CISOs are asked to justify PQC migration investment against uncertain timelines, crowded security budgets, and a board that wants to understand the risk without understanding lattice cryptography. The Mosca inequality is the most concise argument that exists for starting now. Three variables. One calculation. If the sum of two exceeds the third, the organisation is already behind. This article walks through how to populate those variables for a real organisation and shows what the number tells you once you have it.
The framework was published by Michele Mosca in IEEE Security and Privacy, 2018, vol. 16, no. 5, pp. 38-41 (DOI: 10.1109/MSP.2018.3761723). The formulation has become the standard for board-level PQC migration justification because it translates a cryptographic engineering problem into a data protection timeline problem that any governance body can reason about.
The Three Variables
The inequality states: if X + Y > Z, act now.
- X = the time required to migrate the organisation's cryptographic infrastructure to quantum-resistant algorithms.
- Y = the period during which the data the organisation needs to protect must remain confidential.
- Z = the time until a cryptographically relevant quantum computer (CRQC) exists.
If X + Y exceeds Z, the organisation cannot complete migration before its sensitive data enters the risk window. The implication is not subtle: waiting makes the inequality worse, because X stays the same or grows while Z shortens.
Variable X: How Long Will Migration Actually Take?
Most CISOs underestimate X significantly. Installing a new TLS library is not a migration. X is the total programme lead time, and it includes cryptographic discovery and CBOM completion (6 to 18 months for complex infrastructure), vendor and supplier FIPS 140-3 validation, application-level migration across potentially hundreds of services, PKI migration including root CA rollover and certificate re-issuance, and legacy system decommissioning or isolation.
Realistic X for a large organisation with complex infrastructure: five to ten years. For a small organisation with a modern, cloud-native stack: two to three years. The NIST SP 1800-38A (NCCoE PQC Migration practice guide) methodology provides the structure for a more precise estimate.
Variable Y: How Long Does Your Data Need to Stay Confidential?
Y is where the inequality surprises most organisations. Consumer financial data: five to seven years under typical regulatory retention requirements including PCI DSS. Healthcare records: ten to thirty years depending on jurisdiction. Defence contractor data covering export-controlled technical specifications: twenty-five to fifty years or longer. Government classified data: indefinite in some categories.
The critical insight: an adversary operating a Harvest Now, Decrypt Later (HNDL) programme is collecting ciphertext today. The Y variable measures how long that ciphertext must remain unreadable. If the data has a thirty-year confidentiality requirement and that requirement started two years ago, the remaining Y is twenty-eight years. That data is in the HNDL window now.
Variable Z: When Will a CRQC Exist?
Z is genuinely uncertain. The most widely cited peer-reviewed CRQC timeline estimate is Webber et al. (AVS Quantum Science, 2022), which analysed the physical qubit requirements for breaking RSA-2048 in one hour, with a lower-bound timeline consistent with approximately 2033 under optimistic hardware assumptions.
National policy positions are consistent with this range. NSA published CNSA 2.0 in September 2022 with required migration dates of 2030 to 2033. NIST IR 8547 (Initial Public Draft, November 2024) proposes disallowing classical asymmetric algorithms by 2035. For planning purposes, the credible lower bound for Z is approximately 2033.
Three Worked Examples
Example A: Mid-Size Financial Services Firm
| Variable | Value | Basis |
|---|---|---|
| X (migration time) | 4 years | Medium-complexity banking infrastructure |
| Y (data shelf life) | 10 years | Account data, transaction records, regulatory retention |
| X + Y | 14 years from 2026 = 2040 | |
| Z (CRQC timeline) | 7 years from 2026 = 2033 | Credible lower bound |
| Result | 14 > 7. Inequality triggered. | Act now. |
Example B: SaaS Company with Modern Cloud Infrastructure
| Variable | Value | Basis |
|---|---|---|
| X (migration time) | 2 years | Cloud-native, modern TLS libraries, minimal legacy |
| Y (data shelf life) | 3 years | Transactional SaaS data, short retention |
| X + Y | 5 years from 2026 = 2031 | |
| Z (CRQC timeline) | 7 years from 2026 = 2033 | Credible lower bound |
| Result | 5 < 7. Not yet triggered at base case Z. | Margin is thin. |
Example C: Defence Contractor Handling Long-Lived Technical Data
| Variable | Value | Basis |
|---|---|---|
| X (migration time) | 7 years | Complex OT/IT infrastructure, FIPS 140-3 dependencies, PKI migration |
| Y (data shelf life) | 30 years | Weapons system technical specifications, export-controlled data |
| X + Y | 37 years from 2026 = 2063 | |
| Z (CRQC timeline) | 7 years from 2026 = 2033 | Credible lower bound |
| Result | 37 >> 7. Severely triggered. | Migration is urgent. |
Answering the Objections
"Z is too uncertain to make decisions from." The inequality is robust to Z uncertainty in a specific direction. If Z proves to be later than 2033 and you started migration early, the cost is an earlier migration. If Z proves to be earlier and you have not started, the cost is data exposure with no recovery option. The downside of starting early is bounded. The downside of starting late is not.
"Our X is too hard to estimate." Start with a worst-case estimate. Use ten years if the programme could take anywhere from five to ten. Then commission the CBOM: the Phase 1 discovery exercise that produces a precise cryptographic inventory sharpens X considerably and is valuable regardless of the migration timeline.
"We don't have data with long Y." Most organisations have more long-retention data than their data classification policy explicitly identifies. Customer records subject to regulatory retention. Employee records. Contracts. Intellectual property. Historical financial data. Reviewing the data retention policy against the HNDL framework typically produces Y values higher than initial estimates.
"The CRQC risk window is speculative." NSA published CNSA 2.0 with required migration dates of 2030 to 2033. NIST IR 8547 proposes disallowing classical asymmetric algorithms by 2035. These are government policy positions with compliance consequences. The policy framework has moved; the compliance deadline is approaching regardless of the actual CRQC date.
Sensitivity Analysis
| Scenario | X | Y | Z (years from 2026) | X+Y | Triggered? |
|---|---|---|---|---|---|
| Optimistic | 3 years | 5 years | 10 | 8 | No |
| Base case | 5 years | 10 years | 7 | 15 | Yes (+8 years) |
| Pessimistic | 10 years | 30 years | 5 | 40 | Yes (+35 years) |
The optimistic scenario (not triggered) requires both short migration time and short data shelf life simultaneously. An organisation with a three-year migration capability and only five years of sensitive data retention is not a defence contractor, a financial institution, or a healthcare provider. Most organisations meet one of the optimistic conditions. Very few meet both.
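The three worked examples and the sensitivity table above, as an added calculator that is not part of the original article: it evaluates X + Y against Z for a 2026 baseline, reports how far behind an organisation already is, the latest year migration could have started, the year the CRQC would have to slip to for the inequality not to trigger, and orders a backlog by that margin. The remaining-Y adjustment from the HNDL section (thirty-year requirement, started two years ago) is included; the `MoscaInputs` structure and all function names are assumptions made for this example.

```python
from dataclasses import dataclass

PLANNING_YEAR = 2026   # baseline year used by the article's tables
Z_LOWER_BOUND = 2033   # credible CRQC lower bound, the article's planning assumption

@dataclass
class MoscaInputs:      # hypothetical container for one system or data category
    name: str
    x_years: int                 # migration programme lead time
    y_years: int                 # remaining confidentiality requirement of the data
    z_year: int = Z_LOWER_BOUND  # assumed CRQC year

def remaining_shelf_life(retention_years: int, created_year: int, now: int = PLANNING_YEAR) -> int:
    """Y counts from today, not from when the data was created (the 30-year, started-two-years-ago case)."""
    return max(0, retention_years - (now - created_year))

def evaluate(inp: MoscaInputs, now: int = PLANNING_YEAR) -> dict:
    z_years = inp.z_year - now
    total = inp.x_years + inp.y_years
    margin = z_years - total  # negative: the organisation is already behind by this many years
    return {
        "name": inp.name,
        "x_plus_y": total,
        "z_years": z_years,
        "triggered": total > z_years,
        "margin_years": margin,
        # Latest year migration could start and still finish before the data enters the risk window.
        "migration_start_deadline": now + margin,
        # Year the CRQC would have to slip to for the inequality not to trigger.
        "z_breakeven_year": now + total,
    }

def prioritise(systems: list[MoscaInputs]) -> list[str]:
    """Order the backlog so the systems furthest behind (largest X + Y relative to Z) come first."""
    return [r["name"] for r in sorted(map(evaluate, systems), key=lambda r: r["margin_years"])]

# The article's three worked examples (2026 baseline, Z = 2033), as constructed inputs.
EXAMPLES = [
    MoscaInputs("A: financial services", 4, 10),
    MoscaInputs("B: cloud SaaS", 2, 3),
    MoscaInputs("C: defence contractor", 7, 30),
]

if __name__ == "__main__":
    for result in map(evaluate, EXAMPLES):
        print(result)
    print(prioritise(EXAMPLES))
```

Feeding the sensitivity table's rows in as `MoscaInputs` with `z_year` set to 2036, 2033 and 2031 reproduces its "No", "+8" and "+35" results as margins of 2, -8 and -35.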
The Board Communication Template
The Mosca inequality is unusually effective for board communication because it uses plain language and concrete numbers. A recommended structure for a board slide or audit committee paper:
- State the migration time estimate (X) with its basis.
- State the data confidentiality requirement (Y), naming the most sensitive data categories.
- State the planning assumption for Z (approximately 2033, based on NSA CNSA 2.0 required dates and NIST IR 8547's proposed deprecation timeline).
- State whether X + Y exceeds Z.
- Recommend Phase 1 (cryptographic discovery), with a cost estimate, as the immediate action.
This template gives the board a decision framing with three definite numbers and a clear first action. The compliance dimension adds urgency: regardless of Z uncertainty, NIST IR 8547's 2035 deadline means an organisation with X greater than nine years faces a policy compliance crunch even without a CRQC.
What the Inequality Actually Tells You
The Mosca inequality does not predict when a CRQC will exist. It quantifies when your organisation's migration must be complete relative to that unknown date. For most organisations with significant data retention obligations, the inequality is already triggered.
Commission the CBOM. Use the HNDL risk calculator and the HNDL exposure calculator to prioritise the migration backlog by the systems where Y is longest and interception exposure is highest. Then bring the numbers to the board with the template above. QSECDEF professional membership includes structured access to workshops on Mosca framework application, CBOM methodology, and PQC programme sequencing.