A term called Merkle Tree Certificates is about to start showing up everywhere. Here’s what it means and why it matters.
Key Takeaways#
- Google announced Merkle Tree Certificates on February 27, 2026 — a ground-up redesign of HTTPS certificate infrastructure, driven by quantum computing but bigger than just quantum
- A May 2025 Google Quantum AI analysis estimated that breaking RSA-2048 could be achieved in under a week using fewer than one million noisy qubits; adversaries are already collecting encrypted data today to decrypt later
- MTC solves the post-quantum bandwidth problem by having a CA sign a single “Tree Head” covering millions of certificates at once, keeping TLS handshakes compact despite much larger post-quantum keys
- NIST has set 2030 as the deadline to deprecate current cryptographic standards, with full prohibition by 2035 — for regulated industries, this is a compliance timeline with dates attached
- Early 2027 is when the infrastructure starts taking shape publicly; mid-to-late 2027 is when Chrome launches its quantum-resistant root store
If you follow security news, you’re going to start hearing about Merkle Tree Certificates. Google announced a program to deploy them in Chrome on February 27, 2026, and the coverage that follows will range from clear and useful to breathless and confusing. This is the version that cuts through.
The short version: the way HTTPS certificates work — the mechanism behind the lock icon in every browser — is being redesigned from the ground up. The change is driven by quantum computing, but it’s bigger than quantum. It’s a long-overdue architectural rethink of the trust model the web has relied on for thirty years. And if you manage servers, oversee IT, or advise clients on security posture, your certificate landscape is about to look different.
Why Certificates Are Changing at All#
Every HTTPS connection you make is secured by a certificate, a cryptographic document that says “this server is who it claims to be.” Certificates are issued by Certificate Authorities (CAs), organizations that browsers trust to vouch for website identities. Your browser checks that the certificate is valid and signed by a trusted CA before letting the connection proceed. This system is called Public Key Infrastructure, or PKI.
It works. But it has always had two problems that the industry has papered over rather than fixed.
The first is trust opacity. CAs have issued fraudulent certificates before, sometimes through compromise, sometimes through error. When that happens, attackers can impersonate websites and intercept encrypted traffic. A system called Certificate Transparency was added to make mis-issuance visible, but it’s a bolt-on mechanism, not a built-in one.
The second problem just became urgent: the math that PKI relies on is vulnerable to quantum computers. The encryption underpinning most of the web today, RSA and elliptic curve cryptography, can theoretically be broken by a sufficiently powerful quantum machine. That machine doesn’t exist yet, but the estimates for when it might are shrinking. A Google Quantum AI researcher published analysis in May 2025 estimating that breaking RSA-2048 could be achieved in under a week using fewer than one million noisy qubits. The resource estimates keep falling as algorithms improve.
And critically, adversaries are already collecting encrypted traffic today, storing it, and planning to decrypt it later when they have the capability. For anything with a long sensitivity window, medical records, legal communications, financial data, the exposure window is already open.
NIST standardized a set of post-quantum cryptographic algorithms in 2024. The leading candidate for key exchange, ML-KEM, is quantum-resistant. The problem is that its keys and signatures are dramatically larger than the RSA and ECC they replace. Dropping them into the existing PKI model would bloat TLS handshakes and slow down every HTTPS connection on the web. That’s the engineering problem Google set out to solve.
What a Merkle Tree Certificate Actually Is#
A Merkle Tree is a data structure that lets you prove something is part of a large dataset without transmitting the whole dataset. It’s the same mechanism used in certificate transparency logs, a way of creating compact, verifiable proofs of membership.
In the new model, instead of a CA signing each individual certificate with a large quantum-resistant key, the CA signs a single “Tree Head,” a cryptographic summary representing potentially millions of certificates at once. When your browser connects to a server, it receives a small proof that the server’s certificate is included in that signed tree. That proof is compact compared to what a full post-quantum certificate chain would be.
The result is quantum-resistant security without the bandwidth penalty. And because the tree is public and append-only, it’s structurally impossible to issue a certificate that doesn’t appear in a transparent, auditable log. The IETF’s PLANTS working group is currently standardizing the spec. The transparency that today’s web relies on a separate system to provide becomes a property of the architecture itself.
When This Is Actually Happening#
Google’s deployment is phased, and the timeline is measured in years, not weeks.
Right now, Chrome and Cloudflare are running a quiet feasibility study with real traffic. Every MTC connection is still backed by a traditional certificate, a safety net while the technology is validated, not a cutover.
Early 2027 is when the infrastructure starts to take shape publicly. Google will invite established certificate transparency log operators to participate in bootstrapping the new system.
Mid-to-late 2027 is when Google launches a new Chrome Quantum-resistant Root Store, a separate trust store that only recognizes MTC-based certificates. Traditional certificates continue to work in parallel. Sites that want to go fully quantum-resistant will have a path to opt in.
Beyond that, the regulatory timeline adds pressure from the other direction. NIST has set 2030 as the deadline for deprecating current cryptographic standards, with full prohibition by 2035. The EU is aligned on the same schedule. If you’re in a regulated industry, this isn’t a roadmap item — it’s a compliance timeline with dates attached.
What to Have on Your Radar#
You don’t need to act today. But you should know what’s coming.
Your CA and certificate management vendors are going to have to adapt. When you’re next in conversation with them, it’s worth asking what their MTC roadmap looks like. Vendors who don’t have an answer yet are vendors to watch carefully.
Manual certificate management is increasingly hard to justify. The MTC model is built around automated issuance workflows. If your team is still renewing certificates by hand, the pressure to automate is only going to grow.
And if you’re not sure what your current certificate posture looks like — how many certs you have, where they’re issued, what algorithms they use — that’s actually the right place to start.
The Bigger Point#
MTCs aren’t just a quantum fix. They’re the industry taking a hard look at thirty years of accumulated infrastructure and deciding to do it better. Transparency built in. Simpler revocation. Cryptographic agility that makes future algorithm transitions less painful. The quantum threat provided the forcing function, but the architectural improvements go beyond it.
You’re going to hear the term more. Now you know what’s behind it.
Greymantle Risk Advisory helps organizations understand their current cryptographic posture and plan for the transitions ahead, including post-quantum readiness assessments, certificate inventory, and migration planning. If you’re not sure where your organization stands, that’s the right conversation to start.
