Understanding Side-Channel Vulnerabilities in Superconducting Qubit Readout Architectures

TL;DR

This work investigates information leakage in superconducting qubit readout caused by readout crosstalk within frequency-multiplexed architectures in a multi-tenant quantum cloud setting. Using a five-qubit dataset and two readout discriminators, the authors quantify how state-dependent crosstalk manifests as $P_{flip}$, enabling attackers to predict victim qubit strings with nontrivial accuracy via a linear SVM. They demonstrate that higher discriminator fidelity can unintentionally amplify leakage and show that attacker-victim mappings and the number of attacker qubits influence predictability. The paper discusses defense strategies including circuit sandboxing, randomized qubit mappings, and scrambling techniques, highlighting the practical trade-offs for secure, scalable quantum cloud services. Overall, the results underscore the need for security-aware hardware sharing as quantum processors scale, with actionable mitigations to safeguard confidentiality in multi-tenant deployments.

Abstract

Frequency-multiplexing is an effective method to achieve resource-efficient superconducting qubit readout. Allowing multiple resonators to share a common feedline, the number of cables and passive components involved in the readout of a qubit can be drastically reduced. However, this improvement in scalability comes at the price of a crucial non-ideality -- an increased readout crosstalk. Prior works have targeted building better devices and discriminators to reduce its effects, as readout-crosstalk-induced qubit measurement errors are detrimental to the reliability of a quantum computer. However, in this work, we show that beyond the reliability of a system, readout crosstalk can introduce vulnerabilities in a system being shared among multiple users. These vulnerabilities are directly related to correlated errors due to readout crosstalk. These correlated errors can be exploited by nefarious attackers to predict the state of the victim qubits, resulting in information leakage.

Figures (5)

• Figure 1: The left panel depicts a graphical representation of a side-channel attack on a nine-qubit quantum processor utilizing readout crosstalk. On the right panel is a circuit schematic featuring five superconducting transmon qubits Lienhard2022. In this schematic, the qubit transition frequencies are controlled via a global flux bias. Each qubit is capacitively linked to a quarter-wave readout resonator, which is inductively coupled to a bandpass (Purcell) filtered feedline.
• Figure 2: An example attack configuration A123A. 'A' denotes malicious attacker qubits, and the numbers indicate victim qubits.
• Figure 3: (a) - (h) $P_{flip}$ for different attack configurations -- the horizontal dashed line represents the average excitation error rate for the qubits being used as the attacker ($A$); (i) Classification accuracy of a simple SVM classifier predicting the victim bit-strings given the attack configuration and $P_{flip}$ for different readout discriminators (MF: Standard Matched Filter PhysRevA.91.022118; HERQULES: Maurya2023).
• Figure 4: Presumed map of qubit groups for frequency-multiplexed readout in the Sycamore quantum processor quantumsupremacy_nature_2019.
• Figure 5: GHZ circuit with output scrambling using a one-time pad $X \otimes I\otimes X \otimes I$.