Research Division

PrivLab

Our dedicated research arm, focused on advancing encryption performance, file transfer privacy, and zero-knowledge architecture. We publish findings. We keep methods proprietary.

All research is conducted using synthetic test data in isolated environments. We never analyze, inspect, or collect data from real user activity. Our zero-knowledge architecture means we couldn't - even if we wanted to.
8
Published Studies
3
Active Projects
94%
Metadata Reduction
<50ms
Encryption Overhead

Latest Research

Peer-reviewed internally. Results published. Methodology classified.

Security 2026-06-22

The Parser Attack Surface: Dependency Footprint, CVE Volume, and Patch Latency in File Conversion

A file converter inherits the entire vulnerability history of every parsing library it links against - and exposes it on the main path. We map a representative conversion stack: 6 core engines carrying hundreds of publicly documented CVEs between them, roughly 70% in the memory-safety class. The metric that actually moves is patch latency, and why even a perfect one is only the first layer.

6 core engines
Hundreds of CVEs
~70% memory-safety
Read findings →
Privacy 2026-06-19

Telemetry Exposure of Secret Links: How Analytics Observe URL Fragments

Encrypted share links carry the decryption key in the URL fragment - hidden from the server, but readable by any script in the page. We ran a model secret link through 18 common telemetry configurations: 17 captured the link path, and 9 sent the key off the device. The only setup that leaked nothing ran no tracking at all.

18 telemetry setups
17/18 captured the path
9/18 captured the key
Read findings →
Architecture 2026-06-19

Containment Under Hostile Input: Measuring Isolation in File Conversion Workloads

We fed a synthetic adversarial corpus of 12,400 crafted files - malformed documents, decompression bombs, deeply nested structures, oversized media, and files that try to phone home - into a confined conversion workload. Every job stayed inside its own disposable boundary: no escapes, no impact on neighbouring jobs, and no successful network egress.

12,400 hostile inputs
0 sandbox escapes
0 cross-job impact
Read findings →
Encryption 2026-05-14

AES-256-GCM vs ChaCha20-Poly1305: Real-World File Transfer Benchmarks

We tested both ciphers across 10,000 file transfers (1KB-250MB) on consumer hardware. Our findings challenge common assumptions about ChaCha20's performance advantage on non-AES-NI devices, revealing a crossover point at 4MB file sizes that has implications for dynamic cipher selection.

10,247 transfers tested
6 device classes
4MB crossover point
Read findings →
Privacy 2026-04-28

Metadata Leakage in "Zero-Knowledge" File Sharing Services: A Comparative Audit

We analyzed 8 popular file sharing services claiming zero-knowledge architecture. Results show that 6 of 8 leak file size, upload timestamp, and geographic origin to their infrastructure layer. We demonstrate how PrivDrop's architecture eliminates these vectors through client-side padding and timing obfuscation.

8 services audited
94% metadata reduction
6/8 failed audit
Read findings →
Architecture 2026-03-22

Proof-of-Deletion: Cryptographic Guarantees for Ephemeral File Storage

We designed and tested a proof-of-deletion protocol that provides mathematical certainty that expired files are irrecoverable. Our implementation achieves verification in under 200ms with zero false negatives across 50,000 deletion events.

50,000 deletions verified
0 false negatives
<200ms verification
Read findings →
Privacy 2026-03-08

Timing Attack Resistance in Browser-Based File Uploads

Upload timing can reveal file size even over encrypted connections. We implemented a constant-time upload padding system that normalizes transfer duration regardless of actual file size, eliminating this side-channel with less than 3% bandwidth overhead.

<3% bandwidth overhead
Constant-time uploads
12 attack vectors mitigated
Read findings →
Encryption 2026-02-19

Key Derivation Under Pressure: PBKDF2 vs Argon2id for Client-Side Secrets

We benchmarked key derivation functions across mobile browsers where memory and CPU are constrained. Argon2id with tuned parameters achieved 4x brute-force resistance compared to PBKDF2-SHA256 at equivalent user-perceived latency of 150ms.

4x brute-force resistance
150ms target latency
8 browser engines tested
Read findings →
No studies match your search. Try a different term.

Research Focus Areas

Encryption Engineering

Cipher selection, key derivation optimization, hardware acceleration detection, and adaptive security levels based on threat models.

File Transfer Privacy

Metadata stripping, timing analysis prevention, file size obfuscation, and network-level privacy during transfer operations.

Zero-Knowledge Architecture

Server-side blindness verification, proof-of-deletion protocols, and cryptographic guarantees that operators cannot access user data.

Performance Profiling

Browser crypto benchmarks, memory pressure analysis, worker thread optimization, and device-class adaptive processing strategies.

Our Process

Every PrivLab study follows a rigorous internal protocol. We publish results and conclusions - never the implementation details that give topriv its competitive edge.

Phase 01

Hypothesis

Define the privacy or performance problem. Establish measurable success criteria.

Phase 02

Controlled Testing

Isolated environments. Real-world data sets. Statistical significance required (p < 0.05).

Phase 03

Peer Review

Internal review by at least two team members. Methodology validation before publication.

Phase 04

Publish & Implement

Findings published. Successful optimizations integrated into production systems.

Stay Updated

Get notified when we publish new research. No spam, unsubscribe anytime.