CaptchaLa Blog

Appearance

Raw-Curve Quantum Fingerprints: A Mahalanobis Authentication Framework with Drift Early Warning and Adversarial Detection

Source: arXiv:2606.11644 · Published 2026-06-10 · By Geyuyan Ma, Xiangdong Meng, Yangyang Fei, Zhiqiang Fan, Hanshi Zhao, Chenhui Wang et al.

TL;DR

This paper addresses the problem of authenticating physical quantum hardware in cloud-based quantum computing platforms, where users cannot verify which exact processor executes their workload. A malicious adversary could perform hardware substitution attacks, redirecting jobs to inferior or tampered quantum devices, undermining trust and security. The authors propose a general authentication framework that constructs multi-dimensional quantum fingerprints from raw measurement data collected via four complementary quantum experiments (Ramsey interferometry, driven SWAP oscillations, repeated Pauli-X gates, and GHZ entanglement decay). Unlike prior work, they do not perform curve fitting but directly concatenate raw statistics into a 1468-dimensional feature vector that preserves subtle device-specific characteristics. Dimensionality reduction via PCA and classification using a Mahalanobis nearest-neighbor classifier enables device identification with 100% benign authentication accuracy over three different superconducting processors across a three-week chronological dataset.

Beyond benign accuracy, the classifier outputs a per-sample authentication confidence score reflecting margin from competing devices. The study shows confidence decays predictably under additive isotropic Gaussian noise, enabling early warning of potential drift or degradation through device-specific alert thresholds. They also analyze robustness to white-box adversarial perturbations, finding near-perfect detection of L2-targeted attacks at the same confidence thresholds, while untargeted and sparse attacks largely fail. Overall, the framework unifies fingerprint extraction, drift monitoring, and adversarial defense, demonstrating a practical step towards trustworthy quantum cloud hardware authentication.

Key findings

  • A Mahalanobis nearest-neighbor classifier on a 1468-dimensional raw statistical fingerprint vector achieves 100% benign authentication accuracy on three superconducting processors collected over three weeks.
  • The fingerprint consists of statistics from four quantum experiments: Ramsey (410 features), driven SWAP (656 features), repeated gate (200 features), and GHZ entanglement decay (202 features).
  • After PCA compression to 119 dimensions retaining 95% variance, devices show strong geometric separability with inter-class to intra-class Mahalanobis distance ratios exceeding 3.0 and p < 0.0001 in permutation tests.
  • Authentication confidence Cclaimed, defined as 1 minus the ratio of Mahalanobis distances to claimed vs nearest competing centroid, has distinct device-dependent distributions with medians 0.77 (LQMS-3), 0.52 (TianYan-176), and 0.33 (TianYan-287).
  • Under additive isotropic Gaussian noise with scaled strength σ (0 to 10), mean authentication confidence decays predictably at rates explained by inverse covariance matrix traces of each device.
  • The predictable confidence decay enables a device-specific early warning mechanism for drift or noise-induced degradation using tailored alert thresholds.
  • White-box adversarial L2-targeted perturbations are detected with near-perfect success at these confidence thresholds; L∞ attacks exhibit device-dependent detection thresholds, while untargeted and sparse attacks are largely ineffective.
  • Temporal drift analysis over three weeks shows test sample Mahalanobis distances deviate from training centroids, confirming slow natural drift but benign authentication accuracy remains 100%.

Threat model

The adversary is a malicious quantum cloud provider or intermediate entity capable of redirecting a user's quantum workload from the claimed quantum processor to a substituted or inferior device. The adversary can also craft white-box adversarial perturbations to measurement data to evade authentication. However, the adversary is assumed to be restricted to the enrolled device set (closed set), and cannot arbitrarily synthesize unknown device fingerprints or fully bypass measurement statistics. Physical manipulation of internal hardware parameters or open-set unknown device impersonation is not considered.

Methodology — deep read

  1. Threat Model and Assumptions: The adversary attempts hardware substitution attacks, redirecting workloads to an inferior or malicious quantum device instead of the requested processor. The framework assumes a closed-set scenario with a finite number of enrolled devices; samples from unknown devices are forced into known classes, which is noted as future work. The adversary can also perform white-box adversarial perturbations on measurement data to evade detection.

  2. Data: The study uses three superconducting quantum processors: TianYan-176 (40 samples), LQMS-3 (105 samples), and TianYan-287 (25 samples). Each sample consists of raw measurement statistics collected from an interleaved batch of four quantum experiments executed on a fixed 5-qubit chain on each device. Samples were acquired over approximately three weeks, splitting chronologically 70% training and 30% testing to capture natural temporal drift. Each sample is a 1468-dimensional vector constructed by concatenating mean and standard deviation statistics across delay or parameter grids for each experiment.

  3. Architecture and Algorithm: No curve fitting is applied to raw measurement curves; instead statistics (mean and std) of outcome probabilities at each experiment parameter point are concatenated directly to form the fingerprint vector. PCA is applied to standardized training data to reduce dimensionality to 119 principal components capturing 95% total variance. For each device, a centroid in PCA space and a class-conditional covariance matrix are estimated (using Ledoit–Wolf shrinkage plus Tikhonov regularization). Mahalanobis distances to each class centroid are computed for an input sample z, and classification is performed by nearest centroid in Mahalanobis distance.

The authentication confidence is defined as Cclaimed=1 - Dclaimed/Dsecond where Dclaimed is Mahalanobis distance to claimed device centroid and Dsecond is distance to nearest competitor centroid. This confidence quantifies geometric margin and facilitates threshold-based detection of drift or adversarial inputs.

  1. Training Regime: Training simply involves computing class centroids and covariance matrices from the earliest 70% chronological samples per device after standardization and PCA projection. The regularized inverse covariance matrices are precomputed. No explicit epochs or gradient-based training is involved since classification is nearest centroid based.

  2. Evaluation Protocol: Benign evaluation uses chronological 70/30 split, random train-test splits (10 runs), and leave-one-out cross-validation, all achieving 100% accuracy. Temporal drift is assessed by comparing test Mahalanobis distances to training centroids. Confidence decay under additive isotropic Gaussian noise (scaled by per-feature std deviations) is characterized across σ=0..10 with 10 noise realizations each. A theoretical model predicts confidence decay using trace of inverse covariance. Adversarial evaluation involves white-box perturbations (L2, L∞, sparse, targeted and untargeted) to test detectability via confidence thresholds.

  3. Reproducibility: The processors were accessed via TianYan quantum cloud for two devices and one lab-owned processor (LQMS-3). Data size is relatively small and the code release status is not specified in the paper. Detailed hyperparameters of PCA regularization and confidence thresholding are given in the appendix.

Technical innovations

  • Direct concatenation of raw measurement statistics (means and standard deviations) from multiple complementary quantum experiments into a high-dimensional raw-curve fingerprint preserving subtle device-specific shape features, avoiding information loss from parameter fitting.
  • Use of a Mahalanobis nearest-neighbor classifier with class-specific regularized covariance matrices to exploit geometric structure and variance normalization for robust device identification.
  • Definition and use of a geometric authentication confidence score based on relative Mahalanobis distances, naturally quantifying per-device margins for alert thresholding.
  • Theoretical modeling and empirical validation of predictable authentication confidence decay under additive isotropic Gaussian noise based on inverse covariance traces, enabling an early warning mechanism for drift monitoring.
  • Adversarial robustness analysis showing that the authentication confidence threshold concurrently detects strong white-box L2-targeted adversarial perturbations with near-perfect success, integrating adversarial defense with authentication.

Datasets

  • TianYan-176 — 40 samples — TianYan quantum cloud platform
  • LQMS-3 — 105 samples — Laboratory-owned processor
  • TianYan-287 — 25 samples — TianYan quantum cloud platform

Baselines vs proposed

  • Baseline: Random and leave-one-out cross-validation splits yield 100.00% ± 0.00% benign accuracy on test sets, matching the proposed Mahalanobis nearest-neighbor approach under chronological splits.
  • Under additive isotropic Gaussian noise with σ=2, TianYan-176 accuracy drops from 100% to 72.5%, while LQMS-3 remains 100% and TianYan-287 stays at 100%, illustrating different noise sensitivities.
  • At σ=10 noise level, accuracy falls to 0% for TianYan-176, 40% for LQMS-3, and remains 100% for TianYan-287, highlighting device-dependent robustness consistent with confidence decay curves.

Limitations

  • Dataset size is relatively small (maximum 105 samples per device) and limited to three superconducting processors and a fixed 5-qubit chain, restricting generality.
  • Only closed-set authentication is considered; the system cannot reject unknown devices outside the enrolled classes, potentially causing false acceptances.
  • Adversarial evaluation focuses on white-box attacks and standard Lp norms; real-world adversaries with black-box or physical attacks are not modeled.
  • Natural temporal drift is observed but experimental duration is limited to ~3 weeks; longer-term stability and multi-month dynamics remain unexplored.
  • The controlled additive isotropic Gaussian noise model may oversimplify complex quantum noise characteristics in practice.
  • No public release of dataset or code is indicated, which limits reproducibility verification.

Open questions / follow-ons

  • How can the framework be extended to open-set authentication to reject unknown or novel devices, improving robustness against unseen hardware?
  • How does the authentication framework scale to larger quantum processors with more qubits and more complex topologies beyond fixed 5-qubit chains?
  • Can the method be adapted for other quantum hardware modalities beyond superconducting qubits, such as trapped ions or photonic systems?
  • What is the long-term stability of quantum fingerprints and authentication confidence over months or operational lifetime including environment-induced drift?

Why it matters for bot defense

For bot-defense or CAPTCHA practitioners focused on hardware-based authentication and adversarial robustness, this paper presents a rigorous framework leveraging high-dimensional physical fingerprints combined with principled statistical classification to authenticate hardware identities robustly. While applied here to quantum processors, the core idea of concatenating raw measurement statistics preserving subtle device-specific signatures and using Mahalanobis distance based confidence scores applies broadly to hardware fingerprinting.

The introduction of a confidence score that naturally yields device-dependent safety margins enabling early warning against drift or adversarial perturbations is a concept that can translate to CAPTCHA anti-bot defenses requiring continual health monitoring of clients or hardware tokens. Additionally, the demonstrated ability to detect strong white-box adversarial perturbations with geometric confidence thresholds provides insight into building robust detection mechanisms against sophisticated spoofing or evasion attacks. The methodology also highlights the importance of multi-modal raw feature collection rather than summary statistics alone for enhanced security. Overall, this work offers a detailed, quantitative approach to unified hardware authentication, drift monitoring, and adversarial detection that can inspire similar rigorous approaches in classical bot-defense and CAPTCHA systems relying on physical measurement fingerprints or telemetry signals.

Cite

bibtex
@article{arxiv2606_11644,
  title={ Raw-Curve Quantum Fingerprints: A Mahalanobis Authentication Framework with Drift Early Warning and Adversarial Detection },
  author={ Geyuyan Ma and Xiangdong Meng and Yangyang Fei and Zhiqiang Fan and Hanshi Zhao and Chenhui Wang and Haoran Yang and Weilong Wang and Zheng Shan },
  journal={arXiv preprint arXiv:2606.11644},
  year={ 2026 },
  url={https://arxiv.org/abs/2606.11644}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa