top | item 39741877

Show HN: TutaCrypt, post-quantum encryption protocols for securing emails [pdf]

15 points| Tutanota | 1 year ago |tuta.com

Hi HN, we are the developers from Tuta (formerly Tutanota), the German end-to-end encrypted email provider, and we recently released the world's first post-quantum encryption for email.

We have included a full technical write-up of the cryptography involved in these changes and we have released it for open public review.

This document specifies TutaCrypt, a protocol designed for hybrid email encryption in Tuta Mail. The protocol combines a classical Elliptic-Curve-Diffie-Hellman key exchange with a post-quantum KEM. The goal is to replace the usage of RSA in Tuta Mail.

In the remainder of this document we describe some preliminaries such as the cryptographic primitives used. We define the core algorithms of the protocol and describe the flow of messages between the communicating parties. Finally, we discuss the security properties and some limitations of the protocol in its current form.

We are eager for your constructive feedback. All cryptography related source code is available for review and experimenting here: https://github.com/tutao/tutanota/blob/master/src/api/worker...

If you have any questions or comments related to post-quantum cryptography please let us know in the comments!

8 comments

dvon|1 year ago

How does Tutanota work to make sure that TutaCrypt is indeed unbroken or at least so time consuming to break that it is not worth the effort?

Do you employ cryptographers? Do you have engineers who specialize in security?

And do you have a process set up for a sort of recovery from a failed encryption implementation?

edit: that is to say, what is the plan in the event your encryption is proven faulty and your customer's emails are leaked to the public due to this fault?

Tutanota|1 year ago

Our core development team are trained to work in applied cryptography and we work directly with the University of Wuppertal cryptographers for cryptanalysis and testing.

To secure our customer's emails we do not only rely on the new post-quantum algorithm but we use a post-quantum Key Encapsulation Mechanism (CRYSTALS-Kyber) in combination with an Elliptic-Curve-Diffie-Hellmann key exchange (x25519). We did choose Kyber for pq encryption because it has been chosen by NIST for standardization. However, we are aware that it still might be broken in the future. In this case our implementation allows us to replace it with a different post-quantum Key Encapsulation Mechanism. Our customer's emails will not be leaked in this case because they are still protected by the state-of-the-art Elliptic-Curve-Diffie-Hellmann key exchange.

dr_hooo|1 year ago

I was all for post-quantum crypto until I heard the news about SIKE being broken with a simple computer.

How will you make sure this does not happen to the algorithms you chose?

Tutanota|1 year ago

As all post-quantum crypto is relatively new there is still the risk of it being broken in the future. This is why we combine the new algorithms with classical ones in an hybrid approach so that the encryption stays at least as secure as it is now.

aborsy|1 year ago

By mixing it up with classical encryption algorithms. The implementations don’t use pure post quantum cryptography, see SSH.

defrost|1 year ago

Learn some math.

SIKE was known to be breakable since at least 1997, specific breaking algorithms were developed in 2000, and these were implemented in Magma (a symbolic algebra suite from John Cannon, Sydney Uni, second generation after the original Cayley system of the mid 1980s).

It wasn't a choice that would have been put forward by people in the abstract algebra game - just something put forward as a 'candidate' by security researchers.

Something something Venn diagrams.

R_U_R|1 year ago

[deleted]