FWIW if you want to tinker on the topic I recommend OQS https://github.com/open-quantum-safe/ including Chromium, Apache, nginx, curl, etc. It's quite fun to play with.
The pivot to MTC is a big change in the infrastructure of https. I wish other browsers were at least mentioned in this blog post. I'm curious about the future of letsencrypt as well.
Discussed few weeks ago on https://community.letsencrypt.org/t/post-quantum-crypto-road... specifically "The path we're more interested in is Merkle Tree Certificates, currently in design at the PLANTS working group at IETF. Chrome has indicated that they anticipate this to be their preferred approach to PQC. We're following that very closely, and are likely to deploy MTCs if it looks like that design is going to be supported widely." according to Matthew McPherrin, Let's Encrypt staff
While I appreciate more efficient and compact representations, I fail to see why this is particularly necessary. This article [1] on the same topic indicates a naive PQ chain is only ~40x the size of a current 4 KB chain. That means it is just ~160 KB.
If you have the legal minimum to be considered broadband in the US, you need ~100 Mbps, so that would add ~12 ms.
If you can stream one 4K video, you need ~20-40 Mbps, so that would add ~30-60 ms.
If you can stream one 1080p video you need to ~3-6 Mbps, so that would add ~200-400 ms.
Even on just a 1 Mbps connection, just barely enough to stream a single 480p video that would only add ~1 second.
And I doubt the weight of most of pages is lower than 160 KB. Many of them are probably dramatically higher, so the total effect of a extra 160 KB is just a few percent.
If there is a problem, it seems like it would be with poorly designed protocols and infrastructure which should be fixed as well instead of papering them over.
The key will be 40x larger. Not that bad for the certs. It'll be about 15kB extra. Will depend on your use case if that's bad. For video it's fine. But not all browsing is video. At Cloudflare half of the QUIC connections we see transfer less than 8kB from server -> client total. On average 3-4kB of that is already certificates today. That'll probably be quite noticeable. https://blog.cloudflare.com/pq-2025/#do-we-really-care-about...
But do those connections constitute a material amount of total bandwidth and thus resources? No, as the article points out the median is 8 KB, but the average is 583 KB. The extra 15 KB for each connection would only bump server-side bandwidth serving by ~2%.
But even that is beside my point. The impact of making certificates larger should be, largely, just the cost of making them larger which, on average, would not actually be that significant of a impact. That is not the real problem. The problem is actually that there is so much broken crap everywhere in networks and network stacks that would either break or dramatically balloon what should otherwise be manageable costs.
Everybody just wants to paper over that by blaming the larger certificates when what is actually happening is that the larger certificates are revealing the rot. That is not to say that the proposal which reduces the size of the certificates is bad, I think it is good to do so, but fixing the proximal cause so you can continue to ignore the root cause is a recipe that got us into this ossified, brittle networking mess.
At the beginning of a TCP connection, which is when the certificate chain is sent, you can't send more data than the initial congestion window without waiting for it to be acknowledged. 160KB is far beyond the initial congestion window, so on a high-latency connection the additional time would be higher than the numbers you calculated. Of course, if the web page is very bloated the user might not notice, but not all pages are bloated.
The increased certificate size would also be painful for Certificate Transparency logs, which are required to store certificates and transmit them to anyone who asks. MTC doesn't require logs to store the subject public key.
That is exactly the type of poor design that I was saying should be rectified.
You can already configure your initial congestion window, and if you are connecting to a system expecting the use of PQ encryption, you should set your initial congestion window to be large enough for the certificate; doing otherwise is height of incompetence and should be fixed.
You could also use better protocols like QUIC which has a independently flow controlled crypto stream and you can avoid amplification attacks by pre-sending adequate amounts of data to stop amplification prevention from activating.
And I fail to see how going from 4 KB of certificate chain to 160 KB of certificate chain poses a serious storage or transmission problem. You can fit literal millions into RAM on reasonable servers. You can fit literal billions into storage on reasonable servers. Sure, if you exactly right-sized your CT servers you might need to upgrade them, but the absolute amount of resources you need for this is miniscule.
Let's say you visit a site that doesn't use H2. That's now nearly a megabyte (up from 24kb) of data across the six connections that HTTP/1.1 establishes.
You're on LTE? You have high packet loss over a wireless connection? The initial TCP window size is ~16kb in a lot of cases, now you need multiple round trips over a high latency connection just to make the connection secure. You'll probably need 3-4 round trips on a stable connection just for the certificate. On a bad connection? Good luck.
Exactly, HTTP/1.1 is a poorly designed protocol and there are good reasons why we have newer versions of HTTP which avoid multiple unnecessary encryption handshakes.
Exactly, using a blanket default initial congestion window of 16 KB is stupid. Even ignoring that it was chosen when average bandwidth was many times less and thus should be increased anyways to something on the order of the average BDP or you should use a better congestion control algorithm, it is especially stupid if you are beginning a connection that has a known minimum requirement before useful data can be sent.
These things should be fixed as well instead of papering them over. Your system should work well regardless of the size of the certificate chain except for the fundamental overhead of having a larger chain.
FWIW if you want to tinker on the topic I recommend OQS https://github.com/open-quantum-safe/ including Chromium, Apache, nginx, curl, etc. It's quite fun to play with.
What are appropriate default parameters?
The mozilla SSL Config Generator doesn't yet support PQ; it has Old, Intermediate, and Modern: https://ssl-config.mozilla.org/
mozilla/ssl-config-generator: https://news.ycombinator.com/item?id=42265927
"ML-KEM Mythbusting" (2025) https://news.ycombinator.com/item?id=46074381 re: AuthKEM
Yeah, filed https://github.com/mozilla/ssl-config-generator/issues/342
The title is vague, my first thought was "We already have MLKEM". Which is enough against passive attackers.
The article apparently is about the CA/certs for authenticating the server, a part of HTTPS
Also just now Chrome published https://www.chromium.org/Home/chromium-security/post-quantum...
The pivot to MTC is a big change in the infrastructure of https. I wish other browsers were at least mentioned in this blog post. I'm curious about the future of letsencrypt as well.
Discussed few weeks ago on https://community.letsencrypt.org/t/post-quantum-crypto-road... specifically "The path we're more interested in is Merkle Tree Certificates, currently in design at the PLANTS working group at IETF. Chrome has indicated that they anticipate this to be their preferred approach to PQC. We're following that very closely, and are likely to deploy MTCs if it looks like that design is going to be supported widely." according to Matthew McPherrin, Let's Encrypt staff
There are also Merkle ladders.
What is the difference between a Merkle Tree Certificate and a Merkle Ladder?
Is this correct?:
Without Merkle Tree Certificates, the per keypress overhead for e.g. jupyter_server would be something like 3.3 KB due to the PQ signatures.
1 reply →
[dead]
While I appreciate more efficient and compact representations, I fail to see why this is particularly necessary. This article [1] on the same topic indicates a naive PQ chain is only ~40x the size of a current 4 KB chain. That means it is just ~160 KB.
If you have the legal minimum to be considered broadband in the US, you need ~100 Mbps, so that would add ~12 ms.
If you can stream one 4K video, you need ~20-40 Mbps, so that would add ~30-60 ms.
If you can stream one 1080p video you need to ~3-6 Mbps, so that would add ~200-400 ms.
Even on just a 1 Mbps connection, just barely enough to stream a single 480p video that would only add ~1 second.
And I doubt the weight of most of pages is lower than 160 KB. Many of them are probably dramatically higher, so the total effect of a extra 160 KB is just a few percent.
If there is a problem, it seems like it would be with poorly designed protocols and infrastructure which should be fixed as well instead of papering them over.
[1] https://arstechnica.com/security/2026/02/google-is-using-cle...
The key will be 40x larger. Not that bad for the certs. It'll be about 15kB extra. Will depend on your use case if that's bad. For video it's fine. But not all browsing is video. At Cloudflare half of the QUIC connections we see transfer less than 8kB from server -> client total. On average 3-4kB of that is already certificates today. That'll probably be quite noticeable. https://blog.cloudflare.com/pq-2025/#do-we-really-care-about...
But do those connections constitute a material amount of total bandwidth and thus resources? No, as the article points out the median is 8 KB, but the average is 583 KB. The extra 15 KB for each connection would only bump server-side bandwidth serving by ~2%.
But even that is beside my point. The impact of making certificates larger should be, largely, just the cost of making them larger which, on average, would not actually be that significant of a impact. That is not the real problem. The problem is actually that there is so much broken crap everywhere in networks and network stacks that would either break or dramatically balloon what should otherwise be manageable costs.
Everybody just wants to paper over that by blaming the larger certificates when what is actually happening is that the larger certificates are revealing the rot. That is not to say that the proposal which reduces the size of the certificates is bad, I think it is good to do so, but fixing the proximal cause so you can continue to ignore the root cause is a recipe that got us into this ossified, brittle networking mess.
1 reply →
At the beginning of a TCP connection, which is when the certificate chain is sent, you can't send more data than the initial congestion window without waiting for it to be acknowledged. 160KB is far beyond the initial congestion window, so on a high-latency connection the additional time would be higher than the numbers you calculated. Of course, if the web page is very bloated the user might not notice, but not all pages are bloated.
The increased certificate size would also be painful for Certificate Transparency logs, which are required to store certificates and transmit them to anyone who asks. MTC doesn't require logs to store the subject public key.
That is exactly the type of poor design that I was saying should be rectified.
You can already configure your initial congestion window, and if you are connecting to a system expecting the use of PQ encryption, you should set your initial congestion window to be large enough for the certificate; doing otherwise is height of incompetence and should be fixed.
You could also use better protocols like QUIC which has a independently flow controlled crypto stream and you can avoid amplification attacks by pre-sending adequate amounts of data to stop amplification prevention from activating.
And I fail to see how going from 4 KB of certificate chain to 160 KB of certificate chain poses a serious storage or transmission problem. You can fit literal millions into RAM on reasonable servers. You can fit literal billions into storage on reasonable servers. Sure, if you exactly right-sized your CT servers you might need to upgrade them, but the absolute amount of resources you need for this is miniscule.
5 replies →
Let's say you visit a site that doesn't use H2. That's now nearly a megabyte (up from 24kb) of data across the six connections that HTTP/1.1 establishes.
You're on LTE? You have high packet loss over a wireless connection? The initial TCP window size is ~16kb in a lot of cases, now you need multiple round trips over a high latency connection just to make the connection secure. You'll probably need 3-4 round trips on a stable connection just for the certificate. On a bad connection? Good luck.
Exactly, HTTP/1.1 is a poorly designed protocol and there are good reasons why we have newer versions of HTTP which avoid multiple unnecessary encryption handshakes.
Exactly, using a blanket default initial congestion window of 16 KB is stupid. Even ignoring that it was chosen when average bandwidth was many times less and thus should be increased anyways to something on the order of the average BDP or you should use a better congestion control algorithm, it is especially stupid if you are beginning a connection that has a known minimum requirement before useful data can be sent.
These things should be fixed as well instead of papering them over. Your system should work well regardless of the size of the certificate chain except for the fundamental overhead of having a larger chain.
2 replies →