Reversed-Space Attacks in QKD & Cybersecurity
- Reversed-space attacks are exploits that target the actual operational space—expanded by measurement, actuation, or representation—rather than the idealized nominal interface.
- They demonstrate, for example in QKD and Android malware detection, how reversing system transformations can yield full information leakage or dramatically reduce model robustness.
- The practical implications span quantum communications, deep learning, reinforcement learning, and hardware security, urging defenses to incorporate real-world device behaviors into security proofs.
Searching arXiv for relevant papers on reversed-space attacks and adjacent uses of the concept. Reversed-space attacks are attacks that exploit the difference between a system’s nominal security abstraction and the larger or different operational space actually exposed by its implementation. In the strict sense, the term was introduced for quantum key distribution (QKD), where Bob’s measurement apparatus enlarges the effective Hilbert space and the attacker derives the exploitable subspace by reversing Bob’s measurement transformation in time (Gelles et al., 2011). In later literature, the exact phrase is not always used, but closely related constructions recur in Android malware detection, deep reinforcement learning, hardware reverse engineering, side-channel analysis, and representation-space machine learning attacks. This broader usage suggests an encyclopedia-level family resemblance: the attack does not primarily target the advertised interface, but the effective space induced by measurement, actuation, representation, transformation, or physical realization (Berger et al., 2022).
1. Terminological core and scope
In the original QKD formulation, a reversed-space attack is defined by Bob’s enlarged measured space and the corresponding reversed space , which captures the incoming states that can influence Bob’s outcomes (Gelles et al., 2011). In several later domains, the same structural idea appears under different names: feature-space versus problem-space attacks in Android malware, state-space versus action-space attacks in reinforcement learning, data-space versus representation-space attacks in machine learning, and reverse-engineering attacks that search over original-design spaces in hardware security (Lee et al., 2019).
| Setting | Nominal abstraction | Effective or attacked space |
|---|---|---|
| QKD | Alice’s qubit space | Bob’s measured space and reversed space |
| Android malware | Feature-space attack | Problem-space APK transformation |
| DRL | State/observation-space attack | Action space corresponding to actuators |
| ML transfer | Input/data-space attack | Representation-space attack |
| Hardware IP | Protected transformed design | Candidate original-design library and transformed library |
A common misconception is that any attack involving “space” qualifies as a reversed-space attack. The literature is narrower. In the strict historical sense, the term belongs to QKD. In the broader interpretive sense, it refers to attacks that operate on the system’s effective operational space rather than the idealized space assumed by the defender. This is distinct from merely perturbing an input, and it is also distinct from attacks whose name happens to contain the word “space.”
2. Quantum-key-distribution origin
The canonical reversed-space attack arises because practical QKD receivers often do not measure an ideal 2-dimensional qubit space. Bob instead chooses a setting , applies a unitary, and measures in a basis spanning a larger measured space . The paper defines the reversed space by reversing Bob’s measurement states in time: after tracing out ancilla inaccessible to Eve (Gelles et al., 2011). The central claim is that security must be analyzed in this effective attack space, not only in Alice’s nominal qubit space.
The general Eve attack is written as
after which Bob applies his unitary and ancilla. The authors focus on “oblivious” attacks that create no bit errors and no invalid outcomes. If and 0 are Bob’s valid bit outcomes and 1, 2 denote loss or invalid sets, the zero-error condition is
3
The main worked examples are interferometric BB84 variants implemented with a Mach–Zehnder interferometer. Alice’s ideal qubit is encoded in time bins 4 and 5, but Bob’s interferometer expands the input into six output modes 6. Reversing these measurement modes yields a larger time-bin attack space extending beyond Alice’s intended qubit, approximately from 7 through 8. In the full six-mode case, the authors show that Eve can map
9
with orthogonal Eve states, so that Eve obtains full information once the basis is announced while Bob sees no errors. The only symptom is additional loss, which the protocol may accept as normal. In the simple attack instance reported, Bob’s valid detection probability drops to 0 in the 1-basis and 2 in the 3-basis, while Eve gains full information about surviving raw key bits.
The significance of this construction is twofold. First, it shows that even ideal devices can enlarge the operational Hilbert space; the vulnerability is not merely a consequence of hardware imperfection. Second, it makes the receiver’s measurement model, including time bins, vacuum states, ancillae, and detector interpretation rules, a first-class component of any security proof. Follow-up work cited in the paper extends a weaker variant of the method to both interferometric-based and polarization-based QKD.
3. Problem-space evasion in Android malware detection
In Android malware detection, the closest analogue to reversed-space attacks is the distinction between feature-space and problem-space evasion. If a malware sample is an entity 4 and the feature extractor is 5, then 6. A problem-space evasion attack modifies the real APK to obtain 7, which induces 8; a feature-space attack instead directly changes 9, corresponding only abstractly to 0 (Berger et al., 2022). The paper emphasizes that this inverse feature-mapping is often unrealistic or impossible because valid APK transformations must preserve functionality and respect APK structure, Smali code, manifest files, permissions, and control-flow constraints.
The evaluation is organized as iterative retraining. The defender’s optimization target is written as
1
where 2 denotes the manipulated samples produced by the attack and 3 is classifier performance on those samples. The key comparison is between 4, retrained on a feature-space attack 5, and 6, retrained on the corresponding problem-space attack 7, both evaluated against the real problem-space attack 8. The models are Drebin, Drebin-DNN, and MaMaDroid; the attacks include Random SB, DroidChemeleon, Manifest-Based, Random MB, Random STB, Black-Hole Statistical STB, Coordinate Greedy, and Salt-and-Pepper.
The central empirical result is that the gap between feature-space retraining and problem-space retraining can be enormous. On MaMaDroid with RF, the original classifier had 9 evasion robustness against both STB attacks. Retraining on problem-space attacks yielded 0 robustness for Random STB and 1 for Black-Hole STB, while retraining on feature-space attacks yielded 2 robustness against both. The absolute gap therefore reached 3 percentage points. The appendix reports similarly large gaps for other MaMaDroid models, including 4 on 1NN and 5 on DT.
For Drebin and Drebin-DNN, the results are less extreme but directionally identical. On Drebin, problem-space retraining preserved high clean-data AUCs above 6 and generally dominated feature-space retraining. In the Random SB experiment, problem-space retraining achieved 7 evasion robustness, versus 8 for CG(F) and 9 for SP(F). For DroidChemeleon, the problem-space baseline was 0, while feature-space retraining reached only 1–2. The largest gaps occurred for manifest attacks: MB(P) reached 3 while CG(F) and SP(F) reached 4 and 5; Random MB(P) reached 6 while CG(F) and SP(F) reached 7 and 8. On Drebin-DNN, MB(P) reached 9 versus 0–1 for feature-space retraining, and Random MB(P) reached 2 versus 3–4. In some cases feature-space retraining even lowered robustness by 5–6 relative to the original classifier.
The paper also reports a more favorable result for cross-effectiveness among real problem-space attacks. On Drebin, retraining on MB improved robustness by 7 against Random MB, and retraining on Random MB improved robustness by 8 against MB. On Drebin-DNN, MB and Random MB again generalized best, with improvements such as 9 and 0. For MaMaDroid, retraining on Random STB or Black-Hole STB produced the same robustness against both attacks across all three reported models, with gains such as 1 and 2 for RF/1NN/3NN and 3 and 4 for DT.
The importance of this line of work is that it sharply separates mathematically convenient adversarial training from operationally realistic robustification. Feature-space attacks are easier to optimize, but the paper shows that they can be poor proxies for real APK-level transformations. In this literature, the “reversed-space” intuition is that the actual attack surface lies in the executable artifact rather than in its abstract feature vector.
4. Action-space attacks in deep reinforcement learning
In deep reinforcement learning, the relevant reversal is from attacking what the agent sees to attacking what the agent does. The agent acts in an environment obeying
5
and the adversary intercepts the nominal action 6 and replaces it with 7, subject to budget constraints (Lee et al., 2019). The paper treats this as an action-space attack and emphasizes that, in cyber-physical systems, actions correspond to actuators.
Two white-box algorithms are introduced. The Myopic Action Space (MAS) attack greedily minimizes cumulative reward at each time step under a per-step perturbation budget 8. The Look-ahead Action Space (LAS) attack instead plans over a horizon 9 using a mixed norm 0, where
1
MAS distributes perturbation over action dimensions at the current step. LAS distributes perturbation across both action dimensions and future time steps by means of a receding-horizon strategy analogous to model predictive control. Algorithmically, MAS uses projected gradient descent, while LAS performs a virtual rollout in a copied adversarial environment, computes a sequence of perturbations over the horizon, projects their norms onto an 2-ball of radius 3, and then projects each perturbation onto its allocated per-step budget.
The experiments use continuous-control environments from OpenAI Gym—Lunar Lander, Bipedal Walker, Mujoco Hopper, Mujoco Half-Cheetah, and Mujoco Walker—and evaluate both PPO and DDQN agents. The main finding is consistent: under the same budget, LAS is generally more damaging than MAS. In Lunar Lander with PPO, LAS already degrades performance at low budgets where MAS may have weak effect; at higher budgets both attacks are harmful, but LAS remains more damaging. Increasing the horizon 4 while keeping the same total budget 5 can dilute individual perturbations, so shorter horizons can sometimes be stronger.
A further result is that the attack budget is not distributed uniformly across action dimensions. In Lunar Lander, LAS concentrates more heavily on the Up-Down thrust dimension than on the Left-Right dimension. Similar concentration appears on specific joints in Bipedal Walker. The authors interpret this as vulnerability analysis rather than brute-force noise injection: the attack identifies vulnerable control channels and time windows by exploiting the agent’s dynamics. In the present encyclopedia framing, this is a reversed-space variant because the attack targets the output side of the perception-action loop rather than the observation side.
5. Representation-space and latent-space variants in machine learning
A related but distinct development appears in work that separates attacks in shared input space from attacks in model-specific representation space. One paper formalizes a network as
6
and contrasts a data-space attack, which perturbs 7, with a representation-space attack, which perturbs 8 (Gupta et al., 1 Oct 2025). For a second model with 9 and 0, data-space attacks transfer exactly in the toy setting because both models compute the same function on the same perturbed input. Representation-space attacks transfer only under the geometric compatibility condition
1
The paper defines a transfer ratio
2
and shows that large transfer decays exponentially with dimension under a random orthogonal mismatch model.
Empirically, this distinction is evaluated in four settings. On CIFAR-10, universal perturbations constructed on latent layers of ResNet18 classifiers succeed on the attacked model but transfer poorly to held-out ResNet18s, except for weak transfer from very early layers. In LLMs, 80-token soft prompt jailbreaks succeed on the attacked model but usually fail to transfer to unrelated models with the same hidden dimension. By contrast, data-space attacks against vision-LLMs, implemented as textual universal suffixes, transfer strongly across 16 Prismatic adapter-style VLMs, reaching up to 3 ASR on some transfer models. Representation-space attacks can transfer when latent geometries are aligned: for finetuned Llama3-3B checkpoints, AvgCosine exceeds 4 and CKA exceeds 5, and soft prompt attacks then transfer well.
This line of work sharpens the broader reversed-space intuition by identifying a domain mismatch. The attacker may be effective in a source model’s internal space yet fail to generalize because that space is not shared. The conclusion is not that representation-space attacks are weak, but that they are usually model-specific unless post-projector or hidden-state geometry is sufficiently aligned.
A more constructive latent-space attack appears in a GAN-based encoder-decoder method that injects perturbations in feature space rather than imposing explicit 6-bounded pixel noise (Shukla et al., 2023). The generator 7 produces 8, the discriminator 9 is a ResNet-18 classifier, and the optimization jointly enforces attack success and image similarity via 00 and 01 losses. The method reports targeted ASR averages of 02 on MNIST and 03 on CIFAR-10, untargeted ASR averages of 04 on MNIST and 05 on CIFAR-10, and targeted ASRs of 06 on Fashion-MNIST, 07 on CIFAR-100, and 08 on Stanford Dogs. On MNIST, the reported SSIM and PSNR are 09 and 10 for untargeted attacks, and 11 and 12 for targeted attacks. The paper interprets the attack geometrically as movement between class regions in latent space. Here again, the exact phrase “reversed-space attack” is not used, but the attack is explicitly organized around hidden representation rather than visible input.
6. Reverse-engineering and reconstructed-space attacks in hardware and systems
In hardware security, reversed-space reasoning often takes the form of reconstructing an origin space from a protected or physically realized artifact. Library-Attack starts from a protected transformed design 13, extracts 14, 15, and 16 features from a hypergraph representation, builds a candidate original-design library 17, applies the same countermeasure to each candidate to obtain transformed variants 18, and then uses structural comparison to populate a similarity matrix 19 (Dasgupta et al., 21 Jan 2025). The attack evaluates transformed ISCAS89 traffic-light controllers 20 and 21 against a five-design candidate library under 128-bit XOR Locking and 128-bit LUT Obfuscation. In both cases, the true original design 22 is recovered. The method therefore attacks provenance rather than merely functionality: it asks which known design most likely generated the protected design.
SCARE targets RRAM-based in-memory computing architectures such as DCIM and MAGIC through non-invasive power and timing side channels rather than invasive teardown (Ensan et al., 2020). The attack builds reference models of gate signatures, uses current polarity and distributional statistics in DCIM, and uses operation time and current in MAGIC to identify gate type and fanin. The paper states that OR and AND operation times in MAGIC differ by 23 to 24, and that for the function 25, SCARE reduces the number of required input patterns by 26 relative to brute force. It also proposes countermeasures: redundant inputs can mask the IP with 27 area and 28 power overhead, while expansion of literals incurs 29 power overhead and increases reverse-engineering effort by 30. The essential reversal is that hidden Boolean structure is inferred from external physical signatures.
AVX timing side-channel attacks against ASLR exhibit a similar reconstructive logic at the memory-layout level (Choi et al., 2023). Masked load/store instructions suppress faults when the relevant elements are masked out, yet their execution time varies with mapping, permission, page-table level, and TLB state. This lets an unprivileged local attacker probe candidate addresses and classify them as mapped or unmapped. On Linux KASLR, where the kernel image has 512 possible 2 MiB-aligned offsets, the paper reports recovery of base address 31 with no false positives across 10 reboots, about 32 ms total runtime, and 33 average accuracy over 10,000 trials. Kernel modules are identified with 34 accuracy in about 35 ms. The attack also extends to cloud instances, Windows, and SGX enclaves. Although the original QKD formalism is absent, the structure is analogous: the hidden space is reconstructed indirectly from the side effects of the system’s actual operational implementation.
7. Adjacent uses, misconceptions, and broader significance
Two nearby literatures are relevant mainly as boundary cases. The paper “Single Character Perturbations Break LLM Alignment” studies a jailbreak created by appending a single trailing space to the end of a chat template (Lin et al., 2024). It reports ASRs such as 36 for Vicuna-7B and Guanaco-7B, 37 for Falcon-7B, 38 for Mistral-7B, 39 for ChatGLM-6B, and near-zero effect for Llama-2-7B, Llama-2-13B, and Llama-3-8B. This is a space-character attack, not a reversed-space attack in the original sense. Its relevance is terminological and conceptual: a tiny formatting perturbation at the template boundary can shift the effective token-level context and override refusal behavior. Likewise, the taxonomy of attacks against space infrastructures does not define a formal class called reversed-space attacks; instead, it organizes attacks by objective, capability, entry point, and impact point, thereby capturing reverse-direction patterns such as ground-to-space cyber attacks and link-to-user GNSS deception without using the term itself (Remy et al., 14 Dec 2025).
These boundary cases clarify what reversed-space attacks are not. They are not simply attacks involving whitespace, and they are not simply attacks against outer space. The unifying concept is an attack path that becomes visible only when the defender models the system’s effective operational space rather than its ideal interface.
Across the cited literatures, a common pattern emerges. Bob’s interferometer enlarges the Hilbert space in QKD; APK functionality constraints make problem-space attacks the relevant space in Android malware; actuators define the operative action space in cyber-physical DRL; latent geometry determines whether representation-space attacks transfer; protected netlists leak design provenance when compared against transformed candidate libraries; physical current and timing signatures reveal hidden IMC logic; and masked AVX instructions expose hidden address layouts. This suggests that reversed-space attacks are best understood not as a single attack primitive, but as a recurring methodological shift: the attacker moves from the nominal object of protection to the larger, implementation-defined space that actually controls outcomes.