Apple has announced a major upgrade to its iMessage encryption with the launch of PQ3, a post-quantum cryptographic protocol that aims to protect the messaging platform from future quantum attacks. PQ3 is the first messaging protocol to achieve Level 3 security, which means it offers stronger protection than any other widely used messaging app.
What is post-quantum cryptography and why does it matter?
Post-quantum cryptography (PQC) is a branch of cryptography that develops algorithms resistant to quantum computers. Quantum computers are hypothetical machines that would use quantum physics to solve certain problems much faster than classical computers. One of these problems is breaking the public-key encryption that secures most of the internet today, such as RSA, elliptic-curve cryptography, and Diffie-Hellman.
If a powerful quantum computer becomes a reality, it could pose a serious threat to the security and privacy of end-to-end encrypted communications, such as iMessage, Signal, WhatsApp, and others. An attacker with a quantum computer could intercept and store encrypted messages today, and decrypt them later when they have the quantum computing power to do so. This is known as a “harvest now, decrypt later” attack.
To prevent this scenario, PQC algorithms use different mathematical techniques that are believed to be hard for both classical and quantum computers. By implementing PQC in iMessage, Apple is preparing for the future and ensuring that its users’ messages remain secure even if quantum computers become a reality.
How does PQ3 work and what makes it different?
PQ3 is the name of Apple’s PQC protocol for iMessage. It combines two types of encryption: Elliptic Curve cryptography (ECC), which is the current standard for iMessage, and Kyber, which is a PQC algorithm that was chosen by the National Institute of Standards and Technology (NIST) as one of the finalists for its PQC standardization project.
PQ3 uses ECC and Kyber together to create a hybrid encryption scheme that offers the best of both worlds: the efficiency and compatibility of ECC, and the quantum resistance of Kyber. PQ3 also introduces a new concept of Level 3 security, which means that it provides post-quantum protection for both the initial key exchange and the ongoing message exchange, and that it can automatically restore the security of a conversation even if a key is compromised.
PQ3 achieves Level 3 security by using a combination of techniques, such as:
- Compromise-resilient encryption: PQ3 encrypts each message with a unique key that is derived from the combination of ECC and Kyber keys. This way, even if one of the keys is compromised, the attacker cannot decrypt past or future messages without the other key.
- Key rotation: PQ3 rotates the keys every 50 messages or every seven days, whichever comes first. This limits the number of messages that can be decrypted with a single key, and provides cryptographic self-healing in case of a key compromise.
- Forward secrecy: PQ3 ensures that the keys are not stored on the device or on the server, but are generated on the fly and discarded after use. This prevents an attacker from obtaining the keys by accessing the device or the server, and ensures that the messages cannot be decrypted retroactively.
- Backward secrecy: PQ3 also ensures that the keys are not reused across different devices or sessions. This prevents an attacker from decrypting messages from a different device or session, even if they have the same key.
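To make the hybrid key derivation and rotation policy described in the list above concrete, here is an added illustration that is not Apple's PQ3 code and does not reproduce Apple's actual construction. It assumes two already-established shared secrets (constructed placeholder bytes standing in for an ECC secret and a Kyber secret), folds them into one chain key with a small HKDF-SHA256 built from the standard library, derives a fresh key per message while discarding the old chain state, and triggers a rekey after 50 messages or seven days (the thresholds quoted in the article). The class and function names are hypothetical.

```python
import hashlib
import hmac

# Rekey thresholds quoted in the article: every 50 messages or every seven days.
REKEY_MESSAGE_LIMIT = 50
REKEY_SECONDS = 7 * 24 * 60 * 60


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) over SHA-256: extract a PRK, then expand."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secrets(ecc_secret: bytes, kyber_secret: bytes) -> bytes:
    """Fold both shared secrets into a single chain key.

    The KDF input is the concatenation of both secrets, so an attacker who
    recovers only one of them (for example the ECC secret, via a future
    quantum computer) still cannot reproduce the chain key.
    """
    return hkdf_sha256(ecc_secret + kyber_secret, salt=b"hybrid-example-v1", info=b"chain-key")


class RatchetSession:
    """Toy sending chain: hash ratchet per message plus a periodic hybrid rekey."""

    def __init__(self, ecc_secret: bytes, kyber_secret: bytes, now: float) -> None:
        self.chain_key = combine_hybrid_secrets(ecc_secret, kyber_secret)
        self.messages_since_rekey = 0
        self.last_rekey_time = now

    def needs_rekey(self, now: float) -> bool:
        """True once either threshold (message count or elapsed seconds) is reached."""
        return (self.messages_since_rekey >= REKEY_MESSAGE_LIMIT
                or now - self.last_rekey_time >= REKEY_SECONDS)

    def rekey(self, ecc_secret: bytes, kyber_secret: bytes, now: float) -> None:
        """Mix fresh ECC and Kyber secrets into the chain.

        Salting with the old chain key ties the new key to both the prior
        state and the fresh secrets, so a leaked chain key stops being
        useful after the next rotation (the self-healing property).
        """
        self.chain_key = hkdf_sha256(ecc_secret + kyber_secret, salt=self.chain_key, info=b"rekey")
        self.messages_since_rekey = 0
        self.last_rekey_time = now

    def next_message_key(self) -> bytes:
        """Derive a one-off message key and step the chain forward.

        The previous chain key is overwritten, so a later compromise of the
        device cannot recover earlier message keys (forward secrecy).
        """
        message_key = hkdf_sha256(self.chain_key, salt=b"", info=b"message-key")
        self.chain_key = hkdf_sha256(self.chain_key, salt=b"", info=b"next-chain-key")
        self.messages_since_rekey += 1
        return message_key


def simulate_conversation(message_count: int) -> dict:
    """Send message_count messages, rekeying whenever the policy says so.

    Secrets and timing are constructed placeholders; a real client would
    obtain fresh secrets from a new ECC + Kyber exchange at each rekey.
    """
    ecc = b"\x11" * 32      # constructed stand-in for an ECC shared secret
    kyber = b"\x22" * 32    # constructed stand-in for a Kyber shared secret
    clock = 0.0
    session = RatchetSession(ecc, kyber, clock)
    rekeys = 0
    keys = set()
    for i in range(message_count):
        clock += 60.0  # one message per minute (constructed timing)
        if session.needs_rekey(clock):
            session.rekey(bytes([i % 256]) * 32, bytes([(i * 7) % 256]) * 32, clock)
            rekeys += 1
        keys.add(session.next_message_key())
    return {"rekeys": rekeys, "unique_keys": len(keys)}


if __name__ == "__main__":
    print(simulate_conversation(120))  # two rekeys over 120 messages, 120 distinct keys
```

The point to take from the simulation is the division of labour: the per-message hash ratchet alone gives forward secrecy (old keys are unrecoverable), but only the periodic rekey with fresh hybrid secrets repairs a session after a compromise, which is why the article describes the two mechanisms as working together.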
When will PQ3 be available, and how do you use it?
Apple said that PQ3 will be integrated into iMessage with the release of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, which are expected to be available next month. Users will not need to do anything to enable PQ3, as it will be activated by default for all iMessage conversations.
Apple also said that PQ3 will be compatible with older versions of iMessage, and that it will fall back to the previous encryption protocol if the other party does not support PQ3. However, Apple recommended that users update their devices to the latest software versions to enjoy the full benefits of PQ3.
Apple claimed that PQ3 is the most significant cryptographic security upgrade in iMessage history, and that it has the strongest security properties of any at-scale messaging protocol in the world. Apple also said that it has formally verified the security of PQ3 by using symbolic evaluation, a best practice that provides strong assurances of the correctness of cryptographic protocols.