iMessage With PQ3
Apple (via Ivan Krstić, because there is no RSS feed, Hacker News, MacRumors):
Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world.
[…]
To mitigate risks from future quantum computers, the cryptographic community has been working on post-quantum cryptography (PQC): new public key algorithms that provide the building blocks for quantum-secure protocols but don’t require a quantum computer to run — that is, protocols that can run on the classical, non-quantum computers we’re all using today, but that will remain secure from known threats posed by future quantum computers.
[…]
To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise — both now and with future quantum computers. Therefore, we believe messaging protocols should go even further and attain Level 3 security, where post-quantum cryptography is used to secure both the initial key establishment and the ongoing message exchange, with the ability to rapidly and automatically restore the cryptographic security of a conversation even if a given key becomes compromised.
[…]
Support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already in the corresponding developer preview and beta releases. iMessage conversations between devices that support PQ3 are automatically ramping up to the post-quantum encryption protocol.
The obvious question is, but what about iCloud backups? Advanced Data Protection is off by default, and most users leave it off, so most messages are not truly end-to-end encrypted, and this won’t change that. Jason Snell implies that iCloud backup with Advanced Data Protection does support PQ3, but Apple’s blog post doesn’t mention backups or ADP at all.
Apple’s encryption may be quantum-computer-proof, but it’s not lawmaker-proof. And that’s a weak link that absolutely will be exploited, someday. E2EE is a luxury that can be snatched away in an instant, a false sense of security in an increasingly dangerous world.
Previously:
- Signal Usernames
- iCloud Advanced Data Protection Uptake
- Reminder: iMessage Not Meaningfully E2E
- Apple Dropped Plans for End-to-End Encrypted iCloud Backups After FBI Objected
Update (2024-02-23): Nick Heer:
Apple says this protocol will begin rolling out with the public releases of iOS 17.4, iPadOS 17.4, MacOS 14.4, and WatchOS 10.4 — missing from that list is VisionOS, though I am not sure I should read anything into that — but it is not clear to me if these operating systems are required for PQ3 encryption. In other words, if a device has not been updated or cannot be updated to these software versions, does that preclude messages from being encrypted using this protocol? If so, that might be true of all iMessage contacts, and it does not appear there is any way of knowing which encryption protocol is being used.
[…]
These are among the many questions I have for Apple, and I expect to hear more as this update approaches its release. However, I do not think I will get an answer to the thing I am most curious about: is a protocol similar to PQ3 going to be used by Apple to secure other end-to-end encrypted data against future threats? It would make sense.
Update (2024-02-27): Bill Toulas:
A significant innovation within PQ3 is its periodic post-quantum rekeying mechanism, a first of its kind for large-scale cryptographic messaging protocols.
This mechanism frequently regenerates new quantum-resistant keys, ensuring maximum security balanced with low impact on user experience.
[…]
Signal’s president Meredith Whittaker stated that they too considered a similar feature, but decided against implementing it until a more mature solution is devised.
One hole in iMessage’s security story is old devices — those that can’t be upgraded to the latest OS. It’s great that Apple devices tend to be useful for years after they’re no longer capable of running the current OS, but that means that iMessage communication is only as secure as the oldest device in the chat.
[…]
Another hole remains iCloud backups, which, by default, continue to include iMessage message history using keys that Apple controls — which in turn means keys that Apple can, and does, use to turn over data to law enforcement when issued a warrant.
[…]
And even if you have Advanced Data Protection enabled, there’s no way for you to know whether the people you communicate with using iMessage have it enabled.
I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.
See also: Douglas Stebila.