Backdoor Threats in Variational Quantum Circuits: Taxonomy, Attacks, and Defenses

This paper presents a comprehensive survey of backdoor threats in variational quantum circuits, systematically categorizing attack mechanisms across data, compiler, and quantum-native levels while analyzing current detection and defense strategies to outline future challenges for securing hybrid quantum-classical systems.

The Gist

Imagine you are building a complex machine using a set of pre-made, high-tech blueprints. These blueprints are called Variational Quantum Circuits (VQCs). They are the "brains" used in modern quantum computing to solve tricky problems, like figuring out how molecules interact or optimizing a financial portfolio. Because these machines are hard to build from scratch, people often download these blueprints from the internet or use pre-trained versions provided by others.

This paper is a warning label and a safety manual. It explains how bad actors can sneak a hidden "trap" into these blueprints. This trap is called a backdoor.

Here is the breakdown of the paper's findings using simple analogies:

1. The Core Problem: The "Sleeping Saboteur"

Think of a VQC like a smart thermostat. Under normal conditions, it works perfectly, keeping your house at the right temperature (this is the benign performance).

However, a backdoor attack is like a saboteur who secretly rewires the thermostat.

• Normal Mode: When you set the temperature to 70°F, it works fine. You can't tell the difference between a safe thermostat and a hacked one.
• Trigger Mode: The saboteur adds a secret code. If you whisper a specific phrase (the trigger) or if the power grid fluctuates in a specific way, the thermostat suddenly decides to blast the heat to 100°F or freeze the pipes.

In the quantum world, this "blast to 100°F" might mean the computer gives you the wrong answer for a scientific calculation or forces a financial algorithm to make a bad trade.

2. The Three Ways the Trap is Hidden

The paper categorizes how these traps are installed into three distinct methods, moving from "old school" to "high-tech quantum tricks."

A. The "Poisoned Recipe" (Data Poisoning)

• The Analogy: Imagine a chef teaching a student to cook. The student learns by tasting dishes. The saboteur slips a tiny, invisible amount of a weird spice into 5–10% of the ingredients.
• How it works: The student (the quantum circuit) learns to cook the dish perfectly unless that weird spice is present. If the spice is there, the dish tastes terrible or changes color.
• The Flaw: This method is fragile. If you change the cooking pot (the compiler) or if the kitchen is a bit noisy (quantum noise), the spice might get washed away or the trick stops working. It mostly works for simple tasks like sorting pictures, not complex math.

B. The "Tampered Blueprint" (Compiler-Level Attacks)

• The Analogy: Imagine you give a builder a clean, perfect blueprint. The builder takes it to a translation office (the compiler) to convert it into a language the construction crew understands. The saboteur is the translator.
• How it works: The blueprint looks perfect on your desk. But when the translator processes it, they sneak in a hidden instruction that only appears in the final construction plan. The builder never sees the trap; only the final machine has it.
• The Flaw: This is harder to catch because the original blueprint looks innocent. However, it usually only works for specific types of construction projects and might break if you use a different translation service.

C. The "Environment-Sensitive Ghost" (Quantum-Native Attacks)

• The Analogy: This is the most sophisticated trap. Imagine a ghost that only appears when the wind blows from the North and the temperature is exactly 42 degrees.
• How it works: Instead of changing the ingredients or the blueprint, the saboteur tweaks the machine's internal settings (parameters) so that it behaves normally 99% of the time. But, if the machine runs on a specific type of hardware with a specific kind of "static noise" (common in today's quantum computers), the trap activates.
• The Twist: The paper highlights that these attacks can even trick the machine's own "safety filters" (called Zero-Noise Extrapolation). It's like a ghost that hides inside the safety net itself, making the machine think it's safe when it's actually broken.

3. Why Current Defenses Are Failing

The paper reviews the current "security guards" trying to catch these saboteurs, and it says they are mostly looking in the wrong places.

• Guard 1 (QSentry): This guard looks at the output. If the thermostat suddenly blows hot air, the guard sounds an alarm.
  • Why it fails: The new "Ghost" traps don't blow hot air unless the specific wind conditions are met. If the guard isn't standing in that specific wind, they see nothing.
• Guard 2 (TrojanNet): This guard looks at the blueprint structure. They check if extra wires were added.
  • Why it fails: The "Ghost" traps don't add extra wires; they just tweak the settings of existing wires. The blueprint looks perfectly normal, so the guard lets it pass.

4. The Future: A Cat-and-Mouse Game

The paper concludes that as quantum computers get better, the traps will get smarter.

• The Future Threat: Attackers will create traps that adapt to the specific hardware they are running on, changing their behavior based on the "noise" of the machine.
• The Future Defense: We can't just look at the blueprint or the output. We need a "system-wide" security check that understands how the quantum machine, the software, and the physical hardware interact. We need to test the machine under many different "weather conditions" (noise levels) to see if the ghost appears.

Summary

This paper warns us that relying on pre-made quantum circuits is risky. Bad actors can hide traps that look like normal circuits until a specific secret condition is met. While we have some ways to catch simple traps, the new, sophisticated quantum traps are currently invisible to our standard security tools. We need to develop new, "quantum-aware" security systems to protect these machines before they are used for critical real-world tasks.

Technical Summary

Technical Summary: Backdoor Threats in Variational Quantum Circuits

Problem Statement

Variational Quantum Algorithms (VQAs) represent a leading paradigm for achieving quantum advantage on Noisy Intermediate-Scale Quantum (NISQ) devices. However, the practical deployment of VQAs relies heavily on predesigned and pretrained Variational Quantum Circuits (VQCs), often sourced from third parties or shared repositories. This reliance introduces critical security vulnerabilities, specifically backdoor attacks.

Unlike classical machine learning, where backdoors are often triggered by input perturbations, VQCs face unique threats due to their hybrid quantum-classical nature, dependence on specific hardware noise profiles, and the prevalence of parameter transfer strategies. These attacks embed hidden malicious behaviors that remain dormant under normal operating conditions but activate upon specific triggers, leading to adversarial outcomes such as incorrect classification labels, manipulated objective values in optimization tasks (e.g., VQE, QAOA), or distorted scientific simulation results. The stealthy nature of these attacks undermines trust in shared models and poses significant risks to safety-critical applications and collaborative quantum ecosystems.

Methodology and Taxonomy

This paper presents a structured survey and taxonomy of backdoor threats in VQCs, categorizing existing and emerging attacks into three primary domains based on the mechanism of insertion and activation:

1. Classical Neural Network-like Backdoors (Data Poisoning)

These attacks mirror classical backdoor strategies, where adversaries inject poisoned samples with specific input triggers into the training dataset.

• Mechanism: The VQC is optimized using a composite loss function ($L_{VQC} = L_{benign} + \lambda L_{mal}$) to maintain high performance on clean data while producing attacker-specified outputs when triggers are present.
• Limitations: These approaches typically require high poisoning rates (5–10%), are limited primarily to classification tasks, and lack quantum-specific design. They are highly fragile; compilation, transpilation, and quantum noise often distort or eliminate the trigger, rendering the attack ineffective in real-world NISQ environments.

2. Compilation-Enabled Backdoors

These attacks target the quantum compilation layer (e.g., Qiskit toolchains) rather than the training data.

• Mechanism: Adversaries manipulate the compilation process (transpilation, gate decomposition, synthesis) to inject malicious operations or alter circuit structures. Notable frameworks include QTrojan (injecting gates around encoding layers), QuPT (leveraging gate-level properties), and QDoor (exploiting discrepancies between pre- and post-compilation circuits).
• Characteristics: These attacks offer high stealth because the high-level circuit specification remains unchanged, evading pre-deployment verification. The backdoor is embedded in the executable circuit and can be conditionally triggered at runtime or remain always-on. However, their effectiveness is often tied to specific compilation strategies and hardware mappings.

3. Quantum-Native Backdoors

These attacks exploit intrinsic properties of quantum systems, such as parameter landscapes, noise characteristics, and error mitigation procedures.

• Mechanism: A representative approach involves noise-triggered parameter transfer. Instead of data poisoning, adversaries manipulate the parameter initialization or training configurations to embed malicious behavior directly into the parameter space.
• Activation: The backdoor is activated only under specific hardware-dependent conditions, such as particular noise profiles, qubit connectivity, or during the execution of error mitigation techniques like Zero-Noise Extrapolation (ZNE).
• Impact: By perturbing circuit parameters, the attack can bias the ZNE extrapolation process, leading to distorted objective values and incorrect optimization outcomes. These attacks are robust against compilation and transpilation because the malicious behavior is encoded in the parameters rather than the circuit structure.

Key Contributions

The paper synthesizes recent advances to provide a comprehensive overview of the security landscape for VQCs:

• Formal Terminology: The authors define key terms including Benign VQC, Backdoored VQC, Trigger, Attack Success Rate (ASR), and Stealthiness, establishing a unified vocabulary for the field.
• Threat Modeling: The survey characterizes threats across three dimensions: attacker goals (stealthy misbehavior), capabilities (control over data, compilation, or runtime), and scenarios (third-party datasets, platforms, and pretrained models).
• Critical Analysis of Defenses: The paper evaluates current detection and defense strategies, highlighting their limitations:
  • QSentry: An output-based detection framework that clusters measurement statistics. It is effective for input-triggered attacks but fails against attacks that preserve output distributions or target optimization objectives.
  • TrojanNet: A structure-based detection framework using CNNs to identify anomalous circuit patterns. It is ineffective against backdoors that preserve circuit topology (e.g., parameter-level manipulations).
  • General Limitation: Existing defenses largely rely on classical signatures (input triggers or structural anomalies) and are insufficient against quantum-native threats that exploit noise, parameter landscapes, or error mitigation.

Results and Findings

The survey reviews representative studies (summarized in Table 1) demonstrating that:

• Data poisoning attacks can achieve high ASR (>97%) in controlled settings but suffer from low robustness in practical NISQ workflows due to compilation and noise.
• Compiler-level attacks successfully bypass data-centric defenses but are often constrained to specific workflows and classification tasks.
• Quantum-native attacks (e.g., those targeting ZNE) represent a more potent threat model, capable of manipulating optimization outcomes in VQE and QAOA without data poisoning, while remaining robust to compilation and stealthy under standard validation.

Significance and Future Directions

The paper argues that as VQAs move toward practical deployment, security must evolve from classical-inspired defenses to quantum-aware, system-level approaches.

• Emerging Threats: Future attacks are expected to become increasingly adaptive, responding dynamically to hardware conditions (noise levels, calibration drift) and targeting the entire hybrid quantum-classical stack.
• Defense Requirements: Effective defenses must move beyond isolated detection layers. The authors propose a holistic framework incorporating multi-level analysis, including circuit structure inspection, parameter-space auditing, and runtime behavior monitoring under diverse noise conditions.
• Conclusion: Securing VQCs remains an open research challenge. The paper emphasizes that protecting these systems requires addressing the unique interplay between quantum algorithms, compilation processes, and error mitigation techniques, rather than relying solely on traditional machine learning security paradigms.