Papers
Topics
Authors
Recent
Search
2000 character limit reached

Reproducible Builds for Quantum Computing

Published 2 Oct 2025 in quant-ph and cs.CR | (2510.02251v1)

Abstract: Reproducible builds are a set of software development practices that establish an independently verifiable path from source code to binary artifacts, helping to detect and mitigate certain classes of supply chain attacks. Although quantum computing is a rapidly evolving field of research, it can already benefit from adopting reproducible builds. This paper aims to bridge the gap between the quantum computing and reproducible builds communities. We propose a generalization of the definition of reproducible builds in the quantum setting, motivated by two threat models: one targeting the confidentiality of end users' data during circuit preparation and submission to a quantum computer, and another compromising the integrity of quantum computation results. This work presents three examples that show how classical information can be hidden in transpiled quantum circuits, and two cases illustrating how even minimal modifications to these circuits can lead to incorrect quantum computation results. Our work provides initial steps towards a framework for reproducibility in quantum software toolchains.

Summary

  • The paper formalizes reproducible builds for quantum computing by adapting classical practices to mitigate non-deterministic transpilation vulnerabilities.
  • It demonstrates practical attack vectors that exploit non-determinism for confidentiality and integrity breaches in quantum circuit transpilation.
  • The authors propose Qiskit modifications like a buildinfo file and text-based serialization to ensure reproducible and secure quantum artifacts.

Reproducible Builds for Quantum Computing: Security and Reliability in Quantum Software Toolchains

This paper formalizes the concept of reproducible builds within quantum computing workflows, generalizing established practices from classical software engineering to address unique challenges in quantum circuit compilation and deployment. The authors introduce threat models targeting both confidentiality and integrity, demonstrate practical attack vectors exploiting non-deterministic transpilation, and propose concrete modifications to the Qiskit SDK to enable reproducible quantum artifacts.

Background: Classical Reproducible Builds and Quantum Software Workflows

Reproducible builds in classical software development ensure that a given source code, when compiled in a controlled environment, produces bitwise-identical binaries. This property is critical for supply chain security, enabling independent verification that distributed executables correspond to audited source code. The paper extends this paradigm to quantum computing, where the "build" process involves transpiling human-readable quantum circuits into hardware-executable artifacts.

Quantum software toolchains typically consist of circuit description (e.g., Qiskit, OpenQASM), transpilation to hardware-specific gate sets, and serialization for submission to quantum cloud backends. The transpilation process is inherently complex, involving multiple stages such as gate decomposition, qubit layout mapping, routing, optimization, and scheduling. Figure 1

Figure 1: A typical open-source software development workflow, highlighting the separation between source code and distributed binaries.

Figure 2

Figure 2: The quantum computing workflow, from circuit design to transpilation and execution on cloud-based quantum hardware.

Figure 3

Figure 3: The six stages of Qiskit transpilation, each a potential source of non-determinism and attack surface.

Threat Models: Confidentiality and Integrity in Quantum Circuit Transpilation

The paper introduces two explicit threat models:

  • Confidentiality: An attacker with access to transpiled circuits (e.g., a malicious cloud provider) can exfiltrate sensitive classical data by covertly encoding it into circuit artifacts during transpilation.
  • Integrity: An attacker with knowledge of the target backend's noise model can subtly alter transpiled circuits, degrading computation accuracy or producing incorrect results.

Both models assume the attacker can compromise the transpilation process but not the user's local environment or the quantum backend directly. The attacks are feasible due to the non-deterministic nature of current transpilation pipelines, which produce different artifacts for identical inputs. Figure 4

Figure 4: Threat model diagram for confidentiality, illustrating the exfiltration of user data via modified transpilation.

Figure 5

Figure 5: Threat model diagram for integrity, showing how circuit modifications can degrade or invalidate quantum computation results.

Attack Vectors: Exploiting Non-Reproducibility in Transpilation Stages

Three attack vectors targeting confidentiality are demonstrated:

  1. Layout Stage: Data is encoded as a permutation of qubit mappings using Lehmer code, allowing exfiltration of up to log2n!\lfloor\log_2 n!\rfloor bits, where nn is the number of physical qubits. This is sufficient to leak cryptographic keys in current devices. Figure 6

    Figure 6: Encoding "Hello World" as a permutation in the layout stage using Lehmer code.

  2. Init Stage: Arbitrary data is encoded as rotation parameters in auxiliary qubits, surrounded by reset gates to prevent optimization. This method allows unbounded data leakage, limited only by available qubits. Figure 7

    Figure 7: Encoding "Hello Word" as rotation parameters in an auxiliary register during the init stage.

  3. Scheduling Stage: Data is covertly embedded in the least significant bytes of RZ gate angles, exploiting the insensitivity of noisy hardware to small parameter changes. Up to 6 bytes per gate can be encoded without affecting observable results. Figure 8

    Figure 8: Covert data embedding in RZ gate angles during the scheduling stage; modified angles shown in red.

Empirical results on IBM quantum backends show that such modifications are undetectable in output distributions, with Hellinger fidelity remaining above 0.9999. Figure 9

Figure 9

Figure 9: Output distribution for a genuine transpiled circuit.

Figure 10

Figure 10: Output distribution for a circuit with covert data embedded in gate angles; distributions are statistically indistinguishable.

Integrity Attacks: Minimal Modifications, Maximal Impact

Two integrity attacks are presented:

  • GHZ Circuit: Inserting a reset instruction or modifying a single gate destroys entanglement, drastically altering output distributions. Figure 11

Figure 11

Figure 11: 7-qubit GHZ circuit used for benchmarking entanglement.

Figure 12

Figure 12

Figure 12: Inserting a reset instruction in the last qubit disrupts expected correlations.

  • Grover's Algorithm: Changing the target of a single controlled gate causes the algorithm to amplify incorrect solutions, invalidating the search. Figure 13

Figure 13

Figure 13: Output distribution for an unmodified Grover circuit; correct marked states are amplified.

These examples highlight the sensitivity of quantum algorithms to minute circuit changes, underscoring the necessity of reproducible transpilation for scientific and commercial reliability.

Enabling Reproducible Quantum Builds: Qiskit Modifications

The authors identify two primary sources of non-determinism in Qiskit:

  • Random Seeds: Heuristic algorithms in transpilation stages use non-propagated random seeds, resulting in different outputs for identical inputs.
  • QPY Serialization: The QPY format includes non-deterministic metadata (UUIDs, counters, memory addresses), preventing bitwise-identical artifacts.

To address these, the following changes are proposed:

  1. Buildinfo File: Record all relevant toolchain versions, configuration, and random seeds to enable deterministic builds.
  2. Text-Based Serialization: Replace QPY with OpenQASM for circuit submission, eliminating non-deterministic metadata and reducing payload size.

These modifications are technically straightforward for the client-side SDK but may require backend and server-side updates for full compatibility.

Implications and Future Directions

The formalization of reproducible builds in quantum computing has significant implications for supply chain security, scientific reproducibility, and user trust in quantum cloud platforms. By enabling independent verification of circuit artifacts, the proposed framework mitigates both confidentiality and integrity threats inherent in current non-deterministic workflows.

Future research should focus on:

  • Extending reproducibility guarantees to other quantum SDKs and cloud providers.
  • Developing infrastructure for independent verifiers and integration with package managers.
  • Investigating quantum-native artifact formats as quantum memory and communication mature.

Conclusion

This work establishes reproducible builds as a foundational security and reliability practice for quantum software toolchains. By demonstrating practical attack vectors and proposing concrete mitigations, the paper provides a roadmap for the quantum computing community to adopt reproducibility as a standard, thereby enhancing the trustworthiness of quantum computation in both research and industry.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

alphaXiv