QuantumLeak: Stealing Quantum Neural Networks from Cloud-based NISQ Machines

Zhenxiao Fu, Min Yang, Cheng Chu, Yilun Xu, Gang Huang, Fan Chen
2024-03-16
Abstract: Variational quantum circuits (VQCs) have become a powerful tool for implementing Quantum Neural Networks (QNNs), addressing a wide range of complex problems. Well-trained VQCs serve as valuable intellectual assets hosted on cloud-based Noisy Intermediate Scale Quantum (NISQ) computers, making them susceptible to malicious VQC stealing attacks. However, traditional model extraction techniques designed for classical machine learning models encounter challenges when applied to NISQ computers due to significant noise in current devices. In this paper, we introduce QuantumLeak, an effective and accurate QNN model extraction technique from cloud-based NISQ machines. Compared to existing classical model stealing techniques, QuantumLeak improves local VQC accuracy by 4.99%~7.35% across diverse datasets and VQC architectures.
Quantum Physics, Cryptography and Security, Machine Learning
What problem does this paper attempt to address?
### Problems the Paper Attempts to Solve

This paper aims to address the issue of maliciously stealing Quantum Neural Networks (QNNs) on cloud-based Noisy Intermediate Scale Quantum (NISQ) computers. Specifically, the paper focuses on how to extract and replicate trained Variational Quantum Circuits (VQCs) from NISQ machines in cloud services. These VQCs are the core components of QNNs and hold significant intellectual property value.

### Background and Problem Definition

1. **Quantum Neural Networks (QNNs)**:
   - QNNs have demonstrated significant capabilities in fields such as natural language processing, object recognition, and financial analysis.
   - VQCs are the core of QNNs, designed through specific quantum structures and training datasets.
   - Developing accurate VQCs requires deep expertise and expensive data collection processes, making VQCs valuable intellectual property that needs strong protection measures.
2. **Quantum Cloud Computing**:
   - Due to the high cost and complexity of quantum computers, ordinary users typically access NISQ hardware through quantum cloud servers, such as via the QNN-as-a-Service (QNNaaS) model.
   - In this model, users submit queries, the server executes the QNN, and returns classical probability results, ultimately generating classical predictions.
   - Due to permission restrictions, users cannot access critical information such as the QNN's architecture, training datasets, and other hardware characteristics, posing challenges for attackers to extract the QNN model.
3. **Quantum Noise**:
   - NISQ devices have various types of noise, including State Preparation and Measurement (SPAM) errors, gate errors, and circuit-level crosstalk errors.
   - These noises significantly reduce the accuracy of QNNs on actual devices, making traditional model extraction techniques less effective on NISQ devices.

### Problem Definition

- **Problem Description**: The attacker's goal is to accurately construct a local substitute QNN (denoted as QA) that can mimic the functionality of the victim QNN (denoted as QV) by sending unlabeled inputs to the victim QNN deployed in the cloud and collecting the corresponding responses.
- **Threat Model**: In the QNNaaS model, the attacker can only submit inputs and receive raw probability output vectors, without access to the internal information of the victim QNN, such as circuit architecture, training datasets, hyperparameters, and quantum gate parameters.

### Motivation

- **Reduced Accuracy of QNNs on NISQ Devices**: Experiments have shown that QNN query results on NISQ devices are highly noisy, posing significant challenges for training accurate substitute models.
- **Ineffectiveness of Existing Techniques**: Existing model extraction techniques (e.g., CloudLeak) perform well under ideal conditions but significantly degrade in noisy environments.

### Solution

- **QuantumLeak**: The paper proposes a new quantum model extraction attack method called QuantumLeak, which uses an ensemble approach of multiple local QNN learners to improve the accuracy and robustness of extracting QNNs from NISQ devices.
- **Main Contributions**:
  - **Ensemble QNN Extraction Attack**: The first attempt to extract QNNs from NISQ devices, proposing to improve the success rate of extraction attacks by integrating multiple local substitute models.
  - **Robust QNN Learning under Noisy Data**: Systematically studied various training optimization techniques and proposed an improved Huber loss function to enhance robustness and accuracy during training with noisy data.
  - **Experimental Proof**: Experimental results on IBM NISQ devices with different VQC architectures and ensemble configurations show that QuantumLeak improves accuracy by 4.99%~7.35% compared to existing classical model extraction attacks (e.g., CloudLeak).

### Potential Defense Measures

- **Watermarking Techniques**: Introducing abnormal input-output pairs known only to the defender in the QNN to induce overfitting, thereby establishing ownership and detecting potential model theft.
- *
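
The ownership check behind the watermarking defense above, as an added example (not code from the paper or its authors): the defender queries a suspect model on the secret trigger pairs and tests whether agreement is too high to be chance. The function names, the 40-item trigger set, both stand-in models and the 1/num_classes chance rate are assumptions made for illustration.

```python
import math

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def verify_watermark(predict, trigger_set, num_classes, alpha=1e-3):
    """Query a suspect model on the defender's secret trigger set.

    Outputs from NISQ hardware are noisy, so a copied model will not
    reproduce every trigger label. Instead of requiring an exact match,
    test whether agreement is too high to be chance.
    Assumption: an unrelated model matches each abnormal label with
    probability 1/num_classes.
    """
    n = len(trigger_set)
    hits = sum(1 for x, y in trigger_set if predict(x) == y)
    p_value = binom_tail(n, hits, 1.0 / num_classes)
    return {"hits": hits, "n": n, "p_value": p_value, "flagged": p_value < alpha}

# Constructed trigger set: 40 placeholder inputs (integers stand in for the
# encoded queries) with secret binary labels chosen by the defender.
TRIGGERS = [(i, i % 2) for i in range(40)]

def suspect_copy(x):
    """Constructed stand-in for a stolen model: it carries the watermark,
    but noise flips the answer on every fifth trigger."""
    label = x % 2
    return 1 - label if x % 5 == 0 else label

def independent_model(x):
    """Constructed stand-in for an unrelated model that never saw the triggers."""
    return 1 if x % 4 < 2 else 0

if __name__ == "__main__":
    for name, model in [("suspect_copy", suspect_copy),
                        ("independent_model", independent_model)]:
        print(name, verify_watermark(model, TRIGGERS, num_classes=2))
```

The significance level `alpha` trades false accusations against missed copies; a larger trigger set tolerates more noise at the same `alpha`.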