Google Deploys Quantum-Proof HTTPS in Chrome
Google has started rolling out quantum-hardened HTTPS in Chrome, a major move to future-proof web security against quantum computer attacks. The system uses clever math to compress 2.5kB of cryptographic data into just 64 bytes, making it practical for mass deployment. This signals that post-quantum cryptography, guided by the NIST standardization process, is no longer theoretical and is becoming a production reality.
The move counters the threat from "harvest now, decrypt later" attacks, where adversaries are already storing encrypted data with the intent of decrypting it once a powerful quantum computer is available. This strategy poses an immediate risk to data with long-term sensitivity, such as government, financial, or medical records. At the core of the vulnerability are today's public-key encryption standards like RSA and ECC. A sufficiently powerful quantum computer running Shor's algorithm could easily break the mathematical problems that underpin these standards, such as factoring large prime numbers. This would render much of the internet's secure communication and digital signature infrastructure obsolete. The new approach in Chrome utilizes Merkle Tree Certificates (MTCs), which replace the traditional chain of signatures with compact proofs of inclusion. This allows a Certificate Authority to sign a single "Tree Head" that represents millions of certificates, drastically reducing the amount of data needed for verification during a TLS handshake. This innovation keeps the post-quantum web fast, avoiding the significant bandwidth and latency issues that would come from simply using larger quantum-resistant keys in the existing X.509 certificate structure. Google's implementation features a hybrid approach, combining the established X25519 elliptic curve algorithm with CRYSTALS-Kyber (now standardized as ML-KEM), a quantum-resistant algorithm selected by NIST. This ensures connections remain secure against current threats while providing protection against future quantum attacks. Should one algorithm be compromised, the other still protects the connection. This rollout is part of a phased plan, with a feasibility study already underway with partners like Cloudflare. Google aims to establish a dedicated Chrome Quantum-resistant Root Store by 2027, which will operate alongside the existing root program to ensure a smooth and secure transition for the entire web ecosystem. The transition to post-quantum cryptography is a global effort, with timelines for migration extending into the next decade. The UK's NCSC, for instance, has set a 2035 target for completing the migration of all systems, while the EU has set a 2030 deadline for critical use cases. This lengthy transition period highlights the complexity of updating the protocols and infrastructure that underpin digital security.
