Cloudflare recently announced Merkle Tree Certificates (MTCs), a proposal brought to the Internet Engineering Task Force (IETF) that fundamentally redesigns the Web Public-Key Infrastructure (WebPKI) to enable a performance-neutral transition to Post-Quantum (PQ) cryptography.
With this initiative, the company addresses a critical architectural challenge. While PQ algorithms exist to protect TLS authentication against quantum computers, their sheer size currently creates a performance debt that prevents widespread, default deployment.
The push toward PQ cryptography is essential to mitigate the “harvest now, decrypt later” threat, where encrypted traffic intercepted today could be decrypted later by a powerful quantum computer.
However, it’s not practical to replace the existing algorithms with new ones because of the size impact: signatures for ML-DSA-44, a performant PQ algorithm standardized by NIST, are 2,420 bytes, compared to just 64 bytes for the standard ECDSA-P256. Moreover, public keys are also significantly larger. In addition, the modern WebPKI involves long trust chains and Certificate Transparency (CT) requirements, which currently require up to five signatures and two public keys per TLS handshake. With PQ algorithms, this adds up to “10s of kilobytes of overhead per handshake,” severely degrading performance and latency.
The overhead makes PQ certificates a difficult choice to enable today, as they offer no immediate security benefit yet noticeably degrade user experience. However, Cloudflare’s MTC proposal solves this dilemma by drastically reducing the amount of data exchanged during the TLS handshake, relying on an out-of-band distribution model.
Instead of transmitting the full, long certificate chain, the architecture shifts to Merkle Tree Inclusion Proofs. All the information a client needs to validate a Merkle Tree Certificate can be disseminated out-of-band. If the client is sufficiently up to date, the TLS handshake requires only one signature, one public key, and one Merkle tree inclusion proof.
This achieves the following key architectural shifts:
- Minimal Handshake: Reduces handshake overhead to the absolute minimum, even with larger PQ algorithms.
- Built-in Transparency: MTC integrates Certificate Transparency (CT) as a first-class feature by having each Certificate Authority (CA) run its own log, simplifying the auditing process required by major browsers.
- Expected Performance Gain: The protocol is expected to reduce handshake size and CPU cost, even compared to the current non-PQ standard, leading to an overall reduction in latency.
(Source: Cloudflare blog post)
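As an added illustration (not code from Cloudflare or the IETF draft, and not the draft's wire format), the following simplified model shows what the out-of-band tree head buys: the client already holds the head, the server sends only its assertion plus a short inclusion proof, and the client recomputes the root. It also compares the handshake authentication bytes with the five-signature, two-key chain described above; the ML-DSA-44 public-key size of 1,312 bytes is an assumption not given on the page.

```python
import hashlib
# Added illustration, not the MTC draft's wire format: a binary Merkle tree over
# constructed assertions (name + key), an inclusion proof for one leaf, and the
# client-side check against a tree head fetched out-of-band. Leaf and node
# hashes are domain-separated so a node hash cannot be passed off as a leaf.
EMPTY, HASH_LEN = bytes(32), 32  # padding node for odd-sized levels
def _leaf_hash(assertion: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + assertion).digest()

def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(assertions):
    """All levels, leaves first; the last level holds the tree head."""
    level, levels = [_leaf_hash(a) for a in assertions], []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [EMPTY]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [_node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(assertion, proof, tree_head):
    """The client's handshake check: recompute the root and compare."""
    h = _leaf_hash(assertion)
    for sibling, on_left in proof:
        h = _node_hash(sibling, h) if on_left else _node_hash(h, sibling)
    return h == tree_head

def auth_bytes_on_wire(proof, sig_len=2420, pk_len=1312):
    """(MTC bytes, chain bytes): one PQ signature + one key + proof, versus the
    article's five-signature/two-key chain. 2,420 is ML-DSA-44's signature size
    from the article; 1,312 is its public-key size (assumed, not on the page)."""
    mtc = sig_len + pk_len + len(proof) * HASH_LEN
    return mtc, 5 * sig_len + 2 * pk_len

# Constructed sample batch of eight assertions; the head goes out-of-band.
ASSERTIONS = [b"example%d.test|pk-%d" % (i, i) for i in range(8)]
LEVELS = build_tree(ASSERTIONS)
TREE_HEAD = LEVELS[-1][0]
```

For eight assertions the proof is three hashes (96 bytes), so the per-handshake authentication data drops from 14,724 bytes for the chain to 3,828 bytes, and a forged assertion fails to reproduce the head the client already trusts.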
The proposal immediately sparked discussion among architects and developers in a Hacker News thread, centered primarily on deployment feasibility and the implications of the out-of-band model.
A central concern raised by commenter crote was the increasing reliance on browser vendors for critical TLS ecosystem components, such as root stores and, now, MTC Merkle trees. They questioned the fate of clients outside of evergreen browsers, such as curl, custom HTTP libraries, email clients, and embedded devices.
It worries me how we are increasingly making browser vendors a critical part of the TLS ecosystem… ‘The internet’ is a hell of a lot bigger than ‘some website in Google Chrome’, and we should be careful not to make all those other use cases impossible.
Another respondent, Mcpherrinm (who identified as working for Let’s Encrypt, but speaking unofficially) clarified that a “platform verifier” on major operating systems like Windows and Mac could handle the fetching and sharing of out-of-band data, noting that the browser is leading the initiative because “OSes” are not keeping up with the need for rapid PQ deployment.
Commenter mtud raised a concern regarding metadata leakage during the TLS handshake, arguing that transmitting which treeheads a client possesses could allow the server or anyone on the network path to fingerprint the client based on how recently they updated their treehead state.
I don’t love the idea of giving every server I connect to via TLS the ability to fingerprint me by how recently (or not) I’ve fetched MTC treeheads.
Bwesterb (a Cloudflare engineer) acknowledged the concern but noted the leak would be minimal, lasting perhaps only a minute or two after reopening a laptop that had been offline over a weekend, and suggested potential methods for further compressing the treehead information.
The thread also discussed the necessity of MTCs versus alternative solutions like DANE (DNS-based Authentication of Named Entities) and the overall PQ transition timeline. Mcpherrinm stated that Chrome has designated MTCs as its “preferred (or only) option for post-quantum certificates,” suggesting a high likelihood of deployment in the coming years. They further emphasized the immense timeline, projecting that it may take 10-15 years for MTC support to be fully rolled out across the entire ecosystem due to OS, distro, and client update cycles.
The IETF proposal from Cloudflare represents a significant attempt to make Post-Quantum readiness feasible without sacrificing the web’s demand for low latency.
