Papers
Topics
Authors
Recent
Search
2000 character limit reached

Covert Quantum Computing Overview

Updated 5 July 2026
  • Covert quantum computing is defined as the practice of hiding not only the content but the very act of quantum operations using techniques like vacuum fluctuations, covert teleportation, and entanglement distillation.
  • It integrates multi-layer strategies—from optical and network protocols to compiler-level Trojan insertions and hardware side-channel protections—to camouflage quantum processes against adversarial detection.
  • The field addresses critical trade-offs between reliability and covertness while leveraging protocols that manage statistical indistinguishability to enable secure, covert quantum operations.

Searching arXiv for papers on covert quantum computing and closely related covert quantum communication/security work. Covert quantum computing denotes quantum information processing whose occurrence, not merely its content, is concealed from an adversary. In the literature represented here, the term spans at least two distinct but increasingly convergent senses. One concerns covert execution over quantum networks, where entanglement generation, teleportation, measurement-based computation, and blind delegation are hidden within vacuum fluctuations, ambient noise, or covert classical channels (Bradler et al., 2017, Bradler et al., 2016, Anderson et al., 2024, Anderson et al., 22 Jan 2025). The other concerns covert manipulation or detection at the computation substrate itself, including malicious compiler-layer circuit tampering and multi-tenant hardware side-channel concealment or detection (John et al., 13 Feb 2025, Anderson et al., 14 May 2026). Taken together, these works suggest that covert quantum computing is best understood as a family of security and systems problems in which the operational signature of computation is suppressed, displaced, or exploited across the communication, compilation, and hardware layers.

1. Definitions and conceptual scope

The strongest notion of covertness in the communication-oriented literature is that an external observer should be unable to distinguish H0H_0, “no communication/computation,” from H1H_1, “communication/computation is being executed,” beyond a small advantage determined by the trace distance between the corresponding states (Bradler et al., 2017). This is explicitly stronger than confidentiality and stronger than blind quantum computation: secrecy may hide the content of communication, and blindness may hide the algorithm, input, or output from a server, but covertness aims to hide that any quantum operation is taking place at all (Bradler et al., 2017).

In the multi-tenant cloud setting, covert quantum computing is defined differently but compatibly. There, an implementation I~\tilde{\mathcal{I}} is δ\delta-covert if for any adversary strategy SWS_W, Willie’s total error probability in distinguishing idle from computing satisfies

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,

with equal priors on the two hypotheses (Anderson et al., 14 May 2026). This definition shifts the focus from network traffic to shared-hardware observability: the adversary may control all other quantum computational units, keep a quantum memory, and run adaptive quantum strategies on the accessible subsystem (Anderson et al., 14 May 2026).

A third sense arises from hostile toolchains. “Quantum Trojan Insertion: Controlled Activation for Covert Circuit Manipulation” frames covert quantum computing at the compiler and circuit layer: an untrusted compiler silently injects a controllable Trojan that remains dormant under ordinary conditions and alters the computation only when triggered (John et al., 13 Feb 2025). This is covert not because the computation is hidden from outside observers, but because a malicious modification is hidden from the computation’s owner and from ordinary verification procedures (John et al., 13 Feb 2025).

These strands do not define a single unified object, but they do share one structural theme: the salient security question is whether some operationally meaningful event—communication, computation, control, or manipulation—can be made statistically indistinguishable from benign baseline behavior.

2. Communication-layer constructions

The relativistic line of work begins from the Minkowski vacuum as a covert resource. “Absolutely covert quantum communication” shows that two inertial parties equipped with Unruh–DeWitt detectors can generate entanglement and induce a quantum channel through local interactions with the Minkowski vacuum, with strictly positive quantum and secret-key rate under suitable detector parameters, while remaining “absolutely covert” because no detectable signal propagates between the parties in the usual sense (Bradler et al., 2016). In that model, the induced two-detector state ρAB\rho_{AB} is an X-state and is interpreted as the Choi state of a quantum channel NABN_{A'\to B}, allowing standard capacity concepts such as coherent information and secret-key capacity to be applied (Bradler et al., 2016).

“Covert Quantum Internet” extends this mechanism from covert communication to covert computation and networking. Its central resource is vacuum-assisted entanglement extraction using localized two-state detectors coupled to a free, real, massless scalar field ϕ\phi, with switching functions

wA(t)=λw(t),wB(t)=λw(tL),w(t)=et2/σ2,w_A(t)=\lambda\,\mathbf{w}(t), \qquad w_B(t)=\lambda\,\mathbf{w}(t-L), \qquad \mathbf{w}(t)=e^{-t^2/\sigma^2},

and Wightman correlator

H1H_10

By iterating weak detector couplings, the singlet fraction H1H_11 of the extracted state can exceed H1H_12, after which covert entanglement distillation and covert teleportation are used as primitives for teleportation-based and one-way quantum computing (Bradler et al., 2017). In this framework, covert graph-state generation, covert cluster-state MBQC, covert 3D topological cluster-state computation, covert Union Jack state preparation, and covert universal blind quantum computation are all presented as applications of covert Bell-pair generation plus covert classical communication (Bradler et al., 2017).

The optical line of work reaches a different conclusion about rates. “Covert Quantum Communication Over Optical Channels” studies lossy thermal-noise bosonic channels with dual-rail qubits and shows a square root law: over H1H_13 rounds, H1H_14 qubits can be transmitted covertly and reliably (Anderson et al., 2024). In that model, one round uses two optical modes, with dual-rail encoding

H1H_15

and Willie’s covertness test is controlled by the relative entropy bound

H1H_16

(Anderson et al., 2024). The achievable theorem states

H1H_17

with

H1H_18

and a reliability rate derived from a Pauli/depolarizing reduction (Anderson et al., 2024). A companion general achievability result over arbitrary quantum channels gives

H1H_19

or

I~\tilde{\mathcal{I}}0

when assisted by a full-duplex covert classical channel (Anderson et al., 22 Jan 2025). The latter result is directly relevant to covert quantum computing because it supplies covert entanglement distribution plus teleportation as a general-purpose design pattern (Anderson et al., 22 Jan 2025).

A related communication result sharpens the optical picture under uncertainty. “Robust Covert Quantum Communication under Bounded Channel Uncertainty” replaces fixed I~\tilde{\mathcal{I}}1 by a compound uncertainty set and proves that robustness cannot be obtained by simply substituting worst-case parameters into nominal formulas, because covertness is worst at I~\tilde{\mathcal{I}}2 while reliability is worst at I~\tilde{\mathcal{I}}3 (Arghavani et al., 13 Apr 2026). The robust guaranteed payload satisfies

I~\tilde{\mathcal{I}}4

again preserving the square-root-law scaling but altering the constant and introducing a sharp feasibility boundary beyond which the guaranteed payload drops to zero (Arghavani et al., 13 Apr 2026). This suggests that covert quantum computation over realistic optical interconnects inherits not only the I~\tilde{\mathcal{I}}5 scaling but also a robustness penalty under calibration uncertainty.

3. Computation models enabled by covert resources

The communication constructions support several computational models. In teleportation-based covert quantum computing, covert Bell pairs allow state teleportation and gate teleportation so that nonlocal CNOT or CZ operations are implemented via local operations plus covert classical feed-forward (Bradler et al., 2017). This produces a universal distributed quantum computer so long as covert entanglement and covert classical control are available (Bradler et al., 2017).

In one-way covert quantum computing, covertly generated graph states

I~\tilde{\mathcal{I}}6

serve as the MBQC resource (Bradler et al., 2017). Nodes prepare local I~\tilde{\mathcal{I}}7 states, covert CZ gates are effected by teleportation, and subsequent single-qubit measurements are local while adaptive basis updates and corrections use covert classical channels (Bradler et al., 2017). The same architecture extends to 2D cluster states, 3D topological cluster states, and Union Jack states with Pauli-universal MBQC (Bradler et al., 2017).

In covert universal blind quantum computation, the Broadbent–Fitzsimons–Kashefi construction is modified so that Alice’s randomly rotated qubits

I~\tilde{\mathcal{I}}8

are transferred by covert teleportation rather than by an overt quantum channel, and the measurement angles

I~\tilde{\mathcal{I}}9

are sent covertly (Bradler et al., 2017). Blindness is preserved as in BFK, while covertness is supplied by the hidden entanglement and covert classical interaction (Bradler et al., 2017). A plausible implication is that covert blind quantum computation combines two orthogonal protections: blindness against the server and covertness against a third-party observer.

The optical square-root-law results place a quantitative restriction on these computational models. Because covert teleportation, covert remote state preparation, and covert entanglement distribution all consume covert qubits or covert ebits, a protocol using an optical channel can covertly support only δ\delta0 such resources over δ\delta1 uses (Anderson et al., 2024, Anderson et al., 22 Jan 2025). This suggests that small-bandwidth covert quantum computing primitives are feasible over optical channels, whereas large-scale covert offloading requires proportionally large time or mode budgets (Anderson et al., 2024).

4. Toolchain-level covert manipulation

At the compilation layer, covert quantum computing takes the form of hidden intervention rather than hidden execution. “Quantum Trojan Insertion: Controlled Activation for Covert Circuit Manipulation” considers an untrusted compiler or transpiler that inserts a malicious subcircuit into a compiled quantum circuit (John et al., 13 Feb 2025). The proposed Trojan consists of an X “switch gate” on a designated control qubit in the first column and a set of CX gates from the same control qubit into target qubits placed only in empty slots of later layers (John et al., 13 Feb 2025). Given intended unitary δ\delta2, Trojan unitary δ\delta3, and augmented unitary δ\delta4, the paper describes the activated case conceptually as

δ\delta5

and the controlled behavior as

δ\delta6

where δ\delta7 flips selected targets (John et al., 13 Feb 2025).

The insertion algorithm converts the circuit to a DAG, identifies layers and empty positions

δ\delta8

inserts the X gate on the control qubit in the first column, and then adds CX gates into randomly chosen empty positions up to a gate limit (John et al., 13 Feb 2025). The resulting Trojan is designed to preserve circuit depth and remain dormant when the control qubit is effectively in δ\delta9 (John et al., 13 Feb 2025).

Empirically, the reported performance characteristics are the core reason this work is relevant to covert quantum computing. In the benchmark experiments, circuit depth was unchanged, gate-count overhead was approximately SWS_W0 on average, and activated output distributions deviated by approximately SWS_W1 in total variation distance from intended outputs (John et al., 13 Feb 2025). The paper measures

SWS_W2

and finds TVD near SWS_W3–SWS_W4 for larger circuits when the Trojan is activated, while deactivated behavior remains close to the original circuit (John et al., 13 Feb 2025). This directly instantiates covert sabotage: the computation appears ordinary under normal testing, but can be selectively corrupted on demand.

The experiments use IBM Qiskit, RevLib reversible benchmarks, the FakeValencia backend, and 1,000 shots per run (John et al., 13 Feb 2025). The attack surface is a cloud or third-party compilation service, and the underlying point is systemic: trustworthy quantum computing requires securing the compiler chain as much as the hardware (John et al., 13 Feb 2025). A common misconception is that covert quantum computing concerns only hidden network traffic; this work shows that covert behavior can also mean latent, selectively activated functionality buried in ostensibly legitimate quantum circuits.

5. Multi-tenant hardware, observability, and side channels

The hardware-side notion of covert quantum computing is developed in “Toward Covert Quantum Computing” (Anderson et al., 14 May 2026). The setting is a multi-tenant quantum processing unit in which Alice uses SWS_W5 of SWS_W6 total quantum computational units and Willie controls the remaining SWS_W7 QCUs plus an arbitrary-dimensional quantum memory (Anderson et al., 14 May 2026). Because Willie may prepare arbitrary initial states, apply adaptive CPTP maps between Alice’s gate operations, and defer a collective measurement to the end, the paper adopts the quantum-strategy framework rather than a static channel-discrimination model (Anderson et al., 14 May 2026).

If SWS_W8 denotes the SWS_W9-round strategy induced by Alice’s implementation and PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,0 the idle strategy, then Willie’s minimum error probability is

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,1

and PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,2-covertness is equivalent to

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,3

(Anderson et al., 14 May 2026). Reliability is defined separately by diamond-norm closeness of the realized instrument to the ideal instrument (Anderson et al., 14 May 2026).

Under a nearest-neighbor residual ZZ crosstalk model on planar lattices, the paper proves geometric square-root laws using discrete isoperimetric inequalities (Anderson et al., 14 May 2026). For the square lattice,

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,4

for the hexagonal lattice,

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,5

and for heavy-hex,

PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,6

(Anderson et al., 14 May 2026). These inequalities imply that an PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,7-qubit computational region can be embedded so that only PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,8 border qubits expose detection information to Willie (Anderson et al., 14 May 2026). Consequently, at most PW(e)(SW,I~)12δ,P_W^{\mathrm{(e)}}(S_W,\tilde{\mathcal{I}}) \ge \tfrac{1}{2}-\delta,9 additional idle buffer qubits are required to ensure covertness under the nearest-neighbor-only model (Anderson et al., 14 May 2026).

The experimental study on IQM’s 54-qubit Emerald processor and IBM’s 156-qubit ibm_fez machine partially validates and partially destabilizes this picture (Anderson et al., 14 May 2026). Ramsey experiments on spectator qubits confirm detectable nearest-neighbor crosstalk, but also reveal long-range coupling beyond border qubits, which the paper hypothesizes may arise from leakage from drive and control lines (Anderson et al., 14 May 2026). This long-range crosstalk weakens the nearest-neighbor-based covertness guarantee and exposes a hardware side channel that co-tenants can exploit (Anderson et al., 14 May 2026). A plausible implication is that covert quantum computing on shared hardware is not only a matter of layout geometry; it also depends critically on packaging, drive-line isolation, and detailed crosstalk characterization.

6. Adversaries, sensing, and broader covert information processing

Some recent work expands the adversarial model or recasts covertness using alternative information-theoretic quantities. “Quantum Covert Communication under Extreme Adversarial Control” introduces a controller that governs both classical and quantum communication infrastructure, may ban public-key cryptography, and may demand secret strings such as basis selection strings ρAB\rho_{AB}0, state selection strings ρAB\rho_{AB}1, and Bell-state selection strings ρAB\rho_{AB}2 from users (Li, 8 Apr 2025). The constructions described there use protocol structure, entanglement, and error-checking phases of BB84- and DL04-like protocols so that covert communication remains statistically indistinguishable from ordinary failure due to eavesdropping or noise (Li, 8 Apr 2025). This suggests that covert quantum computing may need “anamorphic” protocol layers: overt protocol transcripts consistent with benign explanations, yet carrying hidden computational resources or instructions.

The sensing literature introduces a different but relevant abstraction. “Chernoff Information Bottleneck for Covert Quantum Target Sensing” defines covert information

ρAB\rho_{AB}3

where ρAB\rho_{AB}4 is the legitimate party’s Chernoff information for the sensing task and ρAB\rho_{AB}5 is the adversary’s Chernoff information for detecting that sensing is taking place (Ortolano et al., 8 Apr 2025). The Lagrangian

ρAB\rho_{AB}6

traces the covertness–utility trade-off (Ortolano et al., 8 Apr 2025). The paper further emphasizes the effective covert criterion

ρAB\rho_{AB}7

which identifies a regime in which the legitimate user’s information rate exceeds the adversary’s detection rate (Ortolano et al., 8 Apr 2025). Although developed for LiDAR-like target sensing rather than computing, this framework suggests a task-agnostic way to analyze covert quantum computing whenever the legitimate objective and the adversary’s objective can both be cast as hypothesis-testing problems.

A further extension is represented by “RAPID Quantum Detection and Demodulation of Covert Communications,” which studies NV-center-based sensing below the classical noise floor using QFIM-guided baseline optimization and an adaptive Soft Actor-Critic policy (Taherpour et al., 9 Sep 2025). This paper is about covert signal detection, not computation, but it shows that covert quantum technology increasingly includes adaptive control, Bayesian risk objectives, and resource-constrained optimization. A plausible implication is that future covert quantum computing systems may combine covert communication, covert sensing, and adaptive control into a unified architecture.

7. Limitations, tensions, and unresolved questions

Several tensions recur across the literature. First, the physical mechanism that improves covertness may degrade reliability. In optical channels, thermal noise helps hide transmissions but harms Bob’s effective qubit channel (Anderson et al., 2024, Arghavani et al., 13 Apr 2026). Under uncertainty, covertness is hardest at low noise whereas reliability is hardest at high noise, forcing robust protocols to satisfy conflicting corner constraints (Arghavani et al., 13 Apr 2026). This is not a superficial engineering issue but a structural limitation on covert quantum information processing.

Second, positive-rate covert operation appears model-dependent. In relativistic vacuum-based constructions, the induced covert quantum channel can have strictly positive rate because no ordinary propagating signal is emitted (Bradler et al., 2016). In lossy thermal-noise optical channels, by contrast, covert throughput obeys a square-root law ρAB\rho_{AB}8 (Anderson et al., 2024, Anderson et al., 22 Jan 2025). In helper-assisted quantum multiple-access channels, positive covert rates become possible again because a helper can shape the joint output so that the warden’s marginal exactly matches the innocent state (ZivariFard et al., 26 Apr 2025). The literature therefore does not support a universal covert-capacity law independent of physical model.

Third, compiler-layer and hardware-layer covert phenomena complicate the usual network-centric view. A system may satisfy communication-layer covertness while remaining vulnerable to covert circuit manipulation (John et al., 13 Feb 2025), or it may hide traffic successfully while leaking activity through crosstalk to co-tenants (Anderson et al., 14 May 2026). This suggests that covert quantum computing should not be treated as a single-layer property.

Finally, full covert quantum computation in the strongest sense remains largely prospective. The cited works provide covert communication primitives, covert MBQC and UBQC constructions, geometric criteria for covert execution on shared hardware, and concrete covert attack models, but no complete end-to-end framework unifies these into a single composable theory. This suggests that the field is still defining its boundaries.

8. Synthesis

Across these works, covert quantum computing emerges as a layered research area rather than a single protocol family. At the communication layer, it includes hidden entanglement generation from the Minkowski vacuum, covert teleportation, covert MBQC, and covert blind computation (Bradler et al., 2017, Bradler et al., 2016). At the optical-channel layer, it includes square-root-law-limited covert qubit and ebit transfer, robustified under compound uncertainty (Anderson et al., 2024, Anderson et al., 22 Jan 2025, Arghavani et al., 13 Apr 2026). At the systems layer, it includes helper-assisted positive-rate covert coordination (ZivariFard et al., 26 Apr 2025), detection-theoretic covert sensing (Ortolano et al., 8 Apr 2025), and adaptive sub-noise-floor demodulation of covert signals (Taherpour et al., 9 Sep 2025). At the adversarial toolchain and hardware layers, it includes compiler-inserted Trojan circuits and multi-tenant crosstalk observability (John et al., 13 Feb 2025, Anderson et al., 14 May 2026).

The cumulative picture is that covert quantum computing is not reducible to secrecy, blindness, or fault tolerance. It concerns the statistical invisibility of quantum operations themselves, whether those operations are benevolent, adversarial, or merely computationally necessary. This suggests that future progress will likely depend on combining communication-theoretic covertness, secure compilation, hardware isolation, and adaptive control into a single security model that spans the full quantum stack.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Covert Quantum Computing.