A Post-Quantum Future for Let's Encrypt

The window for treating authentication as a secondary concern to encryption is closing. While the primary threat of quantum computing has long been the retroactive decryption of recorded traffic, the focus is shifting toward the real-time forgery of digital signatures. Let’s Encrypt is moving toward a post-quantum-safe Web PKI through the implementation of Merkle Tree Certificates (MTCs), a strategy designed to introduce post-quantum authentication without compromising the speed of TLS.

The timeline for this transition is accelerating. Since 2022, the NSA’s CNSA 2.0 suite has directed national security systems toward post-quantum algorithms on a 2030-to-2035 schedule. NIST’s draft transition guidance intends to deprecate RSA-2048 and P-256 after 2030, with a total disallowance after 2035. The European Union is also targeting high-risk systems by the end of 2030 and broad migration by 2035.

This is not merely a regulatory shift; it is a structural migration. Google has announced it will migrate its services by 2029, and Cloudflare has made a parallel commitment. We are seeing the foundational tools of the internet prepare for this shift, evidenced by Go 1.27 adding ML-DSA, a NIST-standardized post-quantum signature scheme, to its standard library.

The difficulty lies in the physics of the data. Post-quantum signatures are significantly larger than their classical predecessors. For example, ML-DSA-44, one of the smaller NIST standardized schemes, carries a signature roughly 2,420 bytes long. Deploying these larger signatures across the Web PKI ecosystem presents a massive technical challenge for the libraries and standards bodies that maintain the internet's stability.

The risk to long-lived keys—such as root certificate authorities and identity systems—is too high to defer. Because new technology requires years to achieve broad adoption, the transition to MTCs must begin now to ensure the infrastructure is ready before a cryptographically relevant quantum computer arrives.

The question for infrastructure architects is no longer if they will migrate, but how they will handle the increased payload of a post-quantum web.