Pith. sign in

REVIEW 3 major objections 6 minor 24 references

A multi-stage kill-chain can reverse-engineer a quantum neural network on real trapped-ion hardware and then flip its predictions by timed crosstalk.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-12 03:10 UTC pith:66LGQHNN

load-bearing objection First real-hardware chaining of power-trace recon + constrained adversarial examples + timed ion-trap crosstalk on a QNN; the physical stage moves expectation vectors but does not deliver the promised accuracy drop. the 3 major comments →

arxiv 2607.03337 v1 pith:66LGQHNN submitted 2026-07-03 quant-ph

An End-to-End Multi-Stage Kill-Chain Attack on Quantum Neural Networks: Demonstration on Trapped-Ion Hardware

classification quant-ph
keywords quantum neural networkskill-chain attackpower side-channelcrosstalkadversarial examplestrapped ionsQaaS securityre-uploading encoding
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper shows that an attacker can chain side-channel reconnaissance, adversarial-example construction, and physical noise injection into a single campaign against a variational quantum classifier running on a real trapped-ion processor. Power-trace signatures (simulated from the pulse schedule) first identify the victim circuit’s qubit count, depth, and entangling pattern. That structural knowledge is then used to craft input perturbations that are restricted to the rotation axes the hardware can actually disturb via nearest-neighbour crosstalk. Finally the attacker places carefully timed single-qubit rotations on adjacent ions so that the resulting crosstalk approximates the intended adversarial perturbation. On the device the crosstalk configuration moves the measured expectation values closest to those of the analytically adversarial inputs, demonstrating that hardware-level effects can realise a classical-style evasion attack. The result matters because cloud quantum services already expose multi-tenant scheduling and pulse-level diagnostics; the work therefore supplies a concrete, end-to-end threat model rather than isolated vulnerabilities.

Core claim

An end-to-end multi-stage attack—power-trace architecture recovery, constrained projected-gradient adversarial examples, and timed neighbour RY crosstalk—can be executed against a trained re-uploading quantum neural network on real trapped-ion hardware, with the crosstalk configuration producing the smallest mean-absolute error to the adversarial hardware expectation vectors.

What carries the argument

The multi-stage kill-chain itself: reconnaissance yields a temporal map of the victim’s data-encoding RY gates; masked PGD then produces adversarial angles only on those RY components; a linear crosstalk model converts the required angle offsets into neighbour rotations that are scheduled at the recovered times.

Load-bearing premise

The reconnaissance stage rests entirely on a hand-crafted rectangular-pulse simulator whose amplitudes and fixed durations may not match the real laser-drive electronics of the device.

What would settle it

Capture genuine analogue power traces from the same trapped-ion controller while the victim circuit runs; if those traces no longer uniquely match the correct benchmark architecture, or if the subsequent crosstalk schedule fails to move the hardware expectation vectors closer to the adversarial ones, the claimed end-to-end chain collapses.

Watch this falsifier — get emailed when new claim-graph text bears on it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 6 minor

Summary. The manuscript presents a multi-stage kill-chain attack against a re-uploading variational QNN on AQT trapped-ion hardware. Stage 1 uses simulated power traces to identify the victim architecture among 24 benchmark circuits via timing filters and L2 distance. Stage 2 generates adversarial examples with (masked) PGD under white-box access, restricting perturbations to RY-encoded features to match hardware crosstalk constraints. Stage 3 schedules neighbor RY rotations timed to the inferred encoding gates, using a measured crosstalk factor f≈0.01, and evaluates the induced effect on 50 selected samples on AQT Ibex. Superconducting power-trace and Active SWAP experiments appear in the appendix. The authors claim an end-to-end demonstration that side-channel reconnaissance enables a physical crosstalk attack approximating adversarial examples, and discuss QaaS implications and mitigations.

Significance. Framing QML security as a multi-stage kill chain (reconnaissance → constrained adversarial construction → timed physical crosstalk) is a useful systems-level contribution beyond isolated attack papers. Demonstrating the pipeline on real trapped-ion hardware, with explicit mapping from input-space δ to neighbor RY schedules and measured crosstalk factors (Appendix B, Table IV), is novel and relevant to multi-tenant QaaS. The constrained-PGD construction and the honest reporting of hardware–simulator MAE gaps (Table IX) are strengths. If the final physical stage were shown to reliably degrade classification, the work would be a strong reference for hardware and cloud providers. As written, the significance is tempered by the fact that the decisive hardware result does not establish attack impact via accuracy or label flips.

major comments (3)
  1. Section V-C, Table VIII: On the 50 hardware samples the reported accuracies are clean=0.64, adversarial=0.56, crosstalk=0.68. The physical crosstalk schedule does not reduce accuracy relative to clean and is slightly better than clean; it therefore fails the standard definition of an adversarial example (inducing misclassification). The abstract and introduction claim an end-to-end attack that “realizes the adversarial perturbation on the device.” That claim is not supported by classification outcomes. Redefining success via the smallest MAE between hw_adv and hw_crosstalk expectation vectors (Table IX, 0.1236) shows that the induced state moves toward the adversarial hardware state, but does not establish that the kill-chain’s final stage achieves the stated attack goal. Either additional experiments that produce a clear accuracy drop / label-flip rate under the physical schedule, or a
  2. Section IV-D and V-A: The reconnaissance stage that supplies the timing map for gate placement rests entirely on a hand-crafted rectangular-pulse simulator (fixed 10 µs / 200 µs pulses, 2 µs idles, ad-hoc amplitude corrections {a_i}). No real AQT power traces are used. The L2 ranking that selects benchmark circuit 7 (and thereby the architecture and schedule) is therefore only as valid as this simulator. Because subsequent stages depend on that timing map, the manuscript should either (i) validate the simulator against real control electronics / published AQT pulse data, or (ii) clearly demote Stage 1 to a simulated reconnaissance assumption and state that the end-to-end hardware claim begins after architecture is known. As written, the “full attack chain on ion traps” overstates what was executed on the device.
  3. Section V-C / sample selection: The 50 hardware circuits are drawn from the 338/885 training samples for which masked PGD succeeded on the statevector surrogate (Table VII). Accuracies are then reported on hardware where even the clean inputs drop to 0.64. The paper notes the sim–hardware mismatch but still presents the pipeline as a successful end-to-end attack. A load-bearing revision is needed: report label-flip rates and confusion matrices for clean / adversarial / crosstalk on the same 50 samples (analogous to the superconducting confusion matrices in Fig. 11), and quantify how often crosstalk actually changes the argmax relative to clean hardware, not only MAE of expectation vectors.
minor comments (6)
  1. Table II threat model: “explicit timing information about the victim circuit is required” for the crosstalk stage; the text should state more clearly whether this timing is assumed known a priori or is claimed to be recovered from the (simulated) power-trace stage, and under what multi-tenant scheduling assumptions concurrent placement is realistic.
  2. Section IV-F: The uniform f_j=0.01 approximation is reasonable given Table IV, but the amplitude-saturation / gate-splitting rule (γ capped at π) should be checked for the largest |Δθ_i| that actually occur; a short histogram of required γ would help the reader assess how often multi-π sequences are needed.
  3. Figure 4 and PCA inverse: The visual adversarial examples are in the reconstructed 16×16 domain; a brief note that the attack itself operates in the 16-dimensional PCA feature space (not pixel space) would avoid confusion.
  4. Appendix A Active SWAP results (Table XIV): Individual CNOT disturbances raise accuracy (0.87, 0.88 vs 0.80 baseline) while the pair lowers it to 0.75. The discussion correctly cautions against over-interpretation; a one-sentence statement that this is not claimed as a reliable sabotage attack would align the appendix with the main-text caution.
  5. Notation: The expanded input dimension is written as R^48 and D=3·16 in IV-F, while the architecture description earlier uses 16 PCA features with three re-uploads; a single consistent symbol for the expanded encoding vector would improve readability.
  6. References: The kill-chain taxonomy is self-cited as [4]; for a journal audience, a short self-contained summary of the five stages (already present in III-A) is fine, but ensure the arXiv version of [4] is stable or cite the formal venue if available.

Circularity Check

1 steps flagged

Experimental kill-chain demonstration with no load-bearing circular derivation; only minor self-citation framing and a same-simulator recon consistency check.

specific steps
  1. other [Section IV-D and V-A (power-trace recon)]
    "Since real power traces from hardware are not available, we simulate the power traces as follows. ... Thus, benchmark circuit 7 has the smallest distance and is selected as the best match, confirming that it indeed corresponds to the victim QNN’s structure."

    Victim and all 24 benchmarks are scored inside the same ad-hoc pulse simulator (fixed 10 µs / 200 µs rectangular pulses, amplitudes from a fixed {a_i} vector). Timing equality already forces same qubit count and layer depth by construction of the simulator; L2 ranking then selects the matching entangling pattern among three remaining candidates. The ‘reconstruction’ is therefore a same-model consistency check, not an independent recovery of unknown structure from real side-channel data. Mild and non-load-bearing for the later hardware crosstalk stage.

full rationale

This is an empirical multi-stage attack demonstration, not a first-principles derivation paper. The central results (PGD success histograms, hardware accuracies in Table VIII, MAE matrix in Table IX, crosstalk bitstring counts in Appendix B) are measured outcomes, not quantities forced by definition or by a fitted constant renamed as a prediction. The crosstalk factor f_j is estimated once from AQT Ibex probe data and then frozen at 0.01 to schedule neighbor RY angles; that is ordinary experimental calibration, not a circular prediction of an independent observable. Self-citations to the authors’ kill-chain taxonomy [4] and the QML-ESA report [7] supply framing and extended appendices; they do not substitute for the hardware measurements that constitute the claim. The only mild circularity-adjacent point is Stage-1 power-trace reconnaissance: both victim and benchmark traces are generated by the same hand-crafted rectangular-pulse simulator (Section IV-D), so structural matching is largely a consistency check of that simulator rather than an independent side-channel recovery. That weakens the recon stage’s external force but does not make the end-to-end claim reduce by construction to its inputs. Overall circularity is negligible.

Axiom & Free-Parameter Ledger

3 free parameters · 4 axioms · 0 invented entities

The central empirical claim rests on a simulated power model, a linear crosstalk approximation fitted from one probe experiment, white-box gradient access, multi-tenant concurrent execution, and the assumption that virtual RZ gates produce zero physical disturbance. No new physical entities are postulated; free parameters are the usual attack hyperparameters plus the single fitted crosstalk scale.

free parameters (3)
  • crosstalk factor f_j = 0.01
    Set uniformly to 0.01 after measuring effective RY angles on neighbor ions in a separate probe experiment (Table IV); used to convert desired Delta theta into neighbor rotation angles gamma.
  • PGD epsilon schedule and alpha = alpha=0.01, eps increments 0.1
    Initial epsilon=0.1, step 0.1 up to 1.0, alpha=0.01, T=100 iterations; chosen by hand to search for minimal successful perturbations.
  • power-trace amplitude corrections {a_i} = {1,-1,2,3,0,-2,-3,0,-4,4}
    Ad-hoc vector {1,-1,2,3,0,-2,-3,0,-4,4} used to define single- and two-qubit scaling factors alpha_i and beta_ij in the simulated AQT power model.
axioms (4)
  • domain assumption Linear additive crosstalk: induced angle on a target equals sum of f_j * gamma_j over neighbors.
    Invoked in Section IV-F to translate input-space Delta theta into neighbor RY angles; not derived from first-principles ion-trap Hamiltonian.
  • domain assumption Virtual RZ gates produce zero physical pulse and therefore zero crosstalk.
    Stated for AQT Ibex; used to restrict adversarial mask to RY-encoded features only.
  • ad hoc to paper Attacker has white-box gradient access and can schedule concurrent circuits with precise timing knowledge of the victim.
    Threat-model Table II; required for both PGD and timed crosstalk placement.
  • ad hoc to paper Simulated rectangular power pulses with fixed 10 µs / 200 µs durations and 2 µs idles faithfully rank circuit architectures.
    Section IV-D; real traces unavailable, so all reconnaissance rests on this model.

pith-pipeline@v1.1.0-grok45 · 26599 in / 3050 out tokens · 28512 ms · 2026-07-12T03:10:49.614823+00:00 · methodology

0 comments
read the original abstract

We demonstrate an end-to-end, multi-stage attack against a quantum neural network (QNN) model that is executed on a trapped-ion quantum computer. Our chain combines side-channel reconnaissance, crosstalk characterization, adversarial example generation, and a physical crosstalk attack that realizes the adversarial perturbation on the device. We cover the full attack chain on ion traps and report the corresponding superconducting-hardware experiments in the appendix. We discuss implications for QaaS providers and hardware mitigations.

Figures

Figures reproduced from arXiv: 2607.03337 by Alexander Erhard, Arthur Schmidt, Cedric Br\"ugmann, Daniel Herr, Daniel Ohl de Mello, Fabian Petsch, Juris Ulmanis, Kilian Tscharke, Maximilian Wendlinger, Pascal Debus.

Figure 2
Figure 2. Figure 2: A conceptual overview of the re-upload encoding architecture from [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 1
Figure 1. Figure 1: An overview of the used dataset [22]. Shown are examples from the [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 3
Figure 3. Figure 3: Average highest and second highest Pauli- [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Overview of side-by-side visualizations of original (left) and ad [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Above Two samples with the largest mean absolute error. Below Two [PITH_FULL_IMAGE:figures/full_fig_p011_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Toy-CX test circuit: original (top) and after transpilation (bottom). For the first experiment, we use the pulse simulator to generate noise-free per-channel power traces. Given the toy circuit as described, the resulting power trace schedule is depicted in [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Per-Channel and Total Power Trace for Toy-CX Test Circuit [PITH_FULL_IMAGE:figures/full_fig_p014_8.png] view at source ↗
Figure 10
Figure 10. Figure 10: Bitstring distribution comparison between the uniform distribution [PITH_FULL_IMAGE:figures/full_fig_p015_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Confusion matrices for the baseline execution (top left), disturbances [PITH_FULL_IMAGE:figures/full_fig_p016_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: A conceptual overview of the victim circuit. [PITH_FULL_IMAGE:figures/full_fig_p016_12.png] view at source ↗
Figure 14
Figure 14. Figure 14: Power trace comparison of the victim QNN with Benchmark Circuits [PITH_FULL_IMAGE:figures/full_fig_p017_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: Benchmark Circuit 7: Entangling pattern r = N one [PITH_FULL_IMAGE:figures/full_fig_p017_15.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

24 extracted references · 11 linked inside Pith

  1. [1]

    Analysis of crosstalk in NISQ devices and security implications in multi-programming regime

    Abdullah Ash-Saki, Mahabubul Alam, and Swaroop Ghosh. “Analysis of crosstalk in NISQ devices and security implications in multi-programming regime”. In: Proceedings of the ACM/IEEE International Symposium on Low Power Electronics and Design. New York, NY , USA: Association for Computing Machinery, Aug. 2020, pp. 25–30.ISBN: 978-1-4503-7053-0.URL: https: /...

  2. [2]

    Training robust and generalizable quantum models

    Julian Berberich, Daniel Fink, Daniel Pranji ´c, Christian Tutschku, and Christian Holm. “Training robust and generalizable quantum models”. In: (2023). Version Number: 3.URL: https://arxiv.org/abs/2311.11871

  3. [3]

    Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers

    Navnil Choudhury, Chaithanya Naik Mude, Sanjay Das, Preetham Chandra Tikkireddi, Swamit Tannu, and Kanad Basu. “Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers”. In: (Dec. 2024). arXiv:2412.10507 [cs].URL: http://arxiv.org/abs/2412. 10507

  4. [4]

    Entangled Threats: A Unified Kill Chain Model for Quantum Machine Learning Security

    Pascal Debus, Maximilian Wendlinger, Kilian Tscharke, Daniel Herr, Cedric Brügmann, Daniel Ohl de Mello, Juris Ulmanis, Alexander Erhard, Arthur Schmidt, and Fabian Petsch. “Entangled Threats: A Unified Kill Chain Model for Quantum Machine Learning Security”. In: (July 2025).URL: https://arxiv.org/abs/2507.08623

  5. [5]

    Quantum noise protects quantum classifiers against adversaries

    Yuxuan Du, Min-Hsiu Hsieh, Tongliang Liu, Dacheng Tao, and Nana Liu. “Quantum noise protects quantum classifiers against adversaries”. In:Physical Review Research3.2 (May 2021). Publisher: American Physical Society, p. 023153.URL: https://link.aps.org/doi/10. 1103/PhysRevResearch.3.023153

  6. [6]

    Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Con- trollers

    Ferhat Erata, Chuanqi Xu, Ruzica Piskac, and Jakub Szefer. “Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Con- trollers”. In:IACR Transactions on Cryptographic Hardware and Embedded Systems2024.2 (Mar. 2024), pp. 735–768.URL: https://tches.iacr.org/index.php/ TCHES/article/view/11445

  7. [7]

    Federal Office for Information Security.QML-ESA – Advanced Security Analysis of Quantum Machine Learning. Tech. rep. Federal Office for Information Security (BSI), 2026.URL: https://www.bsi.bund.de/ DE/Service- Navi/Publikationen/Studien/QML/QML_ node.html (visited on 06/08/2026)

  8. [8]

    Crosstalk At- tack Resilient RNS Quantum Addition

    Bhaskar Gaur and Himanshu Thapliyal. “Crosstalk At- tack Resilient RNS Quantum Addition”. In:2025 IEEE International Symposium on Circuits and Systems (IS- CAS). 2025, pp. 1–5.URL: https://arxiv.org/abs/2410. 23217

  9. [9]

    Explaining and Harnessing Adversarial Ex- amples

    Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. “Explaining and Harnessing Adversarial Ex- amples”. In: (Mar. 2015). arXiv:1412.6572.URL: http: //arxiv.org/abs/1412.6572

  10. [10]

    Crosstalk Attacks and Defence in a Shared Quantum Computing Environment

    Benjamin Harper, Behnam Tonekaboni, Bahar Goldozian, Martin Sevior, and Muhammad Usman. “Crosstalk Attacks and Defence in a Shared Quantum Computing Environment”. In: (2024). Version Number: 1.URL: https://arxiv.org/abs/2402.02753

  11. [11]

    Characterizing Crosstalk of Superconducting Transmon Processors

    Andreas Ketterer and Thomas Wellens. “Characterizing Crosstalk of Superconducting Transmon Processors”. In:Physical Review Applied20.3 (2023), p. 034065. URL: https://arxiv.org/abs/2303.14103

  12. [12]

    SW AP Attack: Stealthy Side-Channel Attack on Multi-Tenant Quan- tum Cloud System

    Wei Jie Bryan Lee, Siyi Wang, Suman Dutta, Walid El Maouaki, and Anupam Chattopadhyay. “SW AP Attack: Stealthy Side-Channel Attack on Multi-Tenant Quan- tum Cloud System”. In: (Feb. 2025). arXiv:2502.10115 [quant-ph].URL: http://arxiv.org/abs/2502.10115

  13. [13]

    Vulnerability of quantum classification to adversarial perturbations

    Nana Liu and Peter Wittek. “Vulnerability of quantum classification to adversarial perturbations”. In:Physical Review A101.6 (June 2020), p. 062331.ISSN: 2469- 9926, 2469-9934.URL: https : / / link . aps . org / doi / 10 . 1103/PhysRevA.101.062331

  14. [14]

    Quantum Leak: Timing Side-Channel Attacks on Cloud-Based Quantum Services

    Chao Lu, Esha Telang, Aydin Aysu, and Kanad Basu. “Quantum Leak: Timing Side-Channel Attacks on Cloud-Based Quantum Services”. In: (Jan. 2024). arXiv:2401.01521 [cs].URL: http://arxiv.org/abs/2401. 01521

  15. [15]

    Quan- tum adversarial machine learning

    Sirui Lu, Lu-Ming Duan, and Dong-Ling Deng. “Quan- tum adversarial machine learning”. In:Physical Review Research2.3 (Aug. 2020), p. 033212.ISSN: 2643- 1564.URL: https : / / link . aps . org / doi / 10 . 1103 / PhysRevResearch.2.033212

  16. [16]

    Towards Deep Learning Models Resistant to Adversarial At- tacks

    Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. “Towards Deep Learning Models Resistant to Adversarial At- tacks”. In: (Sept. 2019). arXiv:1706.06083.URL: http: //arxiv.org/abs/1706.06083

  17. [17]

    Software Mitigation of Crosstalk on Noisy Intermediate-Scale Quantum Com- puters

    Prakash Murali, David C. McKay, Margaret Martonosi, and Ali Javadi-Abhari. “Software Mitigation of Crosstalk on Noisy Intermediate-Scale Quantum Com- puters”. In:Proceedings of the Twenty-Fifth Interna- tional Conference on Architectural Support for Pro- gramming Languages and Operating Systems. ASP- LOS ’20. Association for Computing Machinery, 2020, pp....

  18. [18]

    Data re-uploading for a universal quantum classifier

    Adri’an P’erez-Salinas, Alba Cervera-Lierta, Elies Gil- Fuster, and Jos’e I. Latorre. “Data re-uploading for a universal quantum classifier”. In:Quantum4 (2020), p. 226.URL: https://quantum- journal.org/papers/q- 2020-02-06-226/

  19. [19]

    Quantum Machine Learning: Exploring the Role of Data Encoding Techniques, Challenges, and Future Di- rections

    Deepak Ranga, Aryan Rana, Sunil Prajapat, Pankaj Kumar, Kranti Kumar, and Athanasios V . Vasilakos. “Quantum Machine Learning: Exploring the Role of Data Encoding Techniques, Challenges, and Future Di- rections”. In:Mathematics12.21 (2024), p. 3318.URL: https://www.mdpi.com/2227-7390/12/21/3318

  20. [20]

    Experimental quantum adversarial learning with programmable superconducting qubits

    Wenhui Ren et al. “Experimental quantum adversarial learning with programmable superconducting qubits”. In:Nature Computational Science2.11 (Nov. 2022), pp. 711–717.ISSN: 2662-8457.URL: https : / / www . nature.com/articles/s43588-022-00351-9

  21. [21]

    Quan- tum Quandaries: Unraveling Encoding Vulnerabili- ties in Quantum Neural Networks

    Suryansh Upadhyay and Swaroop Ghosh. “Quan- tum Quandaries: Unraveling Encoding Vulnerabili- ties in Quantum Neural Networks”. In: (Feb. 2025). arXiv:2502.01486 [quant-ph].URL: http : / / arxiv. org / abs/2502.01486

  22. [22]

    A Comparative Analysis of Adversarial Ro- bustness for Quantum and Classical Machine Learning Models

    Maximilian Wendlinger, Kilian Tscharke, and Pascal Debus. “A Comparative Analysis of Adversarial Ro- bustness for Quantum and Classical Machine Learning Models”. In:arXiv.org(Apr. 2024).URL: https://arxiv. org/abs/2404.16154v1

  23. [23]

    Benchmarking adversarially robust quantum machine learning at scale

    Maxwell T. West, Sarah M. Erfani, Christopher Leckie, Martin Sevior, Lloyd C. L. Hollenberg, and Muhammad Usman. “Benchmarking adversarially robust quantum machine learning at scale”. In:Physical Review Re- search5.2 (June 2023). Publisher: American Physical Society, p. 023186.URL: https://link.aps.org/doi/10. 1103/PhysRevResearch.5.023186

  24. [24]

    Explo- ration of Power Side-Channel Vulnerabilities in Quan- tum Computer Controllers

    Chuanqi Xu, Ferhat Erata, and Jakub Szefer. “Explo- ration of Power Side-Channel Vulnerabilities in Quan- tum Computer Controllers”. In:Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security. Copenhagen Denmark: ACM, Nov. 2023, pp. 579–593.ISBN: 9798400700507.URL: https: //dl.acm.org/doi/10.1145/3576915.3623118