Abstract
We benchmark two key derivation functions - PBKDF2-SHA256 and Argon2id - across eight browser engines on mobile and desktop hardware, targeting a uniform 150ms latency budget representative of user-acceptable delay during file encryption initialization. Under equivalent perceived latency, Argon2id achieves approximately 4x greater resistance to GPU-accelerated brute-force attacks due to its memory-hard design. We present per-engine performance data, analyze memory consumption on constrained devices, and describe PrivDrop's adaptive KDF selection mechanism that chooses the optimal function based on runtime device capability detection.
Background
Key derivation functions transform user-provided secrets (passwords, passphrases) into cryptographic keys suitable for symmetric encryption. The security of this transformation is critical: if the KDF is too fast, an attacker with commodity hardware can enumerate candidate passwords at rates that render even moderately complex passphrases vulnerable. If the KDF is too slow, users experience perceptible delay that degrades the experience and incentivizes weaker passwords.
PBKDF2 (Password-Based Key Derivation Function 2), standardized in RFC 8018, iterates a pseudorandom function (typically HMAC-SHA256) over the password and salt. Its security parameter is the iteration count: more iterations mean more CPU work per derivation. However, PBKDF2 is trivially parallelizable and requires minimal memory, making it vulnerable to GPU and ASIC-based attacks that can evaluate millions of candidates per second.
Argon2id, winner of the 2015 Password Hashing Competition, is a memory-hard function that requires both CPU time and a configurable amount of RAM to compute each derivation. The memory-hardness property means that parallel evaluation on GPUs - which have abundant compute but limited per-core memory - is dramatically less efficient than sequential CPU evaluation. Argon2id combines the data-dependent memory access patterns of Argon2d (resisting GPU attacks) with the data-independent patterns of Argon2i (resisting side-channel attacks).
For browser-based encryption systems like PrivDrop, the KDF operates in a uniquely constrained environment: WebAssembly or JavaScript execution, shared memory with browser tabs, mobile devices with as little as 2GB RAM, and thermal throttling under sustained computation. The theoretical advantages of Argon2id must be validated against these real-world constraints.
Test Environment
We tested across eight browser engine configurations spanning mobile and desktop platforms:
- Chrome 122 (Blink/V8) - Desktop Linux, Windows 11, macOS 14
- Firefox 123 (Gecko/SpiderMonkey) - Desktop Linux, Windows 11, macOS 14
- Safari 17.3 (WebKit/JSC) - macOS 14, iOS 17
- Chrome Mobile 122 - Android 14 (Pixel 8, Samsung S24)
- Samsung Internet 24 - Android 14 (Samsung S24, A54)
- Firefox Mobile 123 - Android 14 (Pixel 8)
- Safari Mobile (WebKit) - iOS 17 (iPhone 15, iPhone SE 3rd gen)
- WebView (Chromium) - Android 14 embedded (budget devices, 3GB RAM)
Each engine was tested at multiple parameter configurations tuned to achieve the target 150ms derivation latency (±10ms). For PBKDF2-SHA256, this meant adjusting the iteration count. For Argon2id, this meant adjusting the memory parameter (m), parallelism degree (p), and iteration count (t) in concert. All implementations used WebAssembly where available, with JavaScript fallback for engines lacking WASM SIMD support.
Memory-Constrained Test Devices
To evaluate behavior under real-world memory pressure, we included three budget Android devices with 3GB total RAM (approximately 800MB available to the browser process after OS and background app allocation):
- Samsung Galaxy A14 (MediaTek Helio G80, 3GB RAM)
- Xiaomi Redmi 12C (MediaTek Helio G85, 3GB RAM)
- Nokia G21 (Unisoc T606, 3GB RAM)
Results
The following table presents the core comparison: PBKDF2-SHA256 versus Argon2id, both tuned to 150ms derivation latency on each platform, with resulting brute-force resistance metrics.
KDF Performance at 150ms Latency Budget
| Metric | PBKDF2-SHA256 | Argon2id |
|---|---|---|
| Iterations (desktop median) | 310,000 | 3 (t=3, m=64MB, p=4) |
| Iterations (mobile median) | 142,000 | 2 (t=2, m=32MB, p=2) |
| GPU attack rate (RTX 4090) | 2.8M hashes/s | 148 hashes/s |
| ASIC attack rate (estimated) | ~45M hashes/s | ~890 hashes/s |
| Memory per derivation | ~160 bytes | 32-64 MB |
| Brute-force resistance ratio | 1x (baseline) | ~4.1x |
Key finding: At equivalent 150ms perceived latency, Argon2id provides approximately 4x greater resistance to brute-force attacks. An attacker with a single RTX 4090 GPU can evaluate 2.8 million PBKDF2 candidates per second but only 148 Argon2id candidates - a 18,900x reduction in raw attack throughput, translating to roughly 4x additional bits of effective password entropy after accounting for Argon2id's higher per-evaluation cost.
Per-Engine Derivation Latency (150ms Target)
| Browser Engine | PBKDF2 (actual) | Argon2id (actual) | Argon2id Memory |
|---|---|---|---|
| Chrome 122 (Desktop) | 148 ms | 152 ms | 64 MB |
| Firefox 123 (Desktop) | 151 ms | 147 ms | 64 MB |
| Safari 17.3 (macOS) | 146 ms | 158 ms | 64 MB |
| Chrome Mobile (Pixel 8) | 149 ms | 153 ms | 32 MB |
| Safari Mobile (iPhone 15) | 147 ms | 156 ms | 32 MB |
| Samsung Internet (S24) | 152 ms | 149 ms | 32 MB |
| Safari Mobile (iPhone SE) | 153 ms | 162 ms | 24 MB |
| WebView (Budget Android) | 151 ms | 171 ms | 16 MB |
On budget Android devices with 3GB RAM, Argon2id with a 16MB memory parameter exceeded the 150ms target by 14% (171ms median). Reducing the memory parameter to 8MB brought latency within budget but diminished the brute-force resistance advantage to approximately 2.3x - still a meaningful improvement over PBKDF2 but below the 4x threshold observed on capable hardware.
Implementation Notes
Based on these results, PrivDrop employs an adaptive KDF selection mechanism that runs during the first encryption operation on each device:
- Capability probe. The system executes a calibration derivation using Argon2id at a conservative memory parameter (16MB). If the derivation completes within 200ms and available memory exceeds the threshold, the device is classified as Argon2id-capable.
- Parameter tuning. For Argon2id-capable devices, the system performs a binary search over the memory parameter to find the maximum value that completes within the 150ms latency budget. This result is cached for subsequent operations.
- Fallback path. Devices that fail the capability probe fall back to PBKDF2-SHA256 with an iteration count calibrated to the same 150ms target. This ensures consistent user experience across all hardware.
- Ongoing adaptation. The cached parameters are periodically re-evaluated (every 50 encryption operations) to account for changing device conditions - thermal throttling, memory pressure from other applications, or browser updates that affect WebAssembly performance.
In production telemetry, 87% of PrivDrop users are routed to Argon2id with memory parameters between 24MB and 64MB. The remaining 13% use PBKDF2-SHA256, predominantly on budget Android devices and older iOS hardware. No user-visible latency regression was observed during the rollout compared to the prior PBKDF2-only implementation.
The specific capability probe thresholds, parameter tuning algorithms, fallback decision logic, and production telemetry infrastructure referenced in this study are proprietary to topriv. The implementation description above is simplified for publication. Actual selection logic includes additional heuristics and device fingerprinting techniques not disclosed here.
Limitations
Browser-based Argon2id implementations via WebAssembly incur overhead compared to native execution. Our measurements reflect this overhead but may not generalize to future browser versions with improved WASM performance or native Argon2 support in the Web Crypto API (currently under discussion in W3C). Additionally, the GPU attack rate estimates are based on publicly available benchmarks for hashcat and john-the-ripper; adversaries with custom FPGA or ASIC implementations may achieve different throughput characteristics. The 150ms latency target was chosen based on user experience research within our platform and may not be appropriate for all applications.