Apple’s penchant for enabling high-tech security for every user across its ecosystem is set to get a major upgrade. The Cupertino giant, recognizing the evolving threat landscape and the emergence of quantum computing as a potential disruptor in the cybersecurity space, has unveiled its latest innovation: the PQ3 protocol for iMessage.
“Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world,” Apple noted in a blog post on the matter.
Current messaging apps rely on established “classical” encryption methods, built upon mathematical problems currently deemed computationally intractable for conventional computers. Quantum computing, however, with its potential to exponentially increase computational power, poses a formidable challenge to these traditional encryption methods. As quantum computers become more sophisticated, they could render existing encryption standards obsolete, potentially compromising the security of sensitive data. This is where the PQ3 protocol comes in with its three levels, and Apple noted that support for it will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.
At the core of Apple’s response lies the PQ3 protocol, a cryptographic protocol designed to fortify iMessage against evolving cyber threats. Unlike conventional encryption protocols, PQ3 adopts a multi-layered approach that integrates both traditional end-to-end encryption and state-of-the-art post-quantum cryptography. The first level (Level 0) has no end-to-end encryption (E2EE) enabled by default. Level 1 has E2EE enabled by default, much like WhatsApp and Signal, but with no quantum security. Level 2 adds post-quantum cryptography (PQC) to the initial key establishment, and at the final Level 3, PQC secures both the initial key establishment and the ongoing message exchange. This enhances the resilience of iMessage while future-proofing the platform against potential quantum-based attacks.
One of the primary objectives of PQ3 is to preemptively mitigate the risks associated with “harvest now, decrypt later” attacks. In anticipation of advances in quantum computing, adversaries may collect encrypted data today in order to decrypt it with future quantum-enabled techniques. PQ3 addresses this risk by using algorithms inherently resistant to quantum attacks to establish the initial encryption keys of conversations. Furthermore, it incorporates automatic rekeying: encryption keys within conversations are periodically refreshed, rendering compromised keys useless for decrypting future messages. By doing so, iMessage remains impervious to the threats posed by quantum computing. To validate the efficacy of PQ3, Apple has subjected the protocol to extensive testing and scrutiny by internal security teams and external cryptography experts.
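The key-refresh property described above can be seen in a toy model. This is an added illustration, not Apple's PQ3 design or code: it compares a plain hash chain (each key derived only from the previous one) with a chain that mixes fresh key-exchange output into every refresh, and shows that a leaked key exposes all later keys in the first case but not the second. The fresh material is modelled as random bytes; in PQ3 it would come from the post-quantum key establishment, which this model does not implement.

```python
import hashlib
import hmac
import os


def kdf(chain_key: bytes, fresh_input: bytes) -> bytes:
    """Derive the next chain key from the current key plus any fresh input (HMAC-SHA256 as KDF)."""
    return hmac.new(chain_key, b"chain" + fresh_input, hashlib.sha256).digest()


def derive_chain(root: bytes, fresh_inputs: list) -> list:
    """Derive one chain key per step.

    Each entry of fresh_inputs is mixed into that step: b"" models a plain hash
    ratchet, random bytes model a refresh with newly agreed key-exchange output.
    """
    keys, key = [], root
    for fresh in fresh_inputs:
        key = kdf(key, fresh)
        keys.append(key)
    return keys


def attacker_recovers_next(leaked_key: bytes, true_next_key: bytes) -> bool:
    """Attacker model: holds one leaked chain key but none of the fresh secrets,
    so the best available move is to run the same KDF with an empty fresh input."""
    guess = kdf(leaked_key, b"")
    return hmac.compare_digest(guess, true_next_key)


def compare(steps: int = 4, leak_at: int = 1) -> dict:
    """Leak the chain key at index leak_at in both constructions and report
    whether the attacker can derive the following key (constructed random inputs)."""
    root = os.urandom(32)
    plain = derive_chain(root, [b""] * steps)
    refreshed = derive_chain(root, [os.urandom(32) for _ in range(steps)])
    return {
        "plain_chain_future_exposed": attacker_recovers_next(plain[leak_at], plain[leak_at + 1]),
        "refreshed_chain_future_exposed": attacker_recovers_next(refreshed[leak_at], refreshed[leak_at + 1]),
    }


if __name__ == "__main__":
    print(compare())
```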
The company asserts that PQ3 boasts the strongest security among widely used messaging apps, surpassing even the privacy-focused Signal. “The systems known to exist today,” Signal warns, “do not yet have enough qubits to pose a threat to the public-key cryptography that Signal currently uses. However, if a sufficiently powerful quantum computer were built in the future, it could be used to compute a private key from a public key thereby breaking encrypted messages.”