Let\u2019s Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Let\u2019s Encrypt has announced its roadmap for post-quantum Web PKI, centering on a novel approach called Merkle Tree Certificates (MTCs), a design that delivers quantum-resistant authentication without bloating TLS handshakes or breaking the web\u2019s performance expectations.<\/p>\n
Traditional X.509 certificate chains require significant bandwidth, which would increase substantially with the adoption of robust post-quantum algorithms. MTCs solve this by replacing the heavy, serialized chain of signatures with compact Merkle Tree proofs.<\/p>\n
Earlier this year, Google unveiled<\/a> Merkle Tree Certificates to Shield HTTPS Against Quantum Threats, as Chrome is spearheading the transition to Merkle Tree Certificates (MTCs).\u00a0<\/p>\n For years, post-quantum cryptography discussions prioritized encryption over authentication. The logic was sound: \u201charvest now, decrypt later\u201d attacks make encrypted traffic immediately vulnerable, while forging authentication signatures requires a live Cryptographically Relevant Quantum Computer (CRQC). That window is closing fast.<\/p>\n The NSA\u2019s CNSA 2.0 suite<\/a> mandates that national security systems migrate to post-quantum algorithms by 2030\u20132035. NIST\u2019s draft transition guidance (IR 8547)<\/a> would deprecate RSA-2048 and P-256 after 2030 and disallow them after 2035.<\/p>\n The EU\u2019s post-quantum roadmap targets high-risk systems by the end of 2030. Most significantly, Google announced a 2029 migration deadline<\/a> for its services, and Cloudflare issued a parallel commitment<\/a>.<\/p>\n Go 1.27 also added ML-DSA, a NIST-standardized post-quantum signature scheme, directly to its standard library, signaling infrastructure readiness.<\/p>\n The Web PKI\u2019s scale makes naive post-quantum migration painful. ML-DSA-44, one of NIST\u2019s smaller standardized schemes, produces signatures of ~2,420 bytes, nearly 38\u00d7 larger than ECDSA-P256\u2019s 64 bytes.<\/p>\n A typical TLS handshake carries five signatures and two public keys. Swapping these with ML-DSA equivalents pushes a single handshake well beyond 10 KB.<\/p>\n Cloudflare\u2019s research<\/a> confirms the consequence: at that scale, a meaningful share of real-world TLS connections fail outright, and the rest slow down. Degrading every TLS connection globally is too steep a tradeoff for a threat that hasn\u2019t yet materialized.<\/p>\n MTCs reframe how certificates are issued and verified. Instead of signing each certificate individually, a CA issues certificates in batches, with a single post-quantum signature covering the entire batch. Clients (browsers) maintain these batch signatures, called landmarks, independently of the TLS handshake.<\/p>\n The result: an MTC handshake carries just one signature, one public key, and one inclusion proof smaller than today\u2019s Web PKI handshake, even while using post-quantum algorithms.<\/p>\n MTCs also bake in Certificate Transparency by design. Every certificate exists as part of a published Merkle tree, making transparency intrinsic to issuance rather than bolted on afterward. Let\u2019s Encrypt has operated CT logs built on Merkle trees since 2019<\/a>, giving it direct operational experience with the core data structure.<\/p>\n The MTC ecosystem is already mobilizing:<\/p>\n Let\u2019s Encrypt is targeting a staging MTC environment<\/a> in late 2026 and a production-ready environment in 2027. The rollout requires big changes across issuance infrastructure, the ACME protocol (RFC 9881<\/a>), revocation tooling, and CT log infrastructure.<\/p>\n For existing subscribers, nothing changes today. Certificates will continue to be issued via ACME exactly as before. ACME client maintainers, however, should begin tracking the PLANTS working group<\/a> and the mtcs@chromium.org mailing list<\/a> now, as client-side changes will be required.<\/p>\n For server operators, the most urgent action today remains enabling hybrid post-quantum key exchange (X25519MLKEM768) the primary defense against harvest-now-decrypt-later attacks on encrypted traffic.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Let\u2019s Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nLet\u2019s Encrypt Unveils Merkle Tree Certificates<\/strong><\/h2>\n
\n