
Quantum secure cryptography in Apple operating systems
Overview
Historically, communications protocols have used classical public key cryptography, such as RSA, Elliptic Curve Diffie-Hellman key exchange and Elliptic Curve signature, to establish secure connections between devices or between a device and a server. All these algorithms rest on mathematical problems that have long been considered too computationally intensive for computers to solve, even when accounting for Moore’s law. However, the rise of quantum computing threatens to change the equation. A sufficiently powerful quantum computer could solve these classical mathematical problems in fundamentally different ways and, in theory, do so fast enough to threaten the security of end-to-end encrypted communications.
Although quantum computers with this capability don’t exist yet, extremely well-resourced attackers can already prepare for their arrival by exploiting the steep decrease in modern data storage costs. The premise is simple: attackers can collect large amounts of today’s encrypted data and file it all away for future reference. Even though they can’t decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.
To mitigate risks from future quantum computers, the cryptographic community has been working on postquantum cryptography (PQC): new public key algorithms that provide the building blocks for quantum-secure protocols but don’t require a quantum computer to run. These protocols can run on the classical, non-quantum computers in use today, but will remain secure from known threats posed by future quantum computers.
Apple’s approach to quantum secure cryptography
When deploying quantum secure cryptography, Apple is adopting hybrid cryptography, which combines classic algorithms and new postquantum algorithms so that updates can’t make systems less secure than before. Hybrid cryptography is critical because it lets Apple continue taking advantage of field-tested classic algorithm implementations, which Apple has hardened against key recovery attacks that exploit CPU signals during algorithm execution, such as side-channel attacks.
Apple has deployed quantum secure cryptography across a wide range of protocols, prioritizing applications involving sensitive user information where attackers could harvest encrypted communications at scale:
iMessage: Apple deployed iMessage PQ3 in iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, which advanced the state of the art in quantum-secure messaging at scale. For more information, see iMessage with PQ3: The new state of the art in quantum-secure messaging at scale on the Apple Security Blog.
TLS and HTTPS: Apple supports Quantum Secure Encryption in TLS in the developer networking APIs URLSession and Network framework in iOS 26, iPadOS 26, macOS 26, tvOS 26, and watchOS 26. These APIs enable it by default for all system services and apps that use them. This is an especially important protocol because it protects a vast amount of personal data, like internet browsing and email, transiting across networks where attackers could harvest data. For more information, see TLS security.
VPN: Apple added quantum secure encryption in the native VPN client support as well as the developer IKEv2 APIs, which also makes it easy for third-party VPN solutions to enable quantum secure encryption with iOS 26, iPadOS 26, macOS 26, tvOS 26, and watchOS 26. For more information, see Virtual private network (VPN) security.
SSH: Apple upgraded this protocol (commonly used on Mac to log in remotely and transfer files) with a quantum secure encryption key exchange in macOS 26. For more information, see Allow a remote computer to access a Mac in the Mac User Guide.
Apple Watch: Apple enabled quantum secure encryption between iPhone and Apple Watch in iOS 26 and watchOS 26 by adding additional key exchanges using ML-KEM. For more information, see System security for watchOS.
Developer cryptographic APIs: To enable developers to leverage Apple’s native implementation and transition their own protocols to post-quantum cryptography, support was added in the Apple CryptoKit framework in iOS 26, iPadOS 26, macOS 26, tvOS 26, and watchOS 26. For secure encryption, ML-KEM offers two parameters: ML-KEM 768 and ML-KEM 1024. For quantum secure authentication, developers can use ML-DSA-65 and ML-DSA-87. Although these algorithms are robust in isolation, developers must use them in well-analyzed protocols to ensure they correctly use and combine them to achieve the application’s security needs. For more information, see Apple CryptoKit on the Apple Developer website.
Important: Systems support quantum encryption only when they connect to supporting servers.
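Because the quantum secure key exchange is used only when the server supports it, a remote login can be checked for a silent fallback to a classical exchange. The script below is an added example, not Apple's code: it assumes an OpenSSH client, whose verbose log names the negotiated method, and treats OpenSSH's hybrid methods (ML-KEM-768 or sntrup761 combined with X25519) as quantum secure; the page does not say which method macOS 26 negotiates, and the sample logs are constructed.

```shell
#!/bin/sh
# Added example (not Apple's code): report whether an SSH session negotiated a
# hybrid post-quantum key exchange. Assumes an OpenSSH client, which logs the
# negotiated method as "debug1: kex: algorithm: <name>" when run with -v.

# kex_class NAME: print "hybrid-pq" for OpenSSH's hybrid post-quantum methods
# (ML-KEM-768 + X25519, sntrup761 + X25519), otherwise "classical".
kex_class() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512*) echo hybrid-pq ;;
        *) echo classical ;;
    esac
}

# negotiated_kex: read "ssh -v" output on stdin, print the negotiated method.
# The "kex: host key algorithm:" line is deliberately not matched.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^[:space:]]*\).*$/\1/p' | head -n 1
}

# audit_log: read "ssh -v" output on stdin and print "<class> <name>".
# Returns 0 for hybrid-pq, 1 for classical, 2 if no negotiation line was found.
audit_log() {
    name=$(negotiated_kex)
    if [ -z "$name" ]; then
        echo "unknown -"
        return 2
    fi
    class=$(kex_class "$name")
    echo "$class $name"
    [ "$class" = hybrid-pq ]
}

# Constructed sample logs: one server that supports the hybrid method, one that
# does not, so the client fell back to a classical exchange.
SAMPLE_PQ='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_CLASSIC='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

printf '%s\n' "$SAMPLE_PQ" | audit_log
printf '%s\n' "$SAMPLE_CLASSIC" | audit_log || echo "fallback: not quantum secure"

# Live use (host.example is a placeholder; debug output goes to stderr):
#   ssh -v user@host.example exit 2>&1 | audit_log
```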