
arxiv: 2511.14989 · v4 · pith:TZET5MLRnew · submitted 2025-11-19 · 💻 cs.CR

SoK: Critical Evaluation of Quantum Machine Learning for Adversarial Robustness

Pith reviewed 2026-05-25 07:36 UTC · model grok-4.3

classification 💻 cs.CR
keywords quantum machine learning · adversarial robustness · systematization of knowledge · QMLP · amplitude encoding · angle encoding · poisoning attacks · evasion attacks

The pith

Quantum machine learning models show a clear accuracy-robustness tradeoff, with amplitude encoding achieving top clean accuracy but failing under attacks and noise while shallow angle encoding holds steadier.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper conducts the first broad systematization of knowledge on adversarial robustness in quantum machine learning by implementing five attacks across black-box, gray-box, and white-box settings. It trains quantum multilayer perceptrons on MNIST and AZ-Class data using angle and amplitude encoding at varying circuit depths. Evaluations demonstrate that amplitude encoding reaches the highest clean accuracy yet drops sharply under perturbations and depolarizing noise, whereas shallow angle-encoded models resist better. QMLP models outperform classical counterparts against label-flipping but prove more vulnerable to gradient-based evasion. The work ends by outlining a threat-aware, noise-resilient deployment approach.

Core claim

Our evaluations reveal a fundamental accuracy-robustness trade-off. Amplitude encoding achieves the highest clean accuracy (92.6% on MNIST and 67% on AZ-Class) but collapses under adversarial perturbations and depolarizing noise, whereas shallow angle-encoded models remain more stable. QMLP models are more robust than CMLP models under label-flipping attacks but substantially more vulnerable to gradient-based evasion.

What carries the argument

Quantum Multilayer Perceptron (QMLP) trained with angle and amplitude encoding schemes, evaluated under five attacks spanning label-flipping poisoning, encoder-level indiscriminate poisoning, proxy-model clean-label backdoor, circuit-level backdoor (QTrojan), and gradient-based FGSM/PGD evasion.
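To make the two encoding schemes concrete, here is an added illustration (not code from the paper or its authors) that encodes a constructed four-feature input by amplitude and by angle encoding, measures how far a bounded input perturbation moves each encoded state, and shows how global depolarizing noise contracts a Z readout of the kind a QMLP classifies from. The input, the sign pattern, the perturbation size and the noise level are made-up values, and every function name is an assumption of this illustration. It does not reproduce the paper's experiments or its robustness ranking, which come from training a QMLP end to end; it only exposes the quantities such an evaluation works with.

```python
import math
from typing import Dict, List, Sequence

# Constructed sample input: four "pixel" features in [0, 1], standing in for a
# tiny downsampled image of the kind the paper feeds its QMLP.
X_CLEAN = [0.1, 0.5, 0.9, 0.3]
# Constructed bounded perturbation: every feature moves by EPS in the direction
# given by SIGNS (an arbitrary sign pattern chosen for this illustration).
EPS = 0.1
SIGNS = [1.0, -1.0, 1.0, -1.0]


def amplitude_encode(x: Sequence[float]) -> List[float]:
    """Amplitude encoding: zero-pad x to length 2**n and L2-normalise it so the
    entries are the amplitudes of an n-qubit state (n = ceil(log2(len(x)))).
    Real inputs give real amplitudes, so plain floats suffice. The normalisation
    step is what makes the encoded state depend on the whole input at once."""
    n_qubits = max(1, math.ceil(math.log2(len(x))))
    dim = 2 ** n_qubits
    padded = list(x) + [0.0] * (dim - len(x))
    norm = math.sqrt(sum(v * v for v in padded))
    if norm == 0.0:
        raise ValueError("an all-zero vector has no amplitude encoding")
    return [v / norm for v in padded]


def angle_encode(x: Sequence[float]) -> List[float]:
    """Angle encoding: feature i is the angle of an RY rotation on qubit i,
    RY(x_i)|0> = cos(x_i/2)|0> + sin(x_i/2)|1>. The state is the Kronecker
    product of these single-qubit states, so it uses len(x) qubits."""
    state = [1.0]
    for xi in x:
        qubit = [math.cos(xi / 2.0), math.sin(xi / 2.0)]
        state = [a * b for a in state for b in qubit]  # leftmost factor first
    return state


def fidelity(psi: Sequence[float], phi: Sequence[float]) -> float:
    """|<psi|phi>|^2 for real normalised state vectors: 1 means identical,
    0 means orthogonal. It measures how far a perturbation moved the state."""
    if len(psi) != len(phi):
        raise ValueError("state dimensions differ")
    return sum(a * b for a, b in zip(psi, phi)) ** 2


def perturb(x: Sequence[float], eps: float, signs: Sequence[float]) -> List[float]:
    """Bounded perturbation: each feature moves by eps in the given direction."""
    return [xi + eps * s for xi, s in zip(x, signs)]


def encoding_fidelities(x: Sequence[float], eps: float,
                        signs: Sequence[float]) -> Dict[str, float]:
    """Fidelity between the encodings of x and of its perturbed copy, per scheme."""
    xp = perturb(x, eps, signs)
    return {
        "amplitude": fidelity(amplitude_encode(x), amplitude_encode(xp)),
        "angle": fidelity(angle_encode(x), angle_encode(xp)),
    }


def angle_fidelity_closed_form(eps: float, signs: Sequence[float]) -> float:
    """For RY angle encoding the overlap factorises per qubit,
    <RY(a)0|RY(a+d)0> = cos(d/2), so the fidelity is prod cos^2(d_i/2):
    it depends only on the perturbation, never on the input x."""
    return math.prod(math.cos(eps * s / 2.0) ** 2 for s in signs)


def z_expectation(state: Sequence[float], qubit: int, n_qubits: int) -> float:
    """<Z> on one qubit of a real state vector (qubit 0 = leftmost factor).
    A QMLP reads its class scores out of expectations like this one."""
    total = 0.0
    for k, amp in enumerate(state):
        bit = (k >> (n_qubits - 1 - qubit)) & 1
        total += amp * amp * (1.0 - 2.0 * bit)
    return total


def depolarized_expectation(value: float, p: float) -> float:
    """Global depolarizing noise rho -> (1-p) rho + p I/d: the identity part is
    traceless against Z, so every Pauli readout is scaled by (1-p). The class
    margin shrinks toward 0 as p grows, whichever encoding produced the state."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return (1.0 - p) * value


if __name__ == "__main__":
    print("fidelities after perturbation:", encoding_fidelities(X_CLEAN, EPS, SIGNS))
    print("angle closed form:", angle_fidelity_closed_form(EPS, SIGNS))
    z = z_expectation(angle_encode(X_CLEAN), 0, len(X_CLEAN))
    print("<Z_0> clean vs depolarized p=0.2:", z, depolarized_expectation(z, 0.2))
```

The closed-form check is the instructive part: under angle encoding the distance a perturbation moves the state is fixed by the perturbation alone, while under amplitude encoding it depends on the input through the normalisation, so any robustness audit of an amplitude-encoded model has to be run on the actual inputs rather than reasoned about per feature. The depolarizing function shows why a noise sweep matters for both: it contracts the readout margin uniformly, so a model whose clean margins are small loses its decisions first.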

If this is right

  • Amplitude encoding delivers peak clean accuracy but loses stability once adversarial perturbations or depolarizing noise appear.
  • Shallow angle-encoded circuits maintain better performance across the tested threat models.
  • QMLP resists label-flipping poisoning better than classical MLP yet succumbs more readily to white-box gradient attacks.
  • Circuit-level backdoors such as QTrojan lose effectiveness in multi-class settings.
  • A threat-aware and noise-resilient framework can guide secure QML deployment once the tradeoff is acknowledged.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • Designers may need to select encoding schemes according to expected threat model rather than pursuing maximum accuracy alone.
  • Hardware implementations will require explicit noise mitigation strategies if amplitude encoding is retained for its accuracy benefit.
  • Scalability limits observed for backdoors in multi-class tasks point to a need for attack methods that generalize beyond binary or few-class problems.

Load-bearing premise

The five selected attacks together with the QMLP architecture on MNIST and AZ-Class datasets stand in for the primary adversarial threats facing quantum machine learning systems overall.

What would settle it

A new evaluation on a different dataset or with a sixth attack type in which amplitude encoding maintains both high clean accuracy and high robustness under the same noise levels would falsify the reported tradeoff.

Figures

Figures reproduced from arXiv: 2511.14989 by Jesus Lopez, Md Mahmudul Alam Imon, Mohammad Saidur Rahman, Saeefa Rubaiyet Nowmi, Shahrooz Pouryousef.

  • Figure 2: An SQNN in hybrid quantum-classical architecture. The quantum system contains five small-size quantum devices, four of which work as quantum …
  • Figure 2: Schematic representation of the adversarial attack
  • Figure 3: Workflow Diagram of Experimental Setup.
  • Figure 4: Performance of the QMLP model with varying circuit layers and encoding schemes on the AZ-Class and MNIST …
  • Figure 5: Performance of QMLP under label-flipping (LF) and label-flipping with label-smoothing (LFLS) across datasets (AZ …
  • Figure 6: Attack Success Rate (ASR %) over a range of poison ratios for the QNN under the QUID attack with and without …
  • Figure 7: Performance of QMLP with varying perturbation strengths of the FGSM attack in a noiseless environment.
  • Figure 8: Performance of QMLP with varying perturbation strengths of the PGD attack in a noiseless environment.
  • Figure 9: Proposed Secure and Robust QML Pipeline.

Original abstract

Quantum Machine Learning (QML) integrates quantum computational principles into learning algorithms, offering improved representational capacity and computational efficiency. However, the security and robustness of QML systems remain underexplored, particularly under adversarial conditions. We present the first comprehensive systematization of adversarial robustness in QML, combining conceptual organization with empirical evaluation across black-box, gray-box, and white-box threat models. We implement five representative attacks: a label-flipping poisoning attack under black-box; an encoder-level indiscriminate poisoning attack and a proxy-model clean-label backdoor attack under gray-box; and a circuit-level backdoor attack (QTrojan) and gradient-based evasion attacks (FGSM and PGD) under white-box. We evaluate these attacks using a Quantum Multilayer Perceptron (QMLP) trained on MNIST and AZ-Class across circuit depths of 2, 5, 10, and 50 layers with angle and amplitude encoding schemes. Our evaluations reveal a fundamental accuracy-robustness trade-off. Amplitude encoding achieves the highest clean accuracy (92.6% on MNIST and 67% on AZ-Class) but collapses under adversarial perturbations and depolarizing noise, whereas shallow angle-encoded models remain more stable. QUID is effective under noiseless conditions but weakened by noise, while the proxy-model backdoor persists unless the circuit itself is overwhelmed. Furthermore, the circuit-level backdoor fails in the multi-class setting, indicating a scalability limitation. Finally, QMLP models are more robust than Classical Multi-Layer Perceptron (CMLP) models under label-flipping attacks but substantially more vulnerable to gradient-based evasion. We conclude by proposing a threat-aware and noise-resilient framework for secure QML deployment.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript is the first SoK on adversarial robustness in QML. It organizes the literature across black-, gray-, and white-box threat models and reports an empirical evaluation of a Quantum Multilayer Perceptron (QMLP) on MNIST and AZ-Class using angle and amplitude encodings at depths 2/5/10/50. Five attacks are implemented (label-flipping poisoning, encoder-level indiscriminate poisoning, proxy-model clean-label backdoor, circuit-level QTrojan backdoor, and gradient-based FGSM/PGD evasion). The central empirical finding is an accuracy-robustness trade-off: amplitude encoding yields the highest clean accuracy (92.6% MNIST, 67% AZ-Class) but collapses under perturbations and noise, while shallow angle-encoded models are more stable; QMLP is more robust than CMLP to label-flipping but substantially more vulnerable to gradient-based attacks. A threat-aware, noise-resilient deployment framework is proposed.

Significance. If the reported trade-offs are reproducible and the scope limitations are acknowledged, the work would be significant as the first systematic treatment of QML security that pairs conceptual organization with concrete multi-threat experiments. Explicit cross-encoding, cross-depth, and QMLP-vs-CMLP comparisons, together with noise-aware evaluation, provide actionable data points that existing surveys lack. The absence of machine-checked proofs or parameter-free derivations is expected for an empirical SoK, but the reproducibility of the five-attack suite on two datasets is a modest strength.

major comments (3)
  1. [Abstract and empirical evaluation section] Abstract and § on empirical evaluation: the claim that the experiments 'reveal a fundamental accuracy-robustness trade-off' is load-bearing for the paper's main conclusion, yet rests exclusively on QMLP (depths 2/5/10/50, angle/amplitude encoding) trained on MNIST and AZ-Class. No results are shown for other common QML models (quantum kernels, QCNNs, or different variational ansätze); without such evidence or an explicit scope limitation, the qualifier 'fundamental' is not supported by the reported data.
  2. [Abstract and attack-description section] Abstract and attack-description section: the five chosen attacks are presented as 'representative' of black/gray/white-box threats, but the manuscript provides no argument or citation showing that label-flipping, encoder poisoning, proxy backdoor, QTrojan, and FGSM/PGD together cover the dominant threat surface for QML. If other attacks (e.g., quantum-specific measurement attacks or different poisoning strategies) produce qualitatively different trade-offs, the generality of the accuracy-robustness conclusion is undermined.
  3. [Results section comparing QMLP and CMLP] Results section comparing QMLP and CMLP: the statements that 'QMLP models are more robust than CMLP under label-flipping attacks but substantially more vulnerable to gradient-based evasion' are central to the trade-off narrative. The manuscript must specify whether the classical and quantum models were matched on parameter count, effective depth, optimizer, and training-set size; otherwise the comparative robustness claims cannot be interpreted as evidence of an inherent QML property.
minor comments (2)
  1. [Abstract] Abstract: the numbers 92.6% and 67% are given without standard deviations, number of runs, or statistical tests; adding these would clarify whether the reported accuracy differences are reliable.
  2. [Abstract and introduction] Notation: 'QUID' appears without expansion in the abstract; ensure every acronym is defined at first use in the main body.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment below and commit to revisions that strengthen the precision of our claims and clarify scope.

Point-by-point responses
  1. Referee: [Abstract and empirical evaluation section] Abstract and § on empirical evaluation: the claim that the experiments 'reveal a fundamental accuracy-robustness trade-off' is load-bearing for the paper's main conclusion, yet rests exclusively on QMLP (depths 2/5/10/50, angle/amplitude encoding) trained on MNIST and AZ-Class. No results are shown for other common QML models (quantum kernels, QCNNs, or different variational ansätze); without such evidence or an explicit scope limitation, the qualifier 'fundamental' is not supported by the reported data.

    Authors: We agree that the qualifier 'fundamental' overreaches given the exclusive use of QMLP. In revision we will remove the word 'fundamental' from the abstract and empirical evaluation section and insert an explicit scope statement limiting the observed accuracy-robustness trade-off to the QMLP architecture and encodings tested. This change directly addresses the concern while preserving the concrete empirical contribution for this model class. revision: yes

  2. Referee: [Abstract and attack-description section] Abstract and attack-description section: the five chosen attacks are presented as 'representative' of black/gray/white-box threats, but the manuscript provides no argument or citation showing that label-flipping, encoder poisoning, proxy backdoor, QTrojan, and FGSM/PGD together cover the dominant threat surface for QML. If other attacks (e.g., quantum-specific measurement attacks or different poisoning strategies) produce qualitatively different trade-offs, the generality of the accuracy-robustness conclusion is undermined.

    Authors: The point is well taken. We will expand the attack-description section with a short justification, supported by citations to existing QML security surveys, explaining that the five attacks instantiate the principal categories (black-box poisoning, gray-box poisoning/backdoor, white-box backdoor and evasion) that dominate the current literature. We will also note that other attack vectors remain open for future study, thereby qualifying the generality of the reported trade-offs. revision: yes

  3. Referee: [Results section comparing QMLP and CMLP] Results section comparing QMLP and CMLP: the statements that 'QMLP models are more robust than CMLP under label-flipping attacks but substantially more vulnerable to gradient-based evasion' are central to the trade-off narrative. The manuscript must specify whether the classical and quantum models were matched on parameter count, effective depth, optimizer, and training-set size; otherwise the comparative robustness claims cannot be interpreted as evidence of an inherent QML property.

    Authors: We accept that the comparison requires explicit matching details to be interpretable. In the revised results section we will state that both model families were trained with identical optimizer, training-set size, and comparable effective depth, with parameter counts aligned to the extent permitted by the differing architectures. This added specification will allow readers to assess whether the robustness differences reflect architectural properties or experimental setup. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical evaluation with direct experimental outcomes

Full rationale

The paper is an SoK combining literature organization with empirical attack evaluations on QMLP models using MNIST and AZ-Class. All key claims (accuracy-robustness trade-offs, attack effectiveness) are presented as direct results of the described experiments rather than quantities derived from fitted parameters, self-referential definitions, or self-citation chains. No equations, ansätze, uniqueness theorems, or predictions appear that reduce to the paper's own inputs by construction. The work is self-contained as an empirical report against the chosen benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper relies on standard domain assumptions from quantum computing and machine learning but introduces no free parameters, new axioms, or invented entities in the abstract; all evaluated components are drawn from existing techniques.

axioms (1)
  • domain assumption The described quantum circuits and attack implementations are feasible on the hardware or simulator used for the reported experiments.
    The evaluations presuppose that the QMLP, angle/amplitude encodings, and the five attacks can be realized as stated.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. AI Security Research Should Better Incentivize Defense Research

    cs.CR 2026-05 unverdicted novelty 3.0

    AI security research shows biased attack-to-defense ratios, with attacks evaluated under favorable conditions and defenses under stricter standards, resulting in a call to better incentivize defense work.

Reference graph

Works this paper leans on

97 extracted references · 97 canonical work pages · cited by 1 Pith paper · 2 internal anchors


    A. Ghosh and S. ˜Ghosh, “The quantum imitation game: Reverse engi- neering of quantum machine learning models,” inWorkshop on Attacks and Solutions in Hardware Security (ASHES), 2024

  67. [68]

    Hardware trojans in quantum circuits, their impacts, and defense,

    R. Roy, S. Das, and S. Ghosh, “Hardware trojans in quantum circuits, their impacts, and defense,” inInternational Symposium on Quality Electronic Design (ISQED), 2024

  68. [69]

    Characterizing privacy in quantum machine learning,

    J. Heredge, N. Kumar, D. Herman, S. Chakrabarti, R. Yalovetzky, S. H. Sureshbabu, C. Li, and M. Pistoia, “Characterizing privacy in quantum machine learning,”npj Quantum Information, 2025

  69. [70]

    Qumos: A framework for preserving security of quantum machine learning model,

    Z. Wang, J. Li, Z. Hu, B. Gage, E. Iwasawa, and W. Jiang, “Qumos: A framework for preserving security of quantum machine learning model,” inIEEE International Conference on Quantum Computing and Engineering (QCE), 2023

  70. [71]

    Watrous,The Theory of Quantum Information, 2018

    J. Watrous,The Theory of Quantum Information, 2018

  71. [72]

    M. A. Nielsen and I. L. Chuang,Quantum Computation and Quantum Information, 2010

  72. [73]

    Adversarial data poisoning attack on quantum machine learning in the NISQ era,

    S. Kundu and S. Ghosh, “Adversarial data poisoning attack on quantum machine learning in the NISQ era,” inGreat Lakes Symposium on VLSI (GLSVLSI), 2025

  73. [74]

    Locking the design of building blocks for quantum circuits,

    S. M. Saeed, R. Wille, and R. Karri, “Locking the design of building blocks for quantum circuits,”ACM Transactions on Embedded Comput- ing Systems (TECS), 2019

  74. [75]

    OPAQUE: Obfuscating phase in quantum circuit compilation for efficient ip protection,

    A. Rehman, V . Langford, J. John, and Y . Liu, “OPAQUE: Obfuscating phase in quantum circuit compilation for efficient ip protection,” in International Symposium on Quality Electronic Design (ISQED), 2025

  75. [76]

    The MNIST database of handwritten digit images for machine learning research [best of the web],

    L. Deng, “The MNIST database of handwritten digit images for machine learning research [best of the web],”IEEE Signal Processing Magazine, 2012

  76. [77]

    MADAR: Efficient continual learning for malware analysis with diversity-aware replay,

    M. S. Rahman, S. Coull, Q. Yu, and M. Wright, “MADAR: Efficient continual learning for malware analysis with diversity-aware replay,” inConference on Applied Machine Learning in Information Security (CAMLIS). PMLR, 2025

  77. [78]

    PennyLane: Automatic differentiation of hybrid quantum-classical computations

    V . Bergholm, J. Izaac, M. Schuld, C. Gogolin, S. Ahmed, V . Ajith, M. S. Alam, G. Alonso-Linaje, B. AkashNarayanan, A. Asadiet al., “Pennylane: Automatic differentiation of hybrid quantum-classical com- putations,”arXiv preprint arXiv:1811.04968, 2018

  78. [79]

    Qiskit: An open-source framework for quantum computing,

    G. Aleksandrowicz, T. Alexander, P. Barkoutsos, L. Bello, Y . Ben- Haim, D. Bucher, F. J. Cabrera-Hern ´andez, A. Carballo Franquis, C. Chen, J. Chenet al., “Qiskit: An open-source framework for quantum computing,”Zenodo, 2019

  79. [80]

    Expressibility and entan- gling capability of parameterized quantum circuits for hybrid quantum- classical algorithms,

    S. Sim, P. D. Johnson, and A. Aspuru-Guzik, “Expressibility and entan- gling capability of parameterized quantum circuits for hybrid quantum- classical algorithms,”Advanced Quantum Technologies, 2019

  80. [81]

    Quantum adversarial machine learning,

    S. Lu, L.-M. Duan, and D.-L. Deng, “Quantum adversarial machine learning,”Phys. Rev. Res., 2020

Showing first 80 references.