‘iMessage With PQ3: The New State of the Art in Quantum-Secure Messaging at Scale’
Apple:
Historically, messaging platforms have used classical public key
cryptography, such as RSA, Elliptic Curve signatures, and
Diffie-Hellman key exchange, to establish secure end-to-end
encrypted connections between devices. All these algorithms are
based on difficult mathematical problems that have long been
considered too computationally intensive for computers to solve,
even when accounting for Moore’s law. However, the rise of quantum
computing threatens to change the equation. A sufficiently
powerful quantum computer could solve these classical mathematical
problems in fundamentally different ways, and therefore — in
theory — do so fast enough to threaten the security of end-to-end
encrypted communications.
Although quantum computers with this capability don’t exist yet,
extremely well-resourced attackers can already prepare for their
possible arrival by taking advantage of the steep decrease in
modern data storage costs. The premise is simple: such attackers
can collect large amounts of today’s encrypted data and file it
all away for future reference. Even though they can’t decrypt any
of this data today, they can retain it until they acquire a
quantum computer that can decrypt it in the future, an attack
scenario known as Harvest Now, Decrypt Later.
To mitigate risks from future quantum computers, the cryptographic
community has been working on post-quantum cryptography (PQC): new
public key algorithms that provide the building blocks for
quantum-secure protocols but don’t require a quantum computer to
run — that is, protocols that can run on the classical,
non-quantum computers we’re all using today, but that will remain
secure from known threats posed by future quantum computers.
A remarkably cogent layman’s overview of some remarkably advanced cryptography. Slots right in with two recent themes here at DF:
iMessage is inarguably an advanced, wholly independent messaging platform. It speaks only to the ease-of-use of Apple’s Messages app — the only iMessage client — that so many people mistakenly think iMessage is merely SMS with different-colored text bubbles and higher-quality image and video attachments.
Apple has good reasons not to allow unauthorized third-party clients like Beeper.
Neatest of all is that Apple is rolling out this upgrade to iMessage encryption in the next round of OS updates (iOS/iPadOS 17.4, MacOS 14.4, and WatchOS 10.4 — VisionOS isn’t mentioned in the post) automatically. iMessage users don’t need to do anything other than update their software, and their communications will use the new PQ3 encryption.
One hole in iMessage’s security story is old devices — those that can’t be upgraded to the latest OS. It’s great that Apple devices tend to be useful for years after they’re no longer capable of running the current OS, but that means that iMessage communication is only as secure as the oldest device in the chat. I’m pretty sure the only reason Beeper was able to work at all was exploiting loopholes that existed for supporting older devices.
Another hole remains iCloud backups, which, by default, continue to include iMessage message history using keys that Apple controls — which in turn means keys that Apple can, and does, use to turn over data to law enforcement when issued a warrant. Only using Advanced Data Protection are Messages backups encrypted using only keys stored only on your personal devices. But even amongst Daring Fireball readers — which I think is fair to describe as a savvy audience — only a minority have Advanced Data Protection enabled.
And even if you have Advanced Data Protection enabled, there’s no way for you to know whether the people you communicate with using iMessage have it enabled.
★
Apple:
Historically, messaging platforms have used classical public key
cryptography, such as RSA, Elliptic Curve signatures, and
Diffie-Hellman key exchange, to establish secure end-to-end
encrypted connections between devices. All these algorithms are
based on difficult mathematical problems that have long been
considered too computationally intensive for computers to solve,
even when accounting for Moore’s law. However, the rise of quantum
computing threatens to change the equation. A sufficiently
powerful quantum computer could solve these classical mathematical
problems in fundamentally different ways, and therefore — in
theory — do so fast enough to threaten the security of end-to-end
encrypted communications.
Although quantum computers with this capability don’t exist yet,
extremely well-resourced attackers can already prepare for their
possible arrival by taking advantage of the steep decrease in
modern data storage costs. The premise is simple: such attackers
can collect large amounts of today’s encrypted data and file it
all away for future reference. Even though they can’t decrypt any
of this data today, they can retain it until they acquire a
quantum computer that can decrypt it in the future, an attack
scenario known as Harvest Now, Decrypt Later.
To mitigate risks from future quantum computers, the cryptographic
community has been working on post-quantum cryptography (PQC): new
public key algorithms that provide the building blocks for
quantum-secure protocols but don’t require a quantum computer to
run — that is, protocols that can run on the classical,
non-quantum computers we’re all using today, but that will remain
secure from known threats posed by future quantum computers.
A remarkably cogent layman’s overview of some remarkably advanced cryptography. Slots right in with two recent themes here at DF:
iMessage is inarguably an advanced, wholly independent messaging platform. It speaks only to the ease-of-use of Apple’s Messages app — the only iMessage client — that so many people mistakenly think iMessage is merely SMS with different-colored text bubbles and higher-quality image and video attachments.
Apple has good reasons not to allow unauthorized third-party clients like Beeper.
Neatest of all is that Apple is rolling out this upgrade to iMessage encryption in the next round of OS updates (iOS/iPadOS 17.4, MacOS 14.4, and WatchOS 10.4 — VisionOS isn’t mentioned in the post) automatically. iMessage users don’t need to do anything other than update their software, and their communications will use the new PQ3 encryption.
One hole in iMessage’s security story is old devices — those that can’t be upgraded to the latest OS. It’s great that Apple devices tend to be useful for years after they’re no longer capable of running the current OS, but that means that iMessage communication is only as secure as the oldest device in the chat. I’m pretty sure the only reason Beeper was able to work at all was exploiting loopholes that existed for supporting older devices.
Another hole remains iCloud backups, which, by default, continue to include iMessage message history using keys that Apple controls — which in turn means keys that Apple can, and does, use to turn over data to law enforcement when issued a warrant. Only using Advanced Data Protection are Messages backups encrypted using only keys stored only on your personal devices. But even amongst Daring Fireball readers — which I think is fair to describe as a savvy audience — only a minority have Advanced Data Protection enabled.
And even if you have Advanced Data Protection enabled, there’s no way for you to know whether the people you communicate with using iMessage have it enabled.