Quantum-secure multiparty deep learning

Kfir Sulimany, Sri Krishna Vadlamani, Ryan Hamerly, Prahlad Iyengar, Dirk Englund

TL;DR

This work addresses the privacy challenges of cloud-based deep learning by proposing a quantum-secure, information-theoretic secure multiparty computation framework implemented with a coherent optical linear algebra engine. The server hardware encodes DNN weights into optical amplitudes and the client computes inner products via unitary transformations, returning a verification state whose excess noise bounds potential leakage. The authors derive rigorous, information-theoretic bounds on weight leakage with the Holevo theorem and data leakage with (quantum) Cramér–Rao bounds, demonstrating secure MNIST classification with over $96\%$ accuracy and leakage well below practical bit-precision thresholds. The approach highlights how photonic quantum resources can enable secure cloud deep learning with provable security guarantees, and it points to near-term hardware extensions and training-stage applications. Overall, the paper lays foundational work for practical, information-theoretic security in distributed deep learning workflows and informs future quantum-enabled ML security research.

Abstract

Secure multiparty computation enables the joint evaluation of multivariate functions across distributed users while ensuring the privacy of their local inputs. This field has become increasingly urgent due to the exploding demand for computationally intensive deep learning inference. These computations are typically offloaded to cloud computing servers, leading to vulnerabilities that can compromise the security of the clients' data. To solve this problem, we introduce a linear algebra engine that leverages the quantum nature of light for information-theoretically secure multiparty computation using only conventional telecommunication components. We apply this linear algebra engine to deep learning and derive rigorous upper bounds on the information leakage of both the deep neural network weights and the client's data via the Holevo and the Cramér-Rao bounds, respectively. Applied to the MNIST classification task, we obtain test accuracies exceeding $96\%$ while leaking less than $0.1$ bits per weight symbol and $0.01$ bits per data symbol. This weight leakage is an order of magnitude below the minimum bit precision required for accurate deep learning using state-of-the-art quantization techniques. Our work lays the foundation for practical quantum-secure computation and unlocks secure cloud deep learning as a field.

Paper Structure (27 sections, 58 equations, 6 figures)

This paper contains 27 sections, 58 equations, 6 figures.

Figures (6)

  • Figure 1: Coherent Linear Algebra Engine. (a) Secure multiparty computation enables joint evaluation of a function $f(\vec{x},\vec{w})$ across distributed users while ensuring the privacy of the local inputs $\vec{x},\vec{w}$. (c) Deep neural network (DNN) weights are encoded into the complex amplitudes of coherent states $w_i$ (of variance $1 \text{ SNU}$ (Shot-Noise-Units)). (b) The client uses these weights for inference with their local data $\vec{x}$ and transmits the residual light, called the verification state, back to the server. (d) The verification state has the same mean as the original DNN weight $w_i$ but a higher variance of $(1+\eta_i) \text{ SNU}$, where $\eta_i$ is the excess noise. (b) The client receives the coherent states that encode the weights (left) and calculates the inner product $\vec{w}\cdot\vec{x}$ using: (i) unitary transformation $U_{\hat{x}}$, (ii) measurement and feedforward of the complex amplitude $\vec{w}\cdot\hat{x}$, which adds noise (marked in red) to the last mode, (iii) and the unitary $U_{\hat{x}}^{\dagger}$. After applying $U_{\hat{x}}^{\dagger}$, the excess noise from the measure and feedforward step is spread over the output modes (right).
  • Figure 2: Classification accuracy versus weights leakage and data leakage. The classification accuracy of the secure optical neural network, which uses our coherent linear algebra engine (Fig. \ref{Fig_Ilus}), is first numerically calculated as a function of the average photon occupation per weight and the amplification gain. We also use these parameters to upper bound the weight leakage $I_{w_i}$ (Eq. \ref{eq:wleakage}) and the data leakage $I_{x_i}$ (Eq. \ref{eq:xleakage}). This chain of reasoning enables the presentation of the classification accuracy as a function of the weights and data leakages. The classification accuracy increases with both leakages and achieves the digital noiseless accuracy. For small data leakages, the weight leakage is inversely proportional to the data leakage for any given fixed classification accuracy. Our protocol achieves a classification accuracy of $>96\%$ while leaking less than $I_{w_i}=0.1$ bits per weight symbol and less than $I_{x_i}=0.01$ bits per data symbol. This level of bit precision in the weights is currently known to be insufficient for achieving high accuracy in state-of-the-art deep neural networks.
  • Figure 3: Information leakage versus channel loss and neurons per layer. (a) In the presence of loss, the server can increase the average photon occupation per weight to conserve classification accuracy. This increases the weights leakage while the data leakage remains unaffected. The client cannot compensate for high losses, as the classification accuracy saturates as a function of the gain. A weight leakage of up to $4$ bits per weight is obtained for standard losses in local-area networks (LAN) and metropolitan-area networks (MAN). (b) Both weight and data leakages diminish with an increasing number of neurons per layer. Therefore, advanced DNNs, which are much larger than the model used in this work, are expected to suffer from even smaller leakages.
  • Figure 4: Optical implementation. (a) The server transmits neural network weights, encoded by complex amplitudes of weak coherent states generated by an attenuated laser. The encoding can be either temporal or spatial. (b, c) The client performs a series of linear operations on the beam to measure the inner product of a local data vector with the distributed vector (see main text). After these operations, the client returns the residual light as a verification state to the server, which measures the excess noise to compute the leakage of its weights. In the spatial domain (c), the client uses an MZI mesh to interfere spatially adjacent modes, resulting in the uppermost output mode having a complex amplitude representing the desired inner product. This mode is then amplified (green loop) and split by a weighted beam splitter (top) into a coherent homodyne detector (green detectors) and into another MZI mesh. The second MZI mesh implements the inverse of the first mesh. In the time domain (b), the first MZI mesh is replaced with a single MZI and a fiber loop, while the second MZI mesh is replaced by nested fiber loops.
  • Figure 5: Classification accuracy versus the physical scaling parameter $F$. We calculate the classification accuracy considering an additive noise to each inner product, using weights trained for a digital noiseless model. We present the classification accuracy as a function of the physical scaling parameter $F$. The classification accuracy increases monotonically with $F$, asymptotically obtaining the digital noiseless accuracy. This parameter captures the hardware-dependent prefactor in the SNR, allowing the mutual effect of the average photon number $\mu$ and the amplification gain $G$ to be calculated. We fit the classification accuracy using a logistic curve.
  • ...and 1 more figure
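
The client steps in the Figure 1 caption (apply $U_{\hat{x}}$, read the last mode, apply $U_{\hat{x}}^{\dagger}$) can be followed in a toy classical model. This is an added example, not code from the paper: it tracks only mean amplitudes and noise variance, and it assumes real-valued amplitudes, a Householder reflection standing in for $U_{\hat{x}}$, and a hypothetical `noise_var` for the noise injected by measurement and feedforward.

```python
import math

def normalize(x):
    """Return the unit vector x_hat for the client's data vector x."""
    norm = math.sqrt(sum(v * v for v in x))
    if norm == 0:
        raise ValueError("data vector must be non-zero")
    return [v / norm for v in x]

def householder_apply(x_hat, vec):
    """Apply the reflection H that maps x_hat onto the last basis vector.

    H is real, symmetric and orthogonal, so the same routine serves as both
    U and U^dagger in this toy model (assumption: real amplitudes).
    """
    v = list(x_hat)
    v[-1] -= 1.0                      # v = x_hat - e_n
    vv = sum(c * c for c in v)
    if vv < 1e-24:                    # x_hat is already e_n, so H is the identity
        return list(vec)
    scale = 2.0 * sum(a * b for a, b in zip(v, vec)) / vv
    return [b - scale * a for a, b in zip(v, vec)]

def client_round(w, x, noise_var):
    """One inner-product round on the mean amplitudes w (server weights).

    Returns (inner product w . x_hat, mean of the returned verification
    state, per-mode excess noise variance seen by the server).
    """
    x_hat = normalize(x)
    modes = householder_apply(x_hat, w)        # (i) U: last mode carries w . x_hat
    inner = modes[-1]                          # (ii) amplitude read by the client
    returned = householder_apply(x_hat, modes) # (iii) U^dagger restores the mean
    # Noise injected in the last mode is mapped by U^dagger onto H e_n = x_hat,
    # so mode i receives the fraction x_hat[i]^2 of the injected variance.
    excess = [noise_var * c * c for c in x_hat]
    return inner, returned, excess

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    w = [0.3, -0.5, 0.2, 0.7]
    x = [1.0, 2.0, 0.0, 2.0]
    inner, returned, excess = client_round(w, x, noise_var=0.9)
    print("w . x_hat =", round(inner, 6))
    print("returned mean =", [round(v, 6) for v in returned])
    print("excess noise per mode =", [round(v, 6) for v in excess])
```

In this model the returned means equal the original weights while the per-mode excess variances sum to the injected variance, which mirrors the caption's description of a verification state with unchanged mean and raised variance.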