Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration
Abstract: The impending arrival of cryptographically relevant quantum computers (CRQCs) threatens the security foundations of modern software: Shor's algorithm breaks RSA, ECDSA, ECDH, and Diffie-Hellman, while Grover's algorithm reduces the effective security of symmetric and hash-based schemes. Despite NIST standardising post-quantum cryptography (PQC) in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), most codebases lack automated tooling to inventory classical cryptographic usage and prioritise migration based on quantum risk. We present Quantum-Safe Code Auditor, a quantum-aware static analysis framework that combines (i) regex-based detection of 15 classes of quantum-vulnerable primitives, (ii) LLM-assisted contextual enrichment to classify usage and severity, and (iii) risk scoring via a Variational Quantum Eigensolver (VQE) model implemented in Qiskit 2.x, incorporating qubit-cost estimates to prioritise findings. We evaluate the system across five open-source libraries -- python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java -- covering 5,775 findings. On a stratified sample of 602 labelled instances, we achieve 71.98% precision, 100% recall, and an F1 score of 83.71%. All code, data, and reproduction scripts are released as open-source.
Comments: 13 pages, 2 figures. Code and evaluation data: this https URL
Subjects: Cryptography and Security (cs.CR); Software Engineering (cs.SE); Quantum Physics (quant-ph)
ACM classes: D.2.5; E.3; K.6.5
Cite as: arXiv:2604.00560 [cs.CR]
(or arXiv:2604.00560v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2604.00560
arXiv-issued DOI via DataCite (pending registration)
Submission history
From: Animesh Shaw
[v1] Wed, 1 Apr 2026 07:10:17 UTC (141 KB)
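
An added example, not code from the paper or its released tool: a minimal regex inventory pass in the spirit of stage (i) of the abstract, tagging each hit with the Shor or Grover category and a FIPS 203/204/205 migration target. The rule set, the `SAMPLE` input, the comment heuristic and the `prioritise` ordering are assumptions; the paper's 15 detection classes and VQE scoring are not reproduced here.

```python
import re

# Illustrative rules only (assumed): the paper's 15 detection classes are not listed here.
# Threat labels follow the abstract: Shor breaks RSA/ECDSA/ECDH/DH, Grover weakens symmetric.
RULES = [
    ("RSA", "shor", "ML-KEM (FIPS 203) or ML-DSA (FIPS 204), by use", r"\brsa\b"),
    ("ECDSA", "shor", "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)", r"\becdsa\b"),
    ("ECDH", "shor", "ML-KEM (FIPS 203)", r"\becdh\b"),
    ("DH", "shor", "ML-KEM (FIPS 203)", r"\bdiffie[-_ ]?hellman\b"),
    ("AES-128", "grover", "AES-256", r"\baes[-_]?128\b"),
]
COMPILED = [(n, t, target, re.compile(p, re.I)) for n, t, target, p in RULES]

# Constructed sample input, not taken from any of the evaluated libraries.
SAMPLE = """\
import rsa
import ecdsa
# TODO: drop the old Diffie-Hellman handshake notes
pub, priv = rsa.newkeys(2048)
sk = ecdsa.SigningKey.generate()
cipher = "AES-128-GCM"  # negotiated with peer
digest = hashlib.sha256(data).hexdigest()
"""

def scan(source):
    """Return one finding per (line, rule) hit, tagged with threat and context."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hash_pos = line.find("#")  # naive: does not handle '#' inside string literals
        for name, threat, target, rx in COMPILED:
            m = rx.search(line)
            if m:
                findings.append({
                    "line": lineno, "primitive": name, "threat": threat,
                    "migrate_to": target,
                    "in_comment": hash_pos != -1 and m.start() > hash_pos,
                })
    return findings

def prioritise(findings):
    """Assumed ordering (not the paper's VQE score): live code first, Shor before Grover."""
    return sorted(findings, key=lambda f: (f["in_comment"], f["threat"] != "shor", f["line"]))

if __name__ == "__main__":
    for f in prioritise(scan(SAMPLE)):
        where = "comment" if f["in_comment"] else "code"
        print(f'{f["line"]:>2} {f["primitive"]:<8} {f["threat"]:<6} {where:<7} -> {f["migrate_to"]}')
```

The Diffie-Hellman hit on line 3 of the sample is only a comment, which pattern matching alone cannot tell apart from live use; that is the kind of usage question the abstract assigns to the contextual enrichment stage.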