Apple has published its Apple corecrypto repository on GitHub and paired it with new technical documentation that explains how the company is bringing post-quantum security work into products like the iPhone and Mac.
The move builds on a roadmap Apple had already started discussing publicly in 2024. With iOS 17.4, the company introduced the PQ3 protocol for iMessage as part of its effort to prepare for the risk that future quantum computers could weaken current encryption methods. That work added post-quantum protections during session setup and later key refresh stages.
In this latest step, Apple says the newly published corecrypto project serves as a low-level cryptographic library used by the Security framework, CryptoKit, and CommonCrypto. In practical terms, that means it handles core functions such as encryption, hashing, random number generation, and digital signatures.
The repository includes source code as well as implementations of ML-KEM and ML-DSA, which are the post-quantum algorithms Apple selected for corecrypto. Apple also released testing assets, performance tools, build targets, and a dedicated formal verification directory as part of the package.
That verification directory contains proof material and supporting tools designed to check whether the implementation matches the FIPS 203 and FIPS 204 standards. FIPS 203 maps to ML-KEM, which is aimed at securely establishing encryption keys, while FIPS 204 maps to ML-DSA, which is used for digital signatures.
Apple also stressed that formal verification is not being treated as a replacement for normal testing. Instead, the company describes its process as a layered approach that combines conventional testing, simulation, independent review, and formal verification.
Beyond the code itself, Apple has also linked supporting material including the paper Formal verification for Apple corecrypto, a Cryptol-to-Isabelle conversion tool, and Isabelle theory files included in the source package. Taken together, the release gives developers and security researchers a much clearer view of how Apple is implementing post-quantum security under the hood.
