Guardians of the Quantum GAN

Archisman Ghosh, Debarshi Kundu, Avimita Chatterjee, Swaroop Ghosh

TL;DR

The paper tackles intellectual property protection for quantum GANs (qGANs) in the era of Noisy Intermediate-Scale Quantum (NISQ) devices and quantum hardware-as-a-service. It introduces a noise-based watermark that embeds hardware-specific signatures into qGAN-generated images, enabling detection of the training hardware and proof of ownership; robustness is enhanced by training on sequences of hardware and by using a dedicated classifier to extract the watermark. Empirical results on ten IBM backends show near-perfect watermark extraction for single-hardware training and about 90% for multi-hardware training, with the watermark proving resistant to removal or tampering under the tested scenarios. The approach is designed to extend to other quantum machine learning models and provides a practical pathway for protecting quantum IP in cloud-based quantum computing.

Abstract

Quantum Generative Adversarial Networks (qGANs) are at the forefront of image-generating quantum machine learning models. To accommodate the growing demand for Noisy Intermediate-Scale Quantum (NISQ) devices to train and infer quantum machine learning models, the number of third-party vendors offering quantum hardware as a service is expected to rise. This expansion introduces the risk of untrusted vendors potentially stealing proprietary information from the quantum machine learning models. To address this concern, we propose a novel watermarking technique that exploits the noise signature embedded during the training phase of qGANs as a non-invasive watermark. The watermark is identifiable in the images generated by the qGAN, allowing us to trace the specific quantum hardware used during training and hence providing strong proof of ownership. To further enhance the security robustness, we propose the training of qGANs on a sequence of multiple quantum hardware, embedding a complex watermark comprising the noise signatures of all the training hardware that is difficult for adversaries to replicate. We also develop a machine learning classifier to extract this watermark robustly, thereby identifying the training hardware (or the suite of hardware) from the images generated by the qGAN and validating the authenticity of the model. We note that the watermark signature is robust against inferencing on hardware different from the hardware that was used for training. We obtain watermark extraction accuracy of 100% and ~90% for training the qGAN on individual and multiple quantum hardware setups (and inferencing on different hardware), respectively. Since parameter evolution during training is strongly modulated by quantum noise, the proposed watermark can be extended to other quantum machine learning models as well.
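
The following is an added illustration, not code from the paper: a classical toy stand-in for the mechanism the abstract describes, where training noise leaves a backend-specific offset in the learned parameters and a classifier recovers the training backend (or sequence of backends) from generated images. The backend names, noise magnitudes, gradient model, zero-mean inference noise and nearest-centroid classifier are all assumptions made for this sketch.

```python
import random

# Constructed toy model: each backend is reduced to a fixed per-parameter bias
# (its "noise signature"). Names and magnitudes are hypothetical, not IBM data.
DIM, TOTAL_STEPS, LR = 16, 20, 0.1
TARGET = [i / DIM for i in range(DIM)]

def signature(name):
    rng = random.Random(name)  # deterministic per backend name
    return [rng.gauss(0, 0.1) for _ in range(DIM)]

def train(schedule, seed):
    """Noisy gradient descent toward TARGET, run on each backend in turn."""
    rng = random.Random(seed)
    theta = [0.0] * DIM
    for name in schedule:
        bias = signature(name)
        for _ in range(TOTAL_STEPS // len(schedule)):
            # Each gradient estimate is skewed by the backend bias plus shot noise.
            theta = [p - LR * (p - t + b + rng.gauss(0, 0.01))
                     for p, t, b in zip(theta, TARGET, bias)]
    return theta

def generate(theta, seed, n=50):
    """Images sampled at inference; other-hardware noise assumed zero-mean."""
    rng = random.Random(seed)
    return [[p + rng.gauss(0, 0.02) for p in theta] for _ in range(n)]

def mean_image(images):
    return [sum(col) / len(images) for col in zip(*images)]

def fit_centroids(schedules, seed=1):
    """Owner's reference: mean generated image per training schedule."""
    return {s: mean_image(generate(train(s, seed), seed + 1)) for s in schedules}

def extract(images, centroids):
    """Nearest-centroid watermark extraction over a batch of suspect images."""
    m = mean_image(images)
    return min(centroids,
               key=lambda s: sum((a - b) ** 2 for a, b in zip(m, centroids[s])))

SCHEDULES = [("backend_a",), ("backend_b",), ("backend_c",),
             ("backend_a", "backend_b")]

if __name__ == "__main__":
    cents = fit_centroids(SCHEDULES)
    for i, s in enumerate(SCHEDULES):
        suspect = generate(train(s, seed=100 + i), seed=200 + i)  # fresh run
        print(s, "->", extract(suspect, cents))
```

In this sketch `extract` always returns the nearest known schedule, so an ownership check built on it would also need a distance threshold to reject models that match none of the owner's references.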

Paper Structure (37 sections, 1 equation, 10 figures, 4 tables)

Figures (10)

  • Figure 1: The plot describes the fluctuation in the training of the same parameter in the quantum generator of the qGAN while training on ideal hardware (noiseless) and on different noisy quantum hardware: IBM Athens (5q), IBM Jakarta (7q), IBM Kolkata (27q), IBM Washington (127q).
  • Figure 2: The flow diagram describes our attack model and the proposed security measure. In the figure, (1) shows the user training his qGAN, $q$, on hardware $h_1$ to generate a trained qGAN $q_t$; (2) and (3) describe the threat model of an untrusted quantum hardware vendor, where the user sends $q_t$ for inferencing (note that the hardware used for inferencing, $H_i$, could be different from the hardware used for training, $h_1$), from where it gets counterfeited by the untrusted vendor ($q_t^{'}$); (4) is our proposed method of collecting the images generated by $q_t^{'}$ and detecting the hardware where it has been trained using the classifier for proof of ownership.
  • Figure 3: Block diagram of a Patch qGAN model that we implement and train on our suite of IBM backends.
  • Figure 4: A parameterized quantum circuit design for the sub-generator to generate a patch for the fake image. The purple qubit represents the ancilla qubit and the blue qubits represent the data qubits.
  • Figure 5: Plot demonstrating the image quality using FID score for images generated by the qGAN when trained on a single hardware and on multiple hardware.
  • ...and 5 more figures