There is a quiet race underway beneath every secure website visit you make, and Google has just posted a significant lead. On Friday, the company detailed a plan to make the cryptographic certificates underpinning HTTPS connections resistant to quantum computer attacks, without slowing down the web in the process. The solution involves some clever mathematics and a data structure called a Merkle Tree.
The core problem is one of scale. The quantum-resistant cryptographic material needed to secure TLS certificates is roughly 40 times larger than what browsers use today. A standard X.509 certificate chain currently runs to about 4 kilobytes, comprising six elliptic curve signatures and two public keys at 64 bytes each. Swap those out for post-quantum equivalents and you are looking at something closer to 15 kilobytes per connection handshake. Multiply that across billions of daily web sessions and the performance hit becomes serious.
"The bigger you make the certificate, the slower the handshake and the more people you leave behind," said Bas Westerbaan, principal research engineer at Cloudflare, which is partnering with Google on the transition. Speaking to Ars Technica, he warned that users would likely disable new encryption features if they noticeably slowed browsing. He also flagged that large certificate sizes could degrade so-called middle boxes, the network devices sitting between a browser and a destination server.
Why quantum computers change everything
The urgency stems from Shor's algorithm, a quantum computing method that could, once viable hardware exists, crack the elliptic curve cryptography protecting today's certificate infrastructure. An attacker with a sufficiently powerful quantum computer could forge the signed certificate timestamps used to prove to a browser that a certificate is legitimate, effectively impersonating any website on the internet.
This is not a theoretical concern invented by researchers seeking funding. The certificate transparency system itself was built in direct response to a real attack: the 2011 hack of Netherlands-based DigiNotar, which allowed the minting of around 500 counterfeit certificates for Google and other major sites. Some of those forged certificates were used to spy on internet users in Iran. The lesson was that certificate infrastructure, if compromised, has immediate real-world consequences.
The Merkle Tree solution
Google's answer is Merkle Tree Certificates (MTCs). Rather than transmitting the full chain of signatures for every connection, a Certificate Authority signs a single cryptographic summary called a Tree Head, which can represent millions of certificates simultaneously. The browser receives only a compact proof that a specific certificate is included in that tree. Strip away the buzz and the fundamentals show a genuine efficiency gain: the certificate data sent during a handshake stays at roughly 4 kilobytes, matching today's size, while the quantum-resistant assurances are baked in.
As members of Google's Chrome Secure Web and Networking Team wrote on Friday, MTCs "replace the heavy, serialized chain of signatures found in traditional PKI with compact Merkle Tree proofs." The new system also incorporates quantum-resistant algorithms such as ML-DSA, meaning an attacker would need to break both classical and post-quantum encryption simultaneously to forge a certificate.
Support is already live in Chrome. Cloudflare is currently enrolling roughly 1,000 TLS certificates in a test phase, with the company generating the distributed ledger for now. The longer-term plan is for Certificate Authorities to take on that role as the system matures.
Standards and the road ahead
Industry coordination is following close behind. The Internet Engineering Task Force's PKI, Logs, And Tree Signatures working group has formed specifically to bring key players together around a long-term standard. Google has framed the MTC rollout and its associated quantum-resistant root store as extensions of the Chrome Root Store programme it established in 2022.
For Australian businesses and government agencies that depend on web security, particularly those in finance, health, and critical infrastructure, the timeline for quantum threats is still debated. Some researchers place practical quantum attacks a decade or more away; others are less confident. What is not debated is that retrofitting security after the fact is significantly more expensive than building it in now. The smart money is moving toward preparation, not reaction.
The transition will not be painless. Deploying a new certificate architecture across a global internet of billions of devices and thousands of Certificate Authorities requires careful coordination, testing, and fallback planning. There is a genuine tension between moving quickly enough to matter and moving carefully enough not to break things. Google and Cloudflare appear to be threading that needle for now, but the real test will come when the system scales beyond 1,000 certificates to the hundreds of millions that underpin the modern web.