Every encryption decision is made at a single moment, against the threat model that exists at that moment. The cryptographic mechanism chosen reflects what was secure in the decision year. The data that encryption protects may need to remain confidential for a decade or two beyond that point. The threat model will not have stayed the same.

This mismatch is the central problem in quantum security planning for long-lived data. It has a formal expression in the Mosca inequality, published by Michele Mosca in IEEE Security & Privacy in 2018. The inequality is: if the time required to complete a cryptographic migration (X) plus the required confidentiality lifetime of the data (Z) exceeds the time until a cryptographically relevant quantum computer (CRQC) exists (Y), the data is at risk under harvest-now, decrypt-later attack. Written out: X + Z > Y means the data is in the risk window.

This article works through what that means operationally: which encryption decisions are now in deficit, which can be deferred, and which are effectively locked in permanently. It cross-links to the companion analysis of which data categories are most at risk from HNDL today, to the priority sequencing framework for long-lived data protection, and to the HNDL exposure calculator.

The Mismatch Between Decision Time and Data Lifetime

The threat model underlying an encryption decision in 2015 assumed that RSA-2048 required approximately 2^112 classical operations to break. That assumption was sound in 2015. Against a CRQC running Shor's algorithm, which solves integer factorisation in polynomial time, the same calculation has a different answer. The algorithm choice that was correct in 2015 is incorrect for data that must remain confidential in 2033.

The Q-Day planning anchor used throughout this article is 2033. The Global Risk Institute Quantum Threat Timeline Report 2024 (Mosca and Piani) places a meaningful probability of CRQC capability in the 2030 to 2037 range. NSA's CNSA 2.0 advisory mandates RSA and ECC retirement from National Security Systems by 2033. NCSC published phased PQC migration timelines in March 2025 with Phase 3 completion targeted at 2031 to 2035. Taking 2033 as Y gives a conservative planning horizon. If the organisation's migration is complete before 2033, later CRQC estimates only reduce the urgency; they do not change the underlying risk calculus.

With Y set at 2033, the remaining time to Q-Day from 2026 is approximately 7 years. Any data with a remaining confidentiality requirement of Z years and a realistic migration time of X years where X + Z exceeds 7 is in the immediate risk window today.

Three Conditions That Lock an Encryption Decision In

Most encryption decisions can in principle be revisited: the application can be updated, the data store re-encrypted, the certificates replaced. Some cannot. Three conditions combine to make an encryption decision effectively permanent:

  • Data lifetime exceeds algorithm security horizon. The data is retained long enough that the algorithm protecting it is expected to be broken before the data can be safely disclosed or destroyed.
  • The system is not forward-agile. The encryption is baked into a system, embedded firmware, or hardware device that cannot be re-encrypted without a complete hardware or platform replacement. The encryption decision travels with the system for its operational life.
  • Key management is not crypto-agile. The system uses a hard-coded key or a key management scheme that cannot re-wrap existing ciphertext under a new algorithm without decrypting and re-encrypting the entire data store, which may be infeasible at scale or in the operational context.

NIST NCCoE SP 1800-38B (2024) identifies each of these as distinct migration challenges. When all three conditions are present simultaneously, the original encryption decision is locked in for the lifetime of the system. The architecture makes re-encryption the equivalent of a system rebuild.

AES-128, AES-256, and the Algorithm Choices That Matter

The quantum risk discussion focuses heavily on RSA and ECC, for good reason: Shor's algorithm breaks them completely. AES-128 carries a separate and underappreciated risk that applies specifically to long-archive contexts.

Grover's algorithm (Grover, STOC 1996) provides a quadratic speedup for unstructured search. Applied to symmetric key brute force, it halves effective key length. AES-128 has an effective post-Grover key length of approximately 64 bits, according to Grassl et al. (PQCrypto 2016). That is below any accepted security threshold. AES-256 has an effective post-Grover key length of approximately 128 bits, which NSA judges adequate in CNSA 2.0 and which NIST IR 8547 (November 2024) does not deprecate.

Data encrypted under AES-128 in CBC mode during the 2005 to 2015 period carries two distinct vulnerabilities: the Grover key-length reduction to 64-bit effective security post-CRQC, and the classical mode-level weaknesses (padding oracle attacks against CBC, block pattern exposure in ECB) that add attack surface on archived ciphertext. A 20-year retention scenario, common in legal, financial, and healthcare sectors, puts pre-2015 AES-128-CBC archives squarely in both categories simultaneously.

Re-encryption of AES-128 archives under AES-256 is achievable today without PQC deployment. It requires classical computing infrastructure and appropriate key management, but no new cryptographic primitives. This step is separable from the RSA and ECC migration. For archives that use RSA or ECDH to wrap the AES-128 data encryption key (DEK), the key wrapping layer must also migrate to ML-KEM (FIPS 203) to close the asymmetric vulnerability. The symmetric re-encryption and the key wrap migration can be sequenced according to risk priority rather than tackled simultaneously.

Three Decision Categories: Immediate, Deferred, Irreversible

The Mosca inequality produces three operational decision categories when applied to current encryption decisions.

Immediate: Data currently being generated under quantum-vulnerable key exchange where X + Z > Y. The RSA-2048 key exchange decision made in 2018 for data with a 15-year confidentiality requirement illustrates the point: with X = 5 years for a complex enterprise migration, Z = 10 years remaining confidentiality from today (to 2036), and Y = 7 years (to 2033), X + Z = 15 > 7. The 2018 decision is already in deficit. The immediate action for active data flows is to deploy hybrid key exchange: X25519 combined with ML-KEM-768 for commercial TLS (IETF RFC 9496), or ECDH P-384 combined with ML-KEM-1024 for NSS environments. This addresses the key exchange layer without requiring immediate full migration of all asymmetric infrastructure.

Deferred: Data with a confidentiality lifetime that ends before the estimated Q-Day, or systems scheduled for a full platform replacement before the CRQC window opens. The encryption decision can be addressed in the next planned system refresh. The obligation here is to monitor: a change in the Q-Day estimate moves data between the deferred and immediate categories. Deferred is not safe. It is a monitored state.

Irreversible: Data already encrypted and stored under quantum-vulnerable protection, which cannot be re-encrypted without decrypting the entire archive, and which has a confidentiality lifetime extending past Q-Day. This category cannot be addressed by technical migration. The ciphertext is fixed; the captured public key material is fixed. The only risk reduction available is to reduce what the adversary's decryption will expose: destroy archived data that has passed its legal minimum retention period; reduce unnecessary retention; and escalate the remaining residual risk to board level for a documented risk acceptance decision. The CBOM (cryptographic bill of materials) process is the prerequisite for identifying which archives fall into this category.

Worked Examples Across Three Data Categories

NHS medical records. The NHS Records Management Code of Practice 2021 sets a minimum retention of eight years after last clinical contact for adult records. Consider a record created in 2020 under TLS-protected key exchange (ECDH P-256). Applying the Mosca inequality: X = 4 years (a reasonable NHS trust-scale infrastructure migration estimate), Z = 2 years remaining confidentiality from 2026 (minimum retention to 2028), Y = 7 years. X + Z = 6 < 7. This specific record is outside the immediate risk window. However, the same system generates records with longer clinical holding requirements. A record from 2020 with a 15-year clinical holding requirement gives Z = 9 years from 2026. X + Z = 13 > 7. Immediate action is required for long-retention clinical records even though short-retention records from the same system fall in the deferred category.

Industrial control system firmware. A gas distribution SCADA system with ECDSA P-256 firmware signatures was commissioned in 2015 with a 20-year operational life and is not scheduled for replacement until 2035. The firmware signature verification key is baked into the hardware security module. Changing the signature scheme requires a hardware replacement programme. This is the irreversible category. The risk is that by 2033, ECDSA P-256 firmware signatures may be forgeable on a CRQC, enabling signed malicious firmware updates. Risk management options in order of preference: accelerate the hardware replacement programme; explore whether a firmware update can add an out-of-band verification layer using ML-DSA alongside the original ECDSA signature; or accept the risk at board level with documented rationale, per the escalation requirements in IEC 62443 and the NCSC Cyber Assessment Framework for critical national infrastructure.

Enterprise email archive. An organisation maintains a seven-year email archive for legal hold compliance. The lawful basis for retention is GDPR Article 6(1)(c) (legal obligation); retention that must continue beyond a data subject's erasure request is covered by the Article 17(3)(b) exception, which preserves data necessary for compliance with a legal obligation. Email transmitted via TLS (ECDH P-256) between 2019 and 2026 is archived. The oldest records' confidentiality requirement ends in 2026 (seven years from 2019). Those records are outside the HNDL window under a 2033 Y estimate and fall in the deferred category. Records created from 2026 onwards with a seven-year retention will still be within the risk window in 2033: Z = 7, X = 4, Y = 7, giving X + Z = 11 > 7. New email generation falls in the immediate category. Pre-2026 archived email is deferred. Both observations apply simultaneously to the same organisation's email infrastructure.

Building Crypto Agility into New Systems

The irreversible category exists because systems were built without crypto agility. NIST NCCoE SP 1800-38B identifies crypto agility as a core architectural requirement for any new system built from 2024 onwards. Systems designed today without it will become the next generation of irreversible exposures when they reach mid-lifecycle in the 2030s.

Four specific design requirements prevent the irreversible category from arising in future systems:

  1. Parameterise the cipher suite. No hard-coded algorithm or key size in application code. Algorithm selection should be configurable via a policy file or KMS attribute, not compiled in.
  2. Separate key management from application logic. Use a KMS with a KMIP 2.2 interface. OASIS KMIP 2.2 (August 2023) adds explicit support for ML-KEM and ML-DSA key object types. A KMS that does not support KMIP 2.2 cannot natively manage post-quantum keys.
  3. Use TLS 1.3 with negotiable cipher suites. No pinned TLS cipher that requires a code deployment to update. Algorithm selection at the TLS layer should be a configuration change.
  4. Design for re-encryption of stored data. Ensure the data store architecture permits re-encryption under a new key without requiring full plaintext exposure of the entire archive at once. Batch re-encryption with appropriate access controls is a design decision made at build time.

A system built to these four requirements will not appear in a future irreversible category assessment. A system that fails any one of them may.

The Four-Question Decision Matrix

To classify any existing encryption decision, apply these four questions in sequence:

  1. What is Z? How many years of confidentiality does this data still require, from today?
  2. What is X? How many years would a migration of this specific system or data category realistically take?
  3. Does X + Z exceed 7 (years to 2033)? If yes: immediate category. If no: deferred category.
  4. If immediate: is re-encryption technically feasible? If yes: initiate migration planning. If no: irreversible category. Escalate for board risk acceptance.
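The four questions above, applied to the article's three worked examples, as an added Python example (this is not the QSECDEF calculator or any code from the article): the record names are constructed labels, the SCADA migration time of 5 years is an assumption the article does not state, and the Q-Day anchor is a parameter so that deferred records can be re-checked when the estimate moves.

```python
from dataclasses import dataclass
from enum import Enum
Q_DAY_YEAR = 2033  # Y anchor used throughout the article
TODAY = 2026       # the year the article's X and Z values count from

class Category(Enum):
    IMMEDIATE = "immediate"
    DEFERRED = "deferred"          # monitored, not safe
    IRREVERSIBLE = "irreversible"  # board-level risk acceptance

@dataclass(frozen=True)
class EncryptionDecision:
    name: str
    migration_years: int           # X: realistic migration time for this system
    confidentiality_end_year: int  # year the data may be disclosed or destroyed
    reencryptable: bool            # False when re-keying amounts to a system rebuild

def years_to_q_day(q_day_year=Q_DAY_YEAR, today=TODAY):
    """Y: years remaining until the CRQC planning anchor."""
    return q_day_year - today

def remaining_confidentiality(d, today=TODAY):
    """Z, floored at zero: data past its retention end has nothing left to protect."""
    return max(0, d.confidentiality_end_year - today)

def classify(d, q_day_year=Q_DAY_YEAR, today=TODAY):
    """Four-question matrix: if X + Z > Y, immediate unless re-encryption is infeasible."""
    x = d.migration_years
    z = remaining_confidentiality(d, today)
    if x + z <= years_to_q_day(q_day_year, today):
        return Category.DEFERRED
    return Category.IMMEDIATE if d.reencryptable else Category.IRREVERSIBLE

# The article's worked examples; SCADA X = 5 is an assumed hardware replacement programme length.
DECISIONS = [
    EncryptionDecision("NHS record 2020, 8-year retention (ECDH P-256)", 4, 2028, True),
    EncryptionDecision("NHS record 2020, 15-year clinical hold (ECDH P-256)", 4, 2035, True),
    EncryptionDecision("Gas SCADA firmware signing (ECDSA P-256 in HSM)", 5, 2035, False),
    EncryptionDecision("Email archived 2019, 7-year hold (ECDH P-256)", 4, 2026, True),
    EncryptionDecision("Email generated 2026, 7-year hold (ECDH P-256)", 4, 2033, True),
]

def report(q_day_year=Q_DAY_YEAR):
    """Classify every decision against one Q-Day anchor; re-run when the estimate moves."""
    return {d.name: classify(d, q_day_year) for d in DECISIONS}

if __name__ == "__main__":
    for anchor in (Q_DAY_YEAR, 2031):  # 2031 shows a deferred record becoming immediate
        for name, cat in report(anchor).items():
            print(f"Y={years_to_q_day(anchor)}  {cat.value:12} {name}")
```

Running it with the 2031 anchor moves the short-retention NHS record from deferred to immediate while the 2019 email stays deferred, which is the monitoring obligation the deferred category describes.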

Apply the QSECDEF HNDL Risk Calculator at /tools/hndl-risk-calculator/ to work through the Mosca inequality for a specific system or data category with your organisation's actual values for X, Z, and Y. The matrix above provides the decision logic; the calculator provides the quantified output.

Steven Vaile, Director, Quantum Security Defence.