Index: b/cipher/Makefile.am =================================================================== --- b/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -39,7 +39,7 @@ libcipher_la_SOURCES = \ cipher.c cipher-internal.h \ cipher-cbc.c cipher-cfb.c cipher-ofb.c cipher-ctr.c cipher-aeswrap.c \ -pubkey.c md.c kdf.c \ +pubkey.c md.c kdf.c scrypt.c memxor.c \ hmac-tests.c \ bithelp.h \ bufhelp.h \ Index: b/cipher/kdf.c =================================================================== --- b/cipher/kdf.c +++ b/cipher/kdf.c @@ -26,6 +26,7 @@ #include "g10lib.h" #include "cipher.h" #include "ath.h" +#include "scrypt.h" /* Transform a passphrase into a suitable key of length KEYSIZE and @@ -267,6 +268,9 @@ ec = pkdf2 (passphrase, passphraselen, subalgo, salt, saltlen, iterations, keysize, keybuffer); break; + case GCRY_KDF_SCRYPT: + ec = scrypt (passphrase, passphraselen, subalgo, + salt, saltlen, iterations, keysize, keybuffer); default: ec = GPG_ERR_UNKNOWN_ALGORITHM; Index: b/cipher/scrypt.c =================================================================== --- b/cipher/scrypt.c +++ b/cipher/scrypt.c @@ -230,7 +230,6 @@ } /** - * TODO: subalgo and iterations parameters should be used to determine N/r/p! */ gcry_err_code_t scrypt (const uint8_t * passwd, size_t passwdlen, @@ -239,15 +238,16 @@ unsigned long iterations, size_t dkLen, uint8_t * DK) { + /* XXX sanity-check parameters */ + uint64_t N = subalgo; /* CPU/memory cost paramter */ + uint32_t r = 8; /* block size, should be sane enough */ + uint32_t p = iterations; /* parallelization parameter */ + uint32_t i; uint8_t *B; uint8_t *tmp1; uint8_t *tmp2; - /* XXX sanity-check parameters */ - uint64_t N = 42; - uint32_t r = 42; - uint32_t p = 42; B = malloc (p * 128 * r); if (B == NULL) Index: b/doc/gcrypt.texi =================================================================== --- b/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
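Review bot: In the cipher/kdf.c hunk at `@@ -267,6 +268,9 @@`, the new `case GCRY_KDF_SCRYPT:` has no `break;`, so control falls through into `default:` and `ec` is overwritten with `GPG_ERR_UNKNOWN_ALGORITHM` even when scrypt() succeeds. A caller that checks the return code would then treat every scrypt derivation as failed, although the key buffer has presumably already been written. Add `break;` directly after the `scrypt (...)` call, as the PBKDF2 case above it does. The enclosing switch starts and ends outside the hunk.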
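Review bot: In the cipher/scrypt.c hunk at `@@ -239,15 +238,16 @@`, N and p now come straight from the caller, but the `XXX sanity-check parameters` marker is still the only validation before `B = malloc (p * 128 * r);`. `uint32_t p = iterations;` silently narrows an `unsigned long`, and `p * 128 * r` is evaluated in 32-bit arithmetic, so a large iteration count can wrap to a small allocation that later code presumably indexes with the unwrapped p. N is also not checked for being a power of two greater than 1, which scrypt requires, and the rest of the function (outside the hunk) presumably sizes a further buffer from it. Reject bad values before the first allocation, as sketched below; `GPG_ERR_INV_VALUE` is suggested as the error code. The comment typo `paramter` should be `parameter`.

```c
  /* … unchanged: declarations of N, r, p, i, B, tmp1, tmp2 … */

  /* N must be a power of two greater than 1. */
  if (N < 2 || (N & (N - 1)))
    return GPG_ERR_INV_VALUE;
  /* Check the un-narrowed value so p * 128 * r cannot wrap. */
  if (iterations == 0 || iterations > UINT32_MAX / (128 * r))
    return GPG_ERR_INV_VALUE;

  B = malloc (p * 128 * r);
```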
@@ -2359,7 +2359,8 @@ Where @var{r-mpi} and @var{s-mpi} are the result of the DSA sign operation. For Elgamal signing (which is slow, yields large numbers and probably is not as secure as the other algorithms), the same format is -used with "elg" replacing "dsa". +used with "elg" replacing "dsa"; for ECDSA signing, the same format is used +with "ecdsa" replacing "dsa". @end deftypefun @c end gcry_pk_sign @@ -3171,6 +3172,12 @@ @item GCRY_KDF_PBKDF2 The PKCS#5 Passphrase Based Key Derivation Function number 2. +@item GCRY_KDF_SCRYPT +The SCRYPT Key Derivation Function. The subalgorithm is used to specify +the CPU/memory cost paramter N, and the number of iterations +is used for the parallelization parameter p. The block size is fixed +at 8 in the current implementation. + @end table @end deftypefun Index: b/src/gcrypt.h.in =================================================================== --- b/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -1193,7 +1193,8 @@ GCRY_KDF_SALTED_S2K = 17, GCRY_KDF_ITERSALTED_S2K = 19, GCRY_KDF_PBKDF1 = 33, - GCRY_KDF_PBKDF2 = 34 + GCRY_KDF_PBKDF2 = 34, + GCRY_KDF_SCRYPT = 35 }; /* Derive a key from a passphrase. */