Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Controllers

The interest in quantum computing has grown rapidly in recent years, and with it grows the importance of securing quantum circuits. A novel type of threat to quantum circuits that dedicated attackers could launch is the power trace attack. To address this threat, this paper presents the first formalization and demonstration of using power traces to unlock and steal quantum circuit secrets. With access to power traces, attackers can recover information about the control pulses sent to quantum computers. From the control pulses, the gate-level description of the circuits, and eventually the secret algorithms, can be reverse engineered. This work demonstrates how and what information could be recovered. This work uses algebraic reconstruction from power traces to realize two new types of single trace attacks: per-channel and total power attacks. The former attack relies on per-channel measurements to perform a brute-force attack to reconstruct the quantum circuits. The latter attack performs a single-trace attack using Mixed-Integer Linear Programming optimization. Through the use of algebraic reconstruction, this work demonstrates that quantum circuit secrets can be stolen with high accuracy. Evaluation on 32 real benchmark quantum circuits shows that our technique is highly effective at reconstructing quantum circuits. The findings not only show the veracity of the potential attacks, but also the need to develop new means to protect quantum circuits from power trace attacks. Throughout this work, real control pulse information from real quantum computers is used to demonstrate potential attacks based on simulation of the collection of power traces.


Introduction
The interest in quantum computing is growing rapidly and already a large number of quantum computers are easily accessible over the internet to researchers and everyday users. Due to the expensive nature of the quantum computing equipment, these computers are currently available as cloud-based systems. For example, IBM Quantum [IBM23], Amazon Braket [Ama23], and Microsoft Azure [Mic23] already provide access to various types of Noisy Intermediate-Scale Quantum (NISQ) devices from different vendors. Remote access makes it easy for different users and companies to run algorithms on real quantum computers without the need to purchase or maintain them. On the other hand, the users have no control over the physical space where the quantum computers are. While the cloud providers may not be themselves malicious, the threat of malicious insiders within data centers or cloud computing facilities is well-known in classical security [SJPBL14]. These malicious insiders may have physical access to the equipment of quantum computers. With access to the quantum computers and the microwave controllers, malicious insiders could leverage physically collected information to steal or leak the quantum circuit secrets.
For classical computers, side-channel attacks of different types are a well-known threat [Sze18]. Two widely studied and analyzed side-channels are timing- and power-based channels. There are also thermal, EM, acoustic, and a variety of other categories of side-channels. In timing side-channel attacks the attacker is trying to learn some secret properties about the circuit by measuring the execution times. Timing attacks are powerful enough in classical computers to break the implementation of standard cryptographic primitives, such as DSA, RSA or Diffie-Hellman [Koc96]. Timing side-channels are easier to exploit as they only require doing timing measurement of the victim. Power side-channel attacks are more convoluted attacks, where the attacker tries to establish a correlation between the power consumption and the operations and data that the circuit executes. Kocher et al. [KJJ99] showed how to reconstruct the encryption keys in the Data Encryption Standard (DES) using a power consumption analysis. Power attacks require physical access to monitor the execution of the target computer.
Power side channels are well studied for classical computers [EPMS23, PR13, WSRW21, ABB+21, BDM+20, ABP19, WSW19, BCHC18, BYT17, BRN+13, EW14, MOPT12]. There are even platforms [OC14] for analyzing power side channels. However, understanding power side channels for quantum computers has not been explored yet, which this work aims to address. We show how a malicious attacker can reconstruct a secret quantum circuit that is being executed, by simply measuring the power consumption.
There is very limited research on understanding power side-channel attacks on quantum computers [XES23b]. One insight about quantum computers is that if the attacker is to perform physical measurements on the qubits during the computation, these measurements would interact with the qubits and destroy their state. However, we observe that each quantum computer is controlled by external hardware such as microwave electronics and controllers. Quantum computers, such as superconducting qubit machines from IBM, Rigetti, or others, use microwave pulses to execute gate operations on qubits. The control pulses are fully classical and could be spied on, which is the target of this work.
This paper shows how, by measuring the power consumption of the controller devices sending microwave pulses to a quantum computer, we can recover a potentially secret quantum circuit that the quantum computer executed. We show that anybody with access to power traces of the control pulse generation devices can capture and recover the control information. While this work explores power-based side-channels, the same or similar ideas could apply to electromagnetic (EM) or other types of physical side-channels. This is left as orthogonal work.

Power Side-Channel Threats to Quantum Computers
Figure 1 shows the operation of today's cloud-based quantum computers. Remote users submit jobs to the cloud provider, where the job management or similar server dispatches the jobs to particular quantum computers, also called backends on IBM Quantum. Typically the digital instructions are sent to controller logic, such as microwave electronics, which generate the actual analog control signals sent to the quantum computer.
We assume that the classical computer components, e.g., the job management server, are protected from side-channels. Meanwhile, controller electronics of quantum computers, such as arbitrary waveform generators (AWGs), have not been analyzed for potential side-channels before this work. Consequently, we focus on and demonstrate potential new power side-channel attacks that could be used to extract information about users' quantum circuits (quantum gates and qubits). Rather than targeting the superconducting qubits themselves (which are isolated in a cryogenic refrigerator), we focus on the controller electronics shown in the middle of Figure 1.
The vulnerabilities in quantum computer controllers encompass more than just gate recovery. An attacker might discern the number of qubits used in a quantum program, a significant concern for algorithms like the Quantum Approximate Optimization Algorithm (QAOA) [CK19]. Variational quantum algorithms [CAB+21] are notably sensitive to qubit count and circuit depth. Extracting such hyperparameters can reveal crucial information about the algorithm. Moreover, given the current state of quantum computing where inputs are hard-coded, an attacker could potentially extract sensitive input data from the circuit.
Our primary focus is to protect the intellectual property embedded in quantum programs. Quantum circuits encapsulate both the algorithm and its inputs. An attacker capable of recovering parts of the quantum circuit can misappropriate this intellectual property or sensitive data. This concern amplifies when quantum programs run on external quantum computers. A recent workshop by The National Quantum Coordination Office underscored this issue, emphasizing the role of formal methods in enhancing quantum computing security [Off22]. Our research aligns with this perspective, pioneering the use of formal methods for quantum circuit recovery.

Lessons from Historical Technological Threats
The significance of vulnerabilities in quantum computer controllers cannot be overstated, considering the ongoing evolution of technological advancements and their inherent risks. For perspective, speculative execution attacks in classical computers were not recognized as threats until 2018 [LSG+20, KHF+20], despite having been operational since the commercialization of the technology by IBM and Intel in the 1990s. This delay between innovation and the identification of vulnerabilities underscores the necessity for proactive security measures.
In the context of quantum computers, addressing vulnerabilities in their infancy is crucial, even as the field continues to develop. Our research delves into these potential risks, emphasizing the importance of safeguarding quantum computing systems.
Drawing from past lessons, unchecked technological vulnerabilities can culminate in substantial security breaches. As cache attacks emerged long after caches were invented, a similar oversight with quantum computers could be costly. It's imperative to address these challenges proactively, ensuring quantum computing's advancement aligns with rigorous security protocols.

Contributions
Compared to the work by Xu et al. [XES23b], our work provides a formalization of the power side channel attack. Additionally, we also present a novel algebraic reconstruction method for recovery of quantum circuits. There are two reconstruction methods that we introduce; those methods depend on the attackers' abilities. In the per-channel method we assume that the attacker collects power traces from individual qubit channels. Meanwhile, in our total power single trace method we assume the attacker can only measure the total power trace of all channels.
We have empirically evaluated our approach for 32 benchmark quantum circuits. The evaluation shows that our technique is highly effective at reconstructing quantum circuits. In summary, the paper contributes the following:
• The first formalization of power side channel attacks on complete reconstruction of quantum circuits from power traces, which is given in Section 4.
• Demonstration of circuit reconstruction using our new per-channel single trace attack: this attack relies on single-shot per-channel measurements to perform a brute-force attack to reconstruct the quantum circuits, which is given in Section 5.1.
• Demonstration of circuit reconstruction using our new single-shot total power side-channel attack: this attack relies on a single power side-channel measurement and performs the attack using Linear Mixed Integer Real Arithmetic (LIRA) solving and Mixed-Integer Linear Programming (MILP) optimization, which is given in Section 5.2.
• Details of the evaluation of the attacks on 32 real quantum circuits in the QASMBench benchmark suite [LSKA22], using control pulse information from real IBM quantum computers, which is given in Section 6.

Background
This section provides background on quantum computers and typical quantum computer workflow.

Qubits and Quantum States
The most essential component of quantum computing is the quantum bit, or qubit for short.

Quantum Gates
The fundamental quantum operations at the logic-level are quantum gates, which are comparable to those in classical computing. Quantum algorithms are made up of a series of quantum gates that can convert input qubits into different quantum states. Quantum gates are unitary operations that modify the input qubits, i.e., for a quantum gate $U$ that is applied to a quantum state $|\psi\rangle$, the quantum state is evolved to $|\psi\rangle \to U|\psi\rangle$, and With the vector-matrix representation, $2^n \times 2^n$ matrices can be utilized to express $n$-qubit quantum gates.
One classical example is the gate that is analogous to the NOT gate in classical computing, the Pauli-X gate, that exchanges the components of $|0\rangle$ and $|1\rangle$. Another significant example is the two-qubit CNOT gate, also known as the CX gate, which, if the control qubit is in the state $|1\rangle$, applies a Pauli-X gate to the target qubit; otherwise, nothing happens. There are some more quantum gates along with their matrix representations. One thing to keep in mind is that our qubit order is consistent with that in Qiskit [Qis23], where the leftmost qubit is the most significant and the rightmost qubit is the least significant. As a result, if a different qubit order is used in other studies, the CX gate may have a different matrix representation. Below we show several matrices of quantum gates:
A small number of quantum gates can be used to approximate any unitary quantum gate within a small error, as shown in the study [DBE95]. One of the crucial configurations of quantum computers is the basis gates, also known as native gates. Different manufacturers or even various versions of quantum computers from the same manufacturer may have different native gates. The choice of supporting different types of basis gates is a trade-off between numerous attributes like error rate and efficiency. Our experiments in this study were done on IBM Quantum, and typically the basis gates provided by IBM quantum computers are: I, RZ, SX, X, and CX. Prior to being executed on physical quantum computing hardware, quantum gates such as the commonly utilized Hadamard gate need to be broken down into these basis gates.

Control Pulses
Microwave pulses are typically used to control superconducting qubits. The right control pulses corresponding to each basis gate must be generated and supplied to the quantum computer in order for it to execute each basis gate. Figure 3 displays examples of control pulses for the SX, X, and CX gates. The I gate on IBM Quantum has no effect and is effectively just a delay between pulses. In addition, the RZ gate is a virtual gate without an actual pulse. Typically, the envelope, frequency, and phase together characterize a pulse. In the case of the superconducting qubit control, the frequency and phase specify the carrier signal that is to be modulated by the lower-frequency envelope signal. The local oscillator (LO) generates the low phase-noise microwave carrier signal. The envelope specifies the shape of the signal that is created by the arbitrary waveform generator (AWG). The envelope signal is mixed with the carrier signal and the result is transmitted to the qubit or couplings to drive operation of the quantum computer. Figure 2 displays the standard devices for driving the qubits.
Despite the fact that envelopes can have any design, they are often parameterized by a few preset forms, requiring a minimal number of parameters to specify the envelope. These factors often include duration, which indicates how long the pulse is, amplitude, which indicates how strong the pulse is, and other parameters, which determine the pulse's structure. For instance, the Derivative Removal by Adiabatic Gate (DRAG) pulse is a standard Gaussian pulse with an additional Gaussian derivative component and lifting applied. It is defined by sigma, which specifies how wide or narrow the Gaussian peak is, and beta, which specifies the correction amplitude, as well as the duration and amplitude. Another illustration is the Gaussian square pulse, which is a square pulse with a rise-fall in the shape of a Gaussian on each side that has been raised such that its initial sample is zero. It is parameterized by sigma, which determines the width of the Gaussian rise-fall, the width of the embedded square pulse, and the ratio of the duration of each rise-fall to sigma, in addition to the duration and amplitude.
All native gates on IBM Quantum have predetermined pulses, and calibrations are used periodically to adjust their parameters so they can continue to operate with high fidelity over time.

Pulse-Level Circuit Description
To completely define a quantum circuit, all necessary pulses must be specified, together with their timing in relation to the circuits' beginning point and the qubits to which they will be applied. A sequence of pulses (each defined by envelope, frequency, and phase) and the qubits or couplings they operate on effectively defines a so-called pulse-level circuit description. The superconducting quantum computer control equipment generates and delivers the pulses through RF cables to the cryogenic fridge wherein the qubits and couplings are located.


Running Circuits on Quantum Computers
In Figure 4, we demonstrate a typical Qiskit example on IBM Quantum for running quantum circuits. The quantum circuits are typically represented as code, as shown by QASM Circuit Specification or Qiskit Circuit Specification in Figure 4. Similar to classical computing, quantum circuits typically consist of complex instructions. The preparation, compilation, and assembly processes used for classical computing programs are analogous to the activities needed to convert quantum circuits into low-level and hardware-specific instructions before they can actually be executed on quantum computers. To be more precise, while there can be infinite ways to describe a quantum circuit with the same goal, ultimately only the native gates that are supported by the quantum computer need to be used. As a result, typically the input circuit specification is translated into a "Gate-Level Circuit", as shown in Figure 4. Gate-level circuits can be visualized as shown in the figure, where the gate operations are represented by the symbols on the lines and qubits are represented by the lines that go from left to right. Without more information, it is usually assumed that qubits are in the $|0\rangle$ state at the beginning of the quantum circuit. Qubits then evolve through left-to-right sequential processes and are controlled by quantum or classical operations specified in the circuit plot. In order to measure, collect, and store qubit data in classical memory for upcoming analyses, measurements are often carried out at the conclusion of the quantum circuit.
The gate-level circuits are then transpiled, which is a Qiskit term that refers to the operations and transformations that are similar to preprocessing and compilation in classical programs. Transpiling is a multi-step process that involves breaking down non-native quantum gates into groups of native gates, grouping and removing quantum gates to reduce the number of gates, mapping the logic qubits in the original circuits to the physical qubits on the specified quantum computers, routing the circuit under constrained topologies, potentially optimizing circuits to lower error, and more. Following transpilation, circuits are altered in accordance with the knowledge of particular hardware and provide the same logical outcomes as the original circuits. All of the circuits up to this point are gate-level circuits, which employ a broader description so that they can be executed on many quantum computers. Figure 5 shows one example quantum circuit, and Figure 6 shows one output circuit after transpilation. All the gates are transformed into native gates, and some operations are added to satisfy the topology of the quantum device.
After transpilation, a lower-level procedure occurs, which is known as the schedule in Qiskit. Microwave pulses, which are the final physical processes needed to regulate and control qubits, are further mapped via scheduling to quantum circuits. Due to scheduling, gate-level circuits are converted into pulse-level circuits. The characteristics that define each microwave pulse, such as amplitude, frequency, and others, were previously covered in Section 2.3. Scheduling generates microwave pulse sequences based on calibrated data for each basis gate on each qubit or qubit pair and quantum device. The data includes wave envelopes, frequencies, amplitudes, durations, and other characteristics of microwave pulses. All the information that quantum computers require to run the circuit is contained in the final data. This data will be used to alter the qubits of quantum computers once the quantum circuit has begun, and the qubits themselves are controlled by the equipment.
Figure 5: A quantum adder circuit with width=4 (4 qubits) followed by measurement.
Using the procedures described above, a set of instructions that may be utilized to carry out the required quantum circuits is created from the original quantum circuits. IBM Quantum offers Qiskit as a tool for users to construct circuits, carry out these actions, and submit quantum circuits to the cloud. The cloud will then carry out the users' circuits and execute them before returning the results to users.

Attack Scenario and Threat Model
The operation of modern cloud-based quantum computers allows remote users to submit jobs to the cloud provider. These jobs are dispatched to specific quantum computers, also known as backends. While classical computer components, such as the job management server, are considered protected from side-channels, the controller electronics of quantum computers have not been thoroughly analyzed for potential side-channels. The focus of this work is on potential power trace attacks that could extract information about users' quantum circuits from the controllers.

Assumptions of Attacker Measurement
We assume the attacker can sample power traces from shots of a circuit, or they can measure a number of shots and it is easy to divide this into individual shots, since all shots perform the same operations. Recall that each quantum program, i.e. quantum circuit, is executed multiple times, and each execution is called a shot.
We assume the attacker knows when the victim circuits will be executed so the attacker can capture the side-channel information. Precise knowledge of the execution time is not needed as long as the attacker can capture the trace of one shot. Since the victim often executes thousands of shots, the attacker has multiple chances to capture at least one trace. Each shot is identical without considering the noise.

Single-Shot Per-Channel Power Side-Channel Measurement.
A stronger attacker is able to collect per-channel power traces (see Figure 7). The attacker knows directly which pulses are applied to which qubit as each channel controls different qubits and different two-qubit pairs. Such attackers can attempt a Circuit Reconstruction attack from per-channel power traces by collecting a single per-channel power trace for each channel.

Single-Shot Total Power Side-Channel Measurement.
A weaker attacker could collect a single total power trace over all channels, but not distinguish the power traces of each channel. Such attackers can attempt a Circuit Reconstruction attack by collecting a single total power trace (see Figure 7). In particular, there is a trend toward multiple AWGs being part of the same physical device. For example, in the QICK [STW+22] framework, FPGAs are used for waveform generation and one FPGA can generate many control pulses. We believe that going forward total power side-channel attacks may be most realistic, as an attacker may not easily get power traces for an individual channel generated by the FPGA, but can easily measure the total power consumption of the FPGA, and thus get the total power trace of all the channels. Nevertheless, we explore both per-channel and total power side-channel attacks to understand their potential threats.

Assumptions of Attacker's Knowledge
We note that in this work the attacker is assumed to know at all times the information about the target quantum computer (number of qubits it contains, the topology and connections of the qubits) and its basis pulse library. This assumption is reasonable if users have the right to fine-grained control of transpilation and scheduling, because this information is needed in both processes. If this information is not provided, users may easily reverse-engineer it, such as by iteratively increasing the number of qubits to check how many qubits are supported, inserting a two-qubit gate in each qubit pair to check qubit connections, and performing experiments such as frequency sweep and Rabi experiment to acquire the information about the basis pulse library [XES23b].
We assume custom gates are not used by users, and all victim circuits are composed only of the basic gates supported by the quantum computer, typically including ID, RZ, SX, X, and CX for IBM Quantum devices. Among the basic gates, we assume the RZ gates are virtual, as is common today. For an attacker who only has access to total power traces, we assume he or she knows the in-channel and cross-channel functions that define how the per-channel and total power traces correspond to the pulse information [XES23b].

Attacker's Objective
The attacker aims to uncover quantum circuit details from captured power traces. With access to the basis pulse library, which specifies the pulses for all native gates on a specific quantum device, and the measured power traces of the user's circuit, the attacker's goal is to reconstruct the user's circuit. This means retrieving all necessary information about the user's circuit to reproduce it. The attacker seeks to learn the transpiled circuit, which is functionally equivalent to the user's input circuit, even if it may differ in terms of quantum gates used.

Impact of Attacks
Intellectual property, such as quantum algorithm design, is what many users seek to protect. For instance, proprietary quantum machine learning algorithms are being developed by startups who do not own quantum computers; they are worried about the leakage of their proprietary information. Furthermore, different from classical computing, data in quantum computing is encoded as parts of circuits, such as oracles or ansatzes. Besides, input data such as initial states can also be provided externally to the execution circuits, but it requires quantum memories and quantum networking, which is not available today. As a result, for example, the circuits used in sensitive fields, such as medical-related algorithms, may encode private information, and it needs to be protected.

The Realism of the Threat Model
Our work focuses on physical side-channel attacks, such as have been widely studied in classical computers. As in the classical setting, we assume physical access, which is a standard assumption in any physical side-channel attack. The practicality of these attacks is on the same level as for classical computer power side-channel attacks where attackers can probe the power supply network or power supply of the target (signal generator in our case). Note that attackers can purchase signal generators from science equipment vendors to study their power consumption profile and fine-tune attacks ahead of time.

Difference from Classical Setting of Power Side-Channel Attacks
The major difference of our research is that in classical computers there are no analog control pulses; in classical settings the instructions to the processing unit are digital data read from digital instruction memory, whereas in quantum computers these are analog pulses sent by the signal generators. Our work and threat model assumes any classical and digital information is already protected, and there is a large body of research on the protection of classical computers from power side-channels. Meanwhile, we focus on analog control pulses and signal generators, which are not well understood from a security perspective so far.

Quantum Device
For a superconducting quantum device, sometimes called a quantum processor, the most important features of the topology are the number of qubits and how they are placed and connected with each other. In addition, each quantum device also has its own native gates. In this paper, for a quantum device $D$, we use $n$ to represent its number of qubits, and $m$ to represent its number of qubit connections. The set of basis gates of $D$ is denoted by $BG$. On most of the current quantum devices on IBM Quantum, the basis gates are: $BG = \{I, RZ, X, SX, CX\}$. (1)

Channel
Channels refer to the part of the hardware to which the pulses are sent to control the qubits. Pulses are applied on one channel for single-qubit gates and several channels for multiple-qubit gates, as described in Section 2.3 on quantum computer controls. The four main categories of channels are drive channels, which send signals to qubits to perform gate operations, control channels, which supplement the drive channel's control over the qubit, measure channels, which send measurement stimulus pulses for readout, and acquire channels, which are used to gather data. Without considering the measurement operations, quantum circuits only trigger drive and control channels. Drive channels typically correspond to qubits, whereas control channels typically correspond to the connections between qubits and are used for two-qubit gates. The architecture of the quantum computer determines how many channels of each type there are.
For a quantum device $D$ we can define a set $C$ to represent the set of channels on $D$. To be more specific, if only considering drive and control channels, $C$ can be represented as: where drive refers to the drive channel and control refers to the control channel of $D$, and $n$ and $m$ are the number of qubits and connections of the device $D$.

Basis Pulse
Every quantum circuit must be translated into a quantum circuit that only includes the target quantum device's basis gates. The group of pulses that follow the scheduling of a basis gate are referred to as its basis pulses. The quantum gate is an abstract notion, and pulse parameters for the same type of gate vary across channels because they are highly reliant on the physical features of the qubits. For instance, the pulse parameters of the X gate on qubit 0 are often different from those of the X gate on qubits other than 0.
Basis gates and their associated pulse waveform are predetermined, thus they typically do not change over different qubits. Thus, to define the basis pulse, the gate type as well as the channels need to be specified. We refer to this information as labels, and define the set of labels for all the basis gates and possible channels to be: where $BG$ is the set of basis gates and $C$ is the set of channels. $L$ represents all basis gates with their channel information, which can uniquely specify a basis pulse. One basis pulse on the channel $c$ can then be defined as: where $c \in l[C]$, $l \in L$ is the label for the basis pulse and $d_l$ refers to the duration of the pulse, in discrete time steps. The values of $p_{l,c}(x)$ represent the amplitude of the basis pulse with label $l$ at the channel $c$ on time step $x$. All the time steps are in the unit of the system's time resolution, which is denoted as dt in Qiskit for IBM Quantum, so the variable $x \in \mathbb{N}$. Since I, RZ, X, and SX are all single-qubit gates, their basis pulses are made up of only one channel. The CNOT gate, in contrast, is a two-qubit gate, so its basis pulse consists of several channels. For most of the quantum devices on IBM Quantum, the duration of single-qubit gates is chosen to be 160 dt, while the duration of two-qubit gates over different channels is typically different and much longer than the single-qubit gates. For example, $d_{c_i,X} = 160$, and $d_{c_j,CX} > 1000$ and is often different with different $c_j$.
Because one basis pulse may include pulses on several channels, such as for the CX gate, for each basis gate, its pulses form a set: (5)

Basis Pulse Library
For all of their quantum devices, IBM Quantum provides the information about basis pulses. We call the collection of basis pulses the basis pulse library. The so-called custom pulse gates, which let users produce their own arbitrary pulses, are another feature supported by IBM Quantum, but are left as future work. Consequently, we assume that there are no custom pulse gates present in the victim circuits. In the end, the basis pulse library can be defined as a set $PL$ which contains all basis pulses.

Pulse-Level Circuit
In Section 2, we mentioned a series of instructions describing how to control the qubits with pulses, making reference to the pulse-level circuit. The circuit's pulse specifications, as well as the start time steps for the instructions, are all contained in the instruction list.
One pulse circuit can be formalized as: where its item $a_{l,t} = 1$ means that there is a basis pulse of label $l \in L$ being applied which starts from the time step $t$, while $a_{l,t} = 0$ means the opposite. As mentioned above, the power traces are discretized in the unit dt, and all the time steps are integers, so $t \in \mathbb{N}$.
According to Equation (7), $A_{PL}$ defines all the pulses and where and when they are applied, and thus defines a pulse-level circuit.

Power Trace
The pulses are generated by classical equipment and thus consume energy. The function of the power value with time is what we refer to as the power trace. The term per-channel power trace refers to the power trace on a single channel, whereas total power trace refers to the function of the summation of power over all channels in a time period. We assume that the ability to monitor power consumption on some or all of the channels exists, and that the measured power trace will be made up of and reliant upon a variety of channels. We refer to the function that creates the total power trace from separate power traces as the summation function or reduction function, since it reduces multidimensional data to one-dimensional data.
To formalize the power traces, the per-channel power trace and total power trace functions are needed. The per-channel function $Power_c[p_l(x)]$, where $c \subseteq C$, specifies how the per-channel power traces are computed. The total power trace function $Total[f_c(x)]$, where $c \subseteq C$, specifies how the total power traces are summed up from all per-channel power traces. In the experiment, we assume that the per-channel power traces are the square of the norm of the amplitude: and the total power traces are directly the summation of per-channel power traces:

Domain-Specific Constraint
In the circuit, we exploit the following constraint (channel constraint): there can only be at most one pulse on each channel at a given time step, which means: i.e., if the first pulse with duration $d_{gate_1,c_1}$ has the component on channel $c_1$ starting from time step $t_1$, and the second pulse with duration $d_{gate_2,c_2}$ has the component on channel $c_2$ starting from time step $t_2$, then these two components cannot be mixed with each other.

Attacker's Goal
For the per-channel single trace attack, the attacker measures $v_c(x), \forall c \in C$, the per-channel power traces of the victim circuit. For the total power single trace attack, the attacker measures $v(x)$, the total power traces of the victim circuit. The goal of the attacker is to reconstruct the victim circuit, i.e., find a circuit $A_{PL}$ that corresponds to the victim circuit. To choose among the many candidate circuits, we select the circuit that minimizes the distance between its power traces and the measured power traces. In addition, the domain-specific constraints discussed in Section 4.7 need to be observed.
For the per-channel single trace attack, the goal is: where $\sum_{c \in C}(d_c)$ is the function to sum up the distances over all channels to get a total distance. This goal is to find the circuit $A_{PL}$ from the set of all circuits $\{A_{PL}\}$ that minimizes the distance between the total power traces of this circuit and the measured per-channel power traces.
For the total power single trace attack, the goal is: i.e., finding the circuit $A_{PL}$ from the set of all circuits $\{A_{PL}\}$ that minimizes the distance between the total power traces of this circuit and the measured total power traces.

Power Side-Channel Attacks
In this section, we present two methods that we have developed for stealing quantum program secrets. The first method is based on per-channel single trace information, where the attacker uses per-channel measurements to perform a brute-force attack with the goal of reconstructing the quantum program. The second attack is more challenging, as it restricts the attacker to using only a single total power trace to reconstruct the quantum program. Brute-force methods are not scalable in this case, as the sample pulses at each time step are mixed up, as formulated in Equation 12. Therefore, we employ Mixed-Integer Linear Programming optimization to find the set of best pulse-level instructions that decompose the quantum program and their corresponding starting time steps.
In Figure 8, the left part shows a victim circuit (which is randomly generated for demonstration purposes) that is transpiled on the 5-qubit IBM Lima machine (Figure 11a). The goal is to recover the circuit from its power trace(s) by finding the set of most suitable pulse-level instructions that make up the circuit with minimum error. The table on the right in Figure 8 shows the starting time step ($dt_{start}$) of each pulse-level instruction. If the attacker obtains this information, they can reconstruct the circuit, as the order of the instructions is enough to compile the same circuit again. The third column shows a complete quantum program in Python that is used to generate the circuit on the left. While the per-channel attacker aims to recover this table from the measured waveform from each drive channel, the total power attacker uses only a single trace of mixed, superimposed amplitude samples, because the attacker does not have access to the individual drive channels.
Figure 8: A randomly generated circuit on the left is transpiled on a 5-qubit IBM Lima machine (Figure 11a). The table on the right shows the starting index of each pulse-level instruction. We aim to recover this table from the measured waveform from each drive channel for the per-channel attacker, or from the total power trace for the total-power side-channel attacker.

Single-shot Per-Channel Power Side-Channel Attack
The process of reconstructing a quantum circuit in the per-channel single trace attack involves measuring the output of each qubit channel and obtaining the waveform of the pulse sequence from each channel. These waveforms are then compared with a set of pulse sequences that include the instructions SX, X, and CX, which are obtained from the pulse library of the quantum computer and are unique to each qubit channel. These pulse sequences can be thought of as profiles in classical side-channel analysis, and the most likely instruction profile needs to be identified. To do that, we compare the measured waveform with each candidate profile and calculate the distance between them. However, measurement errors due to noise or miscalibration of the measuring device can affect the accuracy of the results. Therefore, it is important to have a reliable means of quantifying the similarity between the measured and candidate waveforms. In Equation 11, the objective function is defined as the minimum distance between the measured waveform and the candidate pulse sequences. The distance function $d$ can be naturally defined as the Euclidean distance between two power traces: where $v_i(x)$ and $Total_{A_P}(x)_i$ are the $i$-th elements of $v(x)$ and $Total_{A_P}(x)$ respectively.
However, we evaluated various distances and metrics on randomly generated circuits, including Euclidean distance, and found that the Jensen-Shannon distance is the most suitable one for quantifying the candidate instructions against the measurements. This distance metric is commonly used to measure the dissimilarity between probability distributions and is well-suited for the task of comparing the probability distributions of pulse sequences. It has been applied to genome comparison [SJWK09, IHS10], in protein surface comparison [OR03], in machine learning [GPAM+20] and particularly in the analysis of the similarity between two quantum states [OBL22]. To compute the Jensen-Shannon distance, we first convert the trace and pulse data of a candidate instruction to two probability vectors $P$ and $Q$ by normalizing the amplitudes to turn them into discrete probability distributions. We then calculate the distance between the two probability vectors by computing the Jensen-Shannon distance (metric) between two probability arrays. This is the square root of the Jensen-Shannon divergence ($\sqrt{JSD}$) [ES03]. Jensen-Shannon divergence (JSD) is a symmetric, smooth, and bounded measure of dissimilarity between probability distributions that is a well-behaved version of the Kullback-Leibler divergence (KLD) $D_{KL}(P \parallel Q)$. It is widely used in information theory and statistics to measure the distinguishability between probability distributions. Let $M$ be $\frac{1}{2}(P + Q)$, then the Jensen-Shannon divergence is defined as: For discrete probability distributions $P$ and $Q$ defined on the same sample space, $\mathcal{X}$, the relative entropy from $Q$ to $P$ is defined [Mac03] to be: Over two probability vectors $x$ and $y$, we compute relative entropy, $D_{KL}(P \parallel Q)$, as an elementwise operation as follows:
In per-channel single trace attacks, we use the Kullback-Leibler divergence (KLD) and the Jensen-Shannon divergence (JSD) and its distance ($\sqrt{JSD}$) to distinguish two probability distributions. Therefore, here we provide a brief introduction to divergences, distances and metrics. For more details, we refer the reader to [DDDD09, HIK+14]. A metric $d$ on a set $\chi$ is a function $d : \chi \times \chi \to \mathbb{R}_{\geq 0}$ such that for any $x, y, z \in \chi$ the following properties are satisfied: $\chi$ represents the set of probability distributions and $x$ or $y$ represent an entire probability distribution such as $P = \{p_1, p_2, \ldots, p_n\}$ where $p_i \geq 0$ and $\forall i, \sum_{i=1}^{n} p_i = 1$. Often, if a distance measure $d$ only satisfies the property non-negativity, it is called a divergence. If, in addition, $d$ satisfies the properties identity of indiscernibles, and symmetry, it is called a distance. Thus, KLD is a divergence, JSD is a distance, and $\sqrt{JSD}$ is a metric [OBL22].
Figure 8 is a randomly generated circuit using SX, X, and CX gates. It is transpiled without optimization over the IBM Lima machine in order to keep the layout of the circuit intact for the sake of the presentation. After transpilation, $q_0$ maps to Drive Channel 0 and $q_1$ maps to Drive Channel 1. The measurement is performed on $q_0$ and $q_1$.
In Table 1, we also show the results of other distances/metrics for comparison and how they perform on the same data. We can see that the Jensen-Shannon distance is the most suitable one for our task. For instance, it is the only one that can distinguish between the three candidate instructions at 320 dt. The other metrics (RMSE and $d_2$) are not able to distinguish between the two candidate instructions shown with † and ‡ in the first two rows at 320 dt. However, $\sqrt{JSD}$ is able to distinguish them. Based on low $\sqrt{JSD}$, the SX gate also looks like a good candidate, but we don't select it since, as discussed in Figure 9, its first waveform on the drive channel $d_1$ of CX is always exactly the same pulse as in SX. Therefore, in these cases, CX gates always have the priority in selection. At 160 dt, SX is chosen since its $\sqrt{JSD}$ is considerably smaller than that of the other two candidates (0.000000003). At 4448 dt, no instruction is selected since SX and X have very high $\sqrt{JSD}$ values. We evaluated this metric over the real quantum circuits shown in Table 2 and recovered the correct instruction in all cases under different additive Gaussian noise levels $N(x, \sigma)$, where $x$ is the sample amplitude obtained from the power trace and $\sigma$ is the standard deviation, which varies from 0 (no noise) to 0.1.
Table 1: Different distance measures for each candidate pulse-level instruction against the measured waveform whose error rate is 0.1% while running the circuit in Figure 8 on Drive Channel(1) on IBM Lima machine (Figure 11a). Total duration of the circuit is 4608 dt. RMSE: Root Mean Squared Error, $d_2$: Euclidean distance, $\sqrt{JSD}$: Jensen-Shannon Divergence distance. For starting indices 160, 320, and 4448 dt, all instructions that can be fit in the time window are considered. While at 160 dt and 320 dt, SX, X and all CX instructions are considered, at 448 dt, only SX and X are considered. shows the chosen instruction at a $dt_{start}$ whereas • indicates a candidate that is considered but not selected. At dt = 4448, SX instruction is not selected due to high $\sqrt{JSD}$.
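The distance computation described in this section, as an added Python example (not the paper's code): it normalizes waveforms to probability vectors and computes the Kullback-Leibler divergence, the Jensen-Shannon divergence and its square root, next to RMSE and Euclidean distance. The waveform shapes, the perturbation, the normalization by absolute amplitude, the natural logarithm and all function names are assumptions made for the illustration.

```python
import math


def to_distribution(samples):
    """Turn a waveform into a discrete probability vector.

    Assumption: normalize by absolute amplitude; the page only says that
    the amplitudes are normalized.
    """
    mags = [abs(s) for s in samples]
    total = sum(mags)
    if total == 0:
        raise ValueError("an all-zero waveform cannot be normalized")
    return [m / total for m in mags]


def kl_divergence(p, q):
    """Relative entropy D_KL(P || Q) = sum_i p_i * ln(p_i / q_i)."""
    total = 0.0
    for pi, qi in zip(p, q):
        if pi == 0:
            continue            # convention: 0 * ln(0 / q) = 0
        if qi == 0:
            return math.inf     # P puts mass where Q has none
        total += pi * math.log(pi / qi)
    return total


def js_distance(a, b):
    """sqrt(JSD), with JSD = (D_KL(P||M) + D_KL(Q||M)) / 2 and M = (P + Q) / 2."""
    if len(a) != len(b):
        raise ValueError("waveforms must have the same number of samples")
    p, q = to_distribution(a), to_distribution(b)
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    jsd = 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)
    return math.sqrt(max(jsd, 0.0))  # clamp tiny negative rounding error


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def rmse(a, b):
    return euclidean(a, b) / math.sqrt(len(a))


def gaussian(n, sigma, amp):
    mid = (n - 1) / 2
    return [amp * math.exp(-((i - mid) ** 2) / (2 * sigma ** 2)) for i in range(n)]


def flat_top(n, rise, amp):
    """Plateau with linear ramps of `rise` samples on both sides."""
    return [amp * min(1.0, (i + 1) / rise, (n - i) / rise) for i in range(n)]


# Constructed candidate profiles (not IBM's calibrated pulses).
N = 32
PROFILES = {
    "SX": gaussian(N, sigma=4.0, amp=0.5),
    "X": gaussian(N, sigma=6.0, amp=1.0),
    "CX": flat_top(N, rise=6, amp=0.3),
}


def constructed_measurement(profile, scale=0.01):
    """Profile plus a fixed, constructed perturbation in [-scale, +scale]."""
    return [s + scale * (((7 * i) % 5) - 2) / 2 for i, s in enumerate(profile)]


def rank_candidates(window, profiles):
    """Rows of (sqrt(JSD), RMSE, Euclidean, label), best match first."""
    return sorted((js_distance(window, prof), rmse(window, prof),
                   euclidean(window, prof), label)
                  for label, prof in profiles.items())


if __name__ == "__main__":
    for row in rank_candidates(constructed_measurement(PROFILES["X"]), PROFILES):
        print("%-3s sqrtJSD=%.6f RMSE=%.6f d2=%.6f" % (row[3], row[0], row[1], row[2]))
```

With this normalization, a waveform and a scaled copy of it have Jensen-Shannon distance 0, so the metric compares pulse shape only, while RMSE and Euclidean distance also react to amplitude.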

Single-shot Total Power Side-Channel Attack
During the development and testing of the single-shot total power side-channel attack, we leveraged SMT (Satisfiability Modulo Theories) solvers and the theory of Linear Mixed Integer Real Arithmetic (LIRA). This allowed us to effectively combine the capabilities of SMT solvers with the expressive power of LIRA to analyze and verify the attack's behavior and to check the correctness of the attack's results obtained from the optimization solver.
To implement the attack, we ultimately encoded the problem using MILP (Mixed Integer Linear Programming) solvers due to their efficiency in handling large-scale optimization problems. However, we encountered a challenge in bridging the expressiveness gap between LIRA and MILP, which is discussed in detail in the following sections. We used various encoding tricks to convert LIRA constraints to MILP constraints, as well as encoding of logical conditions, pseudo-boolean constraints, and disjunctive constraints. These efforts allowed us to successfully apply MILP solvers to our attack and achieve accurate and reliable results.

Linear Mixed Integer Real Arithmetic (LIRA)
In this section, we provide a brief introduction to SMT solvers and LIRA, and we discuss the disadvantages of using LIRA in the context of our attack. LIRA is a theory of linear arithmetic with real and integer variables. Modern SMT solvers such as Z3 [DMB08], CVC5 [BBB+22], and MathSAT5 [CGSS13] support LIRA constraints and are equipped with decision procedures for arbitrary boolean combinations (e.g. disjunction and conjunction) of linear constraints.
LIRA considers the reals and integers as domains for the types of identifiers and constants. For the former domain the problem is polynomial, and for the latter the problem is NP-complete [KS16]. As an example, the following is a formula in linear arithmetic:

Mixed Integer Linear Programming (MILP)
LIRA is a potent formalism that combines linear equalities or inequalities with arbitrary boolean connectors, and allows for mixing integer and real variables. This makes it highly convenient for modeling complex reconstruction problems. However, current SMT solvers lack support for optimization problems, as will be elaborated on in Section 5.2.3. In our formalization of the total power single trace attack, we utilize both integer and real variables, and encode the optimization model as a Mixed Integer Linear Programming (MILP) problem to address this limitation.
In this section, we briefly introduce MILP. A mathematical optimization problem, or just optimization problem, has the form Here the vector $x = (x_1, \ldots, x_n)$ is the optimization variable of the problem, the function $f_0 : \mathbb{R}^n \to \mathbb{R}$ is the objective function, the functions $f_1, \ldots, f_m : \mathbb{R}^n \to \mathbb{R}$, $i = 1, \ldots, m$, are the (inequality) constraint functions, and the constants $b_1, \ldots, b_m$ are the limits, or bounds, for the constraints. A vector $x$ is called optimal, or a solution of the problem, if it has the smallest objective value among all vectors that satisfy the constraints: for any $z$ The optimization problem in Equation (17) is called a Linear Program (LP) if the objective and constraint functions $f_1, \ldots, f_m$ are linear, i.e., satisfy for all $x, y \in \mathbb{R}^n$ and all $\alpha, \beta \in \mathbb{R}$. If the optimization problem is not linear, it is called a nonlinear program. Integer Linear Programming (ILP) is an extension of Linear Programming (LP) which allows for variables to take on only integer values, rather than continuous values. This makes ILP useful for solving problems in which the decision variables must be integers, such as scheduling, resource allocation, and network design. ILP is particularly useful for linearizing nonlinear programs, which can be difficult or impossible to solve directly. By introducing additional variables and constraints, nonlinear programs can be transformed into a linear form, making them amenable to solution by LP techniques.
Mixed Integer Linear Programming (MILP) is a more general form of ILP, where some variables are restricted to be integers while others can be continuous. The result is a model that can represent a wider range of real-world optimization problems, making it a powerful technique for solving complex optimization problems. In Mixed Integer Normal Form, every atomic formula is of the form: $a_1 x_1 + a_2 x_2 + \ldots + a_n x_n \bowtie c$ where $\bowtie \in \{=, \leq, \geq\}$ and $x_i$ can be integer or continuous.
ILP and MILP are widely used in many areas such as operations research, computer science, engineering and management science. They are implemented in various commercial optimization software such as CPLEX [Cor23], Gurobi [GO23], and Xpress [FIC23].
In addition to these use cases, we apply Mixed Integer Linear Programming (MILP) to the reconstruction of quantum circuits from their power traces. The objective is to reconstruct the original quantum circuit as accurately and correctly as possible from power traces obtained by an attacker. The optimization aims to minimize the discrepancy between the total power consumption of the candidate quantum circuits within the search space and the power trace of the original quantum circuit. This optimization challenge is framed as a MILP problem. The MILP formulation allows for the inclusion of both continuous and integer decision variables (e.g., a binary decision variable to determine whether a CX gate exists on drive channels 0 and 1), making it a suitable tool for this problem, which involves both continuous and discrete variables.
Our solution to the MILP problem is obtained by using a commercial solver, Gurobi [GO23], with a free academic license. It is known for its high performance and ability to handle large-scale MILP problems. However, the resulting encoding can be serialized as an .lp file in MILP normal form and can be solved by any MILP solver such as the open-source PuLP [MOD11].

From LIRA to MILP
To effectively solve the problem using MILP solvers, we needed to convert the Linear Mixed Integer Real Arithmetic (LIRA) constraints into the MILP form. It is worth noting that while SMT solvers can solve the decision variant of the MILP problem, their performance may not be as competitive as dedicated MILP solvers. To illustrate this, we conducted an experiment using the 4-bit adder example from Figure 6. After an hour of computation, the Z3 SMT solver was still unable to find a satisfiable solution, whereas the same problem was solved in less than 10 seconds using the Gurobi MILP solver. Although there have been efforts to extend SMT solvers to improve their efficiency in solving both decision and optimization variants of the MILP problem [DGN21, KBT14], their performance is still relatively limited. There are also Optimization Modulo Theory (OMT) solvers, such as Z3Opt [BPF15] and OptiMathSat [CGSS13], but these are specialized for finite domains like bitvector theory and are not suitable for our problem, because encoding continuous variables in a fixed-point representation would lead to significant numeric errors when solving a real-valued optimization function. In a recent work on classical power side-channel attacks, these solvers were used to detect vulnerabilities in post-quantum cryptographic primitives [EPMS23]. However, their performance was also found to be suboptimal, leading the authors to resort to sampling-based methods for vulnerability identification using bitvector theory in SMT solvers.
The main idea behind MILP solvers is to relax the integer constraints, i.e., to treat integer variables as continuous variables initially, and to solve the corresponding linear programming (LP) problem. When the integer constraints are relaxed and integer variables are treated as continuous variables, the solver may encounter rounding errors, precision limitations, or approximation errors in the calculations involving the continuous relaxation of the integer variables. These numerical errors can potentially affect the accuracy and precision of the solution obtained by the solver. Therefore, over the course of the development of our method, we checked that the optimum configurations returned by the MILP solver are satisfiable by encoding them as decision problems over micro benchmarks (random circuits with a small number of gates) and verifying the satisfiability of the solution using the SMT solver.
In order to encode LIRA constraints into the MILP normal form, and thereby perform the side-channel attack, we employed various linearization techniques. These techniques involve introducing additional binary variables and bounding them with so-called Big-M [Bal79, CG12] values to convexify non-convex problems that exhibit suitable patterns [CF21]. Overall, we used several linearization techniques from the operations research field. In the following sections, we describe these techniques in detail.

Linearization of Absolute Valued Objective Function
In order to optimize Equation (12) for a total power single trace attack, we chose to utilize a distance function that can be linearized. This is one of the most crucial technical insights of our work, paving the way for a complete reconstruction from a single-shot power trace. For this purpose, we selected the Sum of Absolute Differences (SAD) as our distance function.
The abs function is not linear, so this metric cannot be used directly in the optimization problem, but it can be linearized [SW71, LP23]. An absolute value of a real number can be described as its distance away from zero, or the non-negative magnitude of the number. Thus, $|x| = -x$ if $x < 0$, and $|x| = x$ if $x \geq 0$. In our formulation, the coefficient signs of the absolute terms are all positive for our minimization problem. Aiming to bound the solution space for the absolute value term with a new variable, $Z$, an equivalent feasible solution can be described by splitting the constraint into two. If $|X|$ is the absolute value term in our objective function, two additional constraints are added to the linear program: $X \leq Z \wedge -X \leq Z$. The $|X|$ term in the objective function is then replaced by $Z$, relaxing the original function into a collection of linear constraints.

Linearization of Logical Conditions over Binary variables
In MILP lingo, binary variables are decision variables that must take either the value 0 or the value 1, sometimes called 0/1 variables. The logical conditions on binary variables and equality relations among binary variables can be converted to binary variables. For instance, we can derive

Encoding Pseudoboolean constraints
A pseudo-Boolean constraint is an axiom of the form $\sum_i w_i x_i \geq k$, where each $w_i$ and $k$ is a positive integer and each of the $x_i$ is required to have value 0 or 1. In our encoding, we require all weights $w_i$ to be 1, so at least $k$ of $x_1, x_2, \cdots, x_n$ are 1, and at most $k$ of $x_1, x_2, \cdots, x_n$ are 1, and the sum of $x_1, x_2, \cdots, x_n$ is $k$, are all pseudo-Boolean constraints and can be encoded in MILP form as $x_1 + x_2 + \cdots + x_i \bowtie k$ where $\bowtie \in \{\leq, \geq, =\}$ respectively.

Linearization of Disjunctive Constraints
In order to encode the domain specific constraints given in Equation (10), we need to linearize the disjunctive constraints.
The condition that at least one of the constraints must hold cannot be formulated in a linear programming model, because in a linear program all constraints must hold (conjunction of constraints). In order to handle a disjunction, the constraints have to be converted into MILP constraints. There are two common methods for disjunction: the Big-M Reformulation and the Convex-Hull Reformulation [Bal79, CG12]. Here we will only discuss the Big-M Reformulation. Consider the following disjunctive constraint, where $a^k_i$ and $b_k$ are constants, and $x_i$ are variables: For the Big-M reformulation, a sufficiently large number, $M$, is used to nullify one set of constraints. This is accomplished by adding or subtracting the term $M_k \cdot (1 - y_k)$ to the upper bound and lower bound constraints, respectively. The bounds are chosen such that they are as tight as possible, while still guaranteeing that the left-hand side of the constraint is always smaller We are able to statically over-approximate the $M$ values in our problem since the decision variables $x_i$ are binary variables that can take a maximum value of 1; therefore, for each constraint we sum up all the coefficients of the left-hand side of the inequalities, e.g., for the first constraint: $M_1 > \sum_i a^j_i$. To make the binary variables $y_j$ mutually exclusive, the sum of the variables can be set to 1.

Figure 10: MILP encoding method over pulse information.

Encoding Decision Variables, Channel Constraints and Objective Function
Here we explain an important part of our MILP encoding over an example victim trace sketched in Figure 10. The duration of the trace is 5 dt. The victim runs their circuit on a hypothetical 2-qubit quantum device, $D$, having only two basis gates $BG_D = \{X, SX\}$ (see Equation (1)) and two channels $C_D = \{C_1: drive_0, C_2: drive_1\}$ (see Equation (2)). We simplify the notion of label here since X and SX gates have only one label and waveform: X gate on $C_1$, SX gate on $C_1$, and X gate on $C_2$ are named $X_1$, $SX_1$, and $X_2$ respectively. The associated pulse waveform for gate $SX_1$ is Gaussian, parameterized by $d_{SX_1} = 4$, and therefore we have 4 sampling points: $p_{SX,C_1}(x)$ where $x \in [0, 3]$ (see $p_{l,t}$ in Equation (5)). Gate $X_1$ and gate $X_2$ can be similarly defined and we sketched their waveforms in the figure. Binary decision variables encircled by blue rounded rectangles in the figure indicate all cases where a candidate gate is applied on the channel. For example, at time step $dt_0$, a candidate, gate $X_1$, is applied on channel $C_1$; its pulse contributes to $dt_1$ and $dt_2$ since its pulse waveform has a duration of $d_{X_1} = 3$. The other possible cases where the gate can start are $dt_1$, $dt_2$, and $dt_3$. However, its pulse cannot start at $dt_4$ and $dt_5$ since the pulse waveform has a duration of $d_{X_1} = 3$ and the trace has a duration of 5 dt. We create one binary decision variable to represent each possible case where the gate can start ($a_0$, $a_1$, $a_2$, and $a_3$) (see $a_{l,t}$ in Equation (7)). Its pulse can either start at $dt_0$, $dt_1$, $dt_2$, or $dt_3$ or not at all. Therefore, we can encode the binary decision variables as follows: $a_0 + a_1 + a_2 + a_3 \leq 1$. If we follow a similar approach for the other gates, we will have 12 binary decision variables and they are encoded as follows: Some decision variables at time step dt = 4 are encircled by black rounded rectangles. They capture the channel constraints on $C_1$ and $C_2$ (see Equation (10)), i.e., there can only be at most one pulse on each channel at a given time step. This can simply be encoded as follows: The objective function is encoded in such a way that it minimizes the error between the victim's power sample $v(i)$ and the power trace of the pulse waveforms $p_{X,C_2}(1)$, $p_{SX,C_1}(3)$, and $p_{X,C_1}(2)$ at time step $i$: The linearization of this type of objective function is explained in Section 5.2.4. The following formula states that the power trace of candidate pulses should be equal to the victim's power trace at time step dt = 5 with an error of 5 and some tolerance:
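The encoding steps above (start-time decision variables, the at-most-one and channel constraints, and the absolute-value objective from the linearization section) on a small case, as an added Python example that is not the paper's Gurobi model: it enumerates the feasible 0/1 assignments instead of calling a MILP solver. The 8-sample trace, the integer waveform values and the function names are constructed assumptions; only the labels $X_1$, $SX_1$, $X_2$ and the durations 3 and 4 follow the text.

```python
from itertools import product

# Constructed integer waveforms (arbitrary power units) for a hypothetical
# two-channel device; labels follow the X1 / SX1 / X2 naming of the text.
PULSES = {
    "X1": ("C1", [5, 10, 5]),     # X on channel C1, duration 3
    "SX1": ("C1", [2, 5, 5, 2]),  # SX on channel C1, duration 4
    "X2": ("C2", [4, 8, 4]),      # X on channel C2, duration 3
}


def decision_variables(n):
    """One binary variable a[l, t] per label l and start step t that fits in n samples."""
    return [(label, t)
            for label, (_, wave) in PULSES.items()
            for t in range(n - len(wave) + 1)]


def total_power(a, n):
    """Total trace implied by assignment a: sum of a[l, t] * p_l(i - t)."""
    trace = [0] * n
    for (label, t), bit in a.items():
        for x, amp in enumerate(PULSES[label][1]):
            trace[t + x] += bit * amp
    return trace


def satisfies_constraints(a, n):
    """Check the linear constraints of the encoding on a 0/1 assignment."""
    # Each gate starts at most once: sum_t a[l, t] <= 1.
    for label in PULSES:
        if sum(bit for (l, _), bit in a.items() if l == label) > 1:
            return False
    # Channel constraint: at every time step i, the variables whose pulse
    # covers step i on a given channel sum to at most 1.
    for channel in {ch for ch, _ in PULSES.values()}:
        for i in range(n):
            covering = sum(bit for (l, t), bit in a.items()
                           if PULSES[l][0] == channel
                           and t <= i < t + len(PULSES[l][1]))
            if covering > 1:
                return False
    return True


def sad_objective(a, v):
    """Sum of Z_i, where Z_i is the smallest value with X_i <= Z_i and -X_i <= Z_i."""
    synth = total_power(a, len(v))
    return sum(max(vi - si, si - vi) for vi, si in zip(v, synth))


def rank_circuits(v):
    """Enumerate feasible assignments and sort them by the linearized objective."""
    n = len(v)
    variables = decision_variables(n)
    # Per gate: not applied (None) or applied at exactly one start step.
    options = [[None] + [var for var in variables if var[0] == label]
               for label in PULSES]
    ranked = []
    for choice in product(*options):
        a = {var: int(var in choice) for var in variables}
        if satisfies_constraints(a, n):
            gates = sorted(var for var, bit in a.items() if bit)
            ranked.append((sad_objective(a, v), gates))
    return sorted(ranked)


# Constructed noiseless trace: SX1 at step 0, X2 at step 2, X1 at step 4.
TRUTH = [("SX1", 0), ("X1", 4), ("X2", 2)]
VICTIM = total_power({var: int(var in TRUTH) for var in decision_variables(8)}, 8)

if __name__ == "__main__":
    for error, gates in rank_circuits(VICTIM)[:3]:
        print(error, gates)
```

The gap between the first and second entries of the ranking shows how much measurement error the fit tolerates before another feasible circuit explains the trace equally well.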

Evaluation Setup
The information about the quantum computer pulses is taken from real quantum computers from IBM Quantum's basic pulse information. For example, we use the 7-qubit H-shape superconducting quantum computer ibm_lagos (its coupling map is shown in Figure 11b) for transpilation and scheduling for all benchmarks. ibm_lagos is the largest computer we have access to; due to the limited number of qubits of even this computer, we chose all algorithms whose number of qubits is less than or equal to 7. Since pulse parameters for the same type of gate on different machines vary (see Section 4.3) due to device topology, for quantum circuit benchmarks up to 5 qubits, we performed additional evaluation on the 5-qubit T-shape ibm_lima and L-shape ibm_manilla machines (their coupling maps are shown in Figure 11a and Figure 11c respectively).
For the quantum circuits tested, we use well-known benchmarks, listed in Table 2. In particular, we used QASMBench Benchmark Suite version 1.42 [LSKA22] for NISQ evaluation. QASMBench is a low-level benchmark suite based on the OpenQASM assembly-level intermediate representation (IR) [CBSG17]. It collects commonly used quantum algorithms and routines (e.g., the adder circuit in Figure 5) from a variety of distinct domains, including quantum chemistry, simulation, linear algebra, searching, optimization, arithmetic, machine learning, fault tolerance, cryptography, and so on. The benchmark suite covers a wide range of quantum circuits with varying circuit depth and width (i.e., number of qubits).
We removed the benchmarks "ipea" (iterative phase estimation algorithm) and "shor" (Shor's algorithm) from the evaluation because they have Reset and middle measurement that cannot be scheduled on ibm_lagos due to the lack of basis pulses. Unless otherwise specified, we used seed_transpiler = 0 to control the randomness and other default parameters for transpilation. We ran the experiments (power side channel attack using MILP encoding) on an Apple M1 Pro machine with 32 GB of RAM. The Gurobi solver used up to 10 cores.

Evaluation Results
The results of our evaluation on benchmark quantum circuits provide compelling evidence of the high accuracy and effectiveness of our techniques in reconstructing quantum circuits. Table 3 shows that we are able to recover all the X, SX, and CX gates from all the benchmarks tested. It is important to note that while our techniques demonstrate high accuracy in reconstructing quantum circuits from power traces, the resulting circuits may not be an exact replica of the original circuit, but rather a semantically equal circuit. This is analogous to classical compiler optimizations where reverse engineering from binary code to the original C code may not yield an exact reconstruction. Furthermore, our evaluation on benchmark quantum circuits serves as a strong validation of our methods for handling mixed discrete and continuous variables, as well as overcoming challenges associated with leakage occurring over different qubit and control channels. As evident from Table 4, our evaluation shows that the complexity of MILP encoding increases as the number of qubits in our benchmarks increases. This is reflected in the higher number of real and integer variables, as well as the total number of constraints. This is primarily due to the fact that a larger number of qubits in a quantum circuit results in a higher number of gates and operations, which in turn leads to a larger number of variables and constraints in the MILP encoding. Additionally, we found that the duration of the quantum circuit, which represents the length of time over which the power traces are captured, has an impact on the MILP encoding complexity. Specifically, the duration of the quantum circuit affects the length of the real-valued objective constraint in the MILP encoding, as well as the total number of integer variables. These observations highlight the dependence of the MILP encoding complexity on the size of the quantum circuit, including the number of qubits and the duration of the circuit.
Table 4 shows that our total power attack is able to recover small-depth quantum circuits in less than about 10 seconds; for a moderate-size benchmark with 5 and 6 qubits, it takes at most 50 seconds. For larger benchmarks such as hhl, it takes about 10 minutes. The results of the evaluation on benchmark quantum circuits demonstrate the high accuracy and effectiveness of our techniques in reconstructing quantum circuits, although it should be noted that we used noiseless traces for the evaluation of the total power attack. However, the optimization method employed in our approach is known to be robust to noise since we are searching for the best configuration that minimizes the error, which presents an interesting avenue for future work to investigate the impact of noise in power traces on the accuracy of our technique.

Discussion and Future Work
In this section, we discuss future research directions and the main problems that this work leaves open. We also discuss the portability of the general approach to other quantum computer architectures.

Scalability of the Attack for Future Quantum Computers
During our experimentation phase, we were constrained by the availability of quantum machines with a maximum of 7 qubits. We expect, however, that with a refined trace cutting strategy, it is feasible to handle much larger quantum circuits encompassing more qubits. In parallel, there is active research on circuit cutting where larger circuits are decomposed into smaller circuits, and our approach naturally can be used against the smaller circuits used in circuit cutting.

Challenges in Current Threat Model
Our current threat model makes certain assumptions, such as the negligible power consumption or timing differences in the AWG or FPGA during the computation of the virtual RZ gate. If RZ gates or their angles can be discerned from the power traces, it could empower even stronger attackers. Additionally, the unique features of different quantum circuits, like the relative locations and operating qubits of CX gates, could be exploited to identify RZ gates. Developing heuristics to aid attackers in this endeavor is left as an area for future exploration.

Potentials in Future Threat Model
The current landscape does not provide power-related data of control equipment through cloud providers. However, if such data becomes accessible in the future, it could open the door to remote attacks. These attacks could leverage our analysis and pulse recovery techniques without necessitating physical access. Furthermore, other side channels, such as EM or acoustic, might be exploitable from a distance, eliminating the need for direct physical contact.
Our research into power side-channel attacks on quantum computer controllers aims to shed light on potential vulnerabilities that could compromise intellectual property or data security. As quantum computers become more ubiquitous, their susceptibility to physical attacks will likely increase. Drawing from classical security paradigms, we can anticipate a plethora of attack vectors, from EM to optical, especially in quantum computers not based on superconducting qubit technology. Our threat model and explorations serve as a compass, guiding future research in this nascent yet critical domain.

Potential Defenses
High-level ideas of existing side-channel protection techniques can be applied. For example, ideas of randomization could be used to randomly consume power and confuse the attackers. Or the signal generator could operate in constant power mode to consume the same power regardless of the pulses being generated. The specific implementation of these defense ideas would be new, as, e.g., means to randomly consume power in a signal generator have not been studied or implemented before from a security perspective. The novelty of our work is to point out the threats, so that defenses can be developed.
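The two defense ideas above can be compared in a small simulation. This is an added example, not code from the paper: the leakage model (total power as the sum of squared channel amplitudes), the integer pulse envelopes, the ceiling value and all function names are assumptions made for illustration.

```python
import random

# Constructed integer DAC-style envelopes (amplitude per time step); not real device data.
SHORT = [1, 4, 8, 4, 1]   # stand-in for a short single-qubit drive pulse
LONG = [5] * 8            # stand-in for a longer two-qubit pulse

def total_power(length, pulses):
    """Assumed leakage model: p(t) = sum over channels of amplitude(t)^2.
    pulses is a list of (channel, start, envelope)."""
    chans = max(c for c, _, _ in pulses) + 1
    amp = [[0] * length for _ in range(chans)]
    for c, start, env in pulses:
        amp[c][start:start + len(env)] = env
    return [sum(row[t] ** 2 for row in amp) for t in range(length)]

def constant_power(trace, ceiling):
    """Dummy load draws ceiling - p(t); returns (observable trace, extra energy)."""
    if max(trace) > ceiling:
        raise ValueError("ceiling below peak power: the trace would still leak")
    dummy = [ceiling - p for p in trace]
    return [p + d for p, d in zip(trace, dummy)], sum(dummy)

def random_power(trace, max_extra, rng):
    """Dummy load draws a random amount each step; returns the observable trace."""
    return [p + rng.randint(0, max_extra) for p in trace]

def residual_leak(observed, secret):
    """|Pearson correlation| between the measured trace and the pulse-dependent power.
    A flat observable has zero variance and is scored 0.0 (nothing to correlate)."""
    n = len(secret)
    mo, ms = sum(observed) / n, sum(secret) / n
    cov = sum((o - mo) * (s - ms) for o, s in zip(observed, secret))
    vo = sum((o - mo) ** 2 for o in observed)
    vs = sum((s - ms) ** 2 for s in secret)
    return 0.0 if vo == 0 or vs == 0 else abs(cov) / (vo * vs) ** 0.5

# Two constructed schedules that use the same pulses on different channels and times.
CIRCUIT_A = total_power(16, [(0, 0, SHORT), (1, 6, LONG)])
CIRCUIT_B = total_power(16, [(1, 0, SHORT), (0, 3, LONG)])

if __name__ == "__main__":
    rng = random.Random(0)
    flat_a, cost = constant_power(CIRCUIT_A, ceiling=128)
    print("unprotected:", residual_leak(CIRCUIT_A, CIRCUIT_A))
    print("constant   :", residual_leak(flat_a, CIRCUIT_A), "extra energy:", cost)
    print("randomized :", residual_leak(random_power(CIRCUIT_A, 64, rng), CIRCUIT_A))
```

In this model the constant-power variant makes the two schedules produce identical observable traces at a fixed energy cost, while the randomized variant only lowers the correlation between the measurement and the pulse-dependent power.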

Related Work
Algebraic cryptanalysis in classical computers involves solving a system of (non-linear) equations over a finite field to recover the secret key of a cryptographic primitive, using inputs and outputs along with known plaintext/ciphertext pairs. One approach is to translate the system of equations into an equivalent satisfiability (SAT) problem instance, which can be solved using a SAT solver such as CryptoMiniSat [Soo16]. However, the resulting algebraic system and its equivalent SAT problem may not contain enough information for efficient solving of most cryptographic primitives. Additional information, such as side-channel information related to the key, plaintext, or ciphertext, can be used to aid in solving the system, such as physical leakage of intermediate states during encryption or key scheduling. Algebraic side-channel attacks are a type of side-channel analysis which can recover the secret information with a small number of samples [RS10, MBZ+12]. SMT and optimizing pseudo-boolean solvers and other constraint solving techniques are also used in algebraic attacks in classical computers [KDB+22, OW12, SHS+14]. However, in our work, we demonstrated that MILP solvers are considerably faster than SMT solvers for solving systems of linear equations with errors.
In a recent study, Baksi et al. [BKS21] presented an automated analysis of side-channel leakage from software and hardware for stream ciphers using SMT solvers. However, the authors encountered a challenge in using MILP solvers, as their attack required arithmetic operations in addition to Boolean operations. In our research against superconducting quantum computers, we faced a similar challenge and investigated various encoding techniques to overcome this limitation.
Our algebraic side-channel attack against superconducting quantum computers distinguishes itself from previous attacks in several key ways. First, our attack targets the quantum programs themselves, rather than the classical cryptographic primitives. This introduces unique challenges as the leakage occurs over different channels, akin to parallel computation in classical computers. The signals involved are of mixed (total) amplitudes across all channels; any two amplitudes at any time step might be distributed across any two channels based on the coupling map of the quantum hardware when CNOT gates are used in the circuit. Consequently, formalizing the problem and encoding it into a solvable form requires careful consideration of the qubit and control channels involved, making it a non-trivial task. Second, our attack is specifically designed to handle real-valued mixed amplitudes, further adding to the complexity of the problem.
For superconducting quantum computers, [ASAG20] shows that the crosstalk errors could be used in fault injection attacks with malicious circuits, and [DXT+23] detects such circuits in quantum programs by expressing both input circuits and malicious circuits as graphs and formulating their detection as a sub-graph isomorphism finding problem.
Xu et al. [XES23b, XES23a] have proposed a set of physical attacks on quantum computers. However, unlike our work, they have not provided a formalization of total and per-channel power side-channel attacks, which left open the question of reverse engineering quantum circuits from total power traces. Our work focuses on a harder problem: recovering quantum gates from a single total power side-channel trace, where the problem is NP-hard. They, in contrast, attempted to solve a simpler problem: recovering the quantum gates from multiple traces considering a powerful attacker, which can be solved with a polynomial-time method.
Bell and Trügler [BT22] have investigated reconstructing quantum circuits on cloud-based superconducting quantum computers. However, the authors did not perform a power side-channel attack. The attack runs a probing circuit before and after a victim circuit and analyzes changes in error rates to make a guess about the victim circuit. This method is applicable in more challenging remote settings, but its capability is limited to distinguishing between only two pre-defined circuits, which must already be known to the attacker.

Conclusion
As the interest in quantum computing grows rapidly, securing quantum programs becomes increasingly important, necessitating thorough analysis of security threats. This paper has presented a novel threat to quantum programs in the form of power side-channel attacks, showcasing the formalization and demonstration of using power traces to reconstruct quantum circuits. Through the Jensen-Shannon Divergence distance metric and algebraic reconstruction from power traces, two new types of single-trace attacks, per-channel and total power side-channel attacks, have been realized. The evaluation on benchmark quantum programs has shown the high accuracy of our techniques in reconstructing quantum circuits. Our algebraic side-channel attack distinguishes itself from previous attacks on classical computers in its focus on quantum programs, handling of mixed discrete and continuous variables, and challenges associated with information leakage over different qubit and control channels through a total power trace. This work underscores the need for further advancements in mitigating such side-channel vulnerabilities in quantum systems to ensure the security of quantum programs in quantum computing environments. Future research and development efforts should aim to investigate defense techniques in order to enhance the security of quantum programs in quantum computing environments. We also envision further research on the impact of noise on power traces and exploration of strategies to recover RZ gates.

Figure 1: Typical operation of a cloud-based quantum computer. Red arrows highlight potential power trace threats.

Figure 2: Schematic of a typical qubit drive setup. The local oscillator (LO) generates a low phase-noise microwave carrier signal, and then the wave is modulated in the IQ mixer by I and Q components generated by the arbitrary wave generator (AWG). The pulse is then sent to drive the qubits in the quantum computer. The red line shows the process to collect power traces, which can be exploited by attackers to retrieve information.

Figure 4: Example of process for running quantum circuits on superconducting quantum computers in Qiskit.

Figure 7: Attack scenarios based on the attacker's measurement capabilities.

Figure 9: Example pulse schedules of SX: $d_1$ ( ) and CX: $d_0$-$d_1$ (•), whose durations are 160dt and 1376dt respectively. As seen from the figure, the first waveform on the drive channel $d_1$ of CX is exactly the same pulse as in SX.

Figure 11: IBM Quantum computers used in the evaluation. Figure shows the device coupling maps. The color of nodes implies frequency (GHz, darker color means lower frequency) of the qubit. The connection color implies the gate time in nanoseconds for 2-qubit gates such as CX (darker color means shorter time).
Whereas a classical bit can only be either 0 or 1, a qubit can be any linear combination of $|0\rangle$ and $|1\rangle$ with norm 1. With this notation, a qubit $|\psi\rangle$ is typically represented as: $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, where $\alpha$ and $\beta$ are complex numbers satisfying $|\alpha|^2 + |\beta|^2 = 1$. Qubits are frequently represented using vectors. For example, $|0\rangle = [1, 0]^T$ and $|1\rangle = [0, 1]^T$ are two-dimensional vectors that can be used to represent the basis states of a single qubit. The above state $|\psi\rangle$ can therefore be expressed as $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle = [\alpha, \beta]^T$. There are representations that are equivalent for multi-qubit states. For instance, the two-qubit states' space is made up of the four basis states $|00\rangle$, $|01\rangle$, $|10\rangle$, and $|11\rangle$. In the space of n-qubit states, there are $2^n$ basis states that range from $|0 \ldots 0\rangle$ to $|1 \ldots 1\rangle$, and an n-qubit state $|\phi\rangle$ can be expressed as follows: It is theoretically comparable to the bit used in current classical computing. Like a bit, a qubit has two basis states, which are represented by the bra-ket notation as $|0\rangle$ and $|1\rangle$.

Table 3: Number of gates, number of RZ gates, number of X, SX, CX gates, and indication which gates were recovered (labeled Rec.) for each quantum program. The circuits are transpiled with seed_transpiler = 0, optimization_level = 3, and other default arguments on ibm_lagos.