Open_Source_Enjoyer Does someone know what key derivation function is used on GrapheneOS?
Scrypt, but with nerfed parameters, so it is basically like PBKDF2.
Open_Source_Enjoyer I heard that a strong Argon2 configuration could make attempts so resource-intensive that even strong GPUs can only make a few attempts per second.
This is true, but GrapheneOS does not have a strong memory-hard key derivation function. It has scrypt, with parameters intentionally weakened to make unlocking super fast without using much RAM. So the security is comparable to PBKDF2, which was the gold standard for disk encryption key derivation 15 years ago.
This is why you need to pick at least 7 diceware words for your passphrase for it to be unbreakable. With Argon2id calibrated to 1 second unlock time and 1 GB RAM consumption, you could have gotten away with one or two words less for the same security level. But the GrapheneOS project has clearly stated that it has no interest in implementing this, as one can just add one or two more diceware words to get the same security level if one has such high security needs, and for most users, the throttling done by the Titan chip will be enough, while still allowing super fast unlock without causing all background processes to be killed in the process.
natoal Not sure if this website is accurate but with the standard delays for encryption key derivation even a 6 digit PIN is quite secure?
No, that website is not accurate at all.
Here is a good site describing the security of two of the most common key derivation algorithms, and how much entropy your passphrase needs for which attacker budget.
https://tails.net/security/argon2id/index.en.html
A 6 digit PIN that is not throttled by any Secure Element will cost an attacker roughly $0.00001 to break. Yeah. Not secure. Remember, an attacker can always just rent more cloud compute power to break your passphrase, including hardware specifically designed for password breaking. The only thing stopping them is how much they are going to have to pay for it all, and the above page analyses that using reasonable assumptions. E.g., 7 diceware words would cost $1 000 000 000 000 000 to break in electricity cost alone, so safe even from a very motivated state actor.
Open_Source_Enjoyer Is it right that even short passphrases like 3-4 words are reasonably secure because of strong bruteforce protection of the Titan M chip?
As long as the attacker does not know any exploit against the Titan chip, a 6 digit PIN would be more than enough, as they are getting throttled heavily after 20 attempts or so, and more than a few hundred attempts are not really practical. All discussion above is purely about how strong passwords need to be to protect against an attacker that does have an exploit against the Titan chip, and can bypass its throttling.
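The trade-off discussed in this thread (passphrase entropy versus per-guess cost of the key derivation function, and the separate case where a secure element caps the number of attempts) can be worked through numerically. The following is an added example, not part of the original posts and not GrapheneOS code; the per-guess costs, the cost ratio and the budget are constructed values chosen only for illustration, not measurements of scrypt or Argon2id.

```python
import math

DICEWARE_LIST_SIZE = 7776  # standard diceware list: 6**5 words

# Constructed, hypothetical per-guess costs in dollars (assumptions, not measurements).
COST_FAST_KDF = 1e-12         # cheap-to-evaluate KDF
COST_MEMORY_HARD_KDF = 1e-6   # assumed 10**6 times costlier per guess


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def average_crack_cost(bits: float, cost_per_guess: float) -> float:
    """Expected offline cost: on average half of the keyspace is searched."""
    return 2 ** (bits - 1) * cost_per_guess


def words_offset_by_kdf(cost_ratio: float) -> float:
    """Diceware words that a `cost_ratio` times costlier KDF compensates for."""
    return math.log2(cost_ratio) / math.log2(DICEWARE_LIST_SIZE)


def min_words_for_budget(budget: float, cost_per_guess: float) -> int:
    """Smallest diceware word count whose average crack cost exceeds `budget`."""
    words = 1
    while average_crack_cost(entropy_bits(DICEWARE_LIST_SIZE, words),
                             cost_per_guess) <= budget:
        words += 1
    return words


def throttled_guess_probability(keyspace: int, attempts: int) -> float:
    """Chance of hitting a random secret when hardware caps the attempt count."""
    return min(attempts, keyspace) / keyspace


if __name__ == "__main__":
    budget = 1e9  # constructed attacker budget in dollars
    print("6-digit PIN bits:", round(entropy_bits(10, 6), 2))
    print("7 diceware words bits:", round(entropy_bits(DICEWARE_LIST_SIZE, 7), 2))
    print("words needed, fast KDF:", min_words_for_budget(budget, COST_FAST_KDF))
    print("words needed, memory-hard KDF:",
          min_words_for_budget(budget, COST_MEMORY_HARD_KDF))
    print("words offset by 10**6x KDF:", round(words_offset_by_kdf(1e6), 2))
    print("PIN guessed within 300 throttled attempts:",
          throttled_guess_probability(10 ** 6, 300))
```
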