Prospects of Privacy Advantage in Quantum Machine Learning

  • 2024-05-14 18:49:18
  • Jamie Heredge, Niraj Kumar, Dylan Herman, Shouvanik Chakrabarti, Romina Yalovetzky, Shree Hari Sureshbabu, Marco Pistoia

Abstract

Ensuring data privacy in machine learning models is critical, particularly in distributed settings where model gradients are typically shared among multiple parties to allow collaborative learning. Motivated by the increasing success of recovering input data from the gradients of classical models, this study addresses a central question: How hard is it to recover the input data from the gradients of quantum machine learning models? Focusing on variational quantum circuits (VQC) as learning models, we uncover the crucial role played by the dynamical Lie algebra (DLA) of the VQC ansatz in determining privacy vulnerabilities. While the DLA has previously been linked to the classical simulatability and trainability of VQC models, this work, for the first time, establishes its connection to the privacy of VQC models. In particular, we show that properties conducive to the trainability of VQCs, such as a polynomial-sized DLA, also facilitate the extraction of detailed snapshots of the input. We term this a weak privacy breach, as the snapshots enable training VQC models for distinct learning tasks without direct access to the original input. Further, we investigate the conditions for a strong privacy breach where the original input data can be recovered from these snapshots by classical or quantum-assisted polynomial time methods. We establish conditions on the encoding map such as classical simulatability, overlap with DLA basis, and its Fourier frequency characteristics that enable such a privacy breach of VQC models. Our findings thus play a crucial role in detailing the prospects of quantum privacy advantage by guiding the requirements for designing quantum machine learning models that balance trainability with robust privacy protection.

 
