Security has always been a critical issue in machine learning (ML) applications. Due to the high cost of model training -- such as collecting relevant samples, labeling data, and consuming computing power -- model-stealing attack is one of the most fundamental but vitally important issues. When it comes to quantum computing, such a quantum machine learning (QML) model-stealing attack also exists and it is even more severe because the traditional encryption method can hardly be directly applied to quantum computation. On the other hand, due to the limited quantum computing resources, the monetary cost of training QML model can be even higher than classical ones in the near term. Therefore, a well-tuned QML model developed by a company can be delegated to a quantum cloud provider as a service to be used by ordinary users. In this case, the QML model will be leaked if the cloud provider is under attack. To address such a problem, we propose a novel framework, namely QuMoS, to preserve model security. Instead of applying encryption algorithms, we propose to distribute the QML model to multiple physically isolated quantum cloud providers. As such, even if the adversary in one provider can obtain a partial model, the information of the full model is maintained in the QML service company. Although promising, we observed an arbitrary model design under distributed settings cannot provide model security. We further developed a reinforcement learning-based security engine, which can automatically optimize the model design under the distributed setting, such that a good trade-off between model performance and security can be made. Experimental results on four datasets show that the model design proposed by QuMoS can achieve a close accuracy to the model designed with neural architecture search under centralized settings while providing the highest security than the baselines.

翻译：安全性一直是机器学习应用中的关键问题。由于模型训练成本高昂——例如收集相关样本、标注数据和消耗计算资源——模型窃取攻击是最基础但至关重要的问题之一。当涉及量子计算时，此类量子机器学习模型窃取攻击同样存在，而且更为严重，因为传统加密方法几乎无法直接应用于量子计算。另一方面，由于量子计算资源有限，训练量子机器学习模型的经济成本在短期内甚至可能高于经典模型。因此，公司经过精心调优的量子机器学习模型可委托给量子云提供商作为服务供普通用户使用。在此情况下，若云提供商遭受攻击，量子机器学习模型将被泄露。为解决该问题，我们提出了一种名为QuMoS的新型框架用于保护模型安全。我们不采用加密算法，而是将量子机器学习模型分布至多个物理隔离的量子云提供商。如此一来，即使某个提供商中的攻击者能获取部分模型，完整模型信息仍保留在量子机器学习服务公司中。尽管前景可观，但我们发现分布式环境下的任意模型设计无法保证安全性。为此，我们进一步开发了基于强化学习的安全引擎，可自动优化分布式环境下的模型设计，实现模型性能与安全性的良好平衡。在四个数据集上的实验结果表明，QuMoS提出的模型设计在准确性上接近集中式环境下基于神经架构搜索设计的模型，同时提供了优于基线方法的最高安全性。