Security has always been a critical issue in machine learning (ML) applications. Due to the high cost of model training -- such as collecting relevant samples, labeling data, and consuming computing power -- model-stealing attack is one of the most fundamental but vitally important issues. When it comes to quantum computing, such a quantum machine learning (QML) model-stealing attack also exists and is even more severe because the traditional encryption method, such as homomorphic encryption can hardly be directly applied to quantum computation. On the other hand, due to the limited quantum computing resources, the monetary cost of training QML model can be even higher than classical ones in the near term. Therefore, a well-tuned QML model developed by a third-party company can be delegated to a quantum cloud provider as a service to be used by ordinary users. In this case, the QML model will likely be leaked if the cloud provider is under attack. To address such a problem, we propose a novel framework, namely QuMoS, to preserve model security. We propose to divide the complete QML model into multiple parts and distribute them to multiple physically isolated quantum cloud providers for execution. As such, even if the adversary in a single provider can obtain a partial model, it does not have sufficient information to retrieve the complete model. Although promising, we observed that an arbitrary model design under distributed settings cannot provide model security. We further developed a reinforcement learning-based security engine, which can automatically optimize the model design under the distributed setting, such that a good trade-off between model performance and security can be made. Experimental results on four datasets show that the model design proposed by QuMoS can achieve competitive performance while providing the highest security than the baselines.

翻译：安全一直是机器学习应用中的关键问题。由于模型训练的高成本（如收集相关样本、标注数据和消耗算力），模型窃取攻击是最基础但至关重要的问题之一。在量子计算领域，这种量子机器学习模型窃取攻击同样存在，甚至更为严重，因为同态加密等传统加密方法难以直接应用于量子计算。另一方面，受限于量子计算资源，训练量子机器学习模型的经济成本在短期内可能高于经典模型。因此，由第三方公司精心调优的量子机器学习模型可委托量子云提供商作为服务供普通用户使用。在此场景下，若云提供商遭受攻击，量子机器学习模型很可能发生泄露。为解决该问题，我们提出一种名为QuMoS的新型框架以保护模型安全。我们建议将完整的量子机器学习模型分割为多个部分，并分发至多个物理隔离的量子云提供商执行。这样，即使某个提供商的攻击者能获取部分模型，也无法获得足够信息还原完整模型。尽管前景可观，但我们观察到分布式设置下的任意模型设计无法保证安全性。我们进一步开发了基于强化学习的安全引擎，可自动优化分布式设置下的模型设计，从而实现模型性能与安全性的良好平衡。在四个数据集上的实验结果表明，QuMoS提出的模型设计在实现有竞争力的性能的同时，能比基线方法提供最高的安全性。