Quantum-aided secure deep neural network inference on real quantum computers

Deep neural networks (DNNs) are phenomenally successful machine learning methods broadly applied to many different disciplines. However, as complex two-party computations, DNN inference using classical cryptographic methods cannot achieve unconditional security, raising concerns about the security risks of applying DNNs to sensitive data in many domains. We overcome this weakness by introducing a quantum-aided security approach. We build a quantum scheme for unconditionally secure DNN inference based on quantum oblivious transfer with an untrusted third party. Leveraging DNNs' noise tolerance, our approach enables complex DNN inference on comparatively low-fidelity quantum systems with limited quantum capacity. We validated our method using various applications with a five-bit real quantum computer and a quantum simulator. Both theoretical analyses and experimental results demonstrate that our approach manages to operate on existing quantum computers and achieve unconditional security with a negligible accuracy loss. This may open up new possibilities of quantum security methods for deep learning.

data holder and the inference results are hidden from the model provider in the protocol. Second, information about the DNN model is hidden from the data holder except what can be logically inferred from the data and the inference results. Finally, no information from either party is leaked to the eavesdropper through the channels used in the protocol.
The basic idea is to first achieve a noisy version of secure quantum oblivious transfer (QOT), a universal primitive that can be used to compose arbitrary secure two-party computations [27], with the help of an untrusted third party. Based on that, we can compose unconditionally secure DNN inference. However, several challenges need to be resolved to make this practical. First, oblivious transfer-based secure computing methods mostly rely on high-fidelity computing, which significantly hinders complex computations. In addition, a great number of oblivious transfer operations are required in general secure computations, but the quantum capacity of real quantum computers is seriously limited. In this Article, we design a coding and computing protocol for DNN inference that overcomes such limits in today's quantum computers. Based on the intrinsic noise tolerance of DNNs [28,29], a scheme is introduced into the DNN model training that enables the DNN model to tolerate a high computation error rate during inference. Thus, we relax the fidelity requirement of the QOT protocol, and consequently make our QOT protocol and secure DNN inference feasible on comparatively low-fidelity quantum computers with modest quantum capacity.
Here we introduce the system design for secure DNN inference based on QOT. The security of our method against classical and quantum adversaries is theoretically guaranteed as long as sufficient quantum capacity is available. The overall framework of the proposed design is shown in Fig. 1. A DNN, just like other artificial neural networks, consists of several layers of neurons, and the neurons are interconnected layer by layer [30,31]. This architecture can be modelled with a cascade of affine transformations followed by nonlinear activation functions. In our approach, the deep neural network is first split into several basic blocks such as vector addition and matrix multiplication. The blocks' inputs and parameters are provided by the data holder and the model provider, respectively.
The blocks are evaluated with a stochastic protocol based on QOT to prevent unnecessary information revelation to either the data holder or the model provider. We design an algorithm and the corresponding coding to evaluate the basic blocks for DNN inference with an oblivious transfer primitive, and the quantum protocol to implement the oblivious transfer, which requires low quantum capacity and is suitable for fairly noisy quantum channels.
Finally, we demonstrate the effectiveness of the proposed approach for basic operators and DNN inference tasks through extensive experiments on the IBMQ quantum computer [32]. We also validate our method's effectiveness on large DNNs using quantum simulators with several DNN models for different tasks, including general image and medical image classifications. We show that our approach enables secure inference for mainstream DNN models and common machine learning tasks.

Quantum protocol for oblivious transfer
For DNN inference in an unconditionally secure manner in the real world, a practical secure quantum cryptographic primitive has to be established first. Here we propose a quantum oblivious transfer (QOT) protocol that is applicable to commercially available quantum infrastructures with limited fidelity and quantum capacity, and provide a theoretical security guarantee. Figure 2a shows the schematic diagram of one-out-of-two oblivious transfer, a certain type of oblivious transfer, where a sender (say Alice) prepares and transfers two one-bit messages $b_0$ and $b_1$ to a receiver (say Bob). Bob can choose to learn either one of the two messages, $b_s$, $s \in \{0, 1\}$, but learns nothing about the remaining one $b_{1-s}$. Obviously, Alice can also prepare two Bernoulli distributions $B_0$ and $B_1$, and send the samplings of these two distributions as messages.
The MLC no-go theorem implies that the ideal one-sided two-party oblivious transfer cannot be unconditionally secure, with either classical or quantum methods [14,16,33]. Hence, we adopt a three-party model where any party can be dishonest, but the third party cannot collude with the communicating parties. We will elucidate why this assumption does not violate the requirements of unconditional security. To achieve the concept of oblivious transfer, we refer to this third party as Trent.
In our method, Trent serves as a quantum state generator not directly involved in the computation. We first assume that Trent can operate the Hadamard gate $H$, the Toffoli gate $CCNOT$, and the Pauli X gate $X$, while Alice and Bob can measure the quantum state. During computing, we suppose that Trent can be fully dishonest but does not collude with any of the other participants, which is a feasible setting, because Trent's dishonesty can be detected by Alice and Bob in certain pre-agreed ways (see Supplementary Information S1). Trent only uses public and unconditionally secure channels, and therefore such checking will not affect the security. Note that all unidirectional communications of classical information are implemented in a strictly confidential manner, which has been confirmed to be feasible with Quantum Key Distribution [26].
The entire process can be divided into three stages: state preparation, validation and transfer. For the state preparation stage, Trent prepares a sequence of entangled quantum states and sends the entangled pairs to Alice and Bob. First, Trent generates a sequence of identical states $\{|\psi_{ab}\rangle\}$ in the state space for four qubits $\mathcal{H}$, such that each state satisfies where a 4-qubit quantum state is written as a summation of tensor products of pairs of two-qubit quantum states. The first part is represented using the corresponding binary values (e.g., $|1\rangle \otimes |1\rangle$ is written as $|3\rangle$), while the second part is depicted using conventional notation (e.g., $|1\rangle \otimes |1\rangle$ is written as $|1, 1\rangle$). The quantum circuit to generate such a state is shown in Fig. 3b. Each state is split into two sub-states (1) where $|\psi_a\rangle \in \mathcal{H}_a$, $|\psi_b\rangle \in \mathcal{H}_b$, and $\mathcal{H}_a$, $\mathcal{H}_b$ are two-dimensional subspaces of $\mathcal{H} = \mathcal{H}_a \otimes \mathcal{H}_b$. Then, Trent sends the entangled states $|\psi_a\rangle$, $|\psi_b\rangle$ to Alice and Bob, respectively, and repeats this process $n$ times until both Alice and Bob separately get a sequence of quantum states. In this stage, the decoy bits technique [34] is applied to prevent eavesdropping by outside attackers, which is achieved by inserting decoy particles randomly selected in $|0\rangle$, $|1\rangle$, $|+\rangle$, and $|-\rangle$ into the particles prepared for sending to Alice and Bob. Trent will then publish the insertion location and the measurement bases of the decoy particles. If an eavesdropper tries to measure the states sent by Trent, some of the decoy particles will not be at the eigenstates of the measurement bases, and this will change the states of the decoy particles. Then Alice and Bob will find that the states of the decoy particles do not match the expected results, and the eavesdropper will be detected. After that, the decoy particles are discarded for the next stage.
For the validation stage, Alice and Bob receive the corresponding states and randomly choose some of the states for validation. Alice and Bob measure the bits of $|\psi_{ab}\rangle$ chosen for validation with the Pauli Z matrix ($|1\rangle\langle 1| - |0\rangle\langle 0|$). Note that the four bits should follow the one-out-of-two oblivious transfer relationship among $b_0$, $b_1$, $s$, and $b_s$. Alice and Bob share the indices of states for validation, and exchange the measurement results of the states they both selected for validation. If the portion of results following the one-out-of-two oblivious transfer relationship is less than a pre-agreed threshold based on the channel noise, Alice and Bob would find the protocol to be unreliable and abort the protocol. Otherwise, Alice and Bob will preserve a sub-sequence of the quantum states that neither of them selected for validation, for the next stage. We denote such sub-sequences Alice and Bob kept as $S_a = \{|\psi_a\rangle_i\}_{i=0}^{n}$ and $S_b = \{|\psi_b\rangle_i\}_{i=0}^{n}$, respectively.
The final stage is transfer, where Bob measures the quantum states in $S_b$ and saves the indices of states whose first bit is $s$, $s \in \{0, 1\}$. The index set of states chosen by Bob is denoted as $I_b$. If $I_b$ is empty, Bob claims the process has failed and all parties start over from the state preparation stage. Otherwise, Bob sends $I_b$ to Alice. Alice measures the states in $S_a$ at the indices in $I_b$, and stores the indices where the measurement result is equal to $2b_1 + b_0$ as $I_a$. Finally, Alice randomly chooses an index $i_a$ in $I_a$ and sends it to Bob. The second bit of Bob's measurement at position $i_a$ is the output of the QOT process. The overall process is depicted in Fig. 2b and introduced in more detail in the Supplementary Information S1.
The output bit is the QOT output for the following reason. Denoting the measurements of the $i_a$-th sub-states as $M^{i_a}_{a1}$, $M^{i_a}_{a2}$, $M^{i_a}_{b1}$, and $M^{i_a}_{b2}$, respectively, we have $M^{i_a}_{b1} = s$ and $2M^{i_a}_{a1} + M^{i_a}_{a2} = 2b_1 + b_0$. According to Eq. (1), we have $M^{i_a}_{b2} = b_s$.
(2) Note that, since neither our protocol itself nor its security proof depends on the low error rate assumption, QOT can tolerate high error rates (noise levels) in quantum computing and quantum communication. In particular, our protocol passes the error in quantum computing and quantum channels to the next step for DNNs to deal with. Therefore, the overall noise tolerance level only depends on the noise tolerance of DNNs, which can be set by manually introducing noise during DNN training. This is explicitly discussed in Methods.
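The validation and transfer stages can be traced on classical measurement records; the following is an added example, not code from the paper or its supplementary material. It assumes that measuring an honest state gives uniformly random $b_0$, $b_1$, $s$ with Bob's second bit equal to $b_s$, models a dishonest Trent as sending states that ignore that relationship, checks every state either party selected, and restarts when $I_a$ is empty; all function names are hypothetical.

```python
import random

class ProtocolAbort(Exception):
    """Raised when the validation stage rejects Trent's states."""

def trent_states(n, rng, honest=True, noise=0.0):
    """Z-basis outcomes of n four-qubit states, as (alice, bob) lists.

    Assumption: an honest state gives uniformly random b0, b1, s and
    Bob's second bit equal to b_s. A dishonest Trent is modelled as
    sending states whose last bit is unrelated to the others.
    """
    alice, bob = [], []
    for _ in range(n):
        b0, b1, s = (rng.randint(0, 1) for _ in range(3))
        out = (b1 if s else b0) if honest else rng.randint(0, 1)
        if rng.random() < noise:          # gate or channel error
            out ^= 1
        alice.append(2 * b1 + b0)         # Alice's qubit pair read as 2*b1 + b0
        bob.append((s, out))              # Bob's qubit pair read as (s, b_s)
    return alice, bob

def follows_ot(a, b):
    """True if Alice's value a = 2*b1 + b0 and Bob's (s, out) give out == b_s."""
    s, out = b
    return out == ((a >> 1) & 1 if s else a & 1)

def qot(b0, b1, s, n=128, threshold=0.9, rng=None, honest=True, noise=0.0):
    """Bob obtains b_s from Alice's (b0, b1); aborts if validation fails."""
    rng = rng or random.Random()
    while True:
        alice, bob = trent_states(n, rng, honest, noise)
        # Validation: each party picks a quarter of the states to check.
        checked = set(rng.sample(range(n), n // 4)) | set(rng.sample(range(n), n // 4))
        good = sum(follows_ot(alice[i], bob[i]) for i in checked)
        if good < threshold * len(checked):
            raise ProtocolAbort(f"{good}/{len(checked)} states follow the OT relation")
        kept = [i for i in range(n) if i not in checked]
        # Transfer: Bob announces the indices whose first bit equals his choice s.
        I_b = [i for i in kept if bob[i][0] == s]
        # Alice keeps those where her outcome encodes her actual messages.
        I_a = [i for i in I_b if alice[i] == 2 * b1 + b0]
        if not I_a:
            continue                      # nothing usable: start over
        i_a = rng.choice(I_a)             # Alice sends one index back
        return bob[i_a][1]                # Bob's second bit at position i_a
```

Neither index set reveals the private inputs in this model: $I_b$ is fixed by Bob's random first bits and $i_a$ by Alice's random outcomes, while the threshold decides how much channel noise is accepted before the run is abandoned.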

Implementing deep neural networks with quantum-aided blocks
To compose a DNN model with the QOT primitive, the basic blocks of DNN models have to be implemented first. As shown in Fig. 2b, the basic DNN blocks are affine transformations naturally composed of vector inner product and vector addition where Theoretically, a QOT protocol enables us to conduct certain kinds of secure two-party computation with a noisy channel. Here we show how to implement secure vector inner product with our QOT protocol, and the implementation of secure vector addition is shown in Methods. The process contains encoding, secure computation, and decoding. All unidirectional communications are assumed to be strictly confidential.
Say Alice holds a vector $\vec{u} = (u_1, u_2, \ldots, u_m)$ such that $u_i > 0$, $u_i < 1$, $i = 1, 2, \ldots, m$, and Bob holds Each of the vectors corresponds to a categorical distribution of a one-hot binary vector. For example, we have an m-dimensional binary vector $\vec{B}_u = (0, 0, \ldots, 1, \ldots, 0)$, Treating the computation of $\vec{u} \cdot \vec{v}$ as an example, for encoding, Alice first samples a binary vector $b_a$ according to $u$ and so does Bob. Alice encodes the binary vector with a random binary one-time pad $k$, Then Alice prepares a sequence of encoded AND gates with QOT $(OT_1, OT_2, \ldots)$ to compare Alice's encoded binary vector with Bob's, where $OT_n$ represents an oblivious transfer operation that returns the corresponding value. Each encoded AND takes encoded bits as input and outputs the encoded results, which follows For secure computation, Bob evaluates the sequence of the oblivious transfer gates with his own binary vector $b_b$ and gets Bob's output is obtained with an exclusive-or computation (exclusive or) on $c$. Similarly, Alice computes the decoding key with on $k$. Bob's and Alice's results are respectively given as The final output of secure computation is given by For decoding, the final multiplication result is obtained either by Alice sending $k$ to Bob or by Bob sending $c$ to Alice. The inner product, as the final computation object, $\vec{u} \cdot \vec{v}$ is given by the probability below.
implying that we can sample the binary value of the vector inner product with this process. A single binary evaluation is called a shot, and a more accurate result can be obtained by repeating the process above for more shots. More details about the implementation of other operators for DNNs are demonstrated in Methods. An outline of a two-dimensional affine transformation based on QOT is shown in Fig. 3.
According to the discussion above, we have the basic building blocks for secure deep learning via QOT. These provide us with an operator set for DNNs, and the next step is to set up a neural network with such operators. The general architecture of quantum-aided DNNs is shown in Fig. 2, which is divided into the operator and network layers. Figure 2a,b show the operator layer of quantum-aided DNNs. First, QOT and quantum secure communication make up the basic operator set, including secure inner product and secure addition. By composing the basic operators, we have an operator set consisting of affine transformations. Figure 2c,d show the network layer of quantum-aided DNNs. A DNN can be composed of affine transformation blocks. Some layers can still be evaluated with classical computing for speed, and the rest are evaluated with the quantum protocol to ensure security.
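The encode, compute, decode sequence above can be run shot by shot; this is an added example, not the authors' implementation. Because the page does not reproduce the encoding formulas, it assumes the usual OT-based encoded AND (Alice offers $k_i$ and $k_i \oplus b_{a,i}$, Bob selects with $b_{b,i}$), models each oblivious transfer as an ideal one whose output flips with probability `eps`, and goes one step further by undoing the resulting bias with the exact odd-number-of-flips probability rather than the paper's own correction formula; the vectors and all names are constructed.

```python
import random
from functools import reduce
from operator import xor

# Constructed three-dimensional inputs whose inner product is 0.3.
U, V = (0.5, 0.2, 0.2), (0.4, 0.3, 0.2)

def noisy_ot(m0, m1, choice, eps, rng):
    """Ideal 1-out-of-2 OT; the delivered bit is flipped with probability eps."""
    return (m1 if choice else m0) ^ int(rng.random() < eps)

def sample_one_hot(p, rng):
    """Binary vector with at most one 1; P(bit i is set) = p[i]."""
    r, acc, vec = rng.random(), 0.0, [0] * len(p)
    for i, p_i in enumerate(p):
        acc += p_i
        if r < acc:
            vec[i] = 1
            break
    return vec

def shot(u, v, eps, rng):
    """One binary evaluation of u . v; returns (Bob's share, Alice's share)."""
    b_a, b_b = sample_one_hot(u, rng), sample_one_hot(v, rng)
    k = [rng.randint(0, 1) for _ in u]          # Alice's one-time pad
    # Encoded AND via OT (assumed encoding): Alice offers (k_i, k_i XOR b_a[i]),
    # Bob selects with b_b[i] and receives c_i = k_i XOR (b_a[i] AND b_b[i]).
    c = [noisy_ot(k[i], k[i] ^ b_a[i], b_b[i], eps, rng) for i in range(len(u))]
    return reduce(xor, c), reduce(xor, k)

def inner_product(u, v, shots=2000, eps=0.0, rng=None):
    """Fraction of shots whose decoded bit is 1, an estimate of u . v."""
    rng = rng or random.Random()
    ones = 0
    for _ in range(shots):
        bob_share, alice_share = shot(u, v, eps, rng)
        ones += bob_share ^ alice_share         # decoding: combine c and k
    return ones / shots

def flip_rate(m, eps):
    """Probability that an odd number of the m OT outputs were flipped."""
    return (1 - (1 - 2 * eps) ** m) / 2

def correct(p_noisy, m, eps):
    """Invert p_noisy = p * (1 - 2q) + q, with q = flip_rate(m, eps)."""
    q = flip_rate(m, eps)
    return (p_noisy - q) / (1 - 2 * q)

if __name__ == "__main__":
    rng = random.Random(3)
    noisy = inner_product(U, V, shots=2000, eps=0.02, rng=rng)
    print("noisy estimate:", noisy, "corrected:", correct(noisy, len(U), 0.02))
```

Bob's share alone is a uniformly random bit because every $c_i$ is masked by $k_i$; only the combination of both shares carries the sampled product bit.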

Simulation and experiment results
We implemented the QOT gate on both real quantum computers on the Cloud and noisy classical quantum simulators. In this Article we used a quantum computer from the IBM Quantum Experience Program [35] to validate QOT's core characteristics, including the introduced noise. The error rate for a single QOT operation is 0.179, and more details are given in Methods. Additionally, the error rate can be further reduced with an application-specific quantum computer like a photon computer.
First, the computation error of the basic blocks was evaluated. Figure 4a illustrates the products of three-dimensional vector multiplication using simulated quantum systems with different CNOT error levels, where the ideal product is 0.3. It is obvious that the products disperse as the CNOT error increases, and converge to the ideal product when the shot number increases. To achieve an acceptable product error, we take 2000 shots of evaluations for each DNN inference to balance the resource usage and accuracy. The error rate also limits the scale of affine transformations. Although the product error can be corrected by adjusting parameters (see Methods), a higher error rate does introduce higher noise to the result. Specifically, we applied an affine transformation with five-dimensional inputs as the basic secure operator in the experiment.
For real quantum computer validations, we used a fully connected neural network for the binary MNIST classification task [36], where the model was trained on 12,000 handwritten 0 and 1 digits and validated on 2000 digits. Our model comprised an input layer with 784 (28 × 28) neurons, three hidden layers with 512, 128 and five neurons respectively, and a 5 × 2 fully connected output layer. The output layer was implemented with the quantum protocol. The model was trained with classical backpropagation and tested (inference) with quantum-aided evaluation. According to Fig. 4c, the classical-quantum hybrid model identifies the digits without a noticeable classification accuracy loss.
We also conducted extensive simulations with the Qiskit linear-algebra-based simulator to demonstrate our protocol's applicability to larger DNNs with special-purpose quantum infrastructures. The noise was imported so that the final oblivious transfer error rate was $5 \times 10^{-3}$, under which the input width of the neural network can be up to 100. We used a modified AlexNet [37] to classify the CIFAR-10 dataset [38] in simulations, which is a common image classification benchmarking setting. The modified AlexNet consists of five convolutional layers and three fully connected layers with widths 100, 84, and 10, respectively. The last two layers were implemented with the quantum protocol. The classical-quantum hybrid model was trained for 10 epochs when the accuracy converged. The accuracy of the quantum and classical models is compared in Fig. 4d and the result is also summarized in Table 1, implying that the quantum-aided model brings little accuracy loss (less than 2%).
To further validate our approach on real-world sensitive data, we conducted simulations on the common dataset for medical image classification, MedNIST [2]. The noise was imported so that the CNOT error rate was $5 \times 10^{-2}$, comparable to that of the available quantum infrastructure [39]. A modified AlexNet with two convolutional layers and four fully connected layers with widths 120, 84, 12 and 6, respectively, was adopted as the classifier. The last two layers were implemented with the quantum-aided protocol. The model was trained for 10 epochs. The classification results and accuracy curve are illustrated in Fig. 4b,e, demonstrating that our method has comparable performance with the classical DNN model on real medical images. The experimental results above are summarized in Table 1, showing that the loss brought by our quantum protocol is insignificant (≤ 1.58%) in these tasks.

Discussion
In summary, we propose a methodology for secure DNN inference augmented by quantum technology, utilizing commercially available quantum computing infrastructures. Our approach introduces a classical-quantum hybrid architecture to implement DNNs while ensuring secure inference. Notably, we present a Quantum Oblivious Transfer (QOT) protocol that has been proven to be unconditionally secure, forming the basis for a fundamental set of operators supporting secure DNN inference.
In principle, our work demonstrates the advantages of quantum information technologies in achieving unconditional security for DNN inference, primarily by involving an untrusted third party. However, it's important to note that the fidelity of quantum computing and quantum channels can impact the efficiency of our method. This challenge may be particularly pertinent when applying our approach to large DNN models using commercially available quantum infrastructures [31]. Future research and development efforts will enable the extension of our methodology to handle larger and more complex DNNs with additional layers and diverse operators. Ultimately, our work represents an exciting initial step towards achieving unconditionally secure deep learning, offering promising prospects for the intersection of quantum technology and machine learning security.

Implementation of quantum oblivious transfer
We implemented our quantum circuit with the Qiskit framework and the ibmq_santiago cloud quantum computer provided by IBM Quantum Experience. The ibmq_santiago has five qubits, which is sufficient for our protocol, which requires four qubits, and the average error rate of the CNOT gate is $6.746 \times 10^{-3}$. The Toffoli gate used in the quantum circuit was implemented with single-bit quantum gates and CNOT gates. The decomposition of the proposed QOT circuit is shown in Fig. 5. For both the real quantum computer and the quantum simulator, the quantum circuit was built and executed with the Qiskit Python quantum programming framework [40].

Security of quantum oblivious transfer
In this part, we demonstrate that the proposed Quantum Oblivious Transfer (QOT) protocol remains secure against any malicious adversaries, as long as Trent does not engage in collusion with any party. We begin by assuming the confidentiality of quantum channels among all parties, employing established techniques such as decoying and privacy amplification for securing quantum channel establishment [34]. These security measures can be implemented through the use of quantum decoy particles or via quantum teleportation across a confidential classical channel [34,41]. Notably, we emphasize that classical communication between Alice and Bob is kept Moreover, as eavesdropping cannot yield any more valuable information, collusion between participants and an eavesdropper is tantamount to an attack by a single participant.
Regarding attacks from participants, we first consider Trent's attempt to pilfer information. Trent may act dishonestly and deviate from the protocol by preparing states entangled with Trent's personal state $|f(b_1, b_0, s)\rangle$: In this case, Trent might gain access to Alice's or Bob's measurement results. However, Trent can only ascertain the exact values of $b_0$, $b_1$, or $s$ if and only if Trent possesses knowledge of indices $I_a$ ($I_b$). Nevertheless, the transmission of states in the QOT protocol is presumed to occur via strictly confidential channels, such as a one-time pad with quantum key distribution. Consequently, Trent can glean no information about Alice's or Bob's private data, but only a sequence of random bits resulting from Trent's entanglement attack.
Next, we consider the possibility of an attack from either Alice or Bob attempting to intercept quantum communication between the other party and Trent. However, this scenario is equivalent to an external attack, which has already been demonstrated to be infeasible above. The sole information available is derived from $I_b$ or $i_a$. Importantly, for $c \in \{0, 1\}$, the conditional probabilities $P(s = c \mid I_b)$ and $P(b_{s-1} = c \mid I_b, i_a)$ consistently hold at $\frac{1}{2}$, ensuring that no unnecessary information leaks from $I_b$ or $i_a$.

Secure evaluation for basic blocks of DNNs
The secure evaluation of matrix multiplication is introduced in Results.Here we introduce the secure evaluation for vector addition.
The process is similar to secure vector multiplication. Suppose that Alice holds an m-dimensional vector $u$ such that $u_i > 0$, $u_i = \gamma < 1$, and similarly Bob holds $v$ with the same property. In the encoding stage, Alice samples a binary vector $b_a$ according to $u$, and so does Bob, in the same way as in secure vector multiplication. Bob's vector is encoded with a binary one-time pad $k_b$ that is only known to Bob, Alice also holds a secret one-time pad $k_a$, then prepares a sequence of encoded OR gates to simulate the addition with QOT $(OT_1, OT_2, \ldots, OT_m)$. Each encoded OR gate follows (10) In the secure computing stage, Bob evaluates the sequence of the oblivious transfer gates with his own binary vector and gets In the final decoding stage, Alice could either send the key $k_a$ to Bob to reveal the computation result, or keep the output encoded as the input for the next secure operator.
As mentioned above, in both the addition and multiplication settings, the vectors are required to be non-negative, and the L1-norm of the vector should not exceed $\gamma$, which is not mathematically complete for building a general neural network. However, a common neural network can be built with limited operators without losing accuracy using weight clamping and scaling [42], which is applied in this Article.

The impact of QOT noise for inference
Here the impact of noise in QOT for inference is analyzed. As long as the oblivious transfer error rate $\epsilon$ satisfies $2m\epsilon \ll 1$, the final approximate result follows (see Supplementary Information S1) where is the computation error rate, which follows Thus, the corrected final result follows Usually, such a probabilistic approximation can bring substantial noise to computation. However, due to the noise tolerance of DNNs, the computation errors incur little to no degradation of accuracy as long as the noise caused by computation errors is below a threshold. Assuming that the maximum noise tolerance of the DNN layer after the quantum-aided block is given in the form of max variance $\sigma_{\max}$ of the noise, the upper bound of the computation error rate is (see Supplementary Information S1) During the training of the DNN model, first, a noise tolerance requirement is estimated according to Eq. (17). Then the corresponding Gaussian noise is added to the quantum-aided blocks of the DNN model to enhance the noise tolerance of DNNs [43]. The trained DNN model is tolerant to noise lower than the additional noise, which guarantees that the DNN model can handle the noise brought by quantum errors with a lower level in terms of standard deviation of noise.

Figure 1. Securing DNN inference with (a) QOT and (b) classical two-party secure computing. In the secure inference with QOT, the data holder (Alice) and the model provider (Bob) collaborate by measuring the entangled pairs from the third party (Trent) and exchanging the index of some of their measurements, while in the classical case Alice sends encrypted data to Bob.

Figure 2. The architecture of quantum-aided secure DNN inference. (a) The basic component of quantum-aided secure DNN inference is QOT. (b) The basic operator is securely evaluated with QOT, and the affine transformation is composed with the basic operators. (c) The neural network is implemented with affine transformations as the basic blocks. (d) Complex DNNs are split into classical layers and quantum layers. Layers considered to be sensitive (e.g., the layer that directly outputs the result) are implemented with QOT to avoid privacy leakage.

Figure 3. Overview of affine transformation based on QOT. (a) The flow chart of 2-dimensional affine transformation. First, Alice prepares input x and Bob prepares A and b. Then the matrices are scaled so that the norms of matrices are lower than 1, and are sampled as input binary matrices. The secure affine transformation is conducted through encoding and encoded operations based on QOT. (b) The diagram of encoded AND gate implementation based on QOT. Trent sends entangled pairs. Alice and Bob perform the encoded AND by transmitting the indices. (c) The quantum circuit for Trent to prepare entangled pairs.

Figure 4. The experiment results on real quantum computer and simulator. (a) The computation results for QOT-based vector product. (b) Classification results of medical images in MedNIST dataset. (c-e) The classification accuracy curves on MNIST, CIFAR-10 and MedNIST, respectively.

Figure 5. The implementation of the quantum oblivious transfer circuit.
We claim that QOT is unconditionally secure, because neither Alice nor Bob can interfere with Trent's state generations, making attacks from Alice or Bob impossible. Meanwhile, as Bob's or Alice's measurement results alone contain no secret information, Trent gets no information by attacking Alice or Bob. The formal security proof is demonstrated in Methods.

Table 1. The accuracy of quantum-aided DNNs compared with classical DNNs.