Let's Encrypt Develops Quantum-Resistant Certificates Using Merkle Trees
Let's Encrypt is pioneering Merkle Tree Certificates (MTCs) to safeguard web authentication against future quantum computing threats, aiming to maintain performance while enhancing security.

Let's Encrypt is charting a course for the post-quantum era of the Web Public Key Infrastructure (PKI) with the development of Merkle Tree Certificates (MTCs). This innovative approach aims to provide quantum-resistant authentication without the significant performance overhead that traditional post-quantum cryptographic algorithms would impose on TLS handshakes. By replacing the lengthy, serialized X.509 certificate chains with compact Merkle Tree proofs, MTCs promise to keep web browsing fast and efficient even as the threat landscape evolves.
The urgency for such solutions is mounting. Major governmental and industry bodies are setting aggressive timelines for migrating to post-quantum cryptography. The NSA's CNSA 2.0 suite mandates a transition for national security systems by 2030-2035, while NIST's guidance suggests deprecating current algorithms like RSA-2048 and P-256 after 2030. Google has set a 2029 deadline for its services, and Cloudflare has made a similar commitment. The sheer scale of the internet's PKI makes a naive migration a daunting prospect; for instance, one of NIST's smaller standardized post-quantum signature schemes, ML-DSA-44, produces signatures nearly 38 times larger than current standards, potentially crippling TLS handshakes.
MTCs offer a novel solution by fundamentally altering how certificates are issued and verified. Instead of individual certificate signing, Certificate Authorities (CAs) will issue certificates in batches, secured by a single, robust post-quantum signature covering the entire batch. Browsers and clients will then maintain these batch signatures, known as landmarks, separately from the TLS handshake. This design means a typical MTC handshake will carry only one signature, one public key, and a small inclusion proof, significantly reducing the data transmitted compared to a handshake using large post-quantum signatures.
Furthermore, MTCs integrate Certificate Transparency (CT) by design. Each certificate becomes an intrinsic part of a published Merkle tree, making transparency a core feature of the issuance process rather than an add-on. Let's Encrypt, with its extensive experience operating Merkle tree-based CT logs since 2019, is well-positioned to implement this integrated approach. This inherent transparency is crucial for maintaining trust and accountability in the evolving Web PKI.
The MTC ecosystem is already gaining momentum. Cloudflare and Google Chrome are actively conducting feasibility experiments with MTCs against real-world internet traffic. The Internet Engineering Task Force (IETF) is standardizing the design through its PLANTS working group, and Chrome has publicly endorsed MTCs as its preferred path for post-quantum certificates on the public web. This collaborative effort signals a strong industry consensus forming around the MTC standard.
Let's Encrypt is targeting the deployment of a staging MTC environment by late 2026, with a production-ready system anticipated in 2027. This rollout will necessitate significant changes across Let's Encrypt's infrastructure, including its issuance systems, the ACME protocol, revocation tooling, and CT log operations. While end-users and most server operators will experience a seamless transition, ACME client maintainers are advised to monitor the PLANTS working group and relevant mailing lists for upcoming client-side changes.
In the interim, server operators are encouraged to continue deploying hybrid post-quantum key exchange mechanisms, such as X25519MLKEM768. Hybrid key exchange is the primary defense against 'harvest now, decrypt later' attacks, in which encrypted traffic is recorded today for future decryption by quantum computers. The development of MTCs represents a proactive and strategic move by Let's Encrypt to ensure the long-term security and integrity of the internet's foundational authentication infrastructure.