🤖 AI Summary
This work addresses a critical privacy vulnerability in quantum cloud computing, where finite noisy samples from hardware backends can inadvertently leak identifiable “fingerprints” that compromise the anonymity of both users and providers. The study introduces, for the first time, the notion of “routing anonymity” as a formal security requirement and develops a theoretical framework to model backend identifiability as a hypothesis testing problem. By leveraging Chernoff bounds and Pauli transfer matrix analysis, the authors identify intermediate circuit depth as a key window for fingerprint emergence. Empirical validation on Amazon Braket across trapped-ion and superconducting processors demonstrates cross-backend classification accuracy of 87–100%, confirming the robustness of these identity fingerprints and substantiating the proposed trade-off between utility and anonymity.
📝 Abstract
Present-day quantum computing is cloud-based, where a user submits a circuit to a service provider's proprietary backend hardware. While providers may wish to hide implementation details, scheduling choices, or even which physical device was used, noisy finite-shot outputs can carry backend-specific fingerprints: information imprinted in the classical output distribution that can reveal the backend identity. So far, such fingerprints have mostly been studied from a benchmarking perspective, with limited attention to privacy considerations for users and providers. This work develops the first formal framework for backend identifiability and its privacy implications. We introduce a backend-identifiability game and use it to formalise routing anonymity as a security notion for quantum cloud services. We show that backend identifiability is a hypothesis-testing problem and prove that, under passive i.i.d. access to a single backend, routing anonymity decays exponentially at the Chernoff rate. We also establish a utility-anonymity trade-off, imposing fundamental limits on how much backend-specific information can be removed from classical outputs without degrading their usefulness. In addition, we observe that, for noisy quantum hardware, identifying fingerprints are inherently an intermediate-depth phenomenon, and establish a depth principle using Pauli-transfer-matrix tools. We complement the theory with experiments on Amazon Braket on AWS, using ion-trap and superconducting quantum processors. We observe 87-90% classification between superconducting backends and 96-100% classification across physical platforms, and find that identifiability can survive natural forms of post-processing. Overall, these results establish routing anonymity as a distinct security requirement for quantum cloud computing, and provide a framework for quantifying and controlling the utility-anonymity trade-off.