CyberSecurity SEE

Apple enhances iMessage security with quantum-resistant encryption

Apple is set to revolutionize the landscape of secure messaging with the addition of the quantum-computing resistant PQ3 protocol to its iMessage platform. This move will make iMessage the most secure mainstream messaging app in the industry, according to Apple’s Security Engineering and Architecture (SEAR) team. The upgraded version of iMessage is scheduled to start appearing in March as part of the monthly macOS and iOS releases.

Although Apple is not the first to integrate post-quantum cryptographic (PQC) encryption into its messaging app, the company’s engineers believe that iMessage with PQ3 surpasses the capabilities of the Signal Protocol, which added PQC encryption resilience in September 2023 through an upgrade called PQXDH. The new iMessage with PQ3 is the first to achieve what Apple labels Level 3 security, as it secures both the initial key establishment process and the continuous message exchange.

Apple’s decision to introduce PQ3 comes on the heels of the Contact Key Verification enhancement in October 2023, aimed at detecting sophisticated attacks against iMessage servers while allowing users to verify their intended recipients. The mathematical validation for PQ3 comes from a team led by Professor David Basin of ETH Zürich, who used the Tamarin security protocol verification tool for this purpose. University of Waterloo professor Douglas Stebila also evaluated PQ3, further bolstering Apple’s confidence in the new protocol.

Despite Apple’s claims of post-quantum cryptographic superiority, Signal president Meredith Whittaker disputes these assertions. Whittaker emphasizes that Signal’s partnerships with the research community have enabled the platform to achieve significant milestones in post-quantum security. While Apple believes that PQ3 represents the highest standard of security in the messaging industry, Whittaker remains unconvinced and highlights Signal’s own verification efforts.

The beta version of PQ3 is already in the hands of developers, and customers can expect to receive it with the upcoming releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 in March 2024. Apple’s engineering team assures users that iMessage communications will gradually transition to support PQ3, ultimately replacing the existing protocol within all supported conversations by the end of the year.

Rather than simply swapping out the current encryption algorithm, Apple engineers rebuilt the iMessage cryptographic protocol from the ground up to incorporate post-quantum encryption seamlessly. The hybrid design of the new iMessage combines post-quantum algorithms with existing Elliptic Curve algorithms to ensure maximum security. Each device generates PQC keys locally and transmits them to Apple servers during the registration process; the keys use the Kyber algorithm, part of the National Institute of Standards and Technology’s (NIST) proposed ML-KEM standard.

Cryptographer Bruce Schneier commends Apple for adopting the NIST standard and its agile approach to developing PQ3 but cautions against overestimating the capabilities of PQC algorithms. Schneier emphasizes the importance of crypto agility and notes that the landscape of encryption algorithms continues to evolve in response to emerging threats. Despite uncertainties surrounding the timeline for the emergence of quantum computers capable of breaking classical encryption, Apple remains steadfast in its commitment to enhancing the security of iMessage.

Looking ahead, Apple’s integration of the quantum-computing resistant PQ3 protocol represents a significant milestone in the realm of secure messaging. By prioritizing user privacy and data protection, Apple aims to set a new standard for secure communication in an increasingly digital world. As technology continues to evolve, the implementation of advanced cryptographic protocols like PQ3 underscores the importance of staying ahead of potential threats and ensuring the privacy and security of user data across all platforms.
