Apple rolls out quantum-resistant cryptography for iMessage

At some point in coming decades, advances in quantum computing are expected to break most forms of contemporary cryptography, and now Apple is taking steps to protect its flagship messaging platform against this post-quantum future. 

On Wednesday, Apple said it is integrating cryptographic protocols in iMessage that are resistant to attack from quantum computers of the future. While quantum computers capable of breaking today’s widely deployed cryptography don’t yet exist, the company said it is rolling out quantum-resistant cryptography in order to protect against the possibility that iMessage data collected and stored by an attacker today might be decrypted at a later date, when quantum computers are capable of trivially breaking current encryption technology. 

The upgraded cryptography is currently being tested in beta, and Apple expects the update to be rolled out to its users with iOS 17.4. In order for post-quantum cryptography to be used to transmit messages, both users in a conversation will need to have updated their software. 

Apple’s move to integrate post-quantum cryptography into iMessage comes at a time when policymakers in Washington are grappling with how to prepare for a time when quantum computers break current forms of cryptography. It is widely assumed that intelligence agencies are collecting encrypted data of interest and harvesting it in anticipation of being able to decrypt it once powerful quantum computers come online.

This phenomenon — referred to in security circles as “harvest now, decrypt later” — has created urgency around shifting away from classical cryptography and toward post-quantum cryptography. In 2022, the National Institute of Standards and Technology announced an initial set of quantum-resistant algorithms, but integrating these systems into highly complex computational systems represents a massive undertaking. 

In the United States, the National Security Agency and the Cybersecurity and Infrastructure Security Agency are pushing government agencies to adopt post-quantum cryptography, but that effort hasn’t gotten further than establishing “roadmaps” for how to do so. 

While the exact number of iMessage users is unknown, Apple’s deployment of post-quantum cryptography on the platform is likely one of the largest such deployments anywhere in the world. Apple’s design relies on the Kyber algorithm — one of the systems tapped by NIST for its quantum-resistant initiative — for key exchange and combines it with a classical elliptic curve algorithm. 

Experts are divided on when a quantum computer powerful enough to crack classical cryptography will arrive, but recent technical advances — particularly around error correction — means that quantum computers might finally surpass classical computers. Classical cryptography relies on mathematical problems that are highly time-consuming for classical computers to solve. But quantum computers, once they are powerful enough, are expected to be able to solve these problems, such as factoring very large numbers, easily. 

Against that backdrop, a growing number of organizations are deploying cryptography that is resistant to attack by quantum computers. Just as classical cryptography relies on math problems that classical computers struggle to solve, post-quantum cryptography is built on math problems that quantum computers struggle with. 

Now, major technology vendors are beginning to incorporate the technology in their products. In September, the encrypted messaging platform Signal announced that it is using post-quantum cryptography to carry out key exchange. A year earlier, Cloudflare said it would make post-quantum cryptography a default in their products. 

In an indication of how major messaging platforms are competing on security and privacy features, Apple claims that its post-quantum security features go beyond those of Signal’s. According to Apple, it has achieved a higher level of security than Signal by continually rotating the keys used as part of its post-quantum cryptographic system.

In an instance where a key is stolen, this key rotation regime is supposed to limit the amount of data that an attacker might decrypt. According to Apple, keys are rotated every 50 messages at most and at least every seven days. 

Separately, Signal announced on Tuesday that users of the platform will be able to select usernames, allowing them to communicate with others on the platform without having to share their phone number. The change allows users to maintain greater privacy of their phone number. 

Correction: This article initially misstated the days in which Apple and Signal announced their new initiatives.