PristiQ: A Co-Design Framework for Preserving Data Security of Quantum Learning in the Cloud

Zhepeng Wang, Yi Sheng, Nirajan Koirala, Kanad Basu, Taeho Jung, Cheng-Chang Lu, Weiwen Jiang

TL;DR

PristiQ tackles data leakage in quantum machine learning deployed on Quantum-as-a-Service by introducing a cross-layer co-design that injects an encryption subcircuit $E(\bm{\delta})$ between data encoding and QNN execution, obfuscates the boundary with PriCompiler, and automatically adapts the QNN via PriModel to maintain performance on encrypted data. The framework combines a two-stage encryption approach, using additional secure qubits and a random permutation to hide raw inputs, with reinforcement learning-driven architecture search to preserve accuracy under encryption. Experimental results in simulation and on IBMQ Manila demonstrate strong data security (lower attacker performance and favorable PSNR) while recovering or even exceeding baseline accuracies on encrypted data, especially under realistic quantum noise. The work argues for a cross-layer design philosophy for secure quantum computing that could generalize beyond QML applications in cloud environments.

Abstract

Benefiting from cloud computing, today's early-stage quantum computers can be remotely accessed via cloud services, known as Quantum-as-a-Service (QaaS). However, this poses a high risk of data leakage in quantum machine learning (QML). To run a QML model with QaaS, users need to first locally compile their quantum circuits, including the data encoding subcircuit, and then send the compiled circuit to the QaaS provider for execution. If the QaaS provider is untrustworthy, the subcircuit that encodes the raw data can be easily stolen. Therefore, we propose a co-design framework for preserving the data security of QML with the QaaS paradigm, namely PristiQ. By introducing an encryption subcircuit with extra secure qubits associated with a user-defined security key, the security of data can be greatly enhanced. An automatic search algorithm is also proposed to optimize the model to maintain its performance on the encrypted quantum data. Experimental results on simulation and the actual IBM quantum computer both prove the ability of PristiQ to provide high security for the quantum data while maintaining the model performance in QML.

Paper Structure (12 sections, 2 equations, 6 figures, 2 tables)

Figures (6)

  • Figure 1: Illustration of the typical threat model in QaaS paradigm for QML applications: The attacker in the untrustworthy cloud quantum provider can steal the user data for its own QML task.
  • Figure 2: Illustration of PristiQ framework: (a) the data encoding subcircuit $D(\bm{X})$ and QNN subcircuit $QC(\bm{\theta})$ as the inputs; (b) PriCircuit, adding the encryption subcircuit $E(\bm{\delta})$; (c) PriCompiler, obfuscating $D(\bm{X})$ and $E(\bm{\delta})$ by forming $E(\bm{\delta})\cdot D(\bm{X})$; (d) PriModel, revising QNN subcircuit $QC(\bm{\theta})$ to $QC^{\prime}(\bm{\theta}^{\prime})$ for maintaining the performance on encrypted data.
  • Figure 3: PriCircuit: (a) encryption subcircuit $E(\bm{\delta})$ composed of $S(\bm{\delta})$ and $P$; (b) an example of PriCircuit with 2 data qubits and 2 secure qubits; (c) transformations of quantum states: $S_1\rightarrow S_2$ and $S_2\rightarrow S_3$.
  • Figure 4: PriCompiler: (a) a typical subcircuit in $D(\bm{X})$; (b) the subcircuit with dummy CNOT gates; (c) the compiled subcircuit of (b) using PriCompiler.
  • Figure 5: The workflow of PriModel