AI-driven Reverse Engineering of QML Models

TL;DR

This paper presents an autoencoder-based method for reverse engineering quantum machine learning models, revealing significant security vulnerabilities in third-party quantum cloud services by efficiently extracting proprietary model parameters.

Contribution

It introduces a novel autoencoder approach to reverse engineer QML models, demonstrating its effectiveness and speed compared to prior brute-force methods, highlighting security risks.

Findings

QML models can be reverse-engineered with a mean error of 10^-1

The method takes approximately 1000 seconds to train, outperforming previous techniques

Reverse engineering poses a significant security threat to quantum IPs

Abstract

Quantum machine learning (QML) is a rapidly emerging area of research, driven by the capabilities of Noisy Intermediate-Scale Quantum (NISQ) devices. With the progress in the research of QML models, there is a rise in third-party quantum cloud services to cater to the increasing demand for resources. New security concerns surface, specifically regarding the protection of intellectual property (IP) from untrustworthy service providers. One of the most pressing risks is the potential for reverse engineering (RE) by malicious actors who may steal proprietary quantum IPs such as trained parameters and QML architecture, modify them to remove additional watermarks or signatures and re-transpile them for other quantum hardware. Prior work presents a brute force approach to RE the QML parameters which takes exponential time overhead. In this paper, we introduce an autoencoder-based approach to extract the parameters from transpiled QML models deployed on untrusted third-party vendors. We experiment on multi-qubit classifiers and note that they can be reverse-engineered under restricted conditions with a mean error of order 10^-1. The amount of time taken to prepare the dataset and train the model to reverse engineer the QML circuit being of the order 10^3 seconds (which is 10^2x better than the previously reported value for 4-layered 4-qubit classifiers) makes the threat of RE highly potent, underscoring the need for continued development of effective defenses.