Google recently announced that it has begun testing a new class of quantum-resistant HTTPS certificates in the Chrome browser. The goal is to "reinforce the foundation" of Internet communications before quantum computing truly threatens existing encryption. Today's quantum computers are not powerful enough to break the Internet's mainstream encryption protocols, but the security industry, Google included, widely worries that once large-scale, practical quantum computers appear, the cryptographic algorithms that currently secure HTTPS could be broken quickly.

What Google has introduced into Chrome this time is a certificate system designed from the ground up to address quantum threats. It hopes to provide browsers and websites with a "quantum-safe" backup solution without significantly slowing down web page loading.

To understand the significance of this change, it helps to review how web security works today. When a user visits a website, the browser verifies the digital certificate the site presents, to confirm that the user is connected to the genuine website and not to a phishing site or to an attacker impersonating it as a man in the middle. These certificates rely on complex mathematical problems that conventional computers cannot solve within a reasonable time, so attackers cannot forge a website's identity or decrypt the transmitted content in the foreseeable future. However, the parallelism of quantum computers and the advantages of specific quantum algorithms overturn this premise. Quantum algorithms such as Shor's algorithm can, in theory, factor large integers efficiently and break the public-key cryptosystems that are widely deployed today, leaving the existing certificate system secure "in name only" in the quantum era.

The industry's intuitive countermeasure is to introduce quantum-resistant cryptographic algorithms that are believed to be "hard" for quantum computers. The problem is that the keys and signatures of these algorithms are usually much "fatter" than those of traditional schemes. In the commonly used X.509 certificate format, the relevant data is approximately 64 bytes. Replaced with an equivalent quantum-safe scheme, it grows to approximately 2.5KB, approximately 40 times the original size. These certificates are transmitted over the network every time an HTTPS connection is established. If all websites switched to the much larger quantum-resistant certificates, the amount of data sent during the handshake would increase significantly, and users would notice slower first responses and longer page loads. Once security measures visibly conflict with user experience, ordinary users would rather lower the security level than accept significantly slower web access.

To resolve this "security vs. performance" conflict, Google turned to a cryptographic structure called a Merkle tree and designed Merkle Tree Certificates (MTC) on top of it. Google explained in a security blog post that MTC replaces the serialized, bulky signature chain of the traditional public key infrastructure (PKI) with a compact Merkle tree proof. In this model, the Certificate Authority (CA) no longer signs each certificate individually. It signs only a "Tree Head" that represents the entire tree, which can cover millions of certificate records. The "certificate" the browser receives during the handshake is no longer a complete per-site certificate chain, but an "inclusion proof" showing that the website's entry is in this Merkle tree. The amount of data can therefore be kept close to the level of a traditional 64-byte certificate, balancing quantum security against network overhead.

Put more intuitively, MTC concentrates the "heavy lifting" of certificate signing in a tree maintained by the CA. The user's browser gets a short, verifiable path proof instead of a large set of independent certificates and intermediate certificate chains. For the CA, signing a single tree head covers a huge collection of certificates. For the browser, the data needed to verify a short Merkle path is much smaller than a full certificate, which also helps keep handshake latency under control. Given that quantum-safe algorithms inevitably increase the size of a single signature, Google is using "batching" and structural compression to avoid "paying" for the security hardening with a degraded network experience.
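The check described above, in which a browser confirms that one site's entry is contained in the tree behind a tree head, sketched as an added example (not code from Google, Chrome or the MTC specification). The entry encoding, SHA-256, the RFC 6962-style hash prefixes and all function names are assumptions, and the CA's quantum-resistant signature over the tree head is not shown.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()         # leaf prefix (assumption)

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # stops leaf/node confusion

def build_levels(entries):
    """CA side: hash every entry, then pair upwards; levels[-1][0] is the tree head."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])      # unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Server side: the sibling hashes on the path from leaf `index` to the head."""
    proof = []
    for level in levels[:-1]:
        if (index ^ 1) < len(level):
            proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify_inclusion(entry, index, size, proof, tree_head):
    """Browser side: recompute the head from one entry plus its short proof."""
    if not 0 <= index < size:
        return False
    h, rest = leaf_hash(entry), list(proof)
    while size > 1:
        if (index ^ 1) < size:         # a sibling exists at this level
            if not rest:
                return False
            sib = rest.pop(0)
            h = node_hash(h, sib) if index % 2 == 0 else node_hash(sib, h)
        index, size = index // 2, (size + 1) // 2
    return not rest and h == tree_head

# Constructed sample data: 1,000 placeholder entries, not real certificates.
ENTRIES = [f"site-{i}.example|constructed-public-key-{i}".encode() for i in range(1000)]
LEVELS = build_levels(ENTRIES)
TREE_HEAD = LEVELS[-1][0]              # the one value the CA would sign
PROOF = inclusion_proof(LEVELS, 421)
print(len(PROOF), "hashes;", verify_inclusion(ENTRIES[421], 421, 1000, PROOF, TREE_HEAD))
```

For these 1,000 constructed entries the proof is 10 SHA-256 hashes (320 bytes), and it grows with the logarithm of the tree size rather than with the size of the signature scheme.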

Chrome has now begun working with Cloudflare to conduct live tests of these new Merkle-tree-based certificates. Google revealed that about 1,000 certificates are currently running through the new system, and every connection also carries a traditional certificate as a backup when it is established. In other words, even if compatibility or implementation issues arise on the MTC side, the browser can still fall back to the existing certificate verification process, so user access is not affected and large-scale failures are avoided. This "parallel trial run" leaves enough room for the new solution to be broken in, and also provides practical data for gradually expanding the deployment later.

According to Google’s plan, the full rollout of this quantum-resistant certificate system will continue until 2027. By then, Google plans to launch a dedicated quantum-resistant trust store that will run in parallel with the existing Chrome root certificate store. This means that browsers will maintain both traditional PKI trust chains and quantum-resistant trust chains, with separate management and verification paths for the different types of website certificates. While the threat of quantum computing is still "foreseeable but not yet here", this parallel architecture lets the ecosystem migrate gradually and avoids the compatibility and operational risks of an all-at-once switch.

It is worth noting that the introduction of Merkle tree certificates also has an important "side effect": Certificate Transparency changes from optional to mandatory. Because new certificates can only be generated through a publicly verifiable log structure, the existence of any MTC certificate is naturally recorded in the public log, making it difficult to issue or abuse one "silently". Attackers and malicious insiders will find it harder to carry out man-in-the-middle attacks with forged certificates under such a mechanism, while security researchers and regulators gain better auditability and traceability across the entire certificate ecosystem.

In fact, Google began exploring how to defend browsers and Internet systems against quantum computing attacks as early as ten years ago. It has since run multiple rounds of experiments and tests at the level of experimental protocols, candidate encryption algorithms, and browser implementations. Rolling out quantum-resistant HTTPS certificates combined with Merkle tree structures in Chrome can be seen as another key step in its "quantum security roadmap": before the quantum threat becomes real, potential high-risk points should be "reinforced" in advance through protocol and infrastructure updates, laying the foundation for network security over the next few decades.