Can Quantum Federated Learning Withstand Circuit-Level Backdoors?
Pith reviewed 2026-06-30 18:33 UTC · model grok-4.3
The pith
Even a single malicious client can drop quantum federated learning accuracy by up to 50% under FedAvg despite popular defenses.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The CULT model formalizes four stealthy attacks—Grover, Pauli, Bit-flip, and Sign-flip—that exploit quantum-aware mechanisms in variational circuit training. These attacks allow malicious clients to operate on in-training and post-training surfaces while remaining stealthy under standard smoothness assumptions. Experiments show that even one malicious client induces severe accuracy degradation under FedAvg aggregation on MNIST and CIFAR-10 with non-IID splits, and that defenses such as Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG fail to eliminate worst-case drops reaching 50 percent; malicious updates mask themselves by remaining close to benign norms.
What carries the argument
The CircUit-Level backdoor Threat (CULT) model that formalizes four stealthy attacks (Grover, Pauli, Bit-flip, Sign-flip) exploiting variational circuit training and measurement-driven gradients.
If this is right
- A single malicious client suffices to induce severe accuracy degradation under FedAvg aggregation.
- Popular defenses including Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG reduce degradation in many regimes but leave worst-case accuracy drops up to 50 percent.
- Malicious updates mask their presence by staying close to benign norms and thereby evade detection.
- Attacks can critically undermine the learning process by exploiting quantum mechanisms on both in-training and post-training surfaces.
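An added example, not taken from the paper or from Pith: Krum and Multi-Krum scoring (Blanchard et al., 2017) plus a median-norm check, run on constructed three-dimensional vectors that stand in for flattened circuit-parameter updates. It shows only what these filters see: the large-norm outlier is rejected, while an update sitting inside the benign spread is treated like an honest client. The vectors, `f=2`, `m=6` and `tol=0.25` are assumptions.

```python
# Added illustration (not the paper's code): how distance- and norm-based
# filters see client updates. All vectors below are constructed sample data.
import math
import statistics

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def krum_scores(updates, f):
    """Krum score: sum of squared distances to the n-f-2 nearest other updates."""
    k = len(updates) - f - 2
    if k < 1:
        raise ValueError("Krum needs at least f + 3 updates")
    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return scores

def krum_select(updates, f):
    """Index of the single update Krum would forward to the server."""
    scores = krum_scores(updates, f)
    return min(range(len(updates)), key=scores.__getitem__)

def multi_krum_keep(updates, f, m):
    """Indices of the m lowest-scoring updates that Multi-Krum averages."""
    scores = krum_scores(updates, f)
    return sorted(sorted(range(len(updates)), key=scores.__getitem__)[:m])

def norm_outliers(updates, tol):
    """Indices whose L2 norm deviates from the median norm by more than tol."""
    norms = [math.sqrt(sum(x * x for x in u)) for u in updates]
    med = statistics.median(norms)
    return [i for i, n in enumerate(norms) if abs(n - med) / med > tol]

# Constructed round: six benign updates spread around (1, 1, 1), indices 0-5.
BENIGN = [[1.2, 1, 1], [0.8, 1, 1], [1, 1.2, 1], [1, 0.8, 1], [1, 1, 1.2], [1, 1, 0.8]]
QUIET = [1, 1, 0.9]   # index 6: hypothetical update inside the benign spread
LOUD = [-3, -3, -3]   # index 7: hypothetical large-norm outlier
UPDATES = BENIGN + [QUIET, LOUD]

if __name__ == "__main__":
    print("Krum scores:", [round(s, 2) for s in krum_scores(UPDATES, f=2)])
    print("Krum selects index:", krum_select(UPDATES, f=2))
    print("Multi-Krum keeps:", multi_krum_keep(UPDATES, f=2, m=6))
    print("Norm outliers:", norm_outliers(UPDATES, tol=0.25))
```

On this constructed round Multi-Krum discards one honest client (index 4) along with the outlier, yet retains index 6, so a defender cannot rely on distance or norm alone to separate the two.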
Where Pith is reading between the lines
- Quantum federated learning may require entirely new defense designs that account for circuit-level manipulations rather than relying on classical aggregation filters.
- The stealth property under smoothness assumptions could apply to other variational quantum algorithms that share similar gradient structures.
- Deployments in high-stakes settings would benefit from client authentication mechanisms that operate before circuit parameters are exchanged.
- Testing CULT-style attacks against quantum-native aggregation rules could reveal whether the vulnerability is fundamental to the federated quantum setting.
Load-bearing premise
The proposed attacks remain stealthy under standard smoothness assumptions when malicious clients operate on both in-training and post-training surfaces.
What would settle it
An experiment in which one malicious client applying the four CULT attacks on MNIST non-IID data produces no more than 5 percent accuracy drop under FedAvg, or in which any of the five listed defenses fully restores performance to the benign baseline.
Original abstract
Quantum Federated Learning (QFL) inherits the core vulnerability of federated optimization to malicious clients, while also introducing an attack surface from variational circuit training and measurement-driven gradients. This work proposes a novel CircUit-Level backdoor Threat (CULT) model that formalizes four stealthy attacks by exploiting quantum-aware mechanisms, including Grover, Pauli, Bit-flip, and Sign-flip. By enabling malicious clients on both in-training and post-training surfaces, these attacks can critically undermine the learning process. We establish a rigorous theoretical foundation to demonstrate attack stealthiness under standard smoothness assumptions. Experiments on the MNIST and CIFAR-10 datasets with non-IID splits and varying fractions of malicious clients show that even a single malicious client can induce severe accuracy degradation under FedAvg aggregation. While popular defenses, including Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG, reduce degradation in many regimes, they fail to eliminate worst-case failure cases, where accuracy drops up to 50%. The experimental analysis further reveals that under the CULT model, malicious updates effectively mask their presence by staying close to benign norms, thereby helping attackers evade detection.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces the CULT model for circuit-level backdoor attacks in Quantum Federated Learning (QFL), formalizing four stealthy attacks (Grover, Pauli, Bit-flip, Sign-flip) that exploit variational circuit mechanisms on both in-training and post-training surfaces. It claims a rigorous theoretical foundation showing attack stealthiness under standard smoothness assumptions, and presents experiments on MNIST and CIFAR-10 (non-IID splits) demonstrating that a single malicious client under FedAvg can cause severe accuracy degradation (up to 50%), while defenses like Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG fail to eliminate worst-case failures. Malicious updates are said to mask their presence by staying close to benign norms.
Significance. If the attacks prove effective and stealthy in realistic QFL settings, the work would highlight important security vulnerabilities in an emerging area combining quantum computing and federated learning. The use of standard datasets with non-IID partitions and multiple defenses provides relevant empirical grounding; the theoretical component, if sound, would strengthen the claims beyond purely empirical observation.
major comments (1)
- [theoretical foundation / stealthiness argument] The theoretical foundation for stealthiness (malicious updates remaining close to benign norms under smoothness) relies on standard Lipschitz-gradient assumptions. However, variational quantum circuits on MNIST/CIFAR-10 routinely exhibit barren plateaus where gradient variance decays exponentially with qubit number, directly violating the uniform smoothness used to bound ||malicious - benign||. This undermines the masking effect and the conclusion that Krum/Multi-Krum etc. cannot eliminate 50% accuracy drops.
minor comments (1)
- [abstract / experimental section] The abstract states experiments use 'varying fractions of malicious clients' but provides no specific fractions, qubit counts, circuit depths, or aggregation details needed to reproduce the 50% drop claim.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on the theoretical aspects of our work. We address the major comment point by point below.
- Referee: The theoretical foundation for stealthiness (malicious updates remaining close to benign norms under smoothness) relies on standard Lipschitz-gradient assumptions. However, variational quantum circuits on MNIST/CIFAR-10 routinely exhibit barren plateaus where gradient variance decays exponentially with qubit number, directly violating the uniform smoothness used to bound ||malicious - benign||. This undermines the masking effect and the conclusion that Krum/Multi-Krum etc. cannot eliminate 50% accuracy drops.
  Authors: We appreciate the referee pointing out the potential incompatibility between standard smoothness assumptions and barren plateaus in variational quantum circuits. The theoretical analysis in Section 3 of the manuscript derives stealthiness bounds under the standard Lipschitz-gradient assumptions commonly employed in federated learning robustness literature. We acknowledge that barren plateaus, characterized by exponentially decaying gradient variance with qubit number, can violate uniform smoothness, which may limit the applicability of the derived bounds on ||malicious - benign|| distance. This is a substantive limitation for larger qubit regimes. However, our experiments employ modest circuit depths and qubit counts appropriate for the MNIST and CIFAR-10 tasks (as detailed in the experimental setup), where empirical measurements show malicious updates remain close to benign norms, consistent with the masking effect. The observed accuracy degradations and defense failures are thus supported by direct experimentation rather than solely by the theoretical bounds. We will revise the manuscript to include an explicit discussion of this caveat, clarifying the conditional nature of the theoretical results and their relation to barren plateaus.
  Revision: yes
Circularity Check
No circularity: claims rest on independent theory and experiments
The paper introduces a new attack model (CULT) with four explicit mechanisms, grounds stealthiness in standard Lipschitz/smoothness assumptions applied to the proposed malicious updates, and reports empirical degradation on MNIST/CIFAR-10 under FedAvg and several defenses. None of the load-bearing steps (attack formalization, theoretical bounds, or accuracy-drop measurements) reduce by construction to quantities defined from the authors' own fitted parameters, prior self-citations, or ansatzes smuggled via citation. The derivation chain is therefore self-contained against external benchmarks.