What Is Post-Quantum Cryptography and Apple’s PQ3?

post quantum cryptography featured

The existence of quantum computers on the horizon has shaken the cryptography world, and researchers and scientists have received a massive response to build feasible Post-Quantum Cryptography (PCQ). Recently, Apple has taken an enormous step forward by announcing their own PCQ systems, PQ3, in Apple devices. 

Learn more about PCQ and Apple’s announcement and the more significant impact of post-quantum encryption.


What Is Apple’s PQ3 Protocol?

Apple devices have been heralded as well-defended from data exposure, including strong encryption and biometric security for consumer devices. Their recent announcement of the PQ3 represents a significant upgrade in cryptographic security, aiming to provide the highest level of protection against current and future threats (specifically against threats to the iMessage app), including those posed by quantum computing. 

Some of the goals of PQ3 include:

  • Post-Quantum Cryptography: PQ3 is designed to be secure against attacks from quantum computers, a significant concern as quantum computing technology advances.
  • Post-Quantum Key Establishment: PQ3 introduces a new post-quantum encryption key as part of the public keys each device generates, using the Kyber post-quantum public keys algorithm.
  • Periodic Post-Quantum Rekeying: The protocol includes a mechanism for periodic rekeying with post-quantum keys, enhancing security by limiting the potential impact of a compromised key.
  • Hybrid Cryptographic Approach: The protocol employs a hybrid design, combining Elliptic Curve cryptography with post-quantum encryption for initial key establishment and ongoing rekeying.
  • Level 3 Security: It is the first messaging protocol to achieve what Apple calls Level 3 security, offering protections that surpass all other widely deployed messaging apps. This level includes secure initial key establishment and ongoing message exchange, with mechanisms to rapidly restore security even if a key is compromised.
  • Compromise-Resilient Encryption: The protocol includes extensive defenses against sophisticated attacks, including those that quantum computers might enable.
  • Hybrid Design: PQ3 combines new post-quantum algorithms with current Elliptic Curve algorithms, ensuring it can never be less safe than the existing classical protocol.

The protocol will start rolling out with public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already included in developer preview and beta releases.

How Does Post-Quantum Cryptography Work?

post quantum cryptography

Post-quantum cryptography, also known as quantum-resistant cryptography, is a type of cryptography designed to provide secure communication protocols in the era of quantum computing. Traditional cryptographic systems, particularly those based on public-key cryptography, rely on mathematical problems that are currently hard for classical computers to solve but could be easily broken by a sufficiently powerful quantum computer. 

The main areas of research in PQC include:

  • Lattice-Based Cryptography: This approach is based on problems dealing with lattice structures in the multidimensional space and is considered complex, even for quantum computers. As such, it provides a complexity that even those computers can’t solve. 
  • Hash-Based Cryptography: This uses cryptographic hash functions for digital signatures, which are fundamentally secure against quantum attacks since they do not rely on number-theoretic problems quickly solvable by quantum computers.
  • Code-Based Cryptography: Randomly generated linear codes are complex to decode, which is still tricky for quantum computers, and as such, this provides protection against them.
  • Isogeny-Based Cryptography: Based on mathematical properties of the class of elliptic curves and isogenies, offering a potential model for key exchange protocol security in the post-quantum era.

The Transition to Post-Quantum Cryptography

The transition to post-quantum cryptography is a global effort that involves standardization bodies like the National Institute of Standards and Technology (NIST), which has been actively working on a post-quantum cryptography standardization project. This project aims to identify and standardize quantum-resistant cryptographic algorithms for widespread adoption before quantum computers become capable of breaking current encryption methods.

The challenge lies in developing secure and efficient quantum-resistant algorithms and ensuring these algorithms can be integrated into the existing digital infrastructure. This includes updating cryptographic libraries, securing internet protocols such as TLS, and ensuring that hardware and software can support the new standards without significant performance penalties.


Will These Standards Work with Compliance Frameworks?

NIST plays a pivotal role in standardizing cryptographic algorithms, including post-quantum cryptography. They have been conducting a Post-Quantum Cryptography Standardization project since 2016, aiming to establish standards for quantum-resistant cryptographic algorithms. 

The compliance of post-quantum encryption with major cybersecurity standards will largely depend on the outcomes of this project and other considerations such as:

  • Future Standards: When NIST finishes its cryptographic algorithm selections, they will be incorporated into the federal standards for cryptographic systems. These then will form compliance standards that will be used in government communication and for any organization that works with the government or in regulated industries.
  • International Standardization: Global institutions such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) will most likely adopt the NIST standards worldwide. Compliance with post-quantum encryption standards will be requisite for international security certification for cyber systems and secure international business.
  • Specialized Requirements in Vertical Markets: Finance, health, and critical infrastructure industries (power, water, etc.) all have specialized data protection and cybersecurity regulatory requirements. Once PQS becomes the norm, these sector regulatory bodies will align their regulatory requirements with the new architectures and add post-quantum encryption to compliance regulations.
  • Transition Eras: The transition into the post-quantum encryption era will include times when PQC and traditional encryption will exist together. Compliance during such a transition will ensure that the systems can support both types of encryptions and update with changing standards.
  • Backward Compatibility and Hybrid Systems: Cross-compatibility and hybrid implementations will occur with such a transition. This will ensure that communication stays secure against threats that are classical as well as quantum in nature.


Learn More About Your Encryption Requirements and the Future with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC