Quantum exposure · Mosca’s inequality

Will your secrets outlive your migration?

Three inputs decide whether quantum is a fire to fight now or a programme to schedule. The verdict bands come from published expert probability, not a single guessed date.

X How long to migrate to post-quantum crypto? 3 years

A realistic full migration: inventory through cutover. Government roadmaps (NSM-10, CNSA 2.0) assume multi-year programmes, so most organisations underestimate this.

Y How long must this data stay confidential? 7 years

The shelf life of your longest-lived secret in this category. Use a retention preset or set your own.

Z When might a code-breaking quantum computer arrive?

Z is a forecast, not a fact. These stances map to the Global Risk Institute 2024 expert survey: the probability of a machine able to break RSA-2048 reaches roughly a third by 2034 and around even odds by 2037.


How the verdict is calibrated

The rule is Mosca’s inequality: if migration time X plus confidentiality life Y runs past the year a code-breaking quantum computer arrives Z (today + X + Y > Z), data created today is already at risk. It must stay secret beyond the point its protection fails, and an adversary who records the ciphertext now only has to wait for the machine.

Rather than soften that with an arbitrary safety margin, the bands track expert probability. Keep today + X + Y inside the year by which the probability of such a machine is already material (around 2034) and the work is a roadmap item. Run past it and you are betting against odds the experts now take seriously; run past the year a code-breaking machine is more likely than not (around 2037) and, on the published numbers, the bet is already lost.
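The calibration above, as an added worked example (not the page's own code): X, Y, Z and the 2034/2037 thresholds are the page's; the band names, the "slack" figure and the "largest migration time that stays in the roadmap band" figure are additions of this example, and the sample inputs are the page's defaults from a 2025 start.

```python
"""Mosca's inequality as the page applies it: an added example, not the page's
own code. X, Y, Z and the 2034/2037 thresholds are the page's; the band names,
the slack figure and the max-migration figure are additions of this example."""
from dataclasses import dataclass

Z_MATERIAL = 2034   # year the probability of breaking RSA-2048 is roughly one third (page)
Z_EVEN_ODDS = 2037  # year that probability is roughly one half (page)


def mosca_at_risk(x_years: float, y_years: float, z_year: float, now_year: float) -> bool:
    """Mosca's inequality: data created in now_year is at risk when now + X + Y > Z."""
    return now_year + x_years + y_years > z_year


@dataclass(frozen=True)
class Verdict:
    band: str                   # "roadmap" | "exposed" | "at_risk" (labels assumed here)
    end_year: float             # last year a secret created now still needs protecting
    slack_years: float          # years to spare before Z_EVEN_ODDS; negative is an overrun
    max_migration_years: float  # largest X that keeps the secret inside Z_MATERIAL


def mosca_verdict(x_years, y_years, now_year, z_material=Z_MATERIAL, z_even=Z_EVEN_ODDS):
    """Band the inputs by the two expert-probability thresholds rather than one date."""
    if x_years < 0 or y_years < 0:
        raise ValueError("X and Y are durations and cannot be negative")
    if z_material > z_even:
        raise ValueError("the 'material' year cannot fall after the 'even odds' year")
    end_year = now_year + x_years + y_years
    if not mosca_at_risk(x_years, y_years, z_material, now_year):
        band = "roadmap"   # secret expires before the odds are even material
    elif not mosca_at_risk(x_years, y_years, z_even, now_year):
        band = "exposed"   # betting against a roughly one-in-three chance
    else:
        band = "at_risk"   # more likely than not broken while still secret
    return Verdict(band, end_year, z_even - end_year,
                   max(0, z_material - now_year - y_years))


if __name__ == "__main__":
    # The page's defaults (X = 3, Y = 7) plus a short-lived and a long-lived secret, from 2025.
    for x, y in ((3, 7), (3, 2), (3, 12)):
        v = mosca_verdict(x, y, 2025)
        print(f"X={x} Y={y}: {v.band:8} protection needed until {v.end_year}, "
              f"slack {v.slack_years:+} years, X must be at most {v.max_migration_years} "
              f"to stay in the roadmap band")
```

The last figure is the one to carry into planning: with a seven-year shelf life and a 2025 start, a migration that takes longer than two years already leaves the roadmap band, which is why the page calls a three-year programme "realistic" rather than comfortable.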

What “migration” actually means

Migration is mostly replacing the asymmetric cryptography that quantum breaks. It is not the same as moving to AES-256, which is a smaller, separate adjustment. These two tables separate the real work from the easy part.

1. The real work: replace asymmetric crypto (broken by Shor’s algorithm)

Job                  Replace                              With (NIST standard)   Sensible level
Key exchange         RSA, ECDH                            ML-KEM (FIPS 203)      ML-KEM-768 general; ML-KEM-1024 high assurance
Signatures           RSA, ECDSA                           ML-DSA (FIPS 204)      ML-DSA-65 enterprise; ML-DSA-87 national security systems
Signatures (backup)  where algorithm diversity is wanted  SLH-DSA (FIPS 205)     conservative hash-based alternative

Source: NIST FIPS 203, 204, 205 (August 2024); CNSA 2.0 parameter requirements.

2. The easy part: adjust symmetric crypto (only weakened by Grover’s algorithm)

In use    Action                            Why
AES-256   Keep                              Retains roughly 128-bit security against Grover's search. No change needed.
AES-128   Move to AES-256                   Grover halves the nominal strength to roughly 64-bit. Longer key, same algorithm.
SHA-256   SHA-384 for long-term assurance   Weakened, not broken. Longer hash for data that must last.

The halving is the textbook bound, not a practical attack cost: Grover's search is inherently sequential, so breaking AES-128 would take far more than 2^64 effective operations, and NIST's post-quantum security categories still rate AES-128 key search as Category 1. Treat the move to AES-256 as cheap insurance for long-lived data, not as the emergency.

Source: NIST PQC guidance; security levels account for Grover’s algorithm.

Can you actually start now?

For the most part, yes. Cryptographic inventory can start at once, and hybrid key exchange (X25519 combined with ML-KEM, the X25519MLKEM768 group) ships today in OpenSSL 3.5 and on Cloudflare's edge, so the harvest-now-decrypt-later exposure of TLS traffic is the first thing you can close. ML-DSA certificate issuance is available for private PKI: AWS Private CA, Microsoft AD CS and DigiCert all support it as of late 2025. The remaining gap is the public web PKI, where browsers and the CA/Browser Forum have not yet adopted ML-DSA for public TLS certificates. Plan the public-facing certificate cutover around that ecosystem step; everything else can begin now.
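Putting the two tables and the readiness notes together, as an added example (not the page's own code): a triage over a constructed inventory. The record layout, the "general"/"high" tier names and the priority numbers are assumptions of this example. It also carries one step the tables leave implicit, generalising Mosca's inequality by role: key exchange that guards long-lived data is exposed to harvest-now, decrypt-later, so Y counts against its deadline; a signature only becomes forgeable once a machine exists, so only the migration time X counts for it.

```python
"""Inventory triage against the page's two tables: an added example, not the
page's own code. The inventory is constructed; record layout, tier names and
priority numbers are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional

Z_MATERIAL = 2034  # page: year the probability of a code-breaking machine is material

SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "EdDSA"}  # EdDSA assumed: same family as ECDSA
ASYMMETRIC = {  # table 1: replacement by role and assurance tier
    "kex": {"general": "ML-KEM-768 (FIPS 203)", "high": "ML-KEM-1024 (FIPS 203)"},
    "sig": {"general": "ML-DSA-65 (FIPS 204)", "high": "ML-DSA-87 (FIPS 204)"},
}
SYMMETRIC = {  # table 2: action by primitive in use
    "AES-256": "keep",
    "AES-128": "move to AES-256",
    "SHA-256": "SHA-384 for long-term assurance",
    "SHA-384": "keep",  # assumed: already at the length the table recommends
}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    role: str                  # "kex" | "sig" | "sym"
    retention_years: int       # Y for the data this asset protects
    tier: str = "general"      # "general" | "high" (CNSA 2.0 / national security)
    pki: Optional[str] = None  # "public" | "private" for certificate-backed assets


@dataclass(frozen=True)
class Action:
    priority: int              # 1 = act now, 2 = schedule, 3 = signature work, 4 = routine
    asset: str
    action: str


def triage(asset: Asset, x_years: int, now_year: int, z_year: int = Z_MATERIAL) -> Action:
    if asset.algorithm in SHOR_BROKEN:
        if asset.role not in ASYMMETRIC:
            raise ValueError(f"{asset.name}: {asset.algorithm} cannot have role {asset.role!r}")
        replacement = ASYMMETRIC[asset.role][asset.tier]
        if asset.role == "kex":
            # Confidentiality: ciphertext recorded today is readable once a machine exists,
            # so Mosca's full inequality now + X + Y > Z applies.
            if now_year + x_years + asset.retention_years > z_year:
                return Action(1, asset.name, f"replace now: hybrid key exchange with {replacement}")
            return Action(2, asset.name, f"schedule: {replacement} before {z_year - asset.retention_years}")
        # Signatures: a key recovered by a future machine lets an attacker forge from that
        # day on, not retroactively, so the deadline is finishing migration (now + X) first.
        if asset.pki == "public":
            return Action(3, asset.name,
                          f"blocked on public web PKI: plan {replacement} around browser and CA/B Forum adoption")
        late = now_year + x_years > z_year
        via = " via private CA" if asset.pki == "private" else ""
        return Action(1 if late else 3, asset.name,
                      f"{'replace now' if late else 'schedule'}: {replacement}{via}")
    if asset.algorithm not in SYMMETRIC:
        raise ValueError(f"{asset.name}: {asset.algorithm} is not covered by the tables above")
    return Action(4, asset.name, SYMMETRIC[asset.algorithm])


def triage_inventory(assets: List[Asset], x_years: int, now_year: int,
                     z_year: int = Z_MATERIAL) -> List[Action]:
    """Worklist ordered by priority, then name, so the report is stable."""
    return sorted((triage(a, x_years, now_year, z_year) for a in assets),
                  key=lambda a: (a.priority, a.asset))


INVENTORY = [  # constructed sample inventory for this example
    Asset("vpn-tunnels", "ECDH", "kex", retention_years=7),
    Asset("api-tls", "ECDH", "kex", retention_years=0),
    Asset("nss-link", "ECDH", "kex", retention_years=20, tier="high"),
    Asset("public-web-cert", "ECDSA", "sig", retention_years=1, pki="public"),
    Asset("code-signing", "RSA", "sig", retention_years=10, pki="private"),
    Asset("backup-archive", "AES-128", "sym", retention_years=10),
    Asset("db-at-rest", "AES-256", "sym", retention_years=7),
]

if __name__ == "__main__":
    for act in triage_inventory(INVENTORY, x_years=3, now_year=2025):
        print(f"P{act.priority} {act.asset:16} {act.action}")
```

With the page's three-year migration from 2025, the worklist puts the two long-retention key exchanges first, the short-lived API traffic on a schedule, the private-CA signatures behind them, the public certificate on hold pending the ecosystem, and the symmetric changes last. Stretch X to twelve years and the code-signing entry jumps to priority 1, because migration would no longer finish before the material-probability year.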

Sources: Mosca & Piani, Global Risk Institute Quantum Threat Timeline Report 2024 (Z probabilities). NSA 2021 and UK NCSC 2023 Annual Review on adversaries harvesting encrypted data now to decrypt later. NIST FIPS 203/204/205 (August 2024). CA readiness: AWS Private CA, Microsoft AD CS, DigiCert (2025).

Private by design. No sign-up, no email, no company details. Every figure stays in your browser and nothing is sent anywhere.

This is a directional guide, not a substitute for professional advice. It gives an indicator from three inputs and makes simplifying assumptions; it cannot weigh every factor in your specific environment. Use it to frame the decision, then seek expert assessment before acting.