Apple recently announced new security measures for its iMessage app, which is used by more than a billion people worldwide.
In unveiling its PQ3 post-quantum cryptographic protocol, Apple said it is taking action now—while quantum computing is still in its nascent stage—to prevent attackers from collecting encrypted iMessage traffic today and decrypting it in the future, once quantum computers are more readily available. In the security world, this scenario is known as Harvest Now, Decrypt Later.
We sat down with Jonathan Katz, a University of Maryland expert on quantum-secure cryptography, to gain more insight as to why these new security measures are needed now, and what we may see in the future.
Question: What is the difference between traditional cryptography and quantum-secure cryptography?
Katz: At a high level, it comes down to the mathematical problems that they’re based on. Classical cryptography algorithms are primarily based on number theoretic type problems. Now people are looking at new classes of mathematical problems that are believed to be hard even for quantum computers. One of the leading candidates for those problems is related to something called lattices. This is another mathematical object, but a little bit different from traditional number theory.
Question: Is Apple protecting our texts with quantum computers, as some outlets have reported?
Katz: No. The new protocol they deployed is entirely classical; it runs on classical computers like current iPhones and iPads. However, even though it is entirely classical, it is intended to provide security against adversaries who might use quantum computers to attack it.
Question: If quantum computers don’t fully exist yet, why should people be concerned about the security of their messages from a quantum attack?
Katz: There are two things. One is the possibility of quantum computers being built in the next decade or so, in which case we need to start being prepared now. But it’s more than that, because there's this issue that can happen where—if I encrypt a message to you today, or governments encrypt messages to each other today—an attacker could theoretically take that communication and just store it on their hard drive. Then, 10 years from now, if quantum computers come out, they can use a quantum computer to decrypt that message. So that's why you need protection against quantum computers now, even though they may not exist for another decade.
Question: If hypothetical quantum computers could crack current cryptography in the future, how can classical computers protect us now from these hypothetical quantum computers?
Katz: You must get a little bit into the math. But the point is that there are a couple of examples of classical mathematical problems, where we believe that they're hard, even for quantum computers. So that's a benefit, because it means that we can use classical computers to run the cryptography, but then get security even against attackers with a quantum computer.
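To make the point in the answer above concrete, here is an added example, written for this page and not taken from Apple's PQ3 or any production library: a toy lattice-based public-key encryption scheme in the style of Regev's Learning-With-Errors (LWE) cryptosystem, implemented in plain Python integer arithmetic. Nothing in it needs a quantum computer; the security argument rests on the assumed hardness of recovering the secret from noisy linear equations, which is the kind of lattice problem Katz refers to. The parameters `N`, `M`, `Q` and the error range are assumed toy values chosen so that decryption is always correct; they are far too small to be secure.

```python
"""Toy LWE (Regev-style) public-key encryption.

Added illustration, not Apple's PQ3 and not a production scheme. Parameters
are assumed toy values: small enough to read, large enough that decryption is
provably correct, and NOT secure (real standards such as ML-KEM use far larger
parameters and a module/ring structure for efficiency).
"""
import random

N = 16      # secret dimension (assumed toy value)
M = 64      # number of LWE samples in the public key (assumed toy value)
Q = 1009    # prime modulus (assumed toy value)
# Each error coordinate is in {-1, 0, 1}. A ciphertext accumulates at most M
# of them, so its noise satisfies |noise| <= M = 64 < Q/4 = 252, which is what
# guarantees that decrypt_bit() below never returns the wrong bit.


def keygen(rng):
    """Return (public_key, secret_key) with pk = (A, b), b = A*s + e mod Q."""
    s = [rng.randrange(Q) for _ in range(N)]                       # secret vector
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]   # public matrix
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]                 # small errors
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return (A, b), s


def encrypt_bit(pk, bit, rng):
    """Encrypt one bit: sum a random subset of public-key rows, add Q/2 for a 1."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                       # random subset
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(sk, ct):
    """v - <u, s> = r.e + bit*Q/2 (mod Q); the small noise r.e cannot move the
    value from the neighbourhood of 0 to the neighbourhood of Q/2."""
    u, v = ct
    x = (v - sum(u[j] * sk[j] for j in range(N))) % Q
    if x > Q // 2:          # centre into (-Q/2, Q/2]
        x -= Q
    return 1 if abs(x) > Q // 4 else 0


def encrypt_bytes(pk, data, rng):
    """Encrypt a byte string one bit at a time (LSB first within each byte)."""
    bits = [(byte >> k) & 1 for byte in data for k in range(8)]
    return [encrypt_bit(pk, bit, rng) for bit in bits]


def decrypt_bytes(sk, cts):
    """Inverse of encrypt_bytes."""
    bits = [decrypt_bit(sk, ct) for ct in cts]
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(sum(bit << k for k, bit in enumerate(bits[i:i + 8])))
    return bytes(out)


def roundtrip(data, seed=1):
    """Generate a key pair, encrypt `data`, decrypt it, and return the result."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt_bytes(sk, encrypt_bytes(pk, data, rng))


def bit_roundtrip(bit, seed=1):
    """Single-bit round trip, handy for checking both plaintext values."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt_bit(sk, encrypt_bit(pk, bit, rng))


if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed input, not real traffic
    print(roundtrip(msg) == msg)
```

Everything above is additions, multiplications and reductions modulo a small prime, which is why a scheme of this shape runs on today's phones; the difference from RSA or elliptic-curve encryption is only the underlying problem an attacker must solve.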
Question: In some of the news covering Apple’s announcement, there was a reference to “state-sponsored” groups using quantum hacking tools to intercept iMessage communications. Is that a significant threat, as opposed to “lone wolf” cyberhackers testing their skills or seeking clout amongst their peers?
Katz: If we're talking about the average user on the street sending a message to their friend, it's not important that the message remain secret for a decade. But if you have government-level communication, many times those need to remain classified for several decades. Then there's a concern about state-sponsored agencies going after those communications. It seems likely that the first people who will develop quantum computers will be state-sponsored agencies because of the resources needed to develop them. Once developed, they're likely to remain classified, so that people won't know about them right away.
Question: What can the public do now to better protect their iMessage communications?
Katz: The nice thing about it is that the new protocol will be available by default. Apple rolled out this new protocol and people are going to be using it, and they’re protected automatically by using it. The main thing is, if you care about the privacy of your messages, you need to make sure to use a protocol that offers you encrypted messaging; not every protocol offers the same level of security. You need to choose one that offers a level of security you're comfortable with.
Question: What are some of the solutions scientists are currently working on in this area, including work you are doing?
Katz: One thing is that these post-quantum algorithms, to some extent, can be less efficient than some of the older algorithms. There's still a lot of work to be done on optimizing the schemes and their implementations and getting them to match the performance characteristics of the older cryptosystems that we've had for several decades. The other one is that, even though we have post-quantum algorithms for encryption and signatures, there's still a lot of cryptographic protocols offering advanced functionality where we don't have good post-quantum solutions yet. There's still a lot of active work on trying to upgrade the whole suite of cryptographic protocols that are available to give you post-quantum security. Then the third thing I would say is, just in general, we’re still trying to understand what's possible with a quantum computer. I have some work recently, for example, trying to understand what kind of attacks are possible against existing cryptographic schemes using a quantum computer. It's still an open area of research to figure out exactly what the power of quantum computation is.
Question: In a $1 million National Science Foundation award you received, part of the funding supports efforts to fundamentally change the way that cryptography is taught, developed and practiced. Why is this important?
Katz: It's really about a mind shift. This even goes beyond cryptography. Let's assume that quantum computers are going to come out in 10 years, and that's going to be the new computing paradigm. Then really, throughout the computer science curriculum, students need to be introduced to quantum computers; they may need to understand how to program for quantum computers, and they may need to understand how to design their systems for quantum computers. Then from the point of view of cryptography, traditionally the way cryptography has been taught is by focusing on classical cryptosystems secure against classical attackers. But from day one we need to be telling students about the possibility of quantum computers, and how anything we design must be secure against that.
***
Jonathan Katz is a professor of computer science at the University of Maryland and a fellow in the university’s Joint Center for Quantum Information and Computer Science.
A noted expert in “traditional” cybersecurity—he was the inaugural director of the Maryland Cybersecurity Center—his research also includes work in post-quantum cryptography. In 2023, he received a $1 million National Science Foundation award to develop a framework for cryptographic systems that can weather increasingly powerful quantum computers.
—Interview conducted by Shaun Chornobroff, UMIACS communications group