Security News

Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022. There's a lot of detail in the Apple blog post, and more in Douglas Stabila's security analysis.

Apple is adding to the iMessage instant messaging service a new post-quantum cryptographic protocol named PQ3, designed to defend encryption from quantum attacks. Quantum computing threatens the existing encryption schemas with nearly instant cracking.

Apple has announced a new post-quantum cryptographic protocol called PQ3 that it said will be integrated into iMessage to secure the messaging platform against future attacks arising from the...

Apple says it's going to upgrade the cryptographic protocol used by iMessage to hopefully prevent the decryption of conversations by quantum computers, should those machines ever exist in a meaningful way. The protocol, dubbed PQ3, is intended to safeguard users' chats in some future era of quantum computing, when these computers may be able to break classical encryption methods and render today's messaging security obsolete.

"Leading experts forecast that cyber security risks associated with quantum will materialize in the coming decade," reasoned [PDF] the MAS. Cryptographically relevant quantum computers "Would break commonly used asymmetric cryptography, while symmetric cryptography could require larger key sizes to remain secure," it added. The monetary authority warned that the security of financial transactions and sensitive data financial institutions process could be at risk, thanks to quantum computers that can "Break some of the commonly used encryption and digital signature algorithms."

In today's increasingly automated operational environment, crypto agility-i.e., an organization's ability to switch rapidly and seamlessly between certificate authorities, encryption standards and keys and certificates with minimal disruption to one's digital infrastructure-becomes essential to business. In 2020, Apple reduced the lifespan certificates to a year, pushing others to match them, and in March 2023, Google announced a proposal to reduce TLS certificate validity to 90 days.

I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard.

Some popular projects using implementations of Kyber are Mullvad VPN and Signal messenger. The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption.

Researchers are exploring promising quantum computing applications across various domains, from cryptography and optimization problems to drug discovery and artificial intelligence. Quantum computers, with their ability to perform complex calculations at speeds unattainable by classical counterparts, possess the potential to crack widely used encryption methods, posing a significant threat to the privacy and security of sensitive information.

NIST, the US National Institute of Standards and Technology, is leading a process to create and standardize new encryption algorithms to replace RSA and ECC. The new algorithms rely on mathematical approaches that are not easily broken by quantum or classical computers. In December of 2022, US President Joe Biden signed into law the Quantum Computing Cybersecurity Preparedness Act which mandates timelines for moving government systems to PQC algorithms.