scrypt time-memory trade-off scrypt deliberately allows for a time-memory trade-off "The design of scrypt puts a lower bound on the area-time product - you can use less memory and more CPU time, but the ratios stay within a constant factor of each other, so for the worst-case attacker (ASICs) the cost per password attempted stays the same" Colin Percival, crypt-dev mailing list posting, 2011 Litecoin miners on GPU use this scrypt may be revised to defeat the trade-off Pros: fewer pre-existing hardware devices (GPUs, etc.) are efficient in an attack Cons: not official scrypt anymore, some defensive uses may be impacted as well (e.g., client-side hashing on mobile devices)