
Adversarial Data Poisoning Attack on Quantum Machine Learning in the NISQ Era

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

With the growing interest in Quantum Machine Learning (QML) and the increasing availability of quantum computers through cloud providers, addressing the potential security risks associated with QML has become an urgent priority. One key concern in the QML domain is the threat of data poisoning attacks in the current quantum cloud setting. Adversarial access to training data could severely compromise the integrity and availability of QML models. Classical data poisoning techniques require significant knowledge and training to generate poisoned data, and lack noise resilience, making them ineffective for QML models in the Noisy Intermediate Scale Quantum (NISQ) era. In this work, we first propose a simple yet effective technique to measure intra-class encoder state similarity (ESS) by analyzing the outputs of encoding circuits. Leveraging this approach, we introduce a Quantum Indiscriminate Data Poisoning attack, QUID. Through extensive experiments conducted in both noiseless and noisy environments (e.g., IBM_Brisbane's noise), across various architectures and datasets, QUID achieves up to accuracy degradation in model performance compared to baseline models and up to accuracy degradation compared to random label-flipping. We also tested QUID against state-of-the-art classical defenses, with accuracy degradation still exceeding , demonstrating its effectiveness. This work represents the first attempt to reevaluate data poisoning attacks in the context of QML.

Original language: English (US)
Title of host publication: GLSVLSI 2025 - Proceedings of the Great Lakes Symposium on VLSI 2025
Publisher: Association for Computing Machinery
Pages: 976-981
Number of pages: 6
ISBN (Electronic): 9798400714962
DOIs:
State: Published - Jun 29 2025
Event: 35th Edition of the Great Lakes Symposium on VLSI 2025, GLSVLSI 2025 - New Orleans, United States
Duration: Jun 30 2025 - Jul 2 2025

Publication series

Name: Proceedings of the ACM Great Lakes Symposium on VLSI, GLSVLSI

Conference

Conference: 35th Edition of the Great Lakes Symposium on VLSI 2025, GLSVLSI 2025
Country/Territory: United States
City: New Orleans
Period: 6/30/25 - 7/2/25

All Science Journal Classification (ASJC) codes

  • General Engineering
