Lead: Google has begun adding post-quantum cryptographic material to the public certificate transparency ecosystem to guard HTTPS from future quantum attacks. Announced in February 2026, the change embeds quantum-resistant signatures such as ML-DSA into compact Merkle-based commitments so certificate logs can remain verifiable without large data growth. Chrome already supports the format and Cloudflare is enrolling roughly 1,000 TLS certificates in a test ledger; the design aims to keep commitments near the current ~64-byte size. The move is intended to prevent attackers who might one day run Shor’s algorithm from forging signed timestamps that falsely prove a certificate was logged.
Key takeaways
- Google is introducing a quantum-resistant root store that augments existing TLS certificate transparency mechanisms with post-quantum cryptographic material, including ML-DSA.
- Merkle Tree Commitments (MTCs) are being used to embed the extra material without large growth in log entries; commitments remain roughly 64 bytes long.
- Cloudflare is running an initial trial by enrolling about 1,000 TLS certificates and generating the distributed ledger during the test phase.
- The change is a defensive response to the threat that Shor’s algorithm could one day enable forging of classical signatures and disruption of certificate logs.
- The Internet Engineering Task Force has formed a working group, PKI, Logs, And Tree Signatures, to coordinate a standards path for this and related changes.
- Google says the new regime complements the Chrome Root Store created in 2022 and is intended to accelerate post-quantum adoption across the web.
Background
Certificate transparency (CT) was introduced to make TLS certificate issuance auditable by publishing certificates and signed timestamps in append-only public logs. Website operators and browsers consult these logs in real time to detect misissued certificates for domains they control. The transparency model grew from a practical security lesson: the 2011 compromise of DigiNotar, a Netherlands-based certification authority, enabled the creation of roughly 500 fake certificates for Google and other sites and was used in surveillance activity in Iran, showing how forged certificates can silently break trust.
CT logs currently rely on cryptographic primitives that are secure against classical computers but would be vulnerable if large-scale quantum computers become practical. In particular, Shor’s algorithm would let an attacker factor or otherwise break the public-key systems underpinning conventional digital signatures, potentially enabling forgery of signed certificate timestamps (SCTs) that claim a certificate was logged when it was not. The web ecosystem’s aim is to make any successful forgery require breaking both classical and post-quantum protections, raising the bar for an attacker.
Main event
Google’s engineering team has designed Merkle Tree Commitments (MTCs) to carry additional cryptographic material required for post-quantum validation while keeping on-disk and on-wire sizes small. Rather than appending full-length post-quantum keys and hashes—which can be kilobytes long—MTCs incorporate compressed commitments derived from Merkle trees so that proofs of inclusion remain short. According to Google engineers, that allows the system to preserve the current operational model and tooling for CT logs.
Chrome has already been updated to recognize and validate the new commitments as part of a broader quantum-resistant root store initiative. Cloudflare is serving as the initial ledger operator for the pilot and has enrolled about 1,000 TLS certificates to evaluate interoperability and performance. In the pilot phase, Cloudflare generates the distributed ledger; Google and standards groups expect certificate authorities (CAs) to assume that role in time for wide deployment.
The Internet Engineering Task Force has convened a working group named PKI, Logs, And Tree Signatures to coordinate specifications and ensure different implementers converge on compatible formats. Participants include browser vendors, major CAs, CDN operators, and independent researchers. The goal is to produce standards that allow CT logs to evolve without fragmenting the ecosystem or introducing dangerous incompatibilities.
Analysis & implications
Technically, adding post-quantum material to certificate logs is a form of layered defense: an attacker would need to break both classical and post-quantum algorithms to produce a convincing forgery. That substantially raises the cost and complexity of an attack compared with relying on a single primitive. In practice, however, the change shifts complexity into log and CA operations—operators must support new formats, key types, and validation logic, which could produce implementation errors if not carefully standardized and tested.
Size efficiency is the practical linchpin for adoption. Many post-quantum public keys and signatures are orders of magnitude larger than classical ones; naïvely storing them in CT logs would increase storage, bandwidth, and verification costs for browsers and monitoring services. MTCs aim to limit that impact by compressing the necessary material into compact commitments near the existing 64-byte footprint, helping preserve the lightweight, real-time checks that made CT effective.
Operationally, responsibility for ledger maintenance matters. Cloudflare’s pilot role lets engineers stress-test the design in a controlled environment, but the long-term plan envisions certificate authorities taking over ledger generation. That transition will require clear operational guidance and perhaps regulatory or industry incentives to ensure CAs adopt ledger roles without fragmentation. The IETF working group will play a pivotal role in specifying formats and failure modes so implementers can avoid subtle interoperability failures.
Comparison & data
| Item | Typical size | Notes |
|---|---|---|
| Existing Signed Tree Head / commitment | ~64 bytes | Compact proof used today for CT logs |
| Merkle Tree Commitment (MTC) | ~64 bytes | Carries compressed post-quantum material per Google design |
| Raw post-quantum keys/signatures (uncompressed) | kilobytes | Would bloat logs if stored naively |
This table shows why compression matters: raw post-quantum objects can be thousands of bytes, which would multiply log size and verification cost. MTCs are a middle path that seeks to keep network and storage impacts minimal while adding quantum-resistant assurances.
Reactions & quotes
“We view the adoption of MTCs and a quantum-resistant root store as a critical opportunity to ensure the robustness of the foundation of today’s ecosystem.”
Google (official blog post)
The statement frames the work as protective, not disruptive: Google positions MTCs and the new root store as compatibility-minded additions for an agile internet. That messaging targets other vendors and operators who must adopt the new formats for wide effectiveness.
“Using other techniques to reduce the data sizes, the MTCs will be roughly the same 64-byte length they are now.”
Westerbaan (Google engineer)
Westerbaan’s remark underscores the engineering constraint: maintaining small commitments is essential to preserve existing CT monitoring and browser performance expectations.
Unconfirmed
- The time at which certificate authorities will take over ledger generation from Cloudflare and the exact migration plan are not yet finalized.
- Whether all major browser vendors will accept the MTC format as proposed, or require modifications, remains to be determined by standards work and interop testing.
- The long-term performance profile of MTCs at internet scale (billions of certificates) is unproven beyond the initial Cloudflare pilot.
Bottom line
Google’s MTC proposal and the quantum-resistant root store represent a pragmatic attempt to harden one of the web’s trust anchors—certificate transparency—against a plausible future quantum threat. By compressing post-quantum data into small commitments, engineers hope to avoid a storage and bandwidth tax that would otherwise impede adoption.
Successful deployment hinges on standards coordination, careful implementation by CAs and log operators, and broad browser support. In the near term, expect pilots, interop testing, and IETF specification activity; in the longer term, the approach could meaningfully raise the difficulty of any attacker trying to retroactively forge certificate logs once quantum-capable hardware appears.