How Google Is Reinventing HTTPS for the Quantum Age
Google and Cloudflare are testing Merkle Tree Certificates: a new approach that makes quantum-resistant HTTPS faster and smaller than classical certificates.
Something quietly remarkable happened in the world of web security this February. Google announced that it is not planning to simply swap one type of certificate for another to make HTTPS quantum-resistant. Instead, it is proposing to redesign the entire architecture of how browsers trust websites — and in doing so, potentially make your HTTPS connections smaller than they are today, even while adding quantum resistance.
That is a surprising outcome worth understanding.
TL;DR: Google’s Merkle Tree Certificates proposal is a bigger rethink of HTTPS, not just a new signature format. The goal is to make quantum-resistant web PKI practical without exploding certificate size and handshake cost.
The Size Problem Nobody Was Talking About
When cryptographers began standardizing post-quantum algorithms, most of the public attention went to key exchange: protecting the session keys that encrypt your traffic against a future quantum computer. That battle is largely being won. Cloudflare, Google, and others have already deployed hybrid post-quantum key exchange at scale, and modern browsers negotiate it automatically.
But there is a second half to every TLS handshake: the certificate that proves the server is who it claims to be. Those certificates use digital signatures, and the post-quantum signature algorithms that have been standardized are… large. ML-DSA-65, one of the NIST-standardized options, contributes close to 10 kilobytes of data. The hash-based backup option, SLH-DSA, adds even more. A typical certificate chain involves multiple signatures and public keys — you can quickly end up sending 15 kilobytes or more just to prove identity, before a single byte of your actual content is transmitted.
As one Google researcher put it, that is more than 1% of a 3.5-inch floppy disk, in signatures alone, for every single connection.
Merkle Tree Certificates: A Different Model
Google’s proposal, developed in collaboration with Cloudflare and now being standardized through an IETF working group called PLANTS, takes a fundamentally different approach called Merkle Tree Certificates (MTCs).
The core idea is elegant. Instead of each certificate carrying its own large signature, a Certificate Authority (CA) signs a single “Tree Head” — a compact cryptographic summary representing potentially millions of certificates at once. What gets sent to your browser is not a traditional certificate at all, but a short proof of inclusion: evidence that your site’s certificate is a leaf in that particular tree.
When the browser already has a fresh copy of the tree (kept updated in the background, similar to how Certificate Transparency logs work today), a TLS connection only needs one signature, one public key, and a compact inclusion proof. The result: Google estimates the quantum-resistant authentication data shrinks from roughly 14,700 bytes to around 736 bytes — actually smaller than the classical certificate chains used today.
This is not theoretical. Since early 2026, Google and Cloudflare have been running a live feasibility study with approximately 1,000 real TLS certificates enrolled in the system.
A New Root Store for a New Era
The proposal also introduces a Chrome Quantum-Resistant Root Store (CQRS) — a separate, new set of trusted roots that only accepts MTCs. This is significant because it means the transition does not require forcing today’s legacy PKI to evolve. The new system can be bootstrapped independently, with CT log operators invited to participate in 2027 and general CA onboarding expected in the second half of 2027.
The existing root store and classical certificates do not go away overnight. Browsers would support both systems in parallel during the transition, falling back gracefully for connections that only support the classical model.
What This Means in Practice
For most website operators and IT teams, this will eventually mean working with a new type of certificate that is issued and renewed through a different (and likely more automated) process. The good news is that the goal of this entire exercise is to make quantum-resistant HTTPS less painful to deploy, not more.
The harder work falls on Certificate Authorities and browser vendors who need to implement the new infrastructure. But the broader principle holds: the web is getting ready for a future where quantum computers exist, and doing so in a way that does not bring current internet performance to its knees.
If you want to see where your own infrastructure stands today — whether you’re already negotiating post-quantum key exchange and how your current certificate chain looks — QCReady gives you a quick scan. For a deeper look at your full TLS environment, SSLboard covers cipher suites, certificate health, and more.
The quantum transition is happening in layers. Key exchange first, then certificates. Google just showed us what the second layer will look like.
Sources:
- Google Online Security Blog: Cultivating a robust and efficient quantum-safe HTTPS
- Cloudflare: Keeping the Internet fast and secure: introducing Merkle Tree Certificates
- The Hacker News: Google Develops Merkle Tree Certificates to Enable Quantum-Resistant HTTPS in Chrome
- SecurityWeek: Google Working Towards Quantum-Safe Chrome HTTPS Certificates