ProtonMail now offers elliptic curve cryptography for advanced security and faster speeds

For several months, we have been working to implement support for new cryptographic methods in ProtonMail that give users a faster experience with equal or better security. Today, we’re excited to announce that elliptic curve cryptography is now available in all our applications for web, mobile, and desktop (Bridge).

For reasons we explain below, elliptic curves are rapidly replacing RSA as the gold standard for public-key cryptography. You may already be using it in other services, such as WhatsApp; Chrome, Firefox, and Opera browsers; and Tor. In March 2018, we released elliptic curve cryptography in OpenPGPjs, the open-source encryption library we maintain, allowing hundreds of apps to take advantage of next-generation cryptography. In August, OpenPGPjs passed an independent security audit, paving the way for implementation in ProtonMail.

Why switch to elliptic curve cryptography?

For decades, RSA was the only game in town, rooted in a powerful mathematical concept: multiplying large prime numbers is easy, but factoring the product is hard. But as computers get faster, RSA encryption requires bigger and bigger numbers to stay secure. Large numbers slow things down, especially on mobile devices with less computing power.  

So, over the last few years, more products and protocols have been implementing a more efficient cryptographic system called elliptic curve cryptography. ECC also relies on a mathematical equation, but it requires much smaller numbers to accomplish the same level of security. For a more detailed explanation of how this kind of cryptography works, Ars Technica has published a useful summary.

Using elliptic curve cryptography, the processes of key generation, encryption, and decryption become dramatically faster. That saves processing power (allowing you to log in and load emails faster), memory (freeing up space for other apps to work), and energy (giving you longer battery life).

Elliptic curve cryptography is very secure

Public key cryptography — both high-bit RSA and elliptic curves — is extremely safe. As with any encrypted system, the only practical way to backdoor it is to exploit weaknesses in its implementation, not the math itself. With ECC, there are only two known attacks, one that takes advantage of random number generators and another that exploits things like device power consumption to glean clues about the keys. Both of these are well understood and were mitigated years ago.

We have chosen a particular elliptic curve system known as X25519, which is fast, secure, and particularly resistant to timing attacks. It’s simple to implement and, for what it’s worth, isn’t the subject of any patent claims. (For advanced users, you can find a technical explanation of this decision at the bottom of this article.)

Some users may also be curious about quantum computers, which will be insanely fast and promise to upend existing encryption systems. Elliptic curve cryptography in its current form would not stand a chance against a quantum computer. But such technology is still at least several years away, and just as ProtonMail has adapted to the new ECC standard, we will continue to evolve alongside new challenges. There is active research today into quantum-resistant encryption algorithms which we are following closely.

How to use the new keys in ProtonMail

Over time, ECC keys will become the default for all new addresses in ProtonMail. If you already have a ProtonMail account, you can upgrade your RSA keys for each email address now. (You will still be able to read emails encrypted with the old keys, provided you do not delete them.)

Log in to your account at, click on Settings, and open the Keys page. Click on the “Add New Key” button and select the address for which you want to add ECC keys.

Then select:

State-of-the-art X25519 (Modern, fastest, secure)

And click on “Generate Keys”. You will be asked to enter your account password.

Next, click on the arrow next to your email address to reveal the key details. In the ECC key row, click on the dropdown menu and select “Make Primary.” This will make your new ECC the default key for this email address.

It is extremely important that you DO NOT DELETE YOUR OLD RSA KEYS. If you do, you will lose the ability to decrypt all your existing emails. Simply leave your old keys active; they will be used to decrypt old messages.

If you wish to continue using RSA encryption, your emails will still be safe, but your mailbox might move slower, especially on mobile devices. For the vast majority of users, ECC is the better method. (Some advanced users who receive PGP emails from non-ProtonMail users may decide to stay with RSA keys for a particular email address.)

We are excited to give you access to the latest advances in cryptography, and we look forward to hearing your feedback. You can find us on Twitter or engage with our community on our subreddit. For help with your account, our support team is always available.

Best Regards,
The ProtonMail Team

Technical note

We are aware of the issues brought up here and here. As mentioned in this one here, we are already considering switching to an implementation in WebAssembly to mitigate the possibility of timing attacks.

However, it is important to note that Curve25519 is a Montgomery curve and therefore these potential timing differences are far less trivial to exploit, as mentioned in the links above.

In our mobile and desktop apps, where timing attack resistance is easier to achieve, the X25519 implementation is already constant-time.

As some people have pointed out, the NIST P-256 curve is supported by Web Crypto, which should be constant-time. However, Curve25519 is considered to be more modern, safer, and less prone to implementation errors than P-256, which is particularly important because many of our users receive email encrypted by implementations outside of our control.

Once they are generated, keys are controlled by our users and not easily updated, so we wanted to make a future-proof choice of curve. Once we have X25519 in WebAssembly, we’ll have the best of both worlds: the best curve available, in constant time.


About the Author

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.



25 comments on “ProtonMail now offers elliptic curve cryptography for advanced security and faster speeds”

  • What about switching Contacts to the newly generated key? There does not seem to be an option in Settings-Keys for that – or is it a non-issue?


    • Hi, it is not yet available for contact keys but will be introduced for contact keys also in the future. Thank you for your patience.

    • VPN clients by default already should use ECC to encrypt the tunnel at least in most cases, as the favored ciphers are all ECC.

    • Should be compatible with most of the other services, but this depends on whether you have implemented this support.

  • If you are with a repressive government, anywhere in the world, please use elliptic curve cryptography to expose your government’s unethical spying practices on citizens.

    Governments who spy on their own citizens are only made up of individuals who need to have control over others. Those people are surprisingly weak, if you met them on the street. In fact, we’ve already won. Unbreakable encryption means any document can go anywhere in the world secretly, instantly.

    If you’re with an abusive government, the person next to you right now is probably reporting your illegal actions…..

  • Will “Contacts” encryption keys be also upgraded to ECC? I do not see the option to switch from RSA to ECC for contacts.

    • Hi, it is not yet available for contact keys but will be introduced for contact keys also in the future. Thank you for your patience.

  • Hi…

    Just to clarify, if we create a new ECC key and make it the default (or primary,) will we still be able to send PGP encrypted mail to non-Protonmail contacts without issue? Or will we have to make the old RSA key the default?

    Thank you for the article and upgrade. 🙂


  • Hello
    Is RSA really THAT slow, even on 5y old phones or mobile devices ?
    Was all this development time worth against calendar, proper linux products (bridge and app), or a one click mailbox backup ?
    Thank you

  • I don’t understand why Protonmail chooses to use a cipher that is not part of the openpgp standard. There are no plans for ed25519 to become part of the standard..

    • Curve25519 is more popular and more widely implemented, so it makes it more likely that people outside ProtonMail’s system can send encrypted email to our users with curve25519 keys. It’s also faster, and still meets security standards, so it’s just the best trade-off between security, performance, and compatibility. That being said, we may offer it in the future.

  • Why not use X448 instead of X25519?

    It seems that X448 is safer than X25519 because X448 is 256bit and X25519 only 128bit.

    • Curve25519 is more popular and more widely implemented, so it makes it more likely that people outside ProtonMail’s system can send encrypted email to our users with curve25519 keys. It’s also faster, and still meets security standards, so it’s just the best tradeoff between security, performance, and compatibility. That being said, we may offer it in the future.

  • Can you generate ECC keys for non-primary users? I don’t see the option on the admin or user’s settings. Also for the organization key?

    • Hi! All of this will come eventually but for now we wanted to roll out ECC keys gradually. Thank you for your patience.

  • Hey, I’m trying to figure out if protonmail still requires WebAssembly to login and read emails for example. I’m using 76.0.3809.12 (Official Build) (64-bit) on ArchLinux and protonmail login and emails reading still works even if I attempt to disable webassembly via `--disable-asm-webassembly --js-flags=--noexpose_wasm --disable-features=AsmJsToWebAssembly --disable-features=WebAssembly,WebAssemblyStreaming`.
    So, either that doesn’t disable webassembly which means protonmail still requires it and thus works fine, OR, protonmail now works fine without webassembly support in browser! The latter of which I find unlikely.

    I’m trying to get an answer here
    Any help would be appreciated! Thanks!

    • ProtonMail does not currently use WebAssembly, although we do use asm.js. Perhaps your command previously disabled asm.js via AsmJsToWebAssembly and now doesn’t?
      However, we want to caution that not using WebAssembly and asm.js with AsmJsToWebAssembly comes with its own risks, particularly when doing cryptography in the browser. Regular old JavaScript is more prone to timing attacks, which can leak your private key. Therefore, we recommend enabling WebAssembly, and updating your browser often to patch any potential sandbox escapes.

  • If we want to re-encrypt old emails with a new algorithm (let’s say switching from RSA to ED25519), could that be done using the import/export tool (provided we have a paid account)? Generate the new key, export all emails, delete them, and re-import? Would they be encrypted with the new key on import?