- The paper formalizes reproducible builds for quantum computing by adapting classical practices to mitigate non-deterministic transpilation vulnerabilities.
- It demonstrates practical attack vectors that exploit non-determinism for confidentiality and integrity breaches in quantum circuit transpilation.
- The authors propose Qiskit modifications like a buildinfo file and text-based serialization to ensure reproducible and secure quantum artifacts.
This paper formalizes the concept of reproducible builds within quantum computing workflows, generalizing established practices from classical software engineering to address unique challenges in quantum circuit compilation and deployment. The authors introduce threat models targeting both confidentiality and integrity, demonstrate practical attack vectors exploiting non-deterministic transpilation, and propose concrete modifications to the Qiskit SDK to enable reproducible quantum artifacts.
Background: Classical Reproducible Builds and Quantum Software Workflows
Reproducible builds in classical software development ensure that a given source code, when compiled in a controlled environment, produces bitwise-identical binaries. This property is critical for supply chain security, enabling independent verification that distributed executables correspond to audited source code. The paper extends this paradigm to quantum computing, where the "build" process involves transpiling human-readable quantum circuits into hardware-executable artifacts.
Quantum software toolchains typically consist of circuit description (e.g., Qiskit, OpenQASM), transpilation to hardware-specific gate sets, and serialization for submission to quantum cloud backends. The transpilation process is inherently complex, involving multiple stages such as gate decomposition, qubit layout mapping, routing, optimization, and scheduling.
Figure 1: A typical open-source software development workflow, highlighting the separation between source code and distributed binaries.
Figure 2: The quantum computing workflow, from circuit design to transpilation and execution on cloud-based quantum hardware.
Figure 3: The six stages of Qiskit transpilation, each a potential source of non-determinism and attack surface.
Threat Models: Confidentiality and Integrity in Quantum Circuit Transpilation
The paper introduces two explicit threat models:
- Confidentiality: An attacker with access to transpiled circuits (e.g., a malicious cloud provider) can exfiltrate sensitive classical data by covertly encoding it into circuit artifacts during transpilation.
- Integrity: An attacker with knowledge of the target backend's noise model can subtly alter transpiled circuits, degrading computation accuracy or producing incorrect results.
Both models assume the attacker can compromise the transpilation process but not the user's local environment or the quantum backend directly. The attacks are feasible due to the non-deterministic nature of current transpilation pipelines, which produce different artifacts for identical inputs.
Figure 4: Threat model diagram for confidentiality, illustrating the exfiltration of user data via modified transpilation.
Figure 5: Threat model diagram for integrity, showing how circuit modifications can degrade or invalidate quantum computation results.
Attack Vectors: Exploiting Non-Reproducibility in Transpilation Stages
Three attack vectors targeting confidentiality are demonstrated:
- Layout Stage: Data is encoded as a permutation of qubit mappings using Lehmer code, allowing exfiltration of up to ⌊log2n!⌋ bits, where n is the number of physical qubits. This is sufficient to leak cryptographic keys in current devices.
Figure 6: Encoding "Hello World" as a permutation in the layout stage using Lehmer code.
- Init Stage: Arbitrary data is encoded as rotation parameters in auxiliary qubits, surrounded by reset gates to prevent optimization. This method allows unbounded data leakage, limited only by available qubits.
Figure 7: Encoding "Hello Word" as rotation parameters in an auxiliary register during the init stage.
- Scheduling Stage: Data is covertly embedded in the least significant bytes of RZ gate angles, exploiting the insensitivity of noisy hardware to small parameter changes. Up to 6 bytes per gate can be encoded without affecting observable results.
Figure 8: Covert data embedding in RZ gate angles during the scheduling stage; modified angles shown in red.
Empirical results on IBM quantum backends show that such modifications are undetectable in output distributions, with Hellinger fidelity remaining above 0.9999.

Figure 9: Output distribution for a genuine transpiled circuit.
Figure 10: Output distribution for a circuit with covert data embedded in gate angles; distributions are statistically indistinguishable.
Integrity Attacks: Minimal Modifications, Maximal Impact
Two integrity attacks are presented:
- GHZ Circuit: Inserting a reset instruction or modifying a single gate destroys entanglement, drastically altering output distributions.

Figure 11: 7-qubit GHZ circuit used for benchmarking entanglement.
Figure 12: Inserting a reset instruction in the last qubit disrupts expected correlations.
- Grover's Algorithm: Changing the target of a single controlled gate causes the algorithm to amplify incorrect solutions, invalidating the search.

Figure 13: Output distribution for an unmodified Grover circuit; correct marked states are amplified.
These examples highlight the sensitivity of quantum algorithms to minute circuit changes, underscoring the necessity of reproducible transpilation for scientific and commercial reliability.
Enabling Reproducible Quantum Builds: Qiskit Modifications
The authors identify two primary sources of non-determinism in Qiskit:
- Random Seeds: Heuristic algorithms in transpilation stages use non-propagated random seeds, resulting in different outputs for identical inputs.
- QPY Serialization: The QPY format includes non-deterministic metadata (UUIDs, counters, memory addresses), preventing bitwise-identical artifacts.
To address these, the following changes are proposed:
- Buildinfo File: Record all relevant toolchain versions, configuration, and random seeds to enable deterministic builds.
- Text-Based Serialization: Replace QPY with OpenQASM for circuit submission, eliminating non-deterministic metadata and reducing payload size.
These modifications are technically straightforward for the client-side SDK but may require backend and server-side updates for full compatibility.
Implications and Future Directions
The formalization of reproducible builds in quantum computing has significant implications for supply chain security, scientific reproducibility, and user trust in quantum cloud platforms. By enabling independent verification of circuit artifacts, the proposed framework mitigates both confidentiality and integrity threats inherent in current non-deterministic workflows.
Future research should focus on:
- Extending reproducibility guarantees to other quantum SDKs and cloud providers.
- Developing infrastructure for independent verifiers and integration with package managers.
- Investigating quantum-native artifact formats as quantum memory and communication mature.
Conclusion
This work establishes reproducible builds as a foundational security and reliability practice for quantum software toolchains. By demonstrating practical attack vectors and proposing concrete mitigations, the paper provides a roadmap for the quantum computing community to adopt reproducibility as a standard, thereby enhancing the trustworthiness of quantum computation in both research and industry.