From Membership-Privacy Leakage to Quantum Machine Unlearning

Junjian Su, Runze He, Guanghui Li, Sujuan Qin, Zhimin He, Haozhen Situ, Fei Gao

TL;DR

The paper addresses membership privacy leakage in quantum machine learning by showing that two QNN architectures (basic QNN and HQNN) leak information via Membership Inference Attacks (MIA) in both simulation and real quantum hardware. It then introduces Quantum Machine Unlearning (QMU), a framework with three MU mechanisms—Gradient Ascent (GA), Fisher-based (SSD), and Relative Gradient Ascent (RGA)—to revoke the influence of withdrawn data while preserving performance on retained data. Across MNIST classification tasks and hardware experiments, MIA leakage is substantial in unprotected models, and QMU methods successfully reduce MIA risk with varying trade-offs in data dependence, computational cost, and robustness. The work demonstrates a potential path toward privacy-preserving QML and motivates extending QMU to broader quantum learning settings and secure quantum workflows.

Abstract

Quantum Machine Learning (QML) has the potential to achieve quantum advantage for specific tasks by combining quantum computation with classical Machine Learning (ML). In classical ML, a significant challenge is membership privacy leakage, whereby an attacker can infer from model outputs whether specific data were used in training. When specific data are required to be withdrawn, removing their influence from the trained model becomes necessary. Machine Unlearning (MU) addresses this issue by enabling the model to forget the withdrawn data, thereby preventing membership privacy leakage. However, this leakage remains underexplored in QML. This raises two research questions: do QML models leak membership privacy about their training data, and can MU methods efficiently mitigate such leakage in QML models? We investigate these questions using two QNN architectures, a basic Quantum Neural Network (basic QNN) and a Hybrid QNN (HQNN), evaluated in noiseless simulations and on quantum hardware. For the first question, we design a Membership Inference Attack (MIA) tailored to QNN in a gray-box setting. Our experiments indicate clear evidence of leakage of membership privacy in both QNNs. For the second question, we propose a Quantum Machine Unlearning (QMU) framework, comprising three MU mechanisms. Experiments on two QNN architectures show that QMU removes the influence of the withdrawn data while preserving accuracy on retained data. A comparative analysis further characterizes the three MU mechanisms with respect to data dependence, computational cost, and robustness. Overall, this work provides a potential path towards privacy-preserving QML.

Paper Structure

This paper contains 23 sections, 10 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Membership Inference Attack Workflow on QML Models. (Stage 1) the initial training of the target QML model, (Stage 2) the training of a specialized attack model that observes the target model's behavior on known member and non-member data, and (Stage 3) the final inference step to predict a query sample’s membership status.
  • Figure 2: Architecture and data flow of the QNN model. The model consists of a quantum encoding layer $E(x)$ that encodes classical input $x$ into a quantum state, a PQC layer $U(\theta)$ that evolves this quantum state based on trainable parameters, and a measurement layer that performs Pauli-Z measurements to extract classical observables. Classical pre-processing is employed to reduce the input dimension to match the available number of qubits, while post-processing maps the measurement results to the final prediction space. During the training phase, the predicted output $y'$ is compared with the ground truth label $y$ to compute the loss, which subsequently guides the iterative parameter updates via gradient descent.
  • Figure 3: Attack and Unlearning Workflow for QML. (1) Training: the original QML model $A_o$ is trained on the full dataset $D$; the subset to be revoked is $D_u \subset D$, and the retained data are $D_r = D \setminus D_u$; the target QML model $A_t$ is trained on the dataset $D_r$; (2) Privacy attack: adversaries launch MIA on $A_o$ to test whether traces of $D_u$ are exposed. (3) Unlearning: an algorithm $U$ acts on $A_o$ to produce the unlearned model $A_u$ that should discard information about $D_u$ while preserving performance on $D_r$. (4) Evaluating: comparing $A_u$ with the ideal baseline $A_t$ on multiple evaluation metrics, which include accuracy, the success rate of MIA, and computational cost.
  • Figure 4: Performance Comparison of QMU. This figure presents the performance comparison of QMU methods: GA (left), RGA (middle), and SSD (right) on the two models, basic QNN (top) and HQNN (bottom). The first two columns display the relationship between the number of epochs and classification accuracy on retained data ($ACC_R$) and unlearned data ($ACC_U$), along with MIA success rate. The heatmaps on the right show the performance of the SSD method across varying values of the alpha and lambda parameters, specifically highlighting accuracy on the $D_{r}$ dataset when both the MIA success rate and accuracy on the $D_{u}$ dataset are minimized. These results demonstrate the trade-offs in effectiveness and efficiency of the different unlearning methods across the two models.
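
The four-step workflow in the Figure 3 caption can be run end to end as a privacy audit. The following is an added example, not code from the paper: it assumes a small classical logistic model as a stand-in for the QNN, constructed synthetic data instead of MNIST, and a simple loss-threshold audit in place of the paper's trained attack model; every function name and hyperparameter is hypothetical.

```python
import math, random

def margin_loss(w, x, y):
    # Per-sample logistic loss log(1 + exp(-m)), where m is the signed margin.
    m = (2 * y - 1) * sum(wi * xi for wi, xi in zip(w, x))
    return math.log1p(math.exp(-m))

def mean_loss(w, data):
    return sum(margin_loss(w, x, y) for x, y in data) / len(data)

def grad(w, data):
    g = [0.0] * len(w)
    for x, y in data:
        p = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
        for i, xi in enumerate(x):
            g[i] += (p - y) * xi / len(data)
    return g

def fit(w, data, lr, epochs, sign=-1):
    # sign=-1 is gradient descent (training); sign=+1 is gradient ascent (GA unlearning).
    for _ in range(epochs):
        w = [wi + sign * lr * gi for wi, gi in zip(w, grad(w, data))]
    return w

def mia_audit(w, members, non_members):
    # Loss-threshold audit: best balanced accuracy of the rule "loss <= t means member".
    lm = [margin_loss(w, x, y) for x, y in members]
    ln = [margin_loss(w, x, y) for x, y in non_members]
    return max(0.5 * (sum(l <= t for l in lm) / len(lm) + sum(l > t for l in ln) / len(ln))
               for t in lm + ln + [-1.0])

def sample(rng, n, d=5):
    # Constructed data: noisy linear labels; the last feature is a constant bias input.
    rows = []
    for _ in range(n):
        x = [rng.gauss(0, 1) for _ in range(d)] + [1.0]
        rows.append((x, int(x[0] - x[1] + rng.gauss(0, 1) > 0)))
    return rows

def run_workflow(seed=0):
    rng = random.Random(seed)
    D, held_out = sample(rng, 40), sample(rng, 10)
    D_u, D_r = D[:10], D[10:]                 # withdrawn and retained subsets
    A_o = fit([0.0] * 6, D, 0.5, 300)         # (1) original model trained on D
    A_t = fit([0.0] * 6, D_r, 0.5, 300)       # (1) retrained baseline on D_r only
    A_u = fit(A_o, D_u, 0.1, 5, sign=+1)      # (3) GA unlearning applied to A_o
    return {name: {"loss_Du": mean_loss(w, D_u), "loss_Dr": mean_loss(w, D_r),
                   "mia": mia_audit(w, D_u, held_out)}   # (2) and (4)
            for name, w in (("A_o", A_o), ("A_t", A_t), ("A_u", A_u))}
```

An audit score near 0.5 means the rule cannot separate $D_u$ from unseen data; comparing the `A_u` row against `A_t` shows whether the ascent steps under- or over-shoot the retrained baseline.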