How Google Is Reinventing HTTPS for the Quantum Age

Google and Cloudflare are testing Merkle Tree Certificates: a new approach that makes quantum-resistant HTTPS faster and smaller than classical certificates.

Google announced in February that it will not simply swap one certificate type for another to make HTTPS quantum-resistant. Instead, the company is proposing to redesign how browsers trust websites, and the result could actually make HTTPS connections smaller than they are today while adding quantum resistance.

That is worth paying attention to.

TL;DR: Google’s Merkle Tree Certificates proposal rethinks HTTPS trust, not just the signature format. The goal is quantum-resistant web PKI without blowing up certificate size and handshake cost.

The size problem

Most of the early post-quantum attention went to key exchange: protecting session keys against a future quantum computer. That part is mostly handled. Cloudflare, Google, and others have deployed hybrid post-quantum key exchange at scale, and modern browsers negotiate it automatically.

But every TLS handshake also includes a certificate that proves the server’s identity. Those certificates use digital signatures, and the post-quantum signature algorithms NIST standardized are large. ML-DSA-65 alone contributes close to 10 kilobytes. The hash-based backup option, SLH-DSA, is even bigger. A typical certificate chain involves multiple signatures and public keys, so you can end up sending 15 KB or more just to prove identity before a single byte of actual content goes through.

One Google researcher pointed out that’s more than 1% of a 3.5-inch floppy disk, in signatures alone, per connection.

Merkle tree certificates

Google’s proposal, developed with Cloudflare and now being standardized through an IETF working group called PLANTS, takes a different approach: Merkle Tree Certificates (MTCs).

The idea is straightforward. Instead of each certificate carrying its own large signature, a Certificate Authority (CA) signs a single “Tree Head,” a compact cryptographic summary representing potentially millions of certificates at once. What gets sent to your browser is not a traditional certificate but a short proof of inclusion: evidence that your site’s certificate is a leaf in that tree.

When the browser already has a fresh copy of the tree (kept updated in the background, similar to how Certificate Transparency logs work today), a TLS connection only needs one signature, one public key, and a compact inclusion proof. Google estimates the quantum-resistant authentication data shrinks from roughly 14,700 bytes to around 736 bytes, which is actually smaller than classical certificate chains used today.

This is not theoretical. Since early 2026, Google and Cloudflare have been running a live feasibility study with roughly 1,000 real TLS certificates enrolled.

A new root store

The proposal also introduces a Chrome Quantum-Resistant Root Store (CQRS), a separate set of trusted roots that only accepts MTCs. This matters because it means the transition does not require forcing today’s legacy PKI to change. The new system can be bootstrapped independently, with CT log operators invited to participate in 2027 and general CA onboarding expected in the second half of that year.

The existing root store and classical certificates don’t go away overnight. Browsers would support both systems in parallel during the transition, falling back for connections that only support the classical model.

What this means in practice

For most website operators and IT teams, this will eventually mean working with a new certificate type that is issued and renewed through a different, probably more automated process. The point of all this work is to make quantum-resistant HTTPS less painful to deploy, not more.

The harder work falls on Certificate Authorities and browser vendors building the new infrastructure. But the principle is clear: the web is preparing for quantum computers, and doing it in a way that doesn’t tank performance.

If you want to see where your own infrastructure stands today, whether you’re already negotiating post-quantum key exchange and how your current certificate chain looks, QCReady gives you a quick scan. For a deeper look at your full TLS environment, SSLboard covers cipher suites, certificate health, and more.

The quantum transition is happening in layers. Key exchange first, then certificates. This proposal is what the second layer looks like.

