Researchers across the world are today working towards building large-scale quantum computers, e.g., IBM most recently announced their
-Qubit Quantum processor called eagle in 2021[ibm_newsroom_2021]. In parallel research, several schemes are being proposed for sharing quantum computer hardware following ideas of multi-tenancy [10.1145/3410463.3414659, 10.1145/3352460.3358287, 9407180]. These schemes envision throughput optimization by allowing multiple users to run their circuits on the same quantum computer, but using different qubits. Although this idea has a good potential to improve utilization of quantum computer resources, it opens up quantum computers to security threats due to crosstalk errors [saki_abdullah].
Crosstalk errors can occur when one or more qubits are activated, which adversely affects the state of other nearby qubits [osti_1513744]. If the former qubits are controlled by an attacker circuit, and the latter belong to a victim circuit, then the attacker can affect computational results of the victim [10.1145/3370748.3406570].
As this work-in-progress proposes, it may be possible to achieve both multi-tenancy and security by introducing techniques to catch malicious quantum computer programs during compilation, before they are able run on the quantum computer. In particular, quantum computer users today develop their designs in high-level programming languages or in quantum assembly language, which are then transpiled using tools such as Qiskit111 Qiskit is an open-source software development kit for working with quantum computer programs, available at:
Qiskit is an open-source software development kit for working with quantum computer programs, available at:https://qiskit.org/. into circuits that are scheduled and eventually loaded onto quantum computer hardware for execution. During this transpilation process, we propose that antivirus-like software can scan the user’s programs and locate any malicious or suspicious code or circuit patterns. Based on existing work [10.1145/3370748.3406570] and our exploration, quantum CNOT gates can be used to generate crosstalk errors. Following this, antivirus-like software can be used to scan if quantum programs contain suspicious patterns of CNOT gates.
Ii Background and Related Work
Existing quantum computers are prone to different errors such as single-qubit and two-qubit gate errors, decoherence errors, crosstalk errors, and readout errors [Ding2020QuantumCS]. Out of these errors, crosstalk errors are of special interest as they lead to interesting security vulnerabilities [saki_abdullah]. The work from Ghosh et al. [10.1145/3370748.3406570] shows that the crosstalk errors could be used in a fault injection attack. It also showed how an adversary can launch a denial of service attack on a victim circuit using crosstalk errors.
To counter such threats threats, existing work proposes, for example, execution of the target circuit and performing measurements to determine if the target circuits was affected by crosstalk errors from a specific attacker circuit [Sarovar2020detectingcrosstalk]. In contrast, our work-in-progress proposes that malicious circuits could be caught at compile time using an antivirus-like approach, before any circuit is executed on a quantum computer.
Iii Defining and Testing Potential Malicious Quantum Computer Circuits
To design an antivirus program, we first need to define what a virus is to quantum computers. We define a virus to be a malicious circuit that causes the crosstalk errors and affects the output fidelity of another target victim circuit. However, as with classical computer antivirus, the definitions of the virus can be updated and broadened over time as new understanding of potentially malicious circuits is developed. As such, we propose to keep a dynamic library of virus quantum circuits. When a potential attacker circuit is evaluated, we label it as a virus circuit if it indeed causes crosstalk errors in an adjacent victim co-tenant. Patterns of such virus circuits can then be added to a database that the antivirus software uses when scanning for malicious attackers.
Iii-a Finding Malicious Circuit Types
As a preliminary demonstration, we use the -qubit IBM quantum computer ibmq_lima [ibmquantum] for conducting our experiments. The attack example is shown in Figure 1. We use Grover’s -qubit algorithm circuit [team_2021] as the target victim circuit which is fixed on qubits and . For the malicious circuit we use qubits and , and we define different series of CNOT gates as potential malicious circuits, following preliminary work by Ghosh et al.’s work [10.1145/3370748.3406570] which used a series of CNOT as an attack circuit to perform fault injection attack.
We observe that without active attack, the output probability of the Grover’s circuit is. Interestingly, when the attacker circuit is a pure sequence of CNOT gates, we do not notice significant reduction in the . The reason for that is, the transpile function when ran in optimization mode decomposes all CNOT gates and converts them in to a delay value equivalent to all the CNOT gates that are connected in series. If the number of CNOT
gates connected in series are even, the series of gates is converted into delay and scheduled at the beginning of the operation and if it is odd then it is converted in to delay and oneCNOT gate connected in series and scheduled at the beginning of the operation. Interestingly, this result is in contrast to [10.1145/3370748.3406570], which did not seem to consider such existing transipler optimizations and only tested a pure sequence of CNOT gates.
In order to bypass the optimizations, we add delay gates [delay_team] with minimum delay in between each CNOT gate in the malicious circuit as shown in the Figure 2. And we noted that with this approach we were able to bypass the transpile optimizations and preserve the CNOT gates in the malicious circuit. By running this circuit on the quantum device, the output probability value of target circuit is lower than .
We define two parameters to perform further analysis and find more malicious circuits. The first parameter is the delay value from the delay gate [delay_team]. The delay unit we use is which translates to nanoseconds on the IBM quantum computers. The second parameter is that defines the number of gates in the malicious circuit. These malicious circuits are ran alongside Grover’s 2-qubit algorithm in all cases. In the plots, the CNOT gates are labeled as , while the other gates are the Pauli gates , , and , and the gate. The delay gates are labeled as , where is the delay of the delay gate given in units of .
Below we present the experiments performed for three cases of possible malicious circuits: series of CNOT and delay gates in an interleaved fashion, as discussed before, series of only delay gates, and series of interleaved Pauli and delay gates. In all the cases we ran experiments by varying from to , but for brevity we only plot results for from to .
Considering CNOT gates interleaved with delay gates, we ran experiments by fixing delay value to and varying and observe that as increase the output probability of target circuit decreases and it saturates around as shown in Figure 3. We ran similar experiments by fixing delay values to and and notice similar results. We also tried the delay value to be (i.e. no delay) and we notice that the transpiler optimization can be tricked even with the zero delay value and this has the same effect on the output probability as in cases of delay equal , , , as shown in Figure 3.
Considering only delay gates, we used the delay gates as malicious circuits to observe their effect on the target circuit. We ran experiments by varying and observed that there is not any significant change in the output probability of the target circuit as shown in Figure 4. The reason for this is that the transpile function identifies all the unwanted delays and schedules them at the beginning of the circuit and performs the operation of target circuit at the end. We also plot the results where the malicious circuit is series of CNOT gates and delay gates in the same plot to provide a comparison.
Considering Pauli and delay gates, we used the series of Pauli and delay gates connected in interleaved fashion as malicious circuits. We ran experiments by varying and observed that there is some change in the output probability of the target circuit in case of and gates (not as much as in case where malicious circuit is series CNOT and delay gates) and we also observe there is not any significant change in output probability in case of and gates as shown in Figure 5. We plot the results where the malicious circuit is series of CNOT gates and delay gates with delay value in the same plot to provide a comparison.
Iv Towards an Antivirus for Quantum Computers
The preliminary results show that the malicious circuits can be series of CNOT gates interleaved with delay gates. They can also be circuits with interleaved gates such as Pauli and gates, and thus can form a large or even an infinite malicious circuit set. On the other hand, pure delay gates, or and gates do not produce noticeable crosstalk errors. Further, pure sequence of CNOT gates is optimized away, so it does not induce crosstalk errors in the victim circuit. The former patterns that can be malicious could be used as the initial set of virus patterns that should be detected by the antivirus during the transpilation process.
Iv-a Quantum Computer Antivirus as a Qiskit Extension
In order to detect and eliminate harmful circuits, the currently used Qiskit framework for developing quantum computer programs can be extended with the antivirus and pattern matching features.
As one possibility, an algorithm can be developed to count the number of appearances of each pattern in the quantum circuit. With a database of malicious patterns, the antivirus software can scan the user’s code to find and count occurrences of the patterns. For example, as we have identified, when the value is low, there is low impact on the output probability of the victim Grover’s circuit. As result if in a circuit being scanned there is only one CNOT gate followed by a delay, i.e. , then this is likely not a cirucit that could be malicious. But if the count of CNOT gate followed by a delay is greater than or this could be judged as possibly malicious circuit.
To realize the algorithm, both the quantum circuit and the patterns can be described by a set of Qasm instructions [qasm]. Therefore, the problem of quantum circuit matching can be reduced to find the instruction pattern in an instruction list. Compared with conventional string matching problem, the complexity of quantum circuit matching problem lies in the additional qubits (and possibly the classical bits and other parameters) for each instruction. Instructions that are not adjacent in the source code may still be gates in a series as well. There also may be multiple patterns dispersed among different qubits and in different order. Different patterns may cross with each other as well. All these challenges need to be addressed when creating a functional antivirus software for quantum computers.
This work proposes that multi-tenant quantum computers can be protected by developing mechanisms for scanning user’s circuits for malicious patterns. By using an antivirus for preventing attackers from instantiating circuits which could be causing harmful crosstalk errors, secure multi-tenant cloud-based quantum computers can be realized.