In quantum cloud environments, quantum neural network (QNN) encoding schemes are vulnerable to white-box reverse-engineering attacks: adversaries can accurately infer users’ data encoding methods (95% accuracy) by analyzing compiled circuit fingerprints, thereby compromising both model and data security. This work first identifies a critical vulnerability—the exposure of encoding fingerprints at the QNN compilation layer—and proposes a lightweight transient obfuscation layer that integrates random unitary rotations with parameterized entanglement masking to effectively scramble encoding features. Experimental results demonstrate that the method reduces encoding identification accuracy to 42%—near-random performance—while incurring only an 8.5% overhead in circuit depth. Its efficacy is validated via Qiskit-based simulations on a five-layer QNN. To our knowledge, this is the first compilation-aware, lightweight obfuscation mechanism tailored for copyright protection and privacy defense in quantum machine learning.

Quantum computing (QC) has the potential to revolutionize fields like machine learning, security, and healthcare. Quantum machine learning (QML) has emerged as a promising area, enhancing learning algorithms using quantum computers. However, QML models are lucrative targets due to their high training costs and extensive training times. The scarcity of quantum resources and long wait times further exacerbate the challenge. Additionally, QML providers may rely on third party quantum clouds for hosting models, exposing them and their training data to potential threats. As QML as a Service (QMLaaS) becomes more prevalent, reliance on third party quantum clouds poses a significant security risk. This work demonstrates that adversaries in quantum cloud environments can exploit white box access to QML models to infer the users encoding scheme by analyzing circuit transpilation artifacts. The extracted data can be reused for training clone models or sold for profit. We validate the proposed attack through simulations, achieving high accuracy in distinguishing between encoding schemes. We report that 95% of the time, the encoding can be predicted correctly. To mitigate this threat, we propose a transient obfuscation layer that masks encoding fingerprints using randomized rotations and entanglement, reducing adversarial detection to near random chance 42% , with a depth overhead of 8.5% for a 5 layer QNN design.