AI summaryⓘ
The authors study how quantum computers accessed over the cloud can reveal which specific backend device processed a user's computation, even when providers want to keep that secret. They create a formal game to measure how easily the backend can be identified from output data, linking this to users' privacy and security. Their math shows it's possible to guess the backend with high confidence, but hiding backend details too much can reduce the usefulness of the output. They also find that these identifying features appear mainly at certain circuit depths. Experiments on real quantum hardware confirm these identification chances. Their work highlights the need to protect 'routing anonymity' in quantum cloud services while balancing privacy and utility.
Quantum computingCloud quantum servicesBackend identifiabilityRouting anonymityHypothesis testingChernoff rateNoisy intermediate-scale quantum (NISQ) devicesPauli transfer matrixQuantum circuit depthQuantum hardware fingerprinting
Abstract
Present-day quantum computing is cloud-based, where a user submits a circuit to a service provider's proprietary backend hardware. While providers may wish to hide implementation details, scheduling choices, or even which physical device was used, noisy finite-shot outputs can carry backend-specific fingerprints: information imprinted in the classical output distribution that can reveal the backend identity. So far, such fingerprints have mostly been studied from a benchmarking perspective, with limited attention to privacy considerations for users and providers. This work develops the first formal framework for backend identifiability and its privacy implications. We introduce a backend-identifiability game and use it to formalise routing anonymity as a security notion for quantum cloud services. We show that backend identifiability is a hypothesis-testing problem and prove that, under passive i.i.d. access to a single backend, routing anonymity decays exponentially at the Chernoff rate. We also establish a utility-anonymity trade-off, imposing fundamental limits on how much backend-specific information can be removed from classical outputs without degrading their usefulness. In addition, we observe that, for noisy quantum hardware, identifying fingerprints are inherently an intermediate-depth phenomenon, and establish a depth principle using Pauli-transfer-matrix tools. We complement the theory with experiments on Amazon Braket on AWS, using ion-trap and superconducting quantum processors. We observe 87-90% classification between superconducting backends and 96-100% classification across physical platforms, and find that identifiability can survive natural forms of post-processing. Overall, these results establish routing anonymity as a distinct security requirement for quantum cloud computing, and provide a framework for quantifying and controlling the utility-anonymity trade-off.