Show HN: TutaCrypt, post-quantum encryption protocols for securing emails [pdf]
15 points by Tutanota 1 year ago | 8 comments
We have included a full technical write-up of the cryptography involved in these changes and we have released it for open public review.
This document specifies TutaCrypt, a protocol designed for hybrid email encryption in Tuta Mail. The protocol combines a classical Elliptic-Curve-Diffie-Hellman key exchange with a post-quantum KEM. The goal is to replace the usage of RSA in Tuta Mail.
In the remainder of this document we describe some preliminaries such as the cryptographic primitives used. We define the core algorithms of the protocol and describe the flow of messages between the communicating parties. Finally, we discuss the security properties and some limitations of the protocol in its current form.
We are eager for your constructive feedback. All cryptography related source code is available for review and experimenting here: https://github.com/tutao/tutanota/blob/master/src/api/worker...
If you have any questions or comments related to post-quantum cryptography please let us know in the comments!
- dvon 1 year ago
How does Tutanota work to make sure that TutaCrypt is indeed unbroken or at least so time consuming to break that it is not worth the effort?
Do you employ cryptographers? Do you have engineers who specialize in security?
And do you have a process set up for a sort of recovery from a failed encryption implementation?
edit: that is to say, what is the plan in the event your encryption is proven faulty and your customers' emails are leaked to the public due to this fault?
- Tutanota 1 year ago
Our core development team is trained to work in applied cryptography and we work directly with the University of Wuppertal cryptographers for cryptanalysis and testing.
To secure our customers' emails we do not only rely on the new post-quantum algorithm but we use a post-quantum Key Encapsulation Mechanism (CRYSTALS-Kyber) in combination with an Elliptic-Curve Diffie-Hellman key exchange (x25519). We chose Kyber for pq encryption because it has been chosen by NIST for standardization. However, we are aware that it still might be broken in the future. In this case our implementation allows us to replace it with a different post-quantum Key Encapsulation Mechanism. Our customers' emails will not be leaked in this case because they are still protected by the state-of-the-art Elliptic-Curve Diffie-Hellman key exchange.
- dr_hooo 1 year ago
I was all for post-quantum crypto until I heard the news about SIKE being broken with a simple computer.
How will you make sure this does not happen to the algorithms you chose?
- Tutanota 1 year ago
As all post-quantum crypto is relatively new there is still the risk of it being broken in the future. This is why we combine the new algorithms with classical ones in a hybrid approach so that the encryption stays at least as secure as it is now.
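The two Tutanota replies above (Kyber combined with x25519, and "stays at least as secure as it is now") describe a hybrid combiner. The following is an added example, not TutaCrypt's or Tuta's code: x25519 is implemented from RFC 7748, the Kyber shared secret is modelled as an opaque 32-byte value both parties already hold, and the HKDF-SHA256 combiner over the concatenated secrets is an assumption about how such a hybrid can be built, not the protocol's actual KDF.

```python
# Added example (not Tuta's code): hybrid ECDH + KEM shared-secret combiner.
# x25519 follows RFC 7748; the KEM half is an opaque 32-byte stand-in for
# the secret a Kyber decapsulation would return. The HKDF combiner is assumed.
import hashlib, hmac, secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Curve25519 scalar multiplication (RFC 7748 Montgomery ladder)."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # clamp
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF-SHA256, first output block (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def hybrid_key(ecdh_ss: bytes, kem_ss: bytes, context: bytes) -> bytes:
    """Both secrets feed one KDF, so the key depends on each of them."""
    return hkdf_sha256(ecdh_ss + kem_ss, salt=b"", info=context)

def demo() -> dict:
    a_priv, b_priv = secrets.token_bytes(32), secrets.token_bytes(32)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    kem_ss = secrets.token_bytes(32)  # constructed stand-in for the Kyber secret
    ctx = b"example-hybrid-v1"
    k_alice = hybrid_key(x25519(a_priv, b_pub), kem_ss, ctx)
    k_bob = hybrid_key(x25519(b_priv, a_pub), kem_ss, ctx)
    # A "broken KEM" attacker knows kem_ss but not the ECDH secret:
    k_kem_only = hybrid_key(bytes(32), kem_ss, ctx)
    return {"agree": k_alice == k_bob, "kem_alone_suffices": k_kem_only == k_alice}
```

Swapping the KEM half for another scheme only changes what `kem_ss` is, which is the replaceability the reply describes.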
- aborsy 1 year ago
By mixing it up with classical encryption algorithms. The implementations don't use pure post quantum cryptography, see SSH.
- defrost 1 year ago
Learn some math.
SIKE was known to be breakable since at least 1997, specific breaking algorithms were developed in 2000, and these were implemented in Magma (a symbolic algebra suite from John Cannon, Sydney Uni, second generation after the original Cayley system of the mid 1980s).
It wasn't a choice that would have been put forward by people in the abstract algebra game - just something put forward as a 'candidate' by security researchers.
Something something Venn diagrams.
- dikaio 1 year ago
Little rude, he was just asking a question.
Learn some decency.
- defrost 1 year ago
Learn some math, more specifically learn abstract algebra | read current papers in the field, befriend people active in the field that have taken over from Charles Leedham-Green, George Havas, et al is good practical advice to avoid using methods already known for decades to be weak.
It answers the question.
> Learn some decency.
Little rude, given the question asked was answered.