
arxiv: 2605.25066 · v1 · pith:X5VUKQZLnew · submitted 2026-05-24 · 🪐 quant-ph · cs.CR · cs.LG

QML-PipeGuard: Drift-Aware Behavioral Fingerprinting for Quantum Machine Learning Pipeline Integrity

Pith reviewed 2026-06-30 00:46 UTC · model grok-4.3

classification 🪐 quant-ph · cs.CR · cs.LG
keywords quantum machine learning, pipeline integrity, behavioral fingerprinting, channel substitution, drift detection, observable contract, quantum verification, tomographic measurements

The pith

QML-PipeGuard detects substituted quantum channels as violations of an observable contract while absorbing benign hardware drift.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces QML-PipeGuard to address integrity risks in deployed quantum machine learning pipelines on cloud hardware. It defines a behavioral fingerprint as the vector of expectation values from a tomographically structured measurement family and uses this to monitor pipelines in two modes. Drift-aware mode absorbs small calibration shifts within a set tolerance, while adversarial mode flags channel substitutions that violate the informationally complete contract. Validation on a two-qubit QSVM pipeline running on IBM Heron r2 hardware shows the sneaky channel is caught with a wide margin using roughly 1.4e4 shots that fit in one batched job. A sympathetic reader cares because QML is entering regulated industries where both natural noise and adversarial substitution threaten correctness.

Core claim

QML-PipeGuard characterizes a QML pipeline at runtime by its behavioral fingerprint, the vector of observable expectation values under a tomographically structured measurement family. It operates in drift-aware monitoring that absorbs benign calibration changes within a calibrated tolerance and adversarial detection that catches channel substitution as a violation of an informationally complete observable contract. The framework contributes a pipeline-composition treatment of the encoder-ansatz-measurement channel with a QML-specific threat model using tight frame-bound C=sqrt(3) for the single-qubit Pauli family, a finite-shot sample-complexity bound, and a tolerance decomposition separatin

What carries the argument

The behavioral fingerprint, defined as the vector of observable expectation values under a tomographically structured measurement family that forms an informationally complete observable contract for the declared channel.

If this is right

  • Runtime checks become feasible for QML pipelines in cloud services because the measurement budget fits inside a single batched job.
  • Natural calibration drift can be separated from adversarial changes through the tolerance decomposition.
  • The same fingerprint catches substitutions that evade weaker contracts while remaining within the calibrated drift bound.
  • Finite-shot bounds make the method practical on current hardware without requiring full tomography.
  • End-to-end validation on real two-qubit QSVM pipelines confirms the safety margin on IBM Heron r2.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could be adapted to monitor larger qubit counts or different ansatz structures by updating the measurement family accordingly.
  • Periodic recalibration of the tolerance parameter might allow the framework to track slowly varying hardware conditions over longer deployments.
  • Combining the observable contract with classical input or output verification layers could produce layered protection for entire QML services.
  • The specific frame-bound value suggests that measurement selection can be optimized for other quantum algorithms facing similar substitution threats.

Load-bearing premise

The chosen tomographically structured measurement family is sufficient to distinguish the declared quantum channel from a behaviorally similar but mathematically distinct substitute under the QML threat model.

What would settle it

A test in which a substituted but behaviorally close channel passes the contract check on the full 1.4e4-shot budget, or in which typical hardware drift between calibrations exceeds the pre-set tolerance without any substitution.

Figures

Figures reproduced from arXiv: 2605.25066 by Esra Yeniaras.

Figure 1: System model and trust boundaries. The model owner declares a specification
Figure 2: Theoretical-foundation stack for the framework. The bottom (shared) layer is the
Figure 3: Per-observable deviation between the honest and sneaky channels on
Figure 4: Empirical TPR (sneaky detection rate) and FPR (honest false-alarm rate) as a
Figure 5: Drift observation on ibm_fez across three timepoints within a single batched submission. Top: the honest fingerprint at each timepoint, plotted with distinct marker shapes and line styles for the three timepoints; the three trajectories nearly coincide, confirming small drift over the run duration. Bottom: pairwise maximum deviations over the complete observable family, with the typical drift d_drift^typ = …

Quantum machine learning (QML) is moving from research prototypes to deployed cloud services. As QML enters regulated industries, the integrity of the quantum stage becomes a practical concern on two fronts: noisy hardware drifts at the channel level between recalibrations, and an adversary with control over the execution environment can substitute the declared quantum channel with a behaviorally similar but mathematically distinct one. Neither concern is covered by existing QML verification work on pulse-level noise, input drift, input-perturbation robustness, or device identity. We introduce QML-PipeGuard, a contract-based framework addressing both concerns under a single mathematical machinery. It characterizes a QML pipeline at runtime by its behavioral fingerprint, the vector of observable expectation values under a tomographically structured measurement family, and operates in two modes: drift-aware monitoring that absorbs benign calibration changes within a calibrated tolerance, and adversarial detection that catches channel substitution as a violation of an informationally complete observable contract. The framework contributes a pipeline-composition treatment of the encoder-ansatz-measurement channel with a QML-specific threat model (tight frame-bound C=sqrt(3) for the single-qubit Pauli family), a finite-shot sample-complexity bound, and a tolerance decomposition separating adversarial and natural-drift contributions. We validate the framework end-to-end on a two-qubit QSVM pipeline on the IBM Heron r2 processor (ibm_fez), with a sample-complexity validation on a noise-matched simulator. The prescribed measurement budget (about 1.4e4 shots) fits in a single batched job, the sneaky channel is detected with a wide safety margin while evading the weak contract, and the typical hardware drift sits within tolerance.
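The contract check the abstract describes, reduced to a single qubit as an added illustration (this is not code from the paper or from Pith). The Bloch vectors, the tolerance values, the Z-only "weak contract", the additive tolerance split and the Hoeffding-based shot count are all constructed assumptions, not the paper's parameters or its bound.

```python
import math
import random

PAULIS = ("X", "Y", "Z")  # informationally complete single-qubit family


def shots_per_observable(eps, delta, n_obs):
    """Hoeffding plus union bound for +/-1 outcomes: with this many shots per
    observable, all n_obs estimates are within eps with probability >= 1 - delta."""
    return math.ceil(2.0 / eps ** 2 * math.log(2.0 * n_obs / delta))


def rotate_z(bloch, phi):
    """Rotate a Bloch vector about the Z axis; <Z> is left unchanged."""
    x, y, z = bloch
    c, s = math.cos(phi), math.sin(phi)
    return (c * x - s * y, s * x + c * y, z)


def estimate_fingerprint(bloch, shots, rng):
    """Finite-shot fingerprint: empirical <X>, <Y>, <Z> from sampled +/-1 outcomes."""
    fingerprint = {}
    for name, expectation in zip(PAULIS, bloch):
        p_plus = (1.0 + expectation) / 2.0
        plus = sum(1 for _ in range(shots) if rng.random() < p_plus)
        fingerprint[name] = (2 * plus - shots) / shots
    return fingerprint


def check_contract(reference, observed, observables, tolerance):
    """Pass if every contracted observable is within tolerance of the reference."""
    deviations = {k: abs(observed[k] - reference[k]) for k in observables}
    worst = max(deviations, key=deviations.get)
    return {"ok": deviations[worst] <= tolerance, "worst": worst,
            "deviation": round(deviations[worst], 4)}


def run_demo(seed=7):
    rng = random.Random(seed)
    # Constructed states (assumptions): declared output, a drifted copy, and a
    # substitute that keeps <Z> but rotates the X/Y components.
    declared = (0.60, 0.00, 0.50)
    reference = dict(zip(PAULIS, declared))
    drifted = tuple(0.99 * c for c in rotate_z(declared, 0.02))
    sneaky = rotate_z(declared, 0.50)

    # Assumed tolerance split: calibrated drift allowance plus shot-noise term.
    eps, delta, drift_tol = 0.05, 1e-3, 0.03
    shots = shots_per_observable(eps, delta, len(PAULIS))
    tolerance = drift_tol + eps

    results = {"shots_per_observable": shots}
    for label, state in (("honest", declared), ("drifted", drifted),
                         ("sneaky", sneaky)):
        observed = estimate_fingerprint(state, shots, rng)
        results[label] = {
            "weak": check_contract(reference, observed, ("Z",), tolerance),
            "full": check_contract(reference, observed, PAULIS, tolerance),
        }
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The substitute passes the Z-only check because a rotation about Z leaves ⟨Z⟩ untouched, and fails the full Pauli contract on ⟨Y⟩; the drifted state stays inside the tolerance under both.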

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces QML-PipeGuard, a contract-based framework for QML pipeline integrity that uses a behavioral fingerprint (vector of observable expectation values under a tomographically structured measurement family) to address both hardware drift and adversarial channel substitution. It provides a pipeline-composition treatment of the encoder-ansatz-measurement channel under a QML-specific threat model with tight frame-bound C=sqrt(3) for the single-qubit Pauli family, a finite-shot sample-complexity bound, and a tolerance decomposition separating adversarial and natural-drift contributions. Validation is reported on a two-qubit QSVM pipeline executed on IBM Heron r2 (ibm_fez) with a prescribed budget of ~1.4e4 shots, claiming detection of a sneaky channel with wide safety margin while absorbing typical hardware drift within tolerance.

Significance. If the central claims hold, the work fills a gap in QML verification by supplying a unified, runtime-applicable machinery for channel-level integrity that is absent from prior work on pulse noise, input drift, or device identity. The finite-shot bound and explicit tolerance decomposition are potentially valuable contributions for practical deployment in regulated settings.

major comments (2)
  1. [pipeline-composition treatment (threat model and frame bound)] The extension of the tight frame-bound C=sqrt(3) from the single-qubit Pauli family to the composed two-qubit encoder-ansatz-measurement channel in the QSVM pipeline is load-bearing for the safety-margin claim but is not derived explicitly. The effective frame operator for the full pipeline may admit a larger constant or reduced density in the substitute manifold, which would collapse the reported separation under finite-shot estimation.
  2. [tolerance decomposition and sample-complexity bound] The tolerance decomposition must be shown to place natural hardware drift inside the calibrated ball while placing behaviorally similar substitutes outside, even after the finite-shot estimation with 1.4e4 shots. Without an explicit statement of how the tomographically structured family remains informationally complete for the specific ansatz and measurement observables, the distinction between the declared channel and a substitute remains an assumption rather than a proven separation.
minor comments (1)
  1. [validation results] The abstract states the measurement budget fits in a single batched job, but the manuscript should clarify the exact partitioning of shots across the tomographically structured family and any overhead from the observable contract evaluation.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful and constructive review. The two major comments identify areas where explicit derivations would strengthen the presentation of the frame bound and informational completeness. We address each point below and will revise the manuscript accordingly.

  1. Referee: [pipeline-composition treatment (threat model and frame bound)] The extension of the tight frame-bound C=sqrt(3) from the single-qubit Pauli family to the composed two-qubit encoder-ansatz-measurement channel in the QSVM pipeline is load-bearing for the safety-margin claim but is not derived explicitly. The effective frame operator for the full pipeline may admit a larger constant or reduced density in the substitute manifold, which would collapse the reported separation under finite-shot estimation.

    Authors: We agree that the manuscript applies the single-qubit bound C=√3 to the two-qubit pipeline without an explicit step-by-step derivation for the composed channel. The bound is invoked because the encoder, ansatz, and measurement are built from local single-qubit operations whose frame properties are preserved under the pipeline composition and the chosen threat model. To resolve the concern, the revised manuscript will contain a dedicated derivation showing that the effective frame operator of the full encoder-ansatz-measurement channel retains the tight constant C=√3 and that the substitute manifold density does not increase sufficiently to erase the reported separation at the 1.4e4-shot budget.

    Revision: yes

  2. Referee: [tolerance decomposition and sample-complexity bound] The tolerance decomposition must be shown to place natural hardware drift inside the calibrated ball while placing behaviorally similar substitutes outside, even after the finite-shot estimation with 1.4e4 shots. Without an explicit statement of how the tomographically structured family remains informationally complete for the specific ansatz and measurement observables, the distinction between the declared channel and a substitute remains an assumption rather than a proven separation.

    Authors: The tolerance decomposition and finite-shot bound are stated in the manuscript, with the tomographically structured family selected to span the relevant observable space. We acknowledge that an explicit argument tying informational completeness to the concrete QSVM ansatz and observables is not supplied. The revised version will add a short proof that the chosen measurement family remains informationally complete after the ansatz, thereby establishing that natural drift lies inside the calibrated ball while behaviorally similar substitutes lie outside, even after accounting for the estimation variance at ~1.4e4 shots. The existing simulator and hardware results are consistent with this separation but will be accompanied by the missing theoretical statement.

    Revision: yes

Circularity Check

0 steps flagged

No circularity: claims rest on independent tomographic contract and frame bound


The derivation introduces a behavioral fingerprint via tomographically structured observables, a QML threat model with explicit C=sqrt(3) bound on the single-qubit Pauli family, a pipeline-composition treatment, finite-shot bound, and tolerance decomposition. These are presented as external mathematical machinery applied to the encoder-ansatz-measurement channel; the hardware validation on ibm_fez with ~1.4e4 shots supplies an independent empirical check. No equation reduces a prediction to a fitted input by construction, no load-bearing premise collapses to a self-citation, and the frame-bound extension is stated rather than smuggled via prior author work. The central separation of drift versus substitution therefore remains non-circular.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 2 invented entities

The framework rests on quantum information assumptions about informational completeness of the measurement family and introduces new concepts for fingerprinting and contracts without independent evidence beyond the validation description.

axioms (1)
  • domain assumption The single-qubit Pauli family forms a tight frame with bound C=sqrt(3) sufficient for an informationally complete observable contract
    Invoked in the QML-specific threat model for distinguishing channels.
invented entities (2)
  • behavioral fingerprint no independent evidence
    purpose: Vector of observable expectation values under tomographically structured measurements to characterize the QML pipeline
    Core new concept for runtime monitoring and detection.
  • observable contract no independent evidence
    purpose: Defines expected behavior to catch adversarial substitution while tolerating drift
    Central to the adversarial detection mode.

pith-pipeline@v0.9.1-grok · 5843 in / 1301 out tokens · 46267 ms · 2026-06-30T00:46:58.808410+00:00 · methodology
