Framework and theoretical background

We start with the theoretical framework for quantum delegated learning with quantum homomorphic encryption. Given a general n-qubit quantum state |ψ _x 〉, an information-theoretical secure encryption way is to apply the quantum one-time pad to this state:

(1) $$\left| \left.\psi _{x}\right\rangle \right.\rightarrow (Z^{{a_{1}}}\otimes \ldots \otimes Z^{{a_{n}}})(X^{{b_{1}}}\otimes \ldots \otimes X^{{b_{n}}})\left| \left.\psi _{x}\right\rangle \right.,$$

where Z and X denote Pauli-Z and Pauli-X gates respectively, a _i and b _i are encryption keys chosen from {0, 1} randomly and independently (Ambainis et al., Reference Ambainis, Mosca, Tapp and De Wolf2000). For anyone without the keys a _i and b _i , this encrypted state is equivalent to a maximally mixed state and thus no information can be extracted. Since homomorphic encryption works with encrypted data, it would be desirable if compatible schemes could be designed for the above one-time-padded data to achieve high-level security. Yet, this is challenging unless either (1) the client sends over certain quantum states which contain information about the keys and can be exploited to implement quantum operations on the server, or (2) the information-theoretical security, which is strong, is converted to a computation-theoretical one, assuming the hardness of certain problems, such as learning with errors (Broadbent and Jeffery, Reference Broadbent, Jeffery, Gennaro and Robshaw2015; Mahadev, Reference Mahadev2020; Dulek et al., Reference Dulek, Schaffner, Speelman, Robshaw and Katz2016; Brakerski, Reference Brakerski, Shacham and Boldyreva2018; Fisher et al., Reference Fisher, Broadbent, Shalm, Yan, Lavoie, Prevedel, Jennewein and Resch2014; Ouyang et al., Reference Ouyang, Tan and Fitzsimons2018; Tham et al., Reference Tham, Ferretti, Bonsma-Fisher, Brodutch, Sanders, Steinberg and Jeffery2020; Ma and Li, Reference Ma and Li2022).

Here, we adapt the schemes from Refs. (Mahadev, Reference Mahadev2020; Dulek et al., Reference Dulek, Schaffner, Speelman, Robshaw and Katz2016; Brakerski, Reference Brakerski, Shacham and Boldyreva2018; Ma and Li, Reference Ma and Li2022) as technical subroutines for our framework. Instead of only encrypting the quantum data, the homomorphic encryption scheme includes two parallel computations. Let $\hat{f}({\bf a},{\bf b})$ denote the quantum encryption operation in Equations (1) and ${\rm Enc}({\bf a},{\bf b})$ be a classical encryption function, where ${\bf a},{\bf b}$ denote the classical keys a ₁, …, a _n and b ₁, …, b _n , respectively. For a given quantum sample |ψ _x 〉, the client generates classical keys ${\bf a},{\bf b}$ , and sends both the encrypted state $\hat{f}({\bf a},{\bf b})\left| \left.\psi _{x}\right\rangle \right.$ and encrypted classical keys ${\rm Enc}({\bf a},{\bf b})$ to the server. By applying the quantum homomorphic encryption protocol, the server homomorphically applies a target operation U to the original state after receiving these two pieces of information. The data processing can be illustrated as

(2) $$\matrix{ {{\rm{Enc}}\left( {{\bf{a}},{\bf{b}}} \right) \to {\rm{Enc}}\left( {{\bf{a'}},{\bf{b'}}} \right),} \hfill \cr \cr{{\hat f\left( {{\bf{a}},{\bf{b}}} \right)\left| {{\psi _x}\rangle \to \hat f\left( {{\bf{a'}},{\bf{b'}}} \right)U} \right|{\psi _x}\rangle, } }} $$

where the encryption key is updated to ${\bf a}{\rm '},{\bf b}{\rm '}$ and the server can homomorphically compute ${\rm Enc}({\bf a}{\rm '},{\bf b}{\rm '})$ without access to the true values of ${\bf a}{\rm '}$ and ${\bf b}{\rm '}$ (Mahadev, Reference Mahadev2020). Besides, the setting for handling general quantum states can be relaxed to states on the computational basis in certain scenarios, which allows a purely classical client and will be discussed in the section on quantum learning advantages with kernel methods.

Delegated learning with an untrusted server

We first consider variational quantum classifiers, which is applicable to near-term quantum devices, in our delegated learning setting (Cerezo et al., Reference Cerezo, Arrasmith, Babbush, Benjamin, Endo, Fujii, McClean, Mitarai, Yuan, Cincio and Coles2021). The learning model is built on a parameterized quantum circuit denoted by U _θ , where θ represents the collection of trainable parameters. For a training sample |ψ _x (i)〉 indexed by i, the output of this model is an expectation value 〈ψ _x (i)|U _θ ^† OU _θ |ψ _x (i)〉 for a certain observable O. By designing appropriate cost functions to measure the distance between the current output value and the target one, an optimization procedure can be applied to capture the data pattern and update circuit parameters. Assuming the label of this sample is y(i), the mean square error can be used as a cost function:

(3) $${C}_{{\rm MSE}}={1 \over N}\sum _{i} (\left\langle \left.\psi _{x}(i)\right| \right.U_{\boldsymbol{\theta }}^{\dagger }OU_{\boldsymbol{\theta }}\left| \left.\psi _{x}(i)\right\rangle \right.-y(i))^{2},$$

where N denotes the size of the training set.

The delegated learning procedure begins with encrypting the training data according to Equation (2) on the client’s side. To compile the variational quantum learning model in the homomorphic encryption scenario, it is worth considering the encryption protocol allowing efficient implementation of arbitrary single-qubit gates (Ma and Li, Reference Ma and Li2022). After the server homomorphically processes the data, the output quantum state becomes $\hat{f}({\bf a}{\rm '},{\bf b}{\rm '})U_{\boldsymbol{\theta }}|\psi _{x}\rangle$ with updated classical keys. In general, the prediction of the learned model is made according to the expectation value of certain local observables. Without loss of generality, we choose a two-label classification task and a Pauli-Z measurement on qubit indexed by k, that is Z _k , as the prediction. The classification can be made by defining the expectation value of Z _k over zero as class 1, and otherwise as class 2. However, since the output state is encrypted by ${\bf a}{\rm '}$ and ${\bf b}{\rm '}$ , we need to decode the measured values from the server accordingly. We note that $\left\langle \left.\psi _{x}(i)\right| \right.U_{\boldsymbol{\theta }}^{\dagger }\hat{f}^{\dagger }({\bf a}{\rm '},{\bf b}{\rm '})Z_{k}\hat{f}({\bf a}{\rm '},{\bf b}{\rm '})U_{\boldsymbol{\theta }}\left| \left.\psi _{x}(i)\right\rangle \right.$ can be simplified to (−1) ^{b _k ′} 〈ψ _x (i)|U _θ ^† Z _k U _θ |ψ _x (i)〉, where b _k ′ is the k-th element in ${\bf b}{\rm '}$ . This indicates that the sign of the target output is also encrypted. On the server’s side, only the encrypted classical keys and encrypted states are available and it is impossible to obtain the correct output. On the contrary, the client holds the decryption key to the function Enc() and thus can efficiently decrypt the value of b _k ′ after receiving ${\rm Enc}({\bf a}{\rm '},{\bf b}{\rm '})$ , after which the correct output value can be deciphered from the encrypted one.

The above idea has a direct application in delegated inference on a powerful quantum server which, for example, is equipped with a large-scale and fine-tuned quantum learning model. Such models may be built on sophisticated platforms and thus expensive, only deployed on the cloud and allowing clients to send computation queries remotely. For a general quantum state sample, a quantum one-time pad encrypts it first and the quantum learning model can make predictions on the encrypted data following the quantum homomorphic encryption protocol. Assume the output obtained by the server is w. With decryption keys of Enc(), only the client can decipher the classical keys ${\bf a}{\rm '},{\bf b}{\rm '}$ and make correct classification of this sample according to (−1) ^{b _k ′} sign(w).

In addition to delegated inference, learning in a delegated fashion is also important in data-sensitive scenarios, for example an institution holds private health data while a server holds high computational power. This task reduces to implementing optimization under the homomorphic encryption scheme. Back to Equation (3), our goal is to optimize the variational parameters θ to minimize the cost function over the training set. During this procedure, a crucial step is to calculate the gradients of the cost function with respect to these parameters. To this end, we can apply finite difference methods or the parameter-shift rule (Mitarai et al., Reference Mitarai, Negoro, Kitagawa and Fujii2018; Schuld et al., Reference Schuld, Bergholm, Gogolin, Izaac and Killoran2019), both of which boil down to measuring the expectation values of the same observable by shifting certain parameters in the quantum circuit. Under the proposed delegated learning framework, the server can flexibly shift the model parameters and obtain the desired gradients in an encrypted form. The client decrypts the gradients and uploads the updated parameters to the server, which completes an optimization iteration.

Extension to federated learning

Federated machine learning, also known as collaborative training, allows the training of a shared model across multiple parties while keeping their private training data safe (Kairouz et al., Reference Kairouz, McMahan and Avent2021). Developing techniques along this line is crucial for scenarios where the data is sensitive and each party only holds a small share insufficient for training, such as limited patients data held by different hospitals. Federated learning is traditionally achieved by aggregating model updates computed by local parties to a central server (Kairouz et al., Reference Kairouz, McMahan and Avent2021), which has been extended to the quantum domain recently (Li et al., Reference Li, Lu and Deng2021; Chen and Yoo, Reference Chen and Yoo2021; Du et al., Reference Du, Qian, Wu and Tao2022; Zhao, Reference Zhao2023; Chu et al., Reference Chu, Jiang and Chen2023; Ren et al., Reference Ren, Yu, Yan, Xu, Shen, Zhu, Niyato, Dong and Kwek2024; Chehimi et al., Reference Chehimi, Chen, Saad, Towsley and Debbah2024). Yet, such a conventional approach would suffer from a trade-off between privacy preserving and local computational power requirement: if each party computes on their own devices and uploads the gradients to collaboratively train a model, there are high requirements for local computational power; Instead, if they upload their data directly to a central server to release local computational burden, a malicious server may violate their data privacy.

With the federated learning framework built upon quantum homomorphic encryption and delegated learning, we overcome the above trade-off and achieve both data privacy and the utilization of remote computational power. Suppose there are M independent parties, each holding their dataset with a limited size. A learning epoch proceeds by enumerating all the parties. For each party, a subset of samples are randomly selected. The samples are encrypted using the quantum one-time pad before being sent to the quantum server with the encrypted classical keys ${\rm Enc}({\bf a},{\bf b})$ . With a similar idea in delegated learning, by decrypting ${\rm Enc}({\bf a}{\rm '},{\bf b}{\rm '})$ to obtain the updated classical keys, the party can recover the correct gradient values of a given cost function. After taking a weighted sum of the calculated gradients over the selected samples in this party’s dataset, an update of model parameters is then uploaded to the quantum server. Such optimization can be iteratively applied until the training converges (Algorithm 2).

It is worth mentioning that, since the model parameters are publicly trained, there is inevitable private information flowing from training samples to the server. Previous works from both quantum (Li et al., 2021; Li, Kumar et al., Reference Li, Kumar, Song, Chakrabarti and Pistoia2024) and classical (Zhu et al., Reference Zhu, Liu and Han2019) community have shown that the uploaded gradients can be utilized to infer the input data through reverse engineering. This is an intrinsic feature for training a public model. To defend against potential attacks, various strategies can be applied as additional subroutines in the original protocol. An effective way is to adapt differential privacy and add appropriate noise to the calculated gradients, which provides an information-theoretical bound on the leaked privacy (Li et al., Reference Li, Lu and Deng2021; Abadi et al., Reference Abadi, Chu, Goodfellow, McMahan, Mironov, Talwar and Zhang2016). In the quantum learning setting, secure inner product estimation and secure weighted gradient summation techniques have also been explored and can be utilized to enhance privacy protection (Li, Kumar et al., Reference Li, Li, Amer, Shaydulin, Chakrabarti, Wang, Xu, Tang, Schoch, Kumar, Lim, Li, Cappellaro and Pistoia2024).

Algorithm 1. Quantum federated learning

Analysis

The framework introduced for quantum delegated and federated learning through quantum homomorphic encryption bears several intriguing merits. First, this approach reduces local computational burdens, ensuring that training on edge quantum devices is not necessary for data owners. For this point, delegated learning based on blind quantum computing also provides a solution. The difference lies in the fact that, unlike blind quantum computing where the server is treated as an unknowing entity, the server in our framework is fully capable of performing computations and knowing the algorithm without access to the original data. From an information-theoretical point of view, if the client hides all the information about the data and computation from the server - as achieved in the protocols based on blind computing - then for each round of delegated learning, the client has to transfer all the information about the quantum learning model to the server which might be a huge amount even in a classical description. In contrast, here in the proposed scheme we only focus on protecting the private data information, while the server holds the model to manipulate the encrypted data. In this way, the client only needs to send the training samples to the server and participate in the optimization procedure, while there is no need to hold and transfer the model information. A direct consequence of this feature is that there is substantially less communication required between the server and clients during the learning and inference processes, minimizing overhead in a distributed network.

Error correction

Aside from the communication complexity aspect, since the server directly works on the encrypted data and is in full control of executing the quantum circuit, quantum error correction schemes can be naturally applied without involving the client (Terhal, Reference Terhal2015). For protocols based on blind computing subroutines, hiding all the computational details from the server becomes a double-edged sword: On the one hand, perfect privacy can be achieved in single-party delegated learning. On the other hand, however, the client does not have detailed device information on the server, and the server has no knowledge about the delegated computation. Thus, error correction becomes comparably more demanding, with additional overhead and efforts on both the client and server for fault-tolerant delegated quantum learning (Morimae and Fujii, Reference Morimae and Fujii2012; Gheorghiu et al., Reference Gheorghiu, Kashefi and Wallden2015; Chien et al., Reference Chien, Meter and Kuo2015).

Computational learning advantage

In the delegated learning scenario, designing quantum learning tasks with computational advantages is more challenging. On the one hand, transferring training data to the server or preparing initial states remotely will bring additional computational costs, and quantifying quantum speedups becomes more subtle: For example, in the well-known quantum support vector machine protocol (Rebentrost et al., Reference Rebentrost, Mohseni and Lloyd2014), by querying a data oracle, the learning model finally achieves the running time scaling as 𝒪(log(Nd)), where N and d denote the number of samples and dimension of the feature space, respectively. This features an exponential speedup over the classical methods. However, in the delegated learning setting, transferring such a dataset immediately brings 𝒪(Nd) complexity, which nullifies all the speedups. On the other hand, cryptographic methods are applied to operate on encrypted data, which brings additional overheads on the server’s side. To exhibit speedups in quantum learning under our framework, we consider the case of learning with classical data (Liu et al., Reference Liu, Arunachalam and Temme2021; Sweke et al., Reference Sweke, Seifert, Hangleiter and Eisert2021; Jerbi et al., Reference Jerbi, Gyurik, Marshall, Molteni and Dunjko2024). More specifically, we consider a concept class defined based on the discrete logarithm problem (Liu et al., Reference Liu, Arunachalam and Temme2021; Gyurik and Dunjko, Reference Gyurik and Dunjko2023):

Definition 1 For an n-bit prime number p with a generator a of ℤ _p *, we define the concept class based on the discrete logarithm problem as 𝒞 _n ^DLP = {c _i } _{i ∈ ℤ p *}, where

(4) $${c_i}\left( x \right) = \left( {\matrix{ { + 1,} \hfill & {if{\rm{\;lo}}{{\rm{g}}_a}\ x \in \left[ {i,i + {{p - 3} \over 2}} \right],} \hfill \cr { - 1,} \hfill & {otherwise.} \hfill \cr } } \right.$$

Assuming the hardness of the discrete logarithm problem, it is classically intractable to learn the above concept class (Liu et al., Reference Liu, Arunachalam and Temme2021). For a quantum learner, for any sample x, it can efficiently prepare the feature state $|\phi (x)\rangle ={1 \over \sqrt{2^{k}}}\sum _{i=0}^{2^{k}-1} \left| \left.xa^{i}\right\rangle \right.$ where k = n − t log n for a constant t (Liu et al., Reference Liu, Arunachalam and Temme2021). By estimating the inner products of these feature states, we obtain a kernel matrix that further allows a classical computer to build a linear classifier.

In our proposed framework, since the data is in the form of bit strings, the encrypted state $\hat{f}({\bf a},{\bf b})|\psi _{x}\rangle$ is also in the computational basis. Thus, we can instead send the corresponding encrypted classical bit string to the server and let the server prepare the initial state, releasing the requirement of limited quantum power for the clients. In other words, the clients can be purely classical without any quantum power in our scenario. By sending both the data and ancillary bits in encrypted forms and homomorphically applying the feature mappings, the server obtains the encrypted feature state ${1 \over \sqrt{2^{k}}}\sum _{i=0}^{2^{k}-1} \hat{f}({\bf a},{\bf b})\left| \left.xa^{i}\right\rangle \right.$ . To estimate the kernel element between two samples x ₁ and x ₂, we apply the same quantum one-time pad $\hat{f}({\bf a},{\bf b})$ so that the inner product of the two encrypted output states is exactly the desired kernel element. During this process, sending classical bit strings takes 𝒪(N ² d/ϵ ²) additional complexity with N, d, and ϵ being the number of samples, the data dimensionality, and the target additive error, respectively. Meanwhile, quantum homomorphic encryption brings a constant overhead for each gate. Thus in all, the delegated learning framework takes at most polynomial computational overheads, and the exponential quantum-classical learning separation still holds. We mention that the above computational learning advantage is not limited to the discrete logarithm concept class. By designing proper learning problems, similar protocols may be implemented, for example for the discrete cube root problems (Gyurik and Dunjko, Reference Gyurik and Dunjko2023; Kearns and Vazirani, Reference Kearns and Vazirani1994), with a final goal towards practical and real-life applications.

Conclusions and outlooks

In this work, we have developed a quantum delegated and federated learning framework based on quantum homomorphic encryption, which guarantees computation-theoretic privacy while leveraging the computational power of quantum servers. Our framework allows for training and inference on encrypted data with reduced communication complexity, making it a promising approach for future quantum cloud services. The delegation of computation to quantum servers not only removes the computational burden for clients but also preserves provable quantum speedups in certain learning tasks employing kernel methods.

This work makes a primary step forward in enabling delegated, secure, scalable, and efficient quantum machine learning systems. Future studies could focus on extending the framework to more complex learning models and improving the privacy guarantees through advanced cryptographic techniques. In addition, integrating cutting-edge classical learning models into the framework could further enhance its real-world applicability. While promising, several challenges remain to be addressed. One issue involves managing the inevitable information leakage that occurs when publicly trained models, such as federated quantum learning models, are reverse-engineered to infer private training data. Although techniques like differential privacy can mitigate such risks as discussed above, additional work is needed to ensure robust protection in other scenarios. Finally, while the current framework reduces local computational requirements to a certain degree, the quantum homomorphic encryption adds a constant yet large prefactor to the overall complexity on the server’s side. This renders its experimental demonstration with current noisy intermediate-scale quantum devices unattainable. Developing more efficient protocols that could further enhance scalability and minimize computational complexity would be crucial for both near-term and future applications.