Q-LEAK: Diverse Quantum Leakage Analysis
- Q-LEAK is a polysemous term defining controlled and adversarial leakage across quantum foundations, hardware, cryptography, and detector physics.
- The framework outlines formal leakage constructs in process theories, distinguishing minimally leaking quantum systems from maximally leaking classical systems.
- In practice, Q-LEAK supports quantum-assisted side-channel verification, error modeling in quantum hardware, and black-box extraction of cloud-based quantum neural networks.
Q-LEAK is not a single standardized term. In the research literature it appears across several distinct domains: as a process-theoretic notion of “leaks” in categorical quantum foundations; as a label for leakage characterization, detection, and mitigation in quantum hardware; as a quantum-assisted framework for verifying side-channel leakage countermeasures; as a model-extraction attack against cloud-hosted quantum neural networks; and, separately, as the name of a Leak Microstructure detector architecture (Selby et al., 2017, Maouaki et al., 25 May 2026, Fu et al., 2024, Lombardi et al., 2020). This suggests a polysemous usage in which the common thread is controlled or adversarial disclosure, but the technical objects, threat models, and performance criteria differ substantially.
1. Disambiguation of the term
| Usage | Core object | Representative paper |
|---|---|---|
| Process theory | Leak with right-counitality | (Selby et al., 2017) |
| Side-channel verification | CNF-encoded leakage predicate searched by Grover/BBHT | (Maouaki et al., 25 May 2026) |
| Quantum ML security | Extraction of a black-box QNN from NISQ outputs | (Fu et al., 2024) |
| Quantum hardware leakage | Population leaving the computational subspace | (Wood et al., 2017, Varbanov et al., 2020) |
| Detector physics | Leak Microstructure gaseous detector | (Lombardi et al., 2020) |
The most exact title match is "Q-LEAK: Quantum-Based LEAKage Verification for Side-Channel Countermeasures" (Maouaki et al., 25 May 2026). However, the broader literature associates the label with at least four other technical strands. For researchers, disambiguation is therefore essential: in one context Q-LEAK is a Grover-based SAT workflow, in another it refers to subspace leakage in transmons, and in another it denotes a cloud attack on variational quantum circuits.
2. Process-theoretic leaks and the quantum–classical boundary
In general process theories, a leak on system is a causal process satisfying right-counitality,
$(\id_A\otimes\discard_L)\circ L_A=\id_A.$
Leaks are causal and are closed under sequential and parallel composition (Selby et al., 2017). This definition is structural rather than operational: it does not presuppose Hilbert spaces, only a symmetric monoidal category with discarding maps.
Within finite-dimensional quantum theory, any leak must be a constant leak of the form
$L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$
The counitality condition therefore forces separation, and quantum theory admits only trivial leakage; in the terminology of the paper, it is minimally leaking. The leak-quality construction likewise yields for all quantum leaks (Selby et al., 2017).
Classical theory is the opposite extreme. It admits a nontrivial leak given by broadcasting,
satisfying both right- and left-counitality. Every classical leak on an -state system factors as
that is, as a stochastic map followed by copying (Selby et al., 2017). In this sense classical theory is maximally leaking.
A central construction adjoins leaks to a theory. Using the decoherence idempotent
0
and restricting to maps 1 satisfying 2, one recovers exactly the stochastic maps. In the adjoined theory the pre-leaks 3 become genuine leaks. The same construction, with different idempotents, yields all finite-dimensional 4-algebras, i.e. quantum systems with classical superselection (Selby et al., 2017).
The same paper argues that purity cannot be defined in leaking theories by the naive criterion “no nontrivial dilation.” In any theory with a non-constant leak, that criterion trivializes the identity. The refined definition requires that every dilation factor through the built-in leak of the system. Under this definition, quantum purity reduces to Kraus-rank-1 CPTP maps; classical purity reduces to deterministic processes 5, with pure stochastic matrices exactly the 6–7 permutation-sub-matrices; and in classical–quantum composites every pure map splits into a classical read-out followed by a family of pure quantum maps, and vice versa (Selby et al., 2017).
3. Leakage as a quantum-hardware error model
In quantum control and fault tolerance, leakage denotes population transfer from a computational subspace 8 into its complement 9. A general framework introduces the average leakage rate
0
and seepage rate
1
for a CPTP map 2, together with a restricted average gate fidelity 3 on the computational subspace (Wood et al., 2017). Leakage-randomized benchmarking estimates 4, 5, and 6 simultaneously via
7
with 8, 9, and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$0 (Wood et al., 2017).
A related randomized-benchmarking protocol separates incoherent from coherent leakage by using unitary $(\id_A\otimes\discard_L)\circ L_A=\id_A.$1-designs. The incoherent protocol yields a single exponential $(\id_A\otimes\discard_L)\circ L_A=\id_A.$2, while the coherent protocol yields a bi-exponential governed by eigenvalues $(\id_A\otimes\discard_L)\circ L_A=\id_A.$3, from which $(\id_A\otimes\discard_L)\circ L_A=\id_A.$4 and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$5 are recovered (Wallman et al., 2014). This establishes leakage as a distinct control metric rather than a mere fidelity defect.
For transmon-based QEC, leakage has been analyzed at the qutrit level in Surface-17 using two-state HMMs with states $(\id_A\otimes\discard_L)\circ L_A=\id_A.$6 and $(\id_A\otimes\discard_L)\circ L_A=\id_A.$7. Leakage is sharply projected by stabilizer measurements, and neighboring defect probabilities rise toward $(\id_A\otimes\discard_L)\circ L_A=\id_A.$8 when a data qubit leaks. HMM tracking of data-qubit leakage achieves average optimality AUC $(\id_A\otimes\discard_L)\circ L_A=\id_A.$9; with analog ancilla readout, bulk ancilla AUC reaches 0 and boundary ancilla 1. Post-selecting out leakage discards about 2 of the data and restores the logical error rate below the memory break-even point, with 3 per cycle, compared with 4 and 5 (Varbanov et al., 2020).
Adaptive suppression frameworks move from measurement to intervention. ERASER speculates leaked qubits from failed parity-check patterns and schedules LRCs only on flagged qubits; ERASER and ERASER+M improve the logical error rate by up to 6 and 7, respectively, compared to always using LRC (Vittal et al., 2023). GLADIATOR generalizes this idea with a code-aware error-propagation graph, classifying syndrome patterns as leakage-dominated when 8 with 9. It eliminates up to $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$0 unnecessary LRCs, delivers $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$1–$L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$2 speedups, and reduces logical error rate by $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$3 (Mude et al., 29 Oct 2025).
4. Q-LEAK as quantum-assisted side-channel verification
In the exact-title usage, Q-LEAK is a framework for formal verification of one-bit leakage under two-trace conditions in time-unrolled cryptographic circuits (Maouaki et al., 25 May 2026). The model considers two executions $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$4 and $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$5 under keys $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$6 and $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$7, common plaintext $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$8, and one-bit state trajectories $L(\rho)=\rho\otimes \sigma,\qquad \Tr(\sigma)=1.$9, 0. Leakage bits are identified with state bits, 1 and 2. In “notequal” mode the leakage predicate is
3
while “equal” mode uses
4
Transition clauses, leakage clauses, the selected predicate, and optionally 5 are conjoined into a CNF formula 6, satisfiable iff a violating key-pair and state evolution exist (Maouaki et al., 25 May 2026).
Q-LEAK then compiles the CNF into a quantum phase oracle
7
The BuildOracle procedure allocates clause ancillas 8 and a flag qubit 9, computes clause violations, derives 0 as the no-violation indicator, applies a controlled 1, and uncomputes all ancillas. Each call costs 2 multi-controlled gates and uses 3 qubits (Maouaki et al., 25 May 2026).
Search is performed by Grover iteration 4, with the usual rotation angle determined by 5, where 6 is the number of satisfying assignments and 7. Because 8 is unknown, the implementation uses Boyer-Brassard-Høyer-Tapp: initialize 9, grow by a factor 0 such as 1, sample a random number of Grover steps 2, measure, classically verify 3, and repeat until success or 4. The expected oracle complexity is 5; since each oracle costs 6 and the diffuser costs 7, the total gate-call complexity is 8 (Maouaki et al., 25 May 2026).
Benchmarks were assembled for 9, 0, 1, and exactly 2 satisfying assignments in SAT cases. In noiseless simulation, Q-LEAK consistently recovered a satisfying assignment within 3–4 tries. Case 1 used 5, 6, 7, and “notequal” leakage with keys unconstrained; it required 8 qubits, had depth 9 per Grover iteration, average BBHT tries 00, and measured peak probabilities 01 on the two true solutions against background 02. Case 2 used 03, 04, 05, “equal” leakage, 06 qubits, depth 07, average tries 08, and true-solution peaks 09–10. Case 3 used 11, 12, 13, “notequal” plus 14, 15 qubits, depth 16, average tries 17, and true-solution peaks 18. The UNSAT control produced a uniform histogram, with a 19-goodness-of-fit consistent with uniformity and Hoeffding-based 20 certification that no bin exceeded 21 (Maouaki et al., 25 May 2026).
Real-hardware experiments on the 22-qubit ibm_marrakesh device preserved the qualitative signal. For Case 1, one true solution 23 emerged as the highest-probability peak at about 24–25, while spurious bitstrings reached about 26–27 against background noise levels of about 28–29. For Case 2, the true solution 30 again appeared highest at about 31, with a few false positives at 32–33 and uniform background raised to about 34–35. Each experiment returned at least one classically valid SAT assignment among its top peaks (Maouaki et al., 25 May 2026).
5. QuantumLeak and extraction of cloud-based quantum neural networks
A separate use of leakage terminology appears in quantum machine learning. QuantumLeak targets black-box victim QNNs 36 hosted on cloud-based NISQ machines, assuming only query access to classical inputs 37 and the return of raw probability vectors 38, with no knowledge of the victim’s ansatz, dataset, hyperparameters, or device-specific error rates (Fu et al., 2024).
The attack has three phases: query and data bagging, ensemble substitute initialization and training, and decision fusion. A candidate set 39 is built from public data; each input is queried over 40 spread-out rounds and averaged as
41
forming a noisy dataset 42. The dataset is bootstrapped into 43 bags; for each bag, an attacker selects an ansatz from a zoo 44, initializes 45, trains a substitute 46, and fuses the trained models by majority vote on raw-probability or class votes (Fu et al., 2024).
Training minimizes either NLL or coordinate-wise Huber loss,
47
with gradients estimated by the parameter-shift rule and parameters updated by Adam or SGD. The design explicitly addresses SPAM error, gate depolarization with 48, 49, and 50, as well as crosstalk and coherent miscalibrations (Fu et al., 2024).
Experiments used IBM_Auckland, four-qubit victim VQCs with amplitude encoding and two parameterized layers, and MNIST/Fashion-MNIST tasks preprocessed to 51 vectors. Against CloudLeak, QuantumLeak’s ensemble with Huber loss improved substitute accuracy by 52 on MNIST 53, 54 on MNIST 55, 56 on Fashion-MNIST t-shirt/trouser, and 57 on Fashion-MNIST pullover/dress. Each result was averaged over 58 independent runs, with standard deviation 59 and 60 confidence interval 61 (Fu et al., 2024). The attack is limited by high-dimensional inputs, many-qubit models, ansatz mismatch, and detectable query budgets; proposed defenses include watermarking, quantum PUFs, dummy gates and circuit obfuscation, and access throttling with anomaly detection (Fu et al., 2024).
6. Adjacent leakage frameworks and other uses of the label
In classical security analysis, adjacent work studies leakage quantitatively rather than using the exact title string. CHALICE models cache attacks by symbolic execution and computes how many secrets remain consistent with observed hit/miss behavior; for AES-128 on Linux it finds that a cache attack can leak as much as 62 out of 63 bits of the encryption key (Chattopadhyay et al., 2016). A bounded-model-checking framework for quantitative leak vulnerabilities reduces a policy of “at most 64 distinctions” to CBMC queries over generated drivers and was applied to Linux-kernel CVEs, SRP, and IMSPD, including proofs that official patches eliminate the leaks (Heusser et al., 2010). Source-level reasoning for QIF uses gain-functions and hyper-distributions to express leakage properties directly in a small imperative language, while a later dynamic-leakage measure 65 decouples the adversary’s belief 66 from a baseline distribution 67 and proves non-interference together with single-step monotonicity and single-step data-processing inequalities (Chen et al., 2024, Soares et al., 23 Oct 2025). For RTL hardware, QTFlow extends Bayes-vulnerability analysis to sequential circuits by extracting the FSM, pruning infeasible paths, and detecting timing channels; on the reported benchmarks it diminishes all false positives arising from time-agnostic analysis and identifies 68 timing channels in each Trojan-infested RSA design (Reimann et al., 2024).
In quantum cryptography and communication, “leaky source” work generalizes the notion of leakage to side information emitted by modulators. Decoy-state QKD with arbitrary IM and PM leakage introduces trace-distance constraints 69 between leaked states and shows key rates similar to those obtained in a perfectly shielded environment in practical cases, especially with optical isolation and active phase randomization (Tamaki et al., 2018). The MDI-QKD analogue develops a fully composable finite-key proof for three-intensity and four-intensity protocols with source leakage, combining trace-distance decoy bounds, Azuma’s inequality, Serfling’s inequality, and a quantum-coin phase-error analysis (Wang et al., 2020). A different measure, gentle quantum leakage,
70
optimizes over weakly gentle POVMs, satisfies positivity and unitary invariance, decreases under global depolarizing noise, and in the BB84 example yields the lower bound 71 bits (Farokhi et al., 2024).
Finally, Q-LEAK is also the name of a compact gaseous imaging detector based on a matrix of Leak Microstructures. The detector uses a 72 LM matrix on a 73 board with 74 pitch, achieves gains 75 for 76 X-rays at 77 bar isobutane and 78 for single electrons in propane at 79–80, shows spatial linearity with deviation 81 over 82, attains overall resolution 83 FWHM without software correction, reaches 84 relative efficiency for 85-particle detection compared with a silicon detector, and yields single-electron multiplication efficiency up to 86 (Lombardi et al., 2020).
Across these literatures, the unifying theme is not a single formalism but a family of leakage-centric problems: structural leakage in process theories, subspace leakage in quantum hardware, information leakage in cryptographic verification and QIF, side-channel leakage in real devices and implementations, and even signal leakage in instrumentation. This suggests that “Q-LEAK” functions best as a context-dependent research label rather than as a uniquely defined term.