Google has unveiled an ambitious plan for its Chrome browser, aimed at protecting HTTPS certificates from quantum computer attacks without compromising internet browsing. The goal is challenging, considering that the quantum-resistant cryptographic data needed to transparently publish TLS certificates is about 40 times larger than the classical cryptographic material used today. The challenge is significant, but the stakes are high for network security.
The Post-Quantum Cryptography Challenge
A typical X.509 certificate today comprises six elliptic curve signatures and two EC public keys, each only 64 bytes. This material can be compromised via Shor's algorithm, enabled by quantum computers. The entire chain is about 4 kilobytes. All this data must be transmitted when a browser connects to a site. "The larger certificates get, the slower the handshake and the more people are left behind," said Bas Westerbaan, lead research engineer at Cloudflare, who is collaborating with Google in this transition. The size increase can also degrade "middle boxes," which sit between browsers and the final site. The main concern is to avoid slowing down users' browsing, as this might lead them to disable the new cryptography.
The Merkle Tree Solution
To circumvent this bottleneck, companies are turning to Merkle Trees, a data structure that uses cryptographic hashes and other mathematical operations to verify the content of large amounts of information using a small fraction of the material used in more traditional verification processes within public key infrastructure. Merkle Tree Certificates (MTC) "replace the heavy serialized chain of signatures found in traditional PKI with compact Merkle Tree proofs," wrote members of Google's Chrome Secure Web and Networking Team on Friday. In this model, a Certificate Authority (CA) signs a single 'Tree Head' that potentially represents millions of certificates, and the 'certificate' sent to the browser is simply a lightweight proof of inclusion in that tree.
Transparency and Security
Google and other browser manufacturers require that all TLS certificates be published in public transparency logs, which are append-only distributed ledgers. Website owners can then check the logs in real time to ensure that no fraudulent certificates have been issued for the domains they use. Transparency programs were implemented in response to the 2011 hack of DigiNotar, which allowed the creation of 500 counterfeit certificates for Google and other websites, some of which were used to spy on web users in Iran. Shor's algorithm, once operational, could be used to forge classical cryptography signatures and compromise the classical cryptography public keys of certificate logs. Ultimately, an attacker could forge the timestamps of signed certificates used to prove to a browser or operating system that a certificate was logged when in fact it was not.
Google's Strategy
To rule out this possibility, Google is adding cryptographic material from quantum-resistant algorithms, such as ML-DSA. This addition would allow forgeries only if an attacker were to break both classical and post-quantum cryptography. The new regime is part of what Google calls the quantum-resistant root store, which will complement the Chrome Root Store the company formed in 2022. MTCs use Merkle Trees to provide quantum-resistant guarantees that a certificate has been published without having to add most of the long keys and hashes. Using other techniques to reduce data size, MTCs will have a length of about 4 kB, said Westerbaan. The new system has already been implemented in Chrome. For now, Cloudflare is logging about 1,000 TLS certificates to test the effectiveness of MTCs. The Internet Engineering Task Force recently formed a working group called PKI, Logs, And Tree Signatures, which is coordinating with other key players to develop a long-term solution. "We view the adoption of MTCs and a quantum-resistant root store as a fundamental opportunity to ensure the robustness of the foundations of today's ecosystem," stated Google's blog post. "By designing for the specific needs of a modern, agile Internet, we can accelerate the adoption of post-quantum resilience for all web users."
Sponsored Protocol