The Quantum Imitation Game: Reverse Engineering of Quantum Machine Learning Models

Archisman Ghosh, Swaroop Ghosh

TL;DR

This work demonstrates that reverse engineering transpiled quantum machine learning circuits can recover original parameterizations and entanglement structures, enabling cross-hardware deployment and IP extraction. The authors propose a LUT-guided procedure to identify rotation gate types and parameters, and validate the approach with 1- and 2-qubit QNNs, showing that training accuracy can be preserved post-RE (e.g., exact matches in some 1-qubit cases). They quantify RE overhead and reveal that complexity grows with qubit count and circuit depth, while also proposing defenses based on dummy fixed-parameter layers and qubits to substantially increase extraction time with modest training impact. The findings highlight an important security risk for QML in cloud environments and offer practical countermeasures, underscoring the need for robust protective techniques in quantum cloud services.

Abstract

Quantum Machine Learning (QML) amalgamates quantum computing paradigms with machine learning models, providing significant prospects for solving complex problems. However, with the expansion of numerous third-party vendors in the Noisy Intermediate-Scale Quantum (NISQ) era of quantum computing, the security of QML models is of prime importance, particularly against reverse engineering, which could expose trained parameters and algorithms of the models. We assume the untrusted quantum cloud provider is an adversary having white-box access to the transpiled user-designed trained QML model during inference. Reverse engineering (RE) to extract the pre-transpiled QML circuit will enable re-transpilation and usage of the model for various hardware with completely different native gate sets and even different qubit technology. Such flexibility may not be obtained from the transpiled circuit, which is tied to a particular hardware and qubit technology. The information about the number of parameters and their optimized values can allow further training of the QML model to alter it, tamper with the watermark, and/or embed their own watermark, or refine the model for other purposes. In this first effort to investigate the RE of QML circuits, we perform RE and compare the training accuracy of original and reverse-engineered Quantum Neural Networks (QNNs) of various sizes. We note that multi-qubit classifiers can be reverse-engineered under specific conditions with a mean error of order 1e-2 in a reasonable time. We also propose adding dummy fixed parametric gates in the QML models to increase the RE overhead for defense. For instance, adding 2 dummy qubits and 2 layers increases the overhead by ~1.76 times for a classifier with 2 qubits and 3 layers with a performance overhead of less than 9%. We note that RE is a very powerful attack model which warrants further efforts on defenses.

Paper Structure (33 sections, 6 equations, 12 figures, 4 tables, 1 algorithm)

This paper contains 33 sections, 6 equations, 12 figures, 4 tables, 1 algorithm.

Figures (12)

  • Figure 1: The flow diagram describes reverse engineering of QML parameters by untrusted third-party vendors acting as adversaries. (1) shows the user training and transpiling a QML model $Q$ using non-proprietary quantum hardware and sending the transpiled version of the trained model $Q_t$ to the untrusted vendor for inferencing. (2) and (3) describe the attack model involving the procedure of reverse engineering performed by the untrusted vendor to extract the parameters and steal the IP of the user-designed model.
  • Figure 2: Matrix representation of basic quantum gates, Hadamard, Rotation-Z, Pauli-Z, $CNOT$, Pauli-X, and SX (from top left to right). An $n$-qubit gate is represented by a $2^n\times2^n$ matrix.
  • Figure 3: A diagrammatic representation of the $SWAP$ operation during transpilation of a quantum circuit. (1) represents the T-shaped coupling map of the quantum hardware where the circuit is transpiled and sent for execution. (2) shows the transpilation procedure where a $SWAP$ gate is inserted between $q_1$ and $q_2$ to accommodate the physical layout of the qubits on the quantum hardware.
  • Figure 4: A circuit representation of a PQC. In state embedding, the $RY(z_i)$ gates are used for basis encoding to map the data to the computational basis states. The parameterized layers comprise a cascade of $CRZ(\theta_i)$ gates that provide the entanglement as well as a finer-grained search into the Hilbert space. The measurement operators that follow measure the outcome of individual qubits to derive an output.
  • Figure 5: The adversary designs a Look-Up Table (LUT) based on basic circuit transpilations. The circuits shown here are transpiled on a backend having a linear coupling map with a basis set of [id, x, sx, cnot, rz] at an optimization level set to 1. In the diagram, (1) shows the transpilation of the Hadamard gate and the basic Rotation gates ($RX(\theta), RY(\theta), RZ(\theta)$); (2) shows the transpilation of basic 2-qubit entanglements. Since $CNOT$ is a part of the basis set, it remains as is and the other gates ($CY$, $CZ$) get transpiled into a combination of the basis gates; (3) shows the transpilation of a combination of multiple $RX(\theta)$, multiple $RY(\theta)$, and multiple $RZ(\theta)$ gates. They can be reversed into a single parameter of the corresponding rotation gate; and (4) shows the transpilation of a combination of $RX(\theta)$, $RY(\theta)$, and $RZ(\theta)$.
  • ...and 7 more figures
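
The point of Figure 5, as an added example that is not from the paper: transpiling to the [id, x, sx, cnot, rz] basis does not hide a trained angle, it moves it into an rz argument at a fixed offset. The rz/sx sequences below are standard single-qubit identities assumed to stand in for one backend's output (real transpiler output may differ in gate order or angle offsets), and THETA and all function names are constructed for illustration.

```python
import cmath, math

PI = math.pi
SX = [[0.5 + 0.5j, 0.5 - 0.5j], [0.5 - 0.5j, 0.5 + 0.5j]]  # sqrt(X)

def rz(t): return [[cmath.exp(-0.5j * t), 0], [0, cmath.exp(0.5j * t)]]
def ry(t): return [[math.cos(t / 2), -math.sin(t / 2)], [math.sin(t / 2), math.cos(t / 2)]]
def rx(t): return [[math.cos(t / 2), -1j * math.sin(t / 2)], [-1j * math.sin(t / 2), math.cos(t / 2)]]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def unitary(ops):
    """Multiply a gate list given in circuit (time) order into one 2x2 matrix."""
    u = [[1, 0], [0, 1]]
    for name, angle in ops:
        u = matmul(SX if name == "sx" else rz(angle), u)
    return u

def same_up_to_phase(a, b, tol=1e-9):
    # For 2x2 unitaries, |tr(A^dagger B)| == 2 exactly when B = e^{i phi} A.
    tr = sum(complex(a[i][j]).conjugate() * b[i][j] for i in range(2) for j in range(2))
    return abs(abs(tr) - 2) < tol

# Assumed transpiled forms (standard identities, checked numerically in the test).
def transpiled_ry(t):
    return [("sx", None), ("rz", t + PI), ("sx", None), ("rz", 3 * PI)]

def transpiled_rx(t):
    return [("rz", PI / 2), ("sx", None), ("rz", t + PI), ("sx", None), ("rz", 5 * PI / 2)]

def is_angle(a, target):
    return abs(math.remainder(a - target, 2 * PI)) < 1e-9

def exposed_rotation(ops):
    """Return (gate, theta) that a transpiled 1-qubit block discloses, else None."""
    names = tuple(n for n, _ in ops)
    ang = [a for n, a in ops if n == "rz"]
    if names == ("rz",):
        return ("rz", ang[0])
    if names == ("sx", "rz", "sx", "rz") and is_angle(ang[1], PI):
        return ("ry", ang[0] - PI)
    if (names == ("rz", "sx", "rz", "sx", "rz")
            and is_angle(ang[0], PI / 2) and is_angle(ang[2], PI / 2)):
        return ("rx", ang[1] - PI)
    return None

THETA = 0.7316  # constructed stand-in for a trained weight
```

Anyone with white-box access to the transpiled circuit sees the same gate list, so confidentiality of trained parameters has to come from something other than transpilation.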