iMessage Enhances Encryption to Withstand Quantum Computing Threats
In a major update, iMessage is upgrading its encryption to remain among the most secure messaging apps in preparation for the advent of quantum computing. Apple announced on Wednesday that messages sent through iMessage will now be protected by a combination of two key-agreement mechanisms inside its end-to-end encryption (E2EE), rather than the single mechanism used until now. The new protocol, called PQ3, adds Kyber, a post-quantum key encapsulation algorithm designed to resist attacks by quantum computers. Apple is not replacing the older, quantum-vulnerable algorithm but augmenting it: the secrets from both are combined, so an attacker would have to break both algorithms to decrypt a message.
Preparing for the future
This update comes five months after the Signal Foundation, creator of the Signal Protocol used by over a billion people, updated its open standard to be ready for post-quantum cryptography (PQC). Signal incorporated Kyber into X3DH, the key-agreement handshake it previously used, resulting in a combination known as PQXDH. Both iMessage and Signal provide end-to-end encryption, ensuring that only the sender and recipient can read messages in decrypted form. iMessage introduced E2EE in 2011, while Signal became available in 2014.
The threat of quantum computing
Quantum computing poses a significant threat to the public-key encryption methods in use today. The strength of the key-agreement algorithms used by messaging apps rests on mathematical problems that are easy to compute in one direction but extremely difficult to reverse, such as factoring large integers or computing discrete logarithms. A sufficiently large quantum computer running Shor's algorithm solves exactly those problems far faster than any classical computer, which breaks RSA and elliptic-curve cryptography; symmetric ciphers are only weakened, not broken. While it is uncertain when such a machine will exist, researchers have estimated that a quantum computer with about 20 million noisy physical qubits could crack a single 2,048-bit RSA key in about eight hours. The largest known quantum computer currently has 433 qubits. Cryptography engineers nevertheless anticipate that adversaries are already collecting and stockpiling encrypted traffic to decrypt it once quantum advances allow, a strategy often called "harvest now, decrypt later." The addition of Kyber to iMessage and Signal is aimed at this eventuality: traffic recorded today should stay unreadable even to a future quantum attacker.
Ratcheting up resiliency
In addition to the post-quantum upgrade, iMessage now includes an automatic key-refreshing mechanism. By regularly deriving new encryption keys as messages are exchanged, the app limits the damage of a compromise: an adversary who obtains a key can only decrypt the messages protected by that key. With a static key, that is every message; with keys refreshed every message, it is one. Signal has always provided this through a protocol innovation called ratcheting. Apple's key-refresh mechanism is modeled on ratcheting and replaces the long-lived elliptic-curve keys iMessage has used since 2019 with a continuously rekeyed Elliptic-curve Diffie-Hellman (ECDH) exchange.
Apple’s advancements
The changes announced by Apple bring iMessage on par with Signal in terms of PQC hardening and key refresh through ratcheting. Apple then goes one step further by ratcheting not only the quantum-vulnerable ECDH exchange but also the newly added Kyber key encapsulation. The post-quantum ratchet comes with a cost: Kyber public keys and ciphertexts are much larger than their elliptic-curve counterparts, so refreshing them with every message would add significant bandwidth and computation. Apple's compromise is to step the post-quantum ratchet roughly every 50 messages, while the ECDH ratchet still advances with every message. This lessens what the post-quantum ratchet guarantees on its own (a compromise of the current post-quantum secret could, to a future quantum attacker, expose the messages up to the next Kyber step), but every individual message remains protected by the per-message ECDH ratchet.
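The two ratchets described in the previous two sections, the per-message ECDH step and the Kyber step taken only every ~50 messages, are modeled below as an added example written for this page; it is not Apple's PQ3 implementation and not taken from its protocol documents. Several things are assumed or stand-ins: the Diffie-Hellman group is the small 768-bit MODP group from RFC 2409 (far too small for real use, chosen so the block runs on the Python standard library), the post-quantum KEM is a hypothetical DH-based encapsulation (`kem_encaps`/`kem_decaps`) that only mirrors the encaps/decaps interface of Kyber, the message cipher is HMAC-SHA256 in counter mode with no authentication tag, the two parties share an initial root secret from session setup, and delivery is strictly in order. The example goes slightly beyond the article's description in retiring a KEM key once a ciphertext for it has been received, which is the author's choice, not a documented PQ3 behaviour.

```python
import hashlib
import hmac
import secrets

# Toy group: the 768-bit MODP group of RFC 2409 (far too small for real
# use; it is only here so the block runs with the standard library).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
PQ_INTERVAL = 50  # the article: PQ3 steps its post-quantum ratchet every ~50 messages


def hkdf(ikm: bytes, info: bytes, salt: bytes) -> bytes:
    """HKDF-SHA256: extract, then a single expand block (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def dh_keygen() -> tuple[int, int]:
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def dh(sk: int, pk: int) -> bytes:
    return pow(pk, sk, P).to_bytes(96, "big")


# KEM interface in the shape PQ3 uses: encaps(pk) -> (ct, ss), decaps(sk, ct) -> ss.
# Hypothetical stand-in built from DH (the DHKEM construction); PQ3 uses Kyber.
def kem_encaps(pk: int) -> tuple[int, bytes]:
    esk, epk = dh_keygen()
    return epk, dh(esk, pk)


def kem_decaps(sk: int, ct: int) -> bytes:
    return dh(sk, ct)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: HMAC-SHA256 in counter mode, no authentication tag."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Party:
    """One side of a strictly in-order conversation (assumed here)."""

    def __init__(self, root: bytes):
        self.root = root                          # secret from session setup (assumed given)
        self.dh_sk, self.dh_pk = dh_keygen()
        self.kem_sk, self.kem_pk = dh_keygen()
        self.kem_used = False
        self.peer_dh_pk = self.peer_kem_pk = None
        self.sent = 0

    def _step(self, dh_secret: bytes, kem_secret: bytes) -> bytes:
        # Hybrid: both secrets go into the root key, so breaking one is not enough.
        self.root = hkdf(dh_secret + kem_secret, b"root", self.root)
        return hkdf(self.root, b"message key", b"\x00" * 32)

    def send(self, plaintext: bytes) -> tuple[dict, bytes]:
        self.dh_sk, self.dh_pk = dh_keygen()              # DH ratchet: fresh key per message
        if self.kem_used:                                 # retire a KEM key once it was used
            self.kem_sk, self.kem_pk = dh_keygen()
            self.kem_used = False
        dh_secret = dh(self.dh_sk, self.peer_dh_pk)
        kem_ct, kem_secret = None, b""
        if self.sent % PQ_INTERVAL == 0:                  # PQ ratchet: only every N messages
            kem_ct, kem_secret = kem_encaps(self.peer_kem_pk)
        self.sent += 1
        header = {"dh_pk": self.dh_pk, "kem_pk": self.kem_pk, "kem_ct": kem_ct}
        return header, xor_keystream(self._step(dh_secret, kem_secret), plaintext)

    def receive(self, header: dict, ciphertext: bytes) -> bytes:
        self.peer_dh_pk, self.peer_kem_pk = header["dh_pk"], header["kem_pk"]
        dh_secret = dh(self.dh_sk, self.peer_dh_pk)
        kem_secret = b""
        if header["kem_ct"] is not None:
            kem_secret = kem_decaps(self.kem_sk, header["kem_ct"])
            self.kem_used = True
        return xor_keystream(self._step(dh_secret, kem_secret), ciphertext)


def demo(n_messages: int = 120) -> tuple[bool, list[int], list[int]]:
    """Alice sends, Bob replies every tenth message. Returns (all decrypted,
    Alice's send counters that carried a KEM ciphertext, Bob's)."""
    root = secrets.token_bytes(32)                        # constructed setup secret
    alice, bob = Party(root), Party(root)
    alice.peer_dh_pk, alice.peer_kem_pk = bob.dh_pk, bob.kem_pk
    bob.peer_dh_pk, bob.peer_kem_pk = alice.dh_pk, alice.kem_pk
    ok, pq_steps = True, {id(alice): [], id(bob): []}
    for i in range(n_messages):
        sender, receiver = (bob, alice) if i % 10 == 9 else (alice, bob)
        msg = f"message {i}".encode()
        header, ct = sender.send(msg)
        if header["kem_ct"] is not None:
            pq_steps[id(sender)].append(sender.sent - 1)
        ok = ok and receiver.receive(header, ct) == msg
    return ok, pq_steps[id(alice)], pq_steps[id(bob)]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the cadence the article describes: every message carries a fresh DH public key and derives a fresh message key, while a KEM ciphertext appears only on a party's 0th, 50th and 100th send. The point of `_step` is the hybrid: the ECDH secret and the KEM secret are concatenated before they reach the KDF, so recovering the root key requires both, and a quantum attacker who breaks the DH part still faces the KEM part for every interval in which it was refreshed.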
Signal’s approach
Signal, on the other hand, will for now apply Kyber only to the initial key agreement (the PQXDH handshake that replaced X3DH); its Double Ratchet continues to refresh keys with ECDH alone. The organization is exploring methods that would allow frequent post-quantum rekeying as well, aiming for the same level of protection as its non-quantum rekeying. Implementing this at Signal's scale requires solving open problems in bandwidth and computation and is currently the subject of ongoing research with the cryptographic community.
Privacy considerations
Privacy-conscious users should be aware that, by default, iMessage conversations are backed up to iCloud without E2EE, meaning Apple holds keys that can decrypt the backup. The new protocol does nothing to protect messages in that state, and the same applies when the other party's device backs them up. Users should either disable iCloud backups or enable Advanced Data Protection, Apple's opt-in E2EE for iCloud. In contrast, Signal does not back up messages to any cloud service.
Apple’s security measures
To ensure the security of PQ3, Apple enlisted two external cryptography teams to analyze the protocol. Both teams published mathematical proofs of its security properties, titled "Security Analysis of the iMessage PQ3 Protocol" and "A Formal Analysis of the iMessage PQ3 Messaging Protocol." The iMessage changes are already available in developer preview and beta releases and will take effect with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.
With these enhancements, iMessage is poised to withstand the threats posed by quantum computing, providing users with a secure messaging experience. As the race to defend against quantum advances continues, Apple and Signal are at the forefront, ensuring that their encryption methods