Merkle Tree Certificates (MTCs) represent an evolution of the Web PKI. Unlike today's conventional TLS certificates where Certificate Transparency (CT) is an optional, additive layer, MTCs natively integrate transparency logging into the issuance process. A certificate is only valid if it exists as a leaf in a publicly verifiable Merkle Tree operated by a CA and verified by independent Cosigners.
Why are they beneficial?
MTCs are designed to solve multiple challenges introduced by Post-Quantum Cryptography (PQC):
- PQC Size Optimization: Standard PQC signatures (like ML-DSA) are ~12x larger than classical ones. MTCs allow servers to avoid sending these large signatures in TLS handshakes with optimized, up-to-date clients. This is possible by signing a batch of multiple certificates at once, and having clients receive information about these batches out-of-band. This allows servers to send a compact series of hashes, much smaller than a PQC signature, proving that a certificate was issued as part of a batch already known to the client.
- Native Transparency: In today's world, certificates are issued then optionally logged to Certificate Transparency as a separate step. MTCs shift to a world where the act of including the certificate in a log is how a certificate is issued. This ensures that all certificate issuance is auditable, as it is impossible to issue without publishing the certificate.
- Reduced Log Overhead: MTCs avoid storing the large public keys and signatures in the log directly, which ensures that public logs are smaller and easier to operate than a classical Certificate Transparency log storing equivalent entries.
How should MTCs be deployed?
Website operators should plan to use MTCs in one of two models:
- Standalone MTCs offer a compatible transition path. While they include large PQC signatures similar to using ML-DSA directly, they require only minimal work for site operators beyond what using ML-DSA directly would require.
- Landmark-relative MTCs provide an optional performance gain for website operators wanting to speed up TLS connections, at the cost of some increased complexity. By relying on landmarks already known by many clients, servers can remove the large PQC signatures from the TLS handshake entirely.
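As an added example (not from this page or the MTC draft), the batch-proof mechanism behind both the size optimization and the landmark-relative model: a CA builds one Merkle tree over a batch of entries, the client learns only the batch root out-of-band (the landmark), and the server proves inclusion with a short path of sibling hashes instead of a PQC signature. The hashing follows the RFC 6962 style used by Certificate Transparency; the draft's actual leaf encoding and tree layout are assumed to differ, and the batch entries are constructed stand-ins.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    """Domain-separated leaf hash (RFC 6962 style; the MTC draft's own leaf encoding differs)."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # domain-separated inner node

def _split(n: int) -> int:
    k = 1                # largest power of two strictly less than n (RFC 6962 split point)
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(m: int, leaves: list) -> list:
    """Sibling hashes, leaf upward: the compact proof a server sends instead of a signature."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_proof(m: int, n: int, leaf: bytes, proof: list):
    """Client side: recompute the batch root from index, batch size, leaf hash and proof."""
    if m >= n or (n == 1) != (not proof):
        return None  # index out of range, or proof length does not match the tree shape
    if n == 1:
        return leaf
    k = _split(n)
    if m < k:
        sub = root_from_proof(m, k, leaf, proof[:-1])
        return None if sub is None else node_hash(sub, proof[-1])
    sub = root_from_proof(m - k, n - k, leaf, proof[:-1])
    return None if sub is None else node_hash(proof[-1], sub)

def verify_inclusion(m: int, n: int, entry: bytes, proof: list, known_root: bytes) -> bool:
    """Accept only if the proof reproduces the batch root the client already trusts."""
    return root_from_proof(m, n, leaf_hash(entry), proof) == known_root

BATCH = [b"cert:example%d.test" % i for i in range(5)]  # constructed stand-in entries
LEAVES = [leaf_hash(e) for e in BATCH]
BATCH_ROOT = merkle_root(LEAVES)    # learned by the client out-of-band (the landmark)
PROOF = inclusion_proof(3, LEAVES)  # 3 hashes = 96 bytes, sent by the server in the handshake
```

A client that does not yet know the batch root cannot verify this path, which is why the standalone model still carries a full signature.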