Clarifying Mosca's Inequality Theorem - parallel vs additive


I wonder if anyone might have some insight into Mosca’s Inequality "Theorem". It states when users need to be worried about quantum computers factoring traditional cryptography.

Mosca’s theorem says, “We need to start worrying about the impact of quantum computers when the amount of time that we wish our data to be secure for (X) is added to the time it will take for our computer systems to transition from classical to post-quantum (Y) is greater than the time it will take for quantum computers to start breaking existing quantum-susceptible encryption protocols.” Or X + Y > Z.

I’m having a bit of a problem understanding it, and was hoping you might be able to help. I’m not sure why Y and X are additive. It seems to me that they could easily be concurrent.

For example, if X is 10 years and Y is 5 years and Z is 10 years…if I start now on Y, won’t I have the ability to fully protect my data in Y (i.e. in 5 years)?

Continuing my example, suppose I put a quantum-susceptible key around my critical data at 0 years. In 5 years (Y), I’ll be able to put a quantum-resistant key around that data. So in Y years my data is protected and we still have 5 years (time between Y and Z) to go.

A few people I've asked said that it is due to the fact that Z might equal a quantum adversary scooping up the data right from the start, and hence if Z is less than X, you have a problem. But I still don't understand why Y can't be or isn't parallel to X and Z?

Roger A. Grimes

Posted 2019-08-02T18:48:46.533

Daniel Burgarth finally got it through my thick head...anything saved up until the end of Y has to be saved for X years. So Y and X have to be cumulative. – Roger A. Grimes – 2019-08-03T16:44:59.720
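The point made in the comment above, worked through with the question's numbers (X = 10, Y = 5, Z = 10). This is an added example, not part of the original post; the function names are hypothetical, and it assumes an adversary who records quantum-susceptible ciphertext when it is created and can decrypt it from time Z onward, so re-encrypting at Y does not protect copies already captured.

```python
from dataclasses import dataclass


def years_exposed(t: float, x: float, z: float) -> float:
    """Years of required secrecy lost by a record first encrypted at time t.

    Assumption: the ciphertext is captured at creation and becomes readable
    at time z. The record needs secrecy over the interval [t, t + x].
    """
    return max(0.0, min(x, t + x - z))


@dataclass(frozen=True)
class MoscaResult:
    at_risk: bool            # Mosca's condition, x + y > z
    first_exposed_t: float   # records created after this time lose secrecy
    last_classical_t: float  # migration completes here (= y)
    worst_case_years: float  # exposure of the last classically encrypted record


def mosca(x: float, y: float, z: float) -> MoscaResult:
    """x: secrecy lifetime, y: migration time, z: time until quantum attacks."""
    if min(x, y, z) < 0:
        raise ValueError("x, y and z must be non-negative")
    # Anything saved up to the end of y is still classically encrypted and
    # must stay secret for x more years, so the last such record sets the bound.
    return MoscaResult(x + y > z, max(0.0, z - x), float(y), years_exposed(y, x, z))


def parallel_reading(x: float, y: float, z: float) -> bool:
    """The 'concurrent' intuition from the question: only max(x, y) matters."""
    return max(x, y) > z


if __name__ == "__main__":
    x, y, z = 10, 5, 10  # the numbers used in the question
    print(mosca(x, y, z))
    print("parallel reading says at risk:", parallel_reading(x, y, z))
    for t in range(0, y + 1):
        print(f"record created at year {t}: exposed for {years_exposed(t, x, z)} years")
```
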

No answers