A Formal Analysis of Apple’s iMessage PQ3 Protocol

Felix Linker; Ralf Sasse; David Basin

Paper 2024/1395

A Formal Analysis of Apple’s iMessage PQ3 Protocol

Felix Linker

, ETH Zurich

Ralf Sasse

, ETH Zurich

David Basin

, ETH Zurich

Abstract

We present the formal verification of Apple’s iMessage PQ3, a highly performant, device-to-device messaging protocol offering strong security guarantees even against an adversary with quantum computing capabilities. PQ3 leverages Apple’s identity services together with a custom, post-quantum secure initialization phase and afterwards it employs a double ratchet construction in the style of Signal, extended to provide post-quantum, post-compromise security. We present a detailed formal model of PQ3, a precise specification of its fine-grained security properties, and machine-checked security proofs using the TAMARIN prover. Particularly novel is the integration of post-quantum secure key encapsulation into the relevant protocol phases and the detailed security claims along with their complete formal analysis. Our analysis covers both key ratchets, including unbounded loops, which was believed by some to be out of scope of symbolic provers like TAMARIN (it is not!).

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: messaging formal verification protocol verification
Contact author(s): flinker @ inf ethz ch
ralf sasse @ inf ethz ch
basin @ inf ethz ch
History: 2024-11-01: last of 3 revisions; 2024-09-05: received; See all versions
Short URL: https://ia.cr/2024/1395
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1395,
      author = {Felix Linker and Ralf Sasse and David Basin},
      title = {A Formal Analysis of Apple’s {iMessage} {PQ3} Protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1395},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1395}
}