
Mapping Mosca’s Theorem to Your Unique Q-Day Risk Timeline

There is a tempting and dangerously wrong way to think about the quantum threat to cryptography. It goes like this: NIST finalized the post-quantum standards in 2024, and the more aggressive forecasts put a cryptographically relevant quantum computer (CRQC) somewhere around 2030, so if migration begins now and finishes in a few years, there is comfortable headroom before anything breaks. That is exactly the reasoning that leaves organizations exposed, and a simple piece of arithmetic explains why.

That arithmetic is Mosca’s Theorem, a risk-timing framework formulated by the Canadian cryptographer Dr. Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo and a co-author of the Global Risk Institute’s annual Quantum Threat Timeline reports. The theorem does not require you to predict the exact date on which quantum computers will break encryption, which is fortunate because nobody can. Instead, it reframes the entire problem around a question you can actually answer: given how long your data must stay secret, and how long your migration will take, can you finish in time?

This blog explains Mosca’s Theorem in plain terms, walks through each of its three variables with current 2026 data, and shows you how to calculate your own personal Q-Day risk window.

The Question Mosca’s Theorem Answers

Most discussions of the quantum threat get stuck on a single unanswerable question: when exactly will a quantum computer be able to break RSA and ECC? This is the wrong question to organize your planning around, because the honest answer is a probability distribution with a range, not a date. Waiting for certainty about that date means waiting until it is far too late to act.

Mosca’s genius was to sidestep the unanswerable question entirely. Rather than asking “when will the threat arrive,” the theorem asks, “will I be safe when it does,” and it shows that you can answer the second question even with deep uncertainty about the first. The framework recognizes that the quantum threat is not a single future event that you can prepare for at the last minute. It is a deadline that is already bearing down on data being created today, because much of that data must remain confidential for years or decades into the future.

The reason this matters is the threat model known as Harvest Now, Decrypt Later. Adversaries with the resources to do so are presumed to be capturing and archiving encrypted data today, with the intent of decrypting it once a capable quantum computer exists. This means data encrypted with RSA or ECC right now is already at risk if it needs to remain confidential past the point that quantum computers mature. The encryption has not been broken yet, but the ciphertext is already sitting in an adversary’s archive, waiting. Mosca’s Theorem is the tool that tells you whether your data falls into that exposed category, and it does so with a single, elegant equation.

The Formula: X + Y > Z

At its core, Mosca’s Theorem is a comparison between three spans of time, expressed as a simple inequality:

If X + Y > Z, you have a problem.

The three variables each represent a number of years, and each answers a specific question about your situation:

| Variable | What It Represents | The Question It Answers |
|----------|--------------------|-------------------------|
| X | Security shelf life | How long must your data remain confidential? |
| Y | Migration time | How long will your transition to post-quantum cryptography take? |
| Z | Collapse time | How many years until a quantum computer can break today’s cryptography? |

The logic is straightforward once you see what it is measuring. X plus Y is the total amount of time, starting now, before your data is both fully migrated to quantum-safe protection and past the end of its required confidentiality period. Z is the amount of time, starting now, before the threat capable of breaking that data actually exists. If the first quantity is larger than the second, then there is a window during which your sensitive data is still required to be confidential, is still protected only by quantum-vulnerable cryptography, and is exposed to a quantum computer that already exists. That overlap is the period of exposure, and it represents data that will be compromised.

The framework was first published by Mosca in 2015, and it has become the standard reference that CISOs, government agencies, and risk committees use to calibrate their post-quantum migration timelines. You do not need to know Z precisely. You only need to establish that X plus Y is long enough that even an optimistic estimate of Z leaves you exposed. For a great many organizations, that is exactly what the arithmetic shows.


Calculating Your Own Risk Window

You can apply Mosca’s Theorem to your own organization with a straightforward exercise, and the value of doing so is that it converts an abstract, paralyzing threat into a concrete, prioritized plan. The process has three steps, one for each variable.

First, determine your X by inventorying your data classes and identifying the longest confidentiality requirement among them. Look across every category of sensitive information you hold, from ephemeral tokens to permanent records, and find the data that must stay secret the longest. Regulatory retention requirements, contractual confidentiality obligations, and the simple nature of the data itself, such as health or genetic information, all inform this. The single longest-lived data class sets your X, because that is the data most exposed to the Harvest Now, Decrypt Later threat.

Second, estimate your Y honestly, and account for the full migration: cryptographic discovery, dependency analysis, the dependencies you do not yet know about, vendor and third-party timelines, hardware upgrades or replacements, testing, and phased rollout. If you are a mid-sized organization with a focused environment, three to five years is a reasonable starting estimate. If you are a large enterprise with sprawling, interdependent systems, assume ten years or more until a discovery exercise tells you otherwise. A migration timeline that looks short on paper almost always proves longer in practice.

Third, choose your Z based on the risk posture you are willing to accept rather than on wishful thinking. The current expert consensus places a meaningful probability of a CRQC within the next ten years and a median estimate in the early 2030s, with the trend consistently shortening. A conservative, defensible planning value treats Z as roughly a decade, while a risk-averse posture appropriate for highly sensitive data treats it as shorter still. Once you have all three numbers, the comparison is immediate. If X plus Y exceeds your chosen Z, you are on the wrong side of the inequality, and the gap between them is a rough measure of how much exposure you are carrying.
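
The three steps above can be run as a worksheet over a data inventory. The following is an added example, not code from this article or from Encryption Consulting: the data classes, their shelf lives, the migration time of 5 years, and the 7-year and 15-year values of Z are constructed assumptions, while the 10-year value mirrors the "roughly a decade" planning figure above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataClass:
    name: str
    shelf_life_years: float  # X for this data class

# Constructed sample inventory (assumption, not taken from the article).
INVENTORY = [
    DataClass("session tokens", 0.01),
    DataClass("payment records", 7),
    DataClass("contracts under NDA", 10),
    DataClass("genetic/health records", 30),
]

# Z scenarios in years. 10 follows the article's "roughly a decade";
# 7 and 15 are illustrative assumptions.
Z_SCENARIOS = {"risk_averse": 7, "conservative": 10, "optimistic": 15}

def organisation_x(inventory):
    """Step one: the longest-lived data class sets X."""
    return max(dc.shelf_life_years for dc in inventory)

def exposure_years(x, y, z):
    """Years data must still be secret while a CRQC exists: max(0, X + Y - Z)."""
    return max(0.0, x + y - z)

def migration_budget(x, z):
    """Largest Y that keeps X + Y <= Z. A negative value means ciphertext
    harvested today is exposed however fast the migration finishes."""
    return z - x

def assess(inventory, y, z_scenarios, planning="conservative"):
    """Per-class exposure under every Z scenario, worst exposure first."""
    rows = []
    for dc in inventory:
        per_z = {name: exposure_years(dc.shelf_life_years, y, z)
                 for name, z in z_scenarios.items()}
        rows.append({
            "name": dc.name,
            "exposure": per_z,
            "worst": max(per_z.values()),
            "budget": migration_budget(dc.shelf_life_years, z_scenarios[planning]),
        })
    return sorted(rows, key=lambda r: r["worst"], reverse=True)

if __name__ == "__main__":
    Y = 5  # assumed migration time in years
    for r in assess(INVENTORY, Y, Z_SCENARIOS):
        print(f"{r['name']:<24} worst={r['worst']:5.1f}y budget={r['budget']:6.1f}y")
```

A negative budget marks the classes where shortening Y cannot close the gap for data already captured, so those are the ones to move to quantum-safe protection first.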

How Encryption Consulting Can Help

Mosca’s Theorem turns an abstract threat into a concrete planning problem, and the variable it tells you to attack is Y, your migration time. Reducing that variable safely and proving you have done so is precisely the work Encryption Consulting exists to support, and our approach maps directly onto the steps the theorem prioritizes.

The foundation of any response to the inequality is knowing what you have, which is why our work so often begins with cryptographic discovery. Our CBOM Secure solution performs continuous discovery across your environment, identifying every certificate, key, algorithm, and cryptographic dependency in use, including the ones buried in places that manual audits routinely miss. Because discovery is consistently the longest and most underestimated phase of a migration, automating it is one of the most effective ways to compress Y and to establish, with real data rather than guesswork, exactly how exposed your longest-lived information actually is.

From that inventory, our Post-Quantum Cryptographic Advisory Services help you translate the theorem’s verdict into a sequenced migration roadmap, prioritizing the data classes with the longest shelf life, designing the crypto-agile architecture that prevents the next transition from being as painful as this one, and structuring the hybrid deployment approach that protects new data immediately while legacy systems are brought across.

Because so much of the quantum risk is concentrated in the signatures and keys that protect software and long-lived data, our product portfolio supports migration with our CodeSign Secure platform, which provides production-ready signing with the NIST post-quantum algorithms ML-DSA and SLH-DSA as detachable signatures that protect artifacts with both classical and quantum-safe signatures during the transition, all backed by hardware security modules so the underlying keys are protected to the highest standard.

For organizations that need the hardware foundation delivered as a managed capability, our HSM as a Service offering provides FIPS-validated, vendor-agnostic key protection that can anchor the quantum-safe infrastructure without the burden of operating the hardware in-house.

Across discovery, advisory, and the products that carry out the migration, the throughline is the one the theorem points to: the sooner you start and the faster you can safely move, the smaller the exposure window becomes, and helping organizations move quickly and correctly is the work we do.


Conclusion

Mosca’s Theorem endures because it cuts through the single most paralyzing aspect of the quantum threat, the impossibility of knowing exactly when quantum computers will break encryption, and replaces it with a question you can actually answer. You do not need to predict Q-Day. You only need to be honest about how long your data must stay secret, realistic about how long your migration will take, and willing to compare that sum against even an optimistic estimate of when the threat arrives.

For most organizations handling data that must remain confidential for a decade or more, that comparison delivers an uncomfortable verdict: the window to act reactively has already closed. The reason for that verdict is the combination of three forces that the theorem makes visible. Data shelf lives are long and largely fixed. Migration times are measured in years and often in more than a decade. The constructive response is not alarm but action, focused on the one variable you control.

Start your cryptographic discovery now, prioritize your longest-lived data, build for crypto-agility, and compress your migration time as aggressively as you safely can. At Encryption Consulting, our discovery, advisory, and signing capabilities are built to help you do exactly that.