Apple Open‑Sources Post‑Quantum Cryptography Implementations in CoreCrypto Library
What Happened — Apple has released the source code, mathematical proofs, and formal‑verification artifacts for its post‑quantum cryptography (PQC) implementations in the CoreCrypto library. The open‑source package includes ML‑KEM and ML‑DSA algorithms, verification tools, and documentation for independent review.
Why It Matters for TPRM —
- PQC protects data in transit and at rest against future quantum attacks, a risk that spans all third‑party relationships.
- Open‑sourcing enables auditors, vendors, and customers to validate Apple’s cryptographic guarantees, reducing supply‑chain uncertainty.
- Formal verification demonstrates a higher assurance level than conventional testing, setting a new benchmark for cryptographic libraries used by millions of devices.
Who Is Affected — All industries that rely on Apple devices or services (iMessage, VPN, TLS, enterprise MDM) – health, finance, education, government, retail, etc.
Recommended Actions —
- Review contracts with Apple‑based service providers to confirm they have adopted the new PQC modules.
- Request evidence of PQC integration from vendors that embed CoreCrypto in their products.
- Update internal cryptographic risk assessments to include quantum‑resistance considerations.
Technical Notes — Apple’s CoreCrypto library, written in portable C, now includes NIST‑standardized ML‑KEM (key encapsulation) and ML‑DSA (digital signatures). The code is protected against timing attacks and includes randomization of internal computations. Formal verification was performed using a custom toolchain that translates Cryptol models into Isabelle proofs, with assistance from Galois. No known vulnerabilities are disclosed; the release is a proactive hardening measure. Source: Help Net Security