The Quantum Imitation Game: Reverse Engineering of Quantum Machine Learning Models

Archisman Ghosh, Swaroop Ghosh
2024-07-15
Abstract: Quantum Machine Learning (QML) amalgamates quantum computing paradigms with machine learning models, providing significant prospects for solving complex problems. However, with the expansion of numerous third-party vendors in the Noisy Intermediate-Scale Quantum (NISQ) era of quantum computing, the security of QML models is of prime importance, particularly against reverse engineering, which could expose trained parameters and algorithms of the models. We assume the untrusted quantum cloud provider is an adversary having white-box access to the transpiled user-designed trained QML model during inference. Reverse engineering (RE) to extract the pre-transpiled QML circuit will enable re-transpilation and usage of the model for various hardware with completely different native gate sets and even different qubit technology. Such flexibility may not be obtained from the transpiled circuit which is tied to a particular hardware and qubit technology. The information about the number of parameters, and optimized values can allow further training of the QML model to alter the QML model, tamper with the watermark, and/or embed their own watermark or refine the model for other purposes. In this first effort to investigate the RE of QML circuits, we perform RE and compare the training accuracy of original and reverse-engineered Quantum Neural Networks (QNNs) of various sizes. We note that multi-qubit classifiers can be reverse-engineered under specific conditions with a mean error of order 1e-2 in a reasonable time. We also propose adding dummy fixed parametric gates in the QML models to increase the RE overhead for defense. For instance, adding 2 dummy qubits and 2 layers increases the overhead by ~1.76 times for a classifier with 2 qubits and 3 layers with a performance overhead of less than 9%. We note that RE is a very powerful attack model which warrants further efforts on defenses.
Quantum Physics, Cryptography and Security, Emerging Technologies, Machine Learning
### What problem does this paper attempt to solve?

The paper "The Quantum Imitation Game: Reverse Engineering of Quantum Machine Learning Models" addresses the security of quantum machine learning (QML) models in the current quantum computing environment, especially the threat of reverse engineering (RE) attacks. Specifically, it focuses on the problem that, in a quantum cloud-computing environment, third-party service providers may use white-box access to reverse-engineer the trained QML models designed by users, thereby extracting sensitive parameters and proprietary algorithms.

### Main problem background

1. **Security of quantum machine learning (QML)**:
   - QML combines the advantages of quantum computing and machine learning and can solve complex problems that are difficult for traditional computers to handle.
   - As quantum computing enters the noisy intermediate-scale quantum (NISQ) era, more and more third-party cloud service providers are beginning to offer quantum computing resources.
   - These third-party service providers may become potential attackers, obtaining users' QML models through reverse engineering, resulting in privacy leakage and intellectual property theft.
2. **Threat of reverse engineering**:
   - Attackers can use white-box access to obtain the transpiled version of the QML model designed by users and extract the original parameters and structure of the model from it.
   - Reverse engineering not only allows attackers to use these models, but may also enable them to modify the models, such as by removing watermarks or embedding their own watermarks, or even to further optimize the models for other purposes.

### Main contributions of the paper

1. **Proposing a reverse-engineering technique**:
   - The paper proposes a method for recovering the original parameters and structure from the transpiled QML circuit.
   - By analyzing the transpiled circuit and identifying the patterns of single-qubit rotation gates and two-qubit entanglement gates, the original QML model is gradually restored.
2. **Experimental verification**:
   - The authors experimentally verified the feasibility of reverse-engineering multi-qubit classifiers under specific conditions and found that reverse engineering with an average error on the order of \(10^{-2}\) can be achieved within a reasonable time.
3. **Defense measures**:
   - The paper proposes some defense measures, such as adding dummy rotation gates with fixed parameters to the QML model to increase the difficulty and cost of reverse engineering.
   - Experiments show that adding 2 dummy qubits and 2 layers of dummy rotation gates can increase the cost of reverse engineering by about 1.76 times, while the performance cost is less than 9%.

### Conclusion

This paper systematically studies the reverse-engineering problem of QML models for the first time and proposes an effective reverse-engineering technique. At the same time, the paper also explores possible defense measures, providing an important reference for protecting the security of QML models.