Apple announced a new quantum-resistant encryption protocol that will be used to secure iMessage communications, PQ3 against attack scenarios known as "harvest now, decrypt later".
To classify different encryption algorithms used in messaging applications based on their properties, Apple researchers defined their own taxonomy. At Level 0, they say, we find protocols that do not ensure end-to-end encryption nor quantum security; at Level 1, end-to-end secure algorithms with no quantum security; at Level 2, end-to-end secure ciphers which are post-quantum ready in the initial key establishment; and finally, at Level 3, end-to-end secure ciphers that use post-quantum crypto for initial key establishment as well as for message exchange.
According to Apple, their PQ3 protocol is the first messaging protocol that has attained Level 3 security. Additionally, PQ3 is able to automatically restore cryptographic security of a conversation even if a given key becomes compromised. As a comparison, say Apple researchers, the recently introduced PQXHD protocol that is used by Signal operates at Level 2.
PQ3 uses a hybrid design combining post-quantum algorithms with current Elliptic Curve algorithms to ensure it is at least as secure as current encryption algorithms.
We chose to use Kyber post-quantum public keys, an algorithm that received close scrutiny from the global cryptography community, and was selected by NIST as the Module Lattice-based Key Encapsulation Mechanism standard, or ML-KEM. This enables sender devices to obtain a receiver’s public keys and generate post-quantum encryption keys for the very first message, even if the receiver is offline. We refer to this as initial key establishment.
PQ3 is designed to meet several requirements, such as using post-quantum cryptography from the start of a conversation; limiting how many past and future messages can be decrypted with a single key to limit the impact of a key being compromised; and reducing message size to reduce overhead.
Interestingly, Apple used formal verification methods to ensure PQ3 delivers strong security guarantees both from their internal Security Engineering and Architecture (SEAR) team, as well as from a team led by Professor David Basin, head of the Information Security Group at ETH Zürich and one of the inventors of Tamarin, a security protocol verification tool.
According to Professor Basin, PQ3 is designed to function securely in post-quantum scenarios:
We prove the properties even when the protocol operates in the presence of very strong adversaries who can corrupt parties or possess quantum computers and therefore defeat classical cryptography. PQ3 goes beyond Signal with regards to post-quantum defenses. In PQ3, a post-quantum secure algorithm is part of the ratcheting and used repeatedly, rather than only once in the initialization as in Signal.
If you are interested in getting the full details on PQ3, do not miss Apple's original article.
PQ3 will be rolled out starting with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.