Extending and Defending Attacks On Reset Operations in Quantum Computers
Extending and Defending Attacks On Reset Operations in Quantum Computers
Extending and Defending Attacks On Reset Operations in Quantum Computers
Abstract—The development of quantum computers has been remotely for users. Following the past success of classical
arXiv:2309.06281v1 [cs.AR] 12 Sep 2023
advancing rapidly in recent years. As quantum computers be- computer cloud-based services, we expect that cloud-based
come more widely accessible, potentially malicious users could try access for remote users to rent quantum computers to be a
to execute their code on the machines to leak information from
other users, to interfere with or manipulate the results of other dominant use-case in the future.
users, or to reverse engineer the underlying quantum computer In order to support sharing of a quantum computer among
architecture and its intellectual property, for example. Among different users, there needs to be an efficient way to reset the
different security threats, previous work has demonstrated infor- qubits. Today, the main method to reset the qubit state is by
mation leakage across the reset operations, and it then proposed letting qubits decohere, which allows qubits to naturally decay
a secure reset operation could be an enabling technology that
allows the sharing of a quantum computer among different into their ground states. Even though letting qubits decohere
users, or among different quantum programs of the same user. erases all the qubit states, it takes a long time, i.e., 250 ns
This work first shows a set of new, extended reset operation is required for quantum computers on IBM Quantum; it also
attacks that could be more stealthy by hiding the intention of makes the qubits unusable during that time. As an alternative,
the attacker’s circuit. This work shows various masking circuits a number of companies, such as IBM, have proposed a reset
and how attackers can retrieve information from the execution
of a previous shot of a circuit, even if the masking circuit is gate or reset operation. The reset operation first measures the
used between the reset operation (of the victim, after the shot of qubit state, which collapses it to |0⟩ or |1⟩ based on the state
the circuit is executed) and the measurement (of the attacker). of the qubit. Next, if the qubit collapsed into |1⟩, an X gate
Based on the uncovered new possible attacks, this work proposes (similar to classical NOT gate) is applied to set the qubit state
a set of heuristic checks that could be applied at transpile time to |0⟩ state, and the qubit is now fully reset.
to check for the existence of malicious circuits that try to steal
information via the attack on the reset operation. Unlike run- Mi et al. [8], however, explored the existing (insecure)
time protection or added secure reset gates, this work proposes a reset operations used in superconducting quantum computers
complimentary, compile-time security solution to the attacks on such as from IBM Quantum and showed that they do not
reset operation. protect fully from information leakage since the reset operation
is not perfect. Since the reset operation is conditional on
I. I NTRODUCTION
measurement results, its outcomes are closely associated with
Noisy Intermediate-Scale Quantum (NISQ) quantum com- the error characteristics of the measurement operation. As it
puters are being rapidly developed, with machines over 400 was shown [8], an attacker measuring the qubit state post-reset
qubits available today [6] and the industry projects 4000- can statistically recover some information about the qubit’s
qubit or larger devices before the end of the decade [2]. state prior to the reset, thus leaking information from the
Many different types of quantum computers exist, with su- victim user who was using the same qubit prior to the attacker.
perconducting qubit quantum computers being one of the The fundamental idea behind their attack circuit was for the
types available today to researchers and the public through attacker to perform a qubit measurement immediately when
cloud-based services. The superconducting qubit machines scheduled to execute. Such a malicious circuit, however, can
are developed by numerous companies, such as IBM [1], very easily be detected since it only contains a measure-
Rigetti [4], or Quantum Circuits, Inc. [3]. ment gate.
Quantum computers of these sizes have the potential to Our work proposes a new, extended attack on reset op-
fundamentally alter what types of algorithms can run on them, erations. In particular, our work explores potential ways in
but require specialized facilities and equipment in order to which an attacker can add a masking circuit C before the
make these quantum computers accessible to users. There is measurement to “hide” their attack. The main idea behind
a growing interest in, and practical deployments of, cloud- our design is that by using a masking circuit C the attacker
based quantum computers, also called Quantum as a Service can make their circuit look like a benign circuit while still
(QaaS) or Quantum Computing as a Service (QCaaS). Cloud- being able to recover information across the reset operation as
based services such as IBM Quantum, Amazon Bracket, and before. In particular, we show that an attacker can use a large
Microsoft Azure already provide access to quantum computers number of circuits to target a particular qubit for information
leakage, as long as the attacker’s circuit is composed of single possible measurement results are 0 and 1, corresponding to
qubit operations on the target qubit. The attacker can also eigenstates |0⟩ and |1⟩.
hide their intention and attack by using two-qubit CX gates,
as long as the target qubit of the attack is the control qubit of A. Bloch Sphere
the CX gates.
For single-qubit gates used in the masking C circuit, the The Bloch sphere is a geometric representation of a two-
attacker may use simple identity circuits consisting of pairs of level quantum system. It provides a way to visualize an
X gates, or non-identity circuits consisting of as RX and RZ arbitrary state of a qubit as a superposition of the two
gates. For multi-qubit gates, an attacker can also hide an attack computational basis vectors, |0⟩ and |1⟩. The surface of the
with CX gates, as long as the target qubit is the control qubit of Bloch sphere can be parameterized by two angles used in the
the CX gate. We also show conditions under which the attack spherical coordinate system: θ with respect to the z-axis, and
becomes more difficult, such as when qubits are targets of CX ϕ with respect to the x-axis. Given angles θ, ϕ, we write the
gate. We confirm our expectation by running select QASM corresponding quantum state:
benchmark circuits, and showing that it is difficult for the
attacker to leak the victim’s state, due to the presence of multi- θ iϕ θ
qubit gates or other non-identity gates, if the masking circuit |ψ⟩ = cos |0⟩ + e sin |1⟩ ,
2 2
C is a full QASM benchmark, for example.
Based on our findings and possible new attacks, we present where 0 ≤ θ ≤ π and 0 ≤ ϕ < 2π. Quantum circuits are
a new set of heuristics defenses that could be applied to check mainly composed of gate operations, also simply called gates,
for existence of the new kind of the malicious circuits before which can be visualized as applying various rotations of the
code is executed. Unlike run-time protection or added secure quantum state around the Bloch sphere.
reset-gates, this work proposes a complimentary, compile time
security solution to the attacks on reset operation. Note, that B. Basis Gates
previous work [8] proposed a secure reset gate for use at run-
time, while we propose a compile-time defense. Our solution Quantum gates are used to manipulate quantum states. Re-
meanwhile draws inspiration from different previous work [5] versible operations can be represented by unitary matrices, and
which proposed a quantum computing antivirus that aim to quantum gates exist for various unitaries. For each quantum
flag suspicious programs that inject malicious crosstalk and computer, some gates are supported as a native gates, also
degrade the quality of program outcomes. Instead of focusing called basis gates by IBM, for example. Most NISQ quantum
on crosstalk, we explore how to check circuits for malicious computers, including IBM machines, only support a few native
reset operation attacks. Instead of focusing on graph structure gates: the single-qubit gates (I, RZ, X, SX), and one two-
of the circuit, we provide a solution based on calculating qubit gate (CX). Other gates need to be decomposed into these
the matrix representation of the circuit (where possible due basis gates first before being run on the machines.
to circuit size) as well as based on analyzing types of gates Among single-qubit gates, I is the identity gate, that per-
execution on each qubit within a circuit. forms no operation, but adds delay. The X gate performs a
rotation around the z axis of the Bloch sphere by a fixed π
A. Contributions radians angle for the target qubit. It is also analogous to the
The main contributions of this work are as follows: classical NOT gate, as it maps |0⟩ to |1⟩ and |1⟩ to |0⟩, thus
• Presentation of a new variant of attacks on reset opera- “flipping” the qubit. The RZ gate performs a rotation of ϕ
tions, involving a masking circuit used by the attacker to radians around the z axis in the Bloch sphere for the target
try to hide their attack circuit. qubit. The SX gate rotates a qubit around the x-axis a fixed
• Evaluation of the efficacy of different masking circuits in angle of π/2 radians, it effectively adds the rotation angle to
the new attack variant. θ in the Bloch sphere for the target qubit.
• Description of a set of heuristics to detect existing and For two-qubit gates, the CX gate is available. The CX gate
the new attacks on reset operation. operates on two qubits: a control qubit and a target qubit. If the
• Demonstration of a tool and compile-time approach tool control qubit is in state |0⟩ , the CX acts as identity. Otherwise,
for detection of previous attacks and the new attack if the control qubit is in state |1⟩ , an X gate is applied to the
variant using the heuristics. target qubit, flipping it. The CX gate is sometimes called the
CNOT gate.
II. BACKGROUND
Qubits are the fundamental building blocks of quantum
C. RX Gates
computers. They encode data in quantum states, which can
exist as a superposition, and are able to represent a continuum The RX(θ) gate performs a rotation of θ radians around
of states in between the classical 0 and 1. To observe the the x-axis of the Bloch sphere. The RX gate is not a native
state of a qubit, the qubit state must be collapsed by a gate, but it can be decomposed into native basis gates RZ and
measurement operation, also known as a readout. The two SX gates.
2
D. Measurement Operation
When a qubit is measured, the result is a classical bit of
information, either 0 or 1. The measurement process collapses
the original qubit state, projecting it typically onto the z-axis of
the Bloch sphere. Measurement results of 0 and 1 correspond
to state collapse into |0⟩ and |1⟩ , respectively. Measurement is
an example of a non-unitary operation, as it cannot be reversed.
This state collapse is irreversible; after a measurement is made,
the original information about the qubitof the state is lost.
For a general qubit state |ψ⟩ = cos θ2 |0⟩+eiϕ sin θ2 |1⟩ ,
3
An attacker may try more complex, non-identity circuits, or
q: RX ( 3π
4 )
RZ ( π2 ) |0⟩ X X
try to attack victims after a larger number of reset gates to
c: /2
0 1
avoid detection. We explain these next.
Fig. 2: Example of two X gate circuit used as a masking circuit; any
even number of X gates applied in sequence forms an identity circuit D. Hiding Reset Operation Attack with RX and RZ Gate
and can be evaluated for efficacy of the masking circuit. Circuits
Next, we considered RX and RZ rotation gates for the
of the attack harder, while at the same time still being able attacker to mask the attack. We ran two experimental groups.
to carry out the reset gate attack where some information is For the first set of attacks, we fixed the attack circuit depth
learned about the state of the qubits prior to the reset. at 1 RX and 1 RZ gate, and we varied the rotation angles. An
example is shown in Figure 3.
B. Attacker Circuits
This work explores and analyzes a variety of possible q: RX ( 3π RZ ( π2 ) |0⟩ RX ( π4 ) RZ ( 3π
4 ) 2 )
masking circuits C. Later we show which ones work well,
c: /2
and which ones do not. 0 1
• Identity Circuits – circuits consisting of an even number Fig. 3: Example of masking circuit with RX and RZ gates, different
of single-qubit X gates on each qubit, such that the total number of RX and RZ gates and the angles can be evaluated for
effective angle of rotation θ is 0. Since effectively there is efficacy of the masking circuit.
no rotation, the attacker’s measurement should return the
same values as it would be right after the reset operation. For the second set of attacks, we fixed total rotation angles
• RX and RZ Gate Circuits – circuits consisting of single- at θ = π and ϕ = π/2. We vary the depth, or number of RX
qubit gates with effective θ (RX gate) rotation and ϕ and RZ gates, while keeping the total equivalent rotation angles
(RZ gate) rotation. Because the rotation angle is known, at a fixed sum of θ = π and ϕ = π/2. For depth d, we use d
the attacker can infer the qubit 1-output probabilities as copies of RX(π/d) followed by d copies of RZ(π/2d). An
they would be right after the reset gate based on their example with d = 2 is shown in Figure 4.
measurement. As we demonstrate, certain rotation angles We chose θ = π because, based on preliminary testing, it
make the attack more difficult, while others still allow is the best non-zero rotation angle for the attacker. For θ = π,
the attacker to make a meaningful measurement. ϕ = π/2 is the choice of ϕ angle that is best for the attacker.
• CX Gate Circuits – circuits consisting of two-qubit CX
gates where there is entanglement between qubits. The
E. Hiding Reset Operation Attack with CX Gate Circuits
control qubits of CX gate experience delay (due to
duration CX gate) but otherwise can be leveraged by Further, we considered circuits involving multiple qubits.
an attacker since they do not experience any rotations; We ran experiments with a series of CX gates, using the
meanwhile, the state of the target qubits of CX gate victim qubit as the control qubit. CX gates have long duration
depends both on the prior state and the control qubit, compared to single-qubit gates. While the control of the CX
making attacker’s use of that qubit more difficult. gate does not affect the qubit state, allowing the attacker to
• QASM Benchmarks – circuits from the QASM bench- gain information about the victim. The main goal is to evaluate
mark suite [7] which are real quantum computing circuits. the effect of time delay on the success of the attack. We hope
These include the 2- and 3-qubit Grover search cir- to gain insight into whether duration of a circuit could be used
cuits and the 4-qubit quantum random number generator to classify potentially malicious circuits.
(QRNG). As shown in Figure 5, we repeat a number of CX gates with
the victim qubit, q0 , as the control. The attacker only makes
C. Hiding Reset Operation Attack with Identity Circuits a measurement on the control qubit of the CX gates.
First, we experimented with using a series of X gates as the
attacker circuit, as shown in Figure 2. For a variety of input F. Hiding Reset Operation Attack with QASM Benchmarks
states, we ran experiments increasing the number of reset gates
and the number of X gate pairs, which we call the depth of the Aside from single-qubit masking circuits and circuits with
circuit. Since we use an even number of X gates, the masking CX gates, an attacker may try more complex and deeper
circuit is thus always equivalent to identity in this experiment circuits to hide an attack. In particular, they could try to
group. As shown later in the Figures 10 and 12, information disguise their attack as a benign circuit, for example using
leak still occurs with X gates added as a masking circuit. some of the QASM benchmark circuits [7]. We evaluate
Based on the measured 1-output frequency, the attacker can whether it is possible for an attacker to perform a reset
distinguish with high probability between victims initialized attack under our threat model using some common QASM
with θ = 0 or θ = π. benchmarks.
4
q: RX ( 3π RZ ( π2 ) |0⟩ RX ( π2 ) RX ( π2 ) RZ ( π4 ) RZ ( π4 )
q0 : RX ( 2π
7 ) |0⟩ H
4 ) Q
c: /2 q1 : RX ( 4π
7 ) |0⟩ H
0 1
c: /4
Fig. 4: Example of different masking circuit with RX and RZ gates 0 1 2 3
where the total rotation angles are fixed. (a) 2-qubit Grover circuit.
q0 : • H X • X H
q1 : • H X H H X H
q0 : RX ( 3π
4 )
RZ ( π2 ) |0⟩ • •
(b) 2-qubit Grover circuit with operator Q decomposed.
q1 :
Fig. 6: Example of using 2-qubit Grover circuit used as a masking
c: /2 circuit, circuits with different bitstrings and operators can be tested
0 1
the qubits need to be initialized into a uniform superposition (a) 3-qubit Grover circuit.
with Hadamard gates. Then, the Grover operator, Q, is applied q0 : • H X • X H
to amplify the amplitude of the correct answer via rotations q1 : • H X • X H
done by Q. An example of 2-qubit Grover search is shown in q2 : • H X H H X H
Figure 6a. (b) 3-qubit Grover circuit with operator Q decomposed.
We used Grover search with answer bitstring 11. The circuit
Fig. 7: Example of using 3-qubit Grover circuit used as a masking
for the algorithm is boxed in Figure 6a. The Grover operator circuit, circuits with different bitstrings and operators can be tested
Q is decomposed in Figure 6b. The attacker uses this circuit for efficacy of the masking circuit. The Hadamard, H, gate can be
after the reset gates and before final measurement, like the realized using the basis gates discussed in the text.
previous attacks.
Unlike the single-qubit attack circuits, the attacker makes
measurements on all involved qubits. The victim qubits are IV. R ESET O PERATION E RROR C HANNEL A NALYSIS
initialized with θ rotations independently of each other, that Before we present evaluation of the different attacks that
is, the rotation angles are not necessarily the same for each use masking circuits, we discuss characteristics of the reset
qubit. We limit the range of possible initial angles so that the operation. Further, we compare behavior of the reset op-
total number of circuits for each trial does not exceed our limit eration on real ibmq_jakarta machine to two types of
on the ibmq_jakarta machine of 300 circuits per job. For simulation to motivate our use of real ibmq_jakarta for
2-qubit Grover, each qubit is initialized by the victim with a subsequent evaluation.
rotation of θ ∈ {0, π7 , 2π 3π 4π 5π 6π
7 , 7 , 7 , 7 , 7 , π}. A. Behavior of Reset Operation
2) 3-Qubit Grover Search Circuit: We also experimented Qubits are often implemented with |1⟩ as a higher energy
with the 3-qubit Grover search circuit, which looks similar state than |0⟩. This results in a higher probability of an
to 2-qubit Grover search, but has more gates and is deeper. incorrect readout for qubit in state |1⟩ compared to state |0⟩.
Each qubit is initialized by the victim with a rotation of θ ∈ Thus, we expect states with a higher amplitude of |1⟩ to have
{0, π3 , 2π
3 , π}. An example of 3-qubit Grover search is shown a higher probability of being the |1⟩ state after a reset [8]. This
in Figure 7. error of real machine resets is seen in Figure 9a, and allows
3) Random Number Generator Circuit: From the QASM the attacker to extract information about the θ angle of the
Benchmark suite, there are two small-scale circuits that do victim qubit based on the measured 1-output frequency [8].
not use multi-qubit gates, namely, the quantum random num- Given the state:
ber generator, and the inverse Quantum Fourier Transform
θ
θ
(QFT). However, the inverse QFT circuit requires conditional |ψ⟩ = cos |0⟩ + eiϕ sin |1⟩ ,
2 2
operations, which are currently unavailable on IBM Quantum
recall that the probability of measuring 1 is sin2 θ2 according
machines. So we consider the random number generator on
4 qubits. to the Born rule interpretation. This motivates an error channel
The Quantum Random Number generator, shown in Fig- characterization [8] based on the probability of measuring 1
ure 8, uses Hadamard gates to produce a uniform superposition post-reset:
before measurement. This attacker circuit has the smallest
2 θ θ
depth of the benchmarks tested by this paper, with a depth 1. E(θ) = a b sin + (b − 1) + c,
2 π
5
q0 : RX (0) |0⟩ H represent the behavior of the reset operation. We did observe
q1 : RX ( π2 ) |0⟩ H more realistic results in the case of 1 reset, as the sigmoid
q2 : RX ( π2 ) |0⟩ H shape can be seen in Figure 9c. However, the addition of two
q3 : RX (π) |0⟩ H
or more reset operations with the simulator results in noisy
data, and no longer fits a sigmoid curve. This suggests that the
c: /8
0 1 2 3 4 5 6 7
simulated reset does not emulate the real machine when using
Fig. 8: Example of Quantum Random Number Generator (QRNG) a measurement followed by an X gate as the reset operation.
used as a masking circuit. The Hadamard, H, gate can be realized
Both the simulator’s built-in simulated reset operation and
using the basis gates discussed in the text.
the measurement followed by X gate scheme on the simulator
produce a lot of noise: the 1-output frequencies vary a lot
where a ∈ [−1, 1], b, c ∈ [0, 1]. On the domain, θ ∈ [0, θ], the depending on the victim qubit’s ϕ angle compared to the real
output probability looks like a sigmoid curve. This is seen in machine. At this time, the simulator is unable to accurately
Figure 9a. This error channel parameterization is important to replicate the behavior of the reset operation on IBM Quantum
our attack evaluation in Section V. machines, and our evaluation in the rest of the paper users’
data from real ibmq_jakarta machine.
B. Observed Fidelity Improvements of Reset Operations
V. E VALUATION OF E FFICACY OF M ASKING C IRCUITS
Over the past year, IBM machines have improved
in fidelity and yield lower error rates. Indeed, ac- In this section, we present evaluation results for different
cording to IBM’s reported error rates through Qiskit’s masking circuits previously discussed in Section III. The
IBMQBackend.properties() method, we found that for masking circuit evaluation is based on: 1) X gates, 2) RX
qubit 0 of ibmq_jakarta , readout error rate has dropped and RZ gates, 3) CX gates, and 4) QASM benchmarks. For
from 0.0360 to 0.0218 over the past year. In addition, the all circuits, we ran experiments on ibmq_jakarta using a
rate of measuring 0 from a |1⟩ state dropped from 0.0464 to varying number of reset gates after the victim and a varying
0.0340, and the rate of measuring 1 from a prepared |0⟩ state circuit depth for the masking circuits, where possible.
dropped from 0.0256 to 0.0096. A. Evaluation Metrics
While the error rates and noise have decreased, the current To evaluate the effectiveness of each attack circuit, we use
experimental results suggest that the same reset error based a metric of signal-to-noise ratio (SNR). We computed the
on amplitude of |1⟩ is still present in IBM machines. In SNR to estimate how much information the attacker could
comparison to last year, the 1-output frequency of an attacker extract from the output frequency data when different types
measuring the victim qubit after 6 resets still displays a of masking circuits are used.
significantly higher frequency for θ = π than for θ = 0. At We compute the error channel characterization parameter a,
the same time, the noise is of much smaller magnitude, as which represents the amplitude of our sigmoid fit. The fit is
indicated by the smaller error bars. described in Section IV-A. We compute the standard deviation
With decreasing noise to signal ratio, the possibility of in 1-output frequency for each fixed θ as ϕ varies. Finally,
a reset error channel attack is becoming actually greater. we compute the average standard deviations over all input θ
The attacker is able to recover more information from the values, denoted σ. Then the signal-to-noise ratio is defined as
victim with ever-increasing probability, even after numerous a/σ, expressed on a log scale (decibels).
reset operations.
B. Reset Schemes
C. Study of Simulated vs. Real Reset Operations
Using this metric, we can compare the different reset
We compared different types of simulated reset oper- schemes described in Section IV-C. Figure 11 shows the SNR
ations with the real ibmq_jakarta machine. We used for the three different reset schemes. The SNR metric aligns
AerSimulator, with a noise model directly imported from with the analysis of Section IV-C. We observe a relatively
IBM’s ibmq_jakarta backend. In theory, the simulator strong SNR for the real reset. For the simulated reset, there
should behave as the real backend for all qubit gates. Based on is a sharp decline in SNR after adding the first reset. Using a
our testing, the built-in simulated reset operation does not have measurement and X gate to simulate reset, the SNR for one
the same error as the real machine’s reset operation. While the reset is relatively high, but adding more resets decreases the
real reset operation has a higher probability of an incorrect SNR drastically.
reset for qubits with a larger magnitude of |1⟩, the simulated
reset removes this: there is no clear correlation between the C. Attack Involving Identity Circuits
victim qubit’s original theta angle and the output frequencies We ran circuits with a series 0, 2, 4, 6, 8, 16, and 32 X gates
post-reset. The data is shown in Figure 9b. as the attacker circuit. For each attack circuit, we added up
Given the built-in simulated reset operation does not behave to 6 reset gates after the victim. All experiments were run on
as a real one, we then attempted replacing the built-in reset qubit 0 of ibmq_jakarta .
operation with a measurement followed by an X gate condi- Figure 10 displays the 1-output frequency of each attack
tioned on the measurement being 1 – this should in theory circuit as a function of the victim qubit’s rotation angle θ.
6
(a) Evaluation on real ibmq_jakarta machine.
(c) Simulator evaluation, using “measurement + X gate” approach to emulate reset operation.
Fig. 9: Qubit state retention, comparison of: (a) reset operation on real machine, (b) simulated reset operation, and (c) simulated reset
operation using “measurement + X gate” approach.
Fig. 10: Example 1-output frequency of X gate masking circuit. Circuits with 0, 2, 4, 6, 8, 16, and 32 X gates were used as the attacker circuit.
Experiments done with qubit 0 of ibmq_jakarta . Only results for 2 X gates are shown, with the other graphs having a similar shape.
For the purposes of conserving space, only the results for 2 X no significant correlation.
gates are shown. The graphs for more resets display the same
sigmoid shape. D. Attack Involving RX and RZ Gate Circuits
We expect that as the depth of the circuit increases or the In the first set of experiments, we used θ ∈ {0, π4 , π2 , 3π
4 , π}
number of reset gates, the attacker’s job becomes harder as and ϕ ∈ {0, π2 , π, 3π 2 } for the attacker’s RX and RZ gates,
more noise is introduced. Figure 12 shows the SNR plotted respectively. We observed that ϕ = π/2 seems particularly
on a decibel scale for all depths of X gate circuits and all beneficial for the attacker compared to other ϕ angles. The
numbers of reset gates. As expected, increasing the number results for this ϕ angle are shown in Figure 13.
of resets results in decreasing the signal-to-noise ratio. The For θ = π/2, the SNR is the lowest, meaning it is the
correlation coefficient between these two variables is −0.862, most difficult for the attacker to extract information about
indicating a strong negative correlation. The most significant the victim’s initial angle. This coincides with our expectation,
decrease in SNR resulted from the addition of the first reset because after an RX rotation by π/2, both initial states |0⟩ and
gate, with subsequent resets having a lesser effect on SNR. |1⟩ have the same output probability of 12 .
The depth of the circuit, measured as number of X gates, As the θ angle changes from π/2 towards 0 or π, it becomes
did not appear to have much effect on the SNR, as there is easier for the attacker to distinguish the victim’s initial state.
no clear trend of the SNR as depth increases. The correlation Increasing the number of resets generally decreases the signal-
coefficient between these two variables is −0.057, indicating to-noise ratio, as expected.
7
(a) Evaluation on real ibmq_jakarta machine.
Fig. 13: SNR for the first set of RX and RZ attacker experiments.
The rotation angles were varied while the depth was fixed at 1 of
each gate.
Fig. 14: SNR for the first set of RX and RZ attacker experiments.
The rotation angles were varied while the depth was fixed at 1 of
each gate.
8
Fig. 17: SNR for 3-qubit Grover circuit experiments. Average
gradient is used as the measure of signal for calculating the SNR.
9
VI. D EFENSE AGAINST THE N EW R ESET O PERATION C. Implementation
ATTACKS
We assume our program has access to the circuit that is
We provide a number of compile-time heuristics that can to be checked, e.g., our program can be used by IBM to
be used to detect possibly malicious attacks that try to use scan submitted circuits before they execute on the quantum
masking circuits with a measurement to perform a reset computers. Given an input circuit, it is simple to count the
operation attack. Our compile-time solution is complimentary circuit depth of the possibly malicious input circuit. Addi-
to the existing “secure reset” work [8], which is a run-time tionally, Qiskit provides functionality to convert circuits into
solution. Further, our approach is different from the existing their matrix representation. Since the number of resets used
quantum computer antivirus [5], which focuses on the exact is controlled by the quantum computer provider, we assume
quantum circuit pattern matching. the number of resets is an input or configuration given to
our program.
A. Detecting Attacks that use Identity Circuits
To scan circuits, we first extract the gates from the input
In the case that the attacker places an identity circuit before quantum circuit, and for any given qubit, check if the gate
the measurement, we scan all gate operations done after the operates on the qubit. If so, we save the instruction for the
last reset gate and before the final measurement. We use gate. In the end, we make a quantum circuit from the list
Qiskit’s Operator class to convert any potential adversarial of instructions, yielding the subset of the original circuit
circuit into its matrix representation. Then, we check if this that involves each specific qubit. On this smaller circuit, we
matrix is an identity. This is efficient for circuits with a small compute the matrix representation and check for existence of
number of qubits. For large circuits, we can loop through multi-qubit gates, equivalence to identity, and equivalence to
each qubit and check the gates that operate on it. If these are a single RX rotation.
single-qubit gates only, and if these operations are equivalent Based on our testing, for attacker circuits of 32 X gates,
to identity, our program flags the circuit as suspicious. 6 CX gates, 2-qubit Grover, 3-qubit Grover, and the QRNG
If a circuit consists of an identity followed by measurement, Benchmark, our antivirus program can complete a scan in
our program will flag it as suspicious. The size of the matrix 0.017 seconds, 0.009 seconds, 0.024 seconds, 0.130 seconds,
representation scales exponentially with the number of qubits and 0.017 seconds, respectively.
involved, so it is limited to smaller circuits. In testing, we
generated 100 random 7-qubit circuits of depth 10, and our
program successfully and efficiently flagged all of these as VII. R ELATED W ORK
identity circuits.
Considering attacks on quantum computers, the closest
B. Heuristics for General Attack Detection related work is the work which analyzed attacks on reset
In the most general case, the attacker may use a non-identity operations [8]. The authors showed for the first time that im-
circuit as a masking circuit, or he or she may use many qubits perfections in reset operations can lead to possible information
that make matrix representations infeasible to work with. In leaks between shots of circuits. Our work extends this prior
this case, we present an approach that considers each qubit work and shows more advanced attacks where use of masking
one at a time. circuit is used to help hide the attacker while still allowing for
For each qubit, we can compute the matrix representation information leak to be extracted by the attacker.
of all gates involving the specific qubit. We first check if the Considering protections for quantum computers, previous
qubit is involved in any multi-qubit gates. Based on our results, work has suggested an “antivirus” programs which can be
circuits involving multi-qubit gates are not susceptible to the used to detect malicious quantum circuits. The authors used
reset gate attacks. However, single-qubit gates introduce little a directed acyclic graph (DAG) to represent an input quan-
error, and even at large depths, the attack can still extract tum circuit. In the DAG with non-commutativity (DAGNC)
information on these qubits. Thus, any qubits involved in only representation, a quantum circuit can be represented as a
single-qubit gates, or the control qubit of a CX gate, will be multigraph. Vertices in the multigraph correspond to gates in
noted by our program. the quantum circuit, and edges correspond to orders between
In the case that a qubit is only involved in single-qubit gates. The edge from node i to j means that the gates
gates, our program checks if the circuit applies an effective corresponding to node i and j have at least one qubit or
RX rotation on the qubit. Based on our results, an effective classical bit in common, and the gate corresponding to node i
RX rotation close to π/2 makes it difficult for the attacker to executes before the gate corresponding to node j. The authors
perform the attack. So, we propose flagging any qubit with used this representation to find instances of smaller “virus”
effective rotation θ > 3π/4 or θ < π/4. circuits in the larger input quantum circuit. In contrast, our
Note that for most circuits, most qubits will have more work does not require use of DAG, but instead scans individual
complex operations that cannot be reduced to an equivalent RX qubits and computes the matrix form of the input circuit. Our
rotation. In this case, our program can still note whether the defense program could be incorporated into the antivirus as a
qubit is effectively identity, or only involves single-qubit gates. new feature.
10
VIII. C ONCLUSION R EFERENCES
In this work, we demonstrated how a set of new, extended [1] “Ibm quantum,” https://quantum-computing.ibm.com/.
reset operation attacks could lead to critical information leak- [2] “Ibm’s target:a 4000-qubit processor by 2025,” https://spectrum.ieee.org/
ibm-quantum-computer.
age from quantum programs executed on quantum computing [3] “Quantum circuits,” https://quantumcircuits.com/.
cloud environments. This work showed that this new kind [4] “Rigetti computing,” https://www.rigetti.com/.
of reset operation attack could be more stealthy than the [5] S. Deshpande, C. Xu, T. Trochatos, H. Wang, F. Erata, S. Han, Y. Ding,
and J. Szefer, “Design of quantum computer antivirus,” in Proceedings of
previous reset operation attacks, by hiding the intention of the International Symposium on Hardware Oriented Security and Trust,
the attacker’s circuit. The work evaluated how an attacker can ser. HOST, May 2023.
mask the circuit by adding simple identity circuits or non- [6] IBM Quantum, “Ibm unveils 400 qubit-plus quantum processor
and next-generation ibm quantum system two,” 2022,
identity circuits consisting of RX and RZ gates for single-qubit https://newsroom.ibm.com/2022-11-09-IBM-Unveils-400-Qubit-Plus-
gates or CX gates. This work also showed that more complex Quantum-Processor-and-Next-Generation-IBM-Quantum-System-Two.
circuits may render the attack difficult. Based on the findings, [7] A. Li, S. Stein, S. Krishnamoorthy, and J. Ang, “Qasmbench: A low-
level quantum benchmark suite for nisq evaluation and simulation,” ACM
this work showed a set of heuristic defenses that could be Transactions on Quantum Computing, 2022.
applied at compile time to check and flag the new kind of [8] A. Mi, S. Deng, and J. Szefer, “Securing reset operations in nisq
malicious circuits. quantum computers,” in Proceedings of the Conference on Computer and
Communications Security, ser. CCS, November 2022.
11