Let's Encrypt has announced plans to adopt 'Merkle Tree Certificates' for the quantum computing era, a mechanism to suppress the increase in communication volume due to quantum-resistant cryptography.



Let's Encrypt, a certificate authority that issues free, automated TLS certificates, announced on June 3, 2026, its plan to adopt 'Merkle Tree Certificates (MTCs)' for the post-quantum era.

A Post-Quantum Future for Let's Encrypt - Let's Encrypt

https://letsencrypt.org/2026/06/03/pq-certs

When quantum computers become practical, some widely used encryption techniques may be broken. For communication encryption in particular, there is a risk of an 'HNDL (harvest now, decrypt later) attack,' in which an attacker stores encrypted traffic before quantum computers are practical and decrypts it once they become available.

On the other hand, in the area Let's Encrypt covers, namely authenticating that a website is genuine, an attacker has to forge a signature during the connection itself to make a fake server appear genuine. HNDL attacks are therefore not a concern, and it has been thought that quantum countermeasures are less urgent here than for communication encryption.

However, Let's Encrypt argues that, given the need to rapidly implement post-quantum authentication for certificates, it is necessary to address the fact that 'switching the entire Web PKI system will take a long time in terms of standardization and software compatibility.'

With signature schemes that are widely used at the time of writing, such as ECDSA and RSA, a TLS handshake needs only a few hundred bytes to about 2 KB of data. Quantum-resistant signature schemes such as ML-DSA-44 have the drawback of requiring over 10 KB of data in the worst case. The TLS handshake occurs every time you access a website, so a larger certificate chain in the handshake increases the likelihood of connection delays or failures.



This is where Let's Encrypt is focusing its attention: Merkle tree certificates. In traditional certificate issuance, a certificate authority issues and signs each certificate individually, but with Merkle tree certificates, multiple certificates are handled together, and the entire collection of certificates is covered by a single signature.

A 'Merkle tree' is a mechanism that organizes large amounts of data into a tree structure, allowing for verification of the presence of certain data with a short proof. Merkle tree certificates reduce the amount of data required to verify the legitimacy of a certificate, thus keeping the increase in TLS handshake traffic low even when post-quantum signatures are introduced.
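The short proof described above can be shown with a generic Merkle tree; this is an added example, not code from Let's Encrypt or from the Merkle Tree Certificates specification. It assumes SHA-256 and the leaf/node hashing layout used by Certificate Transparency (RFC 6962), and the batch entries are constructed placeholders rather than real certificates.

```python
import hashlib

def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()          # 0x00 prefix marks a leaf

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 prefix marks an interior node

def split(n):  # largest power of two strictly smaller than n (n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root(leaves):
    """Root hash over a non-empty batch; this is the one value the CA would sign."""
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split(len(leaves))
    return node_hash(root(leaves[:k]), root(leaves[k:]))

def prove(leaves, index):
    """Inclusion proof: sibling hashes on the path from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if index < k:
        return prove(leaves[:k], index) + [root(leaves[k:])]
    return prove(leaves[k:], index - k) + [root(leaves[:k])]

def recompute(entry, index, size, proof):
    # Rebuild the root from one entry and its proof; reject proofs of the wrong length.
    if size == 1 or not proof:
        if size == 1 and not proof:
            return leaf_hash(entry)
        raise ValueError("proof length does not match tree size")
    k = split(size)
    if index < k:
        return node_hash(recompute(entry, index, k, proof[:-1]), proof[-1])
    return node_hash(proof[-1], recompute(entry, index - k, size - k, proof[:-1]))

def verify(entry, index, size, proof, signed_root):
    """True only if entry sits at position index in the batch behind signed_root."""
    try:
        return 0 <= index < size and recompute(entry, index, size, proof) == signed_root
    except ValueError:
        return False

# Constructed sample batch: 1000 placeholder entries standing in for certificates.
BATCH = [b"constructed-entry-%d" % i for i in range(1000)]
```

For this 1000-entry batch, `prove(BATCH, 421)` returns 10 hashes (320 bytes), and the proof grows with the logarithm of the batch size rather than with the number of entries.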

The following is a comparison of the amount of data transmitted when using a conventional post-quantum certificate versus a Merkle tree certificate. Using a Merkle tree certificate can reduce the amount of data transmitted to about one-tenth.



Let's Encrypt's plan states that it will have a staging environment capable of issuing Merkle tree certificates ready in the second half of 2026, and aims to have a production-ready environment by 2027.

Implementing Merkle tree certificates requires support for the ACME protocol for automatic certificate acquisition, revocation procedures, operational tools, and a transparency logging infrastructure. Let's Encrypt participates in the IETF's PLANTS working group and ACME working group, keeping up with the progress of standardization.

However, these changes primarily involve adjustments to the certificate issuance infrastructure and related software, and it appears that no action is required from Let's Encrypt users at the time of writing. Even when post-quantum certificates become available, the plan is to provide them as a free and automated certificate issuance service that anyone using an ACME client can access.

in Web Service, Security, Posted by log1d_ts