New iMessage PQ3 Encryption Protocol Protects Against Post-Quantum Attacks
Apple Security Research writes:
Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging.
This post is mind-bogglingly complicated, but the practical upshot is that Apple’s security team is concerned that future quantum computers could solve the difficult mathematical problems on which public key cryptography is based, enabling them to decrypt previously collected encrypted data. Apple designed iMessage’s new PQ3 encryption protocol to protect against such a scenario.
Although quantum computers with this capability don’t exist yet, extremely well-resourced attackers can already prepare for their possible arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: such attackers can collect large amounts of today’s encrypted data and file it all away for future reference. Even though they can’t decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.
Again, the details are primarily of interest to security researchers, engineers, and cryptographers, but the important takeaway for the rest of us is that the cryptographic community considers quantum computing a plausible threat and is working to block future attacks. PQ3 encryption will start to roll out with iOS 17.4, iPadOS 17.4, macOS 14.4 Sonoma, and watchOS 10.4, and Apple says it will fully replace the existing protocol for conversations between supported devices this year.
I’m glad to hear this. Although quantum computers are still very experimental and most don’t have a lot of capability, there are three that are surprisingly robust:
Atom Computing has a system with 1180 qubits. (A qubit is the fundamental building blocks of quantum computers, as they are currently being designed.)
New Scientist: Record-breaking quantum computer has more than 1000 qubits. (October 2023)
IBM has their Condor system with 1121 qubits and their Heron with 133 qubits based on a newer and more reliable technology (claimed to outperform the Condor).
The Heron is of particular interest, because “traditional” qubit technology can get very noisy (producing fuzzy results). So systems may use multiple qubits in parallel to average out the noise and get better results. If IBM’s tech in Heron works as advertised, it means good results with much fewer qubits.
It’s also worth noting that IBM’s systems are available via a cloud service (I assume a very expensive service
).
The quantum computing tech may not yet be advanced enough to go cracking everybody’s encrypted content, but given the current rate of advancement, it seems plausible that in 5-10 years, large corporations and governments may be able to buy sufficient tech. So I’m glad Apple is working on countermeasures today, rather than wait for doomsday.
Meredith Whittaker, President of the Signal Foundation, which makes the Signal app and messaging service, posted this Mastodon thread yesterday reacting to Apple’s announcement.
With your warning about the post being complicated and not wanting my mind to be boggled, I didn’t read it. However, I have a question about backwards compatibility. My iMac is supposedly maxed out at MacOS 10.13.6, my MacBook Pro at 12.7.2, and I have an iPad that is at iOS 14.4.2. Will iMessage on those three still be able to read messages sent from PQ3-updated iMessage apps?
I also didn’t read the ugly details, but if this is in any way going to be useful, it has to be relatively straightforward for devices with the keys to encrypt/decrypt, but difficult for a quantum computer to attack without keys.
The first condition should make it usable on any PC, Mac or phone. If not, then I’d say it fails a key requirement, since none of us are likely to have quantum processors on our phones any time soon.
Whether or not Apple will release the software for older systems is another question altogether.
A key paragraph:
This protocol combines standard elliptic-curve keying that iMessage has already been using with Kyber quantum-safe keying. The kyber protocol supposedly can be run in environments with as little as 4 kilobytes of memory according to the Wikipedia entry. That entry links to a research paper that has math that’s way over my head. That said, the reference processor for testing quantum-resistant protocols when NIST was evaluating contest entries was an ARM Cortex M4 with 32 bit registers with 192 kb of RAM and 1 GB of flash storage. Knowing that, I think this protocol will be fine.
As I understand it, yes, but there won’t be any PQ3 encryption going on. All devices in the set have to be running a PQ3-savvy version of the operating system, which means iOS 17.4, macOS 14.4, and so on.
Gruber touches on this briefly.
Overall –without getting into the (highly!) technical details– I can’t see this as anything but a good thing Apple are doing here, in protecting current comms from future analysis by quantum computing systems, which would be able to break previously stored comms for monetary/political gain.
Of course, there are loads of political forces pushing govt data access under CSAM reasoning, but IMO they’ll fail under basic parliamentary scrutiny – at least in democratic countries.