Impact of the malicious input data modification on the efficiency of quantum algorithms

In this paper we demonstrate that the efficiency of quantum algorithms can be significantly altered by malicious manipulation of the input data. We exemplify the possibility of attacks on quantum spatial search based on Szegedy walk. We achieve this by proposing a framework suitable for analysing efficiency of attacks on quantum search algorithms. We provide the analysis of proposed attacks for different models of random graphs.


INTRODUCTION
Motivation While the intensive research effort invested in the area of quantum computing is fully justified by groundbreaking theoretical developments [1][2][3], year by year scientists have discovered new limitations of quantum computing devices [4]. Quantum algorithms have been proved to be susceptible to noise, which may falsify the results of the computation. This fact motivated the development of the theory of quantum errorcorrecting codes, a new branch of quantum computing. Moreover, unitary operation decomposition provides numerous problems including applications to hardware with fixed topology [5]. These aspects started to play an even more critical role after first commercial quantum computing systems became available. Furthermore, hardware attacks, based on the security holes of conventional electronics, have been discovered for quantum cryptographic protocols [6]. The issues mentioned above demonstrated that the theoretical security confirmed by the laws of physics in the ideal environment could be deceptive in the real-world applications. For the users it is important to be aware that quantum algorithms are inefficient for some types of input data. One of such examples is quantum spatial search, which is inefficient on 2D grid [1]. This case demonstrates that the quantum algorithms are not only unsuitable for some types of problems, but, even for generally optimal quantum algorithms [7], it is possible to construct input data rendering them slow.
These examples show that, while quantum algorithms may be a milestone in computational theory, their realizability and security still need to be carefully checked. From the computational complexity point of view, it remains unknown whether the existing quantum algorithms can provide the speed-up promised by the theoretical results, especially when applied to large datasets. On the other hand, the ability to describe the types of data which render quantum algorithms ineffective can be used to develope post-quantum protocols.
Contribution The main aim of the presented work is to demonstrate that the efficiency of quantum algorithms can be significantly diminished by malicious manipulation of the input data.
Let us consider a classical algorithm QuickSort. The algorithm achieves average-case performance O(n log(n)), where n is the number of elements. However, for simple fixed pivot choice, one can provide malicious input data, which increase computation time up to O(n 2 ). If no security is considered, choosing such data may considerably increase the computational resources required for running the algorithm. If the computer processes such data, this may result in denial-of-service. Fortunately, there are known solutions to this problem, for example, choosing pivot randomly or searching for it using the median of medians algorithm. Similar problems arise in the quantum spatial search, which can be based on different models of quantum walks. For the continuous-time quantum walk, the algorithm works very well and securely on many graphs [7][8][9], achieving efficiency O( √ n), where n is the graph order. However, there are known examples, such as a twodimensional grid, for which the algorithm reaches linear complexity only [1]. While the grid graph can be searched much faster for the discrete coined quantum walk, it is known that specific subgraphs of the searched graphs can form so-called exceptional configurations [10] which strongly reduce the efficiency.
In this paper we consider the formation of exceptional configurations as a method of attacking quantum algorithms. We propose a framework enabling the analysis of the attack efficiency based on the expected runtime of the algorithm. We utilize this framework for selected families of random graphs. We take into account different resources available for the attacker. Let G = (V, E) be an undirected graph and let S ⊂ V be a set of searched vertices. A quantum spatial search algorithm is a quantum walk, which after t steps finds any marked v ∈ S with probability p. While the classical spatial search is known to have time complexity Ω(n), it is possible to achieve Θ( √ n) for quantum algorithms [1,7,9,11]. The complexity may depend on a chosen graph [1] or a chosen set S [12].
Szegedy quantum walk (SzQW) [13,14] is a general quantum walk definable on an arbitrary directed graph. Let P be a graph-preserving stochastic operation. Here, the state of the system |ψ t belongs to H A V ⊗ H B V system. Let Furthermore, let The evolution takes the form and the initial state reads The success probability equals where Tr B is the partial trace on subsystem B. In this paper we consider P u representing a uniform random walk. For another quantum walk, discrete coined quantum walk (DCQW), the search problem with multiple marked vertices can be a hard task for some combinations of marked vertices, known as exceptional configurations [10,12,15]. The existence of an exceptional configuration is demonstrated in two steps. First, the existence of a special stationary state needs to be shown. Second, a bound on the probability needs to be determined, based on the stationary state. Recently, the class of connected subgraphs having the stationary state has been described, which solves the first step.
where deg G is the degree in graph G. If H is not bipartite, then it contains a stationary state.
The exceptional configuration of order 2 (2EC) is a path of length 2, such that the degrees of vertices in the original graph G are equal. The exceptional configuration of order 3 (3EC) is a triangle graph, or a path of length 3, such that the degree of the middle vertex equals the sum of the degrees of the end vertices in the original graph G. Wong has shown the equivalence between coined and Szegedy models [14], hence we are going to focus on the latter, as it is more suitable for numerical analysis.

FRAMEWORK FOR QUANTIFYING THE EFFICIENCY OF ATTACKS
For the purpose of quantifying the efficiency of attacking methods, we introduce the formal description of the family of quantum spatial search algorithms.
where Alg is a quantum algorithm searching for any vertex v ∈ S in time t, running on graph G, and parametrized by the set of parameters θ.
By p(QSS) we denote the success probability of QSS. Note that we do not define θ precisely, as it depends on the chosen algorithm Alg. For example, for coined quantum walk Alg = DCQW, the parametrization consists of the set of coin operators. For Alg = SzQW, the parametrization is the chosen stochastic operation P .
In order to compare different quantum spatial search algorithms we propose the following measure of efficiency.
Definition. Expected runtime T QSS of quantum spatial search QSS = (Alg, t; G, S, θ) is defined as The expected runtime is an expectation of number of steps after which we get the result using Bernoulli process. Such approach has been used in [1,11], where the complexity was analysed.
Using the formalised description of quantum spatial search algorithms, we can introduce the concept of attack on an algorithm as follows.
It should be stressed that the attack cannot change the evolution model and measure time of QSS. Still we will consider the function altering only some of the elements of QSS. For example, the attacks restricted to graph structure imply that S = S and θ = θ .
If we allow QSS element to be changed, then we will say the element is hackable. Otherwise, it is not hackable. Note that by definition Alg and t are not hackable.
To quantify the efficiency of the attacks we introduce attack efficiency as follows.
We are interested in such functions h that eff h,QSS ≥ 0. Furthermore, since t is common for both QSS and h(QSS) we have Let us consider the following scenario. The user is trying to start an algorithm QSS, but the attacker has changed it into QSS . If the user is aware of the attack and its nature, he can alter the measurement time t in order to minimize the expected runtime. To describe this situation we introduce strong attack efficiency. .
This definition captures the best possible defence against the attack.
All of the above definitions were restricted to the fixed spatial search algorithm. Since our aim is to analyse the efficiency of attacks on more general graph classes, we extend the previously defined terms.
Definition. Let Q be a set of quantum spatial searches and h be an attack on Q. Then maximal attack efficiency on Q, eff h,Q , is defined as Similarly, maximal strong attack efficiency on Q, eff h,Q , is defined as The above definition captures the pessimistic level of robustness against the attack. Similarly, we can define the mean and minimal efficiencies. In practice, we would like to find the dependence between the efficiency and the order of the graph.
Instead of providing deterministic Q n , we will focus on Q n defined by random graph models G n .
Definition. Let G n be a random graph model, and let for arbitrary G exist a quantum spatial search QSS(G) = (Alg, t(G); G, S(G), θ(G)). Let h be an attack defined on QSS. We say that the efficiency of the attack is almost surely at least E n iff The above definition can be naturally applied to strong efficiency.

ATTACKS ON QUANTUM SPATIAL SEARCH ALGORITHMS
We will consider the attacks altering the set of marked vertices only. For quantum spatial search (SzQW, t; G, {v}, P u ), we add marked vertices in such a way that the newly generated set S ⊃ {v} forms a connected exceptional configuration. As the probability of finding any vertex from EC is much lower than the probability of finding a single marked vertex [10], we decrease the success probability of the algorithm.
Suppose that the algorithm outputs a vertex from S \ {v}. Since we choose additional marked vertices from close neighbourhood of the original marked vertex v, the possible defence against the attack is to make a simple classical search over its neighbourhood, which is efficient for sparse graphs. However, the cumulated success probability of measuring any of S is small. Hence, the attack is effective.
Let us analyse Erdős-Rényi, Watts-Strogatz, and Barabási-Albert models. For Erdős-Rényi we choose the probability of adding edge p = 2 log(n) n , for Watts-Strogatz we select initial degree K = 2 log n and randomness β = 0.5 [17], and for Barabási-Albert we set attachment parameter to m 0 = 3 [18,19]. First, we analyse the probability of attacking a random vertex. Next, we analyse its efficiency.
Numerical results demonstrate that for every vertex of Watts-Strogatz graph we can almost surely find an exceptional configuration of order 3 (3EC), see Fig. 1(a). Thus the model can be attacked almost surely for any vertex. This is no longer the case when we allow constructing an exceptional configuration of order 2 only. For Erdős-Rényi and Barabási-Albert models, even 3EC will not provide this kind of advantage for the attacker. Nevertheless, the probability of attacking is still large, and the attacker may be able to construct an exceptional configuration of a higher order.
Another constraint for resources available to the attacker is the distance between the originally marked ver- tices and the newly marked ones. We consider two scenarios. For local exceptional configurations, the new vertices are direct neighbours of the original vertex. In the global scenario, they are at most neighbours of neighbours. Based on Fig. 1(b), one can see that it is much easier to find global exceptional configurations than the local ones for Barabási-Albert model. Hence the probability of attacking increases if the attacked has the ability to use such EC. For Erdős-Rényi model the attacker cannot utilize this type of advantage, for given parametrization. Furthermore, for p = ω(log(n)/n) all vertices have al- most equal degrees [20]. This makes finding path graph 3EC impossible, as degree condition from Preliminaries section cannot be fulfilled. We have not observed any dependence for Watts-Strogatz model (see Fig. 1(b)).
For analysing the efficiency of the attack, we have chosen at random two vertices forming an exceptional configuration. We have analyzed 50 graphs for each order n = 100, 150, . . . , 2400 for all models, using the optimization algorithm implemented in QuantumWalk package [21] with penalty time t pen = log(n) . Parameter t pen is a value which is added to the time, thus changing the expected time into (t + t pen )/p. Such adjustment prevents the optimization algorithm from halting at small time. Since log(n) is typically much smaller than t, its impact on our results is negligible.
In order to asses the impact of the attack on the complexity of quantum spatial search we have calculated the expected runtime for three cases for each random graph. In the first case, which represents the reference search, we have a single marked element. This case provides the value of efficiency of the search T QSS for a given graph. Next, we execute the QSS on the graph modified by the addition of a single marked element, which results in the formation of an exceptional configuration. This case provides us the value of the increase of the expected run-time resulting from the attack, and thus the efficiency of the attack (cf. Eq. (11)). Finally, we calculate the expected run-time for the case when the user is aware of the attack and can utilize this knowledge to minimize its effects. In this case we calculate the strong efficiency (cf. Eq. 13).
Numerical results presented in Fig. 2 show that the attacking efficiency depends on the chosen graph model. Left three plots show that if user is not aware of the attack, the efficiency is almost surely 0.8 for Erdős-Rényi and almost surely 0.9 for Watts-Strogatz. For Barabási-Albert the results are much more irregular, and no level of efficiency can be guaranteed.
If the user is aware of the attack, it is possible to prevent it at least partially for all models by changing the measurement time. The efficiency in this case is captured by the notion of strong efficiency. For Erdős-Rényi and Watts-Strogatz models the strong efficiency is almost surely at least 0.5. For Barabási-Albert we still observe high irregularity in obtained data and the strong efficiency is almost surely significantly smaller than 1.
As the complexity attack should result in the algorithm complexity growth, we have determined numerically the expected time change in the case of common measurement time. The results are presented in Fig. 3. We have assumed that the complexity grows as the power complexity, Θ(n α ). The tangent of the regression line of the expected run-time in the function of the graph order on the log-log scale provides the approximation of the parameter α. The observed growth of the values of α, resulting from the attack, demonstrates that the attacker is able to significantly increase the expected run-time of the quantum algorithm. This suggests that the algorithm is vulnerable to the complexity attack, which might result in the denial-of-service of the quantum computer.

SUMMARY AND DISCUSSION
In this paper we have signified the problem of possible vulnerability of quantum algorithms to the complexity attacks. The presented approach is based on the analysis of input data. As such it can be used to discover weaknesses of quantum computers resulting from the application of quantum algorithms on input data unsuitable for processing on quantum machines. This is contrast to the common approach where only the theoretical computational complexity is taken into account.
We have developed the theoretical framework for quantifying the efficiency of the attacks. We have constructed an attack based on exceptional configurations and analysed it in the context of its applicability and efficiency. The analysis confirms that it is possible to decrease the efficiency of quantum spatial search based on Szegedy walk by malicious modification of input data.
One should note that the presented results can be applied for a general class of graphs. This is in contrast to the results from [10], where only special classes of graphs were considered. For those classes it can be shown analytically that the algorithm complexity changes from Θ( √ n) to Θ(n).
It should be stressed that the models of random graphs used for assessing the security of quantum algorithms mimic the structure of real-world data [19]. As such the presented analysis confirms that the theoretical security of quantum procedures can be inadequate when the algo-rithms are applied for specific input data. This includes input data which encode the connections observed in complex networks.
The authors would like to thank Nikolay Nahimov for discussion concerning exceptional configurations and Alexander Rivosh for inspiring the application of this concept in quantum spatial search. This work has been partially supported by Polish National Science Center grant 2011/03/D/ST6/00413. Numerical calculations were possible thanks to the support of PL-Grid Infrastructure.