A Cross-layer Provenance-Protection Architecture for Repeated Quantum Measurements in the Cloud
Abstract
Quantum cloud users access remote processors through classical measurement transcripts. The repeated shots that are operationally required for reliable quantum readout can systematically resolve microscopic, quasi-static hardware variations into stable statistical fingerprints. On IBM superconducting processors, we show that a transcript-only adversary can identify the backend with up to $89.3\%$ attack success rate at $T = 20$ repetition rounds under multi-interface aggregation. This exposes a privacy locus mismatch: many channel-centric quantum privacy formulations regulate distinguishability at the level of quantum states or channels, whereas the operational attack in Quantum-Computing-as-a-Service (QCaaS) targets repeated classical transcripts and the latent service provenance they reveal after measurement. We therefore formulate privacy for repeated quantum workloads as a cross-layer provenance-protection problem. We protect the latent service provenance behind a released transcript, namely the service provenance that jointly reflects backend realization and serving context in QCaaS settings where this provenance is not fully disclosed to the observing party. At the measurement interface, we formulate Measurement-Agnostic Quantum Differential Privacy (MA-QDP) as an operational transcript-level privacy criterion for repeated quantum workloads, uniform over physically admissible POVMs and arbitrary classical post-processing. MA-QDP specifies the privacy locus and protected secret appropriate to QCaaS transcript release, and is instantiated via atomic outcome randomization before aggregation. At the orchestration layer, we incorporate context decorrelation to suppress persistent linkage of repeated sessions to a stable service provenance. 
In controlled simulations, the integrated framework suppresses provenance inference under realistic shot budgets while preserving task-relevant information, yielding a favorable privacy-utility frontier compared to channel-level and classical-level perturbations. Together, our results identify repetition as an intrinsic fingerprint amplifier in QCaaS and motivate a cross-layer provenance-protection architecture for secure, repeated quantum workloads.
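An added illustration, not code from the preprint: a toy model of repetition as a fingerprint amplifier and of per-shot outcome randomization applied before aggregation. The bias values, the shot count and the use of classical randomized response (each bit flipped with probability q) as the randomization are assumptions; the abstract does not specify the mechanism.

```python
import math

# Constructed toy model, not measured data: two backends whose readout of |0>
# returns 1 with slightly different probabilities (P_A, P_B are assumptions).
P_A, P_B, SHOTS = 0.020, 0.022, 1024

def binom_pmf(n, p):
    """Exact Binomial(n, p) pmf, evaluated in log space to avoid overflow."""
    lg = math.lgamma
    return [math.exp(lg(n + 1) - lg(k + 1) - lg(n - k + 1)
                     + k * math.log(p) + (n - k) * math.log1p(-p))
            for k in range(n + 1)]

def flip(p, q):
    """P(released bit = 1) when each shot is flipped independently with prob. q."""
    return p * (1 - q) + (1 - p) * q

def attack_success(rounds, q=0.0, p_a=P_A, p_b=P_B, shots=SHOTS):
    """Bayes-optimal success (equal priors) of naming the backend from the
    transcript. Shots are i.i.d. here, so the count of 1s is sufficient."""
    n = rounds * shots
    pmf_a, pmf_b = binom_pmf(n, flip(p_a, q)), binom_pmf(n, flip(p_b, q))
    tv = 0.5 * sum(abs(a - b) for a, b in zip(pmf_a, pmf_b))
    return 0.5 + 0.5 * tv

def per_shot_epsilon(q):
    """flip(p, q) lies in [q, 1-q] for every p, so one released bit has a
    likelihood ratio of at most (1-q)/q whatever distribution produced it."""
    return math.log((1 - q) / q)

def debias(freq, q):
    """User-side correction: recover the unflipped frequency when q is known."""
    return (freq - q) / (1 - 2 * q)

if __name__ == "__main__":
    for q in (0.0, 0.1, 0.25):
        row = [round(attack_success(t, q), 3) for t in (1, 5, 20)]
        print(f"q={q:<4} success at T=1,5,20: {row}")
    print("epsilon per shot at q=0.1:", round(per_shot_epsilon(0.1), 3))
```

In this model the attack success rises with T and falls as q grows; the figures it prints are properties of the toy model, not the paper's results.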