Skip to content
All articles
Research

Mosca's theorem: the equation that decides when to start post-quantum migration

By quantakrypto Research8 min
TL;DR

Read this first

Mosca's inequality — X + Y > Z — is the one piece of arithmetic that turns an unanswerable question ("when will a quantum computer break RSA?") into an answerable one ("should we start migrating now?"). If the years your data must stay secret (X) plus the years your migration will take (Y) exceed the years until a quantum computer can break today's cryptography (Z), you are already exposed. Two of those three numbers are yours to know today.

Most post-quantum cryptography conversations stall on a single question: when does a quantum computer capable of breaking RSA and elliptic-curve cryptography actually arrive? It is the wrong question to organise around, because it invites a bet on a date nobody can call. Around 2015 the cryptographer Michele Mosca — a co-founder of the Institute for Quantum Computing in Waterloo — reframed the whole problem as a risk inequality that needs no precise date at all.

The inequality

Mosca's theorem is deceptively simple. Define three durations, in years:

  • X — the security shelf-life: how long your data must remain confidential.
  • Y — the migration time: how long it takes to re-tool your systems onto quantum-safe cryptography.
  • Z — the collapse time: how long until a quantum computer can break the cryptography you use today.

The theorem states the obvious once you write it down: if X + Y > Z, you have a problem. Any secret whose required lifetime plus your migration time reaches past the arrival of a capable quantum computer is, in effect, already exposed — it will still be sensitive, and still under old cryptography, on the day the machine exists. Mosca set this out in his paper "Cybersecurity in an era with quantum computers: will we be ready?".

Decision

The move it forces

You cannot control Z, and you cannot predict it precisely. But you already know X — how long your data must stay secret — and you can estimate Y — how long a migration takes. If X + Y exceeds even an optimistic Z, the decision is made for you: start now.

Why the arrival date is a red herring

The instinct is to argue about Z — to wait for a clearer signal that a cryptographically-relevant quantum computer is near. Mosca's framing removes that temptation for two reasons. First, Shor's algorithm means the break, when it comes, is not gradual: the asymmetric cryptography protecting key exchange and signatures fails abruptly. Second, and more importantly, confidentiality does not wait for Z at all. Under harvest now, decrypt later, an adversary records your encrypted traffic today and decrypts it once the machine exists. For long-lived secrets, the exposure clock starts the moment the ciphertext is captured — years before Z.

Working the numbers

Put real values in. For data with a long confidentiality requirement — health records, government and defence material, financial and legal archives, long-term intellectual property — X is commonly 15 to 30 years. A serious enterprise migration (inventory every use of cryptography, achieve crypto-agility, test, and roll out without breaking production) is rarely under 5 years and often closer to 10; that is Y. And Z? The annual Quantum Threat Timeline report that Mosca co-authors surveys leading experts, many of whom assign a meaningful probability to a capable machine within 10 to 15 years, while national programmes broadly target the mid-2030s for high-risk migrations.

For a 20-year secret and a 7-year migration, X + Y = 27 — well past almost any credible Z. The inequality is already violated.

From inequality to action

Mosca's theorem is not only a warning; it is a prioritisation tool. Because X varies enormously across systems, it tells you what to migrate first: the longest-lived confidential data, not the busiest endpoint. Operationally that means building a cryptographic inventory — you cannot migrate what you cannot see — ranking each finding by its harvest-now-decrypt-later exposure, and moving the highest-X surfaces onto the finalised NIST post-quantum standards: the lattice-based ML-KEM for key exchange first, since key exchange is where harvest-now-decrypt-later bites. NIST published the first three standards in 2024; the algorithms are no longer the bottleneck.

Pitfall

The mistake it prevents

Treating a dramatic quantum milestone as the trigger to begin. By the time Z is publicly observed, X + Y has long since overtaken it, and a multi-year migration that should already be finished has not started. Mosca's inequality is precisely the argument for acting before the trigger, not at it.

Mosca's theorem does not tell you when the quantum computer arrives. Its whole point is that you do not need to know. Two numbers you already own — how long your secrets must stay secret, and how long you will take to migrate — settle the only question that matters. Start with the one you can measure today: run a cryptographic inventory to find your X. One command: npx @quantakrypto/qscan ./

References

Get started

Turn quantum risk into a credential.

Book a discovery call and get an indicative scope and pricing for your organisation.