STIQ: Safeguarding Training and Inferencing of Quantum Neural Networks from Untrusted Cloud
Satwik Kundu, Swaroop Ghosh

TL;DR
STIQ introduces an ensemble-based method to protect quantum neural networks hosted on untrusted cloud platforms, effectively obfuscating models and safeguarding against theft with minimal performance loss.
Contribution
This work presents the first ensemble-based approach for securing quantum neural networks in untrusted cloud environments, enhancing security with manageable computational overhead.
Findings
Masks model accuracy and losses by up to 76%
Achieves approximately 70% obfuscation on real quantum hardware
Maintains similar performance to unobfuscated models
Abstract
The high expenses imposed by current quantum cloud providers, coupled with the escalating need for quantum resources, may incentivize the emergence of cheaper cloud-based quantum services from potentially untrusted providers. Deploying or hosting quantum models, such as Quantum Neural Networks (QNNs), on these untrusted platforms introduces a myriad of security concerns, with the most critical one being model theft. This vulnerability stems from the cloud provider's full access to these circuits during training and/or inference. In this work, we introduce STIQ, a novel ensemble-based strategy designed to safeguard QNNs against such cloud-based adversaries. Our method innovatively trains two distinct QNNs concurrently, hosting them on the same or different platforms, in a manner that each network yields obfuscated outputs rendering the individual QNNs ineffective for adversaries operating…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
