A Graph-Based Forensic Framework for Inferring Hardware Noise of Cloud Quantum Backend

Cloud quantum platforms give users access to many backends with different qubit technologies, coupling layouts, and noise levels. The execution of a circuit, however, depends on internal allocation and routing policies that are not observable to the user. A provider may redirect jobs to more error-prone regions to conserve resources, balance load or for other opaque reasons, causing degradation in fidelity while still presenting stale or averaged calibration data. This lack of transparency creates a security gap: users cannot verify whether their circuits were executed on the hardware for which they were charged. Forensic methods that infer backend behavior from user-visible artifacts are therefore becoming essential. In this work, we introduce a Graph Neural Network (GNN)-based forensic framework that predicts per-qubit and per-qubit link error rates of an unseen backend using only topology information and aggregated features extracted from transpiled circuits. We construct a dataset from several IBM 27-qubit devices, merge static calibration features with dynamic transpilation features and train separate GNN regressors for one- and two-qubit errors. At inference time, the model operates without access to calibration data from the target backend and reconstructs a complete error map from the features available to the user. Our results on the target backend show accurate recovery of backend error rate, with an average mismatch of approximately 22% for single-qubit errors and 18% for qubit-link errors. The model also exhibits strong ranking agreement, with the ordering induced by predicted error values closely matching that of the actual calibration errors, as reflected by high Spearman correlation. The framework consistently identifies weak links and high-noise qubits and remains robust under realistic temporal noise drift.

💡 Research Summary

The paper addresses a growing security and trust issue in cloud‑based quantum computing: users submit circuits to a provider but have no visibility into the internal allocation, routing, and hardware selection that actually execute the job. Providers may silently redirect workloads to noisier regions of a device to balance load, conserve high‑quality qubits for premium customers, or even act maliciously. Because calibration data are often stale, averaged, or inaccessible, users cannot independently verify that the hardware on which their circuits ran matches the advertised specifications.

To fill this gap, the authors propose a forensic framework that infers per‑qubit and per‑qubit‑pair error rates of an unseen backend using only (i) the static coupling graph of the device and (ii) aggregated features extracted from a large set of transpiled circuits. The key insight is that the transpilation process—mapping logical qubits to physical qubits, inserting SWAP gates, and decomposing gates—acts as an indirect probe of the hardware. Patterns such as how often a particular qubit or edge is used, the length of routing paths, and the distribution of gate types encode information about underlying noise levels.

Dataset and feature construction
The authors collect data from several IBM 27‑qubit devices (e.g., Heron, Kingston, Pittsburgh, Fez, Marrakesh). For each device they generate thousands of random circuits, transpile them with a fixed Qiskit configuration, and record:

• Static node/edge attributes (published calibration values: single‑qubit gate error, two‑qubit gate error, T₁/T₂, readout error).
• Dynamic usage statistics: frequency of each qubit’s appearance, number of SWAPs traversing each edge, average circuit depth, gate‑type counts, etc.

These attributes are attached to the graph representation (nodes = physical qubits, edges = couplings) and serve as input to a Graph Neural Network (GNN).

Model architecture
Two separate GNN regressors are trained: one for node‑level (single‑qubit) error rates, another for edge‑level (two‑qubit) error rates. The GNN employs message‑passing layers that aggregate information from k‑hop neighborhoods, allowing the model to capture both local noise and the influence of neighboring high‑error regions. After several layers, node and edge embeddings are passed through linear heads to predict error probabilities. Training minimizes mean‑squared error against the known calibration labels of the training devices.

Results
When evaluated on a held‑out target backend (not seen during training), the framework achieves:

• Average relative error ≈ 22 % for single‑qubit errors and ≈ 18 % for two‑qubit link errors. Given that actual error rates lie in the 10⁻⁴–10⁻² range, this level of accuracy is practically useful.
• High Spearman rank correlation (0.85–0.92) between predicted and true error rankings, meaning the model reliably identifies the weakest qubits and links.
• Robustness to realistic temporal drift: performance degrades only marginally when calibration values are shifted to simulate day‑to‑day noise fluctuations.

Use‑case workflow

1. Offline phase: A trusted analyst builds the dataset from publicly available devices, extracts static and dynamic graph features, and trains the device‑agnostic GNN models.
2. Online phase: An end‑user submits jobs to a cloud provider, retrieves the transpiled circuits (which reveal the physical qubits and couplings used), extracts the same feature set, and feeds them together with the public topology into the pretrained GNN.
3. The GNN outputs an estimated error map for the claimed backend. The user compares this map with the provider’s published calibration; significant mismatches flag potential misallocation or dishonest reporting.

Broader implications and applications

• User‑side auditing – Users can independently verify that their jobs were executed on hardware of the advertised quality, without needing privileged calibration access.
• Calibration service validation – Providers can cross‑check third‑party calibration reports, detecting drift or misconfiguration.
• Competitive hardware analysis – Companies can infer the noise landscape of a rival’s undisclosed device, enabling fair benchmarking.

Limitations and future work
The approach relies on a sufficiently large and diverse set of transpiled circuits; sparse data may lead to under‑fitting. The current experiments are confined to IBM superconducting devices with a specific lattice geometry, so generalization to trapped‑ion, photonic, or other architectures remains to be demonstrated. Moreover, a malicious provider could deliberately manipulate routing decisions to obscure noise signatures, potentially reducing inference accuracy. Future research directions include (i) extending training to heterogeneous architectures, (ii) developing online, streaming inference that updates predictions as new circuits arrive, and (iii) integrating anomaly‑detection modules to flag deliberately adversarial routing.

Conclusion
The paper presents the first data‑driven forensic tool that reconstructs a full per‑qubit and per‑link error map of an unseen quantum backend using only publicly visible information. By leveraging graph neural networks to learn the relationship between transpilation statistics and hardware noise, the authors demonstrate accurate error reconstruction and strong ranking agreement, thereby offering a practical means to increase transparency and trust in cloud quantum computing environments.