Crypto agility - How to determine your timeline for post-quantum preparation

There is a significant uncertainty when it comes to the impact of quantum computing on modern cryptography. Perhaps the largest concern centers on just exactly when the quantum cryptography apocalypse will occur.

While there are flurries of activity surrounding both the development of stable quantum computers and the cryptography algorithms that can withstand them, many are operating on what is at best a "loose" timeline. To help you on your journey to crypto-agility, let's take a look into how to determine your timeline for post-quantum preparation.

Mosca's Theorem

Renowned cryptography expert Dr. Michele Mosca has offered a theorem that may be the key to successfully determining your path to post-quantum preparation.  In his many presentations on the future of cryptography, Dr. Mosca has suggested the following equation be used in evaluating an organizations ability to prepare for the quantum age. This theorem is:

If X+Y > Z, then worry.

This theorem is both simple in its design yet complex in its evaluation.

In order to utilize the theorem effectively, we need to delve deeper into the variables of X, Y, and Z.

Determining X

The X factor in Mosca's theorem is defined as the shelf life of your existing security capabilities. This scope of capabilities will vary from entity to entity, however, it should encompass aspects such as algorithms used, processes, procedures, hardware, and software. In determining your X, you need to evaluate how long your current configurations will be able to effectively offer the security that you, your customers and your partners require.

As organizations take a closer look at this shelf life, they must consider the steps they are taking towards crypto agility. Whether this is the result of adopting new Key Management Systems, upgrading existing Hardware Security Modules or integrating new policies and procedures, your level of quantum crypto preparation will play a big role in determining the rest of your timeline.

Determining Y

The Y component of the equation refers to the migration time required to move your current crypto solutions into a fully quantum-safe environment. Determining your path to migration must be built on a solid understanding of where you currently stand. Your migration path is also heavily dependent on the proactive steps you take to inject crypto-agility into your current capabilities.

Migration paths will vary greatly from organization to organization. Your particular timeline will be dependent on the path you choose to obtain post-quantum readiness. Many organizations will choose a path of employing crypto-agile solutions to build an interim defense mechanism that can, in theory, be more quickly transitioned into a full quantum capable solution. Still, other entities may opt for a "Big Bang" approach where they will completely scrap their legacy solutions and implement a quantum safe solution from scratch.

Determining Z

The final piece of the puzzle is Z. This is defined as the number of years until stable quantum computers become available that can break existing crypto algorithms. While organizations can take the time to evaluate what makes up their own versions of X and Y, the value of Z becomes very subjective.

For starters, the scientific community does not have a consensus opinion on when quantum computing will be available in a stable form. Estimates range from 10 years to 20 years and beyond. In addition, once the first quantum computers are available, there will be an undetermined period of time before they could be used as part of a comprehensive cyber attack. To determine your specific value of Z, you will need to factor in the scientific projections and determine how much risk you are willing to endure.

Solving Your Equation

The primary value of Mosca's theorem is that it allows you to fully assess where you currently stand, determine a path to migration and then compare it to the potential timeline for quantum computing availability. If your current shelf life plus your migration path is less than the number of years left until quantum computers, then you are in good shape. If the opposite is true, then you are obviously at risk of not being able to provide the necessary security to your customers and partners.

The additional value of this theorem is that it provides a framework for you to fully evaluate where you stand and where you need to go in order to achieve post-quantum security. It offers an optimistic approach to evaluate the best forms of crypto-agility that can keep your systems safe and secure in preparation for the quantum future.

Dr. Mosca does offer one sobering thought, however. Regardless of your current state (or X), if Y>Z then your cyber-systems will collapse. He also suggests that rushing "Y" will be expensive and disruptive. Take advantage of Dr. Mosca's theorem to craft your quantum risk management plan and safeguard your systems in the post-quantum era.

Work with the PQC experts

We at Utimaco have the honor to work with some of the leading researchers in quantum cryptography, who use our Hardware Security Modules.

The ultimate goal is to prepare:

  • the security infrastructure of the digital economy,
  • algorithms and
  • HSMs in unison for the post-quantum era.

Learn from the PQC experts

In the context of Utimaco’s Applied Crypto Symposium we had the chance to interview 3 of the leading researchers, and to dive into their views and research agenda on post-quantum cryptography.


... from the Institute of Quantum Computing

We started our series with with Michele Mosca, co-founder and professor at the Institute of Quantum Computing at the University of Waterloo.

Michele firsts sketches out the playing field, describing the challenges of post-quantum cryptography. He emphasizes the crucial role of HSMs in PQC and explains why. See the video


... from Samsung

In a 2nd video post, Madjid Nakhjiri, Senior Principal Security Architect at the Samsung Strategy and Innovation Center builds on Michele's statements and describes PQC from a major industry player’s point of view. Samsung is a major player in the global B2C communication and entertainment industry. Connected devices are key to their future evolution. How will they handle it.


... from Entrust Datacard

In the third video, Sandy Carielli, Security Technologies Director at Entrust Datacard provides the perspective of a major security company. How can cards be made post-quantum proof and what may be their role in the post-quantum era.


... from independent security experts

The posts will be accompanied by discussions of NIST’s “semifinal” selection of post-quantum algorithms. The discussions will be led by security experts such as Peter Smirnoff, co-developer of the latest release of the GOST hash function or IT-journalist Terry Anton.


Watch already published videos on PQC #PartnersAreKey

  • Cryptomathic: CTO talks about how quantum computers influence the use of cryptography
  • QuintessenceLabs: Why do experts in post-quantum crypto work with Utimaco HSMs?

Connect to the Utimaco PQC research network

Be informed about the release of the next post-quantum related blogs and videos. Simply enroll to our info-mail with the subscription button on the top right.

Are you part of a research institute of department and interested in participating in our collaborative research programs, please contact us for additional information.

Blog post by Paul Abraham

Get in touch with us

Talk to one of our specialists and find out how Utimaco can help you today.