Google quantum‑proofs HTTPS, compressing 15 KB into 700‑byte packets
While today’s HTTPS handshakes still carry kilobytes of certificate data, Google’s new Chrome update crams the same 15 KB into a 700‑byte payload, delivering quantum‑resistant security without breaking the web, Ars Technica reports.
Key Facts
- Key company: Google
- Also mentioned: Cloudflare
Google’s Chrome team disclosed that the new quantum‑resistant handshake relies on Merkle Tree Certificates, a redesign of the public‑key infrastructure that replaces the traditional chain of six elliptic‑curve signatures and two EC public keys with a compact inclusion proof. In the proposed model, a Certification Authority signs a single “Tree Head” that can represent millions of certificates; the browser then receives only a lightweight proof that the site’s certificate is part of that tree, shrinking the payload from roughly 4 KB to about 700 bytes, according to the Ars Technica report by Dan Goodin (Feb. 27, 2026). The reduction is achieved by leveraging cryptographic hashes that allow verification of large data sets with a tiny fraction of the original material, a technique already explored in public transparency logs.
The impetus for the redesign is the looming threat of Shor’s algorithm, which could break the elliptic‑curve signatures that underpin today’s X.509 chains. A conventional certificate chain, at roughly 4 KB, must be transmitted during every TLS handshake, and a quantum‑resistant replacement would be about 40 times larger, potentially throttling connection speeds and overloading middleboxes. Bas Westerbaan, principal research engineer at Cloudflare and a partner on the transition, warned that “the bigger you make the certificate, the slower the handshake and the more people you leave behind,” emphasizing that any performance hit could prompt users to disable the new encryption (Ars Technica). By compressing the data to 700 bytes, Google hopes to avoid that fallback and keep the web interoperable.
To achieve quantum resistance, Google is augmenting the Merkle Tree proof with post‑quantum signatures from algorithms such as ML‑DSA. The combination means an attacker would need to break both the classical elliptic‑curve signatures and the post‑quantum scheme to forge a certificate, a dual‑security approach that mirrors the “cryptographic material from quantum‑resistant algorithms” strategy described in the article. This hybrid model also protects the integrity of certificate transparency logs, which are append‑only ledgers introduced after the 2011 DigiNotar breach. If Shor’s algorithm were to compromise those logs, forged timestamps could allow rogue certificates to appear legitimate; the added ML‑DSA signatures aim to prevent that scenario (Ars Technica).
Google frames the rollout as part of a “quantum‑resistant root” for the web, a foundational layer that will eventually be required across all browsers. While the current Chrome update demonstrates feasibility, the broader ecosystem will need to adopt the Merkle Tree format and support the new post‑quantum algorithms. Cloudflare’s deeper dive into Merkle Trees, referenced in the Ars Technica piece, outlines the mathematical underpinnings and highlights that the “Tree Head” can be efficiently updated as new certificates are issued, preserving the low‑overhead property even as the certificate universe expands. The transition will also depend on the continued operation of transparency logs, which remain the primary mechanism for detecting mis‑issued certificates.
Industry observers note that the move aligns with a growing consensus that quantum‑ready security must be baked into the web stack before large‑scale quantum computers become practical. VentureBeat’s coverage of “harvest now, decrypt later” attacks underscores the urgency: adversaries are already stockpiling encrypted data in anticipation of future decryption capabilities. By shrinking the quantum‑resistant payload to a size comparable to current handshakes, Google aims to close that window without sacrificing performance, a balance that could set the standard for the next generation of secure web protocols.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.