Can Quantum Federated Learning Withstand Circuit-Level Backdoors?

Researchers identify critical vulnerabilities in Quantum Federated Learning (QFL) systems through a novel Circuit-Level Backdoor Threat (CULT) model that demonstrates how malicious clients can exploit quantum mechanisms to degrade model accuracy. Existing defense mechanisms fail to fully prevent attacks, with accuracy dropping up to 50% even against popular mitigation strategies like Krum and FLGuardian.

This research exposes fundamental security gaps in quantum federated learning architectures that combine the inherent vulnerabilities of distributed machine learning with quantum-specific attack vectors. The CULT model introduces four stealthy attack mechanisms—Grover, Pauli, Bit-flip, and Sign-flip—that exploit variational circuit training and measurement-driven gradients, enabling malicious actors to degrade model performance while remaining undetected. The study demonstrates that even a single compromised client can severely compromise learning outcomes, challenging assumptions about Byzantine-resilient federated systems.

Quantum federated learning represents an emerging frontier combining quantum computing with distributed AI training, intended to enable privacy-preserving machine learning at scale. However, this research reveals that quantum-specific operations create novel attack surfaces not present in classical federated learning. The experimental validation on MNIST and CIFAR-10 datasets with varying non-IID distributions provides concrete evidence of practical exploitability rather than theoretical vulnerability.

The inability of established defense mechanisms to eliminate worst-case failures poses significant concerns for organizations deploying or planning QFL systems. The finding that malicious updates can mask their presence by maintaining proximity to benign norms indicates attackers could evade statistical detection methods. This creates a trust problem for quantum computing initiatives where clients may be distributed or partially untrusted.

Future research must focus on developing quantum-aware defense mechanisms specifically designed to counter circuit-level attacks. Organizations considering quantum federated learning deployments should treat this work as a prerequisite for understanding current security limitations and designing appropriate validation and monitoring frameworks.

• →Quantum federated learning systems contain exploitable vulnerabilities through circuit-level backdoors that enable accuracy degradation up to 50%
• →A single malicious client can compromise QFL models under standard FedAvg aggregation without being detected
• →Existing Byzantine-robust defenses including Krum and FLGuardian fail to fully prevent CULT attacks in worst-case scenarios
• →Malicious updates can evade detection by maintaining statistical proximity to benign updates
• →Quantum-specific attack mechanisms require new defense strategies beyond classical federated learning protections