iMessage with PQ3: How this new protocol works to defend your iPhone against Post-Quantum Attacks

Apple has secured iMessage not just against today's threats but also against those of the future by introducing PQ3 to protect against post-quantum attacks. In this story we aim to cover the new PQ3 protocol in depth while keeping it fun and light throughout.

Aditya Darekar
Mac O’Clock


Source: Author | iMessage with PQ3

Just a few months after Apple announced their decision to move iMessage from MMS to the RCS messaging protocol, we have more great news for iMessage users: securing the platform with the PQ3 cryptographic protocol.

But what in the name of Jobs is PQ3, you may ask?

PQ in PQ3 stands for Post-Quantum Cryptography, and the 3 stands for Level 3, the security level that the cryptographic model reaches on Apple's scale.

But what does Post-Quantum Cryptography even mean and how different is Level 3 from other levels like Level 1 and Level 2?

For that, we need to understand the security status of current messaging platforms like WhatsApp, WeChat, Skype, Signal, and even the previous version of iMessage that does not have PQ3. Let’s find out…

 👉 INDEX 👈

1. Security Status of current Messaging platforms
2. Need for Post-Quantum Cryptography on Messaging Platforms
3. What does PQ3 do differently from PQC Level 2?
4. How PQ3 is designed for quantum security
5. When PQ3 fails…
6. Conclusion

Just a quick detour… if you like such kind of tech stories, consider signing up for my email newsletter. It’s 100% FREE and will remain for all my lovely audience.

Security Status of current Messaging platforms

For understanding the security status of current messaging platforms, here’s an infographic directly shared by Apple:

Source: Apple | Quantum-Secure Cryptography in Messaging Apps

According to Apple:

Classical Cryptography (not quantum secure):

  • Level 0: QQ, Skype, Telegram, WeChat
  • Level 1: Line, Viber, WhatsApp, Signal (previous), iMessage (previous)

Post-Quantum Cryptography (PQC):

  • Level 2: Signal with PQXDH
  • Level 3: iMessage with PQ3

Under the no-quantum security level, there is Level 0 which has no end-to-end encryption by default while Level 1 has end-to-end encryption by default.

Source: Author | End-to-end encryption Infographic

End-to-end encryption is a private communication system that ensures that the conversation between the sender and recipient stays private and that no one, absolutely no one, not even the application or telecom providers, let alone a hacker, can access the chats.

Under the post-quantum security level, there is Level 2 which involves securing the initial keys using a post-quantum cryptographic algorithm. And then we have the ultimate Level 3 that not only secures the initial keys using PQC but also involves rekeying with PQC with a certain frequency.

But what are these keys we are talking about?

Source: Author |Encryption keys Infographic

We are talking about encryption keys here. Here is what you need to know about them:

  • The key is a string of bits (0s and 1s) arranged in a specific order that is used to decrypt chats that were encrypted with some cryptographic algorithm.
  • The key turns the encrypted data (chat) back into plaintext, just like using the right key on the right lock unlocks the door and gives access to the room within.
  • And just like a door key and its lock, these encryption keys are unique and hard to replicate.
  • How unique and hard to replicate they are depends directly on how hard the cryptographic algorithm is to crack with the computing resources available.

Now that we have understood some of the basic key phrases like end-to-end encryption and encryption keys, let's move ahead and try to understand why post-quantum cryptography methods are necessary. And what does PQ3 even mean in the world of security?

Need for Post-Quantum Cryptography on Messaging Platforms

In very simple terms, post-quantum cryptography is a forward-looking cryptography model.

The idea is to visualize a world in which quantum computers have finally arrived and have become, if not mainstream, then somewhat accessible to a certain population. In this scenario, there would also be a bunch of malicious actors, i.e. hackers, who would use the power and resources of quantum computing to:

  1. Crack the non-quantum, current cryptographic algorithms (Level 0 and Level 1, as seen above) to decipher the encrypted data.
  2. Use the previously collected data (secured using Level 0 and Level 1 models) and decrypt it.

Believe it or not, scenario #2 is a present-day nightmare for many security experts and application developers alike who are still using Level 0 and Level 1 encryption models. This attack method is known as Harvest Now, Decrypt Later.

Source: Author | ‘Harvest Now, Decrypt Later’ Infographic

Just as the name suggests, it involves malicious actors collecting and storing large amounts of today's encrypted data, secured by current cryptographic algorithms, in order to decrypt it later using the power and resources of future quantum computers, once those are available to them.

But right now, there is a need to address scenario #1 too. Without any particular defence mechanism in place, it would be dangerous to assume that our encrypted data will remain as safe once quantum computers arrive. Because quantum computers can handle certain complex computations far more efficiently than traditional ones, it would only be a matter of time until their users could break today's cryptographic algorithms, which rely on problems that are considered hard for classical computers.

Hence, there is a need for post-quantum cryptographic algorithms designed so that both scenario #1 and scenario #2 become hard to imagine or downright impossible (though impossibility is not a word in the dictionary of security experts).

What does PQ3 do differently from PQC Level 2?

iMessage isn't the first to have a post-quantum security mechanism in place. The messaging app Signal has already achieved Level 2 post-quantum cryptography, as we saw above.

However, Signal's PQXDH algorithm only secures the initial key establishment. This means that quantum security is guaranteed only as long as those keys are never compromised. These keys are static, so compromising them (in the future, when quantum computing is possible) would mean indirectly compromising the data protected with them too.

Source: Author | Signal & iMessage Infographic

Level 3 of PQC aims to solve just this problem. If the keys become dynamic and keep changing periodically, it becomes much more difficult to obtain them and decrypt with them. Also, with every key change, the amount of the ongoing message exchange that any single key protects is bounded, thus limiting the conversation's exposure if one key is compromised.

According to Apple's SEAR Team, PQ3 delivers on the following requirements:

1. Introduce post-quantum cryptography from the start of a conversation, so that all communication is protected from current and future adversaries.

2. Mitigate the impact of key compromises by limiting how many past and future messages can be decrypted with a single compromised key.

3. Use a hybrid design to combine new post-quantum algorithms with current Elliptic Curve algorithms, ensuring that PQ3 can never be less safe than the existing classical protocol.

4. Amortize message size to avoid excessive additional overhead from the added security.

5. Use formal verification methods to provide strong security assurances for the new protocol.

Going forward in this article, we shall see how PQ3 delivers on each of these five requirements.


How PQ3 is designed for quantum security

Source: Author | Initial Key Establishment Infographic

1. To deliver on the very first requirement, PQ3 introduces a new post-quantum encryption key generated by the ML-KEM algorithm. This key becomes part of the set of public keys exchanged by sender and receiver; it is generated locally on each device (separately for your iPhone, iPad, and Mac) and transmitted to Apple servers for iMessage registration.

Only once this registration is successfully done is quantum security maintained for the rest of the conversation, and because the keys are registered with the server, this works even when the receiver is offline at the time. This process is known as initial key establishment.

A good analogy for this would be the way authentication works on our modern smartphones — FaceID makes sure that the person trying to unlock the iPhone/iPad is the owner of the device. Only after it authenticates and registers that person as the owner, will the device unlock itself.

Source: Author |Post-Quantum Rekeying Mechanism Infographic

2. However, initial key establishment using PQC is already covered under Level 2. To build on top of it, PQ3 delivers the second requirement through a periodic post-quantum rekeying mechanism. If the encryption keys themselves change periodically, it becomes far harder to get at the encrypted messages within.

This gives the protocol a self-healing property. How, you may ask? If the key changes periodically, with each new key drawing on fresh entropy rather than being computed only from the previous ones, then the protocol recovers by itself: even if a hacker has extracted earlier keys, that knowledge does not carry forward past the next rekey.

A good analogy is the one this mechanism itself uses: three ratchets. Each ratchet takes in some combination of the result produced by the previous ratchet, and, like a mechanical ratchet, each can only move forward, never back. At the end of these three ratchets is our new, periodically generated post-quantum encryption key.

Source: Author | Combining algorithms for PQ3 Infographic

3. In 2019, Apple moved iMessage from RSA to the Elliptic Curve cryptographic algorithm. As a result, the encryption became much stronger and iMessage much safer. For the PQ3 protocol, Apple is sticking with that algorithm and only enhancing it along the way, in a hybrid design. So to defeat the new PQ3 system, you would have to crack both the EC algorithm and the new post-quantum primitives.

Remember the ratchets we spoke about earlier? Apple uses one of them to protect future messages using ECDH (Elliptic Curve Diffie-Hellman). This ratchet helps with key management such that every session update also brings in fresh entropy.

Here's an easy way to understand it:

New Session = New Entropy = New Keys.

This way, anyone who has managed to compromise past session keys cannot necessarily derive the newer session keys.

Moving on to the third ratchet of our PQ3 system, as mentioned above, there is the Kyber KEM-based ratchet that complements our ECDH ratchet to provide post-compromise security against the Harvest Now, Decrypt Later scenario.

Source: Author | Amortizing Network Overhead Infographic

4. Network overhead is something to worry about. With all these algorithms fending off post-quantum attacks, a certain overhead is bound to come. PQ3 adds about 2 kB of data overhead with each message. That could be a lot for, say, a simple text message, which is usually less than a kilobyte.

So does that mean iMessage will become slower now? Not at all. PQ3 also uses an amortization technique. Basically, instead of burdening a single message with all the overhead, the protocol spreads this overhead across a bunch of messages, approximately every 50 messages. This way the per-message overhead won't be felt by the user even on a poor network connection. Since the rekeying mechanism controls the frequency, there is always a guarantee that the keys will change periodically.

Apple is also said to be able to change the rekeying frequency and the number of messages to amortize over, if the new protocol seems to be burdening devices or if they need to strengthen it against future quantum attacks.
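To make points 2 through 4 concrete, here is a toy model written for this story; it is not Apple's PQ3 code and does not follow Apple's specification. It models a one-way symmetric ratchet that gives every message its own key, a periodic rekey every 50 messages that mixes fresh entropy from two independent secrets through a hybrid KDF (one secret standing in for an ECDH share, one for a Kyber/ML-KEM share), and a tally showing how amortizing a roughly 2 kB rekey over 50 messages keeps the per-message cost small. The names `ToySession`, `hybrid_combine` and `compromise_scenario` are this example's own, the "ECDH" and "KEM" secrets are random bytes rather than real key agreement outputs, and the 50-message and 2 kB figures are the approximate numbers quoted above.

```python
# Toy model of PQ3-style key management (added example, NOT Apple's code).
# Standard-library Python only; "ECDH"/"KEM" secrets are random stand-ins.
import hashlib
import hmac
import secrets

REKEY_EVERY = 50        # messages between rekeys (approximate figure from the article)
REKEY_OVERHEAD = 2048   # bytes of extra payload a rekey carries (~2 kB per the article)


def hkdf(ikm: bytes, info: bytes, salt: bytes = b"", length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand it with a label."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_combine(ec_secret: bytes, pq_secret: bytes, root_key: bytes) -> bytes:
    """Hybrid KDF: both shared secrets feed one derivation, so an attacker who
    has broken only one of the two primitives still lacks the full input."""
    return hkdf(ec_secret + pq_secret, b"toy-pq3-rekey", salt=root_key)


def fresh_secrets():
    """Stand-in for a real ECDH + KEM exchange: two independent fresh secrets."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


class ToySession:
    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.chain_key = hkdf(root_key, b"chain")
        self.sent = 0
        self.rekeys = 0
        self.overhead_bytes = 0

    def rekey(self, ec_secret: bytes, pq_secret: bytes) -> None:
        # Fresh entropy: the new root does not depend only on the old keys,
        # which is what gives the protocol its self-healing property.
        self.root_key = hybrid_combine(ec_secret, pq_secret, self.root_key)
        self.chain_key = hkdf(self.root_key, b"chain")
        self.rekeys += 1
        self.overhead_bytes += REKEY_OVERHEAD

    def next_message_key(self) -> bytes:
        if self.sent and self.sent % REKEY_EVERY == 0:
            self.rekey(*fresh_secrets())
        message_key = hkdf(self.chain_key, b"msg")
        # One-way step: the new chain key cannot be turned back into the old one.
        self.chain_key = hkdf(self.chain_key, b"next")
        self.sent += 1
        return message_key


def ratchet_forward(chain_key: bytes, count: int) -> list:
    """All an attacker can do with a stolen chain key: walk it forward."""
    keys = []
    for _ in range(count):
        keys.append(hkdf(chain_key, b"msg"))
        chain_key = hkdf(chain_key, b"next")
    return keys


def compromise_scenario(total: int = 120, stolen_at: int = 30) -> dict:
    """Steal the chain key just before message `stolen_at`, then measure how many
    real message keys the attacker can reproduce and what the rekeys cost."""
    session = ToySession(secrets.token_bytes(32))
    real_keys, stolen_chain = [], None
    for i in range(total):
        if i == stolen_at:
            stolen_chain = session.chain_key
        real_keys.append(session.next_message_key())
    guessed = ratchet_forward(stolen_chain, total - stolen_at)
    exposed = 0
    for guess, real in zip(guessed, real_keys[stolen_at:]):
        if guess != real:
            break                          # the next rekey cuts the attacker off
        exposed += 1
    past_recovered = any(g in real_keys[:stolen_at] for g in guessed)
    return {
        "exposed_messages": exposed,                 # bounded by the next rekey
        "past_recovered": past_recovered,            # forward secrecy: False
        "rekeys": session.rekeys,
        "avg_overhead_per_message": session.overhead_bytes / total,
        "overhead_if_per_message": REKEY_OVERHEAD,   # cost without amortization
    }


def hybrid_survives_single_break(root_key: bytes = bytes(32)) -> bool:
    """Attacker knows the EC secret (say, via a future quantum attack) but not
    the KEM secret: the key they derive still differs from the real one."""
    ec_secret, pq_secret = fresh_secrets()
    real = hybrid_combine(ec_secret, pq_secret, root_key)
    attacker_view = hybrid_combine(ec_secret, secrets.token_bytes(32), root_key)
    return real != attacker_view


if __name__ == "__main__":
    print(compromise_scenario())
    print("hybrid holds with one primitive broken:", hybrid_survives_single_break())
```

With the defaults, a chain key stolen before message 30 exposes only messages 30 to 49; the rekey before message 50 mixes in secrets the attacker never saw, and the one-way chain step means none of the earlier keys can be recovered. The same run performs two rekeys over 120 messages, so the 2 kB rekey payload amortizes to roughly 34 bytes per message instead of 2 kB on every message.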

Source: Author | Contact Key Verification Infographic

5. Contact Key Verification is the verification layer on top of this PQ3 protocol. This is independent of PQ3 and debuted a few months ago with an iOS 17 update.

Essentially, this verification requires all your Apple devices to be on the absolute latest software version (even minor ones, like iOS 17.4.1 & iPadOS 17.4.1 and so on). Once you turn this setting on, a new authentication key is generated for the device by the Secure Enclave (a hardware-based key manager) and stays only on the device.

Here is why this matters: hackers typically attack the application layer and try to sign in with the user's login credentials. In this case they would attack iMessage and might even manage to sign in, but because the authentication key never leaves the Secure Enclave, as soon as your device reboots or the software updates they lose the ability to impersonate the iMessage user.

When PQ3 fails…

So with such a futuristic protocol in place, we surely don’t have anything to worry about when the age of quantum computing finally arrives, right?

NO.

Source: YouTube | Apple WWDC 2018 Keynote

There is no 100% safe protocol or encryption method in the field of cybersecurity. Every cryptographic algorithm’s compromise is only a matter of time and resources needed to solve it.

Source: Author |The Endgame of PQ3 Infographic

So when the age of quantum computing finally arrives, we might not face Harvest Now, Decrypt Later scenarios as much because of PQ3 being in place. However, quantum computers might be able to solve some of the hard problems in cryptography quite easily — which consequently means the failure of a few mechanisms within PQ3.

In the very first infographic Apple's Security Team shared on its blog about PQ3, they showed the roadmap of quantum-secure cryptography from Level 0 to Level 3. However, there is also a 'Level 4' marked for the future. This prospective 'Level 4' adds PQC Authentication to the list.

But what does PQC Authentication even mean?

As we discussed before, Contact Key Verification is a sort of independent authentication layer on top of PQ3 to make iMessage more secure. However, my best guess would be that Apple’s Security Team is working on integrating this kind of Contact verification into PQ3 and securing the key itself with post-quantum cryptography.

It is difficult to comment on the timeline of the release of this Level 4 PQC that aims at protection against future threats from quantum computers but I do believe the Security Team at Apple is working on it diligently as we speak.

Conclusion

Apple released PQ3 for iMessage on all its devices with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 (March 5, 2024).

Source: Author | PQ3 Summary Infographic

Apple's implementation of post-quantum cryptography, termed PQ3 (Post-Quantum Level 3), uses ongoing PQC rekeying, which moves it one level ahead of Signal's implementation, which focuses on PQC key establishment only. PQ3 encrypts ongoing messages with keys produced by its rekeying mechanism and its three-ratchet system. Network overhead is managed in PQ3 by amortizing the rekeying cost over messages, while Contact Key Verification provides an independent authentication layer on top of it.

It is amazing to see this new development in the world of security and how the security team at Apple is working on quantum-secure cryptography. It was great reading the security blog on PQ3 and understanding all the different mechanisms and algorithms being used. My aim with this story was to only make things simpler for understanding with different infographics from my side, which were missing on Apple’s security blog.

If you enjoyed this story and would love to see more of such in-depth stories on tech, do consider subscribing to my free newsletter, down below:
