What is the Mosca-theorem?

Definition: Dr. Michele Mosca, a renowned expert in cryptography, has proposed a theorem to identify the path to post-quantum preparation. Dr. Mosca has advocated using an equation to evaluate an organization's readiness for the quantum era. This theory is based on the XYZ risk model.


The Mosca-theorem explained

“There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031.”
– Dr. Michele Mosca, (April 2015)

According to Michele Mosca's Theorem (X+Y)>Z, the amount of time that data must remain secure (X) plus the time it takes to upgrade cryptographic systems (Y) is greater than when quantum computers come online with enough power to break cryptography (Z), you have already run out of time.

Here is a basic example of the theorem: 

  • How long do you need encryption to be secure? (X years)
  • How long will it take to implement a large-scale quantum-safe solution into your current infrastructure? (Y years)
  • How long will it take to develop a large-scale quantum computer or any other significant development? (Z years)

Theorem 1: If x + y > z, then worry

Security shelf life (X)

The shelf life of your current security capabilities is the X in Mosca's theorem. While some of the cryptographic keys currently in use are transient and have a very limited lifespan, many others, like those used in public key infrastructure, must remain in use and secure for five, ten, or even twenty years or more before they need to be rotated.

Migration time (Y)

The time needed to migrate your current cryptographic solutions into a fully quantum-safe environment is represented by the Y component of the equation. The term "migration time" refers to more than just how long it takes a company to switch its whole crypto ecosystem over to quantum-safe algorithms. Additionally, it must take into account the time required for quantum-safe algorithms to be developed and widely accepted.

Collapse time (Z)

This is defined as the number of years before stable quantum computers become available that can break existing crypto algorithms. According to Mosca’s Theorem, there are a large number of data sets that exist today that, due to company data retention policies or regulatory requirements, must be kept confidential and protected against manipulation past the time we expect quantum attacks to be a threat. It is not possible to wait for standards for quantum-resistant cryptography to be defined for that data.

An example would be:

X - A financial institution needs to look after personal customer data for the longevity of the customer relationship for as long as needed, in compliance with data protection laws such as GDRP, for example. In this example, let’s say between 1 and 10 years.

Y - The financial institution forecasts that it will take between 3 and 4 years to upgrade to a fully quantum-safe environment.

Z - Quantum computers arrive within the next 3 to 4 years with the power to break cryptography and customer data is exposed.

- This occurred before the financial institution upgraded its environment during its predicted timeframe of 3 to 4 years (Y), and hackers were able to take advantage of this sensitive customer data.

Mosca's theorem serves as a clear reminder of the need for organizations to begin applying diligence in the Post Quantum space right away. In order to evaluate the best forms of crypto-agility that can keep your systems safe and secure in advance of the quantum future, Mosca’s theory presents an optimistic strategy.

Utimaco is able to provide quantum-resistant solutions that enable businesses to defend their systems against assaults based on quantum computers thanks to significant time and talent investments in post-quantum cryptography.



Blog posts

Blog posts

Related products

Related products

Contact us

We look forward to answering your questions.

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.