Post-quantum to its core
Apple has been working on post-quantum cryptographic protection for years. It first went public with this effort when it introduced iMessage’s PQ3 protocol in iOS 17.4. That protection secures both the conversation and its encryption keys against future quantum-based attacks. It is now available in iMessage, VPN, and TLS networking, while CryptoKit means developers can adopt quantum-secure encryption in their own apps.
What Apple published is fairly extensive, but briefly it means the company has formally verified that its corecrypto library puts quantum-resistant protection in place. It already runs continuously across over 2.5 billion active devices, providing encryption, hashing, random number generation, and digital signatures. Apple’s tests also mean the company has set a new benchmark for high-assurance security engineering and compliance — even to the extent that it built its own custom tools to verify its protection, and collaborated with well-regarded US R&D firm Galois to facilitate third parties who want to test corecrypto.
Apple wants you to kick its protection around
“With the latest release of corecrypto source code on May 22, 2026, we’re sharing meaningful advances in applied formal verification with the global cryptographic community, including the details of our approach and the tools we used,” Apple said.
The idea is that by publishing it this way, Apple makes it possible for security researchers to really kick these protections around to try to make sure they will work once quantum truly becomes a threat. The company also said it wants to “encourage wider adoption, support critical review of our work, and help advance the state of the art for assuring critical software.”
Read the full article here
