Table 1 Summary of results on the privacy guarantees and complexity provided by the studied attack models on various VQC models

Privacy Breach	Description	Complexity	Requirements
Weak	Snapshot recovery	Algorithm 2: \({\mathcal{O}}(\,\text{poly}(\text{dim}\,({\mathfrak{g}})))\)	\({\mathcal{O}}(\,\text{poly}\,(n))\) sized DLA + LASA condition (Def 5) + Slow Pauli Expansion (Def 9)
Strong	Snapshot inversion for local Pauli encoding	Algorithm 4: \({\mathcal{O}}\left.\right(\,\text{poly}\,(n,1/\epsilon )\)	Snapshot recovery requirement + Separable state with ρ_J(x) parameterized by subset \({{\mathsf{x}}}_{J}\subseteq {\bf{x}}\) • \(\,\text{dim}\,({{\bf{x}}}_{J})={\mathcal{O}}(1)\) • each x_k is encoded at most \(R={\mathcal{O}}(\,\text{poly}\,(n))\) times • Snapshot components with non-zero overlap w.r.t. ρ_J(x_J) has cardinality at least dim(x_J).
Strong	Snapshot inversion for generic encoding	Grid Search : \({\mathcal{O}}\left({\left(\frac{L}{\epsilon }\right)}^{d}\right)\)	The recovery cost function is L-Lipschitz, leading to efficient privacy breach not being possible

We consider two privacy breach scenarios involving VQCs : weak privacy breach and strong privacy breach for classical or quantum-assisted polynomial time methods. Weak privacy breach concerns the recovery of the meaningful snapshots of the input encoded state, allowing training VQC models for distinct learning tasks without requiring access to the input. Strong privacy breach concerns subsequently arise when inverting the snapshots to recover the original input. We consider the snapshot invertibility for the local Pauli encoding map, which admits an efficient (polynomial in the number of qubits n) algorithm if the requirements stated in the table are met. For the case of generic encoding maps where the VQC is considered as a black-box L-Lipschitz function, snapshot invertibility requires performing the grid search, which scales exponentially in the input dimension d, and thus it rules out efficient privacy breaches.

Quick links

Search