| name | quantum-federated-learning-security |
| description | Circuit-level backdoor detection methodology for Quantum Federated Learning (QFL) systems. Identifies malicious circuit patterns in variational quantum circuits during federated training. Use when: (1) securing QFL systems, (2) detecting quantum circuit backdoors, (3) federated quantum computing security, (4) variational circuit integrity verification, (5) quantum ML trustworthiness assessment. |
Quantum Federated Learning Security
Core Idea
Detect circuit-level backdoors in QFL by analyzing variational circuit structure, measurement patterns, and gradient behavior across federated clients.
Key Findings (from arXiv:2605.27416)
Empirical Results
- Single malicious client → up to 50% accuracy drop under FedAvg
- Non-IID data amplifies attack effectiveness
- All tested defenses (Krum, Multi-Krum, FoolsGold, FLGuardian, Mud-HoG) fail in worst-case scenarios
- Malicious updates mask their presence by staying close to benign norms (norm-constrained stealthiness)
- Quantum measurement stochasticity provides natural cover for gradient perturbations
Defense Failure Modes
- Krum/Multi-Krum: Cannot detect norm-consistent malicious updates
- FoolsGold: Cosine similarity ineffective for quantum gradients
- FLGuardian: Gradient clipping insufficient for measurement-level attacks
- Mud-HoG: Hessian-based detection degraded by quantum noise
Methodology
Step 0: Attack Surface Classification
Before detection, classify the QFL architecture:
- Variational circuit type: VQA, QNN, quantum kernel methods
- Measurement scheme: Pauli measurements, projective, POVM
- Aggregation protocol: FedAvg, FedProx, custom
- Attack surfaces: In-training (parameter injection), Post-training (backdoor insertion)
See references/qfl-cult-threat-model.md for the CULT threat model details.
Step 1: Circuit Structure Analysis
For each client's variational circuit:
- Parse circuit topology and gate sequence
- Identify anomalous gate patterns (unusual entanglement, measurement placement)
- Flag circuits with hidden degrees of freedom
Step 2: Gradient Behavior Monitoring
Track gradient statistics across rounds:
- Compare gradient distributions between clients
- Detect statistical outliers indicating backdoor influence
- Monitor gradient variance for abnormal patterns
Step 3: Measurement Pattern Verification
Verify measurement outcomes:
- Cross-validate measurement distributions
- Check for hidden information leakage through measurement patterns
- Verify fidelity against expected baseline
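One way to implement the Step 3 cross-validation, as an added example (not code from the paper or from this skill's references). It assumes the server knows the expected outcome distribution of a small probe circuit and that each client returns raw shot counts; the function names, the `delta` parameter, and the sample counts are constructed for illustration. Because measurement stochasticity gives cover to small perturbations, the flag threshold is derived from a finite-shot deviation bound rather than fixed by hand.

```python
import math

def to_probs(counts):
    """Normalize a {bitstring: count} histogram to probabilities."""
    shots = sum(counts.values())
    return {b: c / shots for b, c in counts.items()}

def tvd(p, q):
    """Total variation distance between two outcome distributions."""
    return 0.5 * sum(abs(p.get(b, 0.0) - q.get(b, 0.0)) for b in set(p) | set(q))

def hellinger_fidelity(p, q):
    """Classical fidelity: squared Bhattacharyya coefficient."""
    return sum(math.sqrt(p.get(b, 0.0) * q.get(b, 0.0)) for b in set(p) | set(q)) ** 2

def shot_noise_bound(n_qubits, shots, delta=0.01):
    """TVD that honest sampling exceeds with probability at most delta.
    Uses P(|p_hat - p|_1 >= eps) <= 2^k * exp(-shots * eps^2 / 2), k = 2**n_qubits."""
    k = 2 ** n_qubits
    eps = math.sqrt(2.0 * (k * math.log(2) + math.log(1.0 / delta)) / shots)
    return 0.5 * eps

def verify_clients(baseline, client_counts, delta=0.01):
    """Compare each client's measured distribution with the expected baseline."""
    n_qubits = len(next(iter(baseline)))
    report = {}
    for cid, counts in client_counts.items():
        p = to_probs(counts)
        bound = shot_noise_bound(n_qubits, sum(counts.values()), delta)
        dist = tvd(p, baseline)
        report[cid] = {"tvd": dist, "fidelity": hellinger_fidelity(p, baseline),
                       "bound": bound, "flagged": dist > bound}
    return report

# Constructed sample data: a 2-qubit Bell-state probe, 1000 shots per client.
BASELINE = {"00": 0.5, "11": 0.5}
CLIENT_COUNTS = {
    "client_a": {"00": 507, "11": 493},                     # shot noise only
    "client_b": {"00": 489, "11": 503, "01": 5, "10": 3},   # small readout error
    "client_c": {"00": 620, "11": 380},                     # skewed outcomes
}

if __name__ == "__main__":
    for cid, row in verify_clients(BASELINE, CLIENT_COUNTS).items():
        print(cid, {k: round(v, 4) if isinstance(v, float) else v for k, v in row.items()})
```

The bound grows with the number of outcomes, so this check is only informative for probe circuits on a few qubits or with many shots. In the sample data the skewed client still has a fidelity above 0.98, so the fidelity value is reported alongside the distance and is not used as the flag.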
Step 4: Circuit Sanitization
For flagged circuits:
- Apply circuit decomposition to isolate suspicious subcircuits
- Replace or remove anomalous components
- Retrain with sanitized circuits
Activation Keywords
- quantum federated learning security
- QFL backdoor detection
- quantum circuit backdoor
- federated quantum computing security
- variational circuit integrity
- 量子联邦学习安全
- 量子电路后门
- quantum ML trustworthiness
Error Handling
- If circuit analysis is too complex: decompose into smaller subcircuits for analysis
- If gradient data is unavailable: fall back to circuit structure-only analysis
References
- arXiv:2605.27416 - Can Quantum Federated Learning Withstand Circuit-Level Backdoors?