Papers
Topics
Authors
Recent
Search
2000 character limit reached

Q-LEAK: Diverse Quantum Leakage Analysis

Updated 5 July 2026
  • Q-LEAK is a polysemous term defining controlled and adversarial leakage across quantum foundations, hardware, cryptography, and detector physics.
  • The framework outlines formal leakage constructs in process theories, distinguishing minimally leaking quantum systems from maximally leaking classical systems.
  • In practice, Q-LEAK supports quantum-assisted side-channel verification, error modeling in quantum hardware, and black-box extraction of cloud-based quantum neural networks.

Q-LEAK is not a single standardized term. In the research literature it appears across several distinct domains: as a process-theoretic notion of “leaks” in categorical quantum foundations; as a label for leakage characterization, detection, and mitigation in quantum hardware; as a quantum-assisted framework for verifying side-channel leakage countermeasures; as a model-extraction attack against cloud-hosted quantum neural networks; and, separately, as the name of a Leak Microstructure detector architecture (Selby et al., 2017, Maouaki et al., 25 May 2026, Fu et al., 2024, Lombardi et al., 2020). This suggests a polysemous usage in which the common thread is controlled or adversarial disclosure, but the technical objects, threat models, and performance criteria differ substantially.

1. Disambiguation of the term

Usage Core object Representative paper
Process theory Leak LA:AALL_A:A\to A\otimes L with right-counitality (Selby et al., 2017)
Side-channel verification CNF-encoded leakage predicate searched by Grover/BBHT (Maouaki et al., 25 May 2026)
Quantum ML security Extraction of a black-box QNN from NISQ outputs (Fu et al., 2024)
Quantum hardware leakage Population leaving the computational subspace (Wood et al., 2017, Varbanov et al., 2020)
Detector physics Leak Microstructure gaseous detector (Lombardi et al., 2020)

The most exact title match is "Q-LEAK: Quantum-Based LEAKage Verification for Side-Channel Countermeasures" (Maouaki et al., 25 May 2026). However, the broader literature associates the label with at least four other technical strands. For researchers, disambiguation is therefore essential: in one context Q-LEAK is a Grover-based SAT workflow, in another it refers to subspace leakage in transmons, and in another it denotes a cloud attack on variational quantum circuits.

2. Process-theoretic leaks and the quantum–classical boundary

In general process theories, a leak on system AA is a causal process LA:AALL_A:A\to A\otimes L satisfying right-counitality,

$(\id_A\otimes\discard_L)\circ L_A=\id_A.$

Leaks are causal and are closed under sequential and parallel composition (Selby et al., 2017). This definition is structural rather than operational: it does not presuppose Hilbert spaces, only a symmetric monoidal category with discarding maps.

Within finite-dimensional quantum theory, any leak L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K}) must be a constant leak of the form

$L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$

The counitality condition therefore forces separation, and quantum theory admits only trivial leakage; in the terminology of the paper, it is minimally leaking. The leak-quality construction likewise yields qual(L)=0\mathsf{qual}(L)=0 for all quantum leaks (Selby et al., 2017).

Classical theory is the opposite extreme. It admits a nontrivial leak given by broadcasting,

copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),

satisfying both right- and left-counitality. Every classical leak on an nn-state system factors as

L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),

that is, as a stochastic map followed by copying (Selby et al., 2017). In this sense classical theory is maximally leaking.

A central construction adjoins leaks to a theory. Using the decoherence idempotent

AA0

and restricting to maps AA1 satisfying AA2, one recovers exactly the stochastic maps. In the adjoined theory the pre-leaks AA3 become genuine leaks. The same construction, with different idempotents, yields all finite-dimensional AA4-algebras, i.e. quantum systems with classical superselection (Selby et al., 2017).

The same paper argues that purity cannot be defined in leaking theories by the naive criterion “no nontrivial dilation.” In any theory with a non-constant leak, that criterion trivializes the identity. The refined definition requires that every dilation factor through the built-in leak of the system. Under this definition, quantum purity reduces to Kraus-rank-1 CPTP maps; classical purity reduces to deterministic processes AA5, with pure stochastic matrices exactly the AA6–AA7 permutation-sub-matrices; and in classical–quantum composites every pure map splits into a classical read-out followed by a family of pure quantum maps, and vice versa (Selby et al., 2017).

3. Leakage as a quantum-hardware error model

In quantum control and fault tolerance, leakage denotes population transfer from a computational subspace AA8 into its complement AA9. A general framework introduces the average leakage rate

LA:AALL_A:A\to A\otimes L0

and seepage rate

LA:AALL_A:A\to A\otimes L1

for a CPTP map LA:AALL_A:A\to A\otimes L2, together with a restricted average gate fidelity LA:AALL_A:A\to A\otimes L3 on the computational subspace (Wood et al., 2017). Leakage-randomized benchmarking estimates LA:AALL_A:A\to A\otimes L4, LA:AALL_A:A\to A\otimes L5, and LA:AALL_A:A\to A\otimes L6 simultaneously via

LA:AALL_A:A\to A\otimes L7

with LA:AALL_A:A\to A\otimes L8, LA:AALL_A:A\to A\otimes L9, and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$0 (Wood et al., 2017).

A related randomized-benchmarking protocol separates incoherent from coherent leakage by using unitary $(\id_A\otimes\discard_L)\circ L_A=\id_A.$1-designs. The incoherent protocol yields a single exponential $(\id_A\otimes\discard_L)\circ L_A=\id_A.$2, while the coherent protocol yields a bi-exponential governed by eigenvalues $(\id_A\otimes\discard_L)\circ L_A=\id_A.$3, from which $(\id_A\otimes\discard_L)\circ L_A=\id_A.$4 and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$5 are recovered (Wallman et al., 2014). This establishes leakage as a distinct control metric rather than a mere fidelity defect.

For transmon-based QEC, leakage has been analyzed at the qutrit level in Surface-17 using two-state HMMs with states $(\id_A\otimes\discard_L)\circ L_A=\id_A.$6 and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$7. Leakage is sharply projected by stabilizer measurements, and neighboring defect probabilities rise toward $(\id_A\otimes\discard_L)\circ L_A=\id_A.$8 when a data qubit leaks. HMM tracking of data-qubit leakage achieves average optimality AUC $(\id_A\otimes\discard_L)\circ L_A=\id_A.$9; with analog ancilla readout, bulk ancilla AUC reaches L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})0 and boundary ancilla L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})1. Post-selecting out leakage discards about L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})2 of the data and restores the logical error rate below the memory break-even point, with L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})3 per cycle, compared with L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})4 and L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})5 (Varbanov et al., 2020).

Adaptive suppression frameworks move from measurement to intervention. ERASER speculates leaked qubits from failed parity-check patterns and schedules LRCs only on flagged qubits; ERASER and ERASER+M improve the logical error rate by up to L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})6 and L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})7, respectively, compared to always using LRC (Vittal et al., 2023). GLADIATOR generalizes this idea with a code-aware error-propagation graph, classifying syndrome patterns as leakage-dominated when L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})8 with L:B(H)B(H)B(K)L:\mathcal{B}(\mathcal{H})\to\mathcal{B}(\mathcal{H})\otimes\mathcal{B}(\mathcal{K})9. It eliminates up to $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$0 unnecessary LRCs, delivers $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$1–$L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$2 speedups, and reduces logical error rate by $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$3 (Mude et al., 29 Oct 2025).

4. Q-LEAK as quantum-assisted side-channel verification

In the exact-title usage, Q-LEAK is a framework for formal verification of one-bit leakage under two-trace conditions in time-unrolled cryptographic circuits (Maouaki et al., 25 May 2026). The model considers two executions $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$4 and $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$5 under keys $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$6 and $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$7, common plaintext $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$8, and one-bit state trajectories $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$9, qual(L)=0\mathsf{qual}(L)=00. Leakage bits are identified with state bits, qual(L)=0\mathsf{qual}(L)=01 and qual(L)=0\mathsf{qual}(L)=02. In “notequal” mode the leakage predicate is

qual(L)=0\mathsf{qual}(L)=03

while “equal” mode uses

qual(L)=0\mathsf{qual}(L)=04

Transition clauses, leakage clauses, the selected predicate, and optionally qual(L)=0\mathsf{qual}(L)=05 are conjoined into a CNF formula qual(L)=0\mathsf{qual}(L)=06, satisfiable iff a violating key-pair and state evolution exist (Maouaki et al., 25 May 2026).

Q-LEAK then compiles the CNF into a quantum phase oracle

qual(L)=0\mathsf{qual}(L)=07

The BuildOracle procedure allocates clause ancillas qual(L)=0\mathsf{qual}(L)=08 and a flag qubit qual(L)=0\mathsf{qual}(L)=09, computes clause violations, derives copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),0 as the no-violation indicator, applies a controlled copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),1, and uncomputes all ancillas. Each call costs copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),2 multi-controlled gates and uses copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),3 qubits (Maouaki et al., 25 May 2026).

Search is performed by Grover iteration copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),4, with the usual rotation angle determined by copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),5, where copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),6 is the number of satisfying assignments and copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),7. Because copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),8 is unknown, the implementation uses Boyer-Brassard-Høyer-Tapp: initialize copy:XXX:  x(x,x),\mathsf{copy}:X\to X\otimes X:\;x\mapsto (x,x),9, grow by a factor nn0 such as nn1, sample a random number of Grover steps nn2, measure, classically verify nn3, and repeat until success or nn4. The expected oracle complexity is nn5; since each oracle costs nn6 and the diffuser costs nn7, the total gate-call complexity is nn8 (Maouaki et al., 25 May 2026).

Benchmarks were assembled for nn9, L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),0, L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),1, and exactly L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),2 satisfying assignments in SAT cases. In noiseless simulation, Q-LEAK consistently recovered a satisfying assignment within L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),3–L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),4 tries. Case 1 used L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),5, L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),6, L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),7, and “notequal” leakage with keys unconstrained; it required L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),8 qubits, had depth L(x)=yp(yx)(x,y),L(x)=\sum_y p(y|x)\,(x,y),9 per Grover iteration, average BBHT tries AA00, and measured peak probabilities AA01 on the two true solutions against background AA02. Case 2 used AA03, AA04, AA05, “equal” leakage, AA06 qubits, depth AA07, average tries AA08, and true-solution peaks AA09–AA10. Case 3 used AA11, AA12, AA13, “notequal” plus AA14, AA15 qubits, depth AA16, average tries AA17, and true-solution peaks AA18. The UNSAT control produced a uniform histogram, with a AA19-goodness-of-fit consistent with uniformity and Hoeffding-based AA20 certification that no bin exceeded AA21 (Maouaki et al., 25 May 2026).

Real-hardware experiments on the AA22-qubit ibm_marrakesh device preserved the qualitative signal. For Case 1, one true solution AA23 emerged as the highest-probability peak at about AA24–AA25, while spurious bitstrings reached about AA26–AA27 against background noise levels of about AA28–AA29. For Case 2, the true solution AA30 again appeared highest at about AA31, with a few false positives at AA32–AA33 and uniform background raised to about AA34–AA35. Each experiment returned at least one classically valid SAT assignment among its top peaks (Maouaki et al., 25 May 2026).

5. QuantumLeak and extraction of cloud-based quantum neural networks

A separate use of leakage terminology appears in quantum machine learning. QuantumLeak targets black-box victim QNNs AA36 hosted on cloud-based NISQ machines, assuming only query access to classical inputs AA37 and the return of raw probability vectors AA38, with no knowledge of the victim’s ansatz, dataset, hyperparameters, or device-specific error rates (Fu et al., 2024).

The attack has three phases: query and data bagging, ensemble substitute initialization and training, and decision fusion. A candidate set AA39 is built from public data; each input is queried over AA40 spread-out rounds and averaged as

AA41

forming a noisy dataset AA42. The dataset is bootstrapped into AA43 bags; for each bag, an attacker selects an ansatz from a zoo AA44, initializes AA45, trains a substitute AA46, and fuses the trained models by majority vote on raw-probability or class votes (Fu et al., 2024).

Training minimizes either NLL or coordinate-wise Huber loss,

AA47

with gradients estimated by the parameter-shift rule and parameters updated by Adam or SGD. The design explicitly addresses SPAM error, gate depolarization with AA48, AA49, and AA50, as well as crosstalk and coherent miscalibrations (Fu et al., 2024).

Experiments used IBM_Auckland, four-qubit victim VQCs with amplitude encoding and two parameterized layers, and MNIST/Fashion-MNIST tasks preprocessed to AA51 vectors. Against CloudLeak, QuantumLeak’s ensemble with Huber loss improved substitute accuracy by AA52 on MNIST AA53, AA54 on MNIST AA55, AA56 on Fashion-MNIST t-shirt/trouser, and AA57 on Fashion-MNIST pullover/dress. Each result was averaged over AA58 independent runs, with standard deviation AA59 and AA60 confidence interval AA61 (Fu et al., 2024). The attack is limited by high-dimensional inputs, many-qubit models, ansatz mismatch, and detectable query budgets; proposed defenses include watermarking, quantum PUFs, dummy gates and circuit obfuscation, and access throttling with anomaly detection (Fu et al., 2024).

6. Adjacent leakage frameworks and other uses of the label

In classical security analysis, adjacent work studies leakage quantitatively rather than using the exact title string. CHALICE models cache attacks by symbolic execution and computes how many secrets remain consistent with observed hit/miss behavior; for AES-128 on Linux it finds that a cache attack can leak as much as AA62 out of AA63 bits of the encryption key (Chattopadhyay et al., 2016). A bounded-model-checking framework for quantitative leak vulnerabilities reduces a policy of “at most AA64 distinctions” to CBMC queries over generated drivers and was applied to Linux-kernel CVEs, SRP, and IMSPD, including proofs that official patches eliminate the leaks (Heusser et al., 2010). Source-level reasoning for QIF uses gain-functions and hyper-distributions to express leakage properties directly in a small imperative language, while a later dynamic-leakage measure AA65 decouples the adversary’s belief AA66 from a baseline distribution AA67 and proves non-interference together with single-step monotonicity and single-step data-processing inequalities (Chen et al., 2024, Soares et al., 23 Oct 2025). For RTL hardware, QTFlow extends Bayes-vulnerability analysis to sequential circuits by extracting the FSM, pruning infeasible paths, and detecting timing channels; on the reported benchmarks it diminishes all false positives arising from time-agnostic analysis and identifies AA68 timing channels in each Trojan-infested RSA design (Reimann et al., 2024).

In quantum cryptography and communication, “leaky source” work generalizes the notion of leakage to side information emitted by modulators. Decoy-state QKD with arbitrary IM and PM leakage introduces trace-distance constraints AA69 between leaked states and shows key rates similar to those obtained in a perfectly shielded environment in practical cases, especially with optical isolation and active phase randomization (Tamaki et al., 2018). The MDI-QKD analogue develops a fully composable finite-key proof for three-intensity and four-intensity protocols with source leakage, combining trace-distance decoy bounds, Azuma’s inequality, Serfling’s inequality, and a quantum-coin phase-error analysis (Wang et al., 2020). A different measure, gentle quantum leakage,

AA70

optimizes over weakly gentle POVMs, satisfies positivity and unitary invariance, decreases under global depolarizing noise, and in the BB84 example yields the lower bound AA71 bits (Farokhi et al., 2024).

Finally, Q-LEAK is also the name of a compact gaseous imaging detector based on a matrix of Leak Microstructures. The detector uses a AA72 LM matrix on a AA73 board with AA74 pitch, achieves gains AA75 for AA76 X-rays at AA77 bar isobutane and AA78 for single electrons in propane at AA79–AA80, shows spatial linearity with deviation AA81 over AA82, attains overall resolution AA83 FWHM without software correction, reaches AA84 relative efficiency for AA85-particle detection compared with a silicon detector, and yields single-electron multiplication efficiency up to AA86 (Lombardi et al., 2020).

Across these literatures, the unifying theme is not a single formalism but a family of leakage-centric problems: structural leakage in process theories, subspace leakage in quantum hardware, information leakage in cryptographic verification and QIF, side-channel leakage in real devices and implementations, and even signal leakage in instrumentation. This suggests that “Q-LEAK” functions best as a context-dependent research label rather than as a uniquely defined term.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Q-LEAK.