Papers
Topics
Authors
Recent
Search
2000 character limit reached

QCIVET: A Quantum--Classical Pipeline Integrity Framework with Contract-Based Subtype Verification and Hash-Chained Audit Traces

Published 13 May 2026 in quant-ph and cs.CR | (2605.13109v1)

Abstract: Hybrid quantum--classical pipelines increasingly support applications such as drug discovery, fraud detection, and cloud quantum processing unit (QPU) auditing, yet existing integrity-verification methods remain largely classical and fail to capture quantum-stage behaviour. We propose QCIVET, a contract-based integrity-verification framework that models a hybrid pipeline as a sequence of stages with explicit specifications and audits it at both syntactic and semantic levels. Syntactic integrity is enforced through a hash-chained audit trail with optional external anchoring, while semantic integrity at quantum stages is verified using a calibrated observable-deviation test grounded in the behavioural-subtyping discipline of Liskov and Wing. We prove soundness under the diamond-norm distance between quantum channels, conditional completeness for informationally complete observable families, and compositionality under inheritance chains. We further identify a class of Z-only-sneaky overrides that evade weak single-Pauli contracts but are exposed by multi-Pauli contracts. The framework is evaluated under calibration-derived noise models from IBM Quantum Eagle r3 and Heron r2 processors, and the subtype-separation protocol is validated end-to-end on a real ibm_fez (Heron r2) processor. QCIVET is instantiated on three representative applications: variational quantum eigensolver (VQE) for drug discovery, quantum-assisted fraud detection, and customer-side auditing of cloud QPU services. The reference implementation, including a real-time verification engine with sub-millisecond per-stage commit latency, is released as open source.

Summary

  • The paper presents QCIVET, a novel framework that safeguards hybrid quantum–classical pipelines through dual verification layers: hash-chained audit trails and contract-based subtype testing.
  • It employs behavioural subtyping and observable deviation tests to guarantee integrity under both ideal and noisy device conditions, with formal soundness and compositionality proofs.
  • Experimental validations on IBM quantum hardware and simulated environments confirm its effectiveness in detecting semantic drift and tampering in critical applications.

QCIVET: A Quantum–Classical Pipeline Integrity Framework with Contract-Based Subtype Verification and Hash-Chained Audit Traces

Introduction and Motivation

Hybrid quantum–classical pipelines underpin critical decisions in domains such as pharma (VQE-based drug discovery), finance (fraud detection), and cloud-based quantum computing. Integrity in these workflows is not guaranteed by traditional, classical audit techniques, as classical supply-chain tools do not verify that quantum computational stages behave semantically as specified in real device conditions. QCIVET addresses this gap with a dual-layer framework that (1) enforces syntactic integrity via hash-chained audit logs (with optional external anchoring) and (2) enforces semantic integrity for quantum stages using a contract-based, behaviourally-typed observable-deviation test grounded in the Liskov-Wing subtyping discipline.

QCIVET synthesizes several research lines:

  • Classical Provenance and Audit: Existing frameworks (in-toto, SLSA, Sigstore) offer cryptographic binding of software artefacts to declared recipes but are oblivious to quantum noise and semantic drift in quantum-classical workflows.
  • PQ-Safe Cryptography: Post-quantum cryptographic protections (e.g., MBOM-PQC, ML-DSA, SLH-DSA) harden signature schemes but make no modification to pipeline shape or quantum semantics.
  • Quantum Cryptography Primitives: Quantum primitives (e.g., BB84 QKD, quantum hash functions) secure communication or authentication but treat the quantum system as a cryptographic resource, not as an auditable computational workload.
  • Quantum Software Contracts and Verification: Prior work on design-by-contract, quantum Hoare logic, and refinement calculi focus on static development-time verification, or intra-circuit semantics, without addressing runtime, multi-stage hybrid pipelines, adversarial settings, or observable-based runtime contracts.

QCIVET is the first framework to formalize, implement, and validate integrity verification for hybrid quantum–classical pipelines using both hash-chain provenance and runtime-enforceable quantum contracts.

Theoretical Framework

Contract-Based Behavioural Subtyping for Quantum Stages

Each pipeline stage is specified by a JSON-serialisable spec, with quantum stages carrying an additional contract: a set of observable expectation values and calibrated tolerances. Behavioural subtyping, in the Liskov-Wing sense, is operationalized as: BB is a behavioural subtype of AA (denoted B(OA,δ)AB \preceq_{(O_A,\,\delta)} A) if for all input states ρ\rho, the maximum deviation of all contract observables is bounded by the tolerance:

maxOOATr(OEB(ρ))Tr(OEA(ρ))δ.\max_{O \in O_A} |\mathrm{Tr}(O E_B(\rho)) - \mathrm{Tr}(O E_A(\rho))| \leq \delta.

Soundness, Completeness, and Compositionality

QCIVET provides three formal guarantees:

  1. Soundness: Channel-level closeness in diamond norm implies observable-level closeness (via H\"older and norm equivalences).
  2. Conditional Completeness: For informationally complete observable families, observable-level closeness ensures channel-level proximity (with explicit constants, C(OA)=22C(O_A)=2\sqrt{2} for single-qubit Pauli observables).
  3. Compositionality: The subtyping relation composes through pipeline stage sequences, with error propagation bounds governed by stage-level tolerances.

Sneaky Subtype Characterization

A critical result is the formal identification of "sneaky" subtype attacks—adversarial implementations that pass weak, single-observable contracts (e.g., ZZ-only) but are detected by informationally complete families. The paper precisely delineates conditions under which such attacks are possible, with explicit analysis in single-qubit scenarios, motivating the necessity for multi-observable contract specifications. Figure 1

Figure 1: Per-(input, observable) deviation for all candidates in the noiseless setting, visualizing the sneaky-subtype phenomenon.

Audit Layer: Hash-Chained Log and Anchoring

Syntactic integrity is maintained through a forward-only hash chain (SHA-256), where each new stage commit includes the previous hash. To prevent global rewrites, commits can be externally anchored (Sigstore Rekor, RFC 3161, public blockchains) providing tamper evidence beyond the local pipeline. Figure 2

Figure 2: Visualization of hash-chain audit scenarios, including tampering, injection, and skipping attacks.

Experimental Validation

Subtype Separation: Ideal, Simulated, and Real QPU Regimes

A suite of six experiments demonstrates QCIVET's effectiveness:

  • Ideal Subtype Separation: Analytic evaluation on noiseless quantum circuits shows that valid subtypes pass and sneaky/invalid ones fail observable contracts as mathematically predicted. Figure 1

    Figure 1: Subtype operational fingerprint in a noiseless regime, explicitly differentiating sneaky subtypes.

  • Synthetic Noise and Device-Noise Calibration: The noise-induced deviation on observable contracts is quantified for synthetic depolarising channels and realistic IBM device noise models (FakeBrisbane/Eagle r3 and FakeFez/Heron r2). Figure 3

    Figure 3: Calibration of observable deviation under synthetic depolarising noise.

    Figure 4

    Figure 4: Sensitivity sweep of contract violation under physical gate perturbation.

    Figure 5

    Figure 5: Device-noise calibration per input state, showing Heron r2 is less noisy than Eagle r3.

  • Real-Hardware Validation: The full protocol is executed on IBM Heron r2 via the Quantum cloud, demonstrating the robustness of sneaky-fingerprint separation (1.4011.3861.4201.401 \to 1.386 \to 1.420 along ideal→simulated→real chain). Figure 6

    Figure 6: Robust separation of subtype classes under real hardware noise, validating theory-to-practice.

  • Calibration Window: The window in which tolerances should be set is characterized empirically, balancing device noise against minimal detectable contract deviations. Figure 7

    Figure 7: Overlap of device noise floor and minimum violation threshold—the actionable calibration window.

Implementation and Application Domains

QCIVET includes a high-performance, real-time verification engine (Python) with sub-millisecond per-stage commit overhead. Three six-stage demonstration pipelines instantiate the framework:

  • VQE-Driven Drug Discovery: Observable contract over energy estimation, catching both tampering and semantic drift, mapping to FDA auditability requirements.
  • Quantum-Assisted Fraud Detection: Hash-chain replay and observable integrity check for financial transactional workflows, covering insider threshold manipulation and quantum result poisoning.
  • Cloud QPU Auditing: Customer-verifiable result provenance and quantum hardware behaviour, detecting backend downgrades, calibration spoofing, and result drift.

For all three, attack coverage is stratified along local tampering, semantic drift, and global rewrite, with detection matched by the hash-chain, observable-deviation, and anchor checkers, respectively.

Threat Model and Security Guarantees

QCIVET’s assumed adversary A\mathcal{A} can manipulate pipeline state and quantum behaviour but cannot forge cryptographic hashes or external anchor entries. The only gap is attacks within the calibrated tolerance—mitigated operationally by careful, noise-aware calibration. The system does not defend against DoS or confidentiality breaches on its own; confidentiality requires further encryption layers.

Practical and Theoretical Implications

  • Production Readiness: The presented framework is minimally intrusive to existing pipelines, supports post-quantum secure cryptographic primitives without modification, and adds negligible overhead.
  • Auditable Quantum Computation: Directly addresses regulatory and governance needs in pharma (FDA), finance (SOX), and cloud quantum (provider accountability).
  • Theoretical Clarity: Provides a concrete operationalization of quantum program substitutability, complementary to refinement-calculus work, but directly applicable at runtime and under device noise.
  • Extendability: While experiments are single-qubit, all results and proofs are dimension-agnostic, with explicit scaling constants. Multi-qubit calibration is a future direction.

Conclusion

QCIVET advances the state of the art in hybrid quantum–classical pipeline integrity with a dual-layer, contract-based, and hash-chained verification architecture. It is realized as open-source software, robustly validated both in simulation and on real quantum hardware, and engineered for integration into real-world high-stakes workflows. By combining rigorous contract semantics with cryptographically hardened provenance, QCIVET sets a practical trajectory for making complex quantum-classical automation accountable to the same standards of verifiability that classical software supply chains now demand.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 3 likes about this paper.