arxiv: 2602.05759 · v2 · submitted 2026-02-05 · 💻 cs.SE · cs.CR

Toward Quantum-Safe Software Engineering: A Vision for Post-Quantum Cryptography Migration

Pith reviewed 2026-05-16 07:07 UTC · model grok-4.3

classification 💻 cs.SE cs.CR
keywords post-quantum cryptography · software migration · quantum-safe engineering · cryptography refactoring · legacy systems · PQC detection · hybrid verification · AQuA framework

The pith

Migrating legacy software to post-quantum cryptography requires specialized tools for detection, refactoring, and verification instead of simple library swaps.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper argues that the transition to post-quantum cryptography creates software engineering problems that standard tools cannot solve. Current vulnerability scanners, code changers, and testers are built for deterministic algorithms and do not address the new methods' random outputs, exposure to side-channel leaks, and shifting performance costs. The authors present the Automated Quantum-safe Adaptation framework as a structured response. Its three pillars are PQC-aware detection to locate cryptographic code, semantic refactoring to adapt it without breaking meaning, and hybrid verification to confirm both old and new components work together. This leads to the proposal that Quantum-Safe Software Engineering should be treated as its own research area focused on systematic migration of existing systems.

Core claim

The central claim is that post-quantum cryptography migration is a distinct software engineering task because existing tools are mismatched to PQC's probabilistic behavior, side-channel sensitivity, and performance trade-offs, and the Automated Quantum-safe Adaptation framework supplies a three-pillar agenda of PQC-aware detection, semantic refactoring, and hybrid verification to address it.

What carries the argument

The Automated Quantum-safe Adaptation (AQuA) framework, which organizes migration into PQC-aware detection for locating cryptographic usage, semantic refactoring for structural code adaptation, and hybrid verification for mixed-system correctness.

If this is right

  • Organizations maintaining large codebases will require automated scanners that specifically flag quantum-vulnerable cryptographic calls.
  • Code modification processes must incorporate semantic checks to handle differing interfaces and failure modes between classical and post-quantum primitives.
  • Testing regimes will need to combine classical correctness checks with quantum-resistant security analysis in the same pipeline.
  • Software maintenance standards will expand to treat quantum threat readiness as an ongoing requirement rather than a one-time update.
  • Development environments will incorporate hybrid verification steps to catch interactions between old and new cryptographic components.
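
A minimal sketch of the scanner the first bullet calls for, added here as an illustration (it is not code from the paper or from Pith, and AQuA has no published implementation). It assumes Python sources that use the pyca/cryptography package; the `VULNERABLE` table and its role labels are this example's own choices. Calls are matched on their import-resolved name, so an aliased import is caught and a look-alike local helper is not.

```python
import ast

# Quantum-vulnerable key generation in pyca/cryptography -> role to be replaced.
BASE = "cryptography.hazmat.primitives.asymmetric."
VULNERABLE = {
    BASE + "rsa.generate_private_key": "signature or key transport",
    BASE + "ec.generate_private_key": "signature or key agreement",
    BASE + "dh.generate_parameters": "key agreement",
    BASE + "x25519.X25519PrivateKey.generate": "key agreement",
    BASE + "ed25519.Ed25519PrivateKey.generate": "signature",
}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def scan(source):
    """Return sorted (line, qualified_call, role) tuples for vulnerable calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified module or object it is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = node.module + "." + a.name
    findings = []
    for node in ast.walk(tree):
        name = dotted(node.func) if isinstance(node, ast.Call) else None
        if name:
            head, _, rest = name.partition(".")
            full = aliases.get(head, head) + ("." + rest if rest else "")
            if full in VULNERABLE:  # matched on resolved name, not on spelling
                findings.append((node.lineno, full, VULNERABLE[full]))
    return sorted(findings)

# Constructed sample input: two real findings and one look-alike local call.
SAMPLE = '''\
from cryptography.hazmat.primitives.asymmetric import rsa as r
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
signing_key = r.generate_private_key(public_exponent=65537, key_size=3072)
session_key = X25519PrivateKey.generate()
local_key = wallet.generate_private_key()  # unrelated project helper
'''
print(scan(SAMPLE))
```

The role column is what a refactoring step would consume: a key-agreement finding needs a KEM-shaped replacement with a different call interface, while a signature finding needs a signature scheme.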

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Widespread use of AQuA-style tools could reduce migration costs for regulated industries that must meet future quantum-safety mandates.
  • Embedding PQC detection into common build and IDE systems would make quantum readiness a routine part of development rather than a separate project.
  • Lessons from handling probabilistic cryptographic behavior may apply to other software domains that manage uncertainty or physical leakage.
  • The emphasis on side-channel awareness points toward tighter coupling between software refactoring and hardware security features in future toolchains.

Load-bearing premise

Existing vulnerability detection, refactoring, and testing tools are fundamentally unsuited to the probabilistic outputs, side-channel risks, and performance variations of post-quantum algorithms.

What would settle it

A demonstration that unmodified current tools can fully migrate and verify a large legacy codebase to post-quantum algorithms while preserving security guarantees and acceptable performance would show the new framework is unnecessary.

Figures

Figures reproduced from arXiv: 2602.05759 by Lei Zhang.

Figure 1: The AQuA Framework: An integrated pipeline for PQC migration, consisting of PQC-aware detection, semantic

Original abstract

The quantum threat to cybersecurity has accelerated the standardization of Post-Quantum Cryptography (PQC). Migrating legacy software to these quantum-safe algorithms is not a simple library swap, but a new software engineering challenge: existing vulnerability detection, refactoring, and testing tools are not designed for PQC's probabilistic behavior, side-channel sensitivity, and complex performance trade-offs. To address these challenges, this paper outlines a vision for a new class of tools and introduces the Automated Quantum-safe Adaptation (AQuA) framework, with a three-pillar agenda for PQC-aware detection, semantic refactoring, and hybrid verification, thereby motivating Quantum-Safe Software Engineering (QSSE) as a distinct research direction.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper claims that migrating legacy software to Post-Quantum Cryptography (PQC) constitutes a distinct software engineering challenge beyond simple library replacement, because existing vulnerability detection, refactoring, and testing tools are unsuited to PQC's probabilistic behavior, side-channel sensitivity, and performance trade-offs. It introduces the Automated Quantum-safe Adaptation (AQuA) framework organized around a three-pillar agenda (PQC-aware detection, semantic refactoring, and hybrid verification) and positions Quantum-Safe Software Engineering (QSSE) as a new research direction.

Significance. If the motivating premises are substantiated, the paper could usefully orient the software engineering community toward an emerging intersection of cryptography migration and tool-supported refactoring. As a vision piece it supplies a concrete three-pillar agenda that could seed empirical studies and tool prototypes; its value lies in framing rather than in any demonstrated technical result.

major comments (1)
  1. [Abstract] Abstract: the assertion that 'existing vulnerability detection, refactoring, and testing tools are not designed for PQC's probabilistic behavior, side-channel sensitivity, and complex performance trade-offs' is presented without any cited evidence, failure-mode analysis, or concrete example. Because this premise is the sole justification for introducing AQuA and QSSE, the lack of grounding is load-bearing for the central claim.
minor comments (1)
  1. The manuscript would be strengthened by adding even one brief illustrative scenario (e.g., a specific PQC algorithm and a current tool's documented limitation) to make the three-pillar agenda more actionable for readers.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the careful reading and constructive feedback on our vision paper. We agree that the central premise requires stronger grounding and will revise the manuscript accordingly to address the concern while preserving the paper's framing as a forward-looking research agenda.

  1. Referee: [Abstract] Abstract: the assertion that 'existing vulnerability detection, refactoring, and testing tools are not designed for PQC's probabilistic behavior, side-channel sensitivity, and complex performance trade-offs' is presented without any cited evidence, failure-mode analysis, or concrete example. Because this premise is the sole justification for introducing AQuA and QSSE, the lack of grounding is load-bearing for the central claim.

    Authors: We acknowledge that the abstract presents this claim without explicit citations or examples, which weakens its grounding. As a vision paper, the assertion draws from well-documented properties of PQC algorithms (e.g., lattice-based schemes' sensitivity to timing and power side-channels, as well as the performance variability introduced by rejection sampling and hybrid modes), but we agree these should be illustrated explicitly. In the revised version we will (1) add 2-3 concrete examples in the abstract and introduction (such as the failure of standard taint-analysis tools to detect PQC-specific leakage in Kyber or the inability of existing performance profilers to model the variable runtime of Dilithium), (2) include supporting references to recent studies on PQC migration overheads and side-channel analyses, and (3) briefly outline why conventional refactoring tools fall short on probabilistic failure modes. These additions will strengthen the justification for AQuA and QSSE without changing the paper's visionary character.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity

The paper is a forward-looking vision statement that motivates Quantum-Safe Software Engineering by describing challenges in PQC migration and proposing a high-level AQuA framework with three pillars. It contains no equations, derivations, fitted parameters, predictions, or technical results that could reduce to their own inputs. No self-citations are used to justify uniqueness theorems or load-bearing premises, and the argument rests on stated differences between PQC and classical cryptography rather than any self-referential construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The paper rests on domain assumptions about PQC properties and introduces a new named framework without independent evidence or implementation.

axioms (1)
  • domain assumption: Existing vulnerability detection, refactoring, and testing tools are not designed for PQC's probabilistic behavior, side-channel sensitivity, and complex performance trade-offs.
    This premise is stated directly in the abstract as the core motivation for the vision.
invented entities (1)
  • AQuA framework (no independent evidence)
    purpose: To organize a three-pillar agenda of PQC-aware detection, semantic refactoring, and hybrid verification for quantum-safe software migration.
    Newly introduced conceptual framework without code, validation, or external evidence of effectiveness.

pith-pipeline@v0.9.0 · 5403 in / 1214 out tokens · 41240 ms · 2026-05-16T07:07:51.921096+00:00 · methodology
