Here’s the blog post. TL;DR: every device shares (?) an ECDSA signing key synced by iCloud key vault, all public keys go into CONIKS, encryption keys are authenticated by signing keys. So many little details unknown. https://security.apple.com/blog/imessage-contact-key-verification/