Advances in quantum computing increasingly threaten the security and privacy of data protected by current cryptosystems, particularly those relying on public-key cryptography. In response, the international cybersecurity community has prioritized the implementation of Post-Quantum Cryptography (PQC), a new cryptographic standard designed to resist quantum attacks while operating on classical computers. The National Institute of Standards and Technology (NIST) has already standardized several PQC algorithms and plans to deprecate classical asymmetric schemes, such as RSA and ECDSA, by 2035. Despite this urgency, PQC adoption remains slow, often due to limited developer expertise. Application Programming Interfaces (APIs) are intended to bridge this gap, yet prior research on classical security APIs demonstrates that poor usability of cryptographic APIs can lead developers to introduce vulnerabilities when implementing applications, a risk amplified by the novelty and complexity of PQC. To date, the usability of PQC APIs has not been systematically studied. This research presents an empirical evaluation of the usability of PQC APIs, observing how developers interact with APIs and documentation during software development tasks. The study identifies cognitive factors that influence developers' performance when working with PQC primitives with minimal onboarding. The findings highlight opportunities across the PQC ecosystem to improve developer-facing guidance, terminology alignment, and workflow examples to better support non-specialists.