Privacy Against Hypothesis-Testing Adversaries for Quantum Computing

Quantum computing algorithms have garnered huge attention due to their considerable speedups in several classically difficult problems, such as factorising [1]. These breakthroughs and the added attention has paved the way for development of new algorithms for big data processing, such as quantum machine learning [2, 3, 4]. However, data processing can result in unintended information leakage [5]. This is an important issue because, as quantum hardware becomes more commercially available, these algorithms can be implemented on real-world sensitive, private, or proprietary datasets. Therefore, there is a need for development of frameworks to better understand private information leakage in quantum computing algorithms and to construct privacy-preserving algorithms.

In the classical computing literature, differential privacy has become the gold standard of privacy analysis and private algorithm design [6, 7, 8]. This is often attributed to the fact that differential privacy makes minimal assumptions about the data (e.g., range rather than distribution) and meets important properties of post processing and compositions [9]. Although possessing powerful guarantees, differential privacy has been polarizing [10, 11, 12]. Criticisms surroundings conservativeness of differential privacy have motivated a host of studies on privacy in information theory that can handle privacy-utility trade-off better in certain situations [13, 14, 15, 16, 17]. In fact, adoption of hypothesis-testing and estimation-based adversaries have been proposed as less conservative alternatives to differential privacy by social scientists following implementation of differential privacy in the 2020 United States Decennial Census of Population and Housing [10]. Nonetheless, differential privacy has been recently extended to quantum computing [18, 19, 20]. However, very little attention has been paid other forms of privacy in quantum systems. In this paper, we investigate privacy against hypothesis-testing adversaries. This is of particular interest to us due to the need for providing an operational, intuitive notion of privacy with real-world interpretations for privacy analysis and guarantees, which is somewhat absent in the differential privacy literature.

In this paper, we particularly propose a novel definition for data privacy for quantum computing based on quantum hypothesis testing. The design parameters in this notion of privacy possess an operational interpretation (specifically for general lay-users) based on the success/failure of an omnipotent adversary being able to distinguish the private class to which the data belongs (e.g., suffering from a certain disease in health datasets or belonging to the training dataset in membership inference attacks) based on the arbitrary measurement operators. We prove two very important properties for the new notion of privacy: post processing and composition. These properties are highly sought-after in privacy definitions [18] and information leakage metrics [13]. Subsequently, we investigate the relationship between privacy against hypothesis-testing adversaries and quantum differential privacy. This enables us to provide an interpretation for parameters of differential privacy based on its relationship with privacy against hypothesis-testing adversaries in certain parameter regimes. We will finally investigate the effectiveness of differential privacy against hypothesis-testing adversaries.

The remainder of this paper is organized as follows. We provide a review of basic concepts in quantum computing and information in Section II. The definition and results on privacy against hypothesis-testing adversaries is presented in Section III. Section IV presents quantum differential privacy and its relationship with privacy against hypothesis-testing adversaries. Finally, we present some concluding remarks and future directions for research in Section V.

The definitions and preliminary results in this review section are mostly borrowed from [21]. When the results or definitions are from outside this source, appropriate citations are presented.

A quantum system is modelled by a Hilbert space $\mathcal{H}$, i.e., a complex vector space, equipped with an inner product, that is complete with respect to the norm defined by the inner product. Throughout this paper, Dirac’s notation is used to denote quantum states. That is, a pure quantum state, which is an element (i.e., vector) of Hilbert space $\mathcal{H}$ with unit norm, is denoted by ‘ket’ $\ket{\cdot}$, e.g., $\ket{\psi}\in\mathcal{H}$. The inner product of two states $\ket{\phi}$ and $\ket{\psi}$ is denoted by $\innerproduct{\phi}{\psi}$. Here, ‘bra’ $\bra{\psi}$ is used to refer to conjugate transpose of $\ket{\psi}$ and $\innerproduct{\phi}{\psi}:=\bra{\phi}\,\ket{\psi}\in\mathbb{C}$.

The basic element of interest in quantum information theory is a quantum bit, which is often referred to as the qubit. A qubit is a 2-dimensional quantum state. Any qubit can be written in terms of the so-called computational basis $\ket{0}$ and $\ket{1}$ that form an orthonormal basis for the two dimensional Hilbert space modelling the qubit, that is, any qubit can be written as $\ket{\psi}=\alpha\ket{0}+\beta\ket{1}$ with $\alpha,\beta\in\mathbb{C}$ such that $|\alpha|^{2}+|\beta|^{2}=1$. Combination of two qubits $\ket{\phi}$ and $\ket{\psi}$ is denoted by their tensor product $\ket{\phi}\otimes\ket{\psi}$, where $\otimes$ is the Kronecker or tensor product. For the sake of brevity, we sometimes refer to $\ket{\phi}\otimes\ket{\psi}$ as $\ket{\phi}\ket{\psi}$ or $\ket{\phi,\psi}$. When two qubits $\ket{\phi}$ and $\ket{\psi}$ belong to or assigned to two distinct registers $A$ and $B$ (e.g., qubits used by two separate parties), and this information is either unclear from the context or must be emphasized, we write $\ket{\phi}_{A}\otimes\ket{\psi}_{B}$ or $\ket{\phi}_{A}\ket{\psi}_{B}$. A quantum (logic) gate is any unitary operator, e.g., $U$ such that $U^{\dagger}U=I$, that acts on a quantum state. Note that, here, $U^{\dagger}$ denotes the conjugate transpose of $U$.

A mixed quantum state is represented by an ensemble $\{(p_{1},\ket{\psi_{1}}),\dots,(p_{k},\ket{\psi_{k}})\}$ such that $p_{i}\geq 0$ for all $i\in[k]:=\{1,\dots,k\}$ and $\sum_{i\in[k]}p_{i}=1$. A mixed quantum state implies that the quantum system is in pure state $\ket{\psi_{i}}$ with probability $p_{i}$ for all $i\in[k]$. A convenient way to model and analyse mixed quantum state is to use density operators. The density operator corresponding to ensemble $\{(p_{1},\ket{\psi_{1}}),\dots,(p_{k},\ket{\psi_{k}})\}$ is given by $\rho:=\sum_{i\in[k]}p_{i}\ket{\psi_{i}}\bra{\psi_{k}}$. Evidently, by construction, $\tr(\rho)=1$. Note that pure quantum states $\ket{\phi}$ can also be modelled using rank-one density operator $\rho=\ket{\phi}\bra{\phi}$. Therefore, there is no loss of generality to work with density operators even when dealing with pure quantum states. Combination of two density operators $\rho$ and $\sigma$ is denoted by their tensor product $\rho\otimes\sigma$.

A basic operation in quantum systems is measurement, which enables extraction of information about the quantum states of the systems. A measurement is modelled by a set of operators $M=\{K_{i}\}_{i\in[m]}$ with normalization constraint that $\sum_{i\in[m]}K_{i}^{\dagger}K_{i}=I$. By performing measurement $M$ on a quantum system with state $\rho$, we observe output $i\in[m]$ with probability $\tr(K_{i}\rho K_{i}^{\dagger})$ in which case, after the measurement, the state of the quantum system is $K_{i}\rho K_{i}^{\dagger}/\tr(K_{i}\rho K_{i}^{\dagger})$. When the post-measurement state of the quantum system is of no interest, we can use the positive operator-valued measure (POVM) framework, which is a set of positive semi-definite Hermitian matrices $F=\{F_{i}\}_{i\in[m]}$ such that $\sum_{i\in[m]}F_{i}=I$. In this case, the probability of obtaining output $i\in[m]$ when taking a measurement on a system with quantum state $\rho$ is given by $\tr(\rho F_{i})=\tr(F_{i}\rho)$.

A quantum channel is the most general quantum operation. A quantum channel is a mapping from the space of density operators to potentially another space of density operators that is both completely positive and trace preserving. Quantum channels model open quantum systems, i.e., quantum systems that interact with environment, and thus can model noisy quantum behaviours. According to Choi-Kraus theorem [21, Theorem 4.4.1], for each quantum channel $\mathcal{E}$, there exists a family of linear operators $\{E_{j}\}_{j\in[n]}$ for some $n\in\mathbb{N}$ such that $\sum_{j}E_{j}^{\dagger}E_{j}=I$ and $\mathcal{E}(\rho)=\sum_{j\in[n]}E_{j}\rho E_{j}^{\dagger}$ for all density operators $\rho$. This is referred to as the Kraus representation of quantum channels. For instance, a quantum (logic) gate with unitary operator $U$ can be represented by $\mathcal{E}(\rho)=U\rho U^{\dagger}$. Similarly, if we discard or delete the outcome of measurement $M=\{K_{i}\}_{i\in[m]}$, the quantum state transition can be modelled by quantum channel $\mathcal{E}(\rho)=\sum_{i\in[k]}K_{i}\rho K_{i}^{\dagger}$. We define the tensor product of quantum channels $\mathcal{E}_{1}$ and $\mathcal{E}_{2}$ as $\mathcal{E}_{1}\otimes\mathcal{E}_{2}(\rho_{1}\otimes\rho_{2}):=\mathcal{E}_{1}(\rho_{1})\otimes\mathcal{E}_{2}(\rho_{2})$ for all density operators $\rho_{1}$ and $\rho_{2}$.

The trace norm or Schatten 1-norm of any linear operator $M$ is defined as $\|M\|_{1}:=\tr(|M|)=\tr(\sqrt{M^{\dagger}M})$. Based on this, we can define the trace distance between any two density operators $\rho$ and $\sigma$ with $\mathcal{T}(\rho,\sigma):=\frac{1}{2}\|\rho-\sigma\|_{1}\in[0,1].$ Recall that density operators belong to the set of linear operators (i.e., matrices). The distance is equal to zero when two quantum states are equal. However, the distance attains its maximum value when two quantum states have support on orthogonal subspaces. For $\upsilon\in[0,1]$, the $\upsilon$-relative entropy between two quantum states $\rho$ and $\sigma$ is defined as $D^{\upsilon}(\rho\|\sigma)\!=\!-\!\log\left(\min\{\tr(Q\sigma)|0\!\preceq\!Q\!\preceq\!I,\tr(Q\rho)\geq 1\!-\!\upsilon\}\right).$ The $\upsilon$-relative entropy satisfies a few important properties that we will use in this paper. These properties are borrowed from [22]. First, $D^{\upsilon}(\rho\|\sigma)\geq 0$ with equality if $\rho=\sigma$ and $\upsilon=0$. Second, $\upsilon$-relative entropy enjoys data processing inequality, i.e., $D^{\upsilon}(\mathcal{E}(\rho)\|\mathcal{E}(\sigma))\leq D^{\upsilon}(\rho\|\sigma)$ for all density operators $\rho,\sigma$ and all quantum channels $\mathcal{E}$. Also, $D^{\upsilon}(\rho\|\sigma)\leq({S(\rho\|\sigma)+H_{b}(\upsilon)})/({1-\upsilon}),$ where $H_{b}(\upsilon)=-\upsilon\log(\upsilon)-(1-\upsilon)\log(1-\upsilon)$ is the binary entropy function and $S(\rho\|\sigma):=\tr(\rho(\log(\rho)-\log(\sigma)))$ is the usual relative entropy in quantum information theory. The $\upsilon$-relative entropy and the trace distance also satisfy the following relationship $\nu/(1-\nu)\|\rho-\sigma\|_{1}\leq D^{\upsilon}(\rho\|\sigma)$ [23]. The smooth max-relative entropy is defined as $D^{\upsilon}_{\max}(\rho\|\sigma)=\inf_{\tau\in\mathcal{B}^{\upsilon}(\rho)}D_{\max}(\tau\|\sigma)$, where $D_{\max}(\tau\|\sigma)=\inf\{\lambda\geq 0\,|\,\rho\preceq\exp(\lambda)\sigma\}$ and $\mathcal{B}^{\upsilon}(\rho):=\{\tau\,|\,\tau^{\dagger}=\tau\succeq 0,\|\rho-\tau\|_{1}\leq 2\upsilon\}$.

Depolarizing channel is an important type of quantum noise that is represented by

where $D$ is the dimension of the Hilbert space to which the system belongs and $p\in[0,1]$ is a probability parameter.

Consider a quantum hypothesis testing scenario where a decision maker aims to distinguish between two quantum states $\rho$ (null hypothesis) and $\sigma$ (alternative hypothesis). This is done by performing POVM $M:=\{M_{1},M_{2}\}$ with $M_{1}+M_{2}=I$ and $0\preceq M_{i}\preceq I$ for $i=1,2$. If measurement outcome corresponding to the operator $M_{1}$ is realized, the decision maker guesses that the state is $\rho$ while, if measurement outcome corresponding to the operator $M_{2}$ is realized, the decision maker guesses that the state is $\sigma$. The probability of a type-I error (false positive) is equal

The probability of a type-II error (false negative) is given by

The optimal test, which seeks to minimize the false negative probability subject to a constraint on maintaining the false positive probability below $\eta\in[0,1]$, is given by

This is referred to as asymmetric quantum hypothesis testing [24]. The following well-known result (see, e.g., [22]) can be easily derived based on the definition of $\beta_{\eta}(\rho,\sigma)$ and $\eta$-relative entropy $D^{\eta}(\rho\|\sigma)$.

Alternatively, a combination of false positive and false negative probabilities can be minimized:

where $p_{\rho}\in[0,1]$ and $p_{\sigma}\in[0,1]$, respectively, denote the prior probability that quantum state $\rho$ and the prior probability that quantum state $\sigma$ are prepared. Clearly, by construct, $p_{\rho}+p_{\sigma}=1$. This is referred to as symmetric quantum hypothesis testing [24].

The most indistinguishable quantum states are $\rho=\sigma$. In this case, a decision maker would not be able to identify the quantum states because their observable are equivalent. Therefore, we can define

Therefore, for general density operators, we have

In quantum data privacy, it is desired to protect the quantum state of a system (which is being used for quantum computation) from being accurately estimated. Particularly, given a quantum state $\rho$, we want to make sure that no decision maker can identify whether the quantum state of the system is $\rho$ or another similar quantum state $\sigma$. Similarity is modelled or captured using the neighbourhood relationship, c.f., differential privacy [20].

An example of neighbouring or similarity relationship is the notion defined using trace distance in [18]. In this case, we say $\rho\sim\sigma$ if and only if $\mathcal{T}(\rho,\sigma)\leq d$ for some constant $d>0$. However, we may select another notion of similarity that ensures that two quantum states are neighbouring if they are constructed based on two private datasets that differ in the data of one individual. Such a definition is well-suited for quantum machine learning with privacy guarantees [25].

This definition implies that, if two states are similar $\rho\sim\sigma$, a quantum channel $\mathcal{E}$ is private if it makes distinguishing the reported or output states $\mathcal{E}(\rho)$ and $\mathcal{E}(\sigma)$ difficult by any decision maker. In fact, Proposition 1 shows that probability of false negatives $\beta(M_{1})$ for any detection mechanism $M=\{M_{1},M_{2}\}$ is lower bounded by $2^{-\epsilon}$ if the probability of false positives bounded by $\alpha(M_{2})\leq\eta$. Therefore, as $\epsilon$ tends to zero (privacy guarantee is strengthened/privacy budget is reduced), the probability of false negatives move towards one (i.e., the decision maker would become overwhelmed by false negatives).

The following corollary, building on Proposition 2, shows that $(\varepsilon,0)$-privacy against hypothesis testing adversary is the strongest notion of privacy and thus, $(\varepsilon,\eta)$-privacy can be thought of as relaxations of $(\varepsilon,0)$-privacy.

Although privacy is here defined in terms of asymmetric quantum hypothesis testing, we prove the following important bound on the power of symmetric quantum hypothesis testing.

Theorem 2 shows that, by decreasing $\varepsilon$, the combined probabilities of false positive and false negative denoted by $p_{\rm err}(\mathcal{E}(\rho),\mathcal{E}(\sigma))$ increases towards its maximum value $p_{\max}$. Figure 1 illustrates the lower bound $\Gamma_{p_{\rho},p_{\sigma}}(\varepsilon,\eta)$ on $p_{\rm err}(\mathcal{E}(\rho),\mathcal{E}(\sigma))$ versus the privacy budget $\varepsilon$ for various choices of $\eta$ for the case that $p_{\rho}=p_{\sigma}=\frac{1}{2}$. As expected, reducing the privacy budget $\varepsilon$ strengthens the privacy guarantees.

It is stipulated that any useful notion of privacy should admit two important properties of post processing and composition [20]. In the remainder of this section, we discuss these properties and their application to privacy against hypothesis testing adversary.

Theorem 3 shows that an adversary cannot weaken the privacy guarantees by processing the received quantum information in any way.

In practical data processing applications, there is often a need to deal with complicated algorithms in which responses from several queries based on private user data are fused together to extract useful statistical information from the data. For instance, when training machine learning models, iterative gradient descent algorithms can be used and the gradient at each epoch can be modelled as a query on the private data used for training [27]. In this case, it is desirable to establish composition rules for combination of several privacy-preserving quantum operations. Theorem 4 provides such a result for privacy against hypothesis testing adversaries.

The gold standard of privacy analysis and enforcement in the computer science literature is differential privacy, which has been recently extended to quantum computing algorithms [18]. In this section, we establish a relationship between differential privacy and privacy against hypothesis testing adversaries.

We can prove the following result regarding the relationship between quantum differential privacy and privacy against hypothesis testing adversaries.

We finish this section with analysing the performance of hypothesis testing adversaries for differentially-private quantum channels.

Theorem 7 provides a lower bound for the false negative rate for the best asymmetric hypothesis testing mechanism. The lower bound grows, and thus the decision maker would get overwhelmed by false negatives, with decreasing $\epsilon$ and $\delta$. Therefore, the privacy guarantees strengthens as the privacy budget reduces in quantum differential privacy. This is illustrated in Figure 2 [top].

Theorem 8 provides a lower bound for the combined false positive and negative rates of the best symmetric hypothesis testing mechanism. The lower bound grows towards $p_{\max}$ as $\epsilon$ and $\delta$ become smaller, which demonstrates that the privacy guarantees strengthen as the privacy budget reduces in quantum differential privacy. This is illustrated in Figure 2 [bottom].

We presented a novel definition for privacy in quantum computing based on quantum hypothesis testing. Important properties of post processing and composition were proved for this new notion of privacy. We then examined the relationship between privacy against hypothesis-testing adversaries, defined in this paper, and quantum differential privacy are then examined. In the composition rules for privacy against hypothesis adversaries, we only considered the case of $\eta=0$. Future work can expand these results for general case of $\eta\in[0,1]$. Furthermore, we only showed that $(\epsilon,0)$-differential privacy can be translated to privacy against hypothesis testing adversaries (the inverse results are more general in this paper). Therefore, another avenue for future research is to expand these results to general $(\epsilon,\delta)$-differential privacy. Finally, an important direction for future research is to use the proposed framework in numerical setups based on real-world data.