Toward Quantum-Safe Software Engineering: A Vision for Post-Quantum Cryptography Migration
Lei Zhang
TL;DR
The paper addresses the practical challenge of migrating legacy software to post-quantum cryptography (PQC) by arguing that PQC adoption is a software engineering problem, not a mere library upgrade. It introduces Quantum-Safe Software Engineering (QSSE) and the Automated Quantum-safe Adaptation (AQuA) framework, detailing a three-pillar approach: PQC-aware detection, semantic refactoring, and hybrid verification. These pillars aim to enrich cryptographic inventories with code-level semantics, provide reusable migration patterns, and embed PQC-specific verification into CI/CD pipelines, enabling scalable, continuous assurance. The work emphasizes a shift from ad-hoc migrations to continuous, architecture-aware processes that address non-functional constraints like larger keys, probabilistic failure, and timing side-channel considerations, thereby facilitating safer, large-scale transitions in modern software ecosystems.
Abstract
The quantum threat to cybersecurity has accelerated the standardization of Post-Quantum Cryptography (PQC). Migrating legacy software to these quantum-safe algorithms is not a simple library swap, but a new software engineering challenge: existing vulnerability detection, refactoring, and testing tools are not designed for PQC's probabilistic behavior, side-channel sensitivity, and complex performance trade-offs. To address these challenges, this paper outlines a vision for a new class of tools and introduces the Automated Quantum-safe Adaptation (AQuA) framework, with a three-pillar agenda for PQC-aware detection, semantic refactoring, and hybrid verification, thereby motivating Quantum-Safe Software Engineering (QSSE) as a distinct research direction.
