arXiv: Empirical Evaluation of Large Language Models for Migration of Code Fragments to Post-Quantum Cryptography

This publication presents an empirical evaluation of large language models (LLMs) for automatically migrating existing code fragments to post-quantum cryptography (PQC) algorithms. The study assesses how effectively LLMs can replace vulnerable cryptographic implementations with quantum-resistant alternatives, highlighting both the potential for automation and significant risks, such as incorrect or insecure code transformations. While not a regulatory mandate, this research signals a critical shift in how organizations should approach PQC migration, as reliance on LLMs without rigorous validation could introduce compliance gaps.

The findings directly affect any organization handling sensitive data or critical infrastructure, particularly those in finance, healthcare, telecommunications, and government sectors that must comply with evolving cryptographic standards (e.g., NIST’s PQC recommendations, EU cybersecurity frameworks). Compliance teams in these sectors should be aware that automated code migration tools, including LLMs, are not yet fully reliable for regulatory purposes. The study underscores the need for human oversight and formal verification when transitioning to PQC.

Compliance teams should immediately review their current cryptographic inventory and PQC migration plans. They must ensure that any use of LLMs for code migration is accompanied by manual code review, security testing, and alignment with recognized standards (e.g., NIST SP 800-208, ETSI TS 103 744). Additionally, teams should update their risk assessments to account for the potential of LLM-generated vulnerabilities, and consider piloting LLM-assisted migrations only in non-critical environments until further validation is available.