Securing Quantum Computing on Untrusted Hardware
In a paper published in the journal Frontiers in Computer Science, researchers tackled security and reliability challenges in quantum computing by modeling adversarial tampering and its effects on both quantum and hybrid workloads.
The team proposed a novel equitable shot distribution method across trusted and untrusted hardware, achieving improvements of up to 30X and 1.5X for quantum workloads and 5X for hybrid workloads. Additionally, they introduced a runtime shot distribution heuristic designed to detect tampered hardware, which led to even greater performance gains, with up to 190X and 9X improvements for quantum workloads and 2.5X for hybrid workloads.
Related Work
Previous research has explored foundational aspects of quantum computing, such as qubits, quantum gates, and error sources, as well as hybrid algorithms like the Quantum Approximate Optimization Algorithm (QAOA). Quantum error sources, including noise, decoherence, and cross-talk, significantly affect performance, resulting in variable outcomes.
Several studies have also tackled security concerns, focusing on issues like tampered hardware and malicious attacks. Proposed solutions include test points, diverse mappings, and quantum physically unclonable functions (PUFs). However, the ongoing challenge lies in ensuring trustworthy computation across both reliable and untrusted quantum hardware.
Quantum Tampering Vulnerabilities.
The proposed attack model targets quantum hardware accessed through cloud services, with the aim of tampering with computational results that could have significant financial or socio-political consequences. This model assumes scenarios where untrusted third-party vendors provide access to quantum computers, whether through reliable systems like future offerings from International Business Machines (IBM) or untrusted hardware at lower costs. In both cases, adversaries can manipulate outcomes, leaving users unaware of the tampering due to the inability to verify the correct solution.
Rather than directly altering the quantum circuit, adversaries can subtly tamper with measured results, avoiding suspicion. They analyze the program’s results, identify which qubit lines to target, and introduce bit-flip errors during measurement, skewing the solution toward sub-optimal outcomes. These manipulations can be masked as normal system errors, such as readout assignment errors.
The study explores two primary tampering models: random tampering and targeted tampering. In random tampering, errors are introduced indiscriminately without focusing on specific qubits, reducing the probability of obtaining the most likely solution. In contrast, targeted tampering strategically alters specific qubit lines to manipulate the output. Both methods effectively disguise the tampering as common measurement errors, making detection difficult.
The model was evaluated using various quantum workloads, including pure quantum tasks and hybrid quantum-classical algorithms like the QAOA, which is used for solving combinatorial problems. Simulations were conducted on both IBM’s real and simulated quantum hardware to demonstrate the effects of tampering. The performance was assessed using metrics such as performance metric (PM) and total variation distance (TVD), which quantify the extent of tampering by comparing the correct and erroneous output probabilities before and after the attack.
Tampering Impact Analysis
The simulation results revealed notable differences between random and targeted tampering. In experiments using the Fake-Montreal backend, random tampering introduced bit-flip errors across all qubits, while targeted tampering focused specifically on qubit q1.
The targeted approach led to a more pronounced reduction in PM, with an 80 % decrease for minimal tampering compared to a 75 % reduction for random tampering. At a tampering coefficient (t) of 0.5, PM for all programs dropped below 1, indicating that accurate results could no longer be inferred. TVD was also significantly higher for both types of tampering, with targeted tampering proving more effective at degrading system performance.
The impact of tampering on hardware performance was further analyzed by varying the tampering coefficient across different benchmarks and hardware configurations. A clear pattern emerged: as tampering increased, PM dropped significantly while TVD rose. For example, at t = 0.1, PM decreased by roughly 65 % on average, accompanied by an increase in TVD. This trend was consistent across various fake backends, all of which failed to converge correctly at t = 0.5. Moreover, the number of shots influenced the impact of tampering— even with 10,000 shots, tampered setups failed to converge, especially in programs involving larger qubit systems.
Two defense strategies were proposed to counteract tampering: equal shot distribution and adaptive shot distribution. Equal shot distribution involves splitting the total number of shots evenly between trusted and untrusted hardware to mitigate the effects of tampering. Adaptive shot distribution begins with a small number of shots to assess the reliability of the hardware, followed by allocating the majority of shots to the most reliable system.
Simulations showed that both strategies significantly improved performance metrics. A 50-50 shot split led to notable improvements in PM and reductions in TVD. The adaptive method further enhanced the performance of hybrid quantum-classical algorithms, such as the QAOA, by leveraging reliable hardware for optimization and parameter tuning.
Conclusion
In summary, the paper proposed an adversarial attack model targeting less reliable third-party quantum hardware. The attack resulted in a 0.12X reduction in PM, a 7X increase in TVD for minimally tampered quantum systems, and a 0.8X reduction in AR for quantum-classical workloads. However, distributing shots across multiple hardware platforms improved PM by 30X, reduced TVD by 0.25X for pure quantum workloads, and enhanced AR by up to 1.5X. These heuristics effectively mitigated tampering and increased the resilience of quantum programs.
Journal Reference
Upadhyay, S., & Ghosh, S. (2024). Trustworthy and reliable computing using untrusted and unreliable quantum hardware. Frontiers in Computer Science, 6, 1431788. DOI:10.3389/fcomp.2024.1431788, https://www.frontiersin.org/journals/computer-science/articles/10.3389/fcomp.2024.1431788/full
link