Apple is adding the quantum-resistant PQ3 protocol to its widely used iMessage, which the company says makes it the most secure mainstream messaging app. According to Apple’s Security Engineering and Architecture (SEAR) team, the updated version of iMessage will begin appearing in March in the monthly releases for macOS and iOS.
Apple’s PQ3 addition doesn’t make iMessage the first post-quantum cryptography (PQC) messaging app: Signal added post-quantum protection in September 2023 with an update to the Signal protocol called PQXDH. Apple engineers acknowledge Signal’s work but say that iMessage with PQ3 surpasses the post-quantum cryptographic capability of the Signal protocol.
Currently, iMessage offers end-to-end encryption by default using classical cryptography, which Apple describes as Level 1 security. Apple designates Signal’s PQXDH as Level 2 security, because its post-quantum protection is limited to the initial key establishment. The new iMessage with PQ3 is the first to achieve what Apple calls Level 3 security, because its post-quantum cryptography protects not only the initial key establishment but also the ongoing exchange of messages.
Apple says PQ3 quickly and automatically restores the cryptographic security of a conversation even if a specific key is compromised. “To the best of our knowledge, PQ3 has the strongest security properties of any large-scale messaging protocol in the world,” Apple’s SEAR team wrote in the blog post announcing the new protocol.
The addition of PQ3 follows the October 2023 iMessage enhancement Contact Key Verification, designed to detect sophisticated attacks against Apple’s iMessage servers by allowing users to verify that they are messaging only the intended recipients.
The new iMessage with PQ3 is backed by formal analysis from a team led by Professor David Basin, head of the Cyber Security Group at ETH Zurich and co-inventor of Tamarin, a widely used security protocol verifier. Basin and his research group at ETH Zurich used Tamarin to perform a technical evaluation of PQ3, which Apple has published.
Also evaluating PQ3 was University of Waterloo professor Douglas Stebila, known for his research on the post-quantum security of Internet protocols. According to Apple’s SEAR team, the two research groups took divergent but complementary approaches, using different mathematical models to test the security of PQ3. Stebila noted that the assessment in the white paper he produced was underwritten and published by Apple.
Signal disputes Apple’s comparison
Signal president Meredith Whittaker has rejected Apple’s claims of post-quantum cryptographic superiority. “We have no comment on Apple’s new hierarchical ‘levels’ structure that they apply in public-facing materials to classify various cryptographic approaches,” Whittaker says. “We recognize that companies struggle to market and describe these complex technological changes and that Apple has chosen this approach in service of that marketing.”
Whittaker points out that, thanks to Signal’s partnerships with the research community, a month after the release of PQXDH “it became the first machine-checked post-quantum security proof of a real-world cryptographic protocol.”
Whittaker says Signal partnered with Inria and Cryspen and “published machine-verified proofs in the formal model used for the analysis of PQ3, as well as in a more realistic computational model that includes passive quantum attacks on all aspects of the protocol. In this sense, we believe our verification goes beyond what Apple posted today. We would be interested in seeing the same formal verification tools used to validate PQ3 as well.”
Apple says the beta version of PQ3 is already in developers’ hands, and customers will begin receiving it with the expected March 2024 releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4. Apple’s engineering team says that iMessage conversations between devices that support PQ3 will automatically switch to the post-quantum protocol. “As we gain operational experience with PQ3 on a large global scale, iMessage will fully replace the existing protocol in all supported conversations this year.”
Rebuilding the iMessage protocol
Rather than swapping one encryption algorithm for another, Apple engineers say they rebuilt the iMessage encryption protocol from scratch. Among the most important requirements were enabling post-quantum encryption from the start of a conversation and limiting the damage of a key compromise by bounding the number of messages a single compromised key can decrypt.
The new protocol is a hybrid design that combines post-quantum algorithms with the existing elliptic-curve algorithms; Apple engineers say this ensures “that PQ3 can never be less secure than the existing classical protocol.”
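The two design points above, a hybrid secret that is only as weak as the stronger of its two inputs and a key chain that bounds how many messages one stolen key exposes, can be modelled in a few dozen lines. The Python below is an added illustration written for this article, not Apple’s PQ3 code: the ECDH and KEM shared secrets are constructed byte strings (a real implementation would obtain them from X25519 and ML-KEM), the four-message rekey interval is an arbitrary demo value rather than Apple’s parameter, and the names hybrid_secret, Ratchet and exposed_messages are this example’s own.

```python
import hashlib
import hmac

HASH = hashlib.sha256
REKEY_EVERY = 4  # demo interval; assumed here, not Apple's parameter


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_secret(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """Hybrid combiner: one secret derived from an ECDH secret and a KEM secret
    (fixed-length inputs assumed). An attacker who recovers only one input,
    say the lattice one if that scheme turns out weaker than hoped, still
    cannot compute the output, so the hybrid is never weaker than the
    classical part alone."""
    return hkdf(ss_classical + ss_pq, salt=b"", info=b"hybrid-combiner")


class Ratchet:
    """Symmetric key chain with periodic fresh-secret injection."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def message_key(self) -> bytes:
        """Derive this message's key and advance the chain (one-way step, so a
        stolen chain key does not reveal earlier message keys)."""
        mk = hmac.new(self.chain_key, b"\x01", HASH).digest()
        self.chain_key = hmac.new(self.chain_key, b"\x02", HASH).digest()
        return mk

    def rekey(self, fresh_secret: bytes) -> None:
        """Mix a fresh hybrid secret into the chain; this is what locks out an
        attacker holding an older chain key."""
        self.chain_key = hkdf(fresh_secret, salt=self.chain_key, info=b"rekey")


def derive_keys(r: Ratchet, start: int, end: int, fresh_secrets: list,
                rekey_every: int) -> list:
    """Message keys for indices start..end-1. Before message i (i > 0, i a
    multiple of rekey_every) fresh_secrets[i // rekey_every - 1] is mixed in;
    a None entry means this party lacks that secret and ratchets without it."""
    keys = []
    for i in range(start, end):
        if i > 0 and i % rekey_every == 0:
            fresh = fresh_secrets[i // rekey_every - 1]
            if fresh is not None:
                r.rekey(fresh)
        keys.append(r.message_key())
    return keys


def exposed_messages(root: bytes, fresh_secrets: list, total: int,
                     rekey_every: int, compromise_at: int) -> list:
    """Simulate theft of the chain key just before message `compromise_at`.
    The thief advances the chain but never learns the fresh hybrid secrets,
    so the stolen state decrypts messages only until the next rekey."""
    real = derive_keys(Ratchet(root), 0, total, fresh_secrets, rekey_every)
    victim = Ratchet(root)
    derive_keys(victim, 0, compromise_at, fresh_secrets, rekey_every)
    thief = Ratchet(victim.chain_key)
    guesses = derive_keys(thief, compromise_at, total,
                          [None] * len(fresh_secrets), rekey_every)
    return [i for i, k in zip(range(compromise_at, total), guesses) if k == real[i]]


if __name__ == "__main__":
    # Constructed sample values: in a real protocol `root` and each entry of
    # `fresh` would come from an X25519 exchange plus an ML-KEM encapsulation.
    root = hashlib.sha256(b"initial hybrid secret (constructed)").digest()
    fresh = [hybrid_secret(b"ecdh-%d" % k, b"kem-%d" % k) for k in range(2)]
    print(exposed_messages(root, fresh, 12, REKEY_EVERY, 5))  # [5, 6, 7]
```

With twelve messages and a rekey before messages 4 and 8, a chain key stolen before message 5 yields exactly messages 5, 6 and 7; the same theft just before a rekey boundary yields nothing. The absolute exposure is what the hybrid rekey secret buys: the thief is shut out even if one of the two underlying key-exchange primitives is later broken, because both inputs are needed to reproduce the rekey.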
Engineers also note that, with PQ3, each device generates its post-quantum keys locally and transmits the public keys to Apple servers as part of the iMessage enrollment process. For this, Apple is using Kyber, the algorithm selected by the National Institute of Standards and Technology (NIST) as the basis of its Module-Lattice-based Key Encapsulation Mechanism (ML-KEM) standard, published in draft form in August 2023.
Cryptographer Bruce Schneier gives Apple credit for adopting the NIST standard and for its agile approach to developing PQ3, but warns that many variables and unknowns remain before the first quantum computer is able to crack classical cryptography. “I think their agility in crypto is more important than what they’re doing,” Schneier says. “We cryptographers have a lot to learn about the cryptanalysis of these algorithms. They are unlikely to be as robust as RSA and other public key algorithms have been, but they are the standard. So if you’re going for it, you should use the standards.”
Regarding his skepticism about the long-term strength of PQC algorithms, Schneier says: “There are enormous amounts of mathematics to discuss. And every year we learn more and pass more. But these are the standards. I mean, these are the fundamentals, the best we have right now.”
Quantum-resistant algorithms may also be less urgent today than they sound. Like many forecasters, Apple notes that the first quantum computer capable of breaking existing encryption is not expected to appear before 2035, the year by which the Biden administration ordered federal agencies to make their systems quantum-resilient.
Even with the chance of such a machine a decade from now put at roughly 50%, Apple, like many cybersecurity experts, points out that threat actors already steal encrypted data and store it until they can obtain quantum computing resources. The practice, known as “harvest now, decrypt later,” is of particular concern to organizations such as healthcare providers, whose data will remain sensitive for decades.