Machine Learning Quantum Error Correction Vulnerable to Physical Fault Injection Attacks

Machine learning techniques now underpin crucial aspects of quantum computer operation, notably improving the accuracy of multi-qubit measurements and reducing errors, but their vulnerability to attack remains largely unexplored. Anthony Etim from Yale University and Jakub Szefer from Northwestern University, along with their colleagues, present the first analysis of how physical fault injection attacks can compromise these machine learning-based readout error correction systems. Their research demonstrates that carefully timed voltage glitches can induce incorrect measurement results, revealing a significant security weakness in current quantum computing architectures. The team’s automated approach successfully identifies vulnerabilities across all layers of the machine learning model, showing that early layers are particularly susceptible, and importantly, that these faults create predictable patterns of errors rather than random noise, demanding a new focus on security and resilience in quantum computer control systems.

Core to quantum computing is extracting information from qubits, and ML is increasingly used to correct errors in this process. This paper asks: can an attacker manipulate the readout process by injecting faults into the ML components? The researchers used voltage glitching, briefly disrupting the power supply, to induce faults in the embedded ML model responsible for quantum readout correction. They employed an automated optimization framework to efficiently explore the parameter space of fault injection to find the most effective attack points, and examined the vulnerability of different layers within the ML model.

The researchers successfully induced mispredictions in the ML model, demonstrating the potential for an attacker to manipulate the readout process. Dense layers proved significantly more susceptible to fault injection than ReLU layers, likely due to the complex calculations and memory accesses within dense layers. The study highlights the security risks associated with relying on ML for critical quantum readout correction, as an attacker could steer the corrected readout strings towards specific bit patterns. The paper suggests several lightweight defenses inspired by established fault-attack countermeasures: performing multiple inferences and using majority voting, comparing the ML output with a simpler baseline discriminator, monitoring logits, entropy, and activations for anomalies, detecting and responding to brown-outs, glitches, and clock issues, and introducing jitter to layer execution to reduce synchronization.

This research is the first to empirically demonstrate the vulnerability of ML-based quantum readout correction to fault injection attacks. It underscores the need to consider security implications when designing and deploying ML components in quantum computing systems and to implement appropriate defenses. The work contributes to a growing understanding of the security challenges in the quantum stack and provides a foundation for future research in this area.

Fault Injection Reveals Classifier Vulnerabilities

The study pioneers a rigorous methodology to assess the vulnerability of machine-learning classifiers used in quantum computer readout systems to physical fault injection. Researchers targeted a 5-qubit model, requiring discrimination between 32 distinct readout classes, and employed the ChipWhisperer Husky platform to induce voltage glitches, creating temporary disruptions in the computer’s operation. An automated algorithm systematically scanned a parameter space to identify successful faults across all layers of the targeted machine-learning model, enabling comprehensive fault coverage and efficient identification of vulnerabilities. Experiments involved inducing these voltage glitches while the machine-learning classifier processed readout signals, allowing scientists to observe the resulting errors and characterize the system’s susceptibility to attack.

The team meticulously recorded the misprediction rates for each layer of the model, revealing a strong layer-dependent vulnerability, with earlier layers exhibiting significantly higher rates of misprediction when faults were triggered. Detailed analysis demonstrates that initial processing stages are more sensitive to transient errors, highlighting a critical weakness in the readout pipeline. Researchers analyzed the resulting corrupted readout data at the bitstring level, employing Hamming-distance and per-bit flip statistics. Results show that single-shot glitches can induce structured corruption, meaning the errors are not random noise but exhibit patterns. This finding is crucial, as it suggests attackers could potentially manipulate the readout results in a predictable manner, compromising the integrity of the quantum computation. The methodology establishes a foundation for developing robust fault detection and redundancy mechanisms to secure quantum computer readout systems against malicious attacks.

Fault Injection Reveals Classifier Layer Vulnerabilities

Scientists conducted the first analysis of how physical fault injections impact machine learning classifiers used in quantum computer readout error correction. The study targeted a 5-qubit model, a system that classifies data into 32 distinct classes, and employed the ChipWhisperer Husky to introduce voltage glitches, systematically scanning a range of parameters to identify successful faults across all layers of the target model. Experiments revealed a strong layer dependency in fault susceptibility, with early layers exhibiting higher misprediction rates when faults were triggered compared to later layers. The research team characterized readout failures at the bitstring level using Hamming-distance and per-bit flip statistics, demonstrating that even single-shot glitches can induce structured corruption of the readout data rather than purely random noise.

Specifically, the results show that these faults do not simply introduce random errors, but create predictable biases in the output, potentially allowing an attacker to control the observed results. Measurements confirm that the induced errors are not limited to single bits, but manifest as structured patterns within the readout data. This work demonstrates that a physical adversary with access to the classical controller can induce mispredictions and create targeted biases in the readout output of a quantum computer, even without modifying the quantum computer itself. The team’s findings are critical because accurate readout is essential for interpreting the results of quantum computations, and compromised readout logic can render calculations meaningless. The research establishes that machine learning-based quantum computer readout and correction should be treated as a security-critical component of quantum systems, highlighting the need for lightweight, deployment-friendly fault detection and redundancy mechanisms within the readout pipelines.

This work presents the first comprehensive fault injection study targeting machine-learning-based quantum computer readout error correction. Researchers successfully induced faults within the embedded machine-learning model using voltage glitching, demonstrating vulnerability across all layers, though with varying susceptibility dependent on layer position within the model. The resulting failures manifest as structured corruption of readout data, rather than random noise, revealing a predictable pattern to these attacks. These findings establish the importance of treating machine-learning-enhanced quantum readout as a security-critical component, necessitating the integration of fault detection and redundancy mechanisms into quantum computer pipelines. The study characterizes the impact of these faults at the bitstring level, providing detailed insight into the nature of the induced errors. While acknowledging limitations inherent in focusing on voltage glitching, the authors suggest future research should explore alternative fault injection methods, such as electromagnetic fault injection and clock glitching, alongside the development of robust defensive strategies.