In an effort to secure communications against the potential future threat posed by quantum computing, Apple has announced an upgrade to its iMessage cryptographic protocol. The new protocol, termed PQ3, aims to keep users' conversations private even against quantum computers, a technology that, while not yet realized, could eventually break classical encryption methods. Fears have been raised that entities might be stockpiling encrypted data now with the intent of decrypting it once quantum computing becomes feasible. Apple's PQ3 is designed to provide a bulwark against such scenarios, which, according to the company, makes it the first messaging protocol to reach this level of security.
PQ3: A Leap in Encryption Technology
PQ3 is lauded by Apple as achieving Level 3 security status, a distinction that purportedly surpasses the protective measures of all other widely deployed messaging applications. Prior to the introduction of PQ3, iMessage and other platforms like WhatsApp operated under what is known as Level 1 security, which included strong end-to-end encryption (E2EE) but lacked defenses against the quantum threat. The upgrade employs post-quantum cryptography for both the initial establishment of keys and subsequent rekeying sessions, making use of Kyber post-quantum public keys, a mechanism recommended by the US National Institute of Standards and Technology (NIST) for its robust post-quantum data protection qualities.
Technical Mastery and Security Assurance
On a technical level, each device under a user's account registers two public encryption keys with PQ3 and regularly replaces them to maintain security. The implementation combines a post-quantum Kyber-1024 key encapsulation mechanism with a classical P-256 elliptic curve key, and uses both for continuous rekeying. Each rekeying round introduces fresh entropy that is independent of the conversation's existing state, which gives the protocol self-healing properties: a compromise of past keys does not let an attacker follow the conversation once it has rekeyed.
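As an added example (not Apple's code or the actual PQ3 protocol), the following Go sketch models the rekeying pattern described above: each round mixes the previous chain secret with a fresh hybrid secret formed from a P-256 ECDH result and a KEM shared secret, then derives a new message key. Kyber-1024 itself is not implemented here; the KEM shared secret is assumed to come from a KEM library, and the hkdf, Ratchet and Step names are this example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// hkdf is a single-block HKDF-SHA256 (RFC 5869): extract with salt, expand 32 bytes.
func hkdf(salt, ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(append([]byte(info), 1))
	return exp.Sum(nil)
}

// Ratchet holds one side's current chain secret.
type Ratchet struct{ Chain []byte }

// Rekey mixes the old chain secret with a fresh hybrid secret
// (ECDH shared secret || KEM shared secret) and returns a message key.
// The new chain depends on entropy that an attacker holding only the
// old chain never sees, which is the self-healing property.
func (r *Ratchet) Rekey(ecdhShared, kemShared []byte) []byte {
	hybrid := append(append([]byte{}, ecdhShared...), kemShared...)
	r.Chain = hkdf(r.Chain, hybrid, "example chain")
	return hkdf(nil, r.Chain, "example message key")
}

// Step runs one rekeying round between two peers: a fresh P-256 ECDH
// exchange plus a KEM shared secret. kemShared stands in for the secret a
// Kyber-1024 library would encapsulate to the peer (constructed by the caller).
func Step(alice, bob *Ratchet, kemShared []byte) ([]byte, []byte, error) {
	a, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sa, _ := a.ECDH(b.PublicKey()) // both peers compute the same ECDH secret
	sb, _ := b.ECDH(a.PublicKey())
	return alice.Rekey(sa, kemShared), bob.Rekey(sb, kemShared), nil
}
```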
Apple has subjected PQ3 to rigorous testing both internally and externally, receiving validation from leading cryptography experts. Among the external validators were Professor David Basin of ETH Zürich and Professor Douglas Stebila of the University of Waterloo, neither of whom identified security vulnerabilities in the protocol.
Available in developer previews and betas of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, PQ3 is slated for full deployment by year-end, marking a significant step in securing digital communication against the nascent yet formidable power of quantum computing. This move by Apple not only sets a new benchmark in digital security but also demonstrates a proactive stance in countering future digital threats well ahead of their manifestation.