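Let's Encrypt Pushes a Quantum-Safe Certificate Scheme
Why it's worth reading
Let's Encrypt plans to adopt Merkle Tree Certificates (MTC) to provide post-quantum cryptographic authentication while avoiding the performance cost of traditional approaches. For teams running high-concurrency TLS services, this is currently the only quantum-safe migration path that does not sacrifice handshake speed.
Editorial take
The prevailing industry approach to quantum-safe migration is to replace existing algorithms directly with the NIST-standardized ML-KEM and ML-DSA, but the latter's signatures are very large (roughly 3-8 KB), which drives up TLS handshake latency and raises the handshake failure rate. MTC's innovation is to change certificates from X.509's chain structure to batch issuance in a Merkle tree, so the client only has to verify a short proof rather than a complete certificate chain.
Google's Chrome team is also pushing CRLite, which goes in a similar direction, but MTC goes a step further by tying post-quantum authentication and efficient distribution together. If you operate a CDN or an API gateway, you should start tracking the progress of experimental MTC implementations now: it determines whether you will need to prepare two sets of infrastructure for quantum safety in 2026-2028.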
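The batch-issuance idea described above, as an added example that is not Let's Encrypt's code or the MTC specification's encoding: a simplified Merkle tree with RFC 6962-style hash prefixes, showing that the proof a client checks is a few 32-byte hashes that grow with log2 of the batch size. The function names and the entry format are assumptions, the entries are constructed placeholders, and the root is assumed to have been authenticated separately (that signature check is not shown).

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # 0x00 / 0x01 prefixes keep leaves and inner nodes distinct (RFC 6962 style)
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(entries):
    """Return every tree level, leaves first; an unpaired node is promoted as-is."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(entry, proof, trusted_root):
    """Recompute the root from one entry and its proof; only hashing is needed."""
    node = leaf_hash(entry)
    for side, sibling in proof:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == trusted_root

if __name__ == "__main__":
    # Constructed batch: 1000 placeholder entries, not real certificate data
    batch = [b"host-%d.example|pubkey-placeholder" % i for i in range(1000)]
    levels = build_levels(batch)
    proof = inclusion_proof(levels, 0)
    ok = verify_inclusion(batch[0], proof, levels[-1][0])
    print(len(proof) * 32, "proof bytes for a batch of", len(batch), "valid:", ok)
```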
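Community feedback
Opinions divided · 69 comments
Core debate: whether quantum-safe encryption is over-engineered, and the correct way to implement hybrid schemes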
Better encryption sounds good to me in general, but I don't really understand how we can make quantum safe encryption when we don't know yet what capabilities it will have (or if it is possible at all). I am obviously not in the field, but as far as I know, no QC is close to working for a practic
The capabilities of quantum computing, in theory, are pretty well known. There's basically a few extra operations which can be done efficiently on it and so that can be built into the threat model, even if no-one's built a quantum computer yet. (Of course, basically all encryption, especially asymme
Supersingular Isogeny Key Exchange is one that was invented to be quantum-safe but turned out to be unsafe at any speed, so hybrid encryption is still a good idea. You use both a quantum-safe algorithm and a classical algorithm, encrypting your data twice and remaining secure if either one is broken