Privacy-Preserving QNN Training Scheme

Updated 18 September 2025

The paper outlines quantum-native, architectural, and cryptographic methods designed to protect sensitive training data in quantum neural network models.
It demonstrates that integrating quantum honesty tests, local differential privacy, and noise injection can effectively guard against adversarial attacks while preserving model utility.
Adaptive noise management and federated learning paradigms balance privacy-utility trade-offs, although scalability and computational overhead remain critical challenges.

A privacy-preserving Quantum Neural Network (QNN) training scheme aims to protect the confidentiality and integrity of sensitive training data, model parameters, and possibly even intermediate gradients or feature representations during quantum or hybrid quantum-classical model learning. The field encompasses a broad spectrum of strategies, spanning quantum-native cryptographic methodologies, adaption of classical privacy-preserving techniques to quantum architectures, and protocols specifically designed to defend against various attack surfaces within quantum ML workflows. This article reviews major classes of such schemes, their security properties, cryptographic and architectural foundations, technical performance, and ongoing research challenges.

1. Quantum Protocols for Data and Model Privacy

The earliest protocols for privacy-preserving QNN training adapt existing quantum information primitives to the ML domain via two principal strategies:

Quantum Privacy-Preserving Perceptron (Ying et al., 2017):

This scheme interleaves quantum "honesty tests" and classical randomization:

The data provider (Alice) does not expose real training data directly; instead, she prepares one of several quantum superposition states—including decoy (test) states—when queried for training data. The genuine and decoy states are constructed such that any attempt by the data user (Bob) to gain extraneous information about the input (e.g., via measurement or entanglement) collapses the state, resulting in a high probability of detection.
After classifier evaluation, private random noise (unknown to Bob) is injected into the training sample before performing the perceptron update. This approach preserves correctness while preventing Bob from reconstructing the original data from noisy updates.
Notably, no quantum database (QRAM) is required; classical training examples are encoded "on the fly" into quantum states. The protocol demonstrates that this cheat-sensitive quantum mechanism achieves better privacy than classical noise-injection and randomization alone.
The detection probability for adversarial behavior satisfies derivations such as $\mathrm{Pr}(\text{detection}) \geq \frac{1}{2}\cdot\frac{n_2-1}{nk}$ when privacy loss is measured as attribute reduction from $2^{n_1}$ to $2^{n_1-n_2}$ possibilities.

These core ideas can be extended, in principle, to general QNNs by performing quantum honesty tests at input layers and incorporating secret noise at each update, although doing so in deep, nonlinear networks is a formidable open challenge.

2. Architectures with Quantum or Classical Distributed Privacy

Several schemes pursue privacy by architectural partitioning and protocol-level mediation, rather than cryptographic obfuscation per se:

Federated and Hierarchical Learning Approaches:

Distributed layer-partitioned training architectures (Yu et al., 2019) process sensitive data locally through the first (convolutional) layer(s), producing task-relevant but irreversible metadata for cloud-based model training. The privacy guarantee is further strengthened by replacing conventional activation functions with step-wise (quantized, piecewise-constant) activations: $g^{\text{step}}(x) = g \left( \operatorname{sign}(x) \cdot \left\lfloor \frac{\min(|x|, v)}{v/n} \right\rfloor \cdot \frac{v}{n} \right)$ This quantization eliminates the invertibility property of standard nonlinearities (e.g., sigmoid, tanh), rendering inversion and input reconstruction intractable, even with model parameter knowledge.
PriPHiT (Privacy-Preserving Hierarchical Training) (Sepehri et al., 9 Aug 2024) utilizes adversarial early-exit modules at the edge to remove sensitive attributes via negative cross-entropy loss applied to an "adversary" branch. Simultaneously, Laplace noise is injected to guarantee $\epsilon$ -differential privacy at the feature level: $x_E = x_{E_2} + \operatorname{Lap}(0, 2T/\epsilon)$ This dual defense (feature obfuscation plus formal DP) yields robust empirical resistance to white-box and deep reconstruction attacks while maintaining utility.

These mechanisms target scenarios where privacy risks stem from infrastructure partitioning or adversarial servers, rather than from active cryptanalytic adversaries.

3. Cryptographic Methods: Homomorphic Encryption and Functional Encryption

Cryptography-centric schemes translate and extend classical multiparty and homomorphic techniques to (hybrid) quantum ML:

Lattice-based and Functional Encryption:

CryptoNN (Xu et al., 2019) employs functional encryption (FE), which supports fine-grained access to function evaluations over ciphertexts without revealing the input. Dot-products, additions, and multiplications are securely computed, enabling encrypted neural network training with plaintext-level accuracy (e.g., CryptoCNN achieves 93–95% on MNIST, matching LeNet-5) but with substantial cryptographic overhead (training time $>$ 10x plain training). Decryption outputs only the result of a permitted function; raw training data remains inaccessible throughout.
Homomorphic encryption (HE) architectures (CKKS and database encoding, (Mihara et al., 2020, Chiang, 2023)) encrypt not just individual gradients or updates, but entire matrix-vector operations, using diagonal packing and ciphertext rotations to avoid intermediate decryption: $P = \sum_{i=0}^{N-1} w_i \otimes \operatorname{rot}(x, -i)$
Private-key HE systems with randomized quantization (Yan et al., 2 Feb 2024) exploit lattice-based learning-with-errors (LWE) security, combining quantization with dither to ensure error cancellation upon ciphertext aggregation.

Quantum HE itself remains a nascent research area, but the above schemes are readily adaptable to hybrid quantum–classical settings, where most privacy-critical computations are handled classically.

4. Privacy in Federated and Collaborative Quantum Learning

Federated QNN training protocols protect data via local training plus secure parameter aggregation:

Quantum Federated Learning (QFL) and Quantum Homomorphic Aggregation

CryptoQFL (Chu et al., 2023): Each client trains a local QNN on private data, and encrypts its gradient updates using a hybrid of Quantum One-Time Pad (QOTP) and classical homomorphic encryption (CHE), summarized as:

$|\phi_g\rangle_e = Z^{z}X^{x}|\phi_g\rangle$

The QOTP keys are managed and updated homomorphically; the aggregation server homomorphically adds encrypted ternary gradients (only nonzero values), using a custom quantum adder designed for efficiency. The aggregation preserves fidelity and privacy, meeting practical scale and latency constraints.

Next-Generation QNNs (Innan et al., 28 Jul 2025): Emphasizes FHE-encrypted parameter updates in QFL. Only encrypted model updates $\{E(\Delta w_i)\}$ are uploaded, aggregated, and decrypted, guaranteeing that raw data and unencrypted intermediate gradients never leave the data owner’s device. Quantum encoding further fortifies this privacy boundary.

Differential privacy (DP) layered atop federated protocols ensures resistance to membership inference and gradient attacks. In particular, protocols calibrate Gaussian or Laplace noise injection per communication round to bound privacy leakage ( $(\epsilon, \delta)$ -DP), with noise $\sigma^2$ set as:

$\sigma^2 = \frac{8T(2L+b)^2 \log(1/\delta)}{K^2\epsilon^2}$

as established in (Phan et al., 4 Sep 2025).

5. Mixed-State and Aggregate Representation for Privacy

A recent innovation exploits quantum mixed-state encoding as a privacy mechanism:

Mixed-State Aggregation (Wang et al., 15 Sep 2025):

Rather than transmitting pure-state encodings of each data instance, each party batches their dataset, encodes each input as a quantum pure state $\rho_u$ , and forms a density matrix (mixed state):

$\rho_\text{glob} = \frac{1}{N} \sum_{u} \rho_u$

This aggregate representation is inherently non-invertible: numerous input combinations yield the same density matrix, quantified via high conditional entropy $H(b|\rho_\text{glob}) \propto \ln|B|$ . Hence, any attempt to recover individual inputs from $\rho_\text{glob}$ is information-theoretically obstructed.
Empirically, this protocol demonstrates $(\epsilon, \delta)$ -differential privacy in membership inference tasks, with $\epsilon\to0$ as batch size increases. The approach yields single-shot communication per batch and can be generalized for arbitrary tasks without further participant interaction.

6. Adaptive Noise, Gradient Management, and Robustness Enhancements

Federated QNN training introduces unique noise and convergence challenges:

Adaptive Differential Privacy for QFL (Phan et al., 4 Sep 2025): The gradient variance problem (barren plateaus in QNN optimization) is mitigated via stagewise decay of DP noise:

$\sigma_t^2 = \sigma_0^2 \frac{1}{1 + \alpha t}$

High initial noise prevents privacy leakage when gradients are large; later reduction aids convergence as gradients diminish. Model estimation is used to sparsify transmitted updates, reducing communication and filtering device noise.

Adversarial robustness is systematically integrated via adversarial pre-testing and quantum-resilient circuit design (Innan et al., 28 Jul 2025), increasing resilience against FGSM and PGD attacks by up to 60% in low-perturbation regimes.

7. Limitations, Trade-offs, and Future Directions

Privacy-preserving QNN training schemes face significant practical and theoretical obstacles:

Deep QNNs challenge the extension of quantum honesty tests due to error/noise propagation and the complexity of nonlinear activations compatible with quantum operations (Ying et al., 2017).
Cryptographic approaches (HE, FE, MPC) incur heavy computational or communication overhead, with HE-based training often 10–15 $\times$ slower than plaintext baselines (Mihara et al., 2020, Xu et al., 2019).
Privacy/utility trade-offs are evident: increased noise or quantization for DP or obfuscation may degrade model accuracy (Phan et al., 4 Sep 2025, Yu et al., 2019).
The design of efficient, quantum-compatible primitives (hashing, quantization, DP noise) for complex-valued quantum amplitudes and entanglement remains underexplored (Colombo et al., 26 Jun 2024).
Key management (e.g., of rotation phases in quaternion or phase-encoded schemes), and the threat model (e.g., semi-honest vs. malicious adversaries) are critical considerations for deployment (Zhang et al., 2020, Liu et al., 2020).

Continued research aims to close the utility–privacy gap, develop quantum-specific privacy notions (e.g., quantum differential privacy), and create scalable, hardware-adaptable protocols that harmonize quantum ML’s unique data, noise, and adversarial landscape with rigorous privacy guarantees.