Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration

Animesh Shaw

Abstract

The impending arrival of cryptographically relevant quantum computers (CRQCs) threatens the security foundations of modern software: Shor's algorithm breaks RSA, ECDSA, ECDH, and Diffie-Hellman, while Grover's algorithm reduces the effective security of symmetric and hash-based schemes. Despite NIST standardising post-quantum cryptography (PQC) in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), most codebases lack automated tooling to inventory classical cryptographic usage and prioritise migration based on quantum risk. We present Quantum-Safe Code Auditor, a quantum-aware static analysis framework that combines (i) regex-based detection of 15 classes of quantum-vulnerable primitives, (ii) LLM-assisted contextual enrichment to classify usage and severity, and (iii) risk scoring via a Variational Quantum Eigensolver (VQE) model implemented in Qiskit 2.x, incorporating qubit-cost estimates to prioritise findings. We evaluate the system across five open-source libraries -- python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java -- covering 5,775 findings. On a stratified sample of 602 labelled instances, we achieve 71.98% precision, 100% recall, and an F1 score of 83.71%. All code, data, and reproduction scripts are released as open-source.

Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration

Abstract

The impending arrival of cryptographically relevant quantum computers (CRQCs) threatens the security foundations of modern software: Shor's algorithm breaks RSA, ECDSA, ECDH, and Diffie-Hellman, while Grover's algorithm reduces the effective security of symmetric and hash-based schemes. Despite NIST standardising post-quantum cryptography (PQC) in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), most codebases lack automated tooling to inventory classical cryptographic usage and prioritise migration based on quantum risk. We present Quantum-Safe Code Auditor, a quantum-aware static analysis framework that combines (i) regex-based detection of 15 classes of quantum-vulnerable primitives, (ii) LLM-assisted contextual enrichment to classify usage and severity, and (iii) risk scoring via a Variational Quantum Eigensolver (VQE) model implemented in Qiskit 2.x, incorporating qubit-cost estimates to prioritise findings. We evaluate the system across five open-source libraries -- python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java -- covering 5,775 findings. On a stratified sample of 602 labelled instances, we achieve 71.98% precision, 100% recall, and an F1 score of 83.71%. All code, data, and reproduction scripts are released as open-source.

Paper Structure

This paper contains 45 sections, 2 equations, 2 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Contributions
  3. Background and Related Work
  4. Quantum Algorithms and Cryptographic Impact
  5. NIST PQC Standards
  6. Harvest-Now Decrypt-Later
  7. Related Tooling
  8. Threat Model
  9. Quantum adversary (Shor path).
  10. Quantum adversary (Grover path).
  11. HNDL adversary.
  12. Out of scope.
  13. System Architecture
  14. Stage 1 -- Regex Scanner
  15. Stage 2 -- LLM Enrichment
  16. ...and 30 more sections

Figures (2)

  • Figure 1: Quantum threat model. Left: Shor's algorithm targets asymmetric primitives (full break); Grover's algorithm weakens symmetric and hash primitives (partial break). Centre: affected algorithm classes detected by the tool. Right: the tool's four-stage response pipeline. Bottom: HNDL temporal risk timeline from CNSA 2.0 announcement (2022) to estimated CRQC availability (2030--2035).
  • Figure 2: Five-phase PQC migration lifecycle. The tool automates Phases 2 and 3 (Scan & Detect; Prioritise). Phase 1 (Inventory) uses existing SCA tooling; Phases 4--5 (Remediate; Validate) are performed by engineering teams using the tool's output as input.