Beyond Post-Quantum Cryptography: The Emerging Security Risks in Quantum Computing
What happens when your secrets run on someone else's quantum computer ?
Billions of dollars are pouring into quantum computing.
Governments are funding national quantum programs. Technology giants are investing heavily in quantum hardware. Every few months, another breakthrough makes headlines: a new error-correction milestone, a larger quantum processor, a more scalable architecture.
The progress is encouraging. Judging by recent results and the roadmaps of the major quantum hardware companies, I believe fault-tolerant quantum computers are not far away.
And whenever quantum computing enters the news, the security discussion almost always goes in the same direction: what happens when quantum computers break today’s encryption?
It’s an important question. Enterprises must migrate to post-quantum cryptography to protect against that threat. But you’ve heard this story a thousand times already.
Here, we’re addressing another problem:
What happens when you run your most valuable secrets on a remote quantum computer owned by someone else?
Most people think about quantum computers as a future threat to classical systems. Far fewer think about the security of the quantum computers themselves.
Yet as quantum computing increasingly moves into the cloud, new security concerns are emerging: side-channel attacks between users, malicious quantum circuits, and cloud providers with complete technical visibility into customer workloads.
We spend enormous effort worrying about quantum computers breaking privacy, while paying relatively little attention to the privacy risks of using quantum computers.
This concern isn’t hypothetical. Researchers have already demonstrated attacks on real quantum hardware.
The quantum cloud trust problem
The first thing to understand is that almost nobody owns a quantum computer.
Quantum processors are expensive, complex machines that require highly specialised environments. Most users access them through cloud platforms operated by companies such as IBM, Google, Amazon, Microsoft, Quantinuum, IonQ, and others.
This model is convenient. It is also where the security questions begin.
In classical cloud computing, we have spent decades developing mechanisms to reduce trust in the provider. Technologies such as trusted execution environments, confidential computing, secure enclaves, and homomorphic encryption aim to ensure that cloud operators cannot inspect sensitive workloads.
Quantum computing is not there yet.
Today, when a quantum job reaches a cloud provider, the provider generally has access to the circuit description, the compilation pipeline, the execution environment, and the measurement process. The computation ultimately runs on hardware fully controlled by the provider.
This creates a fundamental trust assumption.
Imagine a pharmaceutical company searching for a new drug candidate, or a biotech firm analyzing patient DNA. In these scenarios, the value is not only in the data being processed or the results being produced.
The quantum circuit itself (the algorithm) is the IP
Today, trust is primarily contractual.
The long-term goal should be cryptographic trust.
Multi-tenant quantum computers: when your neighbour becomes the attacker
Now suppose we trust the quantum computer provider. Could another customer still attack us?
To answer that, you need to know where the quantum cloud is heading: multi-tenancy.
Today, most quantum jobs run one at a time. Your circuit gets the machine for a moment, then the next user’s job takes over. Simple but wasteful.
As processors grow toward thousands of qubits, the economics push in one direction: share the chip. Multiple users, same processor, same time, each on their own patch of qubits. This is essential for making quantum computing more accessible and efficient, especially given the high cost of quantum hardware.
To be clear, multi-tenancy is not standard practice on the major platforms yet. But demand for scarce hardware keeps growing, and researchers widely expect it as machines scale. The classical cloud went through exactly the same transition, for exactly the same reasons.
Which is why security researchers are probing it now, before it ships.
In superconducting quantum computers, operations performed on one set of qubits can unintentionally influence nearby qubits through a phenomenon known as crosstalk. Engineers typically view crosstalk as a source of noise that must be minimised.
Security researchers see something else.
If the “noise” observed by one user depends on what another user is computing, that noise becomes a potential side channel.
In 2025, researchers demonstrated that crosstalk signatures could be used to infer structural information about a victim’s quantum circuit. By observing leakage patterns and applying machine learning techniques, they identified the victim’s algorithm with accuracy approaching 86%.
More recently, researchers proposed the SWAP attack, which extends these ideas across larger portions of a quantum processor. In both passive and active variants, the attack can extract information or intentionally degrade another user’s computation. The techniques were validated on real IBM quantum hardware.
These results demonstrate something important: Information about a computation can leak through the hardware itself.
For organizations relying on proprietary algorithms or sensitive workloads, even partial leakage may be unacceptable.
Quantum malware, Quantum antivirus
Notice what the SWAP attack’s active variant really is: a circuit deliberately written to corrupt a neighbour’s computation.
That deserves its own name.
Call it quantum malware: malicious circuits intentionally designed to interfere with, spy on, or manipulate neighbouring computations.
Researchers at Yale have already proposed what is effectively an antivirus system for quantum computers.
Their approach scans submitted quantum circuits before execution, searching for potentially malicious structures and attack patterns.
The proposal immediately reveals an interesting parallel with classical cybersecurity.
Just as classical malware authors constantly evolve techniques to evade signature-based detection, malicious quantum circuits could potentially be rearranged or obfuscated to avoid simple pattern matching.
If quantum computing becomes commercially important, it is difficult to imagine that offensive and defensive techniques will not evolve alongside it.
Every major computing platform eventually acquires a security ecosystem, and quantum computing will be no different.
The solutions already exist in research
The encouraging news is that quantum cryptographers recognized this challenge more than a decade ago.
Several remarkable cryptographic frameworks have been developed to address it.
Before looking at them, notice that the trust problem has two halves.
The first is privacy: the server should not see what you are computing.
The second is correctness: the server should not be able to lie about the result.
If a quantum computer hands you an answer to a problem you cannot verify, how do you know it’s right? A dishonest provider could cheat and return a wrong answer.
Hiding your computation is not enough. You also need to verify it, an area of research formally referred to as verification of quantum computation
Blind Quantum Computing
In 2009, Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi introduced Universal Blind Quantum Computation (BQC).
The central idea is astonishing. A client can delegate a quantum computation to a remote quantum server while hiding the computation, the inputs, and the outputs from the server itself.
The server performs the work without learning what problem it is solving.
The security guarantees are information-theoretic, meaning they do not rely on assumptions about computational hardness.
And blindness turned out to be only the beginning.
Fitzsimons and Kashefi later extended the protocol to make the computation verifiable: the client embeds hidden trap measurements into the delegated computation, and a server that cheats, or simply malfunctions, gets caught with overwhelming probability.
The downside is practicality. The client requires some quantum resources, and the protocol involves substantial interaction between client and server.
Researchers have already demonstrated small-scale BQC on real hardware, such as an experiment with a trapped-ion server and a simple photonic client (Oxford, 2024), and more recently on a modular superconducting processor (ETH, 2026).
Quantum Homomorphic Encryption
Another approach is Quantum Homomorphic Encryption (QHE).
The goal is straightforward: allow a quantum computer to operate directly on encrypted quantum data (here, only the data is hidden - in contrast to BQC, which hides both the algorithm and the data)
Conceptually, this resembles Fully Homomorphic Encryption in classical cryptography.
The challenge is overhead.
Even classical fully homomorphic encryption required years of research before becoming remotely practical. QHE inherits many of those costs while operating on hardware that is already resource-constrained.
Practical deployment remains distant.
Mahadev’s theoretical breakthrough
Perhaps one of the most remarkable results arrived in 2018. A researcher (Urmila Mahadev) showed that a purely classical client (without quantum resources, in simple terms a client who is using a classical computer locally, to delegate computation to a remote quantum server) can securely delegate quantum computations to a quantum computer.
No quantum hardware is required on the client’s side.
The construction relies on cryptographic assumptions related to the Learning With Errors (LWE) problem, one of the foundational assumptions underlying modern post-quantum cryptography.
And the same toolkit solved the other half of the trust problem.
In a companion result, Mahadev showed that a purely classical client can also verify a quantum computation, forcing the untrusted server to prove, over an ordinary internet connection, that it actually did the quantum work it claims.
The trade-off is efficiency. These results are theoretical, and current implementations remain far too expensive for practical quantum cloud workloads. But the theoretical breakthrough was interesting.
There are also other BQC protocols for classical clients.
Beyond the mentioned protocols, there are techniques such as quantum program obfuscation, quantum federated learning, and quantum differential privacy that are not covered in this article.
The security debate we’re not having
The history of computing follows a familiar pattern.
We build powerful systems first. We worry about security later.
Artificial intelligence is now experiencing the same tension between capability and security.
Quantum computing appears to be following a similar path.
The attacks are beginning to appear. Some defenses are being developed in the academic literature.
The challenge is transforming those defenses into deployable infrastructure before quantum computing becomes economically indispensable.
Because the first truly valuable quantum workloads will not be toy demonstrations.
They will involve drug discovery, advanced materials, biotechnology, logistics, finance, and national security applications.
When that day arrives, contractual trust will no longer be enough.
The question is no longer whether quantum computing needs a confidential computing layer.
The question is whether we’ll build it before we need it.
Follow and subscribe if you’d like to receive more about this topic