Apple promises to protect iMessage chats from quantum computers

Apple says it's going to upgrade the cryptographic protocol used by iMessage to hopefully prevent the decryption of conversations by quantum computers, should those machines ever exist in a meaningful way. The protocol, dubbed PQ3, is intended to safeguard users' chats in some future era of quantum computing, when these …

  1. Anonymous Coward

    How long?

    Seriously. If anyone reads my iMessages in ten years I won't care. I'll be dead.

    If anything someone can read actually matters then the world has changed again.

    Password? Been changed.

    Door code: well, the door is probably in a skip somewhere.

    Bank login: if you are lucky the bank is still in business.

    Seriously important work login: if the company still exists and hasn't changed the login then it's their own f'ing fault.

    1. DS999 Silver badge

      Re: How long?

      Nobody is going to collect your or my encrypted messages to read later. Someone in government, journalism, activist, or just plain rich/famous, they might. And while 99.9% of their messages might be useless drivel, there might be a few things that aren't.

      Physical things (other than maybe the combination to a floor safe in your house) may change too often to matter, but some information remains "useful" to some far longer. Imagine if you had a source that gave you information proving Putin personally ordered the poisoning of and more recently the murder in prison of Navalny, and you told your editor the source's name in an encrypted message. Putin has a way of collecting that encrypted message, and holds onto it, and 10 years later he can decrypt it. Now he knows who is to blame for that proof getting out, and that guy is going to be dead soon.

      1. jmch Silver badge

        Re: How long?

        It depends on the timescale. Things that happened 10-20 years ago, there's probably actionable information in there somewhere. The further back you go, the more likely it's just going to be of interest only to historians and internet trolls looking to score points in a weird niche argument that nobody really cares about.

        "Putin has a way of collecting that encrypted message, and holds onto it, and 10 years later he can decrypt it. Now he knows who is to blame for that proof getting out, and that guy is going to be dead soon."

        Sure, I get the argument, and probably whistleblowers will want security that's going to last 50+ years. But I like the construction of your sentence in the way that "that guy" dead in 10 years could refer to Putin, who is 72 now!

        More seriously, once not only the message content but also much of the metadata can be encrypted or obscured, the attacks you describe become unfeasible. If a government doesn't know whose phone / email address / IP address belongs to whom, then it can only really target people who don't take measures to obscure these (mostly relatively easy to get a burner phone / throwaway email address / VPN), or else attempt to store every single email, instant message etc etc being sent in the world for a few decades. We're probably talking Yottabytes here. Then once you CAN decrypt them, good luck filtering through the lot for some useful info. We're not talking 'needle in a haystack', we're talking 'bacterium in a haystack'.

        1. DS999 Silver badge

          Re: How long?

          the construction of your sentence in the way that "that guy" dead in 10 years could refer to Putin, who is 72 now

          He was just an example. Imagine the same example with Castro back in 1959. He finally stepped down almost exactly 50 years later!

      2. Michael Wojcik Silver badge

        Re: How long?

        Exactly. We have plenty of evidence that high-resource state or state-sponsored actors target a number of individuals and small organizations. Khashoggi is just one example. That's why malware firms like NSO Group are so successful. Their tools are expensive and operate against individual targets; there are enough individual targets of interest to justify that cost.

        Most people will never need PQC. Enough will that it's worthwhile deploying it.

        1. DS999 Silver badge

          Re: How long?

          Apple has already taken steps like Lockdown Mode that only those types of potential high value targets are likely to enable because of the features you give up when enabling it, so they are already catering to that niche crowd. I imagine quantum resistant encryption algorithms will be a requirement by the US government in less than a decade and with that US government contractors, so Apple was going to need this eventually beyond its current narrow audience.

          Since they've released several papers detailing the algorithm it'll get the "many eyes" treatment in addition to the expert evaluation it had previously undergone, so by the time those requirements for quantum resistance are in place PQ3 would be one of the algorithms approved for use and it would handily be present on all supported Apple OS versions by then. Heck they'd probably have hardware support for the algorithm in the SoC by then so it would be very efficient even for bulk data.

          1. gnasher729 Silver badge

            Re: How long?

            If they are a requirement for some folks in government, then unlike lockdown mode where I actually give up functionality, there seems to be no reason not to use this in general?

  2. Kevin McMurtrie Silver badge

    Do they bruise?

    Strong end-to-end encryption doesn't mean much if an attacker can still perform a mass attack by compromising a single codebase that is forcefully pushed to all clients.

  3. StrangerHereMyself Silver badge

    These newer post-quantum algorithms are all unproven in the real-world and several PQ ciphers have been shown to be insecure over the years.

    As long as Quantum Supremacy isn't attained, I wouldn't want to switch over to these new algorithms.

  4. ldo

    What Is A “Quantum Computer”, Anyway?

    Never understood this “quantum computer” thing. No existing computer would exist without “quantum” effects, like the quantum tunnelling that makes a transistor work. So they are already “quantum” computers!

    1. John Robson Silver badge

      Re: What Is A “Quantum Computer”, Anyway?

      Meh - they behave classically - albeit with switches that operate using the predictable elements of QM.

      A quantum computer is one which uses the superposition of states to perform calculations that are otherwise infeasible.

      1. ldo

        Re: to perform calculations that are otherwise infeasible.

        Like Shor’s algorithm? That came out in the 1990s. Yet progress towards actually implementing it since then has been precisely ... zero.

        1. Michael Wojcik Silver badge

          Re: to perform calculations that are otherwise infeasible.

          This is so extremely wrong it's almost not even worth responding to.

          We have operating quantum computers. Google, IBM, USTC, Xanadu have all demonstrated working ones. The claims of quantum advantage by Google and USTC are debatable, but even if they haven't technically achieved it, they're close. As Aaronson noted back in 2022:

          If the experimentalists care enough, they could easily regain the quantum lead, at least for a couple more years, by (say) repeating random circuit sampling with 72 qubits rather than 53-60, and hopefully circuit depth of 30-40 rather than just 20-25.

          No one's done so yet because it's not a very interesting thing to do. There are much more pressing research areas in QC, particularly in quantum error correction, in comparing various architectures, and in trying to prove that there either is or isn't any utility in some of the more fringe stuff like QAOA.

          As I've noted in previous posts, there's still reason to doubt that we'll be able to scale up to enough error-corrected qubits to use Shor's to attack RSA or DH/ECDH keys in practice, and much more reason to doubt that it will be economical for all but very occasional use (or that it will be particularly fast even for the rare application). The most interesting potential application of QC remains physics simulations. But we have most definitely made quite a lot of progress.

          1. ldo

            Re: No one's done so yet because it's not a very interesting thing to do

            You got to be kidding. A working demonstration of Shor’s algorithm would light a fire under the entire security community. Proving that factoring large integers can be done in something less than exponential time would sound the death knell of most of the encryption/authentication algorithms in common use today.

            You don’t see that as “interesting”? That’s absolutely laughable.

            1. John Robson Silver badge

              Re: No one's done so yet because it's not a very interesting thing to do

              Ok, so it can be done in only six weeks, but costs five trillion dollars for each key that you aim to factor.

              Is it still interesting?

              1. ldo

                Re: can be done in only six weeks

                Except it’s been just about 30 years, and no-one has even demonstrated it working yet.

                1. John Robson Silver badge

                  Re: can be done in only six weeks

                  Maybe not - but my point is that it still wouldn't be particularly interesting if it took astronomical amounts of resources to achieve each key (rather than just astronomical amounts for the first key)

                  1. ldo

                    Re: still wouldn't be particularly interesting ...

                    ... assuming some hypothetical situation which is just an excuse for failure.

                    1. John Robson Silver badge

                      Re: still wouldn't be particularly interesting ...

                      "Proving that factoring large integers can be done in something less than exponential time would sound the death knell"

                      You proposed a hypothetical... I suggested that it might not always sound a complete death knell...

                      It would certainly accelerate the development of other techniques - but there would be some life left.

                      1. ldo

                        Re: You proposed a hypothetical

                        The only “hypothetical” is the ability of quantum computers to perform number-theoretic calculations. So far that has just been fantasy.

                        1. John Robson Silver badge

                          Re: You proposed a hypothetical

                          You said that a working implementation would be interesting.

                          I said that it would only be interesting if it was vaguely cost effective... the demonstration would certainly be interesting, in the academic sense of the word, but it wouldn't be an instant "death knell" to all security systems unless it was a practical attack.

                2. IanRS

                  Re: can be done in only six weeks

                  Yes, it has been successfully used to demonstrate that 21=3x7. Factoring 35 failed. Other much higher numbers have been factored by QCs, but these have all been special cases that other algorithms can solve.

                  1. ldo

                    Re: 21=3x7. Factoring 35 failed.

                    Yes, I heard about that. It wasn’t even a proper factorization algorithm, just one specifically written to factorize 21. “Big whoop”, as they say.

                    If that’s all the progress we can manage after 30 years, I would say our current encryption and hashing algorithms are safe—from “quantum” computers, at any rate.


    Smoke grenade

    All this fuzz is made as a sham fight in order to distract public attention from the role iMessage played (and plays?) for zero-click infection with Pegasus and others.

  6. I am David Jones Silver badge

    Have I got this right?

    If future quantum hacker gets into a normal encrypted message of mine, they get access to the whole conversation.

    With the new system, each individual message will have to be separately hacked.

    Is that right or am I missing something fundamental?

  7. Anonymous Coward

    Once again we have one of these things called "assumptions".......

    .....namely an assumption that the world and their spouse will simply subcontract their own privacy to Apple (or Signal or Telegram or WhatsApp.....)

    Although it's a fiddly process, everyone knows that one time pads are already immune to all types of computer.....including quantum computers.

    Another fiddly process is the use of dead letter boxes (sorry.....that means paper money in it for Apple!).

    And we don't need to rely on NIST to tell us. In fact, it's probably a VERY BAD IDEA to rely on anything NIST tells us!!!

    So......maybe subcontracting privacy might just be an overall bad idea.................

  8. naive

    The silence will reveal the credibility of the encryption

    As long as the three-letter agencies are not publicly complaining about the new encryption being dangerous for kids, helps terrorists or president Putin (pick either one)...


  9. Michael Wojcik Silver badge

    I know it's just the subhead, but...

    Easy to defend against stuff that may never actually work

    This is precisely, perfectly wrong. It's intended to be humorous, but it's a disappointing display of a failure to apply security thinking.

    Stuff that will provably never work is easy to defend against. Stuff that may work is very difficult to defend against, because the defenses are speculative, and may require mechanisms that are not yet well-tested against other attacks.

    And indeed this is exactly where we are with PQC now.

  10. Anonymous Coward

    Who still uses iMessage these days? Everything is WhatsApp or Signal in traditional messaging terms…. God knows what the kids do, but it defo ain’t iMessage

  11. gnasher729 Silver badge

    If any of the conspiracy theories about the JFK assassination had been true, then someone might have written it down, using crypto that took 50 years to break. That information would still be very interesting 50 years later (about now).
