
Tuta Launches Post Quantum Cryptography for Email (2024)

Out_of_Characte

What many miss is that updating your encryption algorithm now means decrypting all your previous data and then reencrypting it with the new algo. This is very expensive, time consuming and is something that you must do before encryption is broken or before your encrypted data is stored for later decryption.

This move, hopefully, promises to avoid this headache if the algo is actually post-quantum.

mjl-

I'm not so sure it's expensive (in general at least, not sure about their case). I think the typical approach for encrypting data is: Use asymmetric crypto to protect a master symmetric key. Then use that master key to get per-data (eg per file) symmetric keys. Then encrypt all the data with the data symmetric keys.

You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Out_of_Characte

I would agree with you if the risk was only the in-flight asymmetric crypto data. But as I understand it, when you use non-pq asymmetric crypto to roll the symmetric key in, then you would still risk the unbreakable symmetric encryption when the carrier protocol gets broken. Reusing the same key would be an amateur mistake. Now, 'just replace the asymmetric crypto' becomes, 'your data is only safe in-flight because everyone knows our shared symmetric key'

All of this is very low risk but anyone wishing to have post quantum encryption probably wouldn't appreciate three letter agencies having all of the symmetric keys if you ever used the weaker algo versions in a post quantum world.

> You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Would you really feel safe with that?
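An added illustration of the two positions in this exchange, written for this thread and not code from Tuta or either commenter: a three-level key hierarchy (outer wrapper key, master key, per-item data keys) where swapping the outer wrapper touches one small blob, beside the point that a harvested copy of the old wrapped master key still opens every item once the old wrapper is broken, so a real rotation re-encrypts the data. The asymmetric layer is modelled as a symmetric key-encryption key (`kek`) and the cipher is an HMAC-SHA256 counter keystream with an HMAC tag, both stand-ins so the script runs on the standard library alone; all keys and messages are constructed.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_data_key(master: bytes, label: bytes) -> bytes:
    """Per-item key derived from the master key (HMAC with a label, HKDF-style)."""
    return hmac.new(master, b"data-key:" + label, hashlib.sha256).digest()


class Mailbox:
    """wrapper key (kek) -> master key -> one data key per stored item."""

    def __init__(self, kek: bytes):
        self.master = secrets.token_bytes(32)
        # The (modelled) asymmetric layer protects only this small blob.
        self.wrapped_master = encrypt(kek, self.master)
        self.items: dict = {}

    def store(self, name: str, data: bytes) -> None:
        self.items[name] = encrypt(derive_data_key(self.master, name.encode()), data)

    def read(self, kek: bytes, name: str) -> bytes:
        master = decrypt(kek, self.wrapped_master)
        return decrypt(derive_data_key(master, name.encode()), self.items[name])

    def rewrap(self, old_kek: bytes, new_kek: bytes) -> int:
        """Cheap path: swap the outer wrapper only. Returns the number of items re-encrypted (0)."""
        master = decrypt(old_kek, self.wrapped_master)
        self.wrapped_master = encrypt(new_kek, master)
        return 0

    def full_rekey(self, kek: bytes) -> int:
        """Expensive path: fresh master key, every item decrypted and re-encrypted."""
        old_master = decrypt(kek, self.wrapped_master)
        new_master = secrets.token_bytes(32)
        for name, blob in self.items.items():
            plain = decrypt(derive_data_key(old_master, name.encode()), blob)
            self.items[name] = encrypt(derive_data_key(new_master, name.encode()), plain)
        self.master = new_master
        self.wrapped_master = encrypt(kek, new_master)
        return len(self.items)


def demo() -> dict:
    old_kek, new_kek = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    box = Mailbox(old_kek)
    box.store("msg1", b"constructed message one")
    box.store("msg2", b"constructed message two")
    harvested_wrap, harvested_items = box.wrapped_master, dict(box.items)  # "harvest now" copy

    touched_by_rewrap = box.rewrap(old_kek, new_kek)
    readable_after_rewrap = box.read(new_kek, "msg1") == b"constructed message one"

    # If the old wrapper is broken later, the harvested wrapped master still opens every
    # harvested item: the master key and the data keys never changed.
    leaked_master = decrypt(old_kek, harvested_wrap)
    harvest_opens = decrypt(derive_data_key(leaked_master, b"msg2"),
                            harvested_items["msg2"]) == b"constructed message two"

    touched_by_rekey = box.full_rekey(new_kek)
    try:
        decrypt(derive_data_key(leaked_master, b"msg2"), box.items["msg2"])
        old_master_opens_rekeyed = True
    except ValueError:
        old_master_opens_rekeyed = False
    return {
        "items_touched_by_rewrap": touched_by_rewrap,
        "readable_after_rewrap": readable_after_rewrap,
        "harvested_copy_opens_with_broken_old_wrapper": harvest_opens,
        "items_touched_by_full_rekey": touched_by_rekey,
        "old_master_opens_rekeyed_items": old_master_opens_rekeyed,
    }


if __name__ == "__main__":
    print(demo())
```

The rewrap step is what makes "just replace the asymmetric protection" cheap: it costs one decrypt and one encrypt of a 32-byte blob. The harvested-copy check is the caveat: anything stored under the old hierarchy stays exposed to whoever kept a copy, and only the full rekey, which scales with the amount of data, produces ciphertext the leaked master cannot open.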

GrantMoyer

Last time I checked, while Tutanota's emails are ostensibly E2E encrypted, all public keys are provided by their server and there's no way to pin keys or verify them over a side channel, so a compromised server could trivially send its own public keys and MITM attack all encrypted emails.

This completely defeats the purpose and guarantees of E2E encryption, but for some reason, it hasn't seemed to be a priority for them. The article passingly mentions key verification, so hopefully that's changed.

https://github.com/tutao/tutanota/issues/768
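The missing piece this comment describes, as an added example that is not Tuta's code: a client-side pin store that records the fingerprint of a recipient's public key on first contact, accepts the same key on later lookups, refuses a silently changed key, and accepts a rotation only when the user has confirmed the new fingerprint over a side channel. The key bytes, address and fingerprint format are constructed for the illustration.

```python
import hashlib
from typing import Optional


class KeyMismatch(Exception):
    """The server handed out a key that differs from the pinned one and no out-of-band confirmation was given."""


def fingerprint(pubkey: bytes) -> str:
    """Short, grouped fingerprint a user can read out over a phone call or compare in person.
    Format (24 hex chars in groups of 4) is chosen for this example, not a Tuta convention."""
    digest = hashlib.sha256(pubkey).hexdigest()[:24]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class PinStore:
    """Trust-on-first-use store of address -> fingerprint, kept on the client, not the server."""

    def __init__(self) -> None:
        self.pins: dict = {}

    def check(self, address: str, served_key: bytes,
              confirmed_fingerprint: Optional[str] = None) -> str:
        fp = fingerprint(served_key)
        pinned = self.pins.get(address)
        if pinned is None:
            self.pins[address] = fp            # first contact: pin what the server served
            return "pinned-first-use"
        if pinned == fp:
            return "match"                     # same key as before, nothing to do
        if confirmed_fingerprint == fp:
            self.pins[address] = fp            # rotation confirmed over a side channel
            return "rotated-verified"
        # The server served a different key and nobody confirmed it: do not encrypt to it.
        raise KeyMismatch(f"{address}: served {fp!r}, pinned {pinned!r}")


# Constructed key material; real keys would be the recipient's encryption public keys.
BOB_KEY = b"constructed-bob-public-key-bytes"
SUBSTITUTED_KEY = b"constructed-key-substituted-by-a-compromised-server"
BOB_ROTATED_KEY = b"constructed-bob-rotated-public-key-bytes"


def demo() -> list:
    store = PinStore()
    events = []
    events.append(store.check("bob@example.org", BOB_KEY))        # first contact
    events.append(store.check("bob@example.org", BOB_KEY))        # later lookup, same key
    try:
        store.check("bob@example.org", SUBSTITUTED_KEY)            # key changed, unconfirmed
    except KeyMismatch:
        events.append("refused-mismatch")
    # Bob reads the new fingerprint to the sender out of band; only then is the rotation pinned.
    events.append(store.check("bob@example.org", BOB_ROTATED_KEY,
                              confirmed_fingerprint=fingerprint(BOB_ROTATED_KEY)))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The store lives on the client, so a server that changes a key cannot also change the pin; the refusal is the detection point, and the out-of-band fingerprint comparison is the only way past it.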

Tutanota

Hey there, Tuta team here. We are aware of this issue and we are working on key verification as we speak. The release is scheduled for the coming month.

mjl-

I browsed through the article, but it's not clear to me if they're only encrypting data at rest (that you open up with a login session, but then: their referenced docs mention alice and bob exchanging messages, so that can't be it), or that they're encrypting messages and sending them out (i.e. it is similar to openpgp, but then their own custom thing? how would that interoperate with anyone else?).

Perhaps it makes more sense if you already know how they operate technically. There's a chance I browsed too quickly and missed the explanation... The article reads a bit confusing with the mixing of (a)symmetric concepts.

NewJazz

They can interoperate with regular email if you share the password for the email out of band. Basically they get a link to a specialized tuta web client, and enter their password there.

https://www.reddit.com/r/tutanota/comments/i3f6j6/stupid_que...

timeflex

I like Tuta but they are just not competitively priced. Proton purchased SimpleLogin & their $4/mo. premium plan includes unlimited aliases & custom domains. Tuta charges €8/mo. and you only get 30 aliases & 500GB of storage. Just doesn't make a lot of sense to me.

n00bskoolbus

Do SimpleLogin's aliases use your custom domain and/or does it use sub-addressing (plus addressing)? I wonder how much longer they'll offer that price given Proton's plan for those features is $10/mo, limited to 15 email addresses and the unlimited aliases are randomly generated.

timeflex

They can use whatever custom domain you want & either have them generated randomly, or you can have them be unique as well. I hope they offer that price indefinitely. Good thing it is open source as well.

Tutanota

Hi there, Tuta Team here. This is not correct, the price for Tuta Revolutionary is €3/mth with 20 GB of storage and 15 aliases - plus unlimited aliases when using your own domain. It's a very good deal.

timeflex

Okay, it appears maybe the addresses for custom domains were inaccurate because you list custom addresses & aliases separately for some odd reason. Why do you do that rather than saying unlimited aliases with a bullet point about only allowing 15 for domains you own?

The Revolutionary plan still only offers 3 custom domains. Furthermore, SimpleLogin provides unlimited aliases (custom domain or not) for $4/mo & unlimited custom domains. So SimpleLogin still appears to be more competitively priced overall.

EmilyHATFIELD

I pay $3/month (with the annual plan) and I get 10 GB of storage + 5 aliases.

rob_c

Given the massive bottlenecks that will likely remain in quantum for the next 10yr+ (Would love to see a change here obviously but c'est la vie)

I doubt anyone is blanket decrypting everyone's email just to see what people had for lunch even if it's "only" encrypted with rsa4096...

42772827

People who use this type of service, will you share your threat model? I am interested in the technology but have not had sufficient reason to make the jump from Fastmail.

NewJazz

I don't have a threat model per se. Tuta offers affordable email service and nice web and android clients.

imiric

Whenever I hear the phrase "post quantum", I associate it with snake oil. So this marketing article made me less likely to become a Tuta customer.

AlgebraFox

Signal has implemented too. https://signal.org/blog/pqxdh/

"Post quantum" or "quantum resistance" are common terms used to describe crypto that is harder to crack by quantum computers. I don't see any snake oil here.

timmb

Post quantum - as in designed to resist quantum computer based attacks under which rsa would quickly crumble. Why do you associate this with snake oil?

close04

It does sound a bit like the famous "military grade encryption" and it's equally (ab)used by snake oil salesmen.

I can't say anything about TutaCrypt's long-term effectiveness except that CRYSTALS-Kyber is touted as being at the forefront of post-quantum cryptography.

mossTechnician

I wouldn't call it snake oil, but right now it appears quantum encryption cracking is only theoretical. I'm not sure how anyone can promise to mitigate attacks that haven't yet arrived.

Global Risk Institute... found that the majority of cryptography experts it surveyed believe quantum computers, more broadly, will be able to break anything encrypted with RSA-2048 within 24 hours within the next 30 years.

https://www.pcmag.com/news/chinese-researchers-reportedly-cr...

DennisP

Most cryptography experts are probably not experts in quantum computers as well.

We already know the algorithm to break RSA with a quantum computer. We just don't have the hardware yet. Nobody knows when the hardware will be available but a lot of entities are working on it.

It's common in cryptography to mitigate attacks that are known but not feasible without further advances in hardware or algorithms. Nobody wants to wait until an attack is successful. That's why NIST is already working on post-quantum cryptography standardization:

https://csrc.nist.gov/projects/post-quantum-cryptography/pos...

upofadown

If an entity says they support a new security feature then the assumption is that they are doing so for some actual reason. So if you throw in that feature then all your competition is instantly at a disadvantage. Few will care enough to do enough research to evaluate the implied claim.

So all that is needed in this case is for potential customers to have the idea in the back of their minds that there might be an issue. The hyperbolic articles about the quantum threat serve that purpose.

So Tuta can be seen to be both a victim and a cause here.

delfinom

Tuta once ranted in a blog post that Microsoft was out to get them.

Because they used tutanova.com for their internal corporate use but they also let public users signup for emails @tutanova.com. And no shocker, MS won't let you have public users create MS accounts when a fucking AD org with that domain exists.

They are incompetent.

DyslexicAtheist

Seconded. It doesn't sound like practical security that would help anyone, but like a bunch of snake-oil mumbo-jumbo written by "growth-hackers" without a clue.

I get the theory, but until there is actually a quantum computer that can break it, it would be more helpful to talk about threat models or operational security, because crypto is hardly what anyone with brains will try to break to steal your memes.

Much more worried about the terrible security of MIME parsing.

ls65536

> until there is actually a quantum computer that can break it

There isn't one yet (at least that the general public knows about), but that doesn't mean we don't need to do anything about it right now. See this problem, for example, which would potentially affect today's encrypted data if it were harvested and saved to storage for the long term: https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later


fxwin

What would you like them to call it instead?

thadt

Post Physics-Experiment Cryptography [1]

[1] https://news.ycombinator.com/item?id=43046631

fxwin

You're not who I asked, but this is a terrible name (too broad vs. the rather precise term of PQC).