AI-driven Reverse Engineering of QML Models

Archisman Ghosh, Swaroop Ghosh

TL;DR

An autoencoder-based approach to extract the parameters from transpiled QML models deployed on untrusted third-party vendors is introduced and it is noted that they can be reverse-engineered under restricted conditions with a mean error of order 10^-1.

Abstract

Quantum machine learning (QML) is a rapidly emerging area of research, driven by the capabilities of Noisy Intermediate-Scale Quantum (NISQ) devices. With the progress in the research of QML models, there is a rise in third-party quantum cloud services to cater to the increasing demand for resources. New security concerns surface, specifically regarding the protection of intellectual property (IP) from untrustworthy service providers. One of the most pressing risks is the potential for reverse engineering (RE) by malicious actors who may steal proprietary quantum IPs such as trained parameters and QML architecture, modify them to remove additional watermarks or signatures, and re-transpile them for other quantum hardware. Prior work presents a brute-force approach to RE the QML parameters, which incurs exponential time overhead. In this paper, we introduce an autoencoder-based approach to extract the parameters from transpiled QML models deployed on untrusted third-party vendors. We experiment on multi-qubit classifiers and note that they can be reverse-engineered under restricted conditions with a mean error of order 10^-1. The time taken to prepare the dataset and train the model to reverse engineer the QML circuit is of the order of 10^3 seconds (which is 10^2x better than the previously reported value for 4-layered 4-qubit classifiers); this makes the threat of RE highly potent and underscores the need for continued development of effective defenses.

Paper Structure (27 sections, 4 figures, 4 tables)

Figures (4)

  • Figure 1: The threat model of reverse engineering user-designed QML models by untrusted vendors. (1) shows the training and transpilation of a QML model $Q$ in non-proprietary quantum hardware; (2) shows the deployment of the trained QML model $Q_t$ on a cloud service provided by an untrusted vendor; (3) demonstrates the reverse engineering of the transpiled QML circuit to the RE circuit and the transpiled params. This can be done by an adversary with the help of pre-designed LUTs [ghosh2024quantumimitationgamereverse]; (4) shows the procedure of feeding the transpiled parameters into an autoencoder to generate the reverse-engineered parameters by the untrusted vendor.
  • Figure 2: A subset of the LUT discussed in [ghosh2024quantumimitationgamereverse]. The adversary obtains the transpiled circuit, parses it qubit-by-qubit, and obtains an ordering of rotation gates which is matched with the LUT, and the original order of gates is obtained. Following this, the adversary feeds the transpiled parameters into the autoencoder and predicts the parameters as close as possible to the original parameters, thus effectively reverse engineering the QML model.
  • Figure 3: The performance of the autoencoder in predicting the parameters to reverse engineer the QML model. Due to the high non-linearity of the transpilation procedure, the rate of decrease of the loss is low.
  • Figure 4: Performance of the proposed idea against existing countermeasures presented in [ghosh2024quantumimitationgamereverse]. A 2-qubit 3-layered classifier has been reverse-engineered for this experiment. It is observed from the plots that the RE overhead is significantly reduced, undermining the security of the countermeasures completely.