SoK: Post-Quantum Cryptography (PQC) Implementation in Software Systems

Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Expert, extended

Summary

A Systematisation of Knowledge (SoK) study analyzes Post-Quantum Cryptography (PQC) implementation in software systems, highlighting significant challenges beyond algorithmic security. The research, based on a systematic review of 29 articles published primarily between January 2020 and February 2026, reveals that integrating PQC faces hurdles like complexity, limited developer expertise, and insufficient organizational readiness. By mapping existing approaches and challenges across Human, Organization, and Technology (HOT) dimensions, the study identifies a strong bias towards technological solutions, with human and organizational factors being largely underexplored. It concludes that PQC implementation is a socio-technological transformation, not just a cryptographic replacement, and introduces the PQC-HOT model. This framework explains how interactions among HOT dimensions collectively influence implementation outcomes, guiding future research and design for scalable PQC deployment.

Key takeaway

If you are a software engineering leader planning PQC migration, recognize it as a socio-technological transformation, not just a technical upgrade. Your strategy must integrate robust governance, developer training, and lifecycle-aware system design. Prioritize developer-centric tools and cryptographic agility to mitigate implementation risks and ensure long-term security. Invest in continuous training and cross-functional collaboration.

Key insights

PQC implementation is a socio-technological challenge requiring integrated Human, Organizational, and Technological approaches, not just technical solutions.

Method

The Systematisation of Knowledge (SoK) study used a systematic literature review, the PICOC framework, and PRISMA 2020 for study selection. Thematic analysis and the HOT framework were used to synthesize findings on PQC implementation approaches and challenges.

Best for: CTO, VP of Engineering/Data, Director of AI/ML, Software Engineer, Research Scientist, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.