scrypt: why dklen must be > 9?

[feymartynov]

I wonder why Params constructor requires dklen to be > 9? Is this really necessary?

The RFC doesn't define minimal value for dklen parameter. Other implementations like Python's hashlib or Golang's standard lib don't define it either.

Moreover, the low level scrypt function doesn't use this parameter at all. We can just pass a shorter output buffer and it works perfectly fine.

[tarcieri]

This is effectively a duplicate of #449

The length field is only used when constructing PHC hash strings, otherwise you're free to pass whatever sized output buffer you want to the low-level scrypt::scrypt API.

For PHC hash strings, the minimum length of 10 bytes (80 bits) comes from the PHC string format specification (which I maintain, as it were):

https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md#function-duties

Function implementations SHOULD NOT allow outputs of less than 80 bits to be used for password verification.

We've gotten enough questions about this (#415, #596) I should probably actually address it with an API change that gets the length out of the Params constructor.