New iMessage PQ3 Encryption Protocol Protects Against Post-Quantum Attacks

Originally published at: New iMessage PQ3 Encryption Protocol Protects Against Post-Quantum Attacks - TidBITS

In the upcoming iOS 17, iPadOS 17.4, macOS 14.4 Sonoma, and watchOS 10.4, Apple will start rolling out the PQ3 encryption protocol for iMessage conversations to protect them against attacks made possible by future quantum computers.

1 Like

I’m glad to hear this. Although quantum computers are still very experimental and most don’t have a lot of capability, there are three that are surprisingly robust:

  • Atom Computing has a system with 1180 qubits. (A qubit is the fundamental building block of quantum computers, as they are currently being designed.)

    New Scientist: Record-breaking quantum computer has more than 1000 qubits. (October 2023)

  • IBM has their Condor system with 1121 qubits and their Heron with 133 qubits based on a newer and more reliable technology (claimed to outperform the Condor).

    The Heron is of particular interest, because “traditional” qubit technology can get very noisy (producing fuzzy results). So systems may use multiple qubits in parallel to average out the noise and get better results. If IBM’s tech in Heron works as advertised, it means good results with much fewer qubits.

It’s also worth noting that IBM’s systems are available via a cloud service (I assume a very expensive service :) ).

The quantum computing tech may not yet be advanced enough to go cracking everybody’s encrypted content, but given the current rate of advancement, it seems plausible that in 5-10 years, large corporations and governments may be able to buy sufficient tech. So I’m glad Apple is working on countermeasures today, rather than wait for doomsday.


Meredith Whittaker, President of the Signal Foundation, which makes the Signal app and messaging service, posted this Mastodon thread yesterday reacting to Apple’s announcement.

1 Like

With your warning about the post being complicated and not wanting my mind to be boggled, I didn’t read it. However, I have a question about backwards compatibility. My iMac is supposedly maxed out at macOS 10.13.6, my MacBook Pro at 12.7.2, and I have an iPad that is at iOS 14.4.2. Will iMessage on those three still be able to read messages sent from PQ3-updated iMessage apps?

I also didn’t read the ugly details, but if this is in any way going to be useful, it has to be relatively straightforward for devices with the keys to encrypt/decrypt, but difficult for a quantum computer to attack without keys.

The first condition should make it usable on any PC, Mac or phone. If not, then I’d say it fails a key requirement, since none of us are likely to have quantum processors on our phones any time soon.

Whether or not Apple will release the software for older systems is another question altogether.

A key paragraph:

To mitigate risks from future quantum computers, the cryptographic community has been working on post-quantum cryptography (PQC): new public key algorithms that provide the building blocks for quantum-secure protocols but don’t require a quantum computer to run — that is, protocols that can run on the classical, non-quantum computers we’re all using today, but that will remain secure from known threats posed by future quantum computers.

This protocol combines standard elliptic-curve keying that iMessage has already been using with Kyber quantum-safe keying. The Kyber protocol supposedly can be run in environments with as little as 4 kilobytes of memory, according to the Wikipedia entry. That entry links to a research paper that has math that’s way over my head. That said, the reference processor for testing quantum-resistant protocols when NIST was evaluating contest entries was an ARM Cortex M4 with 32-bit registers with 192 kb of RAM and 1 GB of flash storage. Knowing that, I think this protocol will be fine.

1 Like

As I understand it, yes, but there won’t be any PQ3 encryption going on. All devices in the set have to be running a PQ3-savvy version of the operating system, which means iOS 17.4, macOS 14.4, and so on.

Gruber touches on this briefly.

1 Like

Overall – without getting into the (highly!) technical details – I can’t see this as anything but a good thing Apple are doing here, in protecting current comms from future analysis by quantum computing systems, which would be able to break previously stored comms for monetary/political gain.

Of course, there are loads of political forces pushing govt data access under CSAM reasoning, but IMO they’ll fail under basic parliamentary scrutiny – at least in democratic countries.