arxiv: 2605.13796 · v1 · submitted 2026-05-13 · 🪐 quant-ph · cs.CR

Recognition: no theorem link

Backdoor Threats in Variational Quantum Circuits: Taxonomy, Attacks, and Defenses

Fan Chen, Lei Jiang

Authors on Pith no claims yet

Pith reviewed 2026-05-14 17:45 UTC · model grok-4.3

classification 🪐 quant-ph cs.CR

keywords backdoor attacksvariational quantum circuitsquantum securityNISQthreat modelsdata poisoningquantum defensescompiler attacks

0 comments

The pith

A survey classifies backdoor attacks on variational quantum circuits into data-poisoning, compiler-level, and quantum-native categories while reviewing their mechanisms and current defenses.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper surveys security vulnerabilities in variational quantum circuits, a core component of noisy intermediate-scale quantum algorithms. It formalizes terminology and threat models for backdoor attacks that stay dormant until activated by specific triggers, leading to corrupted outputs or manipulated results. The survey organizes existing attacks into three main types and examines their empirical behaviors along with detection and mitigation strategies. It notes that many current defenses fall short against quantum-specific threats in hybrid quantum-classical systems. The work synthesizes recent advances to map the evolving risk landscape and point to open challenges in building stronger protections.

Core claim

The central claim is that backdoor threats in variational quantum circuits arise through data-poisoning, compiler-level, and quantum-native mechanisms, each with distinct characteristics, and that existing detection and defense methods have notable limitations especially against quantum-native attacks, requiring the development of more robust quantum-aware approaches.

What carries the argument

The three-category taxonomy of backdoor attacks (data-poisoning, compiler-level, and quantum-native) that organizes threat models, attack strategies, and defense analyses.

If this is right

Defenses must be extended beyond classical methods to handle quantum-native triggers and manipulations.
Hybrid quantum-classical systems require new detection techniques that account for circuit compilation and quantum hardware specifics.
Limitations in current approaches highlight the need for proactive design of secure variational quantum circuits from the outset.
Empirical attack characteristics can inform the creation of trigger-robust training procedures for quantum models.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

If the taxonomy proves stable, it could serve as a foundation for standard security benchmarks in quantum machine learning applications.
Gaps in quantum-specific defenses suggest that hardware-level monitoring may become necessary as circuit sizes grow beyond current NISQ scales.
The formalized threat models could extend to related variational algorithms in optimization and simulation tasks.

Load-bearing premise

The survey assumes the reviewed body of prior literature is representative and that the proposed three-category taxonomy captures the full range of backdoor threats without major omissions.

What would settle it

The discovery of a backdoor attack on variational quantum circuits that cannot be placed into any of the three categories (data-poisoning, compiler-level, or quantum-native) would show the taxonomy is incomplete.

Figures

Figures reproduced from arXiv: 2605.13796 by Fan Chen, Lei Jiang.

**Figure 2.** Figure 2: The complete flow of backdoor attacks against VQCs. [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗

**Figure 3.** Figure 3: The working mechanism of QDoor [3]. Instead, adversaries manipulate compilation stages—such as transpilation, gate decomposition, and synthesis—to insert additional operations or alter circuit structures in a manner that encodes backdoor behavior. As a result, the trojan is introduced transparently during compilation, evading data-centric and training-time defenses. Some approaches [3] further combine co… view at source ↗

**Figure 4.** Figure 4: (a), ZNE estimates noise-free expectation values by evaluating circuits under scaled noise levels and extrapolating to the zero-noise limit. The attack perturbs circuit parameters so that individual noisy evaluations appear consistent, while the extrapolation process becomes systematically biased, as highlighted in [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗

read the original abstract

Variational quantum algorithms (VQAs) are a central paradigm for noisy intermediate-scale (NISQ) quantum computing, yet their reliance on predesigned and pretrained variational quantum circuits (VQCs) introduces critical security vulnerabilities, particularly backdoor attacks. These attacks embed hidden malicious behaviors that remain dormant under normal conditions but are activated by specific triggers, leading to adversarial outcomes such as incorrect predictions or manipulated objective values. This paper presents a survey of backdoor attacks in VQCs, covering data-poisoning, compiler-level, and quantum-native mechanisms. We formalize key terminology and threat models, and review existing attack strategies along with their empirical characteristics. We also analyze current detection and defense approaches, highlighting their limitations, especially against quantum-specific threats. By synthesizing recent advances, this survey outlines the evolving security landscape of VQCs and identifies key challenges and future directions for developing robust, quantum-aware defenses in hybrid quantum-classical systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This survey organizes backdoor threats to variational quantum circuits into three categories and formalizes threat models, but adds no new attacks or experiments.

read the letter

This paper is a survey that splits backdoor attacks on variational quantum circuits into data-poisoning, compiler-level, and quantum-native types. It formalizes terminology and threat models, then reviews existing attack strategies along with their reported characteristics and the limits of current defenses, especially against quantum-specific triggers. The synthesis pulls together work on how these attacks can manipulate predictions or objective values in NISQ devices while staying dormant otherwise. That organization is the main value, since it maps how classical backdoor ideas translate to hybrid quantum-classical setups and flags where defenses fall short. The three-category split clarifies differences between poisoning training data, tampering at the compiler stage, and native quantum mechanisms, which could help researchers prioritize defenses. The discussion of empirical traits from prior studies and the call for quantum-aware approaches is straightforward and practical. The soft spots are the lack of any new attacks, measurements, or derivations. Everything rests on the completeness of the cited literature, so gaps in coverage would weaken the taxonomy without the authors adding fresh checks. No original data or code is presented, which limits how much new insight it supplies beyond consolidation. This is for people working on variational quantum algorithms or quantum machine learning security who want a consolidated view of risks rather than a deep dive into one attack. It would be useful background for anyone designing robust VQCs. I would send it to peer review because it consolidates scattered results and points to open problems in an area that is still forming, even if the contribution stays organizational.

Referee Report

2 major / 2 minor

Summary. The manuscript surveys backdoor threats in variational quantum circuits (VQCs) used in variational quantum algorithms for NISQ devices. It proposes a taxonomy of attacks divided into data-poisoning, compiler-level, and quantum-native mechanisms; formalizes terminology and threat models; reviews existing attack strategies together with their empirical characteristics; and analyzes detection and defense methods while highlighting their limitations, especially for quantum-specific threats. The paper synthesizes recent literature, outlines the evolving security landscape, and identifies open challenges and future directions for robust, quantum-aware defenses in hybrid quantum-classical systems.

Significance. If the taxonomy is representative and the reviewed literature accurately characterized, the survey provides a timely synthesis of an emerging security topic at the intersection of quantum computing and adversarial machine learning. Formalizing threat models and cataloging attack/defense trade-offs can help structure future work on securing VQCs. The explicit discussion of quantum-native mechanisms and their defense gaps is a useful contribution for guiding research in this nascent area.

major comments (2)

[Taxonomy section] Taxonomy section: the three-way split into data-poisoning, compiler-level, and quantum-native attacks is presented as comprehensive, yet the manuscript does not provide an explicit argument or literature-mapping table showing that these categories are mutually exclusive and collectively exhaustive; several reviewed works appear to straddle compiler and quantum-native boundaries, which weakens the taxonomy's utility as an organizing framework.
[Defense limitations analysis] Defense limitations analysis: the claim that existing detection and defense approaches have pronounced limitations against quantum-specific threats is central to the paper's forward-looking contribution, but it rests on qualitative summary rather than a systematic comparison (e.g., success rates or overhead metrics across the cited attacks); without such a table or quantitative synthesis, the strength of the conclusion is difficult to assess.

minor comments (2)

[Abstract and introduction] The abstract states that the survey reviews 'empirical characteristics' of attacks, but the manuscript would benefit from a consolidated table summarizing trigger types, success rates, and overheads for the main attacks discussed.
[Threat model formalization] Notation for threat models (e.g., definitions of trigger, target, and activation conditions) is introduced but used inconsistently in later sections; a single glossary or consistent symbol table would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our survey. We address each major point below and have revised the manuscript to improve clarity and rigor where feasible.

read point-by-point responses

Referee: Taxonomy section: the three-way split into data-poisoning, compiler-level, and quantum-native attacks is presented as comprehensive, yet the manuscript does not provide an explicit argument or literature-mapping table showing that these categories are mutually exclusive and collectively exhaustive; several reviewed works appear to straddle compiler and quantum-native boundaries, which weakens the taxonomy's utility as an organizing framework.

Authors: We appreciate this observation. Our taxonomy organizes attacks by their primary mechanism and insertion stage (data preprocessing, classical compilation, or direct quantum-circuit manipulation), which we view as a natural and useful partition for VQCs. To address the concern, the revised manuscript includes a new literature-mapping table that assigns each cited work to its dominant category, with explicit footnotes for boundary cases (e.g., hybrid compiler-quantum attacks). We maintain that the categories remain mutually exclusive at the level of the core attack vector while acknowledging that some works exhibit secondary effects across boundaries. revision: partial
Referee: Defense limitations analysis: the claim that existing detection and defense approaches have pronounced limitations against quantum-specific threats is central to the paper's forward-looking contribution, but it rests on qualitative summary rather than a systematic comparison (e.g., success rates or overhead metrics across the cited attacks); without such a table or quantitative synthesis, the strength of the conclusion is difficult to assess.

Authors: We agree that a tabular synthesis strengthens the presentation. Because the surveyed papers employ heterogeneous benchmarks, threat models, and metrics, a fully quantitative meta-analysis is not feasible without introducing new experiments. The revision adds a summary table that extracts reported detection success rates, false-positive rates, and computational overheads from the original works wherever available, together with qualitative notes on quantum-specific gaps (e.g., lack of support for superposition triggers). This makes the limitations more transparent while preserving the survey nature of the paper. revision: partial

Circularity Check

0 steps flagged

No circularity: survey synthesis of external literature

full rationale

This is a literature survey paper with no mathematical derivations, equations, parameter fitting, or predictions. The central contribution is a taxonomy (data-poisoning, compiler-level, quantum-native) and formalized threat models synthesized from reviewed prior work. All claims rest on external references; there are no self-referential loops, fitted inputs renamed as predictions, or load-bearing self-citations that reduce the argument to its own inputs. The representativeness of the corpus is a standard survey limitation, not a circularity flaw. No steps meet the criteria for any enumerated circularity kind.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The survey relies on standard terminology and threat models from classical security literature adapted to quantum circuits without introducing new free parameters, axioms beyond domain conventions, or invented entities.

axioms (1)

domain assumption Standard threat models for backdoor attacks can be directly adapted from classical machine learning to variational quantum circuits
Invoked when formalizing terminology and threat models in the abstract.

pith-pipeline@v0.9.0 · 5454 in / 1153 out tokens · 28451 ms · 2026-05-14T17:45:16.717071+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

20 extracted references · 3 canonical work pages

[1]

Humble, and Himanshu Thapliyal

Sounak Bhowmik, Travis S. Humble, and Himanshu Thapliyal. 2025. Quantum Properties Trojans (QuPTs) for Attacking Quantum Neural Networks. InIEEE Computer Society Annual Symposium on VLSI, Vol. 1. 1–6

2025
[2]

Marco Cerezo, Andrew Arrasmith, Ryan Babbush, Simon C Benjamin, Suguru Endo, Keisuke Fujii, Jarrod R McClean, Kosuke Mitarai, Xiao Yuan, Lukasz Cincio, and Patrick J. Coles. 2021. Variational Quantum Algorithms.Nature Reviews Physics3, 9 (2021), 625–644

2021
[3]

Cheng Chu, Fan Chen, Philip Richerme, and Lei Jiang. 2023. Qdoor: Exploiting Approximate Synthesis for Backdoor Attacks in Quantum Neural Networks. In IEEE International Conference on Quantum Computing and Engineering, Vol. 1. 1098–1106

2023
[4]

Cheng Chu, Lei Jiang, and Fan Chen. 2025. BVQC: A backdoor-style watermarking scheme for variational quantum circuits. InIEEE International Conference on Quantum Computing and Engineering (QCE), Vol. 1. 700–708

2025
[5]

Cheng Chu, Lei Jiang, Martin Swany, and Fan Chen. 2023. Qtrojan: A Circuit Backdoor Against Quantum Neural Networks. InIEEE International Conference on Acoustics, Speech and Signal Processing. 1–5

2023
[6]

Cheng Chu, Qian Lou, Fan Chen, and Lei Jiang. 2026. QNBAD: Quantum Noise- induced Backdoor Attacks against Zero Noise Extrapolation. InNetwork and Distributed System Security (NDSS) Symposium

2026
[7]

Subrata Das and Swaroop Ghosh. 2024. Trojan attacks on variational quan- tum circuits and countermeasures. InIEEE International Symposium on Quality Electronic Design. 1–8

2024
[8]

Ji Guo, Wenbo Jiang, Rui Zhang, Wenshu Fan, Jiachen Li, Guoming Lu, and Hongwei Li. 2025. Backdoor attacks against Hybrid Classical-Quantum Neural Networks.Neural Networks191 (2025), 107776

2025
[9]

Seenivasan Hariharan, Sachin Kinge, and Lucas Visscher. 2024. Modeling Het- erogeneous Catalysis using Quantum Computers: An Academic and Industry Perspective.Journal of chemical information and modeling65, 2 (2024), 472–511

2024
[10]

William J Huggins, Jarrod R McClean, Nicholas C Rubin, Zhang Jiang, Nathan Wiebe, K Birgitta Whaley, and Ryan Babbush. 2021. Efficient and Noise Resilient Measurements for Quantum Chemistry on Near-Term Quantum Computers.npj Quantum Information7, 1 (2021), 23

work page 2021
[11]

Tyson Jones, Suguru Endo, Sam McArdle, Xiao Yuan, and Simon C Benjamin
[12]

Physical Review A99, 6 (2019), 062304

Variational Quantum Algorithms for Discovering Hamiltonian Spectra. Physical Review A99, 6 (2019), 062304

work page 2019
[13]

P. J. J. O’Malley, R. Babbush, I. D. Kivlichan, J. Romero, J. R. McClean, R. Barends, J. Kelly, P. Roushan, A. Tranter, N. Ding, B. Campbell, Y. Chen, Z. Chen, B. Chiaro, A. Dunsworth, A. G. Fowler, E. Jeffrey, E. Lucero, A. Megrant, J. Y. Mutus, M. Neeley, C. Neill, C. Quintana, D. Sank, A. Vainsencher, J. Wenner, T. C. White, P. V. Coveney, P. J. Love, ...

2016
[14]

Ruslan Shaydulin, Phillip C Lotshaw, Jeffrey Larson, James Ostrowski, and Travis S Humble. 2023. Parameter transfer for quantum approximate optimiza- tion of weighted maxcut.ACM Transactions on Quantum Computing4, 3 (2023), 1–15

2023
[15]

Mårten Skogh, Oskar Leinonen, Phalgun Lolur, and Martin Rahm. 2023. Accel- erating variational quantum eigensolver convergence using parameter transfer. Electronic Structure5, 3 (2023), 035002

2023
[16]

Samson Wang, Enrico Fontana, Marco Cerezo, Kunal Sharma, Akira Sone, Lukasz Cincio, and Patrick J Coles. 2021. Noise-induced Barren Plateaus in Variational Quantum Algorithms.Nature communications12, 1 (2021), 6961

2021
[17]

Shuolei Wang, Zimeng Xiao, Jinjing Shi, Heyuan Shi, Shichao Zhang, and Xue- long Li. 2025. QSentry: Backdoor Detection for Quantum Neural Networks via Measurement Clustering.arXiv preprint arXiv:2511.15376(2025)

work page arXiv 2025
[18]

Min Yang, Xiaolong Guo, and Lei Jiang. 2024. Multi-stage watermarking for quantum circuits. InIEEE International Conference on Quantum Computing and Engineering, Vol. 1. 796–804

2024
[19]

Jiayu Zhao, Lili Yan, Dong Tan, Yan Chang, and Shibin Zhang. 2025. A black- box backdoor attack against quantum neural networks.Quantum Science and Technology10, 3 (2025), 035038

2025
[20]

Jiayu Zhao, Lili Yan, Dong Tan, Yan Chang, and Shibin Zhang. 2026. A Quantum State Backdoor Attack Against Quantum Neural Networks.Advanced Quantum Technologies9, 3 (2026), e00791

2026