This is pretty fascinating. For easier reading, the Signal blog post [0] they link to is great.
I'm way out of my depth in terms of the math here.
David Basin and his team have done really cool work in the past. I was lucky enough to see a talk by him about EMV Race, a set of exploits against the EMV protocol used by credit cards. Their approach included modeling this protocol in Tamarin. Its website [0] shows demonstration videos.
This is getting downvoted, but it really does feel like a variant of the wrench problem: https://xkcd.com/538/
This (and Signal's solution as well) does not protect against active MITM attackers with quantum computers. They would need to incorporate post-quantum signatures into it as well.
The only question that I have: will it break my old devices, so they would be forced out of the iMessage ecosystem? I believe that would happen. I don’t use it heavily, but that’s one of the reasons I keep an iPhone these days. The other reason is FaceTime support, so I could easily connect with those with iPhones. I use not very modern iPhones (the very first SE currently), as that’s what I need my iPhones for: to make a call (via FaceTime most times) and to send a message (via iMessage, sometimes). If Apple breaks that for me, I’m either forced to buy a newer iPhone (which I’m not sure I want, considering I’m all in on Linux and Android), or they force me to rethink my priorities and just leave this. I can live with that, it’s just less convenient.
Does anyone know if this is still vulnerable to the iCloud Backups problem? The only solution to that right now is for you and your contact to turn on Advanced Data Protection. Curious if that’s still required.
Isn't all this post-quantum stuff a little premature? The standards haven't settled. We don't even know if there is a possible quantum threat to cryptography yet. The more we work on the problem the less likely it seems. Last I heard we were 1 or 2 orders of magnitude away from physical noise performance that would make such a threat possible.
You'd be right except that anything encrypted now can be stored and cracked later.
Like the article says, it's protection from harvest-now-break-later.
We have reason to believe that conventionally encrypted data isn't threatened within the next 50 years by anything other than quantum computing, which is what's special about the quantum threat.
> Edit, added: Harvest now, decrypt later applies to any encrypted data. There is nothing special about the quantum threat. This all only makes sense if we can predict what the actual threat is ... and so far we can't.
One reason to move sooner rather than later is to mitigate the threat of previously stored data. There may be a government entity simply storing all iMessage traffic in the hopes of one day decrypting it when/if a breakthrough happens. If you transition sooner, you increase the age of the latest data that could be decrypted, thusly hopefully making it safer.
>When iMessage launched in 2011, it was the first widely available messaging app to provide end-to-end encryption by default,...
Would be great if we could uninstall iMessage completely from the iPhone for security reasons, or make it opt-in by default. Unfortunately that's not possible, and it will be a gateway for security issues and malware in the years to come. Post-quantum cryptography is nice, but that's one of the smallest problems with iMessage.
You can entirely disable iMessage (and FaceTime, and Siri, etc) via provisioning profiles on a managed device. Use Apple Configurator 2 to do so.
Just as a reminder, making crack-proof encryption standard everywhere is a trade-off. It’s often discussed and presented in forums like this as the only and just choice (and I believe on net it is), but doing so WILL lead to bad outcomes. Terrible crimes, unsolvable murders, large-scale terrorism, emboldened enemies attacking a country, more successful coups, etc. It would be nice as a community to acknowledge nothing comes for free and every technology is a double-edged sword. I wish more of these double-edged swords could be debated by the public it affects, although it’s out of the scope of comprehension and thoughtfulness by most. And yet we all make the choices that will affect generations…
Widely used unbreakable encryption has been available in chat apps for at least a decade and hasn't led us down that slippery slope yet. PQ3 is just future proofing what we already have.
Yeah, that’s what the NSA has said forever - but it turns out that all encryption has that human factor.
For a minute I thought you were only talking about non-state actors performing those terrible things, then remembered history is full of nations doing all those things.
sandyarmstrong | 2 years ago
Both Signal and Apple went with CRYSTALS-Kyber [1] as their post-quantum algorithm. If you're interested in the math, and maybe learned at some point about how classic public key cryptography is built on the idea that it's easy to multiply two primes, but hard to factor them, and how this (or other math problems) can be used as a one-way function to make encryption hard to break, the hard math problem that backs Kyber is the "learning-with-errors" [2] problem.
[0] https://signal.org/blog/pqxdh/
[1] https://pq-crystals.org/kyber/
[2] https://en.wikipedia.org/wiki/Learning_with_errors
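A toy version of the learning-with-errors problem the comment names, added here as an illustration (it is not code from Signal, Apple or the Kyber project, and not Kyber itself, which uses Module-LWE over polynomial rings): one-bit Regev-style LWE encryption, plus a Gaussian-elimination solver that recovers the secret the moment the error term is dropped. Every parameter is a constructed toy value, far too small to be secure.

```python
"""Toy Regev-style learning-with-errors (LWE) encryption.

Added illustration, NOT Kyber (which uses Module-LWE over polynomial rings);
every parameter below is a constructed, insecure toy value chosen so the
arithmetic is easy to follow by hand.
"""
import secrets

# Toy parameters (constructed). q > 4*m guarantees correct decryption,
# because the accumulated error |r.e| is at most m < q/4.
N = 8     # dimension of the secret vector
M = 16    # number of LWE samples published in the public key
Q = 257   # prime modulus, so inverses exist for the elimination below

def _rand_vec(length, modulus):
    return [secrets.randbelow(modulus) for _ in range(length)]

def _dot(a, b, modulus):
    return sum(x * y for x, y in zip(a, b)) % modulus

def keygen(n=N, m=M, q=Q):
    """Secret s; public key (A, b) with b = A*s + e mod q, e in {-1,0,1}^m.

    Computing b from s is easy (the 'multiply' direction); recovering s
    from (A, b) is the learning-with-errors problem (the 'factor' direction).
    """
    s = _rand_vec(n, q)
    A = [_rand_vec(n, q) for _ in range(m)]
    e = [secrets.randbelow(3) - 1 for _ in range(m)]
    b = [(_dot(row, s, q) + err) % q for row, err in zip(A, e)]
    return s, (A, b)

def encrypt(pub, bit, q=Q):
    """Encrypt one bit: add up a random subset r of the public samples and
    hide the bit in the high half of the modulus."""
    A, b = pub
    r = [secrets.randbelow(2) for _ in range(len(A))]
    u = [sum(r[i] * A[i][j] for i in range(len(A))) % q for j in range(len(A[0]))]
    v = (sum(r[i] * b[i] for i in range(len(A))) + bit * (q // 2)) % q
    return u, v

def decrypt(s, ct, q=Q):
    """v - u.s = r.e + bit*floor(q/2); r.e is small, so round to 0 or q/2."""
    u, v = ct
    d = (v - _dot(u, s, q)) % q
    return 1 if min(d, q - d) > q // 4 else 0

def solve_without_errors(A, b_exact, q=Q):
    """Recover s from b = A*s mod q when there is NO error term, by Gaussian
    elimination over Z_q. This is why the errors matter: without them the
    public key hands over the secret in polynomial time."""
    m, n = len(A), len(A[0])
    rows = [list(A[i]) + [b_exact[i]] for i in range(m)]
    pivot = 0
    for col in range(n):
        piv = next((r for r in range(pivot, m) if rows[r][col] % q), None)
        if piv is None:
            return None  # singular system; vanishingly rare for random A
        rows[pivot], rows[piv] = rows[piv], rows[pivot]
        inv = pow(rows[pivot][col], -1, q)
        rows[pivot] = [(x * inv) % q for x in rows[pivot]]
        for r in range(m):
            if r != pivot and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[pivot])]
        pivot += 1
    return [rows[i][n] for i in range(n)]

if __name__ == "__main__":
    s, (A, b) = keygen()
    for bit in (0, 1):
        assert decrypt(s, encrypt((A, b), bit)) == bit
    exact = [_dot(row, s, Q) for row in A]   # the same key with e = 0
    print("no errors   -> secret recovered:", solve_without_errors(A, exact) == s)
    print("with errors -> secret recovered:", solve_without_errors(A, b) == s)
```

The last line almost always prints False: the same linear algebra that solves the error-free system returns garbage once each equation is off by even one.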
andy_xor_andrew | 2 years ago
But my 'software engineer brain' likes the idea of using the prime factoring problem, because it's so simple to understand, and feels like some kind of universal primitive. "It's easy to multiply but hard to factor." It just seems so intuitive.
But I'm reading the 'learning with errors' wiki page and it's beyond my comprehension.
There's a weird fear in my mind that all these "post quantum algorithms" are so complicated, with such a large surface area, that they may hide flaws. While prime factoring, or even the elliptic key stuff, is so simple to comprehend.
That said, obviously the experts know what they're doing, and I'll use what they suggest. Just saying that this thought has crossed my mind.
gjsman-1000 | 2 years ago
bjoli | 2 years ago
1vuio0pswjnm7 | 2 years ago
yesimahuman | 2 years ago
xxmarkuski | 2 years ago
[0] https://emvrace.github.io/
lapetitejort | 2 years ago
yackback | 2 years ago
Apple is apparently working with GSMA to add encryption to the standard though. (They probably wouldn't add RCS otherwise.)
para_parolu | 2 years ago
browningstreet | 2 years ago
https://www.macrumors.com/2024/02/21/iphones-top-7-best-sell...
Too bad the other vendors don’t bother keeping up.
carstenhag | 2 years ago
danShumway | 2 years ago
It's already incredibly hard to get people to use secure messaging systems. Downgrading to SMS isn't necessarily wrong (it's become harder to get people to use Signal now that it's dropped support for SMS), but it's a huge hole and effectively means that many customers will never have a significant number of their conversations encrypted.
That's a boring security hole, sure. But at some point you have to think about UX as being a part of security, and a messaging system that isn't cross-platform is hard to call secure, because good luck trying to get your contacts to all use it. People get upset about this, but the reality is it does not matter what encryption scheme a messenger is using if it's impossible for you to get your contacts to use it. The same way that it does not matter how secure your 2FA system is if you can't get people to turn it on.
I felt like on net Signal's support for SMS was a boon for security more than a hindrance because it made it easier for me to get people to sign up for Signal. In contrast, Signal's take was that having a secure and insecure service bundled up into the same messenger would on average make people more lax about security and would make it harder for them to make strong security guarantees. They viewed SMS support essentially as a security vulnerability.
I do wish Signal had kept SMS and tried harder on the UX, I honestly feel somewhat strongly that removing support made secure messaging harder -- but while we can debate the security downsides and the onboarding downsides, I also have grown to kind of see their point? And iMessage falls very squarely into that problem, except with Signal I can at least tell my contacts how to get it.
I don't know, it feels petty but like... if you have secure encryption but it doesn't get turned on for a bunch of messages, then that does seem like it has a security impact. I don't think that's a complicated or controversial thing to say, it's no different from calling out that some chat services require E2EE to be opt-in instead of opt-out. Good security requires thinking about that kind of stuff.
It's the wrench problem. You're not going to get spied on by a quantum computer. You're going to get spied on because there's a decent chance that ~50% of your contacts or more aren't on iPhone and you'll be talking to them in plain text. And realistically for most users, switching to a cross-platform E2EE messenger that allows them to use one consistent service for all of their encrypted conversations is going to be meaningfully more secure even if it doesn't have quantum-resistant encryption. The most important problem for any secure messenger to solve is how to get people to use it. Sometimes that means compromising on other security standards, sometimes it means being harsher about security standards that would otherwise be optional. Sometimes it means caring about availability and onboarding, and not sending the majority of messages in an easily intercepted plain-text format.
Aaargh20318 | 2 years ago
Still unencrypted though, because the RCS standard does not include encryption.
tsunamifury | 2 years ago
They aren’t even going to use the developed encrypted RCS protocol.
Apple, when it comes to their values, is all lip service.
I have intimate experience here with them both openly lying and purposefully deceiving their user base in this case.
maqp | 2 years ago
honzaik | 2 years ago
The reason why it is missing (but seemingly planned in the future) is because it is not as critical as this change. This change prevents attackers from recording conversations now and decrypting them when (in the next ?? years/decades) they get access to an actually powerful quantum computer. On the other hand, you can do MITM only after you have factored the RSA key (or solved the discrete log).
The additional reason I presume is that this typically requires a change to the whole public key infrastructure (certificates, OCSP, etc.) which is a lot of additional work.
m3kw9 | 2 years ago
bedros | 2 years ago
RenThraysk | 2 years ago
m3kw9 | 2 years ago
jacobgorm | 2 years ago
walteweiss | 2 years ago
hax0r0x01 | 2 years ago
[deleted]
helf | 2 years ago
[deleted]
soxicywn | 2 years ago
upofadown | 2 years ago
Edit, added: Harvest now, decrypt later applies to any encrypted data. There is nothing special about the quantum threat. This all only makes sense if we can predict what the actual threat is ... and so far we can't. This reminds me of Pascal's Wager[1]
[1] https://en.wikipedia.org/wiki/Pascal%27s_wager
dijit | 2 years ago
I remember as part of the Snowden leaks there was documentation about this kind of delayed-phase collection.
Basically store as much signals data as you can and try to crack it later if there's a weakness discovered with the protocol or computing power starts being capable of wholesale attack.
You might remember that hashes are significantly easier to crack with "rainbow tables", and so we added cryptographic "salts" to online password storage. We discovered that about 15 years ago and started salting all our passwords, but for a large window of time all of those old leaked databases were suddenly extremely easy to crack.
Now, imagine the NSA is 10 years ahead of us (and you might be close with that estimation), so even if they can't crack RSA right now they're much closer than we are, and even when we get there we will likely have a large window of time before we fix it properly. (Not that we're talking RSA here, but you get my point.)
https://www.forbes.com/sites/andygreenberg/2013/06/20/leaked...
whizzter | 2 years ago
Apple users and communications are today a state-secret affair as shown by the impact of NSO/Pegasus.
So even if Google, IBM, et al. _might_ have approached feasibility in the open, there is still a significant risk of state-level adversaries having poured enough funding in to still be ahead; plus they will benefit from all open research in secret, with extra funding to take more leaps.
So no, it's not premature if there are hidden or open leaps just 10 years in the future.
tptacek | 2 years ago
bprater | 2 years ago
>> Although quantum computers with this capability don’t exist yet, extremely well-resourced attackers can already prepare for their possible arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: such attackers can collect large amounts of today’s encrypted data and file it all away for future reference. Even though they can’t decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.
raccoonDivider | 2 years ago
But we know Shor's algorithm, and we've started building prototype quantum computers. Isn't that enough to build something that counters them? Worst case, we deploy new ciphers and realize that the threat was empty 50 years from now. What's the downside?
Octoth0rpe | 2 years ago
SheinhardtWigCo | 2 years ago
The entities with the most to gain from such an advancement are not exactly known for publicizing their achievements.
InsomniacL | 2 years ago
damnloveless | 2 years ago
[deleted]
upofadown | 2 years ago
Until very recently, iMessage provided no way to verify that you and your correspondent were not both connected to the server, rather than each other. So guaranteed end-to-end encryption wasn't possible. Even now, with a recent version of iOS, they allow the users to blithely exchange messages without any identity verification. The identity numbers used to do this are hidden behind menus. So not really E2EE in any practical sense.
therealmarv | 2 years ago
sneak | 2 years ago
(A very important privacy setting with no corresponding toggle in the UI that can only be set via a configuration profile is the option to not auto sync your list of recently emailed people to iCloud (“Disable recents syncing”). This leaks your email contact history and social graph to Apple if you have iCloud turned on, even if you aren’t using an Apple email account and aren’t using iCloud Contacts. AFAIK there’s no way to disable it other than via configuration profile.)
This is what I do.
dijit | 2 years ago
upget_tiding | 2 years ago
https://support.apple.com/en-us/105120
Yesway | 2 years ago
[deleted]
azinman2 | 2 years ago
olliej | 2 years ago
(2) historically people simply did not create a huge written record (texts etc) detailing their crimes, so there’s no change in available information
(3) even before any of this tech, police are not good at solving crimes, and generally rely on errors by criminals
(4) And finally, your argument is definitionally the slippery slope and is the reason the 4th and 5th Amendments exist in the US. Your argument is trivially extended to literally everything: why shouldn’t all communication be routed through government servers to find evidence of crimes? Why shouldn’t all device locations be available to police at all times? Why shouldn’t you have video and audio recorders in every home (most child abuse, the quintessential horror, is committed by family members in the home)?
Having actual privacy does not result in crime, and mandating that privacy should be illegal in only a single case is clearly nonsense. Either you have a right to privacy or you don’t.
robjan | 2 years ago
gjsman-1000 | 2 years ago
Imagine I’m planning something malicious. If I literally do anything other than talk about it, there’s going to be evidence, and that evidence won’t be encrypted.
Plus, crack-proof encryption existed at least back to Roman times - simply because making a secure code was fairly easy and we didn’t have codebreakers. We managed.
kanbara | 2 years ago
We don’t remove all rights to privacy for people in their homes because criminals use homes too. Tech should be no different.
JoshTriplett | 2 years ago
Yes, giving people privacy means giving everyone privacy, whether they're doing good things or bad. Pointing cameras into everyone's window would also prevent some crimes, and we shouldn't do that either.
I don't think "This has tradeoffs but those tradeoffs are absolutely worth it" is a level of nuance that's possible in the face of the level of scaremongering against E2EE.
sunnybeetroot | 2 years ago
QuizzicalCarbon | 2 years ago