Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers

TL;DR

This work demonstrates a practical crosstalk-based side-channel attack in multi-tenant QaaS on NISQ hardware, showing how an adversary can infer the victim circuit's structure by counting and timing CNOT gates via idle snooping qubits. The authors extract graph-structured features from estimated CNOT connectivity and train a Graph Convolutional Network (GCN) to classify the victim circuit, achieving up to 85.6–85.7% accuracy across 336 benchmarks. They validate the approach on IBMQ devices and analyze factors such as time-resolution, transpilation variability, and fuzziness in gate-detection, while also proposing defense strategies like advanced qubit mapping, dynamic reallocation, and compiler-level obfuscation. The findings highlight significant security implications for Quantum as a Service and motivate concrete hardware-aware mitigations to preserve confidentiality in shared quantum infrastructure.

Abstract

As quantum computing rapidly advances, its near-term applications are becoming increasingly evident. However, the high cost and under-utilization of quantum resources are prompting a shift from single-user to multi-user access models. In a multi-tenant environment, where multiple users share one quantum computer, protecting user confidentiality becomes crucial. The varied uses of quantum computers increase the risk that sensitive data encoded by one user could be compromised by others, rendering the protection of data integrity and confidentiality essential. In the evolving quantum computing landscape, it is imperative to study these security challenges within the scope of realistic threat model assumptions, wherein an adversarial user can mount practical attacks without relying on any heightened privileges afforded by physical access to a quantum computer or rogue cloud services. In this paper, we demonstrate the potential of crosstalk as an attack vector for the first time on a Noisy Intermediate Scale Quantum (NISQ) machine, that an adversarial user can exploit within a multi-tenant quantum computing model. The proposed side-channel attack is conducted with minimal and realistic adversarial privileges, with the overarching aim of uncovering the quantum algorithm being executed by a victim. Crosstalk signatures are used to estimate the presence of CNOT gates in the victim circuit, and subsequently, this information is encoded and classified by a graph-based learning model to identify the victim quantum algorithm. When evaluated on up to 336 benchmark circuits, our attack framework is found to be able to unveil the victim's quantum algorithm with up to 85.7\% accuracy.

Figures (12)

• Figure 1: Figure \ref{['qec']} demonstrates an adversary using sparse connections in the coupling architecture of IBM Quantum devices to induce crosstalk. Figure \ref{['quantumcloud']} depicts our proposed attack model, which leverages this crosstalk to identify the victim circuit. Figure \ref{['threatmodel']} highlights the limitations of existing threat models, emphasizing the need for a practical threat model.
• Figure 2: Operational attack for confidential information extraction in prevalent QaaS environment.
• Figure 3: Qubit connectivity map for (a)IBM Lagos machine (b)IBM Guadalupe machine (c) Representative crosstalk detection circuit.
• Figure 4: (a) Crosstalk Detection Circuits (b) Qubit Connectivity Map (c) Zero counts that quantify the level of crosstalk.
• Figure 5: Output of GCD circuits executed for a total of 10,000 iterations running on snooping qubits 3,4,5,6 of IBM Lagos, while victim qubits 0, 1, 2 runs (a) no CNOT gate, (b) one CNOT gate, (c) two CNOT gates.