AES 256 Is Now Securing All Your Encrypted Tuta Emails

We have updated to AES 256 encryption by default, the next step towards full post-quantum encryption!

AES 256 encryption secures all data in Tuta in a quantum-safe manner.

We are starting 2024 off right: With the latest update all Tuta accounts are now utilizing Argon2 and AES 256 encryption by default. This security improvement is the next step towards full post-quantum encryption!


AES 256 switched on

The new year brings a great update to Tuta Mail: We’ve now switched on AES 256 encryption by default for all new emails sent via Tuta. This is great security improvement and the next step towards quantum-safe encryption.

In addition, we have now enabled Argon2 as the standard password derivation function for all new accounts or when your change your password. Argon2 is one of the best modern key derivation process, which makes sure that your encryption keys that are derived from your password in the Tuta client are secure.

You can read more on Agron2 and why it’s best for security here.

On our road to achieve quantum security we are now updating our asymmetric cryptography (currently RSA 2048), in a next step we are focusing on rotating the existing encryption keys and key verification.

With this release we are also rolling out support for a new quantum-safe hybrid encryption protocol that we designed. We will describe this in detail in a future blog post. This protocol is not yet actively used by clients, but we will enable it for new accounts as one of the next steps. Afterwards we will work on encryption key rotation so that our existing customers can also reach quantum-safety. Once rolled out, it will be possible to replace existing AES 128 and keys with new AES 256 keys. The same will be possible with the asymmetric RSA 2048 keys which will be replaced with both X25519 and Kyber-1024 turning the protocol into a hybrid (classical and quantum-safe) public key protocol.

What is AES 256?

Advanced Encryption Standard (AES) 256 is the most secure symmetric encryption algorithm. It uses a 256-bit key to convert plain text or data into a cipher. AES 256 is a great cypher that was first introduced in 2001 by the U.S. National Institute of Standards and Technology (NIST).

To this day, AES 256 is the most capable symmetric encryption. Its benefits are

  • Fast encryption speed
  • Quantum-safe encryption
  • Encrypts large volumes of data
  • Requires less computing power for execution

How secure is AES 256?

AES 256 is the most secure encryption layer, the gold standard of encryption so to say.

Using naive brute force, an attacker would need to try 2^255 combinations on average to crack your encryption key - a ridiculously high number of combinations that one cannot even try to imagine.

To run this kind of computation is impossible with current technology and not even achievable by upcoming quantum computers.

What Are the Differences Between AES 128 and AES 256 Encryption?

First of all, encryption, also AES encryption, works by taking plain text and converting it into a code called a ciphertext with the help of an encryption algorithm. This ciphertext is unreadable so that neither humans nor computers can understand it until it is decrypted into plaintext again.

AES is a symmetric block cipher, as it splits the data into blocks of fixed size (128 bits). It is called symmetric because the same key it uses the same key to both encrypt and decrypt these blocks of data.

So what are the differences between AES 128 and AES 256? Both are based on a Substitution Permutation Network (SPN) design principle which applies a series of mathematical operations in multiple rounds to encrypt data. The first notable difference is that AES 128 has 10 of these rounds while AES 256 has 14. More importantly though, the key expansion algorithms of the two differ. This algorithm is used to derive a dedicated key for each of the 10 or 14 rounds of the cipher from the 128 or 256 bit encryption key respectively.

Why did Tuta Mail use AES 128 before?

AES 256 is the most secure of all existing AES encryption layers, but there are more: AES 128 and AES 192. There are also extremely good encryption algorithms that can securely decipher large volumes of data. Back in 2012 when we started developing Tuta, these were considered so secure that there was a debate whether AES 256 would be necessary at all given the powerful encryption of AES 128.

Based on this argument, in addition to the fact that performance on mobile devices of AES 128 was much better compared to AES 256, we opted to design our encryption protocol based on AES 128.

It’s amazing how fast things can change: Today, as we see the rise of quantum computers, the unambiguous scientific opinion is that only AES 256 can future-proof your data and protect it against upcoming attacks from quantum computers.

However, this does not mean that data protected by AES 128 is susceptible to any attacks known today.

At Tuta our main focus lies on privacy and security. We are currently working hard to future-proof the security of your emails, calendars and contacts. We’ve got some exciting updates in the pipeline on our road for quantum safe encryption, so look out for upcoming news. And check why it is important to adopt post-quantum security now!

If you want to be among the first to send quantum-safe emails, sign up for a free Tuta Mail account now.