Papers
Topics
Authors
Recent
Search
2000 character limit reached

Reversed-Space Attacks in QKD & Cybersecurity

Updated 8 July 2026
  • Reversed-space attacks are exploits that target the actual operational space—expanded by measurement, actuation, or representation—rather than the idealized nominal interface.
  • They demonstrate, for example in QKD and Android malware detection, how reversing system transformations can yield full information leakage or dramatically reduce model robustness.
  • The practical implications span quantum communications, deep learning, reinforcement learning, and hardware security, urging defenses to incorporate real-world device behaviors into security proofs.

Searching arXiv for relevant papers on reversed-space attacks and adjacent uses of the concept. Reversed-space attacks are attacks that exploit the difference between a system’s nominal security abstraction and the larger or different operational space actually exposed by its implementation. In the strict sense, the term was introduced for quantum key distribution (QKD), where Bob’s measurement apparatus enlarges the effective Hilbert space and the attacker derives the exploitable subspace by reversing Bob’s measurement transformation in time (Gelles et al., 2011). In later literature, the exact phrase is not always used, but closely related constructions recur in Android malware detection, deep reinforcement learning, hardware reverse engineering, side-channel analysis, and representation-space machine learning attacks. This broader usage suggests an encyclopedia-level family resemblance: the attack does not primarily target the advertised interface, but the effective space induced by measurement, actuation, representation, transformation, or physical realization (Berger et al., 2022).

1. Terminological core and scope

In the original QKD formulation, a reversed-space attack is defined by Bob’s enlarged measured space and the corresponding reversed space HPH^P, which captures the incoming states that can influence Bob’s outcomes (Gelles et al., 2011). In several later domains, the same structural idea appears under different names: feature-space versus problem-space attacks in Android malware, state-space versus action-space attacks in reinforcement learning, data-space versus representation-space attacks in machine learning, and reverse-engineering attacks that search over original-design spaces in hardware security (Lee et al., 2019).

Setting Nominal abstraction Effective or attacked space
QKD Alice’s qubit space Bob’s measured space and reversed space HPH^P
Android malware Feature-space attack Problem-space APK transformation
DRL State/observation-space attack Action space corresponding to actuators
ML transfer Input/data-space attack Representation-space attack
Hardware IP Protected transformed design TD0TD_0 Candidate original-design library OD\mathcal{OD} and transformed library TD\mathcal{TD}

A common misconception is that any attack involving “space” qualifies as a reversed-space attack. The literature is narrower. In the strict historical sense, the term belongs to QKD. In the broader interpretive sense, it refers to attacks that operate on the system’s effective operational space rather than the idealized space assumed by the defender. This is distinct from merely perturbing an input, and it is also distinct from attacks whose name happens to contain the word “space.”

2. Quantum-key-distribution origin

The canonical reversed-space attack arises because practical QKD receivers often do not measure an ideal 2-dimensional qubit space. Bob instead chooses a setting ss, applies a unitary, and measures in a basis spanning a larger measured space HBH^B. The paper defines the reversed space by reversing Bob’s measurement states in time: HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\}, after tracing out ancilla inaccessible to Eve (Gelles et al., 2011). The central claim is that security must be analyzed in this effective attack space, not only in Alice’s nominal qubit space.

The general Eve attack is written as

0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,

after which Bob applies his unitary and ancilla. The authors focus on “oblivious” attacks that create no bit errors and no invalid outcomes. If J0J_0 and HPH^P0 are Bob’s valid bit outcomes and HPH^P1, HPH^P2 denote loss or invalid sets, the zero-error condition is

HPH^P3

The main worked examples are interferometric BB84 variants implemented with a Mach–Zehnder interferometer. Alice’s ideal qubit is encoded in time bins HPH^P4 and HPH^P5, but Bob’s interferometer expands the input into six output modes HPH^P6. Reversing these measurement modes yields a larger time-bin attack space extending beyond Alice’s intended qubit, approximately from HPH^P7 through HPH^P8. In the full six-mode case, the authors show that Eve can map

HPH^P9

with orthogonal Eve states, so that Eve obtains full information once the basis is announced while Bob sees no errors. The only symptom is additional loss, which the protocol may accept as normal. In the simple attack instance reported, Bob’s valid detection probability drops to TD0TD_00 in the TD0TD_01-basis and TD0TD_02 in the TD0TD_03-basis, while Eve gains full information about surviving raw key bits.

The significance of this construction is twofold. First, it shows that even ideal devices can enlarge the operational Hilbert space; the vulnerability is not merely a consequence of hardware imperfection. Second, it makes the receiver’s measurement model, including time bins, vacuum states, ancillae, and detector interpretation rules, a first-class component of any security proof. Follow-up work cited in the paper extends a weaker variant of the method to both interferometric-based and polarization-based QKD.

3. Problem-space evasion in Android malware detection

In Android malware detection, the closest analogue to reversed-space attacks is the distinction between feature-space and problem-space evasion. If a malware sample is an entity TD0TD_04 and the feature extractor is TD0TD_05, then TD0TD_06. A problem-space evasion attack modifies the real APK to obtain TD0TD_07, which induces TD0TD_08; a feature-space attack instead directly changes TD0TD_09, corresponding only abstractly to OD\mathcal{OD}0 (Berger et al., 2022). The paper emphasizes that this inverse feature-mapping is often unrealistic or impossible because valid APK transformations must preserve functionality and respect APK structure, Smali code, manifest files, permissions, and control-flow constraints.

The evaluation is organized as iterative retraining. The defender’s optimization target is written as

OD\mathcal{OD}1

where OD\mathcal{OD}2 denotes the manipulated samples produced by the attack and OD\mathcal{OD}3 is classifier performance on those samples. The key comparison is between OD\mathcal{OD}4, retrained on a feature-space attack OD\mathcal{OD}5, and OD\mathcal{OD}6, retrained on the corresponding problem-space attack OD\mathcal{OD}7, both evaluated against the real problem-space attack OD\mathcal{OD}8. The models are Drebin, Drebin-DNN, and MaMaDroid; the attacks include Random SB, DroidChemeleon, Manifest-Based, Random MB, Random STB, Black-Hole Statistical STB, Coordinate Greedy, and Salt-and-Pepper.

The central empirical result is that the gap between feature-space retraining and problem-space retraining can be enormous. On MaMaDroid with RF, the original classifier had OD\mathcal{OD}9 evasion robustness against both STB attacks. Retraining on problem-space attacks yielded TD\mathcal{TD}0 robustness for Random STB and TD\mathcal{TD}1 for Black-Hole STB, while retraining on feature-space attacks yielded TD\mathcal{TD}2 robustness against both. The absolute gap therefore reached TD\mathcal{TD}3 percentage points. The appendix reports similarly large gaps for other MaMaDroid models, including TD\mathcal{TD}4 on 1NN and TD\mathcal{TD}5 on DT.

For Drebin and Drebin-DNN, the results are less extreme but directionally identical. On Drebin, problem-space retraining preserved high clean-data AUCs above TD\mathcal{TD}6 and generally dominated feature-space retraining. In the Random SB experiment, problem-space retraining achieved TD\mathcal{TD}7 evasion robustness, versus TD\mathcal{TD}8 for CG(F) and TD\mathcal{TD}9 for SP(F). For DroidChemeleon, the problem-space baseline was ss0, while feature-space retraining reached only ss1–ss2. The largest gaps occurred for manifest attacks: MB(P) reached ss3 while CG(F) and SP(F) reached ss4 and ss5; Random MB(P) reached ss6 while CG(F) and SP(F) reached ss7 and ss8. On Drebin-DNN, MB(P) reached ss9 versus HBH^B0–HBH^B1 for feature-space retraining, and Random MB(P) reached HBH^B2 versus HBH^B3–HBH^B4. In some cases feature-space retraining even lowered robustness by HBH^B5–HBH^B6 relative to the original classifier.

The paper also reports a more favorable result for cross-effectiveness among real problem-space attacks. On Drebin, retraining on MB improved robustness by HBH^B7 against Random MB, and retraining on Random MB improved robustness by HBH^B8 against MB. On Drebin-DNN, MB and Random MB again generalized best, with improvements such as HBH^B9 and HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},0. For MaMaDroid, retraining on Random STB or Black-Hole STB produced the same robustness against both attacks across all three reported models, with gains such as HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},1 and HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},2 for RF/1NN/3NN and HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},3 and HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},4 for DT.

The importance of this line of work is that it sharply separates mathematically convenient adversarial training from operationally realistic robustification. Feature-space attacks are easier to optimize, but the paper shows that they can be poor proxies for real APK-level transformations. In this literature, the “reversed-space” intuition is that the actual attack surface lies in the executable artifact rather than in its abstract feature vector.

4. Action-space attacks in deep reinforcement learning

In deep reinforcement learning, the relevant reversal is from attacking what the agent sees to attacking what the agent does. The agent acts in an environment obeying

HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},5

and the adversary intercepts the nominal action HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},6 and replaces it with HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},7, subject to budget constraints (Lee et al., 2019). The paper treats this as an action-space attack and emphasizes that, in cyber-physical systems, actions correspond to actuators.

Two white-box algorithms are introduced. The Myopic Action Space (MAS) attack greedily minimizes cumulative reward at each time step under a per-step perturbation budget HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},8. The Look-ahead Action Space (LAS) attack instead plans over a horizon HP=span{BsjB  :  s{1,,m}, jBHB},H^P = \mathrm{span}\left\{\,{}_{B_s}^\dagger |j\rangle_B \; :\; s\in\{1,\dots,m\},\ |j\rangle_B \in H^B \right\},9 using a mixed norm 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,0, where

0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,1

MAS distributes perturbation over action dimensions at the current step. LAS distributes perturbation across both action dimensions and future time steps by means of a receding-horizon strategy analogous to model predictive control. Algorithmically, MAS uses projected gradient descent, while LAS performs a virtual rollout in a copied adversarial environment, computes a sequence of perturbations over the horizon, projects their norms onto an 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,2-ball of radius 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,3, and then projects each perturbation onto its allocated per-step budget.

The experiments use continuous-control environments from OpenAI Gym—Lunar Lander, Bipedal Walker, Mujoco Hopper, Mujoco Half-Cheetah, and Mujoco Walker—and evaluate both PPO and DDQN agents. The main finding is consistent: under the same budget, LAS is generally more damaging than MAS. In Lunar Lander with PPO, LAS already degrades performance at low budgets where MAS may have weak effect; at higher budgets both attacks are harmful, but LAS remains more damaging. Increasing the horizon 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,4 while keeping the same total budget 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,5 can dilute individual perturbations, so shorter horizons can sometimes be stronger.

A further result is that the attack budget is not distributed uniformly across action dimensions. In Lunar Lander, LAS concentrates more heavily on the Up-Down thrust dimension than on the Left-Right dimension. Similar concentration appears on specific joints in Bipedal Walker. The authors interpret this as vulnerability analysis rather than brute-force noise injection: the attack identifies vulnerable control channels and time windows by exploiting the agent’s dynamics. In the present encyclopedia framing, this is a reversed-space variant because the attack targets the output side of the perception-action loop rather than the observation side.

5. Representation-space and latent-space variants in machine learning

A related but distinct development appears in work that separates attacks in shared input space from attacks in model-specific representation space. One paper formalizes a network as

0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,6

and contrasts a data-space attack, which perturbs 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,7, with a representation-space attack, which perturbs 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,8 (Gupta et al., 1 Oct 2025). For a second model with 0EψP=iαi0EiP    i,kαiϵi,kEi,kEkP,|0\rangle_E |\psi\rangle_P = \sum_i \alpha_i |0\rangle_E |i\rangle_P \;\longrightarrow\; \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P ,9 and J0J_00, data-space attacks transfer exactly in the toy setting because both models compute the same function on the same perturbed input. Representation-space attacks transfer only under the geometric compatibility condition

J0J_01

The paper defines a transfer ratio

J0J_02

and shows that large transfer decays exponentially with dimension under a random orthogonal mismatch model.

Empirically, this distinction is evaluated in four settings. On CIFAR-10, universal perturbations constructed on latent layers of ResNet18 classifiers succeed on the attacked model but transfer poorly to held-out ResNet18s, except for weak transfer from very early layers. In LLMs, 80-token soft prompt jailbreaks succeed on the attacked model but usually fail to transfer to unrelated models with the same hidden dimension. By contrast, data-space attacks against vision-LLMs, implemented as textual universal suffixes, transfer strongly across 16 Prismatic adapter-style VLMs, reaching up to J0J_03 ASR on some transfer models. Representation-space attacks can transfer when latent geometries are aligned: for finetuned Llama3-3B checkpoints, AvgCosine exceeds J0J_04 and CKA exceeds J0J_05, and soft prompt attacks then transfer well.

This line of work sharpens the broader reversed-space intuition by identifying a domain mismatch. The attacker may be effective in a source model’s internal space yet fail to generalize because that space is not shared. The conclusion is not that representation-space attacks are weak, but that they are usually model-specific unless post-projector or hidden-state geometry is sufficiently aligned.

A more constructive latent-space attack appears in a GAN-based encoder-decoder method that injects perturbations in feature space rather than imposing explicit J0J_06-bounded pixel noise (Shukla et al., 2023). The generator J0J_07 produces J0J_08, the discriminator J0J_09 is a ResNet-18 classifier, and the optimization jointly enforces attack success and image similarity via HPH^P00 and HPH^P01 losses. The method reports targeted ASR averages of HPH^P02 on MNIST and HPH^P03 on CIFAR-10, untargeted ASR averages of HPH^P04 on MNIST and HPH^P05 on CIFAR-10, and targeted ASRs of HPH^P06 on Fashion-MNIST, HPH^P07 on CIFAR-100, and HPH^P08 on Stanford Dogs. On MNIST, the reported SSIM and PSNR are HPH^P09 and HPH^P10 for untargeted attacks, and HPH^P11 and HPH^P12 for targeted attacks. The paper interprets the attack geometrically as movement between class regions in latent space. Here again, the exact phrase “reversed-space attack” is not used, but the attack is explicitly organized around hidden representation rather than visible input.

6. Reverse-engineering and reconstructed-space attacks in hardware and systems

In hardware security, reversed-space reasoning often takes the form of reconstructing an origin space from a protected or physically realized artifact. Library-Attack starts from a protected transformed design HPH^P13, extracts HPH^P14, HPH^P15, and HPH^P16 features from a hypergraph representation, builds a candidate original-design library HPH^P17, applies the same countermeasure to each candidate to obtain transformed variants HPH^P18, and then uses structural comparison to populate a similarity matrix HPH^P19 (Dasgupta et al., 21 Jan 2025). The attack evaluates transformed ISCAS89 traffic-light controllers HPH^P20 and HPH^P21 against a five-design candidate library under 128-bit XOR Locking and 128-bit LUT Obfuscation. In both cases, the true original design HPH^P22 is recovered. The method therefore attacks provenance rather than merely functionality: it asks which known design most likely generated the protected design.

SCARE targets RRAM-based in-memory computing architectures such as DCIM and MAGIC through non-invasive power and timing side channels rather than invasive teardown (Ensan et al., 2020). The attack builds reference models of gate signatures, uses current polarity and distributional statistics in DCIM, and uses operation time and current in MAGIC to identify gate type and fanin. The paper states that OR and AND operation times in MAGIC differ by HPH^P23 to HPH^P24, and that for the function HPH^P25, SCARE reduces the number of required input patterns by HPH^P26 relative to brute force. It also proposes countermeasures: redundant inputs can mask the IP with HPH^P27 area and HPH^P28 power overhead, while expansion of literals incurs HPH^P29 power overhead and increases reverse-engineering effort by HPH^P30. The essential reversal is that hidden Boolean structure is inferred from external physical signatures.

AVX timing side-channel attacks against ASLR exhibit a similar reconstructive logic at the memory-layout level (Choi et al., 2023). Masked load/store instructions suppress faults when the relevant elements are masked out, yet their execution time varies with mapping, permission, page-table level, and TLB state. This lets an unprivileged local attacker probe candidate addresses and classify them as mapped or unmapped. On Linux KASLR, where the kernel image has 512 possible 2 MiB-aligned offsets, the paper reports recovery of base address HPH^P31 with no false positives across 10 reboots, about HPH^P32 ms total runtime, and HPH^P33 average accuracy over 10,000 trials. Kernel modules are identified with HPH^P34 accuracy in about HPH^P35 ms. The attack also extends to cloud instances, Windows, and SGX enclaves. Although the original QKD formalism is absent, the structure is analogous: the hidden space is reconstructed indirectly from the side effects of the system’s actual operational implementation.

7. Adjacent uses, misconceptions, and broader significance

Two nearby literatures are relevant mainly as boundary cases. The paper “Single Character Perturbations Break LLM Alignment” studies a jailbreak created by appending a single trailing space to the end of a chat template (Lin et al., 2024). It reports ASRs such as HPH^P36 for Vicuna-7B and Guanaco-7B, HPH^P37 for Falcon-7B, HPH^P38 for Mistral-7B, HPH^P39 for ChatGLM-6B, and near-zero effect for Llama-2-7B, Llama-2-13B, and Llama-3-8B. This is a space-character attack, not a reversed-space attack in the original sense. Its relevance is terminological and conceptual: a tiny formatting perturbation at the template boundary can shift the effective token-level context and override refusal behavior. Likewise, the taxonomy of attacks against space infrastructures does not define a formal class called reversed-space attacks; instead, it organizes attacks by objective, capability, entry point, and impact point, thereby capturing reverse-direction patterns such as ground-to-space cyber attacks and link-to-user GNSS deception without using the term itself (Remy et al., 14 Dec 2025).

These boundary cases clarify what reversed-space attacks are not. They are not simply attacks involving whitespace, and they are not simply attacks against outer space. The unifying concept is an attack path that becomes visible only when the defender models the system’s effective operational space rather than its ideal interface.

Across the cited literatures, a common pattern emerges. Bob’s interferometer enlarges the Hilbert space in QKD; APK functionality constraints make problem-space attacks the relevant space in Android malware; actuators define the operative action space in cyber-physical DRL; latent geometry determines whether representation-space attacks transfer; protected netlists leak design provenance when compared against transformed candidate libraries; physical current and timing signatures reveal hidden IMC logic; and masked AVX instructions expose hidden address layouts. This suggests that reversed-space attacks are best understood not as a single attack primitive, but as a recurring methodological shift: the attacker moves from the nominal object of protection to the larger, implementation-defined space that actually controls outcomes.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Reversed-Space Attacks.