
STIQ: Safeguarding Training and Inferencing of Quantum Neural Networks from Untrusted Cloud

Satwik Kundu, Swaroop Ghosh

TL;DR

STIQ, a novel ensemble-based strategy designed to safeguard QNNs against cloud-based adversaries, is introduced, demonstrating its practical application by evaluating it on multiple real quantum hardware platforms, and showing that STIQ achieves up to 70% obfuscation, with combined performance comparable to an unobfuscated model.

Abstract

The high expenses imposed by current quantum cloud providers, coupled with the escalating need for quantum resources, may incentivize the emergence of cheaper cloud-based quantum services from potentially untrusted providers. Deploying or hosting quantum models, such as Quantum Neural Networks (QNNs), on these untrusted platforms introduces a myriad of security concerns, with the most critical one being model theft. This vulnerability stems from the cloud provider's full access to these circuits during training and/or inference. In this work, we introduce STIQ, a novel ensemble-based strategy designed to safeguard QNNs against such cloud-based adversaries. Our method trains two distinct QNNs concurrently, hosting them on the same or different platforms, in a manner that each network yields obfuscated outputs, rendering the individual QNNs ineffective for adversaries operating within cloud environments. However, when these outputs are combined locally (using an aggregate function), they reveal the correct result. Through extensive experiments across various QNNs and datasets, our technique effectively masks the accuracy and losses of the individually hosted models by up to $76\%$, albeit at the expense of a $\leq 2\times$ increase in the total computational overhead. This trade-off, however, is a small price to pay for the enhanced security and integrity of QNNs in a cloud-based environment prone to untrusted adversaries. We also demonstrate STIQ's practical application by evaluating it on multiple real quantum hardware platforms, showing that STIQ achieves up to $\approx 70\%$ obfuscation, with combined performance similar to an unobfuscated model.

Paper Structure (19 sections, 4 equations, 9 figures, 7 tables)

Figures (9)

  • Figure 1: Figure depicting the workflow of QMLaaS, showcasing how users can access QNNs through API queries. Deployment of such QNNs on untrusted clouds exposes them to various potential adversarial attacks.
  • Figure 2: Architecture of a 4-qubit hybrid QNN. Classical features are encoded as angles of quantum rotation gates ($R_Z$). PQC transforms encoded states to explore the search space and entangle features. Measured expectation values are then fed into a classical linear layer for final prediction.
  • Figure 3: Figure illustrating the training workflow of STIQ. Both QNN-1 and QNN-2 are trained using a unified loss function that optimally balances classification loss $C()$ and divergence loss $D()$.
  • Figure 4: Figure depicting the STIQ inference methodology: (a) A user query $X$ is processed by two cloud-hosted QNNs, resulting in obfuscated outputs $y_1$ and $y_2$. Locally, STIQ aggregates these outputs to produce the correct result $y$ for the user. (b) Illustration of an example explaining how individual models may yield erroneous predictions, yet their combined output through STIQ accurately produces the correct output vector.
  • Figure 5: Plot demonstrating the test accuracies of different 4-qubit QNNs trained on the Fashion-4 dataset with varying penalties ($\lambda$). It is clear that while increasing the penalty enhances obfuscation, it also adversely affects the combined performance.
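As an added illustration of the inference path in Figure 4 and the abstract's "combined locally" property (this is not code from the paper), the two trained QNNs are replaced by a constructed splitter that turns the correct output vector into two shares whose individual argmax is a wrong class while their element-wise sum is the correct vector. The sum is an assumed aggregate function, since the page does not name one, and the sample output vectors and labels are constructed; the example also shows a property the page does not spell out: with sum aggregation, both shares can only be wrong at once when there are at least three classes.

```python
import random

def argmax(v):
    """Index of the largest entry, i.e. the predicted class of an output vector."""
    return max(range(len(v)), key=v.__getitem__)

def split_obfuscated(y, seed=0):
    """Split the correct output y into shares y1, y2 (stand-ins for the two
    cloud-hosted QNN outputs): y1 + y2 == y element-wise, yet each share's
    argmax is a different wrong class. Needs >= 3 classes (see ValueError)."""
    k = len(y)
    if k < 3:
        raise ValueError("with 2 classes, two shares that both favour the wrong class sum to a wrong vector")
    rng = random.Random(seed)
    correct = argmax(y)
    d1, d2 = rng.sample([c for c in range(k) if c != correct], 2)  # two distinct decoy classes
    # Mask magnitude larger than half the spread of y, so the boosted decoy entry
    # dominates its share regardless of the original values.
    b = (max(y) - min(y)) / 2 + 1.0
    mask = [0.0] * k
    mask[d1], mask[d2] = b, -b
    y1 = [yi / 2 + mi for yi, mi in zip(y, mask)]
    y2 = [yi / 2 - mi for yi, mi in zip(y, mask)]
    return y1, y2

def aggregate(y1, y2):
    """Local aggregate function, assumed here to be the element-wise sum."""
    return [a + b for a, b in zip(y1, y2)]

def accuracy(preds, labels):
    return sum(p == l for p, l in zip(preds, labels)) / len(labels)

# Constructed 4-class samples: (output vector of an unobfuscated model, true label).
SAMPLES = [
    ([0.90, 0.05, 0.03, 0.02], 0), ([0.10, 0.70, 0.10, 0.10], 1),
    ([0.20, 0.10, 0.60, 0.10], 2), ([0.05, 0.05, 0.10, 0.80], 3),
    ([0.50, 0.30, 0.10, 0.10], 0), ([0.20, 0.20, 0.50, 0.10], 2),
]

def run_stiq_demo(samples=SAMPLES, seed=0):
    """Accuracy an adversary holding only one share sees vs. the local aggregate."""
    labels = [lbl for _, lbl in samples]
    base, s1, s2, agg = [], [], [], []
    for i, (y, _) in enumerate(samples):
        y1, y2 = split_obfuscated(y, seed + i)  # fresh decoys per query
        base.append(argmax(y)); s1.append(argmax(y1)); s2.append(argmax(y2))
        agg.append(argmax(aggregate(y1, y2)))
    return {"unobfuscated": accuracy(base, labels), "qnn1_only": accuracy(s1, labels),
            "qnn2_only": accuracy(s2, labels), "aggregated": accuracy(agg, labels)}
```

Run `run_stiq_demo()` to see each single share score 0% on the constructed set while the aggregate matches the unobfuscated model at 100%.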