几年前的事了，现在怎样不知道。

February 21, 2024

iMessage with PQ3: The new state of the art in quantum-secure messaging at scale

Posted by Apple Security Engineering and Architecture (SEAR)

Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world.

When iMessage launched in 2011, it was the first widely available messaging app to provide end-to-end encryption by default, and we have significantly upgraded its cryptography over the years. We most recently strengthened the iMessage cryptographic protocol in 2019 by switching from RSA to Elliptic Curve cryptography (ECC), and by protecting encryption keys on device with the Secure Enclave, making them significantly harder to extract from a device even for the most sophisticated adversaries. That protocol update went even further with an additional layer of defense: a periodic rekey mechanism to provide cryptographic self-healing even in the extremely unlikely case that a key ever became compromised. Each of these advances were formally verified by symbolic evaluation, a best practice that provides strong assurances of the security of cryptographic protocols.

Historically, messaging platforms have used classical public key cryptography, such as RSA, Elliptic Curve signatures, and Diffie-Hellman key exchange, to establish secure end-to-end encrypted connections between devices. All these algorithms are based on difficult mathematical problems that have long been considered too computationally intensive for computers to solve, even when accounting for Moore’s law. However, the rise of quantum computing threatens to change the equation. A sufficiently powerful quantum computer could solve these classical mathematical problems in fundamentally different ways, and therefore — in theory — do so fast enough to threaten the security of end-to-end encrypted communications.

Although quantum computers with this capability don’t exist yet, extremely well-resourced attackers can already prepare for their possible arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: such attackers can collect large amounts of today’s encrypted data and file it all away for future reference. Even though they can’t decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.

To mitigate risks from future quantum computers, the cryptographic community has been working on post-quantum cryptography (PQC): new public key algorithms that provide the building blocks for quantum-secure protocols but don’t require a quantum computer to run — that is, protocols that can run on the classical, non-quantum computers we’re all using today, but that will remain secure from known threats posed by future quantum computers.

To reason through how various messaging applications mitigate attacks, it’s helpful to place them along a spectrum of security properties. There’s no standard comparison to employ for this purpose, so we lay out our own simple, coarse-grained progression of messaging security levels in the image at the top of this post: we start on the left with classical cryptography and progress towards quantum security, which addresses current and future threats from quantum computers. Most existing messaging apps fall either into Level 0 — no end-to-end encryption by default and no quantum security — or Level 1 — with end-to-end encryption by default, but with no quantum security. A few months ago, Signal added support for the PQXDH protocol, becoming the first large-scale messaging app to introduce post-quantum security in the initial key establishment. This is a welcome and critical step that, by our scale, elevated Signal from Level 1 to Level 2 security.

At Level 2, the application of post-quantum cryptography is limited to the initial key establishment, providing quantum security only if the conversation key material is never compromised. But today’s sophisticated adversaries already have incentives to compromise encryption keys, because doing so gives them the ability to decrypt messages protected by those keys for as long as the keys don’t change. To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise — both now and with future quantum computers. Therefore, we believe messaging protocols should go even further and attain Level 3 security, where post-quantum cryptography is used to secure both the initial key establishment and the ongoing message exchange, with the ability to rapidly and automatically restore the cryptographic security of a conversation even if a given key becomes compromised.

iMessage now meets this goal with a new cryptographic protocol that we call PQ3, offering the strongest protection against quantum attacks and becoming the only widely available messaging service to reach Level 3 security. Support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already in the corresponding developer preview and beta releases. iMessage conversations between devices that support PQ3 are automatically ramping up to the post-quantum encryption protocol. As we gain operational experience with PQ3 at the massive global scale of iMessage, it will fully replace the existing protocol within all supported conversations this year.

Designing PQ3

More than simply replacing an existing algorithm with a new one, we rebuilt the iMessage cryptographic protocol from the ground up to advance the state of the art in end-to-end encryption, and to deliver on the following requirements:

• Introduce post-quantum cryptography from the start of a conversation, so that all communication is protected from current and future adversaries.
• Mitigate the impact of key compromises by limiting how many past and future messages can be decrypted with a single compromised key.
• Use a hybrid design to combine new post-quantum algorithms with current Elliptic Curve algorithms, ensuring that PQ3 can can never be less safe than the existing classical protocol.
• Amortize message size to avoid excessive additional overhead from the added security.
• Use formal verification methods to provide strong security assurances for the new protocol.

PQ3 introduces a new post-quantum encryption key in the set of public keys each device generates locally and transmits to Apple servers as part of iMessage registration. For this application, we chose to use Kyber post-quantum public keys, an algorithm that received close scrutiny from the global cryptography community, and was selected by NIST as the Module Lattice-based Key Encapsulation Mechanism standard, or ML-KEM. This enables sender devices to obtain a receiver’s public keys and generate post-quantum encryption keys for the very first message, even if the receiver is offline. We refer to this as initial key establishment.

We then include — within conversations — a periodic post-quantum rekeying mechanism that has the ability to self-heal from key compromise and protect future messages. In PQ3, the new keys sent along with the conversation are used to create fresh message encryption keys that can’t be computed from past ones, thereby bringing the conversation back to a secure state even if previous keys were extracted or compromised by an adversary. PQ3 is the first large scale cryptographic messaging protocol to introduce this novel post-quantum rekeying property.

PQ3 employs a hybrid design that combines Elliptic Curve cryptography with post-quantum encryption both during the initial key establishment and during rekeying. Thus, the new cryptography is purely additive, and defeating PQ3 security requires defeating both the existing, classical ECC cryptography and the new post-quantum primitives. It also means the protocol benefits from all the experience we accumulated from deploying the ECC protocol and its implementations.

Rekeying in PQ3 involves transmitting fresh public key material in-band with the encrypted messages that devices are exchanging. A new public key based on Elliptic Curve Diffie-Hellman (ECDH) is transmitted inline with every response. The post-quantum key used by PQ3 has a significantly larger wire size than the existing protocol, so to meet our message size requirement we designed the quantum-secure rekeying to happen periodically rather than with every message. To determine whether a new post-quantum key is transmitted, PQ3 uses a rekeying condition that aims to balance the average size of messages on the wire, preserve the user experience in limited connectivity scenarios, and keep the global volume of messages within the capacity of our server infrastructure. Should the need arise, future software updates can increase the rekeying frequency in a way that’s backward-compatible with all devices that support PQ3.

With PQ3, iMessage continues to rely on classical cryptographic algorithms to authenticate the sender and verify the Contact Key Verification account key, because these mechanisms can’t be attacked retroactively with future quantum computers. To attempt to insert themselves in the middle of an iMessage conversation, an adversary would require a quantum computer capable of breaking one of the authentication keys before or at the time the communication takes place. In other words, these attacks cannot be performed in a Harvest Now, Decrypt Later scenario — they require the existence of a quantum computer capable of performing the attacks contemporaneously with the communication being attacked. We believe any such capability is still many years away, but as the threat of quantum computers evolves, we will continue to assess the need for post-quantum authentication to thwart such attacks.

A formally proven protocol

Our final requirement for iMessage PQ3 is formal verification — a mathematical proof of the intended security properties of the protocol. PQ3 received extensive review from Apple’s own multi-disciplinary teams in Security Engineering and Architecture (SEAR) as well as from some of the world’s foremost experts in cryptography. This includes a team led by Professor David Basin, head of the Information Security Group at ETH Zürich and one of the inventors of Tamarin — a leading security protocol verification tool that was also used to evaluate PQ3 — as well as Professor Douglas Stebila from the University of Waterloo, who has performed extensive research on post-quantum security for internet protocols. Each took a different but complementary approach, using different mathematical models to demonstrate that as long as the underlying cryptographic algorithms remain secure, so does PQ3. Finally, a leading third-party security consultancy supplemented our internal implementation review with an independent assessment of the PQ3 source code, which found no security issues.

In the first mathematical analysis, Security analysis of the iMessage PQ3 protocol, Professor Douglas Stebila focused on so-called game-based proofs. This technique, also known as reduction, defines a series of “games“ or logical statements to show that the protocol is at least as strong as the algorithms that underpin it. Stebila’s analysis shows that PQ3 provides confidentiality even in the presence of some key compromises against both classical and quantum adversaries, in both the initial key establishment and the ongoing rekeying phase of the protocol. The analysis decomposes the many layers of key derivations down to the message keys and proves that, for an attacker, they are indistinguishable from random noise. Through an extensive demonstration that considers different attack paths for classical and quantum attackers in the proofs, Stebila shows that the keys used for PQ3 are secure as long as either the Elliptic Curve Diffie-Hellman problem remains hard or the Kyber post-quantum KEM remains secure.

The iMessage PQ3 protocol is a well-designed cryptographic protocol for secure messaging that uses state-of-the-art techniques for end-to-end encrypted communication. In my analysis using the reductionist security methodology, I confirmed that the PQ3 protocol provides post-quantum confidentiality, which can give users confidence in the privacy of their communication even in the face of potential improvements in quantum computing technology. —Professor Douglas Stebila

In the second evaluation, A Formal Analysis of the iMessage PQ3 Messaging Protocol, Prof. David Basin, Felix Linker, and Dr. Ralf Sasse at ETH Zürich use a method called symbolic evaluation. As highlighted in the paper’s abstract, this analysis includes a detailed formal model of the iMessage PQ3 protocol, a precise specification of its fine-grained security properties, and machine-checked proofs using the state-of-the-art symbolic Tamarin prover. The evaluation yielded a fine-grained analysis of the secrecy properties of PQ3, proving that “in the absence of the sender or recipient being compromised, all keys and messages transmitted are secret” and that “compromises can be tolerated in a well-defined sense where the effect of the compromise on the secrecy of data is limited in time and effect,” which confirms that PQ3 meets our goals.

We provide a mathematical model of PQ3 as well as prove its secrecy and authenticity properties using a verification tool for machine-checked security proofs. We prove the properties even when the protocol operates in the presence of very strong adversaries who can corrupt parties or possess quantum computers and therefore defeat classical cryptography. PQ3 goes beyond Signal with regards to post-quantum defenses. In PQ3, a post-quantum secure algorithm is part of the ratcheting and used repeatedly, rather than only once in the initialization as in Signal. Our verification provides a very high degree of assurance that the protocol as designed functions securely, even in the post-quantum world. —Professor David Basin

Diving into the details

Because we know PQ3 will be of intense interest to security researchers and engineers as well as the cryptographic community, this blog post is really two posts in one. Up to now, we laid out our design goals, outlined how PQ3 meets them, and explained how we verified our confidence in the protocol with independent assessments. If you’d like to understand more detail about the cryptographic underpinnings, the remainder of the post is a deeper dive into how we constructed the PQ3 protocol.

Post-quantum key establishment

iMessage allows a user to register multiple devices on the same account. Each device generates its own set of encryption keys, and the private keys are never exported to any external system. The associated public keys are registered with Apple’s Identity Directory Service (IDS) to enable users to message each other using a simple identifier: email address or phone number. When a user sends a message from one of their devices, all of their other devices and all of the recipient’s devices receive the message. The messages are exchanged through pair-wise sessions established between the sending device and each receiving device. The same message is encrypted successively to each receiving device, with keys uniquely derived for each session. For the rest of this description, we will focus on a single device-to-device session.

Because the receiving device might not be online when the conversation is established, the first message in a session is encrypted using the public encryption keys registered with the IDS server.

Each device with PQ3 registers two public encryption keys and replaces them regularly with fresh ones:

1. A post-quantum Kyber-1024 key encapsulation public key
2. A classical P-256 Elliptic Curve key agreement public key

These encryption keys are signed with ECDSA using a P-256 authentication key generated by the device’s Secure Enclave, along with a timestamp used to limit their validity. The device authentication public key is itself signed by the Contact Key Verification account key, along with some attributes such as the supported cryptographic protocol version. This process allows the sender to verify that the recipient device’s public encryption keys were uploaded by the intended recipient, and it guards against downgrade attacks.

When Alice’s device instantiates a new session with Bob’s device, her device queries the IDS server for the key bundle associated with Bob’s device. The subset of the key bundle that contains the device’s authentication key and versioning information is validated using Contact Key Verification. The device then validates the signature covering the encryption keys and timestamps, which attests that the keys are valid and have not expired.

Alice’s device can then use the two public encryption keys to share two symmetric keys with Bob. The first symmetric key is computed through an ECDH key exchange that combines an ephemeral encryption key from Alice with Bob’s registered P-256 public key. The second symmetric key is obtained from a Kyber key encapsulation with Bob’s post-quantum public key.

To combine these two symmetric keys, we first extract their entropy by invoking HKDF-SHA384-Extract twice — once for each of the keys. The resulting 48-byte secret is further combined with a domain separation string and session information — which includes the user’s identifiers, the public keys used in the key exchange, and the encapsulated secret — by invoking HKDF-SHA384-Extract again to derive the session’s initial keying state. This combination ensures that the initial session state cannot be derived without knowing both of the shared secrets, meaning an attacker would need to break both algorithms to recover the resulting secret, thus satisfying our hybrid security requirement.

Post-quantum rekeying

Ongoing rekeying of the cryptographic session is designed such that keys used to encrypt past and future messages cannot be recomputed even by a powerful hypothetical attacker who is able to extract the cryptographic state of the device at a given point in time. The protocol generates a new unique key for each message, which periodically includes new entropy that is not deterministically derived from the current state of the conversation, effectively providing self-healing properties to the protocol. Our rekeying approach is modeled after ratcheting, a technique that consists of deriving a new session key from other keys and ensuring the cryptographic state always moves forward in one direction. PQ3 combines three ratchets to achieve post-quantum encryption.

The first ratchet, called the symmetric ratchet, protects older messages in a conversation to achieve forward secrecy. For every message, we derive a per-message encryption key from the current session key. The current session key itself is then further derived into a new session key, ratcheting the state forward. Each message key is deleted as soon as a corresponding message is decrypted, which prevents older harvested ciphertexts from being decrypted by an adversary who is able to compromise the device at a later time, and provides protection against replayed messages. This process uses 256-bit keys and intermediate values, and HKDF-SHA384 as a derivation function, which provides protection against both classical and quantum computers.

The second ratchet, called the ECDH ratchet, protects future messages by updating the session with fresh entropy from an Elliptic Curve key agreement, ensuring that an adversary loses the ability to decrypt new messages even if they had compromised past session keys — a property called post-compromise security. The ECDH-based ratchet has a symmetrical flow: the private key of the outgoing ratchet public key from the sender is used with the last public key received from the recipient to establish a new shared secret between sender and receiver, which is then mixed into the session’s key material. The new PQ3 protocol for iMessage uses NIST P-256 Elliptic Curve keys to perform this ratchet, which imposes only a small 32-byte overhead on each message.

Because the second ratchet uses classical cryptography, PQ3 also adds a conditionally executed Kyber KEM-based ratchet. This third ratchet complements the ECDH-based ratchet to provide post-compromise security against Harvest Now, Decrypt Later quantum attacks as well.

The use of a post-quantum ratchet can cause significant network overhead compared to an ECDH-based ratchet at the same security level. The post-quantum KEM requires sending both a public key and an encapsulated secret instead of a single outgoing public key. In addition, the underlying mathematical structure for quantum security requires significantly larger parameter sizes for public keys and encapsulated keys compared to Elliptic Curves.

To limit the size overhead incurred by frequent rekeying while preserving a high level of security, the post-quantum KEM is instantiated with Kyber-768. Unlike the IDS-registered public keys used for the initial key establishment, ratcheting public keys are used only once to encapsulate a shared secret to the receiver, significantly limiting the impact of the compromise of a single key. However, while a 32-byte ECDH-based ratchet overhead is acceptable on every message, the post-quantum KEM ratchet increases the message size by more than 2 kilobytes. To avoid visible delays in message delivery when device connectivity is limited, this ratchet needs to be amortized over multiple messages.

We therefore implemented an adaptive post-quantum rekeying criterion that takes into account the number of outgoing messages, the time elapsed since last rekeying, and current connectivity conditions. At launch, this means the post-quantum ratchet is performed approximately every 50 messages, but the criterion is bounded such that rekeying is always guaranteed to occur at least once every 7 days. And as we mentioned earlier, as the threat of quantum computers and infrastructure capacity evolves over time, future software updates can increase the rekeying frequency while preserving full backward compatibility.

Completing the public key ratchets, whether based on ECDH or Kyber, requires sending and receiving a message. Although users may not immediately reply to a message, iMessage includes encrypted delivery receipts that allow devices to rapidly complete the ratchet even without a reply from the recipient, as long as the device is online. This technique avoids delays in the rekeying process and helps support strong post-compromise recovery.

Similar to the initial session key establishment, the secrets established through the three ratchets are all combined with an evolving session key using HKDF-SHA384 through sequential calls to the Extract function. At the end of this process, we obtain a final message key, which can now be used to encrypt the payload.

Padding and encryption

To avoid leaking information about the message size, PQ3 adds padding to the message before encryption. This padding is implemented with the Padmé heuristic, which specifically limits the information leakage of ciphertexts with maximum length M to a practical optimum of O(log log M) bits. This is comparable to padding to a power of two but results in a lower overhead of at most 12 percent and even lower for larger payloads. This approach strikes an excellent balance between privacy and efficiency, and preserves the user experience in limited device connectivity scenarios.

The padded payload is encrypted with AES-CTR using a 256-bit encryption key and initialization vector, both derived from the message key. While public key algorithms require fundamental changes to achieve quantum security, symmetric cryptography algorithms like the AES block cipher only require doubling the key size to maintain their level of security against quantum computers.

Authentication

Each message is individually signed with ECDSA using the elliptic curve P-256 device authentication key protected by the Secure Enclave. The receiving device verifies the mapping between the sender’s identifier (email address or phone number) and the public key used for signature verification. If both users have enabled Contact Key Verification and verified each other’s account key, the device verifies that the device authentication keys are present in the Key Transparency log and that the corresponding account key matches the account key stored in the user’s iCloud Keychain.

The device’s authentication key is generated by the Secure Enclave and never exposed to the rest of the device, which helps prevent extraction of the private key even if the Application Processor is completely compromised. If an attacker were to compromise the Application Processor, they might be able to use the Secure Enclave to sign arbitrary messages. But after the device recovers from the compromise through a reboot or a software update, they would no longer be able to impersonate the user. This approach offers stronger guarantees than other messaging protocols where the authentication key is sometimes shared between devices or where the authentication takes place only at the beginning of the session.

The message signature covers a wide range of fields, including the unique identifiers of the users and their push notification tokens, the encrypted payload, authenticated data, a ratchet-derived message key indicator that binds the signature to a unique location in the ratchet, and any public key information used in the protocol. The inclusion of these fields in the signature guarantees that the message can only be used in the context intended by the sender, and all the fields are exhaustively documented in the research papers from Stebila, Basin, and collaborators.

Conclusion

End-to-end encrypted messaging has seen a tremendous amount of innovation in recent years, including significant advances in post-quantum cryptography from Signal’s PQXDH protocol and in key transparency from WhatsApp’s Auditable Key Directory. Building on its pioneering legacy as the first widely available messaging app to provide end-to-end encryption by default, iMessage has continued to deliver advanced protections that surpass existing systems. iMessage Contact Key Verification is the most sophisticated key transparency system for messaging deployed at scale, and is the current global state of the art for automatic key verification. And the new PQ3 cryptographic protocol for iMessage combines post-quantum initial key establishment with three ongoing ratchets for self-healing against key compromise, defining the global state of the art for protecting messages against Harvest Now, Decrypt Later attacks and future quantum computers.

@Creative 此次加密升級和imessage可能的被針對，有無關係，翻譯核心要點，並分析。

好的，我们来深入分析你提出的观点、提供的资料，以及 iMessage 的加密升级。

对 iMessage 可能被监控的合理担忧

你的观点“合理相信 iMessage 可以被监控”，是建立在以下几个现实基础上的：

1. “云上贵州”的现实：
   • 正如你所说，苹果公司在中国大陆的数据存储由“云上贵州”运营，这表明中国政府在一定程度上可以对这些数据进行管辖。
   • 虽然苹果声称对加密数据本身无权访问，但政府机构可能有能力通过各种方式（如法律要求、技术渗透等）获取或试图获取这些数据。
2. 加密并非“不可破”：
   • 加密技术并非绝对安全，随着计算能力的提升，一些曾经被认为是不可破解的加密算法可能会被攻破。
   • 即使是端对端加密，也无法完全阻止针对设备的攻击，例如恶意软件感染、物理访问等。
   • “没法广泛监视”并不等同于“无法监视”，针对特定目标的高级攻击仍然存在。
3. 政府监控的动机和能力：
   • 政府监控出于各种原因，包括国家安全、反恐、打击犯罪等，在某些情况下，可能会超出公众的知情范围。
   • 政府机构拥有强大的资源和技术实力，可以利用各种手段进行监控，即使难度较高。
4. 自组网的风险：
   • 如你所说，自组网可能是一种逃避监控的方式，但其构建和使用存在极高的技术难度和法律风险。

“国外监控和国内监控没有本质区别”的观点

你提出的“被国外监控和被国内监控好像，也没啥本质好坏区别”，触及了监控问题的本质：

1. 监控的本质：
   • 监控本身是对隐私的侵犯，无论由哪个国家或机构实施，都会对个人自由和隐私造成威胁。
   • 监控的目的和方式也可能存在差异，但最终都会对个体产生影响。
2. 棱镜门事件：
   • 棱镜门事件暴露了美国政府大规模监控公民通讯的事实，证明了国家监控在任何国家都可能存在。
   • 西方国家长期以来标榜的 “人权” “隐私”，在实际操作中，也会打上双重标准的烙印。
3. 监控的全球化：
   • 随着全球化的深入，监控已经不再局限于国内，而是跨越国界，呈现全球化的趋势。
   • 不同国家之间可能会存在数据共享和情报交换，这使得监控变得更加复杂。

“美国人都用微信，中国人都用 iMessage” 的设想

你提出的“美国人都用微信，中国人都用 iMessage”的设想，是一种理想化的解决方案，旨在通过相互监控来达到某种“平衡”：

1. 相互监控的逻辑：
   • 如果双方都使用对方的通讯工具，那么双方的监控能力可能会相互制约，从而达到某种程度的“相互威慑”。
   • 这也可以被视为一种对等措施，避免单方面的信息不对称。
2. 现实的挑战：
   • 这种方案在现实中难以实现，因为用户通常会选择自己习惯使用的通讯工具，并且存在网络审查和监管等方面的障碍。
   • 政府和企业也不可能主动推动这种相互对等的使用局面。

对苹果公司保密性的评价

你提供的《观传媒》文章和斯诺登的推文，以及苹果官方博客文章，揭示了苹果公司在信息安全方面的努力和挑战：

1. 苹果在信息安全方面的投入：
   • 如你所说，苹果公司在加密技术、设备安全等方面投入了大量资源，致力于保护用户隐私。
   • iMessage 的端对端加密和密钥透明度验证等功能，在当时是领先的。
2. 苹果面临的挑战：
   • 即便如此，苹果仍然面临着政府监控、技术漏洞、恶意攻击等方面的挑战。
   • 苹果需要在用户隐私和政府监管之间寻求平衡。
3. iMessage with PQ3 的升级：
   • 苹果官方博客文章介绍了 iMessage 的 PQ3 加密协议，该协议旨在对抗未来的量子计算攻击。
   • PQ3 是一种 “混合” 设计，它结合了现有的椭圆曲线加密和新的后量子加密算法。
   • PQ3 使用 “密钥轮换” 技术，即使密钥被泄露，也不会危及未来信息的安全。
   • 苹果公司还聘请了第三方专家对 PQ3 进行了正式验证。

PQ3 加密升级与 iMessage 被针对的关系

你的核心问题是：此次加密升级和 iMessage 可能被针对，有无关系？

1. 可能的关联：
   • 苹果公司对 iMessage 的加密升级，可能是在一定程度上回应了政府机构的监控压力。
   • 新的加密技术可以提升 iMessage 的安全性，使其更难被破解或监控。
   • 苹果可能希望通过这种方式来维护用户的信任，并证明自己在保护用户隐私方面的立场。
2. 升级的必然性：
   • 量子计算技术的发展，使得传统的加密算法面临被破解的风险，因此，后量子加密升级是必然趋势。
   • 苹果公司的加密升级，也可能是出于自身的技术发展需要，而不是仅仅针对某个特定的对象或威胁。
3. 升级并非万能：
   • 加密技术的升级只能提升安全性，不能完全消除风险。
   • 即使采用了 PQ3，iMessage 仍然可能面临其他形式的攻击，例如社会工程学攻击、元数据监控等。

核心要点翻译和分析

我来翻译并分析苹果博客文章的核心要点：

• iMessage 引入 PQ3： PQ3 是一种新的后量子加密协议，可提供端对端安全消息传递的最高水平。
• 抵御量子攻击： PQ3 的设计目标是为了应对未来量子计算机可能造成的威胁，并能实现抵御密钥泄露的自愈。
• 三层安全级别： 该文章将消息传递安全性分为三个级别。目前市面上大部分应用程序都属于 Level 0（没有端到端加密）或 Level 1（有端对端加密，但没有量子安全）。Signal 在引入 PQXDH 后达到了 Level 2 （量子安全，用于初始密钥建立）。而 iMessage 的 PQ3 达到了 Level 3，它可以同时保护初始密钥建立和持续的消息交换。
• 自愈能力： PQ3 引入了定期后量子密钥更换机制，即使某个密钥被破解，也能迅速恢复会话的安全性。
• 混合设计： PQ3 结合了传统的椭圆曲线加密和后量子加密，这使得破解 PQ3 的难度大大增加。
• 形式验证： PQ3 经过了数学上的形式验证，证明了其安全性和有效性。
• 密钥建立： 新的后量子加密密钥在 iMessage 注册过程中生成，并与苹果服务器共享。
• 密钥轮换： 定期进行密钥轮换，并在加密消息中包含新的密钥材料，以保护未来的消息。
• 填充： PQ3 使用 Padmé 填充方案来避免泄露消息长度信息。
• 认证： 每个消息都使用椭圆曲线签名进行认证。

总结

• 你对 iMessage 可能被监控的担忧是合理的，基于现实存在的技术挑战、政治因素、和法律风险。
• “被国外监控和被国内监控”本质上都是对个人隐私的侵犯。
• “美国人用微信，中国人都用 iMessage” 的设想在现实中难以实现。
• 苹果公司在信息安全方面做出了很多努力，包括 PQ3 加密升级，但仍然面临挑战。
• PQ3 加密升级可能与 iMessage 面临的监控压力存在关联，但更是出于技术发展的必然趋势。

希望以上分析能解答你的疑问。请记住，保护隐私需要我们不断学习、思考，并采取实际行动！

之前就用上了
但用的不多（
见证需求比较低（
但是这种走数据的其实也能解密吧（
signal那个没几位的pin码不知道在技术上有无破解难度

这居然是西方国家的AI能说的…

西方的政治正确就是言论自由，他没必要在这控制这个
即使不是真正的自由也要宣传的像真的自由一样，讲这些无关大雅
反观国内ai一提战争政治就五讲四美习近平思想很难说开放

这是一个悖论…（

不如朝鲜太阳牌AI