Article
Most conversations about quantum risk get stuck on a single question: when will a quantum computer be able to break the encryption we use today? It is an understandable place to start. It is also, in my experience, the least productive one — because nobody can answer it with confidence, and the argument tends to consume the energy that should go into preparation.
There is a better question. And it has been sitting in plain sight, in the work of the cryptographer Michele Mosca, for more than a decade.
What Mosca’s inequality actually says
The idea is almost arithmetic, which is part of its power. It rests on three numbers.
The first is how long your data must remain confidential — call it X. The second is how long it will take your institution to migrate its systems to quantum-safe cryptography — call it Y. The third is how long until a cryptographically relevant quantum computer exists — call it Z.
Mosca’s observation is simply this: if X + Y > Z, you are already exposed. By the time encryption can be broken, you will neither have finished migrating, nor will your data have aged out of sensitivity. The protection runs out before the secret does.
Read it once more and notice what it does. It removes the need to win the argument about Z.
Why this reframing helps a Swiss banking audience
The Swiss regulatory environment has trained institutions to move carefully, deliberately, and in step with their supervisor. That discipline has served the industry well. For quantum security, however, the regulatory timeline and the threat timeline are not aligned — and the gap between them is where the real risk lives.
Mosca’s inequality is useful precisely because it is supervisor-friendly. It does not ask a board to accept a speculative date. It asks two questions an institution can actually answer about itself: how long must this data stay secret, and how long will we take to migrate? This boils down to one important question: by when can we be quantum-safe?
For a Swiss bank, the first number is often uncomfortably large. Wealth structures, custody records, M&A advisory instructions, correspondent banking flows — these carry legal and fiduciary weight not for three years but for decades. That is the heart of the “Harvest Now, Decrypt Later” problem: an adversary does not need Q-Day to begin. They can copy encrypted data today and simply wait for the decryption window to open, whenever it does. For an institution whose confidentiality obligations span a generation, harvested data loses none of its weight in the interval.
Where institutions underestimate Y
If X is large and largely fixed, the variable an institution can actually influence is Y — the time to migrate. And Y is almost always underestimated.
The reason is rarely the cryptography itself. The finalised NIST standards — FIPS 203, 204 and 205, published in August 2024 — give engineers well-defined algorithms to work with. The difficulty is everywhere else: in not knowing where cryptography lives across a sprawling estate, in third-party and vendor dependencies, in protocols that cannot simply be swapped without breaking interoperability with counterparties and market infrastructure.
The recent BIS Project Leap work is instructive here. When central banks and SWIFT tested post-quantum cryptography in a real payment-system setting, the algorithms worked — but they also surfaced performance and message-size issues that required meaningful redevelopment. That is Y in the real world. Migration is an operating programme, not a configuration change.
Y also cannot begin in earnest until an institution can see its own cryptographic estate. You cannot migrate what you cannot find. This is why a credible cryptographic inventory — the kind QuRisc Scout is built to produce — is not the glamorous part of the work, but it is the part that makes every later step possible.
What good looks like
Good, in my experience, is not a heroic sprint. It is an honest sum, calculated early. It is then a prudent appraisal of migration priority within budget constraints, followed by speedy execution.
It begins with X: a clear-eyed view, by data class, of how long confidentiality genuinely matters — a question the business, not only IT, must answer.
It continues with Y, grounded in an actual inventory rather than an optimistic estimate. Finding what to migrate, how, when, and to which new algorithm across your cryptographic asset estate is akin to finding needles in a haystack. Legacy, correlations and third-party dependencies further fog up decision-making. On top of it all, you need to convince stakeholders across business, finance and IT to align around a common objective view. This is exactly why we built QuRisc Atlas with our secret sauce: AI, hundreds of rules, and three industry-standard risk models.
And it treats Z not as a single date to be guessed, but as a forecast with a range — which is exactly how it should be modelled, with confidence intervals rather than false precision, and different estimates for different encryption types and strengths. QuRisc Augur exists to put discipline around that third number, so the first two can be weighed against something better than a headline.
None of this requires alarm. It requires arithmetic, done sooner rather than later.
The case for doing the sum now
The cost of waiting is accumulating — often faster than anticipated. Not because Q-Day has a confirmed date, but because X is long, Y is longer than most assume, and the harvesting that makes the whole equation urgent does not wait for permission.
FINMA expects institutions to manage their technological risks proactively, and the EU’s DORA framework now expects financial entities to monitor cryptographic threats, including those arising from quantum advances. Neither prescribes a precise quantum deadline. Mosca’s inequality offers something more useful than a deadline: a way to work out your own.
So I would gently put the same question to you that I put to the boards I speak with. Forget Q-Day’s date for a moment. What are you doing to compress your Y in the most cost- and time-efficient manner?
Author bio
Amit Agarwal is CEO and Co-Founder of SeQure AG, a Swiss quantum cybersecurity company helping banks and financial institutions identify, prioritise, and remediate cryptographic vulnerabilities before Q-Day. He brings 25+ years across software, SaaS, payments and FinTech — including 10+ years in global banking and financial services — and holds a quantum computing qualification from MIT’s executive education.
Call to action
If you would like to discuss your institution’s quantum security posture, we would welcome the conversation. Contact us at info@sequre.ch or visit www.sequre.ch.
Comments