Apple Beefs Up iMessage With Quantum-Resistant Encryption

Apple is adding the quantum-computing resistant PQ3 protocol to its widely used iMessage, making it the most secure mainstream messaging app. The upgraded version of iMessage will start appearing in March in its monthly MacOS and iOS releases, according to Apple's Security Engineering and Architecture (SEAR) team.

Apple's PQ3 addition doesn't make iMessage the first messaging app with post-quantum cryptographic (PQC) encryption — the Signal secure messaging app added PQC encryption resilience in September 2023 with an upgrade to its Signal Protocol, called PQXDH. Apple's engineers acknowledge Signal's capabilities but say that iMessage with PQ3 leapfrogs the Signal Protocol's post-quantum cryptographic capability.

Currently, iMessage offers end-to-end encryption by default using classical cryptography, which Apple describes as Level 1 security. Apple designated Signal's PQC capability with PQXDH as having Level 2 security because it's limited to PQC key establishment. The new iMessage with PQ3 is the first to achieve what Apple labels Level 3 security because its post-quantum cryptography secures not only the initial key establishment process, but also the continuous message exchange.

Apple says PQ3 quickly and automatically restores the cryptographic security of a message exchange, even if a specific key is compromised.

"To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world," Apple's SEAR team explained in a blog post announcing the new protocol.

The addition of PQ3 follows iMessage's October 2023 enhancement featuring Contact Key Verification, designed to detect sophisticated attacks against Apple's iMessage servers while letting users verify they are messaging specifically with their intended recipients.

IMessage with PQ3 is backed by mathematical validation from a team led by professor David Basin, head of the Information Security Group at ETH Zürich and co-inventor of Tamarin, a well-regarded security protocol verification tool. Basin and his research team at ETH Zürich used Tamarin to perform a technical evaluation of PQ3, published by Apple.

Also evaluating PQ3 was University of Waterloo professor Douglas Stebila, known for his research on post-quantum security for Internet protocols. According to Apple's SEAR team, both research groups undertook divergent but complementary approaches, running different mathematical models to test the security of PQ3. Stebila noted that the evaluation the team performed and the white paper it produced was underwritten and published by Apple.

Signal Disputes Apple's Comparison

Signal president Meredith Whittaker dismisses Apple's claims of post-quantum cryptographic superiority.

"We don't have a comment on Apple's novel hierarchical 'levels' framework that they apply in their public-facing materials to rank various cryptographic approaches," Whitaker says. "We recognize that companies struggle to market and describe these complex technological changes and that Apple chose this approach in service of such marketing."

Thanks to Signal's own partnerships with the research community, a month after publishing PQXDH it "became the first machine-checked post-quantum security proof of a real-world cryptographic protocol," Whitaker emphasizes.

Signal partnered with Inria and Cryspen and "published machine-verified proofs in the formal model used for the analysis of PQ3, as well as in a more realistic computational model that includes passive quantum attacks on all aspects of the protocol," Whittaker says. "In that sense, we believe that our verification goes beyond what Apple published today. We'd be interested to see the same formal verification tools used to validate PQ3 as well."

Apple says the beta version of PQ3 is already in the hands of developers; customers will start receiving it with the anticipated March releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4. The Apple engineering team says iMessage communications between devices that support PQ3 are automatically ramping to enable the post-quantum encryption protocol.

"As we gain operational experience with PQ3 at the massive global scale of iMessage, it will fully replace the existing protocol within all supported conversations this year," they stated in the post.

Revamping the iMessage Protocol

Instead of swapping out the current encryption algorithm in iMessage with a new one, the Apple engineers say they rebuilt the iMessage cryptographic protocol from scratch. Among their most important requirements were enabling post-quantum encryption from the beginning of a message exchange while mitigating the effect of a compromise to a key by restricting how many messages a single key that has been compromised can decrypt.

The new iMessage is based on a hybrid design that uses post-quantum algorithms and existing Elliptic Curve algorithms, which Apple's engineers say ensures "that PQ3 can never be less safe than the existing classical protocol."

The engineers also note that, with PQ3, each device will generate PQC keys locally and transmit them to Apple servers as part of the iMessage registration process. For this function, Apple says it is implementing Kyber, one of the algorithms chosen by the National Institute of Standards (NIST) in August 2023 as a proposed Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM) standard.

Kyber enables devices to generate public keys and transmit them to Apple servers through the iMessage registration process.

Cryptographer Bruce Schneier credits Apple for adopting the NIST standard and for its agile approach to developing PQ3. But he warns that there are still many variables and unknowns to overcome before the first quantum computer is capable of breaking classical encryption.

"I think their crypto agility is more important than what they are doing," Schneier says. "Between us cryptographers, we have a lot to learn about the cryptanalysis of these algorithms. It is unlikely that they will be as resilient as RSA and other public-key algorithms have been, but they're the standards. So if you're going to do it, you should use the standards."

About his skepticism of the long-term capabilities of PQC algorithms, Schneier says, "There's enormous amounts of mathematics to be discussed. And every year we are learning more and breaking more. But these are the standards. I mean, these are the best we have right now."

Indeed, quantum-resistant algorithms may be less critical today. Like many forecasts, Apple pointed to reports that the first quantum computer capable of breaking existing encryption isn't expected to appear before 2035, the year the Biden administration ordered federal agencies to ensure their systems are quantum-resilient.

Pegging the risk a decade later at just 50%, Apple, like many cybersecurity experts, is underscoring that threat actors are stealing data and holding onto it until they can acquire quantum computing resources. The practice, known as "harvest now, decrypt later," is especially concerning to organizations such as health care providers, whose data will remain relevant for decades.