
Security Concerns in Quantum Machine Learning as a Service

Satwik Kundu, Swaroop Ghosh

TL;DR

The paper analyzes security concerns for Quantum Machine Learning as a Service (QMLaaS), a hybrid quantum-classical paradigm delivering QML via cloud platforms. It presents a detailed QMLaaS workflow—from data pre-processing and encoding to transpilation, execution, gradient estimation, and classical optimization—and identifies critical assets such as Training/Testing Data, Data Encoding Circuits, and PQC architectures. It then surveys confidentiality, integrity, and availability threats arising from untrusted classical and quantum cloud providers, including data theft, IP theft, circuit tampering, side-channel attacks, DoS, and latency-related attacks, and discusses adversary motivations. The work emphasizes the need for robust security mechanisms and lays groundwork for secure deployment and further research in QMLaaS security defenses and best practices.

Abstract

Quantum machine learning (QML) is a category of algorithms that employ variational quantum circuits (VQCs) to tackle machine learning tasks. Recent discoveries have shown that QML models can effectively generalize from limited training data samples. This capability has sparked increased interest in deploying these models to address practical, real-world challenges, resulting in the emergence of Quantum Machine Learning as a Service (QMLaaS). QMLaaS represents a hybrid model that utilizes both classical and quantum computing resources. Classical computers play a crucial role in this setup, handling initial pre-processing and subsequent post-processing of data to compensate for the current limitations of quantum hardware. Since this is a new area, very little work exists to paint the whole picture of QMLaaS in the context of known security threats in the domain of classical and quantum machine learning. This SoK paper aims to bridge this gap by outlining the complete QMLaaS workflow, which encompasses both the training and inference phases, and by highlighting significant security concerns involving untrusted classical or quantum providers. QML models contain several sensitive assets, such as the model architecture, training/testing data, encoding techniques, and trained parameters. Unauthorized access to these components could compromise the model's integrity and lead to intellectual property (IP) theft. We pinpoint the critical security issues that must be considered to pave the way for a secure QMLaaS deployment.

Paper Structure (30 sections, 3 figures)

This paper contains 30 sections, 3 figures.

Figures (3)

  • Figure 1: Architecture of a 4-qubit hybrid QNN. Classical features are encoded as angles of quantum rotation gates ($R_Z$). PQC transforms encoded states to explore the search space and entangle features. Measured expectation values are then fed into a classical linear layer for final prediction.
  • Figure 2: QMLaaS Workflow: (1) Input data is pre-processed using dimensionality reduction (e.g., PCA, autoencoders) and normalized for effective QML training. (2) The reduced features are encoded into a quantum circuit, and a suitable PQC is selected. (3) The circuit is transpiled to match the quantum hardware's topology and basis gates. (4) The circuit is sent to a quantum cloud provider for execution. Training: Post-processing of measured outputs, loss calculation, and parameter updates are performed using a classical optimizer. Inferencing: Outputs are post-processed to return the final vector/label to the user.
  • Figure 3: Key Threats to Confidentiality (C), Integrity (I), and Availability (A) in the QMLaaS Pipeline.
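To make the assets concrete, here is an added, self-contained simulation of the 4-qubit hybrid QNN of Figure 1 running steps (2)-(4) of the Figure 2 workflow (this is illustrative code, not the paper's). It assumes a Hadamard layer before the $R_Z$ feature encoding, one PQC layer of $R_Y$ rotations followed by a CNOT chain, and Z-basis expectation values feeding a classical linear layer; all inputs and weights are constructed. The point for a defender: both the encoded features (user data) and the `theta` values (trained PQC parameters) are baked into the circuit that leaves the client, so an untrusted provider receives both assets in the clear.

```python
import cmath
import math

N_QUBITS = 4                      # 4-qubit QNN as in Figure 1 (assumed layout)
SQ2 = 1 / math.sqrt(2)
H = ((SQ2, SQ2), (SQ2, -SQ2))     # Hadamard, so that R_Z angles have an effect

def rz(phi):                      # R_Z: angle encoding of one classical feature
    return ((cmath.exp(-1j * phi / 2), 0), (0, cmath.exp(1j * phi / 2)))

def ry(theta):                    # R_Y: one trainable PQC rotation
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return ((c, -s), (s, c))

def apply_1q(state, q, g):
    """Apply 2x2 gate g to qubit q of a little-endian statevector (bit q of the index)."""
    out = list(state)
    for i in range(len(state)):
        if not (i >> q) & 1:      # pair index i (qubit q = 0) with j (qubit q = 1)
            j = i | (1 << q)
            out[i] = g[0][0] * state[i] + g[0][1] * state[j]
            out[j] = g[1][0] * state[i] + g[1][1] * state[j]
    return out

def apply_cnot(state, ctrl, tgt):
    """Swap target amplitudes wherever the control qubit is 1."""
    return [state[i ^ (1 << tgt)] if (i >> ctrl) & 1 else state[i]
            for i in range(len(state))]

def z_expectations(state):
    """<Z_q> per qubit: +1 for |0>, -1 for |1>, weighted by |amplitude|^2."""
    return [sum((-1 if (i >> q) & 1 else 1) * abs(a) ** 2 for i, a in enumerate(state))
            for q in range(N_QUBITS)]

def quantum_forward(features, theta):
    """Steps (2)-(4) of Figure 2: encode, run the PQC, measure. Everything here is visible to the provider."""
    state = [1.0 + 0j] + [0j] * (2 ** N_QUBITS - 1)
    for q in range(N_QUBITS):     # data encoding circuit: user data as R_Z angles (asset)
        state = apply_1q(apply_1q(state, q, H), q, rz(features[q]))
    for q in range(N_QUBITS):     # PQC: trained parameters (asset)
        state = apply_1q(state, q, ry(theta[q]))
    for q in range(N_QUBITS - 1): # entangling CNOT chain
        state = apply_cnot(state, q, q + 1)
    return z_expectations(state)

def hybrid_qnn(features, theta, weights, bias):
    """Classical post-processing: linear layer on the measured expectation values."""
    return sum(w * e for w, e in zip(weights, quantum_forward(features, theta))) + bias
```

With all features zero and every `theta` equal to pi/2 the circuit yields expectations [-1, 1, -1, 1]; flipping the first feature to pi changes them to [1, -1, 1, -1], which is exactly the data-dependent signal a curious provider could read off the submitted job.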