Machine learning quantum error correction is vulnerable to physical fault injection attacks

Machine learning techniques currently underpin key aspects of quantum computer operation, particularly improving the accuracy of multi-qubit measurements and reducing errors, but their vulnerabilities to attacks remain largely unknown. Anthony Etim of Yale University and Jakub Szefer of Northwestern University, along with colleagues, published the first analysis of how these machine learning-based read error correction systems can be compromised through physical fault injection attacks. Their work demonstrates that carefully timed voltage glitches can cause inaccurate measurements, exposing a significant security weakness in current quantum computing architectures. The team's automated approach successfully identified vulnerabilities across all layers of machine learning models, showing that early layers are particularly susceptible and, importantly, that these failures produce predictable patterns of errors rather than random noise, requiring a new focus on security and resilience in quantum computer-controlled systems.

The core of quantum computing is extracting information from qubits, and ML is increasingly being used to correct errors in this process. In this paper, we ask, can an attacker manipulate the readout process by injecting faults into ML components? The researchers used a voltage glitch to temporarily cut off the power supply, causing a failure in the embedded ML model responsible for quantum readout correction. They employed an automatic optimization framework to efficiently explore the parameter space of fault injection, find the most effective attack points, and explore vulnerabilities in different layers within the ML model.

The researchers were able to cause a prediction error in an ML model, demonstrating the possibility that an attacker could manipulate the readout process. Dense layers were found to be significantly more susceptible to fault injection than ReLU layers. This is likely due to complex computations and memory accesses within the dense layer. This study highlights the security risks associated with relying on ML for critical quantum readout modification, as an attacker could direct the modified readout string to a specific bit pattern. This paper proposes several lightweight defenses inspired by established failure attack countermeasures. This includes performing multiple inferences and using majority voting, comparing ML outputs to simpler baseline identifiers, monitoring logit, entropy, and anomaly activations, detecting and responding to brownouts, glitches, and clock issues, and introducing jitter into layer execution to reduce synchronization.

This study is the first to empirically demonstrate the vulnerability of ML-based quantum readout corrections to fault injection attacks. This highlights the need to consider security implications and implement appropriate defenses when designing and deploying ML components in quantum computing systems. This study contributes to a better understanding of security challenges in quantum stacks and provides a foundation for future research in this area.

Fault injection reveals classifier vulnerabilities

This work pioneers a rigorous methodology for assessing the vulnerability to physical fault injection of machine learning classifiers used in quantum computer readout systems. The researchers targeted a five-qubit model that required discrimination between 32 different readout classes and used the ChipWhisperer Husky platform to induce voltage glitches, causing temporary interruptions in computer operation. An automated algorithm systematically scanned the parameter space to identify successful failures across all layers of the target machine learning model, enabling comprehensive failure coverage and efficient vulnerability identification. The experiment involved inducing these voltage glitches while a machine learning classifier was processing a readout signal, allowing scientists to observe the resulting errors and characterize the system's susceptibility to attack.

The team carefully recorded the prediction error rate of each layer of the model, revealing strong layer-dependent vulnerabilities. Previous layers revealed significantly higher prediction error rates when faults were triggered. Detailed analysis demonstrated that the initial processing stage is more susceptible to transient errors, highlighting critical weaknesses in the readout pipeline. The researchers used Hamming distance and bitwise reversal statistics to analyze the resulting corrupted read data at the bit string level. The results show that a single glitch can cause structural failure. This means that the errors show a pattern rather than random noise. This finding is significant because it suggests that attackers can manipulate readout results in predictable ways and compromise the integrity of quantum computations. This methodology establishes the foundation for developing robust fault detection and redundancy mechanisms to protect quantum computer readout systems from malicious attacks.

Fault injection reveals vulnerabilities in classifier layer

Scientists have conducted the first analysis of how the injection of physical disturbances affects machine learning classifiers used for readout error correction in quantum computers. The study targeted a five-qubit model, a system that classifies data into 32 different classes, and used ChipWhisperer Husky to introduce voltage glitches and systematically scan a set of parameters to identify successful failures across all layers of the target model. Experiments revealed that fault susceptibility had strong layer dependence, with earlier layers exhibiting higher misprediction rates compared to later layers when a fault was triggered. The research team used Hamming distance and per-bit flip statistics to characterize read failures at the bit string level and demonstrated that even single-shot glitches can cause structured corruption of read data rather than purely random noise.

Specifically, the results show that these failures do not simply cause random errors, but can create predictable biases in the output, potentially allowing an attacker to control the observed results. Measurements confirmed that the induced errors are not confined to a single bit, but appear as structured patterns within the read data. This study demonstrates that a physical adversary with access to a classical controller can induce mispredictions and create targeted biases in a quantum computer's readout output without changing the quantum computer itself. The team's discovery is critical because accurate readouts are essential to interpreting the results of quantum calculations, and computations can become meaningless if the readout logic is compromised. This work proves that machine learning-based quantum computer readout and correction should be treated as a security-critical component of quantum systems and highlights the need for lightweight and deployable fault detection and redundancy mechanisms in readout pipelines.

This work presents the first comprehensive fault injection study targeting machine learning-based quantum computer readout error correction. Researchers successfully used voltage glitches to induce failures within embedded machine learning models, demonstrating that all layers are vulnerable, although susceptibility varies depending on the layer's position within the model. The resulting failures appear as structured corruptions in the read data rather than random noise, revealing a predictable pattern for these attacks. These findings establish the importance of treating machine learning-enhanced quantum readouts as security-critical components, requiring the integration of fault detection and redundancy mechanisms into quantum computer pipelines. In this study, we characterize the effects of these failures at the bit string level and provide detailed insights into the nature of the induced errors. While acknowledging the limitations inherent in focusing on voltage glitches, the authors suggest that future research should explore alternative fault injection methods, such as electromagnetic fault injection and clock glitches, in parallel with the development of robust defense strategies.