Mosca's Theorem: The Formula Behind Post-Quantum Migration Urgency | LaMarr Labs

Resources

ADDIE LAMARR · APRIL 2026

FORMER USAF COMSEC SPECIALIST · FORMER FBI CISO ADVISOR · NIST HIGH VALUE ASSET POLICY CONTRIBUTOR

Mosca's Theorem is the foundational decision framework for post-quantum migration urgency. Formulated by Dr. Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo.

THE FORMULA

If X + Y > Z, start now.

Required confidentiality period

How long the data needs to remain secret

Migration timeline

How long a full cryptographic transition will take

Quantum window

How long until a cryptographically relevant quantum computer exists

X: Required Confidentiality Period

This is not the sensitivity label on the data today. It is the honest answer to: how long does this data need to remain undisclosed?

For most commercial data, X is short. For the categories that matter most in enterprise quantum risk assessments, X is long:

—Patient and genomic health data: required confidentiality extends decades; genomic data arguably has no expiration
—Financial records and archived client portfolios: regulatory retention combined with confidentiality obligations routinely extends 10 to 20 years
—Intellectual property and trade secrets: potentially indefinite
—Legal and privileged communications: often multi-decade
—Key material and authentication infrastructure with long operational lifespans

X must be applied per data category. The enterprise-wide estimate is the wrong unit of analysis. A payment processor with short transaction cycles operates in a different X environment than that same firm's archived client portfolio or its key management infrastructure.

Y: Migration Timeline

THE VARIABLE ORGANIZATIONS MOST CONSISTENTLY UNDERESTIMATE

Enterprise cryptographic migration is a multi-year program: inventory across all systems and vendor dependencies, risk prioritization, wave sequencing, vendor contract negotiation for externally controlled surfaces, procurement timelines, engineering implementation, testing, and verification.

For a typical enterprise environment with meaningful vendor dependency, Y ranges from 2 to 7 years. For environments with complex multi-jurisdiction deployments, regulated vendor relationships, or deeply embedded cryptographic dependencies, Y extends substantially further.

Organizations that arrive at a quantum risk advisory engagement believing Y is 12 to 18 months consistently discover two things during Pre-CBOM discovery: their cryptographic estate is substantially larger than their architecture documentation reflected, and a higher fraction of it is vendor-controlled than anticipated. Both factors extend Y.

Z: The Quantum Window

The range of credible estimates for when a cryptographically relevant quantum computer will exist runs from roughly 7 to 20 years. The US intelligence community, NIST, and the academic consensus all acknowledge significant uncertainty in this range.

NSA's publication of CNSA 2.0 transition requirements, with explicit migration milestones beginning before 2030, is a policy signal about how seriously the national security establishment treats the nearer end of the Z range.

For operational planning, organizations should not plan to the median Z estimate. They should plan to the timeline under which the consequences, if that estimate proved correct, would be most severe. A Z of 10 years combined with a Y of 6 years and an X of 8 years leaves no margin.

Why This Framework Changes the Conversation

The standard pre-Mosca framing: “Quantum computers will eventually break encryption. Begin preparing when the timeline becomes clearer.”

Mosca's Theorem reframes the question entirely. The relevant question is not “when will quantum computers arrive?” It is “given how long this data needs to remain secret and how long a migration will actually take, do I need to start now?”

For organizations with significant volumes of long-lived sensitive data and substantial vendor-controlled cryptographic surfaces, the honest answer, when X and Y are calculated with rigor, is that they are already inside the risk window.

If X and Y have not been calculated with rigor for your highest-exposure data categories, that is the starting point for a structured conversation.

Request an Initial Briefing →

How This Is Applied in Practice

Mosca's Theorem is a classification tool, not a single enterprise-wide calculation. Applied correctly, it produces a prioritized risk register with different urgency levels per data category and cryptographic system.

The prerequisite is evidence-grade inventory. Mosca's Theorem applied to assumed inventory produces urgency scores that are plausible but wrong. The calculation requires knowing, per system and per data category, what asymmetric encryption is verifiably present and what the honest data longevity profile is.

In the LaMarr Labs methodology, Mosca's Theorem is applied as part of the HNDL risk assessment phase, after Pre-CBOM discovery has established a cryptographic inventory with explicit Evidence Confidence per record. The output is a risk register with Mosca calculations per system and data category — defensible in an audit, not just presentable in a meeting.

4f 70 65 6e 20 74 68 65 20 64 6f 6f 72 20 74 6f 20 74 68 65 20 66 75 74 75 72 65 20 51 75 61 6e 74 75 6d 20 63 6f 6d 70 75 74 69 6e 67 20 77 69 6c 6c 20 72 65 64 65 66 69 6e 65 20 77 68 61 74 20 69 74 20 6d 65 61 6e 73 20 74 6f 20 62 65 20 73 65 63 75 72 65 20 4e 6f 20 73 65 63 72 65 74 20 69 73 20 70 65 72 6d 61 6e 65 6e 74 20 45 76 65 72 79 20 6c 6f 63 6b 20 77 61 73 20 62 75 69 6c 74 20 77 69 74 68 20 74 68 65 20 74 6f 6f 6c 73 20 6f 66 20 69 74 73 20 74 69 6d 65 4f 70 65 6e 20 74 68 65 20 64 6f 6f 72 20 74 6f 20 74 68 65 20 66 75 74 75 72 65 20 51 75 61 6e 74 75 6d 20 63 6f 6d 70 75 74 69 6e 67 20 77 69 6c 6c 20 72 65 64 65 66 69 6e 65 20 77 68 61 74 20 69 74 20 6d 65 61 6e 73 20 74 6f 20 62 65 20 73 65 63 75 72 65 20 4e 6f 20 73 65 63 72 65 74 20 69 73 20 70 65 72 6d 61 6e 65 6e 74 20 45 76 65 72 79 20 6c 6f 63 6b 20 77 61 73 20 62 75 69 6c 74 20 77 69 74 68 20 74 68 65 20 74 6f 6f 6c 73 20 6f 66 20 69 74 73 20 74 69 6d 65 4f 70 65 6e 20 74 68 65 20 64 6f 6f 72 20 74 6f 20 74 68 65 20 66 75 74 75 72 65 20 51 75 61 6e 74 75 6d 20 63 6f 6d 70 75 74 69 6e 67 20 77 69 6c 6c 20 72 65 64 65 66 69 6e 65 20 77 68 61 74 20 69 74 20 6d 65 61 6e 73 20 74 6f 20 62 65 20 73 65 63 75 72 65 20 4e 6f 20 73 65 63 72 65 74 20 69 73 20 70 65 72 6d 61 6e 65 6e 74 20 45 76 65 72 79 20 6c 6f 63 6b 20 77 61 73 20 62 75 69 6c 74 20 77 69 74 68 20 74 68 65 20 74 6f 6f 6c 73 20 6f 66 20 69 74 73 20 74 69 6d 65 4f 70 65 6e 20 74 68 65 20 64 6f 6f 72 20 74 6f 20 74 68 65 20 66 75 74 75 72 65 20 51 75 61 6e 74 75 6d 20 63 6f 6d 70 75 74 69 6e 67 20 77 69 6c 6c 20 72 65 64 65 66 69 6e 65 20 77 68 61 74 20 69 74 20 6d 65 61 6e 73 20 74 6f 20 62 65 20 73 65 63 75 72 65 20 4e 6f 20 73 65 63 72 65 74 20 69 73 20 70 65 72 6d 61 6e 65 6e 74 20 45 76 65 72 79 20 6c 6f 63 6b 20 77 61 73 20 62 75 69 6c 74 20 77 69 74 68 20 74 68 65 20 74 6f 6f 6c 73 20 6f 66 20 69 74 73 20 74 69 6d 65 

If this framework is informing a board briefing, regulatory response, or an internal assessment, the structured conversation that follows begins here.

Request an Initial Briefing

30 minutes · mutual qualification

Harvest-Now-Decrypt-Later Post-Quantum Cryptography for CISOs The QRMF Methodology