In an article submitted to the arXiv server, researchers introduced a quantum-secure linear algebra engine for multiparty computation using conventional telecommunication components. They applied it to deep learning (DL), demonstrating less than 0.1 bits of weight and 0.01 bits of data leakage while achieving over 96% accuracy on the Modified National Institute of Standards and Technology (MNIST) classification task. Using the Holevo and Cramér-Rao bounds, they derived upper limits on information leakage, which were significantly lower than current quantization techniques. This work laid the groundwork for secure cloud-based DL.
Background
Previous work in secure computation focused on homomorphic encryption, enabling computations on encrypted data while preserving input and output privacy. Though adapted for secure machine learning, these methods faced limitations due to high computational overhead and emerging security vulnerabilities.
Additionally, they relied on computational complexity rather than offering information-theoretic security. Recent advancements demonstrated optical deep neural networks (DNNs) using integrated photonics, free-space optics, and fiber optics, with a delocalized optical DNN introduced to shield client data while still revealing weights to the client.
Weight and Data Leakage
The weight leakage is bounded using the Holevo theorem. The analysis considers the actions of a dishonest client, and the bound is confirmed through the entangling cloner attack. To minimize leakage after multiple queries, the server sends DNN model invariants under affine transformations.
For data leakage, the Cramér-Rao inequality calculates a lower bound on the server's ability to estimate the client's data. Leakage depends on the gain in the client's amplification step, with zero leakage at a gain of one. The bound increases with gain but is limited by the Cramér-Rao inequality for both classical and quantum cases.
Optical Neural Security
The server comprises two modules: a transmitter and a receiver. The transmitter in-phase/quadrature (I/Q) modulates neural network weights onto weak coherent states produced by attenuating a continuous-wave laser to the few-photon limit. The receiver measures the modulated quadratures of the incoming verification state using homodyne detection with a reference local oscillator.
The optical power difference between the two output arms corresponds to the I or Q quadrature of the verification state, depending on the local oscillator's phase. Multiple optical implementations of the unitaries are proposed, utilizing either time domain encoding with optical loops or spatial domain encoding with a mesh of interferometers.
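The receiver described above can be simulated numerically. This added example (not code from the paper or from the original article) mixes a weak coherent state with a local oscillator on a 50/50 beamsplitter, reads I or Q from the photon-count difference between the two arms, and compares the single-shot SNR with the Holevo ceiling g(N) for a mode averaging N photons. Assumptions: a strong local oscillator so that Poisson counts are approximated as Gaussian, quadratures scaled so vacuum variance is 1/4, and constructed sample amplitudes; g(N) is the textbook single-mode bound, not the paper's own leakage derivation.

```python
import cmath
import math
import random

def arm_photons(alpha, lo_amp, lo_phase):
    """Mean photon numbers at the two outputs of a 50/50 beamsplitter that
    mixes signal amplitude alpha with a local oscillator (LO)."""
    beta = lo_amp * cmath.exp(1j * lo_phase)
    return abs(beta + alpha) ** 2 / 2, abs(beta - alpha) ** 2 / 2

def homodyne_shot(alpha, lo_amp, lo_phase, rng):
    """One balanced-homodyne reading, scaled so vacuum noise has variance 1/4."""
    n_plus, n_minus = arm_photons(alpha, lo_amp, lo_phase)
    # Poisson photon counts in each arm, Gaussian-approximated (strong LO).
    c_plus = rng.gauss(n_plus, math.sqrt(n_plus))
    c_minus = rng.gauss(n_minus, math.sqrt(n_minus))
    # The count difference averages 2*|LO|*Re(alpha*exp(-i*phase)).
    return (c_plus - c_minus) / (2 * lo_amp)

def measure(alpha, lo_phase, shots=20000, lo_amp=1000.0, seed=1):
    """Sample mean and variance of repeated readings of the same state."""
    rng = random.Random(seed)
    xs = [homodyne_shot(alpha, lo_amp, lo_phase, rng) for _ in range(shots)]
    mean = sum(xs) / shots
    var = sum((x - mean) ** 2 for x in xs) / (shots - 1)
    return mean, var

def single_shot_snr(alpha, lo_phase):
    """Squared mean quadrature divided by the shot-noise variance of 1/4."""
    return 4 * (alpha * cmath.exp(-1j * lo_phase)).real ** 2

def holevo_ceiling_bits(mean_photons):
    """g(N) = (N+1)log2(N+1) - N log2(N): entropy of a thermal state, the most
    any measurement can learn per mode from pure states averaging N photons."""
    n = mean_photons
    if n == 0:
        return 0.0
    return (n + 1) * math.log2(n + 1) - n * math.log2(n)

if __name__ == "__main__":
    alpha = 0.3 + 0.1j  # constructed sample: I = 0.3, Q = 0.1, about 0.1 photon
    print("I readout (mean, var):", measure(alpha, 0.0))
    print("Q readout (mean, var):", measure(alpha, math.pi / 2))
    print("single-shot SNR on I:", single_shot_snr(alpha, 0.0))
    for n in (0.01, 0.1, 1.0):
        print(n, "photons ->", round(holevo_ceiling_bits(n), 4), "bits max")
```

The LO phase alone selects which quadrature is read, and at a fraction of a photon per mode a single reading sits below the shot noise, so the modulated value is only recovered by averaging many identical copies.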
In the time domain, optical modes are defined by separate pulses, with a Mach-Zehnder interferometer (MZI) and fiber loop computing the inner product, which is then amplified and measured via homodyne detection. In the spatial domain, MZIs mix adjacent modes to shift phase and amplitude, enabling coherent homodyne detection and amplification.
The performance of the proposed protocol was tested on the MNIST classification task, achieving 98% accuracy using a two-layer network. Despite variations from quantum shot noise, the custom secure neural network showed consistent accuracy with the digital model.
The signal-to-noise ratio (SNR) at the homodyne detector outputs was defined, capturing the impact of the physical scaling parameter, which influenced classification accuracy as a function of gain and average photon occupation. The classification accuracy increased with gain and average photon occupation, approaching digital noiseless accuracy.
A logistic function was employed to model the relationship between classification accuracy and the scaling parameter, facilitating predictions without extensive numerical calculations. This model allowed the researchers to demonstrate how classification accuracy could be maintained despite variations in hardware-dependent parameters.
The team structured the security analysis within the continuous-variable quantum key distribution (CVQKD) framework. It examined the potential leakage of weights and client data during operations involving honest and malicious parties. The analysis focused on individual attacks by an eavesdropper who could perform measurements on the quantum states, and it introduced methods to prevent weight information accumulation through strategic weight manipulation during broadcasts.
Additionally, classical leakage from the server was addressed by calculating the precision of estimating client data under malicious conditions using the Cramér-Rao bound, which provided insights into the potential information leakage through the verification states.
Conclusion
To sum up, the research successfully introduced a quantum-based linear algebra engine for secure multiparty computation, ensuring minimal information leakage during DL tasks. By applying this engine to the MNIST classification task, the model achieved over 96% accuracy while limiting weight leakage to less than 0.1 bits per symbol. This leakage was significantly lower than the precision required for modern DL. The study established a strong foundation for practical quantum-secure computation in cloud-based DL.
Journal Reference
Sulimany, K., et al. (2024). Quantum-secure multiparty deep learning. ArXiv. DOI:10.48550/arXiv.2408.05629, https://arxiv.org/abs/2408.05629