Unbreakable? Researchers warn quantum computers have serious security flaws

Quantum computers are expected to deliver extraordinary speed and computing power, with the potential to transform scientific research and business operations. That same power also makes them especially appealing targets for cyberattacks, said Swaroop Ghosh, a professor of computer science and electrical engineering at the Penn State School of Electrical Engineering and Computer Science.

Ghosh and Suryansh Upadhyay, who recently earned his doctorate in electrical engineering from Penn State, coauthored a research paper that outlines several serious security weaknesses affecting today's quantum computing systems. Published online in the Proceedings of the Institute of Electrical and Electronics Engineers (IEEE), the study argues that protecting quantum computers requires more than securing software alone. The physical hardware that runs these systems must also be part of any serious defense strategy.

In a Question and Answer discussion, Ghosh and Upadhyay explained how quantum computers work, why they face unique security challenges, and what steps developers can take to prepare these machines for wider use.

Q: What makes a quantum computer different from a traditional computer?

Ghosh: Traditional computing works using units of information called bits, which you can picture as a light switch in the "on" or "off" position. These positions are assigned values of one or zero, with one representing on and zero representing off. We program computers by using algorithms or educated guesses to develop the best possible solution for a problem, compiling this solution to generate machine-level instructions -- directions specifying which bits need to equal one and which bits need to equal zero -- that the computer follows to execute a task.

Quantum computers are built on quantum bits, or qubits. These qubits are much more versatile than standard bits, capable of effectively representing one, zero or both at the same time, otherwise known as a superposition. These qubits can also be linked to one another, known as entanglement. By incorporating superpositions and entanglement into decision making, quantum computers can process exponentially more data than bit-powered computing systems, while using an equivalent number of qubits.

This is useful for improving workflows in many industries, since quantum computers can process information much faster than traditional computers. One example is the pharmaceutical industry, where quantum computing can quickly process data and predict the efficacy of potential new drugs, significantly streamlining the research and development process. This can save companies billions of dollars and decades spent researching, testing and fabricating innovative drugs.

Q: What are some of the main security vulnerabilities facing quantum computers right now?

Upadhyay: Currently, there is no efficient way to verify the integrity of programs and compilers -- many of which are developed by third parties -- used by quantum computers at scale, which can leave users' sensitive corporate and personal information open to theft, tampering and reverse engineering.

Many quantum computing algorithms have businesses' intellectual property integrated directly in their circuits, which are used to process highly specific problems involving client data and other sensitive information. If these circuits are exposed, attackers can extract company-created algorithms, financial positions or critical infrastructure details. Additionally, the interconnectedness that allows qubits to operate so efficiently inadvertently creates a security vulnerability -- unwanted entanglement, known as crosstalk, can leak information or disrupt computing functions when multiple people use the same quantum processor.

Q: What are current commercial quantum providers doing to address the security concerns? Can they use the same security methods implemented in traditional computers?

Upadhyay: Classical security methods cannot be used because quantum systems behave fundamentally differently from traditional computers, so we believe companies are largely unprepared to address these security faults. Currently, commercial quantum providers are focused on ensuring their systems work reliably and effectively. While optimization can indirectly address some security vulnerabilities, the assets unique to quantum computing, such as circuit topology, encoded data or hardware coded intellectual property systems generally lack end-to-end protection. Since quantum computers are still a relatively new technology, there is not much incentive for attackers to target them, but as the computers are integrated into industry and our day-to-day life, they will become a prime target.

Q: How can developers improve security in quantum computers?

Ghosh: Quantum computers need to be safeguarded from ground up. At the device level, developers should focus on mitigating crosstalk and other sources of noise -- external interference -- that may leak information or impede effective information transfer. At the circuit level, techniques like scrambling and information encoding must be used to protect the data built into the system. At the system level, hardware needs to be compartmentalized by dividing business data into different groups, granting users specific access based on their roles and adding a layer of protection to the information. New software techniques and extensions need to be developed to detect and fortify quantum programs against security threats.

Our hope is that this paper will introduce researchers with expertise in mathematics, computer science, engineering and physics to the topic of quantum security so they can effectively contribute to this growing field.

Other co-authors include Abdullah Ash Saki, who recently received his doctorate in electrical engineering from Penn State. This work was supported by the U.S. National Science Foundation and Intel.