a proposed hash format for hashcat. The proposed format would be as follows:

$ethereum$s*n*r*p*salt*mac*ciphertext

Using the example data from the test wallet above, we would get the following hash:

$ethereum$s*262144*1*8*ab0c7876052600dd703518d6fc3fe8984592145b591fc8fb5c6d43190334ba19*2103ac29920d71da29f15d75b4a16dbe95cfd7ff8faea1056c33131d846e3097*d172bf743a674da9cdad04534d56926ef8358534d458fffccd4e6ad2fbde479c

This would be cracked as testpassword

Because there are multiple KDF variations, one using PBKDF2 and one using Scrypt, the format includes a P or S to denote the different versions. The PBKDF2 variant is addressed in a separate issue, as it is technically a different algorithm.

Both algorithms were previously discussed on this forum thread and example code for cracking both algorithms was written by @philsmd

This was previously requested in issue #262, however that issue/request did not seem to be completed with the required information.

The sister algorithm request for the PBKDF2 variant is issue #1227