Framework Detects Quantum Risks in Codebases with 15 Primitive Classes

Animesh Shaw have created Quantum-Safe Code Auditor, a new framework that automatically identifies and prioritises classical cryptographic elements within existing codebases vulnerable to quantum attacks. The system offers the first automated set of tools to assess quantum risk and guide migration to post-quantum cryptography, following the recent NIST standards released in 2024. It uses a combination of regex-based detection, large language model assistance, and a Variational Quantum Eigensolver implemented in Qiskit 2.x to analyse code and estimate the qubit cost associated with potential vulnerabilities, demonstrated through the evaluation of five open-source libraries and achieving high precision and recall. Complete detection of quantum vulnerabilities using hybrid static analysis and quantum computation Quantum-Safe Code Auditor identifies 100% of quantum-vulnerable code, surpassing the performance of previous static analysis tools that often favoured precision over complete vulnerability detection. The impending arrival of cryptographically relevant quantum computers (CRQCs) necessitates this level of comprehensive analysis. Overlooking even a single vulnerability presents a greater risk than investigating a false alarm. Previously, developers lacked automated systems capable of guaranteeing all vulnerabilities were flagged for review, relying instead on manual code inspection which is both time-consuming and prone to error. The framework combines regex scanning for initial identification of potential cryptographic calls, large language model enrichment to disambiguate function usage and context, and a Variational Quantum Eigensolver, a quantum computing technique, to assess risk and prioritise migration to post-quantum cryptography standards. The regex component initially filters code, identifying potential instances of cryptographic function calls based on known signatures. This is then refined by the large language model, which analyses the surrounding code to confirm whether the identified call is genuinely being used for cryptographic purposes, reducing false positives. Finally, the VQE model provides a quantitative assessment of the vulnerability. Evaluation across five open-source libraries revealed an 83.71% F1 score, demonstrating both high precision and complete recall. This metric represents a harmonic mean of precision and recall, indicating a balanced performance in identifying vulnerabilities without generating excessive false alarms. All code is available as open-source for further research and deployment, fostering collaboration and allowing for community-driven improvements. A stratified sample of 602 labelled instances yielded a precision rate of 71.98%, demonstrating a balance between identifying true vulnerabilities and minimising false alarms. This indicates that approximately 72% of the flagged vulnerabilities were genuinely cryptographic weaknesses, while the remaining 28% were false positives. Performance was detailed across five open-source libraries: python-rsa, python-ecdsa, python-jose, node-jsonwebtoken, and Bouncy Castle Java, totaling 5,775 findings. These libraries represent a diverse range of cryptographic implementations commonly used in various applications, providing a robust testbed for the framework. The system assigns risk scores ranging from 0 to 10, enabling prioritisation of migration to post-quantum cryptography standards. This scoring system allows developers to focus their limited resources on addressing the most critical vulnerabilities first. Node-jsonwebtoken, a high-traffic JWT library, featured among the 5,775 findings across the five open-source libraries evaluated, highlighting the importance of securing widely used components. Algorithms including RSA, ECDSA, ECDH, and Diffie-Hellman are vulnerable to attacks utilising Shor’s algorithm, a quantum algorithm capable of efficiently factoring large numbers and solving the discrete logarithm problem, effectively breaking these widely used public-key cryptosystems. A Variational Quantum Eigensolver (VQE) model calculates these risk scores, estimating the computational effort, measured in qubits, required for a quantum computer to break specific encryption. The VQE model operates by mapping the problem of breaking the encryption onto the ground state energy of a Hamiltonian, which is then approximated using a quantum computer. The number of qubits required to achieve a certain level of accuracy in the VQE calculation serves as a proxy for the difficulty of breaking the encryption, providing a granular assessment of vulnerability. This allows for a nuanced understanding of risk, beyond simply identifying the presence of a vulnerable algorithm. Prioritising cryptographic code remediation with automated quantum risk assessment The arrival of quantum computers poses a genuine threat to current encryption standards, demanding a swift and systematic response from developers. Current cryptographic algorithms, such as RSA and Elliptic Curve Cryptography, rely on the computational difficulty of certain mathematical problems for their security. However, Shor’s algorithm, executable on a sufficiently powerful quantum computer, can solve these problems efficiently, rendering these algorithms insecure. NIST’s recent post-quantum cryptography standards offer a path forward, with algorithms like FIPS 203 ML-KEM, FIPS 204 ML-DSA, and FIPS 205 SLH-DSA designed to resist attacks from both classical and quantum computers. However, identifying precisely which code needs updating remains a significant hurdle. Locating instances of vulnerable algorithms alone is insufficient; understanding the context of their usage and the potential impact of a successful attack is crucial. Acknowledging that fully automating quantum risk assessment is incredibly complex, a tool capable of identifying and prioritising vulnerable code remains vitally important. The transition to post-quantum cryptography is not merely a technical upgrade, but a fundamental shift in cryptographic paradigms. Quantum-Safe Code Auditor does not eliminate the need for expert review, but drastically reduces the manual effort required to prepare for post-quantum cryptography. Manual code review is still necessary to validate the findings and ensure that the proposed remediation strategies are appropriate for the specific application. A framework utilising pattern matching and artificial intelligence has been developed to ease the transition to post-quantum cryptography standards. This new framework delivers the first automated system capable of identifying and ranking cryptographic weaknesses threatened by future quantum computers, allowing developers to proactively strengthen their systems. Consequently, developers can prioritise updates to meet new post-quantum cryptography standards, focusing on the most critical vulnerabilities first. This proactive approach is essential to minimise the risk of disruption and maintain the confidentiality, integrity, and availability of sensitive data in the quantum era. The ability to automatically assess and prioritise quantum risk represents a significant step towards securing software against the threats of tomorrow. The research team developed Quantum-Safe Code Auditor, a framework that automatically identifies and prioritises vulnerable cryptographic code within software. This is important because current encryption methods are threatened by the development of quantum computers capable of breaking them. The system analysed over 5,775 instances of potentially vulnerable code across five open-source libraries, achieving 71.98% precision in identifying genuine vulnerabilities. The authors released all code and data as open-source, enabling further development and verification of their approach to quantum risk assessment. 👉 More information 🗞 Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration 🧠 ArXiv: https://arxiv.org/abs/2604.00560 Tags: