Apple upgrades iMessage to defend against quantum computing

Apple Security Engineering Announcement

Apple announced this week in their blog that they have:

“rebuilt the iMessage cryptographic protocol from the ground up to advance the state of the art in end-to-end encryption…”

The next step in Privacy Protection

Researchers have warned that breakthroughs in quantum computing could make current encryption methods obsolete and put user information at risk.

While quantum computers that can break existing cryptographic algorithms don’t yet exist, protecting data now guards against the “Harvest Now, Decrypt Later” scenario, in which files are “harvested” today and retained until a quantum computer with the capability to decrypt them is acquired.

With their mission of end-to-end protection of users’ messages, the Apple Security Engineering and Architecture (SEAR) team set out to build compromise-resilient encryption defenses for iMessage against such quantum attacks.

The PQ3 Encryption Algorithm

With this coming release of iMessage, Apple introduces PQ3 (a post-quantum cryptographic protocol), which they believe provides the:

“strongest security of any at-scale messaging protocol in the world.”

Use of the PQ3 algorithm for iMessage is additive to existing protections, layered on top of the existing Elliptic Curve Diffie-Hellman (ECDH) encryption.

Of interest, the algorithm was validated and “formally proven” using two mathematical techniques.
Security Analysis of the iMessage PQ3 Protocol
Formal Analysis of the iMessage PQ3 Messaging Protocol

PQ3 will be rolled out starting with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.

Limitations

Does PQ3 offer protection against adversaries capable of compromising the device or unlocking it? 

No. PQ3 only protects the transport layer. Once an iMessage is delivered to your iPhone or iPad device, it can still be read over your shoulder, be extracted by law enforcement after unlocking your device, or be compromised by advanced hacking software.

Learn More

This new age of encryption is of interest to security researchers, mathematicians, engineers, and privacy experts alike. Read the second half of the Apple research team blog post for a deeper dive into how PQ3 works, including “post-quantum key establishment”, “post-quantum rekeying”, “message padding”, and authentication.
