Apple's New iMessage, Signal, and Post-Quantum Cryptography
Published 05/17/2024
Written by Denis Mandich, Member of the CSA Quantum-Safe Security Working Group and CTO of Qrypt.
Apple recently updated their iMessage application with stronger security features, adopting cryptography believed to be secure against attack by quantum computers. They use common end-to-end encryption techniques, but there are aspects unique to their platform. Although they have not explained the justifications for the design decisions, they are cryptographically sound if implemented correctly and there are no bugs in the libraries and software dependencies. Let’s take a look under the hood to understand the new version and what it means for privacy and confidentiality.
Apple’s iMessage PQ3 upgrade to post-quantum cryptography (PQC) has similarities to the Signal messaging app. Both companies use the “double ratchet” template (described in more detail below) of the original Signal protocol, but add certain additional protection against sufficiently-capable quantum computers. Both works were presented at the Real-World Cryptography Symposium in 2024. Apple additionally published several papers proving the security of some abstractions of PQ3. First, a cryptographic proof by Stebila (extending the 2017 paper “A formal security analysis of the Signal messaging protocol” by Cohn-Gordon et al to account for post-quantum protection added). Second, a formal verification paper “A Formal Analysis of the iMessage PQ3 Messaging Protocol”, by Basin et al.
This was Apple’s third attempt at improvement after going from RSA to ECC to achieve better performance and lower mobile power consumption, despite NSA’s 2015 warning to bypass ECC altogether. While the last change lowered costs for this free service, PQ3 is motivated by improvements in communications security for users against the threat of quantum computers, but not anonymity, as is commonly believed. In fact, Apple explicitly replaced the message authentication component of Signal (called Message Authentication Code, --- MAC, --- which has certain limited anonymity built-in) by a Digital Signature, which has no anonymity. This was done because Apple has an excellent secure enclave for signing, which is likely more secure than their application storage system (where a MAC key would have been stored).
Beyond the PQC security guarantees against quantum computers, these protocols are founded on the concept of “double ratcheting”, which encrypts each message with new symmetric keys based on a continuously running asymmetric key exchange. Each new symmetric key is derived from the previous symmetric key (i.e., “symmetric ratchet”), irrespective of the direction of the messages. Additionally, when the direction of messages changes (e.g., Alice receives a reply to her several messages sent to Bob), a new asymmetric key is derived, which causes the advancement of the “public-key ratchet”, called an epoch, and also contributes to the symmetric key change.
Note: The double ratchet paradigm was abstracted and formally analyzed by the 2018 work of Alwen et al “The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol”.
To add additional protection against quantum computers, both Signal and Apple added a new post-quantum component to the derivation of the original symmetric key which feeds into the double ratchet protocol. After this initial key hardening, Signal currently did not add more post-quantum protection into their protocol, although they are working on more changes. Namely, there is no post-quantum protection (i.e., post-quantum re-keying) during epochs. In contrast, Apple’s PQ3 protocol adds additional post-quantum protection during epochs, even after initialization.
Namely, a new post-quantum key is mixed into key derivation after every 50 epochs. This limits the number of messages that could be decrypted by a quantum computer, even if the user’s state is compromised during the protocol (“post-compromise security”, or PCS). In other words, while Signal only provides PCS against classical computers (by classical re-keying every epoch), Apple achieves post-quantum PCS (albeit every 50 epochs). As mentioned above, PQ3 also achieves authentication using a static signing key (using signatures instead of MACs). Despite having weaker PCS properties for authentication, since the signing key is static, Apple believes their secure enclave storing the signing key is more secure than their application storage, resulting in overall better security, despite weaker PCS.
While some distinctions are subtle in these end-to-end encrypted protocols, they have important tradeoffs between security and performance. For example, PQ3 does not explicitly state message repudiation as a property while Signal does – the ability to prevent a third party from proving a message was sent from a specific user, even though the parties involved are sure among themselves. This appears unnecessary to Apple because they have a closed ecosystem designed to protect their registered user base, but not to obfuscate them from the parent company. Signal minimizes data and visibility into user relationships by actively deleting metadata and details, using cryptography for security.
While some companies and applications have already started transitioning to PQC, achieving widespread availability and interoperability will take several years, even decades. Closed systems like Apple may adopt PQC faster and stand out with their privacy and security features when there is little else to differentiate them. Assuming PQC proves to be a reliable technology, iMessage has eliminated the “harvest now, decrypt later” threat for its users. Their private communications cannot be compromised by quantum computers in the future. Kudos to the Apple team for having their priorities straight and incurring this expensive upgrade for a free application. The cost of running a global iMessage service was already high, and this expensive action is a clear signal to their users.
Related Resources
Related Articles:
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024