iMessage Encryption Standard to Be Updated to Protect Against Quantum Computing

Apple, in a post credited to Security Engineering and Architecture:

Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world.

Do note, as you read through this post, that the different security levels shown are an Apple invention, not an industry standard.

This sounds like a huge leap forward — a way of cryptographically securing today’s data on today’s devices against future threats from future computers. It is both an affirmation of Apple’s dedication to addressing even hypothetical security threats, and a political statement.

Yet I am left with many questions. Apple says this protocol will begin rolling out with the public releases of iOS 17.4, iPadOS 17.4, MacOS 14.4, and WatchOS 10.4 — missing from that list is VisionOS, though I am not sure I should read anything into that — but it is not clear to me if these operating systems are required for PQ3 encryption. In other words, if a device has not been updated or cannot be updated to these software versions, does that preclude messages from being encrypted using this protocol? If so, that might be true of all iMessage contacts, and it does not appear there is any way of knowing which encryption protocol is being used.

Furthermore, is this protocol defeated by regular iCloud backups — those to an account without Advanced Data Protection — through the same loophole as existing iMessage end-to-end encryption? It does not seem to me that Apple’s goal has ever been to entirely prevent law enforcement access. But it is notable if all this protection against quantum computer decoding is also capable of being defeated by legal demand or, indeed, legal threat. Even so, I have a hunch how this news will be received by anti-encryption authorities.

These are among the many questions I have for Apple, and I expect to hear more as this update approaches its release. However, I do not think I will get an answer to the thing I am most curious about: is a protocol similar to PQ3 going to be used by Apple to secure other end-to-end encrypted data against future threats? It would make sense.