Adversarial Data Poisoning Attacks on Quantum Machine Learning in the NISQ Era

Satwik Kundu, Swaroop Ghosh

TL;DR

This paper tackles data poisoning security in quantum neural networks (QNNs) deployed via quantum clouds in the NISQ era. It introduces intra-class Encoder State Similarity (ESS) and a quantum indiscriminate data poisoning attack, QUID, which labels poisoned samples by maximizing distance in the encoded quantum state space. Through extensive experiments in noiseless and noisy environments, including real-device noise, QUID degrades QNN accuracy by up to $92\%$ compared with baselines and remains effective against the SS-DPA defense, underscoring a significant security risk in QML deployments. The work highlights the need for quantum-specific defense strategies and sets the stage for further research on robust data sanitization in quantum machine learning.

Abstract

With the growing interest in Quantum Machine Learning (QML) and the increasing availability of quantum computers through cloud providers, addressing the potential security risks associated with QML has become an urgent priority. One key concern in the QML domain is the threat of data poisoning attacks in the current quantum cloud setting. Adversarial access to training data could severely compromise the integrity and availability of QML models. Classical data poisoning techniques require significant knowledge and training to generate poisoned data, and lack noise resilience, making them ineffective for QML models in the Noisy Intermediate Scale Quantum (NISQ) era. In this work, we first propose a simple yet effective technique to measure intra-class encoder state similarity (ESS) by analyzing the outputs of encoding circuits. Leveraging this approach, we introduce a Quantum Indiscriminate Data Poisoning attack, QUID. Through extensive experiments conducted in both noiseless and noisy environments (e.g., IBM_Brisbane's noise), across various architectures and datasets, QUID achieves up to $92\%$ accuracy degradation in model performance compared to baseline models and up to $75\%$ accuracy degradation compared to random label-flipping. We also tested QUID against state-of-the-art classical defenses, with accuracy degradation still exceeding $50\%$, demonstrating its effectiveness. This work represents the first attempt to reevaluate data poisoning attacks in the context of QML.

Paper Structure

This paper contains 17 sections, 2 equations, 5 figures, 7 tables, 1 algorithm.

Figures (5)

  • Figure 1: Architecture of a 4-qubit hybrid QNN. Classical features are encoded as angles of rotation gates ($R_Z$). The PQC transforms the encoded states to explore the search space and entangle features. Measured expectation values are then fed into a classical linear layer for the final prediction.
  • Figure 2: Overview of QUID's label-poisoning technique. The adversary extracts the encoding circuit from the QNN and uses it to compute the corresponding output density matrix ($\sigma$) for a portion ($\varepsilon$) of the training data $\mathcal{D}_{train}$. It then calculates the matrix distance between $\sigma$ and the remaining samples in the dataset ($\rho_i$), assigning the class with the maximum distance ($\max d_{\sigma\rho}$).
  • Figure 3: Figure illustrating the accuracy of labels generated based on $\min$ intra-class state distances compared to the true labels for the reduced MNIST-10 dataset with a latent dimension of $d = 8$, evaluated under both noiseless and noisy environments.
  • Figure 4: Performance of angle encoding (4 features/qubit) and amplitude encoding when using ESS to determine embedding circuit performance under varying noise levels.
  • Figure 5: Test performance of an 8-qubit, 2-layer QNN on the reduced MNIST-10 dataset with $\varepsilon = 0.5$. QUID significantly degrades model performance on $\mathcal{D}_{test}$, even when trained on larger datasets.
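The abstract's ESS idea and the Figure 2/Figure 3 captions describe the core computation: run samples through the encoding circuit, take the output density matrices, and compare a sample's state to per-class reference states by a matrix distance, where the class at minimum distance is the state-based label (Figure 3). The following added example is not the paper's code; it is a small NumPy simulation written here from the defender's side, using that same min-distance labelling as a data-sanitization check that flags training samples whose given label disagrees with the class their encoded state is closest to. Assumptions not taken from the page: the encoder is a Hadamard followed by $R_Z(x_j)$ on each qubit with one feature per qubit, the per-class reference state is the mean density matrix of that class (computed leave-one-out so a sample never votes for itself), the distance is the Hilbert-Schmidt (Frobenius) norm, and the two-feature dataset with one deliberately mislabelled sample is constructed for illustration.

```python
import numpy as np

# Single-qubit gates for the assumed angle-encoding circuit (H then R_Z per qubit).
H = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)


def rz(theta):
    """R_Z rotation by angle theta."""
    return np.diag([np.exp(-1j * theta / 2), np.exp(1j * theta / 2)])


def encode(features):
    """Density matrix rho = |psi><psi| output by the assumed encoder for one sample.

    Each qubit starts in |0>, gets a Hadamard (so R_Z produces a relative phase,
    not just a global one), then R_Z(x_j) with one feature per qubit.
    """
    state = np.array([1.0 + 0j])
    for theta in features:
        qubit = rz(theta) @ H @ np.array([1, 0], dtype=complex)
        state = np.kron(state, qubit)
    return np.outer(state, state.conj())


def hs_distance(a, b):
    """Hilbert-Schmidt distance ||a - b||_F between two density matrices (assumed metric)."""
    return float(np.linalg.norm(a - b))


def class_representatives(rhos, labels, exclude=None):
    """Mean density matrix per class (a valid mixed state).

    Sample index `exclude` is left out so that a sample never contributes to
    the reference state it is compared against.
    """
    reps = {}
    for c in sorted(set(labels)):
        members = [r for i, (r, lab) in enumerate(zip(rhos, labels))
                   if lab == c and i != exclude]
        if members:
            reps[c] = sum(members) / len(members)
    return reps


def nearest_class_labels(features, labels):
    """State-based label for every sample: the class whose leave-one-out
    representative state is at minimum distance from the sample's encoded state."""
    rhos = [encode(x) for x in features]
    predicted = []
    for i, rho in enumerate(rhos):
        reps = class_representatives(rhos, labels, exclude=i)
        predicted.append(min(reps, key=lambda c: hs_distance(reps[c], rho)))
    return predicted


def flag_inconsistent_labels(features, labels):
    """Indices of training samples whose given label disagrees with the
    state-based label; these are candidates for review before training."""
    predicted = nearest_class_labels(features, labels)
    return [i for i, (p, lab) in enumerate(zip(predicted, labels)) if p != lab]


# Constructed two-feature (two-qubit) training set: two well-separated clusters
# plus one sample that sits in the class-0 cluster but carries label 1.
FEATURES = [
    (0.30, 0.50), (0.25, 0.55), (0.35, 0.45), (0.28, 0.52), (0.32, 0.48), (0.27, 0.50),  # class 0
    (2.90, 2.60), (2.85, 2.65), (2.95, 2.55), (2.88, 2.62), (2.92, 2.58), (2.87, 2.60),  # class 1
    (0.31, 0.49),  # constructed mislabel: class-0 features, label 1
]
LABELS = [0] * 6 + [1] * 6 + [1]

if __name__ == "__main__":
    print("state-based labels:", nearest_class_labels(FEATURES, LABELS))
    print("flagged for review:", flag_inconsistent_labels(FEATURES, LABELS))
```

On this constructed input the check flags only index 12, the planted inconsistency. Two caveats a practitioner should keep in mind: the reference state is only as clean as the majority of each class, so the check degrades once a large fraction of a class is relabelled (the $\varepsilon = 0.5$ setting of Figure 5 is exactly that regime), and in a noisy run the encoded density matrices become mixed, which shrinks the distances the check relies on (the effect Figures 3 and 4 examine).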