Is RSA Dead? How Let’s Encrypt’s Merkle Tree Certificates Aim to Secure the Post‑Quantum Web
The article analyzes the looming quantum threat to RSA/ECDSA‑based Web PKI, explains why naïvely swapping to post‑quantum signatures would bloat TLS handshakes, and details Let’s Encrypt’s Merkle Tree Certificate (MTC) approach that preserves authentication size while embedding certificate transparency.
Why the authentication crisis is emerging now
Web PKI has long relied on RSA and ECDSA signatures, but the development of cryptographically relevant quantum computers (CRQCs) threatens these algorithms. The NSA’s CNSA 2.0 suite mandates disabling RSA‑2048 and P‑256 after 2035, and the EU has issued a similar roadmap, pushing the ecosystem to the brink.
Policy and industry pressure
In early 2026 Google announced a full migration of its services to post‑quantum signatures by 2029, followed by an equally aggressive commitment from Cloudflare. Go 1.27 even ships the NIST‑standardized post‑quantum signature algorithm ML‑DSA in its standard library.
Size disaster of a direct algorithm swap
Replacing RSA/ECDSA with ML‑DSA‑44, the smallest ML‑DSA parameter set, would increase a single signature from 64 bytes to 2,420 bytes and a public key from 64 bytes to 1,312 bytes. A typical TLS handshake that currently carries five signatures and two public keys would therefore exceed 10 KB. Cloudflare’s research shows that a handshake of this size would cause many real‑world connections to fail because of TCP congestion‑window limits and MTU constraints, and would add severe latency to the connections that survive.
Merkle Tree Certificates (MTCs) as the rescue
Let’s Encrypt proposes Merkle Tree Certificates (MTCs) to avoid the “fat‑signature” problem. Instead of signing each certificate individually, a CA collects all certificates issued within a time window (e.g., one hour) and builds a Merkle tree. The CA then signs only the tree root with a post‑quantum algorithm such as ML‑DSA.
Clients verify a certificate by receiving an inclusion proof—a short hash‑based path from the leaf (the certificate) to the signed root. Because inclusion proofs are only a few hundred bytes, a TLS handshake using MTCs carries roughly 1 inclusion proof + 1 public key and no bulky post‑quantum signatures, reducing authentication data to about 736 bytes (compared with 7,260 bytes in a naïve PQ design).
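The batching and inclusion-proof check described above, as an added sketch that is not code from Let’s Encrypt or the MTC draft. It assumes SHA-256 with RFC 6962-style leaf/node prefixes and a simplified proof format of (hash, side) pairs; the certificate bytes are constructed, and the post-quantum signature over the root is out of scope.

```python
import hashlib
import hmac

# Assumption: RFC 6962-style domain separation (0x00 leaf, 0x01 interior node).
# The MTC draft's actual leaf encoding is not given on the page.
def leaf_hash(cert: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + cert).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (handles uneven batches)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(certs):
    if not certs:
        raise ValueError("empty batch has no root")
    if len(certs) == 1:
        return leaf_hash(certs[0])
    k = _split(len(certs))
    return node_hash(merkle_root(certs[:k]), merkle_root(certs[k:]))

def inclusion_proof(certs, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    if not 0 <= index < len(certs):
        raise IndexError("certificate not in batch")
    if len(certs) == 1:
        return []
    k = _split(len(certs))
    if index < k:
        return inclusion_proof(certs[:k], index) + [(merkle_root(certs[k:]), False)]
    return inclusion_proof(certs[k:], index - k) + [(merkle_root(certs[:k]), True)]

def verify_inclusion(cert, proof, signed_root):
    """Recompute the root from the leaf; the CA signature on the root is checked separately."""
    h = leaf_hash(cert)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, signed_root)

if __name__ == "__main__":
    # Constructed sample batch standing in for one issuance window.
    batch = [b"constructed-cert-%d.example" % i for i in range(4096)]
    root = merkle_root(batch)
    proof = inclusion_proof(batch, 1234)
    print(len(proof), "hashes; valid:", verify_inclusion(batch[1234], proof, root))
```

For a batch of 4,096 certificates the proof is 12 hashes (384 bytes), and it grows by one 32-byte hash each time the batch size doubles.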
Built‑in certificate transparency
In the MTC model the Merkle tree itself functions as an append‑only log, eliminating the need for a separate Certificate Transparency (CT) log. Every certificate must appear in the tree, ensuring continuous, native monitoring.
Roadmap and impact for developers
Let’s Encrypt plans to release an MTC staging environment by the end of 2026 and a production rollout in 2027. The IETF PLANTS working group is drafting the MTC standard (see draft‑ietf‑tls‑mldsa). Developers should monitor the [email protected] mailing list, update ACME clients such as certbot, and ensure hybrid post‑quantum key exchange (e.g., X25519MLKEM768) is enabled in servers like Nginx, Envoy, or Caddy.
While MTCs address the authentication size issue, the article warns that the encryption (key‑exchange) crisis remains urgent and must be tackled in parallel.
Conclusion
This massive infrastructure overhaul—driven by quantum‑era pressures—demonstrates how cryptographic engineering, policy mandates, and industry commitments converge to protect the trust foundation of the Internet.
This article has been distilled and summarized from source material, then republished for learning and reference.
TonyBai
Tony Bai's tech world (tonybai.com). Not satisfied with just "knowing how", we strive for mastery. Focused on Go language internals, high-quality engineering practices, and cloud‑native architecture, exploring cutting‑edge intersections of Go and AI. Gophers who pursue technology are welcome—follow me and evolve with Go.
