QuantumLeak: Stealing Quantum Neural Networks from Cloud-based NISQ Machines
Zhenxiao Fu, Min Yang, Cheng Chu, Yilun Xu, Gang Huang, Fan Chen
TL;DR
QuantumLeak addresses the security risk of stealing Quantum Neural Networks deployed on cloud-based NISQ devices. It introduces an ensemble-based attack that trains multiple local substitute QNNs, uses bagging over bootstrapped queries, and employs a robust Huber loss to cope with noisy labels, achieving up to $4.99\%$–$7.35\%$ accuracy gains over the prior CloudLeak approach on IBM QNNaaS. The results demonstrate that ensemble QNNs, coupled with task-specific VQC configurations, can closely replicate victim QNN functionality even under quantum noise, with a trade-off between query cost and stealth. The work highlights practical risks for QNN-as-a-Service and informs defense strategies such as watermarking and PUF-based protections.
Abstract
Variational quantum circuits (VQCs) have become a powerful tool for implementing Quantum Neural Networks (QNNs), addressing a wide range of complex problems. Well-trained VQCs serve as valuable intellectual assets hosted on cloud-based Noisy Intermediate Scale Quantum (NISQ) computers, making them susceptible to malicious VQC stealing attacks. However, traditional model extraction techniques designed for classical machine learning models encounter challenges when applied to NISQ computers due to significant noise in current devices. In this paper, we introduce QuantumLeak, an effective and accurate QNN model extraction technique from cloud-based NISQ machines. Compared to existing classical model stealing techniques, QuantumLeak improves local VQC accuracy by $4.99\% \sim 7.35\%$ across diverse datasets and VQC architectures.
