Mosca's theorem

In the field of cryptography, Mosca's theorem addresses the question of how soon an organization needs to act in order to protect its data from the threat of quantum computers. A quantum computer, once developed, would have the capacity to break the types of cryptography that have been widely used throughout the world, such as RSA. Although this is known risk, no one knows exactly when a quantum computer will be created. Mosca's theorem provides a risk assessment framework^[1] that can help organizations identify how quickly they need to start migrating to new methods of quantum-safe cryptography.

Mosca's theorem was first proposed in the paper "Cybersecurity in an era with quantum computers: will we be ready?" by Michele Mosca, a professor at the University of Waterloo and co-founder of the Institute for Quantum Computing.^[2] He proposed that if X + Y > Z, then organizations need to worry about the impact of quantum computers on their data. In this formula, X is the amount of time a given piece of data needs to be secure (shelf life); Y is how long it will take your organization to implement post-quantum cryptographic solutions (migration time) and Z is how long it will be before a sufficiently strong quantum computer exists (threat timeline).^[3][4][5]

While the value of Z is unknown, many national information technology organizations predict the year 2030^[6] or 2035.^[7] Given the complexity of migrating to post-quantum cryptography, Mosca's theorem suggests that most organizations need to be transitioning soon, or are perhaps behind schedule.

Mosca's theorem helped justify the National Institute of Standards and Technology’s 2016 strategy to establish a handful of PQC algorithms with the international community.^[8]