
arxiv: 2604.00560 · v1 · pith:HZODAKLRnew · submitted 2026-04-01 · 💻 cs.CR · cs.SE · quant-ph

Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration

Pith reviewed 2026-05-21 10:53 UTC · model grok-4.3

classification 💻 cs.CR · cs.SE · quant-ph
keywords post-quantum cryptography · static analysis · LLM-assisted detection · quantum risk scoring · VQE model · cryptographic migration · vulnerability inventory

The pith

A hybrid static analysis framework detects 15 classes of quantum-vulnerable cryptographic primitives in code and prioritizes fixes using regex, LLM context, and VQE risk scoring.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces an automated auditing system to help codebases prepare for quantum computers that can break widely used public-key schemes such as RSA and elliptic-curve cryptography. It shows that combining simple pattern matching for known vulnerable primitives, language-model classification for usage context and severity, and a quantum-computing model for risk ranking produces usable migration priorities. The evaluation covers 5,775 findings in five real libraries and reports 100 percent recall on a stratified sample of 602 labelled findings. Because that sample is drawn from the tool's own output, the recall figure says nothing about primitives the pattern stage never flagged, so the result supports the tool as a first-pass inventory rather than as proof that it surfaces every instance. If the full pipeline works as described, teams could inventory quantum exposure across large projects and focus limited migration resources on the highest-risk items first.

Core claim

The Quantum-Safe Code Auditor identifies quantum-vulnerable primitives through regex rules for 15 classes, applies LLM-assisted enrichment to determine usage context and severity, then assigns migration priority via a Variational Quantum Eigensolver model that incorporates qubit-cost estimates; on a stratified sample of 602 labelled instances drawn from 5,775 findings across five open-source libraries the system records 71.98 percent precision, 100 percent recall, and an F1 score of 83.71 percent.
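As an added illustration of the detection stage and of how the reported numbers are computed (example code written for this review, not the paper's released auditor): a small regex-rule scanner over constructed Python, JavaScript and Java lines, followed by precision, recall and F1 over a constructed labelled set. The rule set, class names, sample files and ground truth are all this example's own assumptions; the paper's 15-class rule set, its LLM enrichment and its VQE scorer are not reproduced. The second metric computation shows why labelling only the tool's own findings leaves recall at 100 percent by construction.

```python
"""Added example for this review, not the paper's code: a regex-first
inventory of quantum-vulnerable primitives plus precision/recall/F1 over a
labelled sample.  Rules, sample files and ground truth are constructed."""
import re
from dataclasses import dataclass

# (primitive class, quantum threat, pattern).  This example's own rules,
# not the paper's 15 classes.  Symmetric/hash hits need a follow-up context
# check (key length, usage) that a regex alone cannot perform.
_RULES = [
    ("RSA",     "Shor",   r'rsa\.newkeys\(|RSA\.generate\(|getInstance\(\s*"RSA"'),
    ("JWT-RSA", "Shor",   r'\b[RP]S(256|384|512)\b'),
    ("ECDSA",   "Shor",   r'SigningKey\.generate\(|\bNIST256p\b|\bSECP256k1\b|\bES(256|384|512)\b'),
    ("ECDH",    "Shor",   r'getInstance\(\s*"(ECDH|EC)"|createECDH\('),
    ("DH",      "Shor",   r'createDiffieHellman\(|getInstance\(\s*"DH"'),
    ("AES",     "Grover", r'AES\.new\(|getInstance\(\s*"AES'),
    ("SHA-1",   "Grover", r'hashlib\.sha1\(|getInstance\(\s*"SHA-?1"'),
]
RULES = [(cls, threat, re.compile(pat)) for cls, threat, pat in _RULES]


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    cls: str
    threat: str
    snippet: str


# Constructed sample "files" (not taken from the evaluated libraries).
SAMPLE_FILES = {
    "keys.py": [
        "import rsa",
        "(pub, priv) = rsa.newkeys(2048)",                              # true positive
        "# TODO: rsa.newkeys() is quantum-vulnerable, move to ML-KEM",  # comment: false positive
        "cipher = PKCS1_OAEP.new(pub)",                                 # RSA use the rules miss
    ],
    "sign.py": [
        "sk = SigningKey.generate(curve=NIST256p)",                     # true positive
        "h = hashlib.sha1(msg).digest()",                               # true positive
    ],
    "token.js": [
        "const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });",  # true positive
        "assert.ok(SUPPORTED.includes('RS256'));",                      # test string: false positive
    ],
    "Agree.java": [
        'KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECDH", "BC");',  # true positive
    ],
}

# Constructed ground truth, built independently of the scanner output.
GROUND_TRUTH = {
    ("keys.py", 2), ("keys.py", 4), ("sign.py", 1), ("sign.py", 2),
    ("token.js", 1), ("Agree.java", 1),
}


def scan(files):
    """Regex stage: one Finding per (line, rule) hit, with no context awareness."""
    findings = []
    for name, lines in files.items():
        for no, line in enumerate(lines, 1):
            for cls, threat, pat in RULES:
                if pat.search(line):
                    findings.append(Finding(name, no, cls, threat, line.strip()))
    return findings


def metrics(flagged, truth):
    """Precision, recall, F1 over sets of (file, line) locations."""
    tp = len(flagged & truth)
    p = tp / len(flagged) if flagged else 0.0
    r = tp / len(truth) if truth else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1


def evaluate(files=SAMPLE_FILES, truth=GROUND_TRUTH):
    """Return (metrics vs independent truth, metrics vs labels on findings only)."""
    flagged = {(f.file, f.line_no) for f in scan(files)}
    independent = metrics(flagged, truth)
    # If labels exist only for lines the scanner flagged, a miss such as
    # keys.py:4 can never be counted, so recall is 1.0 by construction.
    findings_only = metrics(flagged, truth & flagged)
    return independent, findings_only


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.file}:{f.line_no} {f.cls:8} ({f.threat}) {f.snippet}")
    (p, r, f1), (_, r_only, _) = evaluate()
    print(f"vs independent truth: P={p:.3f} R={r:.3f} F1={f1:.3f}")
    print(f"vs labels on findings only: R={r_only:.3f}")
```

The two false positives (a comment and a test string) are exactly the kind of hit a context stage is meant to downgrade; the missed PKCS1_OAEP call shows that a recall figure is only as good as the ground truth it is measured against.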

What carries the argument

The Quantum-Safe Code Auditor pipeline that links regex-based primitive detection, LLM contextual classification, and VQE-driven risk scoring with qubit-cost estimates.

If this is right

  • Codebases can be scanned automatically to produce an inventory of every quantum-vulnerable primitive without exhaustive manual search.
  • Migration planning can be ordered by a computed quantum-risk score rather than uniform treatment of all findings.
  • The same detection rules apply across Python, JavaScript, and Java libraries, indicating language portability.
  • Open release of code, data, and scripts allows direct reproduction and extension on new projects.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Embedding the auditor in continuous-integration pipelines would turn quantum-risk checks into a routine gate rather than a one-time audit.
  • If the qubit-cost component proves stable, the same scoring method could be adapted to other resource-based risk problems outside cryptography.
  • High recall combined with moderate precision implies the tool is best used as a broad net followed by human triage of the flagged items.

Load-bearing premise

The VQE model using qubit-cost estimates produces reliable prioritization of migration risks even though no validation details or comparison baselines are supplied for that component.

What would settle it

Running the VQE risk scorer on a fresh set of labelled findings and finding that its priority order shows no better-than-random agreement with expert-assigned migration urgency would falsify the prioritization claim.
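The agreement test described above, as an added example for this review rather than anything from the paper: Kendall rank correlation between a scorer's priority order and an expert urgency order, with a permutation baseline that answers "is this better than random?". The scorer outputs and the expert ranks below are constructed; the scorer is a hypothetical one, not the paper's VQE model, and the test would be run the same way on its output.

```python
"""Added example for this review, not the paper's code: Kendall rank
agreement between a scorer's priority order and expert urgency, with a
permutation baseline.  Scores and expert ranks are constructed."""
import random

# Constructed priority scores from a hypothetical scorer (higher = migrate first).
SCORER_SCORES = {
    "keys.py:2 RSA keygen":        0.92,
    "token.js:1 RS256 JWT sign":   0.88,
    "Agree.java:1 ECDH agreement": 0.85,
    "sign.py:1 ECDSA keygen":      0.70,
    "sign.py:2 SHA-1 digest":      0.30,
    "aes.py:5 AES-128 GCM":        0.25,
}

# Constructed expert urgency, 1 = most urgent.  The expert puts key agreement
# first because recorded traffic can be decrypted once a CRQC exists.
EXPERT_RANK = {
    "Agree.java:1 ECDH agreement": 1,
    "keys.py:2 RSA keygen":        2,
    "token.js:1 RS256 JWT sign":   3,
    "sign.py:1 ECDSA keygen":      4,
    "aes.py:5 AES-128 GCM":        5,
    "sign.py:2 SHA-1 digest":      6,
}


def ranks_from_scores(scores):
    """Map item -> rank (1 = highest score); ties broken by item name."""
    ordered = sorted(scores, key=lambda k: (-scores[k], k))
    return {item: i + 1 for i, item in enumerate(ordered)}


def kendall_tau(rank_a, rank_b):
    """Kendall tau-a over the items of rank_a (assumes no tied ranks)."""
    items = list(rank_a)
    conc = disc = 0
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            s = (rank_a[items[i]] - rank_a[items[j]]) * (rank_b[items[i]] - rank_b[items[j]])
            if s > 0:
                conc += 1
            elif s < 0:
                disc += 1
    n = len(items)
    return (conc - disc) / (n * (n - 1) / 2)


def permutation_p(rank_a, rank_b, trials=2000, seed=1):
    """One-sided permutation p-value: fraction of random orderings of rank_b
    that agree with rank_a at least as well as the observed ordering."""
    observed = kendall_tau(rank_a, rank_b)
    rng = random.Random(seed)
    items = list(rank_b)
    values = [rank_b[k] for k in items]
    hits = 0
    for _ in range(trials):
        rng.shuffle(values)
        if kendall_tau(rank_a, dict(zip(items, values))) >= observed:
            hits += 1
    return (hits + 1) / (trials + 1)


def assess(scores=SCORER_SCORES, expert=EXPERT_RANK):
    """Return (tau, p).  tau near 0 with p not small means the scorer's order
    is no better than a random ordering of the same findings."""
    scorer = ranks_from_scores(scores)
    return kendall_tau(expert, scorer), permutation_p(expert, scorer)


if __name__ == "__main__":
    tau, p = assess()
    print(f"Kendall tau = {tau:.3f}, permutation p = {p:.3f}")
```

With only six constructed findings the permutation baseline is coarse (720 orderings); on a real labelled set of the paper's size the same procedure gives a usable null distribution, and a tau indistinguishable from that null is the falsifying outcome the passage describes.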

Figures

Figures reproduced from arXiv: 2604.00560 by Animesh Shaw.

Figure 1: Quantum Threat Model — Cryptographic Vulnerability Landscape and Temporal Risk
Figure 2: Quantum-Safe Auditor — Role in the PQC Migration Lifecycle
Original abstract

The impending arrival of cryptographically relevant quantum computers (CRQCs) threatens the security foundations of modern software: Shor's algorithm breaks RSA, ECDSA, ECDH, and Diffie-Hellman, while Grover's algorithm reduces the effective security of symmetric and hash-based schemes. Despite NIST standardising post-quantum cryptography (PQC) in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), most codebases lack automated tooling to inventory classical cryptographic usage and prioritise migration based on quantum risk. We present Quantum-Safe Code Auditor, a quantum-aware static analysis framework that combines (i) regex-based detection of 15 classes of quantum-vulnerable primitives, (ii) LLM-assisted contextual enrichment to classify usage and severity, and (iii) risk scoring via a Variational Quantum Eigensolver (VQE) model implemented in Qiskit 2.x, incorporating qubit-cost estimates to prioritise findings. We evaluate the system across five open-source libraries -- python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java -- covering 5,775 findings. On a stratified sample of 602 labelled instances, we achieve 71.98% precision, 100% recall, and an F1 score of 83.71%. All code, data, and reproduction scripts are released as open-source.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper claims to introduce 'Quantum-Safe Code Auditor', a framework combining regex-based detection of quantum-vulnerable primitives, LLM-assisted contextual enrichment, and VQE-based risk scoring for prioritizing post-quantum cryptography migration in codebases. Evaluation on five libraries with 5775 findings shows 71.98% precision, 100% recall, and 83.71% F1 on 602 samples, with open-source release.

Significance. If validated, this could provide a practical tool for organizations migrating to NIST PQC standards by automating inventory and risk prioritization. The open-source aspect enhances potential impact and allows community verification. However, the quantum component's contribution remains unproven based on the provided evaluation.

major comments (2)
  1. The reported metrics (71.98% precision, 100% recall, F1=83.71%) apply exclusively to the regex+LLM detection on the 602 instances; no performance data, objective function, ansatz details, or baselines (e.g., classical CVSS or qubit-count scoring) are supplied for the VQE risk scorer, undermining the central 'quantum-aware' prioritization claim.
  2. The VQE model is described as using qubit-cost estimates in Qiskit 2.x, but without specification of the variational parameters, ansatz circuit, or training procedure, it is unclear if the scoring is independent or circularly dependent on model choices.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the potential practical value of the Quantum-Safe Code Auditor framework. We address the two major comments point by point below.

  1. Referee: The reported metrics (71.98% precision, 100% recall, F1=83.71%) apply exclusively to the regex+LLM detection on the 602 instances; no performance data, objective function, ansatz details, or baselines (e.g., classical CVSS or qubit-count scoring) are supplied for the VQE risk scorer, undermining the central 'quantum-aware' prioritization claim.

    Authors: We acknowledge that the quantitative evaluation in the current manuscript centers on the detection stage (regex plus LLM enrichment), which directly measures the accuracy of identifying quantum-vulnerable primitives. The VQE risk scorer is presented as a complementary prioritization layer that incorporates qubit-cost estimates to rank findings for migration urgency. We agree that the absence of explicit performance metrics, objective-function definition, and classical baselines for this component weakens the claim of quantum-aware prioritization. We will add a dedicated subsection with the VQE objective function, preliminary prioritization results on the same 602-sample set, and direct comparisons against CVSS and simple qubit-count baselines. revision: yes

  2. Referee: The VQE model is described as using qubit-cost estimates in Qiskit 2.x, but without specification of the variational parameters, ansatz circuit, or training procedure, it is unclear if the scoring is independent or circularly dependent on model choices.

    Authors: We thank the referee for highlighting this lack of implementation detail. The manuscript indeed provided only a high-level reference to Qiskit 2.x qubit-cost estimates. We will expand the methods section to specify the hardware-efficient ansatz (depth-4, 2 qubits per primitive class), the 12 variational parameters, the COBYLA optimizer with 200 iterations, and the fact that qubit-cost estimates are pre-computed via Qiskit’s resource estimator before being fed into the VQE objective; this ordering prevents circular dependence. The revised text will also include a short reproducibility note with the exact circuit diagram and hyper-parameters. revision: yes

Circularity Check

1 step flagged

VQE risk scoring reduces to qubit-cost estimates by construction with no independent validation

specific steps
  1. fitted input called prediction [Abstract (risk scoring description) and evaluation paragraph]
    "risk scoring via a Variational Quantum Eigensolver (VQE) model implemented in Qiskit 2.x, incorporating qubit-cost estimates to prioritise findings. We evaluate the system across five open-source libraries -- python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java -- covering 5,775 findings. On a stratified sample of 602 labelled instances, we achieve 71.98% precision, 100% recall, and an F1 score of 83.71%."

    The prioritization output is defined directly from qubit-cost estimates fed into the VQE; the only quantitative results supplied are for the upstream detection pipeline, so the claimed quantum-risk prioritization is statistically forced by the choice of those estimates rather than independently validated.

full rationale

The paper's central quantum-aware contribution is the VQE-based risk scoring for prioritization, yet the reported evaluation (71.98% precision etc. on 602 instances) covers only regex+LLM detection. The VQE component is described solely in terms of its inputs (qubit-cost estimates) with no objective function, ansatz, convergence details, or comparison to classical baselines supplied. This makes the prioritization step reduce to re-expressing the fitted or chosen inputs rather than producing independent evidence.

Axiom & Free-Parameter Ledger

1 free parameter · 2 axioms · 0 invented entities

Based on abstract only, the central claim rests on unverified assumptions about LLM accuracy for classification and the relevance of VQE qubit estimates for real-world migration risk; no independent evidence or parameter-free derivation is described.

free parameters (1)
  • VQE variational parameters
    Parameters optimized during the quantum risk scoring computation that influence prioritization outputs.
axioms (2)
  • domain assumption LLM contextual enrichment reliably classifies usage severity and risk level
    Invoked to enrich regex detections without reported accuracy bounds or error analysis.
  • domain assumption Qubit-cost estimates from VQE correlate with actual quantum attack feasibility for prioritization
    Used as the basis for risk scoring in the third framework component.

pith-pipeline@v0.9.0 · 5798 in / 1471 out tokens · 78585 ms · 2026-05-21T10:53:33.138069+00:00



Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. quantum-safe: Bridging the Post-Quantum Production Gap with a Hybrid-by-Default Python Cryptography Library

    cs.CR · 2026-05 · unverdicted · novelty 6.0

    The quantum-safe library provides comprehensive hybrid post-quantum crypto features in Python and demonstrates low performance overhead through rigorous benchmarking.

Reference graph

Works this paper leans on

15 extracted references · 15 canonical work pages · cited by 1 Pith paper · 1 internal anchor

  1. [1] Itzel Ami et al. CryptoAPI-Bench: A comprehensive benchmark on Java cryptographic API misuse. In IEEE Symposium on Security and Privacy (S&P), 2022. arXiv:2107.07065
  2. [2] Wei Cheng et al. Post-quantum cryptography migration in telecommunications: Challenges and strategies. Telecom, 6(4):100, 2025
  3. [3] Michael Coblenz et al. Designing LLM-assisted tools for cryptographic code tasks. arXiv preprint arXiv:2411.09772, 2024
  4. [4] Craig Gidney and Martin Ekerå. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum, 5:433, 2021
  5. [5] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), pages 212–219. ACM, 1996
  6. [6] Michele Mosca. Cybersecurity in an era with quantum computers: Will we be ready? IEEE Security & Privacy, 16(5):38–41, 2018
  7. [7] National Institute of Standards and Technology. Module-lattice-based digital signature standard (FIPS 204). Technical report, NIST, 2024
  8. [8] National Institute of Standards and Technology. Module-lattice-based key-encapsulation mechanism standard (FIPS 203). Technical report, NIST, 2024
  9. [9] National Institute of Standards and Technology. Stateless hash-based digital signature standard (FIPS 205). Technical report, NIST, 2024
  10. [10] National Security Agency. Commercial national security algorithm suite 2.0 (CNSA 2.0). Technical report, NSA, 2022
  11. [11] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng Yao. CryptoGuard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 2455–2472, 2019
  12. [12] arXiv:1806.06881 (preprint version of [11])
  13. [13] Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter. Quantum resource estimates for computing elliptic curve discrete logarithms. In Advances in Cryptology – ASIACRYPT 2017, pages 241–270. Springer, 2017
  14. [14] Animesh Shaw. Quantum-Safe Code Auditor: Source code, evaluation data, and reproduction scripts. GitHub repository, 2026
  15. [15] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science (FOCS), pages 124–134. IEEE, 1994