
Let’s Encrypt Bets on Merkle Tree Certificates to Solve the Quantum Threat

Saran K | June 3, 2026 | 4 min read


    The Looming ‘Q-Day’ for Web Authentication

    For years, the cybersecurity industry has treated post-quantum cryptography (PQC) primarily as an encryption problem. The logic was simple: adversaries could capture encrypted traffic today and simply wait for a cryptographically relevant quantum computer (CRQC) to emerge and decrypt it retroactively. Authentication—the mechanism that proves a server is who it claims to be—was seen as a lower priority because forging a digital signature requires a quantum computer to operate in real time.

    That luxury of time is disappearing. Global regulatory bodies and tech giants are shifting their timelines. The U.S. National Security Agency’s CNSA 2.0 suite has already set a 2030-to-2035 schedule for post-quantum migration, while NIST guidelines suggest RSA-2048 and P-256 could be deprecated by the end of the decade. More pressingly, Google and Cloudflare have recently accelerated their internal migrations, with Google targeting 2029 for its services.

    Let’s Encrypt, the world’s largest certificate authority, is now stepping into the fray. The organization has announced its commitment to a post-quantum-safe Web Public Key Infrastructure (PKI), signaling a transition toward a new architecture known as Merkle Tree Certificates (MTCs).

    The ‘Bloat’ Problem in Quantum Security

    The primary obstacle to implementing post-quantum signatures on the web isn’t just the math—it’s the size. Current standards, such as ECDSA-P256, produce signatures of only 64 bytes. In contrast, ML-DSA-44, one of the NIST-standardized post-quantum schemes, generates signatures roughly 2,420 bytes long.

    In a typical TLS handshake, several signatures and public keys are exchanged. Replacing these with ML-DSA equivalents would push a single handshake well beyond 10 kilobytes. According to research from Cloudflare, this level of bloat leads to a significant percentage of TLS connections failing on real-world networks, while those that do succeed suffer from noticeable latency.

    For Let’s Encrypt, deploying a security measure that degrades the overall performance of the web is a non-starter. The organization argues that defaults drive security at scale; if the post-quantum default makes the internet slower or less reliable, adoption will stall.

    MTCs: A Structural Pivot

    Merkle Tree Certificates offer a way to bypass the size penalty. Rather than signing every certificate individually, an MTC-based CA issues certificates in batches, using a single signature to cover the entire group. Browsers track these batch signatures—referred to as “landmarks”—independently of the TLS handshake.

    This shift dramatically reduces the data transferred during the connection process. In most cases, an MTC handshake consists of a single signature, one public key, and one inclusion proof. This makes the post-quantum handshake smaller than the traditional Web PKI handshakes used today.

    Beyond performance, MTCs fundamentally change how Certificate Transparency (CT) works. Currently, CT is a “bolt-on” system where certificates are issued and then logged separately. With MTCs, transparency is an inherent property of issuance; a certificate cannot exist unless it is part of the Merkle tree. This integrates logging and issuance into a single, immutable process.

    The Roadmap to 2027

    This transition will require a significant overhaul of Let’s Encrypt’s internal architecture. The organization must update its issuance infrastructure, the ACME protocol used by subscribers, and its revocation tooling. Given that Let’s Encrypt has operated its own CT logs since 2019, it already possesses deep operational experience with the Merkle tree data structures that underpin MTCs.

    The timeline is ambitious but structured. Let’s Encrypt is targeting a staging environment for MTC issuance in late 2026, with a full production-ready environment expected in 2027. The effort is being coordinated with the IETF’s PLANTS working group and has received a nod of approval from Chrome, which has named MTCs as its preferred path for bringing quantum resistance to the public web.

    While Let’s Encrypt continues to track traditional ML-DSA signatures in X.509 (RFC 9881), the strategic pivot toward MTCs suggests that the future of web security may depend less on bigger keys and more on smarter structures.
