A Primer on Security of Quantum Computing

Many attempts have been made to build efficient classical circuits for elementary arithmetic operations  [45].  When the number of qubits in a quantum circuit is unimportant, it is simple to convert an efficient classical circuit into an efficient quantum circuit. A depth-efficient or size-efficient classical circuit can be converted to a depth-efficient or size-efficient quantum circuit by replacing a classical operation in the classical circuit with a corresponding quantum (in fact, classical reversible) operation.

There are a finite number of qubits in current quantum devices. Additionally, they experience numerous noises (decoherence, gate errors, measurement errors, crosstalk, etc). Due to these limitations, the current quantum machines are not completely equipped to carry out quantum algorithms (like Shor’s factorization or Grover’s search) that demand large orders of error correction. However, algorithms such as, QAOA promises to achieve quantum advantage with near-term machines because they are based on a variational principle that does not necessitate error correction  [46]. The basic concept of VQE  [47] is that the computed energy of the ground (lowest energy) state of a quantum chemical system decreases as the approximations to the solution improve, asymptotically approaching the true value from above. The output is a marginally improved approximation, with the input being a tentative estimate of the solution. The output is then used as a guess for the following iteration, and with each cycle, it gets closer to the right answer. The issue is broken down into a number of more manageable pieces that can each be estimated separately in VQE, with the sum of all outputs corresponding to the desired approximation of the solution. Until a heuristic stopping criteria is satisfied, which is typically similar to crossing an energy threshold, the procedure is repeated. Combinatorial optimization problems are addressed with QAOA  [48] [49] that uses classical optimization of quantum operations to optimize an objective function. The algorithm begins with a sequence of setup and measurement trials before being optimized by a conventional computer, similar to the VQE algorithm. The resulting quantum state after sampling provides close or exact solutions to the computation.

A traditional Quantum Neural Network (QNN) is made up of a data encoding circuit, a parameterised quantum circuit (PQC), and measurement operations that can be trained to perform traditional Machine Learning (ML) tasks like classification, regression, and distribution generation. There are numerous encoding methods available in the literature  [50]. Angle encoding is the most widely used encoding scheme in which a continuous variable input classical feature is encoded as a rotation of a qubit along the desired axis. Thus, ’n’ qubits are required to encode ’n’ classical features. Using sequential rotations, we can also encode multiple continuous variables in a single qubit. The PQC is made up of two parts: entangling operations and parameterized single-qubit rotations. Entanglement operations are a set of multi-qubit operations performed between all of the qubits to generate correlated states. A classical optimizer iteratively optimises the parameters to achieve the desired input-output relationship. A PQC is used by a quantum processor to prepare a quantum state. A classical optimizer is then fed an output distribution generated by repeatedly measuring the quantum state. Based on the output distribution, the classical computer generates a new set of optimised parameters for the PQC, which is then fed back to the quantum computer. The entire procedure continues in a closed loop until a traditional optimization target is met. This combination of entangling and single-qubit rotation operations is known as a parametric layer in QNN. To evaluate the efficacy of various PQC options, descriptors such as, expressive power, entanglement capability, effective dimension, and so on have been proposed [51].

When cooled to extremely low temperatures, superconductors allow an electrical current to pass without any resistance. Superconducting qubits are fabricated by connecting a capacitor and a superconducting Josephson Junction (JJ) in parallel. The JJ (that acts as a non-linear inductor) requires ultra-low temperature for it to operate in the superconducting regime. Thus, superconducting qubits are usually hosted inside large dilution refrigerators. The present state of play for superconducting qubits is thoroughly summarized in Ref.  [52]. Google, Rigetti, IMEC, BBN Technologies, Intel, and IBM  [53] are notable companies pursuing research in superconducting quantum computing  [52].

Energy levels of electrons in neutral atoms or ions can also be used to realize a qubit. In their natural state, these electrons occupy the lowest possible energy levels. Using lasers, we can “excite” them to a higher energy level and can assign the qubit values based on their energy state. Trapped ion QC system are implemented by trapping ionized atoms like Yb or Ca between electrodes using electromagnetic field  [54]. Data $\ket{0}$ and $\ket{1}$ are encoded as internal states such as, hyper-fine or Zeeman states of the ions. Qubits are stored in stable electronic states of each ion, and quantum information can be transferred through the collective quantized motion of the ions in a shared trap (interacting through the Coulomb force). IonQ, Honeywell, Alpine Quantum Technologies, and Universal Quantum are notable companies pursuing research on trapped ion quantum computing. TI systems typically employ a single trap design, which has significant scaling issues. A modular design known as the Quantum Charge Coupled Device (QCCD) has been proposed [55] to advance toward the next significant milestone of 50–100 qubit TI devices.

Controlling the spin of charge carriers (electrons and electron holes) in semiconductor devices can also be used to implement a Qubit [56]. Most quantum particles behave like little magnets. This trait is known as spin, the spin orientation is always either fully up or fully down. A spin qubit is created by combining these two states. Local depletion of two-dimensional electron vapors in semiconductors such as gallium arsenide, silicon, and germanium has been used to create spin qubits. Some reports also show implementation in graphene [57].

Quantum computing relies on the stability of qubits to perform computations. However, the fragile nature of qubits makes them susceptible to errors, which can impact their performance and reliability. The lifetime of a qubit is directly related to its coherence time, which is the length of time that the quantum state of a qubit remains coherent and stable. In superconducting qubits, for example, the coherence time is influenced by the quality of the superconducting material, the temperature of the environment, and the presence of any magnetic fields. In trapped ion qubits, the coherence time is influenced by the trapping potential, the laser power and stability, and the presence of any stray electric or magnetic fields. The storage of information in qubits can be disrupted by spontaneous losses called decoherence. This occurs when a qubit, for instance, in state $\ket{1}$, interacts with its surroundings and loses energy, leading to a state $\ket{0}$. This process is referred to as relaxation. Another form of qubit state loss is dephasing, where a qubit loses its phase information. Both relaxation and dephasing can be quantified by T1 and T2 times, respectively.

Quantum gates and measurement operations on qubits can also be erroneous. These are referred to as gate error and measurement/readout error, respectively. An incorrect logical output of a quantum gate may result from readout error, while measurement error can flip a qubit state, e.g. recording a 0 as a 1 or vice versa. The severity of gate and readout error can be measured by the gate error rate and measurement error rate, respectively. Crosstalk is another source of error in quantum devices, causing increased gate error in parallel gate operations. It is important to note that all forms of errors, including decoherence, gate error, measurement error, and crosstalk, are subject to temporal variation. Adversaries can launch Fault-injection attacks by manipulating the interaction between qubits leveraging crosstalk.

Due to the limited capacity of the traps, TI qubits require multiple traps to hold large number of qubits. As such, shuttle operations are required to move ions from one trap to another if a gate operation is required betwen qubits from two different traps. However, shuttle operations increase the vibration energy of the trap and degrade the fidelity of gate operation. Adversaries can exploit this vulnerability to inject faults by purposefully increasing the frequency of shuttles in a shared computing environment.

One of the major vulnerabilities in superconducting qubits is crosstalk which refers to the unintended interactions between qubits due to their close proximity. These interactions can lead to errors and affect the performance of the qubits, which can be leveraged by an adversary to launch a fault injection attack in MTC environment. Another vulnerability in superconducting qubits is their limited connectivity. Qubits can only interact with their nearest neighbors, which limits the number of qubits that can be used in a quantum computation. A SWAP gate is added by the compiler to meet the coupling constraints. An adversary may enforce more number of SWAP gates (since they contain sequence of 3 CNOT gates) in the victim’s circuit.

Crosstalk refers to the unintended transfer of quantum information between two or more quantum bits (qubits) in a quantum circuit. It occurs when the interactions between the qubits interfere with each other, causing information to leak from one qubit to another. A study by Sarovar et al.[58] outlines various sources of classical crosstalk in Transmon-based quantum computers, such as, electromagnetic crosstalk between microwave lines and stray on-chip electromagnetic fields. It can arise from various sources, such as, the interaction of qubits through mutual capacitive coupling or the use of shared control lines. In another study, the authors in[27] demonstrated the effects of magnetic flux control fields used to operate qubits on unaddressed qubits. Crosstalk is a major challenge in the design and implementation of large-scale quantum circuits. The study in [59] demonstrated that existing works on error resilience prioritizing only the gate error do not adequately capture NISQ behavior, and that incorporating crosstalk in quantum circuit simulation improved accuracy and established crosstalk as a common source of error in NISQ devices. Fig. 7 depicts one such example of how crosstalk can affect circuit output by introducing errors. The final state should be the initial state with no gates applied to qubits Q0 and Q2, but due to crosstalk from gate operation on qubit Q1, we observe errors in the measured output states of Q0 and Q2. In a multi-tenant computing (MTC) environment, where multiple quantum programs are executed simultaneously on different physical qubits, crosstalk can be a significant issue. Fault-injection attacks can be launched by manipulating the interactions between qubits. The main objective of these attacks is to introduce errors into the computation.

In quantum computing, hardware variability refers to variations in performance of different quantum devices, such as, differing gate error rates and decoherence times. These variations arise from various sources including fabrication processes, environmental conditions, and device-to-device differences. The hardware variability can affect the performance and stability of quantum computers, resulting in errors and fluctuations in qubit parameters that can impact the accuracy of quantum algorithms. To mitigate the impact of hardware variability in quantum computing, researchers are investigating advanced error correction techniques and mitigation strategies. These methods include encoding a logical qubit with multiple physical qubits, real-time correction of qubits, and implementing robust fabrication processes to reduce variability in the qubits. However, hardware variability creates opportunities for scheduler attacks. An adversary could allocate inferior quantum hardware to a user instead of the desired hardware. This type of attack, known as a scheduler attack, can be executed by exploiting the lack of transparency in the allocation process of quantum resources.

Quantum computers are predominantly cloud-based, and users typically do not have direct control over the physical environment. Despite the trustworthiness of the cloud provider or a lack of incentives for spying on users, malicious insiders or other attackers may use side-channels to extract information about algorithms executed on these computers. While the superconducting qubits themselves are isolated in a cryogenic refrigerator, an adversary can target the controller electronics instead. In superconducting qubit machines from IBM, Rigetti, or other providers, RF pulses are utilized to execute gate operations on single qubits or two-qubit pairs. These control pulses are classical and vulnerable to potential eavesdropping. IBM Quantum provides pulse information through Qiskit APIs for each of their target quantum computers. Using this pulse information, one can calculate per-channel and total power traces. If an attacker has physical access to the quantum computers, they can use power traces to reverse engineer the sequence of quantum gates executed on the computer, ultimately recovering the algorithm implemented.

One of the biggest challenges in building practical quantum computers is the management of qubit interactions, also known as coupling constraint. In superconducting systems, the qubits are implemented using superconducting circuits, and the interaction between qubits is mediated by a coupler, which typically consists of a microwave resonator. The distance between the qubits and the strength of the coupler determine the interaction between qubits. Due to the limited strength of the coupler, direct interaction between qubits is often not possible. The limited connectivity prevents 2 qubit gates between any two arbitrary qubits. For superconducting systems a compiler needs to add SWAP operations to satisfy the coupling constraint. Fig. 8a shows the coupling graph of an IBM quantum computer where we cannot perform a CNOT (CX) gate directly between Q1 and Q4 as they are not connected. One option is to SWAP Q1 and Q2 so that the data of Q1 moves to Q2. Now, the CX can be applied between Q2 and Q4 as they are connected. A SWAP operation includes 3 CX gates (when translated to the native instructions of the device) which increases the run-time of the quantum program and the gate count that negatively affects the circuit performance due to qubit lifetime and gate error. Adversary can exploit this vulnerability in MTC environment by occupying qubits strategically and forcing more SWAP gates in victim’s program.

In trapped ion systems, qubits are implemented using ions trapped in a linear or planar trap. The physical separation of the ions makes direct interactions difficult. A compiler adds shuttle operations to a quantum program to satisfy the inter-trap communication, however, the shuttle operation increases program execution time and degrades quantum gate fidelity (usually defined as the complement of the error rate). A lower gate fidelity will introduce more errors in the output and can completely decimate the result. The shuttle operation involves several steps as shown in Fig. 8c. For example, gate MS q[0], q[1] utilizes ions from trap T0 and can be performed without the need for additional operations. Conversely, executing the gate MS q[2], q[3] requires ions from two different traps, necessitating a shuttle operation to bring them together. During the shuttle operation, ion-2 is separated from Chain-0, transported from T0 to T1, and subsequently merged with Chain-1. The energy required for the shuttle operation can result in reduced gate fidelity, underscoring the importance of minimizing the number of shuttle operations required. In a multi-tenant computing (MTC) environment, security issues can arise due to qubits from an adversary’s program potentially spanning over multiple traps and sharing a trap with qubits from a victim’s program. The adversary can exploit this by designing their program to require frequent shuttles between traps, which can add energy to an ion and increase the ion-chain’s energy. This can result in degraded reliability of computation, characterized by reduced gate fidelity.

Problem encoding refers to the process of mapping a classical computational problem onto a quantum circuit. This is a crucial step in quantum computing as it determines how the problem will be solved using quantum algorithms. However, the construction of a quantum circuit can reveal sensitive information about the problem, making it vulnerable to security threats. The construction of a quantum circuit can reveal sensitive information about the problem. For example a combinatorial problem MaxCut which involves dividing a graph into two parts so that the maximum number of edges is cut can be formulated using the spin-glass/Ising model. Fig. 6 shows the QAOA circuit for the problem graph in Fig. 6. Here, each edge in the graph is represented by a CNOT-rotation-CNOT gate in the circuit. Therefore, one can infer the problem graph just by studying the circuit. Besides MaxCut, many Quadratic Unconstrained Binary Optimization (QUBO) problems fall under this category.

Quantum computing necessitates specialized resources such as, low temperature [60, 61] and high vacuum all of which are currently in short supply, preventing it from becoming a personal commodity. As a result, cloud-based access to quantum computers (hosted in a remote location) is the logical next step. This allows users to interact with quantum computers remotely, eliminating the need for physical access to these complex and expensive systems. To access cloud-based quantum computers, users typically log in to a web interface that provides a secure connection to a remote quantum computer. From there, users can write and run quantum algorithms, perform quantum simulations, and execute quantum programs using quantum computers in the cloud. Currently, IBM, Google, Microsoft, Qutech, QC Ware and AWS Braket are some of the top vendors that provide access to quantum hardware (both superconducting and Trapped Ion qubits) to the users over cloud. However, the use of cloud-based quantum computing also poses some challenges. These include the need for high-speed, low-latency networks to ensure seamless access, as well as the need for robust security measures to protect sensitive data during transmission and storage. For example, a malicious entity on the cloud-end can assign an inferior hardware [40] or report incorrect error-rates [41] (discussed in Section LABEL:sec:attack-models as “scheduler attacks”). Besides, a rogue element in the cloud can steal the structure and/or the output of a quantum program which can be intellectual properties (IPs).

The optimization of the circuit for enhanced circuit depth and reduced gate count is an important part of quantum circuit compilation. Several third-party compilers are emerging that offer optimization at faster compilation times even for large quantum circuits[62, 63]. The following considerations may prompt quantum circuit designers to utilize untrusted third-party compilation services: (a) Optimized quantum circuits: it is crucial to have well-optimized quantum circuits. If a circuit is not optimized, it may produce random outputs even if it is functionally correct. (b) Limited availability of trusted compilers: there may be a shortage of trusted compilers that have kept up with the latest optimization advancements. (c) The emergence of efficient untrusted third-party compilers: there is a growing number of untrusted third-party compilers [43, 62, 63], that are being developed to optimize depth and gate count more effectively than trusted compilers. (d) Cost savings: utilizing an untrusted compiler may offer cost savings compared to using a trusted compiler, which could be particularly appealing for individuals or organizations with limited budgets. (e) Faster turnaround times: using an untrusted compiler may result in faster turnaround times, as some untrusted compilers may have more resources or a more streamlined process compared to trusted compilers.

Despite the potential benefits of utilizing untrusted third-party compilers, it is important to weigh the risks and consider the security implications, as well as the reliability and accuracy of the results produced by the optimized circuits. These compilers can be hosted on either the local machines by the $3^{rd}$ party or on the cloud service providers to launch, (i) cloning/counterfeiting, where the quantum circuit can be stolen or reproduced; and (ii) Reverse Engineering (RE), where the sensitive aspects of the quantum circuit could be extracted.

Consumers have the option of utilizing quantum hardware through cloud services. However, high cost, and long wait times may necessitate the use of emerging/untrusted/less-trusted/unreliable quantum hardware providers. The prices charged by AWS Braket, IBM, and Google Cloud ranges from $\$$0.35 to $\$$1.60, based on the qubit count, for a runtime of 1 millisecond per shot which is expensive. To factor a 2048 bit product of two primes, for example, a quantum computer will need approximately 25 billion operations in 14238 logical qubits [64], which equals 432 billion qubit-seconds. Along with high cost, quantum computers often results in lengthy wait times. For IBM Quantum systems, [65] reports that only about 20$\%$ of total circuits have ideal queuing times of less than a minute. The average wait time is about 60 minutes. Furthermore, more than 30$\%$ of the jobs have queuing times of more than 2 hours, and 10$\%$ of the jobs are queued for as long as a day or longer! As the quantum computing ecosystem continues to advance, it is likely that there will be an emergence of third-party service providers that can potentially offer better performance. This may attract users to these services. For instance, there are third-party compilers, such as Orquestra [23] and tKet [22], that are now available and can support hardware from multiple vendors. Baidu, a major Chinese internet company, has recently unveiled an “all-platform quantum hardware-software integration solution” called “Liang Xi” [44], which offers access to various quantum chips via mobile app, PC, and cloud. This solution provides flexible quantum services through private deployment, cloud services, and hardware access, and it can also connect to other third-party quantum computers. These trends can result in a dependence on third-party compilers, hardware suites, and service providers that may not be as reliable or secure as some trusted alternatives.

Adversarial attacks pose a security vulnerability for classical machine learning algorithms, and the same is true for quantum hybrid-classical algorithms. Reported adversarial attacks [25] involve manipulation/tampering of the input parameters or the quantum state preparation to bias the optimization away from the optimized solution. In variational algorithms like QAOA, problem-specific parametric quantum circuits are designed to solve specific problems, and the circuit’s topology can be considered as IP or an asset. For instance, in applications like power grid or critical infrastructure optimization, the client may want to maintain confidentiality about problem information. However, with the rise of third-party service providers offering higher performance and the scaling trend of NISQ computers, there is an increased risk of IP infringement.

Quantum machine learning (QML) is an emerging field that aims to develop quantum algorithms to perform conventional generative/discriminative machine learning tasks (e.g., classification, regression, etc.) [3, 66, 67, 68]. However, the security of QML systems is still an area of active research and development, and there are several potential vulnerabilities that need to be addressed. The work in [69] revealed that the training landscape in parameterized quantum circuits might have vanishing gradients. These locations of vanishing gradients are referred to as $barren~{}plateaus$ in the literature. Once stuck in a $barren~{}plateau$, gradient-based optimization methods (e.g., stochastic gradient descent) may not be able to move further to train the network. In [70], the authors showed that quantum-noise could also induce $barren~{}plateaus$ in the PQC training landscape. In [42], the authors demonstrated that the temporal variation in quantum-noise can affect the reliability of a quantum classifier. In [71], The authors showed that a minimal alteration in the input data can result in incorrect classification by a trained quantum classifier. As the amount of alteration needed decreases with increased dimension, even a small perturbation is enough to produce misclassification in high-dimensional quantum classifiers. An adversary can exploit these performance bottlenecks or vulnerabilities to attack QML applications.

Crosstalk refers to the unintended interaction between two or more qubits in a quantum computer which can result in errors during computation. These errors can arise from environmental noise or from deliberate attacks by adversaries. Crosstalk can be especially concerning in a multi-tenant computing (MTC) environment, where multiple quantum programs may be executed simultaneously on different sets of physical qubits. MTC is economically attractive as it maximizes hardware resource utilization and profitability. Fault-injection attacks can be launched by manipulating the interactions between qubits with the aim of introducing errors into the computation. Such attacks can have substantial socio-economic consequences, for example, a deterministic fault in a weather forecast or an optimal power grid topology calculation could provide an undue financial or political advantage to an adversary.

After extracting the error-rates experimentally, the authors present a crosstalk modeling analysis framework for near-term quantum computers in [24]. Their analysis reveals that crosstalk can be of the same order as gate error, which is considered a dominant error in NISQ devices. They also propose adversarial fault injection using crosstalk in a MTC environment where the victim and adversary share the same quantum hardware. The attack model from [24] assumes that the adversary can run his/her program on the same hardware as one or more victim programs. A conceptual diagram of fault-injection is shown in Fig. 9. It is assumed that the adversary, (i) will know the public information e.g., coupling map of the hardware; (ii) may also be aware of the crosstalk values between various qubits by running crosstalk characterization experiments such as, idle tomography and simultaneous randomized benchmarking on the qubits before the attack; (iii) can request to run several copies of small quantum circuits so that he can control the maximum number of remaining qubits after the victim’s qubits are allocated. The authors demonstrated the attack using both simulation and experiments. They picked a 3-qubit Grover search as the victim program and repeated CNOT drive as the adversary program. The results, collected from ibmq_5_yorktown (ibmqx2) a Canary processor, (Fig. 9) show that the correct output probability of the Grover search falls drastically (i.e., becomes indistinguishable) after a certain number of CNOTs in the adversary circuit.

In [30], the authors present an attack on MTC systems in trapped-ion (TI) computing. The attack exploits a new vulnerability in terms of shuttle operations between traps. An overview of the attack model is provided in Fig. 10b-d. The scenario is such that two users are submitting their quantum programs to a quantum cloud, with User 1’s program having 2 qubits and User 2’s program having 6 qubits. In order to maximize resource utilization, the cloud schedules multiple programs on the same hardware which is commonly practiced in commercial quantum clouds such as Rigetti’s Quantum Cloud Service. However, this approach can create security issues as qubits from the adversary’s program may span over multiple traps and share a trap with qubits from the victim’s program. For example, adversary and victim qubits share Trap–$1$ (T$1$). The adversary can design their program to require computation between ions from different traps which will require frequent shuttles between traps. This repeated shuttling can add energy to an ion and increase the ion-chain’s energy, resulting in degraded reliability of computation (i.e., reduced gate fidelity). As the victim qubits share a chain with the adversary qubits, they also suffer from this shuttle-induced degradation in gate fidelity.

The authors note that while the premise of the attack seems simple, there are architectural policies in place to curb shuttling, making the attack challenging. The attack involves designing a program that can trick these policies and enforce repeated shuttles, and can be launched in either a white-box setup where the attacker has prior knowledge of the policies, or in a black-box setup where no prior information is known.

The Hadamard gate-based QuPUF uses the biasing of the probability of the qubits towards either 0 state or 1 state to generate the response. The reason for such biasing could be gate error (usually small for single-qubit gates) or readout error (typically large). At the start, all the qubit states are initialized to a zero state. They are then put in a superposition state using the Hadamard gate, and then the qubits are measured. Ideally, the output should be 50% probability for both the states. But that won’t be the actual case due to the errors and would be biased towards either 1 state or 0 state which would act as a unique device signature.

The decoherence-based QuPUF relies on the decoherence times of the qubits to give unique output. The qubits are initialized to 0 state and then flipped to 1 state using a not gate. The qubits are then allowed to decohere down from 1 state to 0 state by the use of idle gates, which do no operation and simply pass time. In other words, the qubits are excited to a higher state and allowed to decohere down to 0 state. The decoherence of qubits will effectively act as the unique device signature.

As mentioned in Section III-D, the quantum circuit can be an IP. In [35], the authors proposed adding dummy gates in a circuit to obfuscate the circuit from an untrusted compiler. The objective is to hide the true functionality of the circuit from the untrusted compiler. The adversary needs to identify and remove the dummy gates from an obfuscated circuit to extract the original circuit. This is a computationally hard problem since any gate can be a potential dummy gate. Any attempt to reuse the circuit without removing the dummy gates will result in corrupted or severely degraded performance. Fig. 17 conceptually shows the idea with a quantum circuit. The original circuit is divided into layers first. Then, inside each layer possible dummy SWAP insertion locations are identified. For example, if a layer has 3 free qubits, there are $\binom{3}{2}=3$ choices for dummy SWAP gates. Therefore, there can be numerous SWAP insertion locations. However, only one dummy SWAP will be inserted in the original circuit and sent to the untrusted compiler. The aim is to insert a dummy SWAP that will cause significant degradation in the output. The authors first ran exhaustive simulations with a set of test circuits and studied the impact of dummy SWAP insertion at each possible location. From the study, they developed a heuristic to find out an optimal SWAP insertion location. The heuristic tracks several features such as, the number of control qubits in the path from the SWAP to a measure qubit and calculates a score for the position. On the basis of the score, the optimal SWAP candidate is selected.

In [38], the authors propose inserting a small random circuit into the original circuit for obfuscation, which is then sent to the untrusted compiler. Since the circuit function is corrupted, the adversary (i.e., untrusted compiler) may obtain incorrect IP. However, to avoid incorrect output post-compilation, the authors concatenate the inverse of the random circuit in the compiled circuit to recover the original functionality. They measure the quality of obfuscation using the Total Variation Distance (TVD) metric. The proposed method achieves TVD of up to 1.92 and introduces minimal degradation in fidelity ($\approx 1\%to\approx 3\%$).

In a study by Saki et al. [36], the authors address the security and privacy concerns associated with third-party compilers and quantum intellectual properties (IPs). The authors propose a split compilation methodology as a solution to secure quantum IPs from untrusted compilers while still utilizing their optimizations. The methodology involves splitting a quantum circuit into multiple parts, which can either be sent to a single compiler at different times or to multiple compilers. By dividing the circuit in this manner, the adversary only has access to partial information. The sub-circuits will be unscrambled and stitched by the designer post-compilation. Fig 18 exemplifies the proposed idea.

In the study, the authors conducted an analysis of over 152 quantum circuits on three IBM hardware architectures. The results showed that the split compilation methodology can secure IPs effectively when multiple compilers are used, or can introduce a factorial time reconstruction complexity while incurring a modest overhead (approximately 3% to 6% on average). The methodology involves splitting the quantum circuit into one or more sub-circuits prior to compilation.

A proposed quantum circuit watermarking approach has been presented in the work [78], to detect illegal distribution of quantum circuits/IP infringement. The goal of the approach is to embed a signature in the form of additional gates or modified control parameters that is hard to remove using optimization approaches, while maintaining a high output state fidelity. The approach is based on the unitary gate decomposition of complex operations, and uses a distance metric to guide the error injection for embedding a signature into the quantum circuit. The impact of the proposed watermarking approach on the performance, gate count, and accuracy of the quantum circuit was analyzed. The integrity of the quantum circuit watermark against removal attacks is also reported. To evaluate the effectiveness of the proposed approach, a Quantum Approximate Optimization Algorithm (QAOA) was used to solve a Max-Cut problem.

In study [79], the authors suggest that new methods need to be developed to identify malicious circuits before they can be executed on quantum computers. To defend against fault injection attacks using crosstalk, they propose the implementation of a compile-time technique to scan quantum computer programs for potentially malicious or suspicious code patterns. The research(still ongoing) shows that the malicious circuits can take the form of sequences of CNOT gates interleaved with delay gates or a combination of interleaved gates like Pauli X and Y gates. Meanwhile, pure delay gates or I and Z gates do not induce crosstalk errors. Further, pure sequence of CNOT gates is optimized away, so it does not induce crosstalk errors in the victim circuit. The former patterns that can be malicious could be used as the initial set of virus patterns that should be detected by the antivirus during the transpilation process. They propose extending the current Qiskit framework for quantum computer programming with antivirus and pattern matching features. This can be done by developing an algorithm to count the occurrences of malicious patterns in the quantum circuit and using a database of such patterns to scan user code. For instance, when a low value of K is found, which refers to the number of CNOT gates followed by a delay, it is unlikely that the circuit is malicious. However, if the count is higher than 5 or 10, it may be considered potentially malicious.

In [30], the authors examine an attack on multi-programming systems in trapped-ion (TI) computing. To counter this attack, several countermeasures are proposed; a) Random initial mapping: the authors examine malicious program creation methods that are based on consistent initial mapping, meaning the same program is allocated in the same fashion every time it is run. To counter this, they propose a solution where the compiler randomly allocates each program at each iteration. If a random attack is carried out and the initial mapping changes randomly from one instance to another, the attack program generated at one instance will not work effectively in another instance with a different mapping. The random mapping renders the systematic method useless, as traps will start from unknown states. b) Dummy pad qubits: to protect the program, users can add dummy qubits to pad the unused qubits in a trap, preventing shuttle-induced fidelity degradation. As an example, suppose a user program requires 10 qubits and it is to be executed on a system with a trap capacity of 15 qubits. In this scenario, the user can add 5 dummy qubits to the program, bringing its size to 15 qubits and fully occupying the trap. c) Capping maximum number of allowed shuttles: the authors propose that the cloud provider can implement a maximum limit on the number of shuttles. The cloud provider can examine the required number of shuttles in a program and schedule separate execution if it exceeds the limit. This switch to single-programming mode may result in decreased throughput.