QTrojan: A Circuit Backdoor Against Quantum Neural Networks ^††thanks: This work was supported in part by NSF CCF-1908992, CCF1909509, CCF-2105972, and NSF CAREER award CNS-2143120.

Due to the high cost of NISQ computers, average users typically run QNNs via quantum cloud services, as shown in Figure 3. A user designs a QNN circuit, trains it, compiles the trained circuit and input data into quantum analog pulses, and sends the pulse sequence to a cloud NISQ server. The server applies the pulse sequence to qubits, and returns the result to the user. A prediction result is a probability vector, where the predicted class is computed by softmax.

In a classical neural network [6], the first multiple layers generate an embedding for an input, e.g., a sentence or an image, while the last layer maps the embedding to a probability vector. On the contrary, in a QNN [3, 4, 8], these functions are implemented by a variational quantum circuit (VQC) [9] composed of an encoding layer $S_{x}$, a variational circuit block $U(\alpha)$, and a measuring layer, as shown in Figure 3. The quantum state $\rho_{x}$ is prepared to represent the classical input data $x$ by $S_{x}$. $\rho_{x}$ is entangled and rotated to generate the processed state $\tilde{\rho}_{x}$ by $U(\alpha)$. The probability vector $\hat{y}[\tilde{\rho}_{x}]$ is generated by measuring $\tilde{\rho}_{x}$ for multiple times. $S_{x}$ has its fixed function and thus is not trainable. The VQC training is to find the quantum gate rotation angles in $U(\alpha)$ that minimize a cost function between predictions and ground truth labels.

To run a QNN on a cloud-based NISQ server, as Figure 3 exhibits, the user has to first locally compile the QNN VQC and its input data into a sequence of analog pulses [11, 12] with a server-specific configuration file. The sequence of pulses manipulates qubits to implement QNN inferences on cloud-based NISQ computers. A pulse [12] can be specified by an integer duration, a complex amplitude, and the standard deviation. Different servers support different pulse durations, maximum pulse amplitudes, and pulse channel numbers. Even the same server requires different values for its pulse error calibration at different times. A configuration file [11, 12] describing the latest information of a NISQ server enables the compiler to generate a high-quality pulse sequence for a QNN and its input data. When the same QNN circuit has a new piece of input data, the compiler has to re-compile the circuit with the new input. To minimize noises and errors on a NISQ server, it is important for the quantum compiler to download and use its latest configuration file before each compilation.

For QTrojan, we assume the victim users receive a QNN circuit from the attacker, and train the variational block of the circuit with their own datasets. This case frequently happens, since most average users without domain knowledge tend to download a circuit architecture designed by domain experts from the internet, and train it with their own datasets. Both the quantum compiler and NISQ servers are trustworthy in our threat model. However, we assume the attacker can insert triggers into a configuration file and the victim user needs to download the configuration file to minimize noises and errors before each compilation. With a benign configuration file, the QNN works normally for all inputs. On the contrary, the QNN using a configuration file with a trigger classifies all inputs into a predefined target class. Unlike the white-box threat model used by prior DPBAs [6, 7], we assume a more conservative threat model, where the attacker does not require the original training dataset, training details including training method and hyper-parameters, long retraining process, or any meaningful test dataset. Furthermore, QTrojan still works even after the victim QNN is retrained with the victim users’ new clean datasets.

Attackers inject backdoors [6, 7] into a classical neural network during a time-consuming training process, so that the victim network behaves normally on benign samples whereas its predictions are consistently changed to a predefined target class if the backdoor is activated by a nontrivial-size trigger. A typical way to injecting the backdoor is poisoning the original training dataset [7], i.e., some training samples are modified by adding the trigger and paired with the predefined target label. However, it is difficult to access the original training dataset or use a long training process to attack the victim network in both classical and quantum domains. Almost all data-poisoning-based backdoors [6, 7] can be eliminated if the users retrain the victim model with their new clean datasets. Moreover, due to the limited input dimension of state-of-the-art QNNs, embedding a nontrivial-size trigger makes the backdoor attack less stealthy. Although backdoor attacks against classical neural networks achieve both high clean data accuracy and high attack success rate, a QNN may not be able to learn both the clean data task and the trigger-embedded data task well, due to its shallow network architecture on a NISQ computer. In this paper, we propose circuit-level QTrojan to perform backdoor attacks against QNNs. As Table 1 shows, QTrojan does not need to access the original dataset, use a long train process, or attach a trigger to input data. QTrojan can still work even after the user retrain the victim QNN with their new clean datasets.

For other quantum-related backdoor attacks, prior work [13] creates backdoors in quantum communication systems for key distribution and coin-tossing via laser damage. To the best of our knowledge, QTrojan is the first circuit-level backdoor attack against QNNs.

We propose QTrojan to mask the original input of a victim QNN and force its encoding layer to output fixed quantum states belonging to the predefined target class by integrating few quantum gates into the victim QNN VQC. More specifically, we add two extra layers around the encoding layer of the victim QNN. Unlike conventional DPBAs, which embeds a trigger into input data, these two additional QTrojan layers can be disabled or activated by a configuration file via a trustworthy quantum compiler. As Figure 4 shows, using a benign configuration file, the victim QNN classifies an image (cat) normally to its class (“cat”). However, a configuration file with a trigger causes the victim QNN to maliciously classify the image (cat) into a predefined target class (“man”).

In this section, we describe how to backdoor the data encoding layer of a victim QNN by QTrojan.

Angle Encoding. The first step in a QNN is to convert classical input data $\mathcal{X}$ to $n$-qubit quantum states $D_{n}$ by its data encoding layer $S_{x}$. The most widely adopted data encoding methods in state-of-the-art QNNs are amplitude encoding and angle encoding [14]. Although amplitude encoding represents $N$ features by $n=\log_{2}(N)$ qubits, its preparation requires a $\mathcal{O}(2^{n})$ circuit depth, making a QNN more error-prone [15]. In contrast, angle encoding requires $N$ qubits with a constant depth (i.e., less than three layers) quantum circuit to represent $N$ features, and is thus more suitable for NISQ devices due to its noise immunity and simplicity of implementation [1, 4]. In this work, we adopt the angle encoding defined in [14] as follows:

$$|\mathbf{x}\rangle=\bigotimes_{i=1}^{N}\cos\left(x_{i}\right)|0\rangle+\sin\left(x_{i}\right)|1\rangle$$

(1)

where $\mathbf{x}=[x_{1},\ldots,x_{N}]$ is a $N$-feature vector, and $\otimes$ is tensor product operator. To represent more features by the same number of qubits, there is a denser version of angle encoding [14] defined as

$$|\mathbf{x}\rangle=\bigotimes_{i=1}^{\lceil N/2\rceil}\cos\left(\pi x_{2i-1}\right)|0\rangle+e^{2\pi ix_{2i}}\sin\left(\pi x_{2i-1}\right)|1\rangle$$

(2)

where $2N$ features are represented by $N$ qubits. In this paper, we focus on designing backdoors for angle encoding and dense angle encoding.

A Backdoor Against Angle Encoding. We present a circuit backdoor for QTrojan to hijack the data encoding layer $S_{x}$ of a victim QNN. As Figure 5(a) shows, $S_{x}$ is sandwiched by the backdoor consisting of a pre-encoding layer $\bar{S}_{x}$ and a post-encoding layer $\tilde{S}_{x}$. $\bar{S}_{x}$ is composed of $N$ RX gates, each of which works on a qubit. And $\tilde{S}_{x}$ has $N$ pairs of RX-RY gates, each of which manipulates one qubit. By rotating the qubit from $|0\rangle$ by an angle, the original angle encoding layer $S_{x}$ encodes the qubit as a data point on the circle of $y=0$ in a Bloch sphere shown in Figure 5(b). In our circuit backdoor, ➊ the pre-encoding layer $\bar{S}_{x}$ moves the qubit to the leftmost point of the Bloch sphere. ➋ Although $S_{x}$ is normally applied on the qubit, the qubit is still constrained in the leftmost point of the Bloch sphere. ➌ The RX₂ gate of $\tilde{S}_{x}$ rotates the qubit by $3/2\pi$ and moves it back to $|0\rangle$. ➌ Finally, the RY gate of $\tilde{S}_{x}$ rotates the qubit by $\theta$ predefined by the attacker.

To generate the pulses of a QNN that can accurately and efficiently run on a NISQ server, a quantum compiler acquires the server details from a configuration file [12], which also defines pulse values for error calibration. When there is a new input, based on the latest configuration file, the quantum compiler converts the QNN circuit and new input into a sequence of pulses. The attacker uses a few lines as a trigger in the configuration file to respectively set $\pi/2$, $3\pi/2$, and $\theta$ to the RX₁, RX₂, and RY gates of the backdoored encoding layer, so that QTrojan can be activated. The trigger can be disguised as pulse error calibration for the data encoding layer.

We compiled the original angle encoding layer $S_{x}$ and the backdoored encoding layer ($\bar{S}_{x}$+ $S_{x}$ + $\tilde{S}_{x}$) of QTrojan into pulse sequences $D_{0}$ and $D_{1}$ respectively, as shown in Figure 6. Although two data encoding layers have slightly different pulse amplitudes, QTrojan does not add the circuit depth at all, and can be completed by a sequence of pulses having the same duration as $S_{x}$.

CMOS-based circuit-level backdoor tests and detections [16] may be helpful to prevent QTrojan.