
This is a big deal because iMessage (which gets no real attention from anyone) is one of the most widely-adopted secure communications protocols in the world. At least 1 billion people use it, all over the world. It’s the only widely-available encrypted messaging app in China. 🧵

The original iMessage protocol was launched in 2011 and was really amazing for the time, since it instantly provided e2e messaging to huge numbers of people. But cryptographically, it wasn’t very good. My students broke it in 2015: washingtonpost.com/world/natio

The Washington Post · Johns Hopkins researchers poke a hole in Apple’s encryption, by Ellen Nakashima

In 2019 Apple quietly upgraded the protocol to get rid of some obsolete cryptography, but it still wasn’t as advanced as the Signal Protocol used by WhatsApp and Signal.

A big part of the reason: iMessage lacked post-compromise security.

In the Signal protocol, your communication keys are constantly updated and “ratcheted” forwards. This means that a compromised phone/backup won’t be useful for long. You’ll replace the stolen keys within a few minutes. In iMessage this wasn’t true: public keys were long-lived.

The new update adds periodic rekeying using elliptic curve cryptography, to ensure that compromised keys quickly become useless, both in the future and for decrypting past messages. This closes an important threat vector.

Along with key transparency, this makes iMessage a state-of-the-art cryptographic protocol.

Matthew Green

Even with those improvements, the remaining problem is that elliptic curve crypto is not secure against future quantum computing advances. This doesn’t matter today, but if such computers are built in the future, they could be used to decrypt past conversations.

So Apple has made two changes in this update. In addition to frequent elliptic curve rekeying, they also use a second “post quantum secure” algorithm: Kyber. This algorithm rekeys as well, but a little less frequently. (This is because Kyber ciphertexts are much bigger and “eat” more space on the wire.)

An important note here is that the two main encryption algorithms are arranged into a “combiner”: this means that as long as one algorithm remains secure, nobody should be able to break the encryption. This means Apple gets the safety of elliptic curves today, plus PQC in the future (maybe.)

Ok, so what? You might point out that this is overkill. Quantum computers are years away, and key compromise is rare. So why should I care about this?

(I confess this was also my initial reaction.)

The answer is you probably don’t need to care. It *is* overkill. But sometimes overkill sends a useful message, one that should be heard by people who aren’t technical at all. Specifically:

For several years (until very recently), Apple’s crypto dev was stagnant. iCloud wasn’t end-to-end encrypted. iMessage was encrypted, but wasn’t being improved.

I think a lot of this was due to Apple being nervous about political backlash from governments around the world.

In 2021 Apple appeared to knuckle to this pressure. They announced a plan to scan photos sent to iCloud *on the user’s device*, which was exactly the content scanning governments were seeking. They backed off this plan after a huge consumer backlash. wired.com/story/apple-photo-sc

WIRED · Apple Kills Its Plan to Scan Your Photos for CSAM. Here’s What’s Next, by Lily Hay Newman

What’s changed since that event is that Apple seems to have taken the leash off of their security team. Since 2022 Apple has:

* Released end-to-end encrypted backup for iCloud
* Added key transparency for iMessage
* Now seriously upgraded iMessage

In the latter two cases (key transparency, iMessage), the upgrades are more important to security experts than to average users. But they still represent a huge investment and forward motion that will drive the industry forward even faster to using strong encryption everywhere.


And this is important because, for better or for worse, Apple often “sets the standard” for the rest of the industry.

(I should point out that on encryption issues, they’ve faced strong competition from WhatsApp and Meta, who are also doing amazing things.)

Anyway: that’s why I think the import of today’s news is bigger than just “Apple adopted some post quantum algorithms.” As exciting as that is for us cryptographers. //fin
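The thread describes two ideas worth seeing in code: a “combiner” whose output key stays secret as long as either input secret does, and two rekeying cadences (elliptic curve material every message, post-quantum material less often). The block below is an added illustration and not Apple’s or the thread author’s code; the KEMs are replaced by a constructed deterministic stand-in so it runs offline, and the cadence (PQ rekey every 4 messages) is an assumption, not a documented iMessage parameter.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed stand-in for a KEM (ECDH or Kyber): derives a "ciphertext" and a
# shared secret from a seed so the model runs offline and deterministically.
def toy_kem(label: bytes, epoch: int) -> Tuple[bytes, bytes]:
    seed = label + epoch.to_bytes(4, "big")
    ct = hashlib.sha256(b"ct|" + seed).digest()
    ss = hashlib.sha256(b"ss|" + seed).digest()
    return ct, ss

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869): Extract, then a single Expand block (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def combine(ec_ss: bytes, pq_ss: bytes, ec_ct: bytes, pq_ct: bytes) -> bytes:
    """Concatenation combiner: the session key depends on both shared secrets
    and is bound to both ciphertexts. Knowing only one secret (say the EC one,
    after a future quantum break) leaves the key underivable."""
    return hkdf_sha256(b"hybrid-combiner-v1", ec_ss + pq_ss, ec_ct + pq_ct)

class HybridSchedule:
    """EC material refreshes every message; PQ material every pq_interval
    messages (assumed cadence, chosen because PQ ciphertexts are larger)."""
    def __init__(self, pq_interval: int = 4):
        self.pq_interval = pq_interval

    def pq_epoch(self, msg_index: int) -> int:
        return msg_index // self.pq_interval

    def message_key(self, msg_index: int) -> bytes:
        ec_ct, ec_ss = toy_kem(b"ec", msg_index)                 # new every message
        pq_ct, pq_ss = toy_kem(b"pq", self.pq_epoch(msg_index))  # new every epoch
        return combine(ec_ss, pq_ss, ec_ct, pq_ct)

if __name__ == "__main__":
    sched = HybridSchedule(pq_interval=4)
    for i in range(6):
        print(f"msg {i}: pq_epoch={sched.pq_epoch(i)} key={sched.message_key(i).hex()[:16]}...")
```

Messages 3 and 4 share no key material at all (both the EC and the PQ inputs rotated), while messages 0 to 3 share only the PQ input, which alone is not enough to reconstruct any of their keys.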