Google tests Merkle Tree Certificates for quantum web
Google has begun rolling out a new approach to HTTPS certificates in Chrome aimed at limiting the performance and bandwidth impact of post-quantum cryptography while keeping certificate issuance publicly transparent.
The initiative centres on a certificate format called Merkle Tree Certificates (MTCs). The format is being developed in a new Internet Engineering Task Force working group, PKI, Logs, And Tree Signatures (PLANTS).
Post-quantum cryptography is expected to increase the size of cryptographic material used in common security protocols. On the web, that could mean larger certificate chains, heavier TLS handshakes, and added overhead from Certificate Transparency requirements.
For now, Chrome does not plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store. Instead, the browser team is pursuing MTCs as an evolution of web certificates.
How MTCs Work
Traditional web PKI relies on a chain of certificates and signatures that browsers receive during the TLS handshake. Each link in the chain adds data and processing cost.
MTCs replace that serial chain with a Merkle tree. A Certification Authority signs a single "Tree Head" representing a set that can include millions of certificates. The browser then receives a proof that a specific certificate is included in the signed tree.
Google presents MTCs as a way to decouple cryptographic strength from the amount of data sent during connection setup, and to reduce authentication data in the TLS handshake to a minimum.
MTCs also integrate public logging into issuance. In Google's model, a certificate cannot be issued unless it is included in a public tree. That contrasts with today's approach, where Certificate Transparency logging and proof mechanisms add steps and data to the handshake.
Three-Phase Rollout
Chrome's programme has three deployment phases, with early experimentation already underway. The first phase tests feasibility; later phases introduce public infrastructure and a new trust store.
In phase one, Chrome is running experiments with real internet traffic in collaboration with Cloudflare to evaluate the performance and security of TLS connections that rely on MTCs.
Each MTC-based connection in the experiment also uses a traditional trusted X.509 certificate. Google describes this as a fail-safe that allows measurement and operational validation without changing Chrome users' security expectations.
In phase two, Google plans to invite existing Certificate Transparency log operators to help bootstrap public MTCs. Participation is limited to operators that had at least one "usable" log in Chrome before February 1, 2026.
Google says these organisations have experience running high-availability global services that sit in the critical path for web security, and points to architectural similarities between MTC infrastructure and today's Certificate Transparency ecosystem.
Phase three introduces a new trust store and corresponding root programme: the Chrome Quantum-resistant Root Store (CQRS), which will support only MTCs.
The CQRS will operate alongside the existing Chrome Root Program as a risk-managed transition. The plan also includes a way for sites to opt in to downgrade protections in cases where a site only wants to use quantum-resistant certificates.
Policy Changes
The programme also proposes broader changes to issuance practices and oversight, with an emphasis on simpler, more predictable elements for establishing a secure client-server connection.
One proposal is an ACME-only workflow for certificate issuance in the new system. Another is a new framework for communicating revocation status, focused on key-compromise events rather than legacy certificate revocation lists.
Google also highlights "reproducible" Domain Control Validation, which would make proofs of domain control publicly and persistently available. Under this model, other parties could verify the legitimacy of a validation, using what Google calls a "DCV Monitor".
Other proposed changes include a revised model for admitting Certification Authorities. Prospective MTC CA operators could first demonstrate reliability in operational roles, such as mirroring and monitoring, before being accepted as issuers.
Google also signals a shift in third-party oversight away from annual audits and towards continuous, externally verifiable monitoring, with an emphasis on performance data and operational transparency that can be assessed on an ongoing basis.
Traditional PKI
Alongside its work on MTCs, Google says it remains committed to the current Chrome Root Store and existing partners, and notes that root rotations will remain necessary for certificate hierarchies that are not quantum-resistant.
Google also expects to support traditional X.509 certificates with quantum-resistant algorithms for private public key infrastructures later this year. Under the current plan, that support would not extend to certificates included in the Chrome Root Store.
Google says it will continue working through standards bodies including the IETF and C2SP as the technology and related policies develop.