Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Quantum Quandaries: Unraveling Encoding Vulnerabilities in Quantum Neural Networks

Suryansh Upadhyay, Swaroop Ghosh

TL;DR

This work addresses security vulnerabilities in quantum neural networks deployed via quantum cloud services, showing that white-box access allows an adversary to infer the victim's encoding scheme from transpilation artifacts. It introduces a data-driven attack that classifies basis, angle, and amplitude encodings using a multi-level feature extraction pipeline and demonstrates high encoding-detection accuracy (~95%). To mitigate this risk, the authors propose a lightweight transient obfuscation layer—consisting of randomized rotations and entanglement, plus an isolation barrier and inversion phase—that obscures encoding fingerprints and reduces detection to near random (~42%) with modest depth overhead (~8.5%) for a 5-layer QNN. The findings highlight a practical security risk for QMLaaS and provide a deployable defense to safeguard encoding IP and sensitive preprocessing in cloud-based quantum workflows.

Abstract

Quantum computing (QC) has the potential to revolutionize fields like machine learning, security, and healthcare. Quantum machine learning (QML) has emerged as a promising area, enhancing learning algorithms using quantum computers. However, QML models are lucrative targets due to their high training costs and extensive training times. The scarcity of quantum resources and long wait times further exacerbate the challenge. Additionally, QML providers may rely on third party quantum clouds for hosting models, exposing them and their training data to potential threats. As QML as a Service (QMLaaS) becomes more prevalent, reliance on third party quantum clouds poses a significant security risk. This work demonstrates that adversaries in quantum cloud environments can exploit white box access to QML models to infer the users encoding scheme by analyzing circuit transpilation artifacts. The extracted data can be reused for training clone models or sold for profit. We validate the proposed attack through simulations, achieving high accuracy in distinguishing between encoding schemes. We report that 95% of the time, the encoding can be predicted correctly. To mitigate this threat, we propose a transient obfuscation layer that masks encoding fingerprints using randomized rotations and entanglement, reducing adversarial detection to near random chance 42% , with a depth overhead of 8.5% for a 5 layer QNN design.

Quantum Quandaries: Unraveling Encoding Vulnerabilities in Quantum Neural Networks

TL;DR

This work addresses security vulnerabilities in quantum neural networks deployed via quantum cloud services, showing that white-box access allows an adversary to infer the victim's encoding scheme from transpilation artifacts. It introduces a data-driven attack that classifies basis, angle, and amplitude encodings using a multi-level feature extraction pipeline and demonstrates high encoding-detection accuracy (~95%). To mitigate this risk, the authors propose a lightweight transient obfuscation layer—consisting of randomized rotations and entanglement, plus an isolation barrier and inversion phase—that obscures encoding fingerprints and reduces detection to near random (~42%) with modest depth overhead (~8.5%) for a 5-layer QNN. The findings highlight a practical security risk for QMLaaS and provide a deployable defense to safeguard encoding IP and sensitive preprocessing in cloud-based quantum workflows.

Abstract

Quantum computing (QC) has the potential to revolutionize fields like machine learning, security, and healthcare. Quantum machine learning (QML) has emerged as a promising area, enhancing learning algorithms using quantum computers. However, QML models are lucrative targets due to their high training costs and extensive training times. The scarcity of quantum resources and long wait times further exacerbate the challenge. Additionally, QML providers may rely on third party quantum clouds for hosting models, exposing them and their training data to potential threats. As QML as a Service (QMLaaS) becomes more prevalent, reliance on third party quantum clouds poses a significant security risk. This work demonstrates that adversaries in quantum cloud environments can exploit white box access to QML models to infer the users encoding scheme by analyzing circuit transpilation artifacts. The extracted data can be reused for training clone models or sold for profit. We validate the proposed attack through simulations, achieving high accuracy in distinguishing between encoding schemes. We report that 95% of the time, the encoding can be predicted correctly. To mitigate this threat, we propose a transient obfuscation layer that masks encoding fingerprints using randomized rotations and entanglement, reducing adversarial detection to near random chance 42% , with a depth overhead of 8.5% for a 5 layer QNN design.

Paper Structure

This paper contains 28 sections, 3 equations, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Quantum Neural Network (QNN)
  4. Quantum Cloud Services
  5. Data Encoding
  6. Basis Encoding
  7. Angle Encoding
  8. Amplitude Encoding
  9. Hybrid and Advanced Encoding Techniques
  10. Related works
  11. Threat model
  12. Basic Idea
  13. Adversary Capabilities and Assumption
  14. Attack Process
  15. Data Set Generation
  16. ...and 13 more sections

Figures (3)

  • Figure 1: Proposed attack model where the adversary, posing as a reliable quantum cloud service provider, uses the white box access to the QNN submitted to a quantum cloud to identify the type of encoding.
  • Figure 2: Training, validation accuracy and loss for classifying the encoding scheme in a 3-qubit circuit with 3 encoded features.
  • Figure 3: Test accuracy for circuits with varying qubit counts, where each qubit encodes a single feature.