Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 3 March 2024

Feedback & Followups

Deep Dive — Apple’s Post-Quantum iMessage Encryption

Apple have had end-to-end encryption by default for a long time now, and it’s based on the best in class public-key cryptography certified for use today by standards bodies like the US National Institute for Standards and Technology (NIST). Today, that cryptography is extremely robust, but, it’s based on math we know would become crackable should anyone invent a practical quantum computer. That’s very unlikely in the next 5 years, but quite plausible in the five or ten after that, so the cybersecurity world is busy preparing for that likely future now.

It takes a long time to develop robust new cryptographic algorithms, so this work has already been underway for years. We now have a selection of candidate quantum-resistant algorithms in the final stages of review by NIST, so tech companies are starting to roll out their initial implementations.

If you’re wondering why roll out changes now to address a problem that’s probably a decade out, it’s because of the so-called ’Harvest Now, Decrypt Later’ attack. Large well resourced organisations like governments can hoover up encrypted messages from important or interesting people now, save them in big data farms, and then crack them in five or ten years.

Apple is by no means the first to move on this, but they do seem to have leap-frogged the rest of the pack with their announcement of changes that are coming into effect pretty much immediately!

Apple have named their solution PQ3 which they refer to as ‘level 3’ post-quantum encryption. This is not a level on some kind of standard or generally accepted scale, but a term of Apple’s own invention. It’s their way of saying “We are first to offer this comprehensive solution”.

Level 0 is no encryption at all, at least not by default, and you might expect that category to be empty in 2024, but alas not, that’s where you find Skype, QQ, Telegram & WeChat. Level 1 is end-to-end encryption that’s not quantum-safe, so where Messages is before PQ3 rolls out in a few weeks. Other apps Apple class as level 1 include Line, Viber & WhatsApp. Level 2 apps use new quantum-safe crypto algorithms, but don’t add the extra layer Apple have in PQ3, Apple put Signal at level 2.

So, what does Apple do beyond where the open source world has gotten to? They have added periodic key rotation, so even if a key were to be leaked or stolen (more likely than one being cracked), the damage would be limited to just a few messages, while the leak of a Signal private key would expose the entire conversation that key secured.

Apple’s blog post announcing PQ3 goes into an impressive amount of detail and answers all the obvious questions like which of the NIST candidate algorithms it uses (Kyber with ML-KEM). The opening few sections in particular are well worth a read, and the more detailed later sections are well worth a skim. One thing that caught my eye was Apple’s clever solution to the obvious problem that these new algorithms have not yet been subjected to decades of concerted theoretical and practical attacks like our current algorithms have been (for the obvious reason that they’re new!). Apple are chaining the new algorithms with the current ones, so an attacker needs to break both the current and the new algorithms to break into messages. The blog post also describes the mathematical proofs of their algorithm conducted by leading academics in world-class universities and research institutes.

It was also nice to see Apple repeatedly give due credit to competitors for their innovations, including in the opening line of the conclusion:

“End-to-end encrypted messaging has seen a tremendous amount of innovation in recent years, including significant advances in post-quantum cryptography from Signal’s PQXDH protocol and in key transparency from WhatsApp’s Auditable Key Directory”

From a practical POV, Apple are following Signal’s lead and phasing in PQ3 support in parallel with continued support for the current algorithms — until PQ3 is fully bedded in and until all clients have upgraded, there will be a mix of the new and the old encryption schemes in use. Given the closed nature of their system, it looks like Apple will be first to commit fully to post-quantum algorithms, with a commitment to complete the transition ‘by the end of 2024’. It seems reasonable to expect an ‘upgrade of get cut off’ warning and a final end date for support of the current system this autumn.

PQ3 support will start with the release of iOS 17.4, iPadOS 17.4, macOS 14.4 & watchOS 10.4 any day now.


❗ Action Alerts

  • Linux Desktop users and Android users (those who can anyway) need to update their OSes ASAP to get a fix for part of the WiFi stack (wpa_supplicant) that has a bug that allows attackers to trick devices into connecting to rogue access points and leaking the passwords to known WiFi networks —… (or apply the cumbersome workaround of manually configuring the CA cert for all work/school WiFi networks they use)

Worthy Warnings

Notable News

Just Because it’s Cool 😎

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top