[Paper] Toward Quantum-Safe Software Engineering: A Vision for Post-Quantum Cryptography Migration

Source: arXiv - 2602.05759v1

Overview

The paper sketches a roadmap for Quantum‑Safe Software Engineering (QSSE), arguing that moving existing codebases to post‑quantum cryptography (PQC) is far more than swapping out a crypto library. Because PQC algorithms behave probabilistically, have different side‑channel footprints, and impose new performance constraints, the authors propose a dedicated tooling ecosystem—Automated Quantum‑safe Adaptation (AQuA)—to help developers detect, refactor, and verify PQC‑enabled software safely and efficiently.

Key Contributions

• Vision of QSSE: Positions quantum‑safe migration as a first‑class software‑engineering problem, distinct from traditional cryptographic updates.
• AQuA Framework: Introduces a three‑pillar architecture for (1) PQC‑aware vulnerability detection, (2) semantic‑preserving refactoring, and (3) hybrid verification (static + dynamic).
• Design Patterns & Taxonomy: Provides a taxonomy of PQC‑specific code smells (e.g., nondeterministic API misuse, side‑channel‑prone parameter choices) and associated mitigation patterns.
• Roadmap & Research Agenda: Outlines concrete research questions and prototype milestones needed to bring QSSE tools from concept to practice.

Methodology

The authors adopt a vision‑driven, prototype‑centric approach:

1. Problem Scoping – Surveyed existing static analysis, fuzzing, and testing tools to pinpoint gaps when applied to PQC primitives (e.g., lattice‑based key‑encapsulation mechanisms).
2. PQC‑Aware Threat Model – Extended traditional threat models to include probabilistic output, timing variance, and memory‑access patterns unique to PQC.
3. Three‑Pillar Blueprint
   • Detection: Extends abstract‑syntax‑tree (AST) analysis with PQC‑specific data‑flow rules (e.g., tracking randomness sources, key‑size constraints).
   • Refactoring: Defines transformation rules that preserve functional semantics while swapping classic primitives for PQC equivalents, handling API mismatches automatically.
   • Hybrid Verification: Combines static proofs (e.g., type‑level guarantees) with runtime monitoring (e.g., statistical checks on ciphertext distribution) to catch subtle regressions.
4. Proof‑of‑Concept Prototypes – Implemented lightweight plugins for popular IDEs (VS Code, IntelliJ) and a command‑line AQuA driver to demonstrate end‑to‑end migration on a small open‑source TLS library.

The methodology is deliberately high‑level, focusing on architectural concepts rather than low‑level algorithmic details, making it approachable for developers unfamiliar with formal methods.

Results & Findings

• Detection Coverage: The prototype identified ≈ 42 % more PQC‑related security smells in the test suite than a baseline static analyzer, especially around misuse of randomness and key‑size mismatches.
• Refactoring Success Rate: Automated transformations produced functional equivalence in 94 % of cases, with only manual tweaks needed for edge‑case API mismatches (e.g., custom KEM wrappers).
• Performance Overhead: Hybrid verification added an average 8 % runtime overhead during testing, deemed acceptable for pre‑release quality gates.
• Developer Feedback: Early adopters reported a 30 % reduction in time spent manually auditing PQC migrations, highlighting the value of integrated detection + refactoring suggestions.

These findings suggest that a dedicated QSSE toolchain can materially reduce the friction of PQC adoption without sacrificing security guarantees.

Practical Implications

• Accelerated PQC Migration: Organizations can integrate AQuA‑style plugins into CI pipelines to automatically flag and fix quantum‑unsafe code before release.
• Risk‑Based Prioritization: By surfacing PQC‑specific code smells, security teams can focus manual reviews on the most vulnerable hotspots, optimizing audit resources.
• Compliance & Standards: The framework aligns with emerging NIST PQC standards, helping firms demonstrate “quantum‑ready” compliance to regulators and customers.
• Developer Experience: Embedding PQC‑aware suggestions directly into IDEs lowers the learning curve for developers unfamiliar with lattice‑based or code‑based schemes.
• Ecosystem Growth: Open‑source extensions of AQuA could spawn a marketplace of PQC‑aware linters, refactoring scripts, and verification harnesses, fostering a community around QSSE.

Limitations & Future Work

• Prototype Scope: Current implementations target a narrow set of PQC primitives (e.g., Kyber, Dilithium) and a single language (C/C++). Broader language support and algorithm coverage are needed.
• Performance Trade‑offs: While verification overhead is modest, scaling to large codebases (e.g., enterprise microservices) may require more efficient instrumentation.
• Side‑Channel Modeling: Fully automated detection of side‑channel vulnerabilities remains an open challenge; future work will explore hardware‑aware profiling.
• Human‑In‑the‑Loop: Some refactorings still need developer judgment, especially when legacy code uses custom cryptographic protocols. Enhancing the tool’s explainability is a priority.

Addressing these gaps will help evolve the QSSE vision from a research concept into a production‑grade toolkit that enables the software industry to transition safely into the post‑quantum era.

Authors

• Lei Zhang

Paper Information

• arXiv ID: 2602.05759v1
• Categories: cs.SE, cs.CR
• Published: February 5, 2026
• PDF: Download PDF