Industry and Academic Views on Quantum Computer Hardware Cybersecurity
The White House and the National Science Foundation recently completed a two-day workshop on the intersection of cybersecurity and quantum computing. This newsletter article discusses author’s insights and take-aways after participating in the workshop. The article is not endorsed by the workshop nor is it an official summary of the workshop. The workshop has been covered, among others, in Politico which summarized the goals of the workshop as to “kick-start an ambitious project on the security of quantum computers themselves.”
Threat Models for a Computing System
Considering quantum computers, or any other computing devices, how they are deployed will give rise to different threat models. A threat model is typically used to describe which security threats, or attacks, a computing system considers (and thus should defend against), but also which other threats or attack that are out-of-scope. Threat models usually also enumerate different abilities an attacker possesses, such as can they have physical access to the system, or are they only able to remotely execute code on the target system. Of course with enough money, resources, and access, almost all security mechanisms can be broken, thus threat models usually put some limits on what is possible to be done by a realistic attacker. Threat models are inherently subjective, but try to make common-sense assumptions. They also are very much tied to the type of a system that is being protected, e.g., a smartphone with little sensitive information vs. military data center with state-secrets that only few people in the world know about will give rise to very different threat models.
Threat models are usually expressed in natural language as part of system specification or as part of a research paper. An extremely simplified example of a threat model for a cloud-based computing system could be that: physical attacks, e.g., power, EM, nor thermal side-channels nor fault injection are considered since the data center is assumed to have strong physical security preventing attackers from entering the data center, but remote software-based attacks are possible where any attacker is able to sign up for the cloud service with a credit card and can run their code on the remote cloud-based system, their code could measure timing of different instructions to leak information about operation of the system or other users running on the system. A very different threat model, however, considering a government-related cloud computing service could assume physical attacks are possible if a malicious insider or disgruntled employee of the data center with physical access to the target machine can attack it. Also, many threat models assume that at some level, the target computing device is manufactured correctly, however, a separate class of threat models consider supply-chain attacks where the hardware (or software) is maliciously modified before it is delivered into the cloud computing data center. The threat models in the end are very tightly coupled to how the target computing devices are deployed, and what sorts of sensitive information they process.
Types of Quantum Computer Deployments and Resulting Threat Models
As quantum computer are, and will be, very specialized machines, there will only be a few types of different deployments in the foreseeable future, and thus a few threat models that make sense. At the workshop, industry and academic participants seemed to focus on two different types of deployments. A smaller group envisioned future where there are only very few machines, solving very specialized problems. This view focused on assumptions that even with future, error corrected quantum computers, the “interesting” applications will require upwards of millions of physical qubits, and will require many hours of execution on the machines for a program to finish. Such machines of course cannot be then easily shared among multiple users, and only few industries or governments will be able to afford them. A larger group of participants, however, seemed to focus on the deployments closer to today’s classical cloud-computing services, where many machines are available from different vendors and users run programs on these quantum computers on pay-per-use basis. This view seems to assume the programs, also called jobs or circuits in common quantum computing terminology, are much shorter in execution. Unresolved in the discussions was whether there will be multi-tenancy, meaning whether different users will be able to run programs on the same hardware at the same time (either through spatial sharing or temporal sharing of the qubits). Perhaps motivated by experiences with classical computers, academics may tend to have more favorable view that there will be multi-tenancy. This would of course give rise to many interesting threat models because different users will be running on the same quantum computer chip at the same time. Industry may be more on the pragmatic side, considering multi-tenancy will have many challenges of how to share the devices, how to schedule users, etc., even without considering security implications of the sharing.
In the future, different deployments may gain interest and become feasible. Most of the discussion focused on single, remote data center where quantum computers are hosted. However, there may be future where there are smaller quantum computers that organizations or governments own, and bigger, remote cloud-based computers. Such settings will give rise to yet different threat models where the local computer may be trusted, but the remote computer may be untrusted.
Envisioned Security Threats to Quantum Computers
Considering first scenario of few, very large quantum computers, presumably with very limited access, there are limited ways that such a machine could be attacked. In this scenario, insider threats and supply-chain threats may be most realistic. Without cloud-based, pay-per-use access, presumably only few, trusted users will be able to run code on these machines. Unless they are malicious insiders, user-level attacks will be limited. On the other hand, if users are assumed trusted, then they may have broad access to the machines, so a malicious insider would have very low-level control of the system. Physical attacks may also be possible with malicious insiders. The other threat are supply chain issues, where the hardware (quantum computer or classical controllers) is compromised before being installed and run. Since today for many parts of the quantum computers there is only one or two vendors, it seems it would be easier to track any malicious modifications, compared to classical computers where there are many more vendors and parts are very cheap. It was opinion of some participants that for most parts of quantum computer, due to their cost and rarity, it is possible to track each critical part and supply chain issues at least for now are not a problem.
For the second scenario of many quantum computers, with cloud-based access, there are many more threats. Here the main threat will be the remote users who are not verified or trusted. They could run any code they wish, possibly coming up with novel quantum computer viruses, or code designed to deny service or damage the equipment. With multi-tenancy, the malicious users could also try to attack other users or leak information from them. Unresolved is the question of how much access will users have. Today’s cloud-based computers are rather small and research focused, giving users broad access, including low-level pulse-level control. This may change in the future.
A threat cross-cutting both scenarios, and one of the main prompts for the workshop was the threat of reverse engineering the quantum computers. Considering the vast amounts of time and money spent developing these machines, it is natural that one should protect them from someone else being able to easily reverse engineer one of the devices, and build one without doing all the research and development. With physical access it may possible to capture the chips, and reverse engineer their structure. Although some have argued that knowing the structure will not be enough to learn how to actually fabricate such structure. Without physical access, remote users would only be able to execute programs and observe their behavior and try to use that to learn the architecture of the computers. For example, frequency sweep circuits could be used to learn the resonant frequencies of the qubits, even if such information is not published. What can exactly be learned about underlying hardware by running various probing programs is an open research question.
Take-aways from the Workshop
One of the main take-aways from the White House and the National Science Foundation workshop is that industry is actively involved in cybersecurity discussions. Even if the industry is not focusing on security solutions themselves, this engagement this early in the life of quantum computers is very promising, and much different from classical computers where security is often after-thought and many hardware-based vulnerabilities have been publicized in the press over last years, from Rowhammer to Spectre and Meltdown. Considering threat models and what attacks to focus defenses on, reverse engineering was the original prompt and remains a challenge. Supply chain issues seem to be less of a problem at least in current state where most parts can be tracked very well due to very small supplier ecosystem. Attacks from users see ones that can be researched the easiest, but it is unclear what level of access future users will have, and which attack assumptions to make. It seems the best approach is to analyze security of the systems available today, and update the threat models and attacks as new machines and new features are introduced.
About the author:
Jakub Szefer is an Associate Professor of Electrical Engineering at Yale University where he leads the Computer Architecture and Security Laboratory (CASLAB). His research interests broadly encompass computer architecture and hardware security of computing systems, including security of quantum computers and post-quantum cryptography.