Privacy-Preserved QGR in Quantum Learning

• Privacy-preserved quantum generative replay is a technique that integrates pseudorandom quantum state encryption with synthetic sample generation to enable secure continual learning.
• It employs trapdoor-keyed unitaries and quantum-secure pseudorandom functions to encrypt training data, ensuring IND-CPA security and robust resistance to membership inference attacks.
• QGR underpins continual learning architectures like QCL-IDS, demonstrating improved attack detection and reduced catastrophic forgetting while adhering to strict privacy mandates.

Privacy-preserved quantum generative replay (QGR) integrates methods from quantum cryptography and quantum generative modeling to enable continual or adversarial learning workflows wherein privacy guarantees are enforced by design. These systems allow for the synthesis and use of representative, privacy-shielded data samples in training, while precluding explicit storage or re-exposure of sensitive raw information. QGR can be implemented as a stand-alone privacy wrapper for classical or quantum generative models using trapdoor-keyed quantum unitaries (Chatterjee et al., 2023), or as a privacy module within continual quantum learning architectures such as QCL-IDS (Zhu et al., 29 Jan 2026). The core mechanisms rely on the generation of pseudorandom quantum states or the retention of generator parameters, rather than raw samples, with privacy properties established under cryptographic or regulatory criteria.

1. Fundamental Principles of Privacy-Preserved Quantum Generative Replay

QGR is characterized by two orthogonal traditions: quantum cryptographic privacy through pseudorandom quantum states (PRS), and quantum continual learning via generator freezing and synthetic rehearsal. In the cryptographic setting, private data and generated outputs are encoded as quantum states and encrypted using a keyed unitary operation (built from quantum-secure pseudorandom functions or unitaries), ensuring that, to any polynomial-time adversary (classical or quantum), the result is computationally indistinguishable from a random Haar state. This achieves IND-CPA or IND-CCA security, effectively defeating all known membership inference attacks without imposing a utility penalty on the model's discriminative objectives (Chatterjee et al., 2023).

Within quantum continual learning, as in QCL-IDS, privacy-preserved replay is realized by freezing the task-conditioned quantum generator after learning, retaining only its circuit parameters, and discarding the original data. Rehearsal is enabled by generating synthetic samples from these frozen generative models, with privacy maintained by design since only class prototypes or summary statistics are recoverable from the retained parameters (Zhu et al., 29 Jan 2026).

2. Cryptographic Architectures and Formal Guarantees

The cryptographic instantiation of QGR employs a family of keyed unitaries $g=g_k$ that transform any real versus generated sample pair $(x, x')$ into encrypted states $(|g(x)\rangle, |g(x')\rangle)$. Security derives from the following properties:

• Pseudorandom Quantum State (PRS) Security: For a keyed state family $\{|PRS_k\rangle\}_k$, no quantum polynomial-time distinguisher with black-box access to a preparation oracle can distinguish these states from Haar random ones to better than negligible advantage:

$$\left| \Pr[A_Q(PRS_k)=1] - \Pr[A_Q(Haar)=1] \right| \leq \mathrm{negl}(n).$$

• Unitary Distance Preservation: For any unitary $U$ and quantum states $|\psi\rangle$, $|\phi\rangle$, fidelity is preserved:

$$\text{Fidelity}(U|\psi\rangle, U|\phi\rangle) = |\langle\psi|\phi\rangle|.$$

This ensures that adversarial models cannot exploit encrypted representations, but the generator–discriminator loss remains unchanged for training (Chatterjee et al., 2023).

• Adversary Model: Security is defined against all non-malicious adversaries (polynomial-time classical or quantum) with oracle access to encrypted samples, excluding access to the encryption key.

No explicit $(\varepsilon, \delta)$-differential privacy parameters are introduced in this model, nor does the literature specify resource requirements beyond high-level estimates (e.g., $n$ qubits per $n$-bit sample, depth at least that of QPRF or pseudorandom unitary circuits).

3. Protocol Implementations and Variants

In (Chatterjee et al., 2023), three plug-in quantum encryption architectures are provided:

• Phase-Encoded PRS: Encode classical $x \in \{0,1\}^n$ as $|\phi_x\rangle = Z^x |+\rangle^{\otimes n}$, then apply a QPRF-based unitary to generate $|PRS(x,k)\rangle$.
• Parameterized Phase-Encoded: As above, with $RZ(\theta_i)^{x_i}$ rotations, supporting flexible data embeddings.
• Basis-Encoded PRS: Implement PRS with a sequence of random single-qubit Pauli gates interleaved with pseudorandom unitaries, for enhanced cryptographic hardness.

The training protocol universally substitutes the original sample tuple $(x, x')$ with their unitary encryptions, proceeding with fully standard adversarial or generative training. Neither the encryption key nor the intermediate encrypted states are ever released, revealing only the final trained model.

Quantum continual learning architectures, such as QCL-IDS (Zhu et al., 29 Jan 2026), deploy shallow conditional quantum circuits (e.g., conditional quantum circuit Born machines, QCBM) as generative modules. After each task $t$, a generator $\mathcal{G}_{\phi_t}$ is trained and frozen. Only its parameter set $\phi_t^*$ and Gaussian-noise seeds are retained for later replay. Synthetic rehearsal samples are drawn via

$$x_{\mathrm{rep}} = f_{\phi_k^*}(c) + \xi, \quad \xi \sim \mathcal{N}(0, \sigma^2 I),$$

with a per-replay budget, and only $\phi_k^*$ passing a fidelity threshold are admitted for replay.

4. Privacy Mechanisms and Theoretical Analysis

QGR fully eliminates the need to store raw $(x, y)$ pairs. For generator-freezing approaches, all that persists is a condensed generator parameterization summarizing class means, in compliance with data minimality criteria such as those encoded in the GDPR. In the cryptographic constructions, unitarity and PRS/PRU-based trapping guarantee that even exposure of all quantum computation transcripts except the encryption key conveys no usable information about the training data.

A tabular overview delineates these dual mechanisms:

Approach	Privacy Mechanism	Information Retained
Quantum cryptographic	IND-CPA via pseudorandom states	Only final model outputs
Generator-freezing	Retain frozen generator params	$\{\phi_k^*\}$, no $x,y$

Calibration of $\sigma$ in generator-based QGR can, in principle, yield standard $(\varepsilon,\delta)$-DP guarantees through analytic Gaussian noise. However, the dominant implementations to date opt for privacy by summary release rather than formal DP.

5. Practical Constraints and Resource Requirements

Current realizations of cryptographic QGR are infeasible on NISQ-scale devices. The implementation of trapdoor or pseudorandom unitaries, necessary for PRS generation, requires quantum fault tolerance and long circuit depth. For generator-freezing protocols (as in QCL-IDS), experimental settings are NISQ-accessible:

• Qubits: $q=6$ for generator and classifier.
• Generator circuit depth: $L=2$ layers.
• Generator training: 300 SPSA steps; 1024 measurement shots.
• Replay ratio: $\alpha=0.3$ (plain QGR); $\alpha=0.1$ (with Q-FISH).
• Replay noise: $\sigma=0.1$.
• No explicit hardware benchmarks exist for cryptographic QGR (Chatterjee et al., 2023), but QCL-IDS demonstrates simulated feasibility (Zhu et al., 29 Jan 2026).

6. Empirical Results and Continuous Learning Impact

The integration of QGR as sole rehearsal yields measurable but limited improvements in retention and plasticity. In QCL-IDS, QGR without additional state or gradient anchors delivers mean Attack-F1 = 0.791 and forgetting = 0.149 on UNSW-NB15 (lower than classical controls), while state- and gradient-anchored QGR achieves Attack-F1 of 0.934–0.941 with forgetting as low as 0.005, outperforming classical replay and sequential fine-tuning baselines. Results on CICIDS2017 with QGR only yield Attack-F1 = 0.862, forgetting = 0.076, while QGR plus gradient-anchored stability achieve Attack-F1 = 0.944, forgetting = 0.004 (Zhu et al., 29 Jan 2026). Ablation confirms that QGR alone does not eliminate catastrophic forgetting; however, as a privacy-bound rehearsal module paired with fidelity-based anchoring, it enhances forward transfer and overall continual performance.

7. Comparative Analysis with Classical Privacy Mechanisms

Unlike classical differential privacy, which induces accuracy–privacy trade-offs by stochastic noise injection and is susceptible to membership inference attacks at nonzero $\delta$, quantum cryptographic QGR offers security against all polynomial-time adversaries, with zero utility penalty for discriminative objectives due to ideal unitarity. Generator-freezing approaches achieve privacy by collapsing replay content to class-centric synthetic data, sidestepping raw sample exposure and aligning with summary-release regimes. These distinct properties position QGR as orthogonal and, in some scenarios, strictly stronger than classical DP in both theory and, prospectively, practice (Chatterjee et al., 2023).

---

References:

• "Quantum Solutions to the Privacy vs. Utility Tradeoff" (Chatterjee et al., 2023)
• "QCL-IDS: Quantum Continual Learning for Intrusion Detection with Fidelity-Anchored Stability and Generative Replay" (Zhu et al., 29 Jan 2026)