
Apple Implements PQC Standards in iMessage

  • Writer: Alexey
  • Mar 21, 2024
  • 2 min read

Apple has recently published an account of how it integrated Post-Quantum Cryptography (#PQC) algorithms into the #encryption scheme of iMessage. What #insights can organisations take from Apple's experience?





In a detailed technical write-up, Apple walks through the engineering decisions behind this integration and makes clear that adopting PQC algorithms is far from straightforward. Four points stand out.



1. The company opted for a hybrid approach rather than a purely PQC-based scheme, blending traditional and quantum-resistant techniques


Confidence in a cryptographic algorithm rests on sustained public scrutiny and community consensus rather than on proof: the hardness of the underlying mathematical problems is a conjecture, not a theorem. The longer an algorithm has been attacked without success, the more trust it earns, so fully replacing well-studied schemes with new ones before they have had that time is premature. The cryptographic community's answer is the hybrid scheme, which Apple adopted: the session key is derived from both an ECDH exchange over P-256 and a Kyber-768 key encapsulation, so an attacker has to break both the classical and the quantum-resistant component.




2. PQC network overhead is high


The write-up also quantifies the network overhead of the post-quantum ratchet, which is far larger than that of its classical counterpart: "The use of a post-quantum ratchet can cause significant network overhead compared to an ECDH-based ratchet at the same security level." Where the ECDH ratchet adds a mere 32 bytes per message, the Kyber-768 ratchet adds 2048 bytes, 64 times more.


Even though iMessage is not latency-critical, does not depend on specialised hardware and has ample computational resources, the developers still had to work around the following constraints:

- "A new public key based on ECDH is transmitted in line with every response. Post-quantum ratchet is performed approximately every 50 messages."

- "To avoid visible delays in message delivery when device connectivity is limited, this overhead needs to be amortised over multiple messages."
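To make points 1 and 2 concrete, here is an added example (my own code, not Apple's PQ3 implementation) of a hybrid handshake written against the Go standard library only: ECDH over P-256 from crypto/ecdh and ML-KEM-768 from crypto/mlkem (Go 1.24 or later; ML-KEM is the FIPS 203 standardisation of Kyber-768). Both shared secrets are fed through HKDF-SHA256 with the full transcript as context, so the session key is recoverable only by an attacker who breaks both components. The names (Responder, InitiatorHandshake, the "hybrid-example-v1" label), the message layout and the 50-message rekey interval in AmortisedOverhead are assumptions made for this demo, not PQ3's wire format. Note also that the uncompressed P-256 encoding used here is 65 bytes, larger than the 32 bytes per ECDH key cited above.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Responder holds the long-lived key pair an initiator talks to. Example code, not Apple's PQ3.
type Responder struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
}

func NewResponder() (*Responder, error) {
	ec, err1 := ecdh.P256().GenerateKey(rand.Reader)
	kem, err2 := mlkem.GenerateKey768()
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return &Responder{ecdhPriv: ec, kemPriv: kem}, nil
}

// PublicBundle: 65-byte uncompressed P-256 point + 1184-byte ML-KEM-768 encapsulation key.
func (r *Responder) PublicBundle() (ecdhPub, kemPub []byte) {
	return r.ecdhPriv.PublicKey().Bytes(), r.kemPriv.EncapsulationKey().Bytes()
}

// combine is HKDF-SHA256 (extract, then one expand block) over both shared secrets,
// with the transcript as info so the key is bound to the public values exchanged.
func combine(ssEC, ssPQ []byte, transcript ...[]byte) []byte {
	salt := []byte("hybrid-example-v1") // assumed domain-separation label
	extract := hmac.New(sha256.New, salt)
	extract.Write(ssEC)
	extract.Write(ssPQ)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(bytes.Join(transcript, nil))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32-byte session key
}

// InitiatorHandshake returns the session key plus the two values to send: ephemeral ECDH key and ML-KEM ciphertext.
func InitiatorHandshake(ecdhPub, kemPub []byte) (key, ecdhEph, ct []byte, err error) {
	peerEC, err1 := ecdh.P256().NewPublicKey(ecdhPub)
	peerKEM, err2 := mlkem.NewEncapsulationKey768(kemPub)
	eph, err3 := ecdh.P256().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2, err3); err != nil {
		return nil, nil, nil, err
	}
	ssEC, err := eph.ECDH(peerEC)
	if err != nil {
		return nil, nil, nil, err
	}
	ssPQ, ct := peerKEM.Encapsulate()
	ecdhEph = eph.PublicKey().Bytes()
	return combine(ssEC, ssPQ, ecdhPub, kemPub, ecdhEph, ct), ecdhEph, ct, nil
}

// ResponderHandshake recomputes the key. A wrong-length ciphertext is an error; a same-length
// tampered one is not: ML-KEM's implicit rejection yields a different secret, so the sides silently disagree.
func (r *Responder) ResponderHandshake(ecdhEph, ct []byte) ([]byte, error) {
	peerEph, err := ecdh.P256().NewPublicKey(ecdhEph)
	if err != nil {
		return nil, err
	}
	ssEC, err1 := r.ecdhPriv.ECDH(peerEph)
	ssPQ, err2 := r.kemPriv.Decapsulate(ct)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	ecdhPub, kemPub := r.PublicBundle()
	return combine(ssEC, ssPQ, ecdhPub, kemPub, ecdhEph, ct), nil
}

// AmortisedOverhead: mean extra bytes per message when an ECDH key rides on every
// message but a PQ ciphertext only every rekeyEvery messages (assumed interval: 50).
func AmortisedOverhead(ecdhBytes, pqBytes, rekeyEvery int) float64 {
	return float64(ecdhBytes) + float64(pqBytes)/float64(rekeyEvery)
}

func main() {
	r, err := NewResponder()
	if err != nil {
		panic(err)
	}
	ecPub, kemPub := r.PublicBundle()
	k1, eph, ct, err1 := InitiatorHandshake(ecPub, kemPub)
	k2, err2 := r.ResponderHandshake(eph, ct)
	if err := errors.Join(err1, err2); err != nil {
		panic(err)
	}
	fmt.Printf("keys match: %v; ECDH %d B + ML-KEM ct %d B, amortised over 50 msgs: %.1f B/msg\n",
		hmac.Equal(k1, k2), len(eph), len(ct), AmortisedOverhead(len(eph), len(ct), 50))
}
```

Running it reports whether both sides agree and the per-message cost of amortising one 1088-byte ML-KEM ciphertext over 50 messages (about 87 bytes per message with this encoding). The caveat a practitioner should keep in mind: a tampered ML-KEM ciphertext is not rejected with an error; implicit rejection simply hands the responder a different key, so it is key confirmation (an authenticated first message under the new key) that actually detects the mismatch.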



3. iMessage is only one component of the Apple ecosystem


Apple's PQC implementation within iMessage does not amount to a comprehensive safeguard against quantum threats across the iOS ecosystem. The many other cryptographic operations involved in data transmission (updates, synchronisation, etc.) and data processing (signatures of all sorts) require a holistic evaluation of the remaining components before quantum computing risks can be considered mitigated. Not all of them carry the same urgency: confidentiality of key exchange is exposed today to harvest-now, decrypt-later collection, whereas a signature can only be forged once a capable quantum computer actually exists.



4. Is crypto-agility there?


Though more details would be needed to assess the state of crypto-agility in the iMessage system, I would like to underscore the importance of the concept. Unless a system is designed to swap in new cryptographic algorithms readily, a large-scale cryptographic protocol transition (which is where we are now) brings both security risk and the cost of an extensive redesign.




© 2025 by Alexey Bocharnikov
