Pith

open record

sign in
Browse

arxiv: 2607.06521 · v1 · pith:U4C477DY · submitted 2026-07-07 · quant-ph · cs.CR· cs.IT· math.IT

Differentially private quantum sensor networks

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 reserved 2026-07-08 02:55 UTCglm-5.2pith:U4C477DYrecord.jsonopen to challenge →

Figure 1
Figure 1. Figure 1: Schematic of the physical setup of the entangled [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] reproduced from arXiv: 2607.06521
classification quant-ph cs.CRcs.ITmath.IT PACS 03.67.-a03.67.Dd03.67.Lx
keywords quantumsensingprivacyprotocolsattacksdifferentialnetworknetworks
0
0 comments X

The pith

Quantum sensor networks can keep secrets and Heisenberg precision

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper proves that entangled quantum sensor networks, which use shared quantum states to measure averages of distributed parameters at precision scaling as 1/n-squared, are vulnerable to differencing attacks: an adversary who queries the network twice, once including and once excluding a target node, can isolate that node's individual parameter. To fix this, the authors introduce three differentially private sensing protocols that add calibrated noise to hide individual node data while preserving as much of the quantum sensing advantage as possible. The central object is the noisy Hamiltonian protocol, which injects noise directly into each node's local sensing Hamiltonian rather than adding noise after measurement. In its strongest form, assuming a constant fraction of nodes are honest and a shared randomness source is available, the protocol achieves constant-level differential privacy with arbitrarily small failure probability while retaining Heisenberg-limited 1/n-squared scaling of the mean-squared error, local implementability without a trusted curator, and resilience against both classical and quantum adversaries. The paper also shows that the GHZ state, optimal for sensing, is simultaneously the worst state for privacy, creating a structural tension between sensing optimality and information leakage.

Core claim

The authors show that differential privacy and Heisenberg-limited quantum sensing can coexist in a decentralized network if noise is injected directly into the sensing Hamiltonian at each node, provided a constant fraction of nodes are honest and a common source of randomness enables entanglement verification. The key mechanism is that locally sampled Gaussian noise, held fixed across sensing shots, aggregates in the released function estimate to a level sufficient for differential privacy, while the 1/n-squared variance reduction from entanglement is preserved because the noise averages as 1/n rather than accumulating. This resolves the apparent conflict between local differential privacy,.

What carries the argument

The noisy Hamiltonian protocol: each node replaces its local parameter theta_i with theta_i + eta_i, where eta_i is sampled from a Laplace or Gaussian distribution, before the parameter is coupled to the node's qubit in the GHZ state. Noise is sampled once and held fixed across all sensing shots for a given query. In the honest-fraction variant, the noise scale is calibrated so that the aggregate Gaussian noise from honest nodes in any sufficiently large queried subset meets the Gaussian mechanism's sensitivity threshold for (epsilon, delta)-differential privacy.

If this is right

  • Biomedical quantum sensor networks could estimate population-level statistics (e.g., infection rates) while provably hiding individual patient data, even against quantum adversaries.
  • Geophysical sensor networks owned by competing parties could measure aggregate resource quantities without revealing individual site data, enabling collaborative sensing without trust.
  • The finding that the GHZ state is worst-case for privacy suggests that alternative entangled states might offer better privacy-utility tradeoffs, opening a design space for privacy-optimized sensing states.
  • The structural analogy between local differential privacy noise scaling (1/sqrt(n) for local vs 1/n for global) and the sensing scaling (1/n standard quantum limit vs 1/n-squared Heisenberg limit) suggests a deeper connection between privacy noise geometry and quantum metrological bounds.

Load-bearing premise

The honest-fraction protocol's privacy guarantee depends on a common source of randomness being available for GH state verification, which is treated as a black box without an explicit protocol. If GHZ verification fails or the shared randomness is compromised, the privacy guarantee does not hold.

What would settle it

If an adversary can query a subset S containing only a single honest node (violating the |S| >= beta*n condition), the honest node's parameter is isolated with noise that vanishes as O(1/sqrt(n)), breaking the privacy guarantee entirely.

Figures

Figures reproduced from arXiv: 2607.06521 by Alexey V. Gorshkov, Daniel J. Spencer, Emil T. Khabiboulline, Gorjan Alagic, Kaiyan Shi.

Figure 2
Figure 2. Figure 2: Schematic of the differencing attack, the primary attack considered in this paper. The adversary (either a malicious [PITH_FULL_IMAGE:figures/full_fig_p012_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Centralized entangled sensor network protocol us [PITH_FULL_IMAGE:figures/full_fig_p013_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Decentralized entangled sensor network protocol [PITH_FULL_IMAGE:figures/full_fig_p017_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Probability of failure to achieve ε-differential privacy, δ, as a function of privacy level ε, for varying values of bits of precision K = 1 (blue), K = 2 (green) and noise level b = 0.2, 0.5, 1.0, 2.0. 2. Resampled noise ruins the sensing advantage In this subsection, we show that the protocol in which each node resamples their noise for every shot in the sensing protocol results in a variance for the fun… view at source ↗
read the original abstract

Quantum sensing is a promising technology capable of demonstrating clear advantage over comparable classical techniques for precise measurement. One application of quantum sensing is in function estimation, which can be done using a network of entangled quantum sensors, allowing for measurements with greater optimal sensitivity than unentangled sensing protocols. In cases where quantum sensor networks will be used to measure data that should remain private (e.g., biomedical data), it is imperative that these protocols include a privacy mechanism to hide sensitive information. In this work, we show that entangled sensor networks are vulnerable to certain privacy-violating attacks. To mitigate these attacks, we introduce secure sensing protocols endowed with differential privacy. We reconcile differential privacy with retaining Heisenberg-limited scaling, and introduce several protocols achieving varying balances between the two. We show that our main protocol, an $n$-node network sensing protocol that injects noise directly into the sensing Hamiltonian, exhibits a tradeoff between the desirable $O(1/n^2)$ Heisenberg scaling of the mean-squared error of the function estimate and the level of privacy attainable. Under assumptions on the network (a common source of randomness and a constant fraction of honest parties), we show that this protocol is locally implementable and achieves $(O(1), \delta)$-differential privacy for arbitrarily small $\delta$ while retaining Heisenberg scaling of the mean-squared error. We prove that our protocols are resilient to attacks by broad classes of classical and quantum adversaries, and find advantages in the privacy-utility tradeoff when using quantum techniques.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 7 minor

Summary. This paper introduces differentially private mechanisms for entangled quantum sensor networks, addressing a timely problem at the intersection of quantum metrology and data privacy. The authors consider estimation of the average function q(θ) = (1/n)Σθ_i using GHZ-state-based protocols. Three protocols are presented: (1) a global Laplace mechanism requiring a trusted curator (Sec. III), (2) a local noisy Hamiltonian protocol with a privacy-utility tradeoff parameterized by α (Sec. IV B), and (3) an honest-fraction variant using Gaussian noise that achieves simultaneous Heisenberg scaling and constant (ε, δ)-differential privacy under additional assumptions (Sec. IV C). The paper also demonstrates that naive randomized response destroys the sensing advantage (Sec. IV A), that resampled noise causes exponential variance blowup (Thm. 10, Appendix B 2), and that the GHZ state is among the worst for privacy yet optimal for sensing (Appendix A). The core differential privacy proofs (Thms. 6–9) correctly apply standard DP techniques (Laplace, Gaussian mechanisms, composition) to the quantum sensing setting, and the MSE calculations are straightforward and correct.

Significance. The paper makes a genuine contribution as, to my knowledge, the first explicit application of differential privacy mechanisms to entangled quantum sensor networks. The protocols are built from externally validated DP primitives (Laplace, Gaussian, composition theorem) cited to Dwork et al. and Vadhan, and the quantum hockey-stick divergence equivalence (Thm. 4) is cited to Hirche, Rouzé, and França. The honest-fraction protocol (Thm. 9) achieves a notable combination: Heisenberg-limited O(1/n²) MSE scaling with constant ε and arbitrarily small δ, under stated assumptions. The resampled-noise analysis (Thm. 10) provides a clean negative result with a closed-form variance expression. The GHZ worst-case-privacy analysis (Appendix A, Lemmas 1–3) is a nice structural observation connecting sensing optimality to privacy leakage. The hockey-stick divergence analysis (Appendix B 1) yields an improved ε = Θ((α−1)ln n) bound for the K=1 case, which is a concrete improvement over the generic bound. The paper is transparent about its assumptions and limitations, which is appropriate.

major comments (2)
  1. Theorem 9 (Sec. IV C): The privacy guarantee is proven only for the released aggregate estimate, not for arbitrary transcripts. The paper acknowledges this (Sec. IV C, after Eq. 148): the guarantee extends to arbitrary transcripts only 'when the verified GHZ implementation ensures that the honest parameters enter the adversary's view only through the aggregate phase.' This is a load-bearing structural assumption for the central claim of simultaneous Heisenberg scaling + constant privacy + local implementability. The gap between 'GHZ state is verified' and 'honest parameters enter adversary's view only through aggregate phase' is non-trivial: a verified GHZ state does not automatically prevent adversarial nodes from retaining quantum side information about individual honest parameters or deviating in measurement choices. The paper treats GHZ verification as a black box (Sec. IV, after Def
  2. Sec. IV, paragraph after Def. 17: The GHZ verification is left as a black box ('We treat this GHZ verification step as a black box and leave an explicit protocol tailored to our setting to future work.'). Given that the privacy guarantee of the fully optimal protocol (Thm. 9) depends on this step forcing honest parameters into the aggregate phase, the paper should at minimum state explicitly what properties the GHZ verification must satisfy beyond entanglement confirmation (e.g., no per-node side information leakage), and discuss whether existing verification protocols (e.g., Ref. [55]) provide these properties or whether additional cryptographic assumptions are needed. The current treatment leaves the reader unable to assess whether the central claim is achievable with known techniques.
minor comments (7)
  1. Table I: The 'All criteria of Def. 1?' column uses color coding (green/red/orange) that will not be visible in print or grayscale. Consider replacing with text indicators (e.g., 'Yes'/'No'/'Tunable') or a footnote.
  2. Eq. (131): The noise scale σ_ℓ involves the product of constants c, β, κ, ε, δ in a somewhat opaque way. A brief sentence explaining the role of each constant in the expression would improve readability.
  3. Sec. II D, Eqs. (53)–(59): The derivation of the adversary's success probability bound is correct but the connection between the abstract DP guarantee (Eq. 49) and the concrete sensing transcript is not immediately obvious. A sentence clarifying what T contains in each protocol (single estimate vs. multiple estimates vs. measurement outcomes) would help.
  4. Appendix B 1, Eq. (B21): The mapping t → 1/(θ_max − θ_min) is stated without full justification. A brief explanation of why this substitution is valid in the context of the bit-by-bit learning protocol would help.
  5. The paper uses 'ε_MSE' for mean-squared error, which could be confused with the privacy parameter ε. Consider using a different symbol (e.g., MSE or ε²_MSE) to avoid potential confusion.
  6. Sec. IV C, Eq. (148): The differencing attack discussion is important but somewhat buried. Consider cross-referencing this more prominently in the theorem statement or the protocol description (Alg. 4), since the subset-size restriction is load-bearing for privacy.
  7. References [27] and [39] appear to be 2025/2026 preprints; verify that these are the most recent versions and that any published versions exist.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for a careful and constructive report. The referee correctly identifies that the central claim of Theorem 9 (simultaneous Heisenberg scaling, constant privacy, and local implementability) depends on a structural assumption about GHZ verification that is currently treated as a black box. We agree that this gap should be addressed more explicitly in the manuscript. Below we respond to each major comment.

read point-by-point responses
  1. Referee: Theorem 9: The privacy guarantee is proven only for the released aggregate estimate, not for arbitrary transcripts. The gap between 'GHZ state is verified' and 'honest parameters enter adversary's view only through the aggregate phase' is non-trivial, since a verified GHZ state does not automatically prevent adversarial nodes from retaining quantum side information about individual honest parameters or deviating in measurement choices.

    Authors: The referee is correct that the gap between aggregate-output privacy and transcript-level privacy is non-trivial, and that GHZ verification alone does not automatically close it. In the current manuscript, we are transparent about this: the text after Eq. (148) explicitly states that the guarantee extends to arbitrary transcripts only 'when the verified GHZ implementation ensures that the honest parameters enter the adversary's view only through the aggregate phase.' We agree, however, that the manuscript does not sufficiently analyze what this condition requires. We will revise Sec. IV C to make the following points explicit. First, the aggregate-output guarantee of Theorem 9 is unconditional given the honest-fraction and CSR assumptions: the released noisy subset-average estimate is (ε, δ)-differentially private regardless of adversarial behavior, because the Gaussian noise contributed by honest nodes suffices to mask any single honest parameter's contribution. This part does not depend on GHZ verification. Second, the extension to arbitrary transcripts requires an additional structural property: that the adversary's quantum and classical view, after the honest nodes couple their parameters and measure, depends on the honest parameters only through the aggregate phase nq_S(θ). This is a stronger requirement than mere entanglement verification. Third, we will clarify the specific threats: (a) adversarial nodes retaining quantum side information about individual honest parameters would violate the aggregate-phase-only condition, and (b) adversarial deviation in measurement choices is already partially addressed by the post-processing theorem (Thm. 5), but only if the adversary's measurement acts on the post-coupling state where the honest parameter has already been co-m revision: partial

  2. Referee: Sec. IV, paragraph after Def. 17: The GHZ verification is left as a black box. Given that the privacy guarantee of the fully optimal protocol (Thm. 9) depends on this step forcing honest parameters into the aggregate phase, the paper should state explicitly what properties the GHZ verification must satisfy beyond entanglement confirmation, and discuss whether existing verification protocols provide these properties or whether additional cryptographic assumptions are needed.

    Authors: We agree that the manuscript should state explicitly what properties the GHZ verification must satisfy and discuss whether existing protocols provide them. We will add a new subsection or expanded paragraph in Sec. IV that addresses the following. (1) Required properties: Beyond confirming that the shared state is (close to) a GHZ state, the verification protocol must ensure that (a) adversarial nodes cannot retain quantum side information about individual honest parameters after the coupling phase—i.e., the honest parameters are encoded only in the global phase of the GHZ state, not in any local degree of freedom accessible to adversaries—and (b) the common source of randomness used for verification is not exploited by adversaries to learn honest parameters. (2) Existing protocols: The protocol of Pappa et al. (Ref. [55]) verifies multipartite entanglement resistant to dishonest parties and uses a common source of randomness, which aligns with our CSR assumption. However, that protocol verifies the state before parameter coupling; it does not, by itself, guarantee that adversarial nodes cannot retain side information during or after the sensing phase. Thus, existing verification protocols provide the entanglement confirmation but not the full aggregate-phase-only property. (3) Additional assumptions needed: To fully close the gap, one likely needs to combine GHZ verification with additional cryptographic primitives—e.g., a commitment scheme ensuring that honest nodes couple their parameters before receiving any information that could allow side-channel extraction, or a device-independent certification that the measurement bases are fixed. We will state clearly that the full realization of the aggregate-phase-only condition with known techniques is an open problem, and調 revision: partial

standing simulated objections not resolved
  • The complete characterization of a GHZ verification protocol that forces honest parameters into the aggregate phase—preventing all forms of quantum side information retention by adversarial nodes—remains an open problem. We can state the required properties and discuss existing protocols, but we cannot fully close this gap in the current manuscript. The aggregate-output privacy guarantee of Theorem 9 stands unconditionally, but the extension to arbitrary transcripts depends on resolving this open question.

Circularity Check

0 steps flagged

No circularity found

full rationale

The paper's derivation chain is self-contained and built on externally validated results. The three main protocols each follow standard differential privacy constructions applied to the quantum sensing setting: (1) The global Laplace mechanism (Thm. 6) applies the classical Laplace mechanism (Thm. 1, cited to Vadhan [45]) to the trusted-curator setting, with MSE computed by direct variance addition (Eqs. 66-76). (2) The noisy Hamiltonian protocol (Thm. 8) injects local Laplace noise into each node's parameter; privacy follows from the Laplace mechanism plus post-processing (Thms. 1, 5, 7), and the privacy-utility tradeoff ε = Θ(n^{(α-1)/2}) arises genuinely from combining the noise scale b = Θ(n^{-(α-1)/2}) with the generic bound b ≥ Δ/ε. (3) The honest-fraction protocol (Thm. 9) calibrates Gaussian noise σ_ℓ = κΔ/(ε√((β-1+1/c)n)) so that the aggregate noise from honest nodes meets the Gaussian mechanism requirement (Eqs. 141-147); the Heisenberg scaling follows because σ_ℓ²/n = O(1/n²). The quantum hockey-stick divergence equivalence (Thm. 4) is cited to Hirche, Rouzé, and França [33] (independent group). The sensing protocol is from Eldredge et al. [4] (standard, widely cited). GHZ verification is treated as a black box from Pappa et al. [55] (independent). The composition theorem (Thm. 3) is from Dwork et al. [28, 44]. While Gorshkov appears on Refs. [4, 8], these are published, peer-reviewed sensing protocols used as background, not load-bearing for any privacy claim. No step reduces to its own inputs by construction, and no 'prediction' is a renamed fit. The paper is transparent about its assumptions (CSR, honest fraction, GHZ verification black box, query restrictions), which are correctness/assumption concerns rather than circularity concerns.

Axiom & Free-Parameter Ledger

5 free parameters · 8 axioms · 0 invented entities

No new physical entities, particles, forces, or dimensions are postulated. The protocols use existing quantum sensing hardware (qubit sensors, GHZ states) and existing classical noise distributions (Laplace, Gaussian). The 'noisy Hamiltonian' is a modification of the sensing Hamiltonian, not a new physical entity. The common source of randomness is an assumed resource, not a new entity.

free parameters (5)
  • α (MSE scaling exponent) = user-chosen in [1,2]
    Controls the tradeoff between MSE scaling O(n^{−α}) and privacy ε. Not fitted to data but chosen by the user to set the operating point.
  • b (Laplace scale parameter, noisy Hamiltonian) = Θ(n^{−(α−1)/2})
    Set to achieve desired MSE scaling; directly determines ε via Thm. 7. Not fitted to experimental data but derived from the tradeoff.
  • σ_ℓ (Gaussian noise std, honest-fraction protocol) = κΔ/(ε√((β−1+1/c)n))
    Set by the Gaussian mechanism definition to achieve (ε,δ)-DP. κ² > 2ln(1.25/δ) per Def. 10.
  • c (honest fraction constant) = constant > 1
    Assumed known constant such that at least n/c nodes are honest. Not fitted; an assumption about the network.
  • β (subset size fraction) = constant > 1−1/c
    Restricts allowed queries to subsets of size ≥ βn. Chosen to ensure linear honest nodes per subset.
axioms (8)
  • domain assumption Parameters θ_i ∈ [θ_min, θ_max] with known bounds
    Used throughout to calibrate noise scale (Δ = θ_max − θ_min). Stated in Sec. II A and used in all theorems.
  • domain assumption Common source of randomness (CSR) available for GHZ verification
    Sec. IV C: assumed for the honest-fraction protocol. Needed for efficient entanglement verification per Ref. [55].
  • domain assumption Constant fraction of honest nodes (≥ n/c for known c > 1)
    Sec. IV C, Eq. 126. Load-bearing for Thm. 9; without it, the worst-case Thm. 8 applies with its unfavorable tradeoff.
  • ad hoc to paper GHZ state verification treated as black box
    Sec. IV, after Def. 17: 'We treat this GHZ verification step as a black box and leave an explicit protocol tailored to our setting to future work.' The privacy guarantee for the honest-fraction protocol depends on verified GHZ implementation.
  • domain assumption Noise sampled once and held fixed across all sensing shots
    Thm. 8 and Sec. B 2: resampling noise between shots destroys the sensing advantage (Thm. 10). This is a protocol requirement, not a theorem.
  • standard math Standard quantum sensing protocol from Ref. [4] (GHZ state, parity measurement)
    Sec. II A: the base sensing protocol is taken from Eldredge et al. The MSE = O(1/n²t²) result (Eq. 22) is standard.
  • standard math Classical differential privacy definitions and theorems (Laplace, Gaussian, composition)
    Sec. II B: Defs. 3–10, Thms. 1–3 are from Dwork et al. and Vadhan. Used as building blocks.
  • standard math Quantum differential privacy framework from Ref. [33]
    Sec. II C: Defs. 11–15, Thms. 4–5 are from Hirche, Rouzé, and França. Used for the hockey-stick divergence analysis.

pith-pipeline@v1.1.0-glm · 46160 in / 4282 out tokens · 572353 ms · 2026-07-08T02:55:20.347883+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

67 extracted references · 67 canonical work pages · 11 internal anchors

  1. [1]

    Degen, F

    C. Degen, F. Reinhard, and P. Cappellaro, Quantum sensing, Reviews of Modern Physics89, 035002 (2017)

  2. [2]

    Giovannetti, S

    V. Giovannetti, S. Lloyd, and L. Maccone, Quantum- enhanced measurements: beating the standard quantum limit, Science306, 1330 (2004)

  3. [3]

    Giovannetti, S

    V. Giovannetti, S. Lloyd, and L. Maccone, Quantum metrology, Physical Review Letters96, 010401 (2006)

  4. [4]

    Eldredge, M

    Z. Eldredge, M. Foss-Feig, J. A. Gross, S. L. Rolston, and A. V. Gorshkov, Optimal and secure measurement protocols for quantum sensor networks, Physical Review A97, 042337 (2018)

  5. [5]

    Belliardo and V

    F. Belliardo and V. Giovannetti, Achieving Heisenberg scaling with maximally entangled states: an analytic up- per bound for the attainable root mean square error, Physical Review A102, 042613 (2020)

  6. [6]

    T. Qian, J. Bringewatt, I. Boettcher, P. Bienias, and A. V. Gorshkov, Optimal measurement of field proper- ties with quantum sensor networks, Physical Review A 103, L030601 (2021)

  7. [7]

    Bringewatt, I

    J. Bringewatt, I. Boettcher, P. Niroula, P. Bienias, and A. V. Gorshkov, Protocols for estimating multiple func- tions with quantum sensor networks: geometry and per- formance, Physical Review Research3, 033011 (2021)

  8. [8]

    Ehrenberg, J

    A. Ehrenberg, J. Bringewatt, and A. V. Gorshkov, Min- imum entanglement protocols for function estimation, Physical Review Research5, 033228 (2023)

  9. [9]

    Nabighian, V

    M. Nabighian, V. Grauch, R. Hansen, T. LaFehr, Y. Li, J. Peirce, J. Phillips, and M. Ruder, The historical de- velopment of the magnetic method in exploration, Geo- physics70, 1ND (2005)

  10. [10]

    T. J. Wright, B. E. Parsons, and Z. Lu, Toward mapping surface deformation in three dimensions using InSAR, Geophysical Research Letters31, L01607 (2004)

  11. [11]

    Aslam, H

    N. Aslam, H. Zhou, E. K. Urbach, M. J. Turner, R. L. Walsworth, M. D. Lukin, and H. Park, Quantum sensors for biomedical applications, Nature Reviews Physics5, 157 (2023)

  12. [12]

    E. Boto, N. Holmes, J. Leggett, G. Roberts, V. Shah, S. S. Meyer, L. D. Mu˜ noz, K. J. Mullinger, T. M. Tier- ney, S. Bestmann, G. R. Barnes, R. Bowtell, and M. J. Brookes, Moving magnetoencephalography towards real- world applications with a wearable system, Nature555, 657 (2018)

  13. [13]

    Jensen, M

    K. Jensen, M. A. Skarsfeldt, H. Stærkind, J. Arnbak, M. V. Balabas, S.-P. Olesen, B. H. Bantzen, and E. S. Polzik, Magnetocardiography on an isolated animal heart with a room-temperature optically pumped magnetome- ter, Scientific Reports8, 16218 (2018). 24

  14. [14]

    Jensen, M

    K. Jensen, M. Zugenmaier, J. Arnbak, H. Stærkind, M. V. Balabas, and E. S. Polzik, Detection of low- conductivity objects using eddy current measurements with an optical magnetometer, Physical Review Research 1, 033087 (2019)

  15. [15]

    Deans, L

    C. Deans, L. Marmugi, S. Hussain, and F. Renzoni, Elec- tromagnetic induction imaging with a radio-frequency atomic magnetometer, Applied Physics Letters108, 103503 (2016)

  16. [16]

    S. Xu, V. V. Yashchuk, M. H. Donaldson, and A. Pines, Magnetic resonance imaging with an optical atomic mag- netometer, Proceedings of the National Academy of Sci- ences103, 12668 (2006)

  17. [17]

    A. J. Brady, C. Gao, R. Harnik, Z. Liu, Z. Zhang, and Q. Zhuang, Entangled sensor-networks for dark-matter searches, PRX Quantum3, 030333 (2022)

  18. [18]

    X. Guo, C. R. Breum, J. Borregaard, S. Izumi, M. V. Larsen, T. Gehring, M. Christandl, J. S. Neergaard- Nielsen, and U. L. Andersen, Distributed quantum sens- ing in a continuous-variable entangled network, Nature Physics16, 281 (2020)

  19. [19]

    Huang, C

    Z. Huang, C. Macchiavello, and L. Maccone, Cryp- tographic quantum metrology, Physical Review A99, 022314 (2019)

  20. [20]

    Private network parameter estimation with quantum sensors

    N. Shettell, M. Hassani, and D. Markham, Private network parameter estimation with quantum sensors, arXiv:2207.14450 (2022)

  21. [21]

    Kasai, Y

    H. Kasai, Y. Takeuchi, H. Hakoshima, Y. Matsuzaki, and Y. Tokura, Anonymous quantum sensing, Journal of the Physical Society of Japan91, 074005 (2022)

  22. [22]

    S. W. Moore and J. A. Dunningham, Secure quantum remote sensing without entanglement, arXiv:2302.03617 (2023)

  23. [23]

    S. W. Moore and J. A. Dunningham, Secure quantum- enhanced measurements on a network of sensors, arXiv:2406.19285 (2024)

  24. [24]

    Private and Robust States for Distributed Quantum Sensing

    L. Bugalho, M. Hassani, Y. Omar, and D. Markham, Pri- vate and robust states for distributed quantum sensing, arXiv:2407.21701 (2024)

  25. [25]

    Kasai, Y

    H. Kasai, Y. Takeuchi, Y. Matsuzaki, and Y. Tokura, Di- rect moment estimation of intensity distribution of mag- netic fields with quantum sensing network, New Journal of Physics26, 123013 (2024)

  26. [26]

    Hassani, S

    M. Hassani, S. Scheiner, M. G. Paris, and D. Markham, Privacy in networks of quantum sensors, Physical Review Letters134, 030802 (2025)

  27. [27]

    Precision and Privacy in Distributed Quantum Sensing: A Quantum Fisher Information Duality

    F. Farokhi, Precision and privacy in dis- tributed quantum sensing: a quantum Fisher information duality, arXiv:2605.20765 https://doi.org/10.48550/arXiv.2605.20765 (2026)

  28. [28]

    Dwork, F

    C. Dwork, F. McSherry, K. Nissim, and A. Smith, Cali- brating noise to sensitivity in private data analysis, Pro- ceedings of the Third Conference on Theory of Cryptog- raphy3876, 265 (2006)

  29. [29]

    Dwork, Differential privacy, Proceedings of the 33 rd International Conference on Automata, Languages and Programming—Volume Part II4052, 1 (2006)

    C. Dwork, Differential privacy, Proceedings of the 33 rd International Conference on Automata, Languages and Programming—Volume Part II4052, 1 (2006)

  30. [30]

    Shi, T.-H

    E. Shi, T.-H. H. Chan, E. G. Rieffel, R. Chow, and D. Song, Privacy-preserving aggregation of time-series data, Proceedings of the Network and Distributed Sys- tem Security Symposium, NDSS (2011)

  31. [31]

    Zhou and M

    L. Zhou and M. Ying, Differential privacy in quantum computation, 2017 IEEE 30 th Computer Security Foun- dations Symposium , 249 (2017)

  32. [32]

    Yoshida and M

    Y. Yoshida and M. Hayashi, Classical mechanism is op- timal in classical-quantum differentially private mecha- nisms, 2020 IEEE International Symposium on Informa- tion Theory , 1973 (2020)

  33. [33]

    Hirche, C

    C. Hirche, C. Rouz´ e, and D. S. Fran¸ ca, Quantum differen- tial privacy: an information theoretic perspective, IEEE Transactions on Information Theory69, 5771 (2023)

  34. [34]

    Y. Li, Y. Zhao, X. Zhang, H. Zhong, M. Pan, and C. Zhang, Differential privacy preserving quan- tum computing via projection operator measurements, arXiv:2312.08210 (2023)

  35. [35]

    Guan, Optimal mechanisms for quantum local differ- ential privacy, arXiv:2407.13516 (2024)

    J. Guan, Optimal mechanisms for quantum local differ- ential privacy, arXiv:2407.13516 (2024)

  36. [36]

    Differential Privacy Preserving Distributed Quantum Computing

    H. Zhong, K. Ju, J. Shen, X. Zhang, X. Qin, O. Tomoaki, M. Pan, and Z. Han, Differential privacy preserving dis- tributed quantum computing, arXiv:2412.12387 (2024)

  37. [37]

    W. Li, S. Lu, and D.-L. Deng, Quantum federated learn- ing through blind quantum computing, Science China Physics, Mechanics & Astronomy64, 100312 (2021)

  38. [38]

    L. P. Barnes, W.-N. Chen, and A. Ozgur, Fisher infor- mation under local differential privacy, arXiv:2005.10783 (2020)

  39. [39]

    Farokhi, Tight sample complexity bounds for param- eter estimation under quantum differential privacy for qubits, IEEE Control Systems Letters9, 240 (2025)

    F. Farokhi, Tight sample complexity bounds for param- eter estimation under quantum differential privacy for qubits, IEEE Control Systems Letters9, 240 (2025)

  40. [40]

    Wineland, J

    D. Wineland, J. Bollinger, W. Itano, and D. Heinzen, Squeezed atomic states and projection noise in spec- troscopy, Physical Review A50, 67 (1994)

  41. [41]

    Google COVID-19 Community Mobility Reports: Anonymization Process Description (version 1.1)

    A. Aktay, S. Bavadekar, G. Cossoul, J. Davis, D. Des- fontaines, A. Fabrikant, E. Gabrilovich, K. Gade- palli, B. Gipson, M. Guevara, C. Kamath, M. Kansal, A. Lange, C. Mandayam, A. Oplinger, C. Pluntke, T. Roessler, A. Schlosberg, T. Shekel, S. Vispute, M. Vu, G. Wellenius, B. Williams, and R. J. Wilson, Google COVID-19 Community Mobility Reports: Anonym...

  42. [42]

    Finster and I

    S. Finster and I. Baumgart, Privacy-aware smart meter- ing: a survey, IEEE Communications Surveys & Tutori- als17, 1088 (2015)

  43. [43]

    Par´ e, M

    M. Par´ e, M. Teehan, S. Suffian, J. Glass, A. Scheer, M. Young, and M. Golden, Applying energy differential privacy to enable measurement of the OhmConnect Vir- tual Power Plant (2020), accessed Feb. 20, 2026

  44. [44]

    Dwork, A

    C. Dwork, A. Roth,et al., The algorithmic foundations of differential privacy, Foundations and Trends® in The- oretical Computer Science9, 211 (2014)

  45. [45]

    Vadhan, The complexity of differential privacy, Tuto- rials on the Foundations of Cryptography , 347 (2017)

    S. Vadhan, The complexity of differential privacy, Tuto- rials on the Foundations of Cryptography , 347 (2017)

  46. [46]

    J. P. Near, D. Darais, N. Lefkovitz, and G. S. Howarth, Guidelines for Evaluating Differential Privacy guaran- tees, Tech. Rep. NIST Special Publication (SP) NIST SP 800-226 (National Institute of Standards and Technology, Gaithersburg, MD, 2025)

  47. [47]

    Sweeney, Weaving technology and policy together to maintain confidentiality, Journal of Law, Medicine & Ethics25, 98 (1997)

    L. Sweeney, Weaving technology and policy together to maintain confidentiality, Journal of Law, Medicine & Ethics25, 98 (1997)

  48. [48]

    DeepCABAC: A Universal Compression Algorithm for Deep Neural Networks

    B. Bebensee, Local differential privacy: a tutorial, arXiv:1907.119008v1 (2019)

  49. [49]

    Apple Inc., Differential Privacy Team, Learning with pri- vacy at scale, Apple Machine Learning Research (2017)

  50. [50]

    Erlingsson, V

    U. Erlingsson, V. Pihur, and A. Korolova, Rappor: randomized aggregatable privacy-preserving ordinal re- 25 sponse, Proceedings of the 2014 ACM SIGSAC Confer- ence on Computer and Communications Security , 1054 (2014)

  51. [51]

    S. L. Warner, Randomized response: A survey technique for eliminating evasive answer bias, Journal of the Amer- ican Statistical Association60, 63 (1965)

  52. [52]

    A unifying framework for differentially private quantum algorithms

    A. Angrisani, M. Doosti, and E. Kashefi, A unifying framework for differentially private quantum algorithms, arXiv:2307.04733 (2023)

  53. [53]

    R´ enyi, On measures of entropy and information, The 4th Berkeley Symposium on Mathematics, Statistics, and Probability4.1, 547 (1960)

    A. R´ enyi, On measures of entropy and information, The 4th Berkeley Symposium on Mathematics, Statistics, and Probability4.1, 547 (1960)

  54. [54]

    K´ om´ ar, T

    P. K´ om´ ar, T. Topcu, E. Kessler, A. Derevianko, V. Vuleti´ c, J. Ye, and M. Lukin, Quantum network of atom clocks: a possible implementation with neutral atoms, Physical Review Letters117, 060506 (2016)

  55. [55]

    Pappa, A

    A. Pappa, A. Chailloux, S. Wehner, E. Diamanti, and I. Kerenidis, Multipartite entanglement verification re- sistant against dishonest parties, Physical Review Letters 108, 260502 (2012)

  56. [56]

    T. Chan, E. Shi, and D. Song, Optimal lower bound for differentially private multi-party aggregation, Algorithms — ESA 20127501, ESA 2012 (2012)

  57. [57]

    Dwork, G

    C. Dwork, G. N. Rothblum, and S. Vadhan, Boosting and differential privacy, IEEE 51 st Annual Symposium on Foundations of Computer Science , 51 (2010)

  58. [58]

    K. Qian, Z. Eldredge, W. Ge, G. Pagano, C. Monroe, J. Porto, and A. V. Gorshkov, Heisenberg-scaling mea- surement protocol for analytic functions with quantum sensor networks, Physical Review A100, 042304 (2019)

  59. [59]

    Polino, M

    E. Polino, M. Valeri, N. Spagnolo, and F. Sciarrino, Photonic quantum metrology, AVS Quantum Science2, 024703 (2020)

  60. [60]

    Zhuang, Z

    Q. Zhuang, Z. Zhang, and J. H. Shapiro, Distributed quantum sensing using continuous-variable multipartite entanglement, Physical Review A97, 032329 (2018)

  61. [61]

    Y. Xia, Q. Zhuang, W. Clark, and Z. Zhang, Repeater-enhanced distributed quantum sensing based on continuous-variable multipartite entanglement, Phys- ical Review A99, 012328 (2019)

  62. [62]

    Bringewatt, A

    J. Bringewatt, A. Ehrenberg, T. Goel, and A. V. Gorshkov, Optimal function estimation with photonic quantum sensor networks, Physical Review Research6, 013246 (2024)

  63. [63]

    M. M. Wilde,Quantum Information Theory(Cambridge University Press, 2017). 26 Appendix A: The GHZ state is in the family of states that leak the most information In this appendix, we prove the claim made in Sec. IV B that the GHZ state is among the set of worst states to use from the privacy perspective. We consider the GHZ state because it has been proven...

  64. [64]

    8 that the noisy Hamiltonian protocol isε-differentially private, that is,δ= 0

    Privacy analysis via the quantum hockey-stick divergence Recall from the statement of Thm. 8 that the noisy Hamiltonian protocol isε-differentially private, that is,δ= 0. In this subsection, we analyze privacy using the quantum hockey-stick divergence defined in Def. 15. This allows us to tightly characterize the amount of noise required to achieve privac...

  65. [65]

    (B10) is rather complicated, we are only able to get a simple, analytic result for the case whereK= 1 andν= 1

    As the quantity in Eq. (B10) is rather complicated, we are only able to get a simple, analytic result for the case whereK= 1 andν= 1. ForK >1 andν >1, we make use of numerical techniques. We start by analyzing theK= 1,ν= 1 case. Recall from Sec. II A that the full bit-by-bit learning protocol uses 2ν j samples at stagej, withν j samples measured in theXba...

  66. [66]

    To show this, we will need two probability distributions: the exponential distribution and the gamma distribution

    Resampled noise ruins the sensing advantage In this subsection, we show that the protocol in which each node resamples their noise for every shot in the sensing protocol results in a variance for the function estimate that blows up with timetand the number of partiesn. To show this, we will need two probability distributions: the exponential distribution ...

  67. [67]

    IV B), we drop the scaling ofε MSE down to the standard quantum limit

    Entanglement offers no privacy advantage whenα= 1 Recall from the main text that when we takeα= 1 in the noisy Hamiltonian protocol (see Sec. IV B), we drop the scaling ofε MSE down to the standard quantum limit. As such, there is no benefit in using the entangled protocol, and instead we can just use an unentangled protocol while achieving the same level...