up:: In the Protocols MOC
Apple iMessage PQ3
Apple iMessage PQ3 is the post-quantum cryptographic protocol Apple built into iMessage to protect conversations against a quantum computer across their entire lifetime. It is defined by one design choice: PQ3 applies post-quantum key encapsulation to both the initial key establishment at the start of a conversation and the ongoing rekeying that happens continuously as messages flow, which Apple labels Level 3 security. That is a step beyond protocols that add post-quantum protection only to the opening handshake, like Signal PQXDH, which Apple places at Level 2. The post-quantum primitive is Kyber, the scheme NIST standardized as ML-KEM, and PQ3 exists to close the harvest-now-decrypt-later window on a conversation’s first key and on every key it uses afterward.
Source: Apple Security Research, “iMessage with PQ3: The new state of the art in quantum-secure messaging at scale,” February 21, 2024, security.apple.com/blog/imessage-pq3.
The short version:
- PQ3 protects both phases of a conversation with post-quantum cryptography: the initial key establishment (with Kyber-1024) and the ongoing rekeying (with Kyber-768), which is what Apple defines as Level 3.
- Apple’s ranking puts Signal PQXDH at Level 2, where post-quantum cryptography covers only the initial key establishment, so a later compromise of the conversation key material reopens the exposure. PQ3 answers that by rotating fresh post-quantum keys throughout the conversation.
- The rekeying runs roughly every 50 messages and at least once a week, and it is self-healing: a periodic post-quantum rekey means a single key compromise cannot expose the whole conversation, because past and future keys stay independent.
- The motivation is HNDL. Apple frames it as an adversary collecting today’s encrypted data to decrypt once quantum computers arrive, and PQ3 makes each fresh message key impossible to compute from past ones.
- PQ3 is a hybrid design. It runs the post-quantum KEM alongside the classical elliptic-curve cryptography iMessage already used, so a break of either primitive alone leaves the conversation protected. Authentication is a separate plane.
Picture a safe whose combination is reset on a schedule, not set once and left. A protocol that only hardens the opening handshake is a safe with a quantum-proof lock installed the day it ships, then reusing that same lock for years. If someone ever pries that one lock open, everything behind it since day one is exposed. PQ3 swaps in a fresh quantum-proof lock on a rolling basis, so prying open any single lock reveals only the short stretch of messages that lock guarded, and the combinations before and after it stay sealed. Extending the post-quantum guarantee from one lock to every lock is the whole distance between Level 2 and Level 3.
What is Apple iMessage PQ3?
PQ3 is Apple’s third-generation cryptographic protocol for iMessage, and its defining property is that post-quantum cryptography protects a conversation continuously rather than only at its start. When iMessage was introduced it used classical public-key cryptography, all of it vulnerable to Shor’s algorithm. PQ3 keeps that classical layer and adds a post-quantum key encapsulation mechanism in two places: once to establish the conversation’s first shared secret, and then again, repeatedly, to refresh the key material as the conversation continues.
Apple states the design goal plainly. PQ3 introduces a new post-quantum encryption key into the set of public keys each device generates, and it adds “a periodic post-quantum rekeying mechanism that has the ability to self-heal from key compromise.” Those two additions, one at the start and one ongoing, are exactly what separate PQ3 from a protocol that stops at the initial handshake.
Source: Apple Security Research, “iMessage with PQ3,” security.apple.com/blog/imessage-pq3.
The post-quantum primitive is Kyber, which NIST finalized as ML-KEM in FIPS 203. PQ3 uses Kyber-1024 for the initial establishment and Kyber-768 for the ongoing rekeying, running each alongside the classical elliptic-curve operation so the combination is a hybrid. Apple rolled PQ3 out starting with iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and described a plan to make it the default that fully replaces the prior iMessage encryption over the course of the year.
What are Apple’s four security levels?
Apple’s blog frames messaging security as four tiers, and the framework is worth internalizing because it is the clearest public taxonomy of what “quantum-safe messaging” actually means. The two top levels are the ones the quantum transition turns on.
| Level | What it means |
|---|---|
| Level 0 | No end-to-end encryption by default, and no quantum security |
| Level 1 | End-to-end encryption by default, and no quantum security |
| Level 2 | Post-quantum cryptography limited to the initial key establishment |
| Level 3 | Post-quantum cryptography for both the initial key establishment and the ongoing message exchange |
Source: Apple Security Research, “iMessage with PQ3,” security.apple.com/blog/imessage-pq3.
The load-bearing line is Apple’s description of the Level 2 gap. In Apple’s words, “at Level 2, the application of post-quantum cryptography is limited to the initial key establishment, providing quantum security only if the conversation key material is never compromised.” Level 3 removes that “only if” by using post-quantum keys that, again in Apple’s phrasing, “change on an ongoing basis.” Apple positioned PQ3 as reaching Level 3 and named Signal PQXDH as the Level 2 example, and the distinction is a real difference in the guarantee rather than marketing, because it decides whether a mid-conversation key compromise stays contained or unravels the whole thread retroactively.
How does PQ3’s ongoing rekeying work?
The ongoing rekeying is the mechanism that carries PQ3 from Level 2 to Level 3, and it works by continuously injecting fresh post-quantum key material into the conversation so that keys age out and cannot be reconstructed from their predecessors. The sequence in practice:
- Fresh post-quantum keys ride along with messages. As the conversation proceeds, devices transmit new post-quantum public key material inside the message flow, so the pool of key material keeps refreshing rather than staying fixed at the opening handshake.
- New keys derive new message keys. Each fresh post-quantum key is used to create new message-encryption keys, and Apple’s design ensures those keys “can’t be computed from past ones,” so knowing an old key gives no path to a future one.
- The rekey runs on a cadence. The post-quantum rekeying happens roughly every 50 messages, and Apple guarantees it at least weekly even in a quiet conversation, so no stretch of the thread goes long without fresh key material.
- Compromise self-heals. Because each rekey is independent, a single key compromise exposes only the segment of messages that key protected. The conversation heals forward: subsequent rekeys restore confidentiality that the compromised key would otherwise have surrendered.
Source: Apple Security Research, “iMessage with PQ3,” security.apple.com/blog/imessage-pq3.
This is the same self-healing property a classical ratchet provides, lifted into the post-quantum setting. A protocol that only hardens the opening handshake gives quantum protection at Level 2 that holds “only if the conversation key material is never compromised,” and PQ3’s ongoing post-quantum rekeying is precisely what removes that condition. The rekey uses Kyber-768 rather than the Kyber-1024 of the initial establishment, a deliberate size choice that keeps the frequent per-conversation overhead manageable while retaining a strong post-quantum margin.
How does PQ3 contrast with Signal PQXDH?
PQ3 and Signal PQXDH both bring post-quantum cryptography into a widely deployed secure messenger, and they differ on how far past the opening handshake the post-quantum guarantee extends. Both protect the initial key establishment with a Kyber-family KEM; only PQ3 also protects the ongoing rekeying.
| Signal PQXDH | Apple PQ3 | |
|---|---|---|
| Post-quantum at initial key establishment | Yes (Kyber-1024) | Yes (Kyber-1024) |
| Post-quantum in ongoing rekeying | No (classical ratchet) | Yes (Kyber-768, periodic) |
| Apple’s security-level label | Level 2 | Level 3 |
| Self-heals from mid-conversation key compromise (against a quantum adversary) | Classical only | Yes, post-quantum |
| Authentication | Classical | Classical |
Source: Apple Security Research, “iMessage with PQ3,” security.apple.com/blog/imessage-pq3; Signal, “The PQXDH Key Agreement Protocol,” signal.org/docs/specifications/pqxdh.
The honest framing is that both protocols close the HNDL window on a conversation’s opening secret, which is the harvestable step that matters most against a recording adversary, so both deliver the core post-quantum defense. PQ3’s ongoing post-quantum rekeying adds a defense against a different attacker, one who compromises key material during a conversation and holds a quantum computer, and PQXDH answers that same scenario with a classical ratchet instead. So Level 3 versus Level 2 is a design decision about how far to carry the post-quantum guarantee past the first handshake, and both remain classical on the authentication plane.
Why did Apple ship PQ3 before quantum computers exist?
Because the attack PQ3 defends against runs today even though the machine that finishes it does not exist yet. The motivation is harvest-now-decrypt-later: Apple describes an adversary who can “collect large amounts of today’s encrypted data and file it all away for future reference,” then decrypt it once a quantum computer can break the classical cryptography. The recording happens now; the decryption waits for the hardware.
PQ3’s answer is to make each fresh message key impossible to reconstruct from past ones, so even a full recording of a conversation yields nothing useful once the quantum computer arrives, because the keys that would unlock it were never derivable from the material the attacker captured. Apple’s phrasing is that “new keys sent along with the conversation are used to create fresh message encryption keys that can’t be computed from past ones.” Shipping this before any CRQC exists is the point, because every conversation recorded in the interim is a future liability the day the machine is built, and waiting means those years of traffic are already lost.
Source: Apple Security Research, “iMessage with PQ3,” security.apple.com/blog/imessage-pq3.
What does PQ3 not protect?
PQ3 protects the confidentiality of message content against a harvesting quantum adversary, and like every applied-PQC protocol shipping in 2026 it treats authentication as a separate plane on a separate clock. The identity that proves a message came from the right device rests on the classical signing keys iMessage already used, and a quantum computer running Shor’s algorithm would break those too.
This is the HNDL versus Non-HNDL split again. Message confidentiality is harvestable, so a recorded conversation is decryptable retroactively the day a quantum computer exists, which makes it the urgent half and the half PQ3 hardens first, in both the initial and ongoing key material. A forged identity signature only helps an attacker in real time, at the moment of sending, so there is nothing to record and the authentication migration runs on a slower track, the same sequencing TLS follows when it migrates key exchange before certificate signatures. A complete accounting of a messenger’s quantum posture tracks the confidentiality plane and the authentication plane separately, because PQ3 advances the first well ahead of the second.
Common misconceptions
- “PQ3 and PQXDH are the same because both use Kyber.” They use the same KEM family, and they draw the line in different places. PQXDH puts post-quantum cryptography in the initial key establishment (Level 2), while PQ3 also puts it in the ongoing rekeying (Level 3), which is what defends a long conversation against a mid-stream key compromise faced by a quantum adversary.
- “Level 3 means iMessage is entirely quantum-proof.” Level 3 describes the confidentiality of message content, established and rekeyed with post-quantum cryptography. The authentication that proves who sent a message is still classical, so a full end-to-end post-quantum guarantee including identity is a later, separate migration.
- “PQ3 replaced iMessage’s classical cryptography.” PQ3 is a hybrid. It runs the post-quantum KEM alongside the existing elliptic-curve cryptography, so a break of either primitive alone leaves the conversation protected, and the classical half is carried as a hedge against an undiscovered flaw in the young lattice scheme.
- “The ongoing rekeying is just a performance feature.” It is the security property that carries PQ3 from Level 2 to Level 3. Without it, the Level 2 guarantee holds only if the conversation key material is never compromised, and the periodic post-quantum rekey is exactly what removes that condition.
- “PQ3 protects messages I sent before it shipped.” It protects conversations secured under PQ3 going forward. Anything sent with the prior classical-only iMessage encryption stays exposed to a future quantum computer, which is the harvest-now-decrypt-later argument for enabling it as early as possible.
Questions people ask
Is iMessage quantum-safe? iMessage’s message confidentiality is post-quantum through PQ3, which applies Kyber to both the initial key establishment and the ongoing rekeying of a conversation, which Apple calls Level 3 security. The identity authentication is still classical, so the content is protected against a harvesting quantum adversary while a full post-quantum guarantee including identity is a later step.
What does Level 3 mean? In Apple’s taxonomy it means post-quantum cryptography protects both the initial key establishment and the ongoing message exchange. Level 2, by contrast, protects only the initial key establishment, so it holds “only if the conversation key material is never compromised.” PQ3 is Apple’s Level 3 protocol.
How is PQ3 different from Signal’s PQXDH? Both protect the opening handshake with a Kyber-family KEM. PQ3 additionally rekeys the conversation with post-quantum cryptography on an ongoing basis (Level 3), while Signal PQXDH leaves the ongoing ratchet classical (Level 2), so PQ3 self-heals a mid-conversation key compromise against a quantum adversary where PQXDH relies on a classical ratchet.
Which post-quantum algorithm does PQ3 use? Kyber, standardized by NIST as ML-KEM. PQ3 uses Kyber-1024 for the initial key establishment and Kyber-768 for the periodic rekeying, each run alongside classical elliptic-curve cryptography as a hybrid.
How often does PQ3 rekey? The post-quantum rekeying runs roughly every 50 messages and at least once a week, so the conversation’s key material keeps refreshing and no long stretch of the thread depends on a single key.
Why did Apple add post-quantum crypto before quantum computers can break anything? Because of harvest-now-decrypt-later. An adversary can record encrypted conversations today and decrypt them once a quantum computer exists, so PQ3 makes each fresh message key impossible to compute from past ones, and shipping it early protects the traffic sent in the meantime.
When did PQ3 roll out? Apple began rolling PQ3 out with iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, announced February 21, 2024, with a plan to make it the default that fully replaces the prior iMessage encryption.
Everything here is the map, given freely. When your team needs its own messaging, key-establishment, and identity surfaces sorted into what already resists a harvesting quantum adversary and what still has to move, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.