Root Causes 369: iMessage to Be PQC Enabled

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

March 15, 2024

Apple has announced that iMessage will employ post-quantum cryptography (PQC). We explain the implications of this announcement.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanSo we're going to talk about something that is all over the news. If you are reading any kind of tech news at all, you've probably seen this. So I'm not going to cite an article, because there's articles everywhere. But it was recently announced by Apple that iMessage is going to be post-quantum cryptography enabled. And this is - - I believe it is going to be in iOS 17.4. So Jason, what's happening here?

Jason SorokoHoly smokes.

Tim CallanHoly smokes.

Jason SorokoiMessage, which is like anybody who lives in the Apple ecosystem - I'm one of those people - iMessage is going to be protected with post-quantum algorithms and isn't that interesting, Tim?

Tim CallanIsn't that interesting. So we've talked a lot about the difficulty with implementing PQC in open environments, and how the first places that you would see it showing up would be in walled garden, completely owned and controlled kind of environments. And the first one that I was aware of was Cloudflare, which makes sense. They own their own network. They can do this. But the Apple stack makes perfect sense, too because they have their own network. They have a great deal of control. And they can do this as well. And sure enough, we see Apple is.

Jason SorokoThey certainly are. And so, first of all, we always like to point people to where the news item is really coming from. There is a blog by the Apple security research team and the title that you should look up is iMessage with PQ3: The new state of the art in quantum secure messaging at scale. And it's interesting, Tim. Let's go through the history a little bit here.

iMessage was launched in 2011. And it was the first - - Apple is claiming the first end to end encrypted by default messaging app. And they moved, you know, this is perfect for this podcast because they talk about it in this - - paragraph one, they talk about being very proud of switching from the RSA algorithm to ECC, elliptic curve cryptography, in 2019. And now, what they're announcing is that they are actually going to be the very first wide scale messaging platform to actually use post-quantum. Now Signal has the PQXDH protocol but let's talk about PQ3 protocol, which is there's going to be a key establishment with PQ3, and also an ongoing rekeying.

Tim CallanOh.

Jason SorokoYes. Which is actually different. That's what differentiates it from Signal. So for those of you who are curious, Signal’s implementation of post- quantum as a messaging app, they established - - like PQC is only used at the - - the key establishment has a PQ establishment only. iMessage is actually going to do an ongoing rekeying with the PQ3 algorithm

Tim CallanAn ongoing - - at what cadence?

Jason SorokoYou know what? I will leave that to Apple to answer because who knows if they may change things through time. And, you know, let's let them say that within their blog, and I'll invite people to read it. But I think what is interesting here, Tim, is that remember a recent podcast, I believe it was episode - - It was the attack on CRYSTALS-Kyber now called ML-KEM.

Tim CallanRight.

Jason SorokoAnd remember, one of the best practices that you and I talked about in that recent podcast was if you're going to introduce a PQC algorithm, pre-quantum apocalypse, then you really should marry together a classic either RSA or ECC algorithm, along with your PQC algorithm usage. We said that.

Tim CallanYeah.

Jason SorokoAnd this is what to know. Apple is actually bringing together both classic ECC as well as a PQC algorithm together. In other words, they obviously followed our advice, Tim.

Tim CallanThere you go. I'm sure that's exactly what it was. I think they were probably listening to our podcast and said, that's a good idea. Let's do that. I can't come up with any other possible explanation.

Jason SorokoObviously, you know, the reality is I just like repeating the fact that they're doing that because it's the state of the art. And I think that what they're doing here, really, they claim to be state of the art and I think that they really are, and everybody should read this blog about how to do it because to me, we're living in this world before the deprecation of RSA and ECC. It still has enormous value. In fact, so much value, you're crazy not to still use it.

Tim CallanAnd if you want to talk about in general, like really savvy, effective use of cryptography and PKI, in a technology stack, Apple over the last several years has been flawless. I mean, they, you know, think about what they did last year with WebAuthn. Think about, you know, just having, you know, early adoption of end-to-end encryption on a variety of applications; think about holding the line when they've come under government pressure to, you know, weaken or mitigate their encryption. You know, I'm not surprised to see Apple as a company. They’re clearly very committed to this conceptually, and philosophically, and I'm not surprised to see them once again, putting their money where their mouth is on this one.

Jason SorokoYeah. They're doing a really, really good job. In fact, if you take a look at what's going on underneath this, it is they are using Kyber. They are using ML-KEM along with elliptic curve, right. And, in fact, they even talk about exactly the key length that they've chosen here. This is all stuff that you and I are used to seeing. Here's what we're not used to seeing that everybody should get to know better because if you take a look - - we recently podcasted about Rust-based ML-KEM implementations, Tim, and some of those were using things like formal verification.

Tim CallanRight.

Jason SorokoAnd so this is also a requirement of iMessages PQ3 protocol is formal verification and so they've actually sent that out to mathematicians who've already kicked the tires on it and it's just so impressive what they've done here. This is the state of the art.

Tim CallanSo Jason, one thing I'm not clear about in this story and maybe you can help clarify for the listeners is, is this released by Apple? Is this coming? And if it's coming, when?

Jason SorokoI think it might be as early as iOS 17.4.

Tim CallanOkay. Yeah. That's the number they've been throwing around. Right?

Jason SorokoExactly. And so, you know, I mean, I don't run their product team. I’ve got my own. So I will leave it to Apple to make these kinds of determinations about when they put it out, but it doesn't look like we're going to be waiting an awfully long time.

Tim CallanRight. Which is great. And, of course, you know, we all understand the value of getting on PQC as early as we can because of the harvest and decrypt threat. So even if you don't think there's a quantum computer today that is going to be available to steal your secrets today, that doesn't mean that you're out of the woods, right, because harvest and decrypt can basically - - people can steal blobs that they consider to be valuable, that will be valuable in the future, or just steal lots of blobs and figure out which ones are valuable. And some way or down the road, these things may be cracked open. And again, you know, if you and I are talking about, you know, some press release, that's going to come out in a month and nobody cares because that information is going to be known by the time it gets decrypted but there are lots of secrets that will still want to be secret in 5 years, or 10 or 20 and for those secrets, we definitely do care.

And so getting - - this the reason to move to PQC as fast as you possibly can, not just to get comfortable with it and shake out the bugs and make sure it works correctly and those are all great reasons too, but also because everything that is PQC encrypted, starting now or starting a year ago, is going to be immune to the harvest and decrypt scenario and the more of all of our conversations and data and information exchanges that we get into PQC, the more we reduce that risk service for the quantum computer harvest and decrypt scenario.

Jason SorokoTim, I think there's a paragraph in here I'm going to read in its entirety because for those of us who listen to this podcast, this is like just gold for understanding what they're really doing here. And, I'm going to propose right now, we should not talk about post-quantum without talking about harvest now and decrypt later scenarios.

Tim CallanOkay.

Jason SorokoIt's the basis for why we are doing this. So let's do it. Let me read it out. This is Apple's words:

“With PQ3, iMessage continues to rely on classical cryptographic algorithms to authenticate the sender and verify the contact key verification account key because these mechanisms cannot be attacked retroactively with future quantum computer.”

So that isn't like - - basically - -

Tim CallanThat's not the risk point. Yeah.

Jason SorokoThe authentication of the sender is not the risk point, right?

“To attempt to insert themselves into the middle of an iMessage conversation, an adversary would require a quantum computer capable of breaking one of the authentication keys before or at the time the communication takes place. In other words, these attacks cannot be performed in a harvest now decrypt later scenario. They require the existence of a quantum computer capable of performing the attacks contemporaneously with the communication being attacked. We believe any such capability is still many years away but as the threat of quantum computers evolve, we will continue to assess the need for post quantum authentication to thwart such attacks.”

Tim CallanYeah. That’s a good point.

Jason SorokoSo, there it is.

Tim CallanSo the point is, if you imagine far enough in the future, far enough in the future, a quantum computer based real time attack does seem like it is in our future. And that will be a thing that the world of computing will have to deal with. However, it is zero threat today. And the harvest now encrypt decrypt later scenario, on the other hand, is a real threat today.

So what Apple has done is it's focused its attention on the area where the risk actually exists. And you can imagine lots of reasons why they wouldn't do it all at once, like just reduce the scope of the engineering challenge. And therefore the scope of the, you know, of the risk for flaws and whatnot. There's a lot of probably great reasons to chunk this up and do the things you need to do now now, and then deal with the other things as separate projects and I fully expect they will and the language in that suggests that eventually they will, but they recognize that it's not an urgent priority right now.

Jason SorokoExactly right. But, on the other hand, it makes us think about what are the people who are at the top of their game, what are they thinking about?

Tim CallanYeah.

Jason SorokoAnd I think it's, you know, as we are talking to our own customers, Tim, it's about just that stream of communication. It's not even about the authentication yet. It's about the stream. So, you know, just in case anybody's wondering, you know, has anybody kicked the tires on this? Well, none less than Professor Douglas Stebila himself has done one of the early, or I think the first mathematical analysis of this. Let me just read off a quote that they include from Professor Stebila, which is:

“I confirmed the PQ3 protocol provides post-quantum confidentiality, which can give users confidence in the privacy of their communication, even in the face of potential improvements in quantum computing technology.” That's a heck of a statement, Tim, from a guy who is like - - this is like the most pedantic of pedantic and pedantic gentleman you'll ever meet. And that's a compliment because if look, if Doug says so, guess what? You can take that to the bank.

Tim CallanYeah. And you can imagine, again, if you're Apple, just with the size of the stakes, just based on the usage of your technology stack, and the need and the desire to really get this right, you can imagine that you would be able to, and you would be willing to get the involvement and advice of the most expert experts in the world. And it's not really surprising to see that happening here.

Jason SorokoSo Tim, the purpose of this podcast, right, we're not advertising Apple, we're not advertising iMessage. We wanted to go a little deeper than the early journalism on this and show you what's going on underneath. And also, what can we learn? I think if you read that blog from Apple, you can learn about what is the state of the art. When you're thinking about your own potential early post-quantum implementations - learn from this. There's a lot here.

Tim CallanI agree. That's great. So big announcement. Great announcement. Exciting.

The last thing I'll say about this is you and I talked right at the end of 2023 when we're doing our predictions for 2024. One of the things we said was that 2023 was the year that industry finally woke up to PQC. And 2024 was going to be the year that the enterprises and you know, the broader public was going to wake up to PQC. And we're really seeing that play out. And this is a perfect example like that. A major announcement from a major technology stack that got picked up all over the place in the media just shows where the zeitgeist is on PQC. And I think this is great. I think not a moment too soon.

Jason SorokoTim, post-quantum algorithms are going to be in my mom's hands by some point this year. There it is.

Tim CallanYeah. There you are. I like that. What a great statement there. So, excellent. Thank you very much, Jason.

Jason SorokoThank you, Tim.

Tim CallanThis has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!