Papers
Topics
Authors
Recent
Search
2000 character limit reached

Post-Cut Metadata Inference Attacks on Quantum Circuit Cutting Pipelines

Published 12 Apr 2026 in quant-ph and cs.ET | (2604.10592v1)

Abstract: Quantum circuit cutting enables near-term quantum devices to execute workloads exceeding their qubit capacity by decomposing circuits into independently runnable fragments. While this extends computational reach, it creates a previously unexplored confidentiality surface: the fragment-level execution transcript observable by a semi-honest cloud provider. We formalise this surface and demonstrate that post-cut transcripts constitute a practical metadata side channel. Operating solely on provider-visible compiled circuit metadata (fragment width, depth, and two-qubit gate count), we evaluate a structured inference attack across six classification objectives spanning algorithm identity, cut mechanism, and coarse Hamiltonian structure. Our corpus comprises 1,200 circuit fragments across eight algorithm families transpiled against three hardware topologies, validated on a 156-qubit production quantum computer confirming that QPU execution time remains invariant across a 25x variation in compiled depth. Under strict instance-disjoint generalisation, our attack recovers algorithm family with 0.960 accuracy (AUC 0.999), cut mechanism with 0.847 accuracy (AUC 0.924), and Hamiltonian k-locality with 0.960 accuracy (AUC 0.998). Connectivity and geometry inference achieve AUC of 0.986 and 0.942 with strong stability under size-holdout. Topology inference remains above chance (AUC 0.666). A matched-footprint control and ablation study confirm leakage is structure-dominated and not explained by scale artefacts. These results demonstrate that circuit cutting is not confidentiality-neutral and that metadata leakage should be treated as a first-class security concern in quantum cloud systems.

Summary

  • The paper demonstrates that post-cut metadata leakage accurately infers confidential workload properties using structural features like compiled width, depth, and 2Q gate count.
  • It employs supervised classification models on metadata logs to differentiate between algorithm families and Hamiltonian characteristics with high accuracy.
  • Empirical validation on real QPU hardware underscores the need for obfuscation techniques to mitigate metadata-based inference attacks in quantum cloud systems.

Post-Cut Metadata Inference Attacks in Quantum Circuit Cutting

Introduction

The paper "Post-Cut Metadata Inference Attacks on Quantum Circuit Cutting Pipelines" (2604.10592) provides a comprehensive and rigorous analysis of the confidentiality implications arising from the use of quantum circuit cutting in near-term quantum cloud computation. Circuit cutting, as a strategy to overcome the hardware qubit limitations of noisy intermediate-scale quantum (NISQ) devices, enables the partitioning of quantum algorithms into smaller fragments, solvable on restricted quantum hardware and subsequently stitched together classically. However, this research calls attention to an underexamined residual attack surface: the structural metadata observable by a semi-honest cloud provider after circuit fragmentation.

The authors formalize the post-cut threat model, provide a detailed empirical and hardware-validated study of the inference risk, and demonstrate quantitatively that transcript-level metadata (fragment width, depth, two-qubit (2Q) gate count) exposes algorithmic and Hamiltonian characteristics of hidden workloads. The work decisively establishes post-cut metadata leakage as a primary security concern in quantum cloud systems utilizing circuit cutting. Figure 1

Figure 1: System Model Architecture. End-to-end circuit-cutting workflow, including client execution, transcript shaping, and untrusted cloud execution with exposed classical metadata.

System and Threat Model

The system model features two principal domains: a Trusted Client Environment performing circuit construction, cutting, transcript shaping, and result stitching; and an Untrusted Cloud Service that receives, schedules, and executes submitted fragments. The crucial division is that only classical metadata—fragment width, depth, 2Q gate count, shot allocations, and submission details—are observable by the provider. Quantum states, outcomes, and stitching maps remain private. Figure 2

Figure 2: Threat Model Analysis. The semi-honest provider observes compiled metadata at the submission interface and attempts passive workload inference on L\mathcal{L}.

The threat model assumes a semi-honest (honest-but-curious) cloud provider, passively logging all compiled metadata but not deviating from protocol nor accessing measurement payloads. The adversary's objective is to infer hidden properties of the workload, including algorithm family, cut mechanism, Hamiltonian connectivity, geometric structure, and local interaction order (kk-locality), using only the observed transcript statistics.

Physical Mechanism: Routing Tax in Compiled Metadata

Central to the attack is the "routing tax"—the topological overhead introduced by mapping logical circuits onto specific hardware connectivity graphs. This overhead manifests as inflation in compiled circuit depth and 2Q gate count, with distinct profiles per algorithm and hardware family. Figure 3

Figure 3

Figure 3: Depth inflation (compiled/logical depth) across algorithm families and hardware topologies, demonstrating the discriminative effect of topology and structure.

Depth and 2Q gate count show strong topology × family interactions, with QFT, QML, and chemistry circuits exhibiting super-linear scaling due to their entanglement requirements, while HEA and Sim families, which align better with hardware, incur minimal inflation. Figure 4

Figure 4: Compiled width distributions are algorithm-family discriminative but effectively topology-invariant, emphasizing complementary information to depth inflation.

Width, in contrast, is a topology-invariant signal; it reveals partitioning strategy and logical workload size, enabling isolation of certain algorithm families independent of backend connectivity. These three metadata features together provide a robust basis for inference.

Attack Methodology and Corpus

The empirical evaluation leverages a corpus of 1,200 circuits spanning 8 algorithm families and 3 hardware topologies. Each family contributes distinct structural sub-variants, all transpiled with the same compiler stack and routing policies, ensuring metadata distributions reflect genuine physical constraints.

Attacks are structured as supervised classification tasks, employing random forest (RF), extra trees, and histogram gradient boosting models. Three principal data splits are used: instance-disjoint for generalization, size-holdout to test robustness to workload scale, and matched-footprint controls to eliminate scale-based leakage. The attack requires only metadata logs, aligning with standard provider operational practices.

Empirical Results

The attack achieves high leakage across six tasks:

  • Algorithm family (A1): 0.960 accuracy, macro-AUC 0.999.
  • Cut mechanism (W1): 0.847 accuracy, macro-AUC 0.924.
  • kk-locality (H3): 0.960 accuracy, macro-AUC 0.998.
  • Hamiltonian connectivity (H1), geometry (H2), and backend topology (W2) show macro-AUC ranging from 0.942 to 0.666.

The confusion matrices confirm that algorithm families with strongly distinct physical and entanglement profiles (e.g., Oracle, Sim) are perfectly isolated, while families with similar partitioning (HEA, QAOA) show expected mutual confusion.

Ablation studies confirm that the majority of inference power resides in structural features (width, depth, 2Q count); timing and shot allocation contribute negligibly or add noise, especially for hardware topology inference.

Matched-footprint controls show leakage persists after coarse size artifacts are removed, demonstrating that attack models extract genuine structural signal beyond trivial scale features. Figure 5

Figure 5: Random Forest Gini importance for all six tasks; compiled depth dominates, with width contributing most for topology inference.

Latent space analysis (PCA) shows that metadata features create highly separable clusters by family, but backend topologies overlap except for all-to-all, explaining limited but statistically significant topology discrimination.

Hardware Validation

Empirical runs on the 156-qubit ibm_marrakesh heavy-hex device validate that the observed metadata scaling and leakage patterns are not simulation artifacts but real effects in production QPU stacks. Figure 6

Figure 6: Compiled depth and 2Q gate count scaling with circuit width, empirically measured on ibm_marrakesh, confirming the distinct scaling regimes.

A crucial finding is that true QPU execution time is effectively invariant (order 2s) across a 25× variation in compiled circuit depth—physical timing is insensitive to quantum workload complexity due to control-plane bottlenecks. As such, metadata logs, not timing side-channels, provide the dominant attack surface for inference.

Discussion and Security Implications

This study establishes that post-cut metadata leakage enables accurate inference of confidential workload properties with minimal adversarial resources. The practical implications are significant:

  • Providers can reconstruct both algorithmic class and coarse Hamiltonian features, with potential intellectual property and competitive consequences.
  • Topology inference is above chance and sufficient to distinguish ideal (all-to-all) from non-ideal hardware access.
  • The primary leakage mechanism (routing tax) is rooted in circuit compilation and cannot be mitigated trivially without performance penalties (e.g., fragment padding, structural obfuscation).

Mitigations must focus on obscuring compiled footprints rather than merely securing measurement or payload data. The results challenge the adequacy of existing quantum confidentiality primitives (e.g., UBQC, QHE) when execution is fragmented, highlighting the need for new protocols cognizant of transcript-level leakage. Figure 7

Figure 7: Attacker sample efficiency shows high AUC is robustly attained with modest corpus size for the structurally-driven tasks.

Conclusion

The paper conclusively demonstrates that quantum circuit cutting introduces a quantitative metadata side channel in NISQ-era quantum cloud systems. Structural execution transcript features—specifically compiled width, depth, and 2Q gate count—are sufficient for a semi-honest provider to infer substantial properties of client workloads with near-perfect accuracy in realistic scenarios. Pure timing-based attacks are obviated by system-level latency, underscoring metadata logs as the new confidentiality boundary. Designing quantum cloud systems and circuit cutting pipelines requires explicit mitigation of this leakage at the control plane, elevating transcript metadata security to a first-class concern. The paper also identifies cross-run linkability as an important open direction for the future.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.