Google has solved one of the key practical barriers to quantum-proof web encryption, compressing post-quantum TLS certificates from roughly 15 kilobytes to approximately 700 bytes using a cryptographic structure known as Merkle Tree Certificates.
The stakes are high. HTTPS, the protocol that secures virtually every website visit, relies on digital certificates to verify identity and establish encrypted connections. Current certificates use encryption algorithms that a sufficiently powerful quantum computer could break. Replacing them with post-quantum alternatives is a known priority — but those alternatives come with a significant size cost that can slow down connection times and strain network infrastructure.
Compressing post-quantum certificates by more than 95% removes the single biggest practical obstacle to making the entire web quantum-resistant.
Why Certificate Size Has Been a Sticking Point
Post-quantum cryptography standards, including those recently finalized by NIST (the US National Institute of Standards and Technology), use mathematical problems that are believed to be hard for both classical and quantum computers to solve. The tradeoff is that the keys and signatures involved are substantially larger than those used in today's RSA or elliptic-curve systems. A standard TLS certificate today typically sits below 2 kilobytes. Post-quantum equivalents balloon to around 15 kilobytes — more than seven times the size.
That difference matters at scale. Every time a user's browser opens an HTTPS connection, it must download and verify a certificate. Across billions of daily connections, inflated certificate sizes translate directly into higher latency, greater bandwidth consumption, and degraded performance on slower connections.
How Merkle Trees Compress Without Compromising Security
Google's solution draws on a well-established data structure in computer science: the Merkle tree. In a standard Merkle tree, individual pieces of data are hashed, and those hashes are combined and re-hashed up through a branching structure until they produce a single root hash. The key property is that you can prove any individual piece of data belongs to the set by providing only a small "proof path" of hashes — rather than transmitting every piece of data in full.
Applied to certificates, the approach works roughly as follows: instead of each certificate containing its own large post-quantum signature, certificates are batched together and their key information is incorporated into a Merkle tree. A browser only needs to receive a compact proof that a given certificate is included in that tree, rather than a full standalone post-quantum signature. According to Google, this brings the data a browser needs per connection down to approximately 700 bytes — a reduction of more than 95%.
The root hash of the tree can be distributed and verified through existing infrastructure, including mechanisms browsers already use to track certificate transparency logs.
Chrome Support Already Live
Google Chrome already includes support for Merkle Tree Certificates, according to the company. The broader rollout — to other browsers, server software, and certificate authorities — is described as forthcoming, though no firm universal timeline has been confirmed publicly.
The move fits within a wider industry push to migrate web infrastructure before large-scale quantum computers become a realistic threat. Security researchers often refer to the "harvest now, decrypt later" problem: adversaries can record encrypted traffic today and decrypt it once quantum hardware matures. For data that must remain confidential for years or decades — government communications, financial records, medical data — the clock is already running.
NIST formally standardized its first post-quantum cryptographic algorithms in 2024, and browser vendors and certificate authorities have been working to integrate them. The size problem has been one of the most frequently cited obstacles to doing so without degrading user experience.
Balancing Performance and Security at Web Scale
The engineering challenge Google has addressed is not purely theoretical. Certificate size affects real users. On mobile networks or in regions with limited bandwidth, even small increases in connection overhead compound across page loads. Content delivery networks and load balancers must also process and cache certificates at high throughput — making efficiency a genuine operational concern, not just a benchmark metric.
By keeping the per-connection overhead close to current levels, Merkle Tree Certificates make it feasible for site operators to adopt post-quantum encryption without accepting a meaningful performance regression. That lowers the friction for adoption, which matters: security improvements that carry a noticeable cost tend to be delayed or selectively deployed.
What This Means
Google's Merkle Tree Certificate approach gives the web a credible path to quantum-resistant HTTPS at scale — and with Chrome support already in place, the infrastructure to deliver it is closer than it has ever been.