A Numerical Gradient Inversion Attack in Variational Quantum Neural-Networks

TL;DR

This work demonstrates a practical gradient inversion attack on trainable Variational Quantum Neural Networks (VQNNs), showing that input data can be reconstructed from shared gradients despite challenging loss landscapes with many local minima. The authors introduce a numerical scheme that blends finite-difference gradient estimation with adaptive low-pass filtering to locate the global minimum, and further improve convergence using a Kalman-filter-based update. Across multiple datasets and VQNN architectures, the attack recovers inputs with extremely low mean-squared error (down to ~1e-10 in many cases), and is effective even in batch settings, though batch size can reduce recoverability. By comparing to classical neural nets and differential privacy mechanisms, the study provides a practical privacy benchmark for distributed learning with VQNNs and highlights privacy-performance trade-offs inherent to these quantum-classical models. The results underscore data-leakage risks in gradient-based federated or decentralized training and offer a framework for evaluating defenses and model designs against gradient-inversion attacks.

Abstract

The loss landscape of Variational Quantum Neural Networks (VQNNs) is characterized by local minima that grow exponentially with increasing qubits. Because of this, it is more challenging to recover information from model gradients during training compared to classical Neural Networks (NNs). In this paper we present a numerical scheme that successfully reconstructs input training, real-world, practical data from trainable VQNNs' gradients. Our scheme is based on gradient inversion that works by combining gradients estimation with the finite difference method and adaptive low-pass filtering. The scheme is further optimized with Kalman filter to obtain efficient convergence. Our experiments show that our algorithm can invert even batch-trained data, given the VQNN model is sufficiently over-parameterized.

Figures (17)

• Figure 1: Generic architecture of a VQNN. It consists of a quantum feature map $\Phi(\mathbf{x})$ that encodes classical input data $\mathbf{x}$ into a quantum state. The horizontal lines represent the qubits in the quantum circuit. The ansatz $V(\boldsymbol{\theta})$ is designed with trainable parameters $\boldsymbol{\theta}$ to explore the solution space. The trainable parameters are optimized by adjusting $\boldsymbol{\theta}$ to minimize a defined loss function ($\mathrm{Loss}$).
• Figure 2: The surface shows the value of the VQNN model loss gradients for each combination of input values. The ansatz VQNN model is used also in our experiments, $EfficientSU2$arxiv.2402.16465 with Fraud data as described in Table \ref{['tab:experiments']} and with input parameters $x_{1}$ (qubit 1) and $x_{2}$ (qubit 2). $ZZFeatureMap$ is used here for embeddings arxiv.2207.11449arxiv.2408.10274.
• Figure 3: In a standard pipeline of a Federated Learning model, clients ($C_l$) locally train the neural network on their data and share only the gradients or weights with the server, without exposing the data itself. Then the server aggregates the gradients ($\mathbf{g}$) or weights ($\boldsymbol{\theta}$) and calibrates a global model. Next, it broadcasts the updated global model back to the clients.
• Figure 4: The plots show the gradient loss landscape (Eq.\ref{['eq:grad_cost_fun']}) with multiple local minima, which can hinder the success of gradient inversion attacks kumar2023expressivevariationalquantumcircuitsPhysRevResearch.6.02302010821342. Each plot shows a different viewpoint of the multiple local minima of a VQNN model. In the 3-D and surface plots ($a$), the $x$-axis and $y$-axis represent the input parameters $x_1$ (qubit 1) and $x_2$ (qubit 2), ranging from 0 to $2\pi$. The $z$-axis depicts the gradient loss $(\mathbf{g}' - \mathbf{g})^2$. The line plot ($b$) shows the multiple local minima across the dimension $x_1$. The VQNN model used in these plots is named 'Complex' and depicted in Table \ref{['tab:experiments']}.
• Figure 5: Gradient inversion attack profile on two qubits 'Complex' VQNN model (thick orange line), shows a close-up near the global minimum of the inversion error with $log10$ MSE distance ($\mathbf{x}', \mathbf{x}$) versus the squared gradient loss $(\mathbf{g}' - \mathbf{g})^2$. As the attack is progressed, $\mathbf{g}'$ approaches $\mathbf{g}$ which leads to reveal the hidden $\mathbf{x}$. The fluctuating $\mathbf{x}$ space is plotted (thin blue line) by sampling small random differences of $(\mathbf{x}'-\mathbf{x})^{2}$.