The bcrypt algorithm runs in two phases, sketched in Figure 3. In the first phase, EksBlowfishSetup is called with the cost, the salt, and the password, to initialize eksblowfish's state. Most of bcrypt's time is spent in the expensive key schedule. Following that, the 192-bit value "OrpheanBeholderScryDoubt" is encrypted 64 times using eksblowfish in ECB mode with the state from the previous phase. The output is the cost and 128-bit salt concatenated with the result of the encryption loop.
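An added example, not code from the paper: it parses the string form in which common bcrypt implementations store this output (the `$2b$<cost>$<salt><hash>` encoding, an assumption not described above) and recovers the cost, the 128-bit salt and the ciphertext, so stored hashes can be audited for a low cost. `MIN_COST`, the function names and the sample string are constructed for the illustration.

```python
import re

# bcrypt's own base64 alphabet (ordering differs from RFC 4648).
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
HASH_RE = re.compile(
    r"\$(2[abxy]?)\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MIN_COST = 10  # assumed local policy threshold, not a value from the paper

# Constructed sample, not a real password hash.
SAMPLE = "$2b$12$" + "C" * 21 + "." + "abcdefghijklmnopqrstuvwxyz01234"


def b64_decode(text, nbytes):
    """Decode bcrypt-style base64 and keep the leading nbytes bytes."""
    bits = 0
    for ch in text:
        bits = (bits << 6) | B64.index(ch)
    # Drop the unused trailing bits of the final 6-bit group.
    return (bits >> (6 * len(text) - 8 * nbytes)).to_bytes(nbytes, "big")


def parse_bcrypt(stored):
    """Split a stored hash into the fields bcrypt outputs."""
    m = HASH_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range accepted by common implementations
        raise ValueError("cost out of range")
    return {
        "variant": m.group(1),
        "cost": cost,
        "salt": b64_decode(m.group(3), 16),        # the 128-bit salt
        # Common encodings store 23 of the 24 ciphertext bytes.
        "ciphertext": b64_decode(m.group(4), 23),
        "below_policy": cost < MIN_COST,
    }


def relative_work(cost, baseline=MIN_COST):
    """Key-schedule work relative to baseline; it doubles per cost step."""
    return 2.0 ** (cost - baseline)


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE), relative_work(12))
```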
In Section 3, we derived that an -secure password function should fulfill several important criteria: second preimage-resistance, a salt space large enough to defeat precomputation attacks, and an adaptable cost. We believe that bcrypt achieves all three properties, and that it can be -secure with useful values of for years to come. Though we cannot formally prove bcrypt -secure, any flaw would likely deal a serious blow to the well-studied blowfish encryption algorithm.