Argon2id
Also known as: Argon2, Argon2id KDF, memory-hard password hash
Argon2id is the recommended variant of Argon2, the winner of the 2015 Password Hashing Competition, standardized in RFC 9106. It is a memory-hard key derivation function that turns a password or PIN into a key by forcing the computation to fill a large block of RAM. That memory cost makes large-scale GPU and ASIC brute-forcing slow and expensive.
Ordinary hashes like SHA-256 are fast — which is exactly wrong for passwords, because an attacker can try billions of guesses per second on a GPU. A password KDF deliberately makes each guess expensive. Argon2, designed by Biryukov, Dinu, and Khovratovich and standardized in RFC 9106 (2021), does this by being memory-hard: it allocates and repeatedly mixes a large array of memory, so an attacker must pay for that RAM on every single guess. RAM is far harder to parallelize cheaply than raw arithmetic, which blunts the GPU/ASIC advantage.
Argon2id is the hybrid, default-recommended variant. It runs the data-independent Argon2i mode for the first half-pass (resisting side-channel timing leaks) and the data-dependent Argon2d mode afterward (maximizing brute-force cost). RFC 9106's first-choice profile is 2 GiB of memory, but resource-constrained settings tune it down.
Three parameters set the cost: memory (m, in KiB), iterations (t, the time cost), and parallelism (p, lanes). Together with a unique random salt per user, they decide how punishing each guess is — and so how well a stolen, encrypted vault resists offline cracking. See PIN authentication for how this protects a device.
How it works
1. Inputs: the password or PIN, a unique random salt, and the cost parameters m (memory in KiB), t (iterations), p (parallelism), plus the desired output length.
2. Fill: Argon2 initializes a large memory matrix from the password and salt, then repeatedly overwrites each block by mixing it with earlier blocks using the BLAKE2b-based compression function.
3. Passes: it makes t passes over the whole matrix. In Argon2id, the first half-pass picks reference blocks independently of the data (side-channel safe); the rest picks them based on the data (trade-off resistant).
4. Output: the final memory block is hashed down to the requested key length. Because every guess must allocate and churn the full memory matrix, parallel hardware attacks stay expensive.
How RVNT uses Argon2id
RVNT derives the local database key from your PIN with Argon2id, never storing the key itself. Per the PIN authentication design, it uses Argon2id v1.3 (RFC 9106) with a 64 MB memory cost, 3 iterations, 4 lanes, a 32-byte per-device random salt, and a 32-byte output, then splits that into database, backup, and export keys via HKDF. The raw key is zeroized after derivation; lockout escalation further throttles guessing.
Frequently asked questions
What is the difference between Argon2id, Argon2i, and Argon2d?
Argon2d uses data-dependent memory access for maximum brute-force resistance but leaks timing side channels. Argon2i uses data-independent access to resist side channels at some cost to brute-force hardness. Argon2id is the hybrid: side-channel safe for the first half-pass, then data-dependent, and it is the variant RFC 9106 recommends by default.
Why is Argon2 better than SHA-256 for hashing a PIN?
SHA-256 is fast and cheap to parallelize, so a GPU can test billions of PINs per second against a stolen hash. Argon2id is deliberately slow and memory-hard, forcing an attacker to allocate megabytes of RAM per guess. That memory cost, not just CPU time, is what cripples large-scale offline attacks.
Can Argon2id make a weak PIN secure?
No. Argon2id multiplies the cost of each guess, but a 6-digit PIN only has a million possibilities, which a GPU can still exhaust quickly. The KDF buys time and raises the bar; real protection comes from combining it with a longer PIN or passphrase and lockout limits, as RVNT does.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.