Apple opens its post-Quantum encryption vault

The tech world is rapidly waking up to the security threat posed by future quantum computers, which will be able to break with ease the encryption we now use to protect our internet existences. Against that backdrop, Apple’s decision to share iPhone and Mac post-quantum cryptography code on GitHub speaks volumes.

The release, lost in the fog of reporting over the Memorial Day weekend, implements Apple’s versions of the standardized quantum-secure ML-KEM and ML-DSA algorithms. The newly published material includes source code for corecrypto, the cryptographic library used by Apple’s Security framework, CryptoKit, and CommonCrypto. The company also published a white paper explaining more, including how it’s been testing its protection.

Post-quantum to its core

Apple has been working on post-quantum cryptographic protection for years. It first went public with this effort when it introduced iMessage’s PQ3 protocol in iOS 17.4. That protection secures both the conversation and its encryption keys against future quantum-based attacks. It is now available in iMessage, VPN, and TLS networking, while CryptoKit means developers can adopt quantum-secure encryption in their own apps. 

What Apple published is fairly extensive, but briefly it means the company has formally verified that its corecrypto library puts quantum-resistant protection in place. It already runs continuously across over 2.5 billion active devices, providing encryption, hashing, random number generation, and digital signatures. Apple’s tests also mean the company has set a new benchmark for high-assurance security engineering and compliance — even to the extent that it built its own custom tools to verify its protection, and collaborated with well-regarded US R&D firm Galois to facilitate third parties who want to test corecrypto.

Apple wants you to kick its protection around

“With the latest release of corecrypto source code on May 22, 2026, we’re sharing meaningful advances in applied formal verification with the global cryptographic community, including the details of our approach and the tools we used,” Apple said.

The idea is that by publishing it this way, Apple makes it possible for security researchers to really kick these protections around to try to make sure they will work once quantum truly becomes a threat. The company also said it wants to “encourage wider adoption, support critical review of our work, and help advance the state of the art for assuring critical software.”

Apple is relatively certain its protections do work. To achieve that, it formally verified parts of its corecrypto library, providing mathematical proof that its critical encryption implementations work as they should.

Why proof matters

That mathematical proof is significant. One way to look at it is that while traditional security models focus on perimeter protections, Apple’s mathematical approach effectively analyzes protected code to ensure there are no vulnerabilities at all in its security foundations, at least when it comes to quantum-based attacks. Now, “at all” is a big claim, but in the here and now at least it means developers will be able to focus on ensuring their apps and user access protections are quantum-safe, leaving foundational protection to the security teams in Cupertino.

It’s a move that should raise the bar across the entire industry; Apple has basically proved it’s possible to verify critical code with mathematical certainty. If Apple can do it for its operating systems, others should be able to do the same. I find it easy to imagine Chrome will quickly follow, though other operating systems might continue to face future quantum challenges, in part because elements of their code were literally built for a different computational paradigm.

“Our formal verification detected issues that would not have been caught with conventional testing, letting us address the errors before they ever reached our products,” Apple said in its white paper.

There are limitations to what Apple is offering. The mathematical proof is expensive to deliver, which means the scope of what is claimed applies only to those quantum protections Apple mentions in its report. This likely leaves other attack vectors future attackers could seek to exploit. Apple also seems to concede that it’s possible its tests might themselves have flaws, which is why it wants to encourage researchers to put its work to the test.

What next? 

We already know that security on any platform is a never-ending struggle. As one thing gets fixed, additional vulnerabilities become exposed. And when dealing with adversaries, some of whom are supported by the power of entire nations, one can never afford to be complacent. It’s good to see that Apple continues to put protections in place against the looming quantum computing threat. It’s even better that the company is sharing how it verifies its work; doing so makes it a little easier for less resourced developers to research, test, and implement their own protections against the coming quantum menace.
