Tuta Launches Post Quantum Cryptography for Email (2024) (opens in new tab)

(tuta.com)

48 pointskarlzt1y ago29 comments

29 comments

What many miss is that updating your encryption algorithm now means decrypting all your previous data and then reencrypting it with the new algo. This is very expensive, time consuming and is something that you must do before encryption is broken or before your encrypted data is stored for later decryption.

This move, hopefully, promises to avoid this headache if the algo is actually post-quantum.

mjl-1y ago

I'm not so sure it's expensive (in general at least, not sure about their case). I think the typical approach for encrypting data is: Use asymmetric crypto to protect a master symmetric key. Then use that master key to get per-data (eg per file) symmetric keys. Then encrypt all the data with the data symmetric keys.

You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Out_of_Characte1y ago

I would agree with you if the risk was only the in-flight asymmetric crypto data. But as I understand it, when you use non-pq asymmetric crypto to roll the symmetric key in, then you would still risk the unbreakable symmetric encryption when the carrier protocol gets broken. Reusing the same key would be an amateur mistake. Now, 'just replace the asymmetric crypto' becomes, 'your data is only safe in-flight because everyone knows our shared symmetric key'

All of this is very low risk but anyone wishing to have post quantum encryption probaly wouldn't appreciate three letter agencies having all of the symmetric keys if you ever used the weaker algo versions in a post quantum world.

>You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Would you really feel safe with that?

GrantMoyer1y ago

Last time I checked, while tutanota's emails are ostensibly E2E encrypted, all public keys are provided by their server and there's no way to pin keys or verify them over a side channel, so a compromised server could trivially send its own public keys and MITM attack all encrypted emails.

This completely defeats the purpose and guarantees of E2E encryption, but for some reason, it hasn't seemed to be a priority for them. The article passingly mentions key verification, so hopefully that's changed.

https://github.com/tutao/tutanota/issues/768

Tutanota1y ago

Hey there, Tuta team here. We are aware of this issue and we are working on key verification as we speak. The release is scheduled for the coming month.

mjl-1y ago

I browsed through the article, but it's not clear to me if they're only encrypting data at rest (that you open up with a login session, but then: their referenced docs mention alice and bob exchanging messages, so that can't be it), or that they're encrypting messages and sending them out (i.e. it is similar to openpgp, but then their own custom thing? how would that interoperate with anyone else?).

Perhaps it makes more sense if you already know how they operate technically. There's a chance I browsed too quickly and missed the explanation... The article reads a bit confusing with the mixing of (a)symmetric concepts.

NewJazz1y ago

They can interoperate with regular email if you share the password for the email out of band. Basically they get a link to a specialized tuta web client, and enter their password there.

https://www.reddit.com/r/tutanota/comments/i3f6j6/stupid_que...

timeflex1y ago

I like Tuta but they are just not competitively priced. Proton purchased SimpleLogin & their $4/mo. premium plan includes unlimited aliases & custom domains. Tuta charges €8/mo. and you only get 30 aliases & 500GB of storage. Just doesn't make a lot of sense to me.

n00bskoolbus1y ago

Do SimpleLogin's aliases use your custom domain and/or does it use sub-addressing (plus addressing)? I wonder how much longer they'll offer that price given Proton's plan for those features is $10/mo, limited to 15 email addresses and the unlimited aliases are randomly generated.

timeflex1y ago

They can use whatever custom domain you want & either have them generated randomly, or you can have them be unique as well. I hope they offer that price indefinitely. Good thing it is open source as well.

Tutanota1y ago

Hi there, Tuta Team here. This is not correct, the price for Tuta Revolutionary is €3/mth with 20 GB of storage and 15 aliases - plus unlimited aliases when using your own domain. It's a very good deal.

timeflex1y ago

Okay, it appears maybe the addresses for custom domains was inaccurate because you list custom addresses & aliases separately for some odd reason. Why do you do that rather than saying unlimited aliases with a bullet point about only allowing 15 for domains you own?

The Revolutionary plan still only offers 3 custom domains. Furthermore, SimpleLogin provides unlimited aliases (custom domain or not) for $4/mo & unlimited custom domains. So SimpleLogin still appears to be more competitively priced overall.

EmilyHATFIELD1y ago

I pay 3$ / month (with the annual plan) and I get 10Gb of storage + 5 aliases

rob_c1y ago

Given the massive bottlenecks that will likely remain in quantum for the next 10yr+ (Would love to see a change here obviously but c'est la vie)

I doubt anyone is blanket decrypting everyone's email just to see what people had for lunch even if it's "only" encrypted with rsa4096...

427728271y ago

People who use this type of service, will you share your threat model? I am interested in the technology but have not had sufficient reason to make the jump from Fastmail.

NewJazz1y ago

I don't have a threat model per se. Tuta offers affordable email service and nice web and android clients.

imiric1y ago

Whenever I hear the phrase "post quantum", I associate it with snake oil. So this marketing article made me less likely to become a Tuta customer.

AlgebraFox1y ago

Signal has implemented too. https://signal.org/blog/pqxdh/

"Post quantum" or "quantum resistance" are common terms used to describe crypto that is harder to crack by quantum computers. I don't see any snake oil here.

timmb1y ago

Post quantum - as in designed to resist quantum computer based attacks under which rsa would quickly crumble. Why do you associate this with snake oil?

close041y ago

It does sound a bit like the famous "military grade encryption" and it's equally (ab)used by snake oil salesmen.

I can't say anything about TutaCrypt's long-term effectiveness except that CRYSTALS-Kyber is touted as being at the forefront of post-quantum cryptography.

mossTechnician1y ago

I wouldn't call it snake oil, but right now it appears quantum encryption cracking is only theoretical. I'm not sure how anyone can promise to mitigate attacks that haven't yet arrived.

Global Risk Institute... found that the majority of cryptography experts it surveyed believe quantum computers, more broadly, will be able to break anything encrypted with RSA-2048 within 24 hours within the next 30 years.

https://www.pcmag.com/news/chinese-researchers-reportedly-cr...

1 more reply

upofadown1y ago

If an entity says they support a new security feature then the assumption is that they are doing so for some actual reason. So if you throw in that feature then all your competition is instantly at a disadvantage. Few will care enough to do enough research to evaluate the implied claim.

So all that is needed in this case is for potential customers to have the idea in the back of their minds that there might be an issue. The hyperbolic articles about the quantum threat serve that purpose.

So Tuta can be seen to be both a victim and a cause here.

delfinom1y ago

Tuta once ranted in a blog post that Microsoft was out to get them.

Because they used tutanova.com for their internal corporate use but they also let public users signup for emails @tutanova.com. And no shocker, MS won't let you have public users create MS accounts when a fucking AD org with that domain exists.

They are incompetent.

DyslexicAtheist1y ago

seconded. It doesn't sound like practical security that would help anyone, but like a bunch of snake-oil mumbo-jumbo written by "growth-hackers" without a clue.

I get the theory but until there is actually a quantum computer that can break it it would be more helpful to talk about threat-models or operational security. because crypto is hardly what anyone with brains will try to break to steal your memes.

much more worried about terrible security of MIME parsing.

ls655361y ago

> until there is actually a quantum computer that can break it

There isn't one yet (at least that the general public knows about), but that doesn't mean we don't need to do anything about it right now. See this problem, for example, which would potentially affect today's encrypted data if it were harvested and saved to storage for the long term: https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later

fxwin1y ago

What would you like them to call it instead?

thadt1y ago

Post Physics-Experiment Cryptography [1]

[1] https://news.ycombinator.com/item?id=43046631

1 more reply

j / k navigate · click thread line to collapse

29 comments

Out_of_Characte1y ago

This move, hopefully, promises to avoid this headache if the algo is actually post-quantum.

mjl-1y ago

You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Out_of_Characte1y ago

>You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Would you really feel safe with that?

GrantMoyer1y ago

https://github.com/tutao/tutanota/issues/768

Tutanota1y ago

Hey there, Tuta team here. We are aware of this issue and we are working on key verification as we speak. The release is scheduled for the coming month.

mjl-1y ago

NewJazz1y ago

They can interoperate with regular email if you share the password for the email out of band. Basically they get a link to a specialized tuta web client, and enter their password there.

https://www.reddit.com/r/tutanota/comments/i3f6j6/stupid_que...

timeflex1y ago

n00bskoolbus1y ago

timeflex1y ago

Tutanota1y ago

timeflex1y ago

EmilyHATFIELD1y ago

I pay 3$ / month (with the annual plan) and I get 10Gb of storage + 5 aliases

rob_c1y ago

Given the massive bottlenecks that will likely remain in quantum for the next 10yr+ (Would love to see a change here obviously but c'est la vie)

I doubt anyone is blanket decrypting everyone's email just to see what people had for lunch even if it's "only" encrypted with rsa4096...

427728271y ago

People who use this type of service, will you share your threat model? I am interested in the technology but have not had sufficient reason to make the jump from Fastmail.

NewJazz1y ago

I don't have a threat model per se. Tuta offers affordable email service and nice web and android clients.

imiric1y ago

Whenever I hear the phrase "post quantum", I associate it with snake oil. So this marketing article made me less likely to become a Tuta customer.

AlgebraFox1y ago

Signal has implemented too. https://signal.org/blog/pqxdh/

"Post quantum" or "quantum resistance" are common terms used to describe crypto that is harder to crack by quantum computers. I don't see any snake oil here.

timmb1y ago

Post quantum - as in designed to resist quantum computer based attacks under which rsa would quickly crumble. Why do you associate this with snake oil?

close041y ago

It does sound a bit like the famous "military grade encryption" and it's equally (ab)used by snake oil salesmen.

I can't say anything about TutaCrypt's long-term effectiveness except that CRYSTALS-Kyber is touted as being at the forefront of post-quantum cryptography.

mossTechnician1y ago

I wouldn't call it snake oil, but right now it appears quantum encryption cracking is only theoretical. I'm not sure how anyone can promise to mitigate attacks that haven't yet arrived.

https://www.pcmag.com/news/chinese-researchers-reportedly-cr...

1 more reply

upofadown1y ago

So Tuta can be seen to be both a victim and a cause here.

delfinom1y ago

Tuta once ranted in a blog post that Microsoft was out to get them.

They are incompetent.

DyslexicAtheist1y ago

seconded. It doesn't sound like practical security that would help anyone, but like a bunch of snake-oil mumbo-jumbo written by "growth-hackers" without a clue.

much more worried about terrible security of MIME parsing.

ls655361y ago

> until there is actually a quantum computer that can break it

fxwin1y ago

What would you like them to call it instead?

thadt1y ago

Post Physics-Experiment Cryptography [1]

[1] https://news.ycombinator.com/item?id=43046631

1 more reply

j / k navigate · click thread line to collapse