Apple Introduce Post-Quantum Security. You Should Be Thinking About This Too.

Apple have introduced new security to their iMessage service in the form of the PQ3 protocol, an end-to-end encrypted messaging protocol designed for exchanging data in long-lived sessions between two devices (eg, chats with your friends). Why is this interesting? Well, it’s because it uses “Kyber”, an algorithm selected by the National Institute of Standards and Technology (NIST) as one of its post-quantum security standards.

What is post-quantum security?

First things first. Post-quantum security refers to cryptographic principles and practices designed to secure communications and data against the potential future threat posed by quantum computers. Traditional cryptographic systems, including the algorithms that secure today’s internet communications of all kinds (banking, shopping and messaging among them), rest on mathematical problems that are difficult to solve with classical computers but could be solved efficiently with quantum computers. Quantum computers operate on the principles of quantum mechanics, allowing them to process information in ways fundamentally different from classical computers. While large-scale quantum computers capable of breaking these current cryptographic systems are not yet a reality, the potential for their development poses a significant threat to contemporary security measures.

With this threat in mind, organisations are beginning to think about switching to post-quantum cryptography (PQC). There are a number of drivers for this significant change in the way that the online world will work. These include:

  • Secrecy: Many current encryption systems do not offer forward secrecy against future quantum attacks, meaning that all previously encrypted communications could potentially be decrypted if the encryption keys are ever broken, undermining the integrity of all communications.
  • Stability: The global financial system relies on cryptography to secure transactions and protect sensitive data. Quantum computing could undermine these protections, exposing economies to potential destabilisation.
  • Privacy: Individual privacy depends significantly on strong cryptographic standards. You can have security without privacy, as the old saying goes, but you can’t have privacy without security. Without quantum-resistant encryption, personal data, communications and other private information could become accessible to adversaries equipped with quantum computing technology.

To address these challenges, researchers and organisations are actively working on developing post-quantum cryptography (PQC) standards. These new cryptographic algorithms aim to be secure against both classical and quantum computational attacks, ensuring the continuity of secure digital communications and data storage into the quantum era. NIST, with other international bodies, is leading efforts to standardise post-quantum cryptographic algorithms.

Image credit: with kind permission of Helen Holmes (CC-BY-ND 4.0)

Kyber, used by Apple, is one of these algorithms. Technically it is a key encapsulation mechanism (KEM) designed to be resistant to attacks with future quantum computers. It is used to establish a shared secret between two communicating parties without an attacker in the transmission system being able to decrypt it. A detailed analysis of the protocol from the University of Waterloo shows that PQ3 provides confidentiality with forward secrecy and post-compromise security against both classical and quantum adversaries, in both the initial key exchange as well as the continuous rekeying phase of the protocol.

In other words, it’s pretty secure.

It’s not only Apple moving in this direction. Signal, a widely-used messaging service (their protocol is used by other services as well), introduced post-quantum cryptography last year. Their new protocol (known as PQXDH) is already in the Signal client applications, and they say that in a few months’ time they will disable their old protocol and require post-quantum for all new chats.

So if Apple and Signal are shifting to post-quantum security, it’s probably time for fintechs to look in that direction too. While working quantum computers capable of breaking today’s security may be a few years away, they will undoubtedly be here one day. Bruce Schneier, a leading expert in the field (and someone who I always listen to on such matters) says that now is probably the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.

(Your enemy could harvest your data and then tuck it away safely until a quantum computer comes out a decade from now, when they can then get access to your data.)

Why Change?

If you provide critical infrastructure — such as power grids, transit systems or financial services — then you already rely on cryptography and you need to develop a post-quantum security strategy, starting with assessing the risk and understanding which assets are most vulnerable to quantum attacks. This way, you can prioritise the integration of quantum-resistant algorithms. You might also want to think about training cybersecurity personnel in post-quantum cryptography concepts and techniques to be ready for future implementations. 
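The risk assessment described above, and the “harvest now, decrypt later” concern raised earlier, can be turned into a simple prioritisation rule. The following is an added illustration, not code from Apple, Signal or NIST: it walks a constructed cryptographic inventory, flags the public-key algorithms that fall to a quantum computer, treats systems already carrying a post-quantum KEM (such as Kyber/ML-KEM) as covered, and ranks the rest using Michele Mosca’s well-known heuristic: if the time the data must stay secret (X) plus the time migration will take (Y) exceeds the time until a cryptographically relevant quantum computer arrives (Z), the data is already exposed to an adversary who records it today. The asset names, year figures and ten-year horizon are assumptions made up for the example.

```python
"""Quantum-risk prioritisation over a constructed cryptographic inventory.

Added illustration; not Apple's, Signal's or NIST's code. The asset records,
the time estimates and the quantum horizon below are constructed for the
example. The ranking rule is Mosca's heuristic: X + Y > Z means exposed.
"""
from dataclasses import dataclass

# Algorithm classes (public knowledge, not from the article):
# RSA, Diffie-Hellman and elliptic-curve schemes fall to Shor's algorithm;
# ML-KEM (Kyber) and ML-DSA (Dilithium) are NIST post-quantum standards;
# symmetric ciphers and hashes are only weakened, so large sizes stay fine.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
POST_QUANTUM = {"ML-KEM", "Kyber", "ML-DSA", "Dilithium"}
SYMMETRIC_OK = {"AES-256", "ChaCha20", "SHA-256", "SHA-384"}

PRIORITY_ORDER = {"urgent": 0, "plan": 1, "monitor": 2, "ok": 3}


@dataclass
class Asset:
    name: str
    algorithms: tuple          # algorithms protecting the asset
    shelf_life_years: float    # X: how long the data must stay secret
    migration_years: float     # Y: estimated time to re-engineer the system


def classify(algorithm: str) -> str:
    """Map one algorithm name to a risk class."""
    if algorithm in POST_QUANTUM:
        return "post-quantum"
    if algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if algorithm in SYMMETRIC_OK:
        return "symmetric-ok"
    return "unknown"


def assess(asset: Asset, quantum_horizon_years: float) -> dict:
    """Assess one asset against a quantum horizon Z (years from now)."""
    classes = {a: classify(a) for a in asset.algorithms}
    vulnerable = [a for a, c in classes.items() if c == "quantum-vulnerable"]
    unknown = [a for a, c in classes.items() if c == "unknown"]
    # A post-quantum KEM alongside a classical one is a hybrid: the session
    # secret survives even if the classical half is broken later.
    has_pq = any(c == "post-quantum" for c in classes.values())
    # margin > 0: the secret must outlive the quantum horizon even if
    # migration starts today, so recorded traffic is exposed (X + Y > Z).
    margin = asset.shelf_life_years + asset.migration_years - quantum_horizon_years
    if vulnerable and not has_pq:
        priority = "urgent" if margin > 0 else "plan"
    elif unknown:
        priority = "monitor"   # unrecognised algorithm: inventory gap, not a verdict
    else:
        priority = "ok"
    return {"asset": asset.name, "priority": priority, "margin_years": margin,
            "vulnerable": vulnerable, "unknown": unknown}


def prioritise(inventory: list, quantum_horizon_years: float) -> list:
    """Rank assets: most urgent first, then by how badly X + Y overshoots Z."""
    findings = [assess(a, quantum_horizon_years) for a in inventory]
    findings.sort(key=lambda f: (PRIORITY_ORDER[f["priority"]], -f["margin_years"]))
    return findings


# Constructed sample inventory (hypothetical systems and figures).
INVENTORY = [
    Asset("customer KYC archive", ("RSA", "AES-256"), 15, 4),
    Asset("payment API TLS", ("ECDH", "ECDSA", "AES-256"), 1, 3),
    Asset("messaging service (hybrid KEM)", ("ML-KEM", "X25519", "AES-256"), 5, 2),
    Asset("legacy log archive", ("Blowfish",), 2, 1),
]

if __name__ == "__main__":
    for finding in prioritise(INVENTORY, quantum_horizon_years=10):
        print(f"{finding['priority']:8} {finding['asset']:34} "
              f"margin={finding['margin_years']:+.0f}y "
              f"vulnerable={finding['vulnerable']} unknown={finding['unknown']}")
```

The point of the exercise is that the long-lived archive, not the short-lived TLS session, comes out first: its data will still matter when quantum computers arrive, so it is the record an adversary would harvest today. The horizon value is a judgement call and should be revisited as public estimates change.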

There is no need to panic. Your organisation does not need to switch to post-quantum cryptography tomorrow. However, a good post-quantum security strategy is a sound basis for ensuring the resilience of your services against future quantum threats, so you should probably start work on one tomorrow.



Rob Neely

2024 US Fintech Awards 'Innovator of the Year' | 2024 Fintech Innovation Business Leader of the Year (APAC) | 2024 Entrepreneur of the Year Finalist – ARN Channel | Founder Securely Group

1mo
Patricia (Pati) Partelow

MD at EY Financial Services Consulting / Product Innovator / Futurist / Tech & Data Advocate / Payments Geek / People Person

1mo

Thanks, Dave, for bringing this topic to the forefront. Anyone that has been in the Financial Services industry knows that migrating to any new standard takes time and so waiting until quantum is mainstream would be a bad strategy. And, your point on fraudsters storing records for later is a very valid point!

Ben Whitaker

Company Founder and Director in Transit, Mobility, Sustainability and Payments

1mo

We have! (A fun new area for old crypto ideas now come of age.)

Joseph S.

Director of Communications | Fractional CMO | Interim CMO | Innovator | Investor | IM Mentor

1mo

David Birch - Next time you and Steve Pannifer are in London, why don’t you both hop on a train and head out east just over an hour to Suffolk. I’ll show you Adastral Park and introduce you to some of the brightest minds in cyber security and quantum key technology.

David, this is great information, thanks so much, and it was good to see you last week.
