
arxiv: 2605.27416 · v1 · pith:WDD7ZBOMnew · submitted 2026-05-18 · 🪐 quant-ph · cs.AI · cs.DC · cs.LG

Can Quantum Federated Learning Withstand Circuit-Level Backdoors?

Pith reviewed 2026-06-30 18:33 UTC · model grok-4.3

classification: 🪐 quant-ph · cs.AI · cs.DC · cs.LG
keywords: quantum federated learning, backdoor attacks, circuit-level threats, malicious clients, FedAvg aggregation, defense mechanisms, variational quantum circuits, non-IID data

The pith

Even a single malicious client can drop quantum federated learning accuracy by up to 50% under FedAvg despite popular defenses.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that quantum federated learning inherits and amplifies vulnerabilities from classical federated setups through new attack surfaces in variational circuits and measurement gradients. It introduces the CULT model to define four quantum-specific backdoor attacks that malicious clients can launch on both training and post-training phases. Experiments demonstrate that these attacks cause major accuracy loss even with one bad client and that existing defenses only partially mitigate the damage. This matters for anyone building distributed quantum machine learning systems because it shows how circuit-level exploits can evade detection while staying close to normal update patterns. The work uses MNIST and CIFAR-10 with non-IID data to ground the claims in concrete degradation levels.

Core claim

The CULT model formalizes four stealthy attacks—Grover, Pauli, Bit-flip, and Sign-flip—that exploit quantum-aware mechanisms in variational circuit training. These attacks allow malicious clients to operate on in-training and post-training surfaces while remaining stealthy under standard smoothness assumptions. Experiments show that even one malicious client induces severe accuracy degradation under FedAvg aggregation on MNIST and CIFAR-10 with non-IID splits, and that defenses such as Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG fail to eliminate worst-case drops reaching 50 percent; malicious updates mask themselves by remaining close to benign norms.

What carries the argument

The CircUit-Level backdoor Threat (CULT) model that formalizes four stealthy attacks (Grover, Pauli, Bit-flip, Sign-flip) exploiting variational circuit training and measurement-driven gradients.

If this is right

  • A single malicious client suffices to induce severe accuracy degradation under FedAvg aggregation.
  • Popular defenses including Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG reduce degradation in many regimes but leave worst-case accuracy drops up to 50 percent.
  • Malicious updates mask their presence by staying close to benign norms and thereby evade detection.
  • Attacks can critically undermine the learning process by exploiting quantum mechanisms on both in-training and post-training surfaces.
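To make the aggregation rules named above concrete, here is an added example (not code from the paper or from the Pith pipeline) implementing plain FedAvg, Krum, Multi-Krum and a simple server-side norm screen in pure Python, run over a constructed set of client updates. The client vectors, the Byzantine budget f, the Multi-Krum selection count m and the screening ratio are all assumptions chosen for the demonstration; the point shown is that distance- and norm-based rules remove a flagrant outlier that FedAvg would absorb, which is exactly the class of defense the page says a norm-close update can slip past.

```python
import math
from typing import List, Sequence

Vector = List[float]


def fed_avg(updates: Sequence[Vector]) -> Vector:
    """FedAvg with equal client weights: coordinate-wise mean of all updates."""
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]


def l2_norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def l2_dist(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def krum_scores(updates: Sequence[Vector], f: int) -> List[float]:
    """Krum score per update: sum of squared distances to its n - f - 2 nearest peers.
    Requires n > 2f + 2 so that at least one peer is counted."""
    n = len(updates)
    k = n - f - 2
    if k < 1:
        raise ValueError("Krum needs n > 2f + 2 clients")
    scores = []
    for i, u in enumerate(updates):
        d2 = sorted(l2_dist(u, v) ** 2 for j, v in enumerate(updates) if j != i)
        scores.append(sum(d2[:k]))
    return scores


def krum(updates: Sequence[Vector], f: int) -> int:
    """Index of the single update Krum selects (lowest score)."""
    scores = krum_scores(updates, f)
    return min(range(len(updates)), key=scores.__getitem__)


def multi_krum(updates: Sequence[Vector], f: int, m: int) -> Vector:
    """Multi-Krum: average of the m lowest-scoring updates."""
    scores = krum_scores(updates, f)
    chosen = sorted(range(len(updates)), key=scores.__getitem__)[:m]
    return fed_avg([updates[i] for i in chosen])


def norm_screen(updates: Sequence[Vector], max_ratio: float) -> List[int]:
    """Server-side norm screening (assumed rule): flag indices whose L2 norm
    exceeds max_ratio times the median update norm."""
    norms = sorted(l2_norm(u) for u in updates)
    mid = len(norms) // 2
    median = norms[mid] if len(norms) % 2 else (norms[mid - 1] + norms[mid]) / 2
    return [i for i, u in enumerate(updates) if l2_norm(u) > max_ratio * median]


# Constructed demo data: four benign clients near [1, 1, 1, 1] and one flagrant outlier.
BENIGN = [
    [1.0, 1.0, 1.0, 1.0],
    [1.1, 0.9, 1.0, 1.0],
    [0.9, 1.1, 1.0, 1.0],
    [1.0, 1.0, 1.1, 0.9],
]
OUTLIER = [50.0, -50.0, 50.0, -50.0]
UPDATES = BENIGN + [OUTLIER]


def demo() -> dict:
    """Run every aggregation rule over the constructed updates and return the results."""
    return {
        "fedavg": fed_avg(UPDATES),                       # pulled far from the benign mean
        "krum_pick": krum(UPDATES, f=1),                  # index of a benign client
        "multi_krum": multi_krum(UPDATES, f=1, m=3),      # close to [1, 1, 1, 1]
        "flagged_by_norm": norm_screen(UPDATES, max_ratio=3.0),  # [4], the outlier
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both Krum and the norm screen only see geometry: an update whose norm and distance to its peers sit inside the benign spread receives an ordinary score and passes, which is why the worst-case drops reported above survive these aggregators.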

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Quantum federated learning may require entirely new defense designs that account for circuit-level manipulations rather than relying on classical aggregation filters.
  • The stealth property under smoothness assumptions could apply to other variational quantum algorithms that share similar gradient structures.
  • Deployments in high-stakes settings would benefit from client authentication mechanisms that operate before circuit parameters are exchanged.
  • Testing CULT-style attacks against quantum-native aggregation rules could reveal whether the vulnerability is fundamental to the federated quantum setting.

Load-bearing premise

The proposed attacks remain stealthy under standard smoothness assumptions when malicious clients operate on both in-training and post-training surfaces.

What would settle it

An experiment in which one malicious client applying the four CULT attacks on MNIST non-IID data produces no more than 5 percent accuracy drop under FedAvg, or in which any of the five listed defenses fully restores performance to the benign baseline.

Figures

Figures reproduced from arXiv: 2605.27416 by Aakar Mathur, Ashish Gupta, Mohammed Ruknuddin.

Figure 1: A simplistic view of the proposed attacks (Grover, Pauli, Bit-flip, and Sign-flip) under the CULT model. A QFL server coordinates …
Figure 2: Accuracy at varying poisoning ratios.
Figure 3: Attacks performance on MNIST against defenses.
Figure 5: Accuracy drop heatmap (with q = 0%) for MNIST.
Figure 7: Accuracy variance across the defenses, demonstrating the …

Original abstract

Quantum Federated Learning (QFL) inherits the core vulnerability of federated optimization to malicious clients, while also introducing an attack surface from variational circuit training and measurement-driven gradients. This work proposes a novel CircUit-Level backdoor Threat (CULT) model that formalizes four stealthy attacks by exploiting quantum-aware mechanisms, including Grover, Pauli, Bit-flip, and Sign-flip. By enabling malicious clients on both in-training and post-training surfaces, these attacks can critically undermine the learning process. We establish a rigorous theoretical foundation to demonstrate attack stealthiness under standard smoothness assumptions. Experiments on the MNIST and CIFAR-10 datasets with non-IID splits and varying fractions of malicious clients show that even a single malicious client can induce severe accuracy degradation under FedAvg aggregation. While popular defenses, including Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG, reduce degradation in many regimes, they fail to eliminate worst-case failure cases, where accuracy drops up to 50%. The experimental analysis further reveals that under the CULT model, malicious updates effectively mask their presence by staying close to benign norms, thereby helping attackers evade detection.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper introduces the CULT model for circuit-level backdoor attacks in Quantum Federated Learning (QFL), formalizing four stealthy attacks (Grover, Pauli, Bit-flip, Sign-flip) that exploit variational circuit mechanisms on both in-training and post-training surfaces. It claims a rigorous theoretical foundation showing attack stealthiness under standard smoothness assumptions, and presents experiments on MNIST and CIFAR-10 (non-IID splits) demonstrating that a single malicious client under FedAvg can cause severe accuracy degradation (up to 50%), while defenses like Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG fail to eliminate worst-case failures. Malicious updates are said to mask their presence by staying close to benign norms.

Significance. If the attacks prove effective and stealthy in realistic QFL settings, the work would highlight important security vulnerabilities in an emerging area combining quantum computing and federated learning. The use of standard datasets with non-IID partitions and multiple defenses provides relevant empirical grounding; the theoretical component, if sound, would strengthen the claims beyond purely empirical observation.

Major comments (1)
  1. [theoretical foundation / stealthiness argument] The theoretical foundation for stealthiness (malicious updates remaining close to benign norms under smoothness) relies on standard Lipschitz-gradient assumptions. However, variational quantum circuits on MNIST/CIFAR-10 routinely exhibit barren plateaus where gradient variance decays exponentially with qubit number, directly violating the uniform smoothness used to bound ||malicious - benign||. This undermines the masking effect and the conclusion that Krum/Multi-Krum etc. cannot eliminate 50% accuracy drops.
Minor comments (1)
  1. [abstract / experimental section] The abstract states experiments use 'varying fractions of malicious clients' but provides no specific fractions, qubit counts, circuit depths, or aggregation details needed to reproduce the 50% drop claim.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback on the theoretical aspects of our work. We address the major comment point by point below.

Point-by-point responses
  1. Referee: The theoretical foundation for stealthiness (malicious updates remaining close to benign norms under smoothness) relies on standard Lipschitz-gradient assumptions. However, variational quantum circuits on MNIST/CIFAR-10 routinely exhibit barren plateaus where gradient variance decays exponentially with qubit number, directly violating the uniform smoothness used to bound ||malicious - benign||. This undermines the masking effect and the conclusion that Krum/Multi-Krum etc. cannot eliminate 50% accuracy drops.

    Authors: We appreciate the referee pointing out the potential incompatibility between standard smoothness assumptions and barren plateaus in variational quantum circuits. The theoretical analysis in Section 3 of the manuscript derives stealthiness bounds under the standard Lipschitz-gradient assumptions commonly employed in federated learning robustness literature. We acknowledge that barren plateaus, characterized by exponentially decaying gradient variance with qubit number, can violate uniform smoothness, which may limit the applicability of the derived bounds on ||malicious - benign|| distance. This is a substantive limitation for larger qubit regimes. However, our experiments employ modest circuit depths and qubit counts appropriate for the MNIST and CIFAR-10 tasks (as detailed in the experimental setup), where empirical measurements show malicious updates remain close to benign norms, consistent with the masking effect. The observed accuracy degradations and defense failures are thus supported by direct experimentation rather than solely by the theoretical bounds. We will revise the manuscript to include an explicit discussion of this caveat, clarifying the conditional nature of the theoretical results and their relation to barren plateaus. revision: yes

Circularity Check

0 steps flagged

No circularity: claims rest on independent theory and experiments

Full rationale

The paper introduces a new attack model (CULT) with four explicit mechanisms, grounds stealthiness in standard Lipschitz/smoothness assumptions applied to the proposed malicious updates, and reports empirical degradation on MNIST/CIFAR-10 under FedAvg and several defenses. None of the load-bearing steps (attack formalization, theoretical bounds, or accuracy-drop measurements) reduce by construction to quantities defined from the authors' own fitted parameters, prior self-citations, or ansatzes smuggled via citation. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no concrete free parameters, axioms, or invented entities; the model itself is the main new construct.

pith-pipeline@v0.9.1-grok · 5743 in / 943 out tokens · 20508 ms · 2026-06-30T18:33:34.774473+00:00 · methodology

