Chrome to adopt Merkle Tree Certificates in phased move toward quantum resistance

In a technical blog post from Google, the Chrome Secure Web and Networking Team said Chrome will develop Merkle Tree Certificates to protect HTTPS certificates against future quantum computing risks and will roll out the approach in phases through the third quarter of 2027.

KEY FACTS

  • Technology: Merkle Tree Certificates reduce the number of public keys and signatures in a TLS handshake
  • Timeline: Phased rollout with completion target of Q3 2027
  • Early test: Feasibility study with Cloudflare is in progress
  • Root program: New Chrome Quantum-resistant Root Store will support only MTCs

Under the Merkle Tree Certificate model, a Certification Authority signs a single Tree Head that can represent many certificates, and the browser receives a compact proof of inclusion rather than full X.509 chains. The design is described in the IETF draft on Merkle Tree Certificates.

MTCs aim to minimize the authentication data sent in the TLS handshake so sites can adopt post-quantum algorithms without substantially increasing bandwidth. The approach separates the cryptographic algorithm used for security from the size of the data transmitted to users.

The project is already being tested with real internet traffic and will expand in three phases. Phase 1 is an ongoing feasibility study with Cloudflare. Phase 2 in the first quarter of 2027 will invite Certificate Transparency log operators with at least one usable log in Chrome to help bootstrap public MTCs. Phase 3 in the third quarter of 2027 will finalize requirements for onboarding additional certificate authorities into the Chrome Quantum-resistant Root Store and a corresponding root program that only supports MTCs.

To avoid bandwidth and scalability issues, Google will not immediately add traditional X.509 certificates containing post-quantum algorithms to the Chrome Root Store. Details on adoption by other browsers and the wider CA ecosystem are not specified in the announcement.

WHY IT MATTERS

Merkle Tree Certificates aim to allow deployment of stronger post-quantum cryptography while keeping TLS handshakes compact and fast. The change could affect how certificate authorities, log operators and browsers manage root programs and certificate validation going forward.