seems to be stronger than scrypt against ASIC
ASIC and FPGAyescrypt with (at least) the YESCRYPT_PWXFORM flag set performs rapid random lookups (as described above),
typically from a CPU’s L1 cache, along with 32x32 to 64-bit integer multiplications. Both of these operations have
latency that is unlikely to be made much lower in specialized hardware than it is in CPUs. (This is in contrast
with bitwise operations and additions found in Salsa20/8, which is the only type of computation performed by
classic scrypt in its SMix and below. Those allow for major latency reduction in hardware.) For each sub-block of
data processed in BlockMix, yescrypt computes multiple sequential rounds of pwxform, thereby imposing a lower
bound on how quickly BlockMix can proceed, even if a given hardware platform’s memory bandwidth would
otherwise permit for much quicker processing.
yescrypt with (at least) the YESCRYPT_RW flag set additionally discourages time-memory tradeoffs (TMTO),
thereby reducing attackers’ flexibility. Perhaps more importantly, yescrypt’s YESCRYPT_RW increases the area-
time cost of attacks, and this higher cost of attacks is achieved at a lower (defensive) running time. Specifically,
scrypt achieves its optimal area-time cost at 2*N combined iterations of the loops in SMix, whereas yescrypt
achieves its optimal area-time cost at 4/3*N iterations (thus, at 2/3 of classic scrypt’s running time) and, considering
the 2x area-time reduction that occurs along with exploitation of TMTO in classic scrypt, that cost is higher by one
third (+33%). Normalized for the same running time (which lets yescrypt use 1.5 times higher N), the area-time
cost of attacks on yescrypt is 3 times higher than that on scrypt.
Like with GPU attacks, setting both flags at once achieves the best effect also against specialized hardware
also from openwall
http://www.openwall.com/presentations/PHDays2014-Yescrypt/