Apple promises to protect iMessage chats from quantum computers

Easy to defend against stuff that may never actually work – oh there we go again, being all cynical like

Apple says it's going to upgrade the cryptographic protocol used by iMessage to hopefully prevent the decryption of conversations by quantum computers, should those machines ever exist in a meaningful way.

The protocol, dubbed PQ3, is intended to safeguard users' chats in some future era of quantum computing, when these computers may be able to break classical encryption methods and render today's messaging security obsolete. While the technology isn't there yet, the fear is that, for one thing, government spies are already hoarding people's end-to-end encrypted conversations and other data observed in transit now to decrypt later if and when quantum computers have the ability to crack today's encryption systems.

Various developers are starting to use quantum-resistant algorithms to prevent this from happening, and Apple is joining them, using an approach it's called PQ3 to secure iMessages against future unauthorized decoding.

"PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps," Apple boasted in an announcement today. "To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world."

iMessage with PQ3 is available now in developer previews and betas of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, which are due to be released to the public with that protocol support. Apple expects PQ3 to fully replace its existing end-to-end messaging protocol by the end of the year.

Here's how Apple breaks down the various security levels: Level 0 has no end-to-end encryption (E2EE) while Level 1 has strong E2EE turned on by default. Level 1 is what WhatsApp and iMessage uses prior to PQ3. Neither of these security levels protect against quantum attacks, Apple reckons.

Moving into post-quantum cryptographic (PQC) protocols: There's Level 2 security, which establishes a PQC key for encryption. Signal reached this level in September when it added support for the PQXDH protocol. "This is a welcome and critical step that, by our scale, elevated Signal from Level 1 to Level 2 security," Cupertino sniffed.

Apple just so happens to put its new iMessage protocol at Level 3, using post-quantum cryptography in both the initial key establishment and the ongoing rekeying of the session.

In designing PQ3, Apple opted to continue using the Elliptic Curve cryptography (ECC) it employs today with iMessage but with Kyber post-quantum public keys during key establishment and rekeying. Kyber is one of the cryptographic mechanisms NIST in the US has recommended for post-quantum data protection.

The announcement has more technical details if you're into that – including an interesting aside that iMessage switched from RSA to ECC in 2019 – though here's an important part:

iMessage allows a user to register multiple devices on the same account. Each device generates its own set of encryption keys, and the private keys are never exported to any external system ... Each device with PQ3 registers two public encryption keys and replaces them regularly with fresh ones:

  1. A post-quantum Kyber-1024 key encapsulation public key
  2. A classical P-256 Elliptic Curve key agreement public key

And it goes on:

Ongoing rekeying of the cryptographic session is designed such that keys used to encrypt past and future messages cannot be recomputed even by a powerful hypothetical attacker who is able to extract the cryptographic state of the device at a given point in time.

The protocol generates a new unique key for each message, which periodically includes new entropy that is not deterministically derived from the current state of the conversation, effectively providing self-healing properties to the protocol. Our rekeying approach is modeled after ratcheting, a technique that consists of deriving a new session key from other keys and ensuring the cryptographic state always moves forward in one direction.

PQ3 combines three ratchets to achieve post-quantum encryption.

Cupertino says it has verified PQ3, both internally by its Security Engineering and Architecture (SEAR) team, as well as externally with cryptography experts.

These outside boffins included Professor David Basin, head of the Information Security Group at ETH Zürich and one of the inventors of Tamarin, and Professor Douglas Stebila at the University of Waterloo.

None of the experts found any security holes with PQ3, we're told. ®

More about


Send us news

Other stories you might like