New CULT attack model breaks quantum federated learning defenses
Even one malicious quantum client can crash accuracy by 50%.
A new paper from researchers Aakar Mathur, Mohammed Ruknuddin, and Ashish Gupta, accepted at IJCAI-ECAI 2026, presents the Circuit-Level Threat (CULT) model — a formal framework for backdoor attacks in Quantum Federated Learning (QFL). QFL inherits standard federated learning's vulnerability to malicious clients and adds new attack surfaces from variational circuit training and measurement-driven gradients. CULT defines four quantum-aware attack types: Grover, Pauli, Bit-flip, and Sign-flip, each exploiting quantum-specific mechanisms. The authors prove theoretically that these attacks remain stealthy under standard smoothness assumptions, and empirically show that a single malicious client can cause severe accuracy degradation on FedAvg aggregation over MNIST and CIFAR-10 with non-IID splits.
While popular defenses — Krum, Multi-Krum, FoolsGold, FLGuardian, and Mud-HoG — mitigate degradation in many scenarios, they fail to eliminate worst-case failures in which accuracy drops by up to 50%. Attackers further evade detection because malicious updates stay close to benign update norms, effectively masking their presence. This work highlights that current QFL defenses are insufficient against circuit-level backdoors, posing a critical challenge for deploying quantum federated learning in security-sensitive applications. The CULT model provides a rigorous foundation for developing more robust defenses.
- CULT introduces four quantum-aware backdoor attacks: Grover, Pauli, Bit-flip, and Sign-flip.
- A single malicious client can crash model accuracy by up to 50% even under FedAvg aggregation.
- Standard defenses like Krum and FLGuardian reduce degradation but can't handle worst-case failures.
Why It Matters
Quantum federated learning's security gaps could undermine its use in critical, privacy-preserving AI systems.