Google’s Chrome team has announced a structured program to replace traditional X.509 certificates with a lighter, quantum-resistant alternative called Merkle Tree Certificates (MTCs), aiming to keep TLS connections fast and secure as post-quantum cryptography becomes mandatory.

The Problem with Post-Quantum X.509

Post-quantum cryptographic algorithms produce significantly larger keys and signatures than today’s classical counterparts. Fitting those into the existing X.509 certificate chain model, which requires serialized signature chains and Certificate Transparency (CT) proofs, would substantially increase TLS handshake sizes and slow down connections. Chrome has decided not to add traditional X.509 certificates carrying post-quantum cryptography to its existing Root Store. Instead, it is co-developing MTCs through the IETF’s new PLANTS (PKI, Logs, And Tree Signatures) working group.

How Merkle Tree Certificates Work

The MTC model does not send a full certificate chain during the TLS handshake. Instead, a Certification Authority signs a single “Tree Head” that represents potentially millions of certificates, and the browser receives only a compact Merkle proof that the site’s certificate is included in that tree, dramatically reducing the authentication data transmitted per connection.

Key advantages of this approach include:

  • Bandwidth efficiency: Authentication data shrinks to the minimum necessary, decoupling cryptographic strength from transmission size.
  • Built-in transparency: Certificate issuance is impossible without inclusion in a public tree, making CT-equivalent transparency a default property rather than an add-on that inflates handshake size.
  • Quantum resistance: The design accommodates robust post-quantum algorithms without the performance penalties that classical X.509 chains would impose.

Three-Phase Rollout

Chrome’s deployment plan spans three phases:

  • Phase 1 (underway): A feasibility study conducted with Cloudflare evaluates real-world performance and security. Every MTC-based connection is backed by a trusted X.509 certificate as a failsafe, allowing measurement of gains without risking user security.
  • Phase 2 (Q1 2027): Chrome intends to invite CT Log operators that had at least one usable log before February 1, 2026 to bootstrap public MTC infrastructure. These operators are considered well-positioned due to their existing high-availability infrastructure and architectural overlap with MTC technology.
  • Phase 3 (Q3 2027): Google plans to finalize requirements for the Chrome Quantum-resistant Root Store (CQRS), a purpose-built trust store that supports only MTCs. The CQRS will run alongside the existing Chrome Root Program during the transition. This phase also introduces opt-in downgrade protections for sites that want to enforce quantum-resistant certificates exclusively.

Broader Policy Ambitions

Beyond the technical certificate format, Chrome signals an intent to modernize the surrounding ecosystem. Planned elements include ACME-only certificate issuance workflows to improve cryptographic agility, a modernized revocation framework focused on key compromise events rather than legacy CRLs, and exploration of reproducible Domain Control Validation that would make proofs of domain control publicly verifiable by any party.

Google states it will continue contributing to IETF and C2SP standards processes to ensure that real-world deployment experience feeds back into specifications and that Chrome tracks any resulting standard changes in the CQRS.