Can anyone comment on where this puts Signal now in relation to iMessage with PQ3[1]? As an aside, can anyone comment on earlier (fast/rushed/sound?) attempts at quantum-resistant encrypted messaging in Cyph[2] and Simplex[3] in comparison?
My read is that Signal now ratchets with ML-KEM in a similar way to iMessages's PQ3, with key delivery being one of the main differentiating features.
Everyone is worried about the fact that ML-KEM keys are so chonky, so PQ3 sends them out only occasionally while Signal chunks them up and sends them in pieces along with all normal messages. Signal's argument is that a huge re-keying message could be detected and blocked, and chunking them is both safer and smoother on bandwidth. Erasure coding will likely wind up costing a bit more overall bandwidth, but each message will be more consistently sized. Given the wide range of Signal's deployment posture, that is probably a wise tradeoff to make. I would expect that Apple has a bit more control over their networks and are in a better position to deal with adversaries attempting to actively block their re-key updates.
Is iMessage even relevant since the vast majority of Apple users have iCloud backups turned on without E2E? E2E backups are opt-in because Apple can't help you recover your data if you turn it on.
Given that, Apple can already decrypt messages of users, if so requested by law enforcement and intelligence agencies. No fancy quantum breaches needed.
[1] https://security.apple.com/blog/imessage-pq3/ [2] https://www.cyph.com/castle [3] https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum...