Quantum Pufferfish Privacy: A Flexible Privacy Framework for Quantum Systems

TL;DR

This paper advances privacy for quantum data by introducing Quantum Pufferfish Privacy (QPP), a flexible framework that lets practitioners choose private secrets, discriminative pairs, prior distributions, and feasible measurements. It establishes a first operational interpretation of the Datta–Leditzky information spectrum divergence via QPP and provides an SDP-based toolset to compute it, along with strong properties such as convexity, post-processing invariance, and (adaptive) composability. The authors characterize privacy-utility tradeoffs with a depolarization mechanism, derive parameter regimes guaranteeing $\varepsilon$-QPP, and present an auditing pipeline for verifying QDP/QPP guarantees on quantum devices. They also connect QPP to quantum fairness and extend the framework to Rényi-divergence and entanglement-aware variants, outlining practical implications for privacy-preserving quantum data analysis and learning. Overall, QPP offers a versatile, information-theoretic approach to privacy in quantum settings with operational, computational, and auditing advantages.

Abstract

We propose a versatile privacy framework for quantum systems, termed quantum pufferfish privacy (QPP). Inspired by classical pufferfish privacy, our formulation generalizes and addresses limitations of quantum differential privacy by offering flexibility in specifying private information, feasible measurements, and domain knowledge. We show that QPP can be equivalently formulated in terms of the Datta-Leditzky information spectrum divergence, thus providing the first operational interpretation thereof. We reformulate this divergence as a semi-definite program and derive several properties of it, which are then used to prove convexity, composability, and post-processing of QPP mechanisms. Parameters that guarantee QPP of the depolarization mechanism are also derived. We analyze the privacy-utility tradeoff of general QPP mechanisms and, again, study the depolarization mechanism as an explicit instance. The QPP framework is then applied to privacy auditing for identifying privacy violations via a hypothesis testing pipeline that leverages quantum algorithms. Connections to quantum fairness and other quantum divergences are also explored and several variants of QPP are examined.

Figures (9)

• Figure 1: Depiction of a setup where the goal is to hide whether the amount entanglement $\mathsf{V}$ present in the bipartite states $\rho_1$, $\rho_2$, $\sigma_1$, and $\sigma_2$ equals $a$ or $b$. In this diagram, large squares represent the entire quantum state, while small rectangles correspond to a specific attribute of that state (i.e., the amount of entanglement as quantified by the function $\mathsf{V}$). The specific attribute can take on one of two values, $a$ or $b$, represented by solid or dotted lines, respectively. As the goal is to conceal only the entanglement level, and not necessarily the specific quantum state, we want the sets $\mathcal{R}=\{\rho_1,\rho_2\}$ and $\mathcal{T}=\{\sigma_1,\sigma_2\}$ to be indistinguishable.
• Figure 2: Properties of QPP mechanisms: (a) refers to post-processing of QPP algorithm $\mathcal{A}$; If $\mathcal{A}$ satisfies QPP, then $\mathcal{N} \circ \mathcal{A}$ also satisfies QPP. (b) refers to parallel composition of $k$ QPP mechanisms; composition of $k$ mechanisms independently in a parallel fashion satisfies QPP if each $\mathcal{A}_i$ satisfies QPP.
• Figure 3: Setup for adaptive composition: On the top system, the channel $\mathcal{A}_1$ is followed by the quantum instrument $\{ \mathcal{E}_y\}_{y \in \mathcal{Y}}$, and then the random classical outcome $Y$ is used to choose the channel $\mathcal{A}_2^Y$. In this setting, we analyse how well an adversary can learn properties of the input state $\sigma_I$ by applying measurements on the output state.
• Figure 4: Depolarization mechanism to achieve QPP: This corresponds to a channel $\mathcal{E}$ followed by a depolarizing channel. Note that we can choose $\mathcal{E}=\mathcal{I}$ to be the identity channel as well.
• Figure 5: Generation of classical PP mechanisms from QPP mechanism $\mathcal{A}$: First the classical data is encoded using quantum encoding techniques, then the QPP mechanism $\mathcal{A}$, and if needed any other channel $\mathcal{J}$, and finally the measurement channel.

Theorems & Definitions (66)

• Definition 1: Classical differential privacy
• Definition 2: Classical pufferfish privacy
• Definition 3: Quantum differential privacy QDP_computation17hirche2023quantum
• Remark 1: Designing QPP frameworks
• Definition 4: Quantum pufferfish privacy
• Remark 2: Semantics of the QPP framework
• Remark 3: Incorporating entanglement
• Proposition 1: Equivalent formulation of $(\varepsilon,\delta)$-QPP
• Remark 4: Classical PP through DL divergence
• Remark 5: Operational interpretation of DL divergence