Table of Contents
Fetching ...

Fault Injection Attacks on Machine Learning-based Quantum Computer Readout Error Correction

Anthony Etim, Jakub Szefer

TL;DR

This work addresses the security of ML-based quantum readout correction by conducting hardware fault-injection experiments using voltage glitches synchronized to neural-network layers. Using a $5$-qubit, $32$-class readout model implemented on an MCU and controlled via a ChipWhisperer Husky, the authors automate glitch-parameter search with Optuna and quantify layer-wise susceptibility across $96$ fault attempts per configuration. They find strong layer dependence, with early dense layers being significantly more vulnerable ($ ext{up to }27/96$ successful faults) than later layers, and demonstrate that faults can bias readout toward attacker-friendly bitstrings, though targeted steering is challenging in random inputs. The results underscore that ML-based readout and correction form security-critical components of quantum pipelines and motivate lightweight defenses (redundancy, cross-checks, runtime sanity checks, hardware monitors, and jitter) to protect the quantum-classical interface. The work lays a foundation for broader security analyses of quantum readout stacks and suggests future exploration of EM/clock fault-injection and robust defense architectures.

Abstract

Machine-learning (ML) classifiers are increasingly used in quantum computing systems to improve multi-qubit readout discrimination and to mitigate correlated readout errors. These ML classifiers are an integral component of today's quantum computer's control and readout stacks. This paper is the first to analyze the susceptibility of such ML classifiers to physical fault-injection which can result in generation of incorrect readout results from quantum computers. The study targets 5-qubit (thus 32-class) readout error-correction model. Using the ChipWhisperer Husky for physical voltage glitching, this work leverages an automated algorithm for scanning the fault injection parameter search space to find various successful faults in all the layers of the target ML model. Across repeated trials, this work finds that fault susceptibility is strongly layer-dependent: early-layers demonstrate higher rates of misprediction when faults are triggered in them, whereas later layers have smaller misprediction rates. This work further characterizes the resulting readout failures at the bitstring level using Hamming-distance and per-bit flip statistics, showing that single-shot glitches can induce structured readout corruption rather than purely random noise. These results motivate treating ML-based quantum computer readout and readout correction as a security-critical component of quantum systems and highlight the need for lightweight, deployment-friendly fault detection and redundancy mechanisms in the quantum computer readout pipelines.

Fault Injection Attacks on Machine Learning-based Quantum Computer Readout Error Correction

TL;DR

This work addresses the security of ML-based quantum readout correction by conducting hardware fault-injection experiments using voltage glitches synchronized to neural-network layers. Using a -qubit, -class readout model implemented on an MCU and controlled via a ChipWhisperer Husky, the authors automate glitch-parameter search with Optuna and quantify layer-wise susceptibility across fault attempts per configuration. They find strong layer dependence, with early dense layers being significantly more vulnerable ( successful faults) than later layers, and demonstrate that faults can bias readout toward attacker-friendly bitstrings, though targeted steering is challenging in random inputs. The results underscore that ML-based readout and correction form security-critical components of quantum pipelines and motivate lightweight defenses (redundancy, cross-checks, runtime sanity checks, hardware monitors, and jitter) to protect the quantum-classical interface. The work lays a foundation for broader security analyses of quantum readout stacks and suggests future exploration of EM/clock fault-injection and robust defense architectures.

Abstract

Machine-learning (ML) classifiers are increasingly used in quantum computing systems to improve multi-qubit readout discrimination and to mitigate correlated readout errors. These ML classifiers are an integral component of today's quantum computer's control and readout stacks. This paper is the first to analyze the susceptibility of such ML classifiers to physical fault-injection which can result in generation of incorrect readout results from quantum computers. The study targets 5-qubit (thus 32-class) readout error-correction model. Using the ChipWhisperer Husky for physical voltage glitching, this work leverages an automated algorithm for scanning the fault injection parameter search space to find various successful faults in all the layers of the target ML model. Across repeated trials, this work finds that fault susceptibility is strongly layer-dependent: early-layers demonstrate higher rates of misprediction when faults are triggered in them, whereas later layers have smaller misprediction rates. This work further characterizes the resulting readout failures at the bitstring level using Hamming-distance and per-bit flip statistics, showing that single-shot glitches can induce structured readout corruption rather than purely random noise. These results motivate treating ML-based quantum computer readout and readout correction as a security-critical component of quantum systems and highlight the need for lightweight, deployment-friendly fault detection and redundancy mechanisms in the quantum computer readout pipelines.
Paper Structure (26 sections, 12 figures, 6 tables, 1 algorithm)

This paper contains 26 sections, 12 figures, 6 tables, 1 algorithm.

Figures (12)

  • Figure 1: Overview and setup for evaluation of physical fault injection against ML model that performs quantum computer error correction. The host PC orchestrates inference queries and logging. ChipWhisperer Husky injects a voltage glitches on the target’s supply rail, aligned to a trigger emitted by the target at the start of a chosen neural network layer. Each trial returns a predicted $5$-bit class and a status (correct, misprediction, or reset or hang).
  • Figure 2: Points where successful voltage glitches were found in Layer 1: Dense 1 layer.
  • Figure 3: Points where successful voltage glitches were found in Layer 2: ReLU 1 layer
  • Figure 4: Points where successful voltage glitches were found in Layer 3: Dense 2 layer
  • Figure 5: Points where successful voltage glitches were found in Layer 4: ReLU 2 layer
  • ...and 7 more figures