Quantum Federated Learning Vulnerable to Circuit-Level Backdoor Attacks
A new study proposes the Circuit-Level Backdoor Threat (CULT) model, formalizing four stealthy attacks—Grover, Pauli, Bit-flip, and Sign-flip—that exploit quantum-aware mechanisms in Quantum Federated Learning (QFL). These attacks can be launched by malicious clients during training or after deployment, critically undermining the learning process. The research provides theoretical proof of stealthiness under standard smoothness assumptions. Experiments on MNIST and CIFAR-10 datasets with non-IID splits show that even a single malicious client can cause severe accuracy degradation under FedAvg aggregation. Popular defenses like Krum and Multi-Krum are tested but found insufficient. The work highlights a fundamental vulnerability in QFL systems.
Key facts
- CULT model formalizes four quantum-aware backdoor attacks: Grover, Pauli, Bit-flip, Sign-flip
- Attacks exploit variational circuit training and measurement-driven gradients
- Malicious clients can operate on both in-training and post-training surfaces
- Theoretical foundation demonstrates attack stealthiness under smoothness assumptions
- Experiments on MNIST and CIFAR-10 with non-IID splits and varying fractions of malicious clients
- Single malicious client can induce severe accuracy degradation under FedAvg aggregation
- Popular defenses including Krum, Multi-Krum are evaluated
- QFL inherits vulnerability of federated optimization to malicious clients
Entities
—