CAREER: Securing Software for the Quantum Era via Program Analysis-Guided AI Migration
National Science Foundation

Description
The rapid advancement of quantum computing poses a major threat to digital security. The risk is urgent because many software systems rely on cryptographic methods that could become insecure in the presence of large-scale quantum computers, including those that protect banking, medical records, and critical infrastructure. However, upgrading to quantum-safe cryptography is not as simple as replacing one encryption package with another. Security mechanisms are often spread across many parts of a system, intertwined with how data moves, how identities are verified, and how outside components connect, so piecemeal changes can break compatibility or introduce new weaknesses.

This research develops practical, trustworthy ways to understand quantum-era exposure and carry out safe upgrades in an auditable manner. The project's novelties are a quantitative Quantum-Readiness Index that summarizes system-level quantum risk, a dependency-aware view that connects vulnerable cryptography to the surrounding software behaviors that rely on it, and an evidence-driven pathway that turns measured risk into actionable upgrade steps.

The project achieves these goals by developing a methodology that turns scattered cryptographic usage into prioritized risk rankings and reliable upgrades. First, it defines a Quantum-Readiness Index that evaluates software components by integrating mission context and threat levels, producing priorities for where quantum-era risk exists. Next, it develops an analysis of cryptographic usage through a hybrid of static and dynamic techniques organized within a novel Cryptographic-Dependence Graph, improving coverage and precision across code, configurations, and third-party dependencies. Then, it develops migration-oriented cryptographic analysis that identifies coupled operations and derives dependency-aware upgrade sequencing, reducing the chance of incompatible intermediate states during transition. Finally, it creates a plan-aware migration pipeline that uses large language models to generate post-quantum cryptography patches, which are then checked against tests and cryptographic constraints.

Together, the work promotes safer and more resilient digital systems, protecting critical infrastructure, medical records, and other essential services while strengthening trust in the security of modern software.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

NSF Award ID: 2540631
Program: 01003031DB NSF RESEARCH & RELATED ACTIVIT,01002627DB NSF RESEARCH & RELATED ACTIVIT,01002930DB NSF RESEARCH & RELATED ACTIVIT
Principal Investigator: Umar Farooq
Institution: Louisiana State University, BATON ROUGE, LA
Award Amount: $300,912
View on NSF Award Search: https://www.nsf.gov/awardsearch/show-award/?AWD_ID=2540631
View on Research.gov: https://www.research.gov/awardapi-service/v1/awards/2540631.html
Grant Details
$300,912 - $300,912
March 31, 2031
BATON ROUGE, LA