REVIEW 3 major objections 6 minor 24 references
A multi-stage kill-chain can reverse-engineer a quantum neural network on real trapped-ion hardware and then flip its predictions by timed crosstalk.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-12 03:10 UTC pith:66LGQHNN
load-bearing objection First real-hardware chaining of power-trace recon + constrained adversarial examples + timed ion-trap crosstalk on a QNN; the physical stage moves expectation vectors but does not deliver the promised accuracy drop. the 3 major comments →
An End-to-End Multi-Stage Kill-Chain Attack on Quantum Neural Networks: Demonstration on Trapped-Ion Hardware
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
An end-to-end multi-stage attack—power-trace architecture recovery, constrained projected-gradient adversarial examples, and timed neighbour RY crosstalk—can be executed against a trained re-uploading quantum neural network on real trapped-ion hardware, with the crosstalk configuration producing the smallest mean-absolute error to the adversarial hardware expectation vectors.
What carries the argument
The multi-stage kill-chain itself: reconnaissance yields a temporal map of the victim’s data-encoding RY gates; masked PGD then produces adversarial angles only on those RY components; a linear crosstalk model converts the required angle offsets into neighbour rotations that are scheduled at the recovered times.
Load-bearing premise
The reconnaissance stage rests entirely on a hand-crafted rectangular-pulse simulator whose amplitudes and fixed durations may not match the real laser-drive electronics of the device.
What would settle it
Capture genuine analogue power traces from the same trapped-ion controller while the victim circuit runs; if those traces no longer uniquely match the correct benchmark architecture, or if the subsequent crosstalk schedule fails to move the hardware expectation vectors closer to the adversarial ones, the claimed end-to-end chain collapses.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents a multi-stage kill-chain attack against a re-uploading variational QNN on AQT trapped-ion hardware. Stage 1 uses simulated power traces to identify the victim architecture among 24 benchmark circuits via timing filters and L2 distance. Stage 2 generates adversarial examples with (masked) PGD under white-box access, restricting perturbations to RY-encoded features to match hardware crosstalk constraints. Stage 3 schedules neighbor RY rotations timed to the inferred encoding gates, using a measured crosstalk factor f≈0.01, and evaluates the induced effect on 50 selected samples on AQT Ibex. Superconducting power-trace and Active SWAP experiments appear in the appendix. The authors claim an end-to-end demonstration that side-channel reconnaissance enables a physical crosstalk attack approximating adversarial examples, and discuss QaaS implications and mitigations.
Significance. Framing QML security as a multi-stage kill chain (reconnaissance → constrained adversarial construction → timed physical crosstalk) is a useful systems-level contribution beyond isolated attack papers. Demonstrating the pipeline on real trapped-ion hardware, with explicit mapping from input-space δ to neighbor RY schedules and measured crosstalk factors (Appendix B, Table IV), is novel and relevant to multi-tenant QaaS. The constrained-PGD construction and the honest reporting of hardware–simulator MAE gaps (Table IX) are strengths. If the final physical stage were shown to reliably degrade classification, the work would be a strong reference for hardware and cloud providers. As written, the significance is tempered by the fact that the decisive hardware result does not establish attack impact via accuracy or label flips.
major comments (3)
- Section V-C, Table VIII: On the 50 hardware samples the reported accuracies are clean=0.64, adversarial=0.56, crosstalk=0.68. The physical crosstalk schedule does not reduce accuracy relative to clean and is slightly better than clean; it therefore fails the standard definition of an adversarial example (inducing misclassification). The abstract and introduction claim an end-to-end attack that “realizes the adversarial perturbation on the device.” That claim is not supported by classification outcomes. Redefining success via the smallest MAE between hw_adv and hw_crosstalk expectation vectors (Table IX, 0.1236) shows that the induced state moves toward the adversarial hardware state, but does not establish that the kill-chain’s final stage achieves the stated attack goal. Either additional experiments that produce a clear accuracy drop / label-flip rate under the physical schedule, or a
- Section IV-D and V-A: The reconnaissance stage that supplies the timing map for gate placement rests entirely on a hand-crafted rectangular-pulse simulator (fixed 10 µs / 200 µs pulses, 2 µs idles, ad-hoc amplitude corrections {a_i}). No real AQT power traces are used. The L2 ranking that selects benchmark circuit 7 (and thereby the architecture and schedule) is therefore only as valid as this simulator. Because subsequent stages depend on that timing map, the manuscript should either (i) validate the simulator against real control electronics / published AQT pulse data, or (ii) clearly demote Stage 1 to a simulated reconnaissance assumption and state that the end-to-end hardware claim begins after architecture is known. As written, the “full attack chain on ion traps” overstates what was executed on the device.
- Section V-C / sample selection: The 50 hardware circuits are drawn from the 338/885 training samples for which masked PGD succeeded on the statevector surrogate (Table VII). Accuracies are then reported on hardware where even the clean inputs drop to 0.64. The paper notes the sim–hardware mismatch but still presents the pipeline as a successful end-to-end attack. A load-bearing revision is needed: report label-flip rates and confusion matrices for clean / adversarial / crosstalk on the same 50 samples (analogous to the superconducting confusion matrices in Fig. 11), and quantify how often crosstalk actually changes the argmax relative to clean hardware, not only MAE of expectation vectors.
minor comments (6)
- Table II threat model: “explicit timing information about the victim circuit is required” for the crosstalk stage; the text should state more clearly whether this timing is assumed known a priori or is claimed to be recovered from the (simulated) power-trace stage, and under what multi-tenant scheduling assumptions concurrent placement is realistic.
- Section IV-F: The uniform f_j=0.01 approximation is reasonable given Table IV, but the amplitude-saturation / gate-splitting rule (γ capped at π) should be checked for the largest |Δθ_i| that actually occur; a short histogram of required γ would help the reader assess how often multi-π sequences are needed.
- Figure 4 and PCA inverse: The visual adversarial examples are in the reconstructed 16×16 domain; a brief note that the attack itself operates in the 16-dimensional PCA feature space (not pixel space) would avoid confusion.
- Appendix A Active SWAP results (Table XIV): Individual CNOT disturbances raise accuracy (0.87, 0.88 vs 0.80 baseline) while the pair lowers it to 0.75. The discussion correctly cautions against over-interpretation; a one-sentence statement that this is not claimed as a reliable sabotage attack would align the appendix with the main-text caution.
- Notation: The expanded input dimension is written as R^48 and D=3·16 in IV-F, while the architecture description earlier uses 16 PCA features with three re-uploads; a single consistent symbol for the expanded encoding vector would improve readability.
- References: The kill-chain taxonomy is self-cited as [4]; for a journal audience, a short self-contained summary of the five stages (already present in III-A) is fine, but ensure the arXiv version of [4] is stable or cite the formal venue if available.
Circularity Check
Experimental kill-chain demonstration with no load-bearing circular derivation; only minor self-citation framing and a same-simulator recon consistency check.
specific steps
-
other
[Section IV-D and V-A (power-trace recon)]
"Since real power traces from hardware are not available, we simulate the power traces as follows. ... Thus, benchmark circuit 7 has the smallest distance and is selected as the best match, confirming that it indeed corresponds to the victim QNN’s structure."
Victim and all 24 benchmarks are scored inside the same ad-hoc pulse simulator (fixed 10 µs / 200 µs rectangular pulses, amplitudes from a fixed {a_i} vector). Timing equality already forces same qubit count and layer depth by construction of the simulator; L2 ranking then selects the matching entangling pattern among three remaining candidates. The ‘reconstruction’ is therefore a same-model consistency check, not an independent recovery of unknown structure from real side-channel data. Mild and non-load-bearing for the later hardware crosstalk stage.
full rationale
This is an empirical multi-stage attack demonstration, not a first-principles derivation paper. The central results (PGD success histograms, hardware accuracies in Table VIII, MAE matrix in Table IX, crosstalk bitstring counts in Appendix B) are measured outcomes, not quantities forced by definition or by a fitted constant renamed as a prediction. The crosstalk factor f_j is estimated once from AQT Ibex probe data and then frozen at 0.01 to schedule neighbor RY angles; that is ordinary experimental calibration, not a circular prediction of an independent observable. Self-citations to the authors’ kill-chain taxonomy [4] and the QML-ESA report [7] supply framing and extended appendices; they do not substitute for the hardware measurements that constitute the claim. The only mild circularity-adjacent point is Stage-1 power-trace reconnaissance: both victim and benchmark traces are generated by the same hand-crafted rectangular-pulse simulator (Section IV-D), so structural matching is largely a consistency check of that simulator rather than an independent side-channel recovery. That weakens the recon stage’s external force but does not make the end-to-end claim reduce by construction to its inputs. Overall circularity is negligible.
Axiom & Free-Parameter Ledger
free parameters (3)
- crosstalk factor f_j =
0.01
- PGD epsilon schedule and alpha =
alpha=0.01, eps increments 0.1
- power-trace amplitude corrections {a_i} =
{1,-1,2,3,0,-2,-3,0,-4,4}
axioms (4)
- domain assumption Linear additive crosstalk: induced angle on a target equals sum of f_j * gamma_j over neighbors.
- domain assumption Virtual RZ gates produce zero physical pulse and therefore zero crosstalk.
- ad hoc to paper Attacker has white-box gradient access and can schedule concurrent circuits with precise timing knowledge of the victim.
- ad hoc to paper Simulated rectangular power pulses with fixed 10 µs / 200 µs durations and 2 µs idles faithfully rank circuit architectures.
read the original abstract
We demonstrate an end-to-end, multi-stage attack against a quantum neural network (QNN) model that is executed on a trapped-ion quantum computer. Our chain combines side-channel reconnaissance, crosstalk characterization, adversarial example generation, and a physical crosstalk attack that realizes the adversarial perturbation on the device. We cover the full attack chain on ion traps and report the corresponding superconducting-hardware experiments in the appendix. We discuss implications for QaaS providers and hardware mitigations.
Figures
Reference graph
Works this paper leans on
-
[1]
Analysis of crosstalk in NISQ devices and security implications in multi-programming regime
Abdullah Ash-Saki, Mahabubul Alam, and Swaroop Ghosh. “Analysis of crosstalk in NISQ devices and security implications in multi-programming regime”. In: Proceedings of the ACM/IEEE International Symposium on Low Power Electronics and Design. New York, NY , USA: Association for Computing Machinery, Aug. 2020, pp. 25–30.ISBN: 978-1-4503-7053-0.URL: https: /...
-
[2]
Training robust and generalizable quantum models
Julian Berberich, Daniel Fink, Daniel Pranji ´c, Christian Tutschku, and Christian Holm. “Training robust and generalizable quantum models”. In: (2023). Version Number: 3.URL: https://arxiv.org/abs/2311.11871
arXiv 2023
-
[3]
Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers
Navnil Choudhury, Chaithanya Naik Mude, Sanjay Das, Preetham Chandra Tikkireddi, Swamit Tannu, and Kanad Basu. “Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers”. In: (Dec. 2024). arXiv:2412.10507 [cs].URL: http://arxiv.org/abs/2412. 10507
Pith/arXiv arXiv 2024
-
[4]
Entangled Threats: A Unified Kill Chain Model for Quantum Machine Learning Security
Pascal Debus, Maximilian Wendlinger, Kilian Tscharke, Daniel Herr, Cedric Brügmann, Daniel Ohl de Mello, Juris Ulmanis, Alexander Erhard, Arthur Schmidt, and Fabian Petsch. “Entangled Threats: A Unified Kill Chain Model for Quantum Machine Learning Security”. In: (July 2025).URL: https://arxiv.org/abs/2507.08623
Pith/arXiv arXiv 2025
-
[5]
Quantum noise protects quantum classifiers against adversaries
Yuxuan Du, Min-Hsiu Hsieh, Tongliang Liu, Dacheng Tao, and Nana Liu. “Quantum noise protects quantum classifiers against adversaries”. In:Physical Review Research3.2 (May 2021). Publisher: American Physical Society, p. 023153.URL: https://link.aps.org/doi/10. 1103/PhysRevResearch.3.023153
2021
-
[6]
Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Con- trollers
Ferhat Erata, Chuanqi Xu, Ruzica Piskac, and Jakub Szefer. “Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Con- trollers”. In:IACR Transactions on Cryptographic Hardware and Embedded Systems2024.2 (Mar. 2024), pp. 735–768.URL: https://tches.iacr.org/index.php/ TCHES/article/view/11445
2024
-
[7]
Federal Office for Information Security.QML-ESA – Advanced Security Analysis of Quantum Machine Learning. Tech. rep. Federal Office for Information Security (BSI), 2026.URL: https://www.bsi.bund.de/ DE/Service- Navi/Publikationen/Studien/QML/QML_ node.html (visited on 06/08/2026)
2026
-
[8]
Crosstalk At- tack Resilient RNS Quantum Addition
Bhaskar Gaur and Himanshu Thapliyal. “Crosstalk At- tack Resilient RNS Quantum Addition”. In:2025 IEEE International Symposium on Circuits and Systems (IS- CAS). 2025, pp. 1–5.URL: https://arxiv.org/abs/2410. 23217
2025
-
[9]
Explaining and Harnessing Adversarial Ex- amples
Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. “Explaining and Harnessing Adversarial Ex- amples”. In: (Mar. 2015). arXiv:1412.6572.URL: http: //arxiv.org/abs/1412.6572
Pith/arXiv arXiv 2015
-
[10]
Crosstalk Attacks and Defence in a Shared Quantum Computing Environment
Benjamin Harper, Behnam Tonekaboni, Bahar Goldozian, Martin Sevior, and Muhammad Usman. “Crosstalk Attacks and Defence in a Shared Quantum Computing Environment”. In: (2024). Version Number: 1.URL: https://arxiv.org/abs/2402.02753
Pith/arXiv arXiv 2024
-
[11]
Characterizing Crosstalk of Superconducting Transmon Processors
Andreas Ketterer and Thomas Wellens. “Characterizing Crosstalk of Superconducting Transmon Processors”. In:Physical Review Applied20.3 (2023), p. 034065. URL: https://arxiv.org/abs/2303.14103
Pith/arXiv arXiv 2023
-
[12]
SW AP Attack: Stealthy Side-Channel Attack on Multi-Tenant Quan- tum Cloud System
Wei Jie Bryan Lee, Siyi Wang, Suman Dutta, Walid El Maouaki, and Anupam Chattopadhyay. “SW AP Attack: Stealthy Side-Channel Attack on Multi-Tenant Quan- tum Cloud System”. In: (Feb. 2025). arXiv:2502.10115 [quant-ph].URL: http://arxiv.org/abs/2502.10115
Pith/arXiv arXiv 2025
-
[13]
Vulnerability of quantum classification to adversarial perturbations
Nana Liu and Peter Wittek. “Vulnerability of quantum classification to adversarial perturbations”. In:Physical Review A101.6 (June 2020), p. 062331.ISSN: 2469- 9926, 2469-9934.URL: https : / / link . aps . org / doi / 10 . 1103/PhysRevA.101.062331
2020
-
[14]
Quantum Leak: Timing Side-Channel Attacks on Cloud-Based Quantum Services
Chao Lu, Esha Telang, Aydin Aysu, and Kanad Basu. “Quantum Leak: Timing Side-Channel Attacks on Cloud-Based Quantum Services”. In: (Jan. 2024). arXiv:2401.01521 [cs].URL: http://arxiv.org/abs/2401. 01521
Pith/arXiv arXiv 2024
-
[15]
Quan- tum adversarial machine learning
Sirui Lu, Lu-Ming Duan, and Dong-Ling Deng. “Quan- tum adversarial machine learning”. In:Physical Review Research2.3 (Aug. 2020), p. 033212.ISSN: 2643- 1564.URL: https : / / link . aps . org / doi / 10 . 1103 / PhysRevResearch.2.033212
2020
-
[16]
Towards Deep Learning Models Resistant to Adversarial At- tacks
Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. “Towards Deep Learning Models Resistant to Adversarial At- tacks”. In: (Sept. 2019). arXiv:1706.06083.URL: http: //arxiv.org/abs/1706.06083
Pith/arXiv arXiv 2019
-
[17]
Software Mitigation of Crosstalk on Noisy Intermediate-Scale Quantum Com- puters
Prakash Murali, David C. McKay, Margaret Martonosi, and Ali Javadi-Abhari. “Software Mitigation of Crosstalk on Noisy Intermediate-Scale Quantum Com- puters”. In:Proceedings of the Twenty-Fifth Interna- tional Conference on Architectural Support for Pro- gramming Languages and Operating Systems. ASP- LOS ’20. Association for Computing Machinery, 2020, pp....
Pith/arXiv arXiv 2020
-
[18]
Data re-uploading for a universal quantum classifier
Adri’an P’erez-Salinas, Alba Cervera-Lierta, Elies Gil- Fuster, and Jos’e I. Latorre. “Data re-uploading for a universal quantum classifier”. In:Quantum4 (2020), p. 226.URL: https://quantum- journal.org/papers/q- 2020-02-06-226/
2020
-
[19]
Quantum Machine Learning: Exploring the Role of Data Encoding Techniques, Challenges, and Future Di- rections
Deepak Ranga, Aryan Rana, Sunil Prajapat, Pankaj Kumar, Kranti Kumar, and Athanasios V . Vasilakos. “Quantum Machine Learning: Exploring the Role of Data Encoding Techniques, Challenges, and Future Di- rections”. In:Mathematics12.21 (2024), p. 3318.URL: https://www.mdpi.com/2227-7390/12/21/3318
2024
-
[20]
Experimental quantum adversarial learning with programmable superconducting qubits
Wenhui Ren et al. “Experimental quantum adversarial learning with programmable superconducting qubits”. In:Nature Computational Science2.11 (Nov. 2022), pp. 711–717.ISSN: 2662-8457.URL: https : / / www . nature.com/articles/s43588-022-00351-9
2022
-
[21]
Quan- tum Quandaries: Unraveling Encoding Vulnerabili- ties in Quantum Neural Networks
Suryansh Upadhyay and Swaroop Ghosh. “Quan- tum Quandaries: Unraveling Encoding Vulnerabili- ties in Quantum Neural Networks”. In: (Feb. 2025). arXiv:2502.01486 [quant-ph].URL: http : / / arxiv. org / abs/2502.01486
Pith/arXiv arXiv 2025
-
[22]
A Comparative Analysis of Adversarial Ro- bustness for Quantum and Classical Machine Learning Models
Maximilian Wendlinger, Kilian Tscharke, and Pascal Debus. “A Comparative Analysis of Adversarial Ro- bustness for Quantum and Classical Machine Learning Models”. In:arXiv.org(Apr. 2024).URL: https://arxiv. org/abs/2404.16154v1
Pith/arXiv arXiv 2024
-
[23]
Benchmarking adversarially robust quantum machine learning at scale
Maxwell T. West, Sarah M. Erfani, Christopher Leckie, Martin Sevior, Lloyd C. L. Hollenberg, and Muhammad Usman. “Benchmarking adversarially robust quantum machine learning at scale”. In:Physical Review Re- search5.2 (June 2023). Publisher: American Physical Society, p. 023186.URL: https://link.aps.org/doi/10. 1103/PhysRevResearch.5.023186
2023
-
[24]
Explo- ration of Power Side-Channel Vulnerabilities in Quan- tum Computer Controllers
Chuanqi Xu, Ferhat Erata, and Jakub Szefer. “Explo- ration of Power Side-Channel Vulnerabilities in Quan- tum Computer Controllers”. In:Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security. Copenhagen Denmark: ACM, Nov. 2023, pp. 579–593.ISBN: 9798400700507.URL: https: //dl.acm.org/doi/10.1145/3576915.3623118
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.