Apple iMessage PQ3
PQ3 is Apple's post-quantum cryptographic protocol for iMessage, announced in February 2024. It combines Kyber-based initial key establishment with ongoing post-quantum rekeying inside every conversation, so that a key compromised or decrypted later does not expose the full message history. Apple began deploying PQ3 with iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 in March 2024.
Design
PQ3 addresses harvest now, decrypt later at two points in a conversation's life. For initial key establishment, each device registers public keys that include a post-quantum Kyber encapsulation key alongside a classical elliptic curve key; a sender starting a conversation encapsulates against both, and the session secret depends on both, the standard PQ/T hybrid pattern. Kyber, the scheme Apple selected, was standardized in modified form as ML-KEM in FIPS 203 later in 2024.
The distinctive part of PQ3 is what happens after the first message. Conversations periodically embed fresh Kyber public keys and encapsulations inside messages, refreshing the post-quantum shared secret over the lifetime of the session. Apple amortizes this rekeying to limit message size overhead. The property it buys is self-healing, also called post-compromise security: an attacker who obtains a device's session state at one point in time loses access again after the next rekey, and that guarantee now holds even against a future quantum adversary rather than only against classical ones, complementing the forward secrecy provided by key ratcheting.
Authentication in PQ3 remains classical: contact identity continues to rest on elliptic curve keys (with contact key verification available for manual checking), and Apple has stated that quantum-resistant authentication is planned as a future step. As with Signal's PQXDH, the reasoning is that impersonation requires a quantum computer at attack time, while message secrecy is exposed to recording today.
The level framing
Apple's announcement introduced a classification of messaging cryptography by how far post-quantum protection extends. In this framing, level 0 is no end-to-end encryption at all, level 1 is classical end-to-end encryption, level 2 is post-quantum protection for the initial key establishment only (where Apple placed PQXDH), and level 3 adds ongoing post-quantum rekeying, the level Apple claimed for PQ3. The framework is Apple's own and served partly to position its design, but the technical distinction it draws is real: without rekeying, a single compromised post-quantum secret protects an unbounded amount of future conversation.
Formal verification
Apple published PQ3 together with two independent formal analyses, an unusual step for a proprietary messenger. Douglas Stebila (University of Waterloo) produced a computational, proof-based security analysis of the protocol, and a team at ETH Zurich led by David Basin produced a machine-checked symbolic analysis using the Tamarin prover; both evaluations, described in Apple's announcement, concluded that PQ3 meets its stated security goals under their respective models. Together with the analysis of PQXDH, this established formal verification as the expected standard for post-quantum messaging upgrades.
Rollout status
PQ3 shipped in the March 2024 operating system releases and applies automatically to iMessage conversations between supported devices, with existing conversations transitioning to the new protocol as devices updated; Apple documentation, including the Apple Platform Security guide, describes PQ3 as the protocol securing iMessage. As of early 2026, PQ3 is the iMessage protocol between up-to-date Apple devices. Conversations that fall back to SMS, and messages exchanged with devices running older software, do not receive its protections. Apple announced PQ3 using Kyber before FIPS 203 was finalized; whether deployed clients later moved to the final ML-KEM parameters has not been publicly detailed. Alongside post-quantum TLS and Signal's deployment, PQ3 is one of the principal examples of post-quantum migration reaching consumer software at scale.
Frequently asked questions
Do users need to enable PQ3?
No. PQ3 activates automatically for iMessage conversations between devices running supported operating system versions.
Sources
- iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple Security Engineering and Architecture, 2024)
- Apple Platform Security (Apple, 2024)
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
Cite this entry
"Apple iMessage PQ3." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/imessage-pq3@misc{pqwiki-imessage-pq3,
title = {Apple iMessage PQ3},
howpublished = {\url{https://postquantum.wiki/imessage-pq3}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}