Qubit leakage is a noticeable source of errors for quantum computing. In quantum processors, leakage excitations traveling between qubits generate correlated errors and perturb gate implementations. Leakage mobility can also be utilized for creating dedicated leakage removal pathways and removal units. To quantitatively characterize leakage mobility and to guide better design of processor architectures, we study here leakage dynamics in transmons with tunable couplers through numerical and analytical methods. Even if the couplers are tuned to cancel the single-excitation exchange or the ZZ interaction, the leakage hopping rates still persist in the range of 0.8-10 MHz due to transmon nonlinearity. In typical operation regimes, however, transmon frequency detuning localizes leakage excitations. The next-nearest-neighbor transmons can still be near-resonant, opening leakage tunneling channels. To suppress longer-range hopping, we find that the frequency spread of the next-nearest-neighbor transmons needs to be in the range of 1-4 MHz. Utilizing leakage mobility, we propose two passive leakage removal units. One is based on a tunable coupler and a pumped transmon, and another on a
Hydraulic systems have been one of the most used technologies in many industries due to their reliance on incompressible fluids that facilitate energy and power transfer. Within such systems, hydraulic cylinders are prime devices that convert hydraulic energy into mechanical energy. Some of the genuine and very common problems related to hydraulic cylinders are leakages. Leakage in hydraulic systems can cause a drop in pressure, general inefficiency, and even complete failure of such systems. The various ways leakage can occur define the major categorization of leakage: internal and external leakage. External leakage is easily noticeable, while internal leakage, which involves fluid movement between pressure chambers, can be harder to detect and may gradually impact system performance without obvious signs. When leakage surpasses acceptable limits, it is classified as a fault or failure. In such cases, leakage is divided into three categories: no leakage, low leakage, and high leakage. This paper suggests a fault detection algorithm whose basic responsibility is detecting minimum leakage within the hydraulic system, with minimizing detection time as the core idea. In order
Retrieval-Augmented Generation (RAG) enables large language models (LLMs) to leverage external knowledge, but also exposes valuable RAG databases to leakage attacks. As RAG systems grow more complex and LLMs exhibit stronger instruction-following capabilities, existing studies fall short of systematically assessing RAG leakage risks. We present LeakDojo, a configurable framework for controlled evaluation of RAG leakage. Using LeakDojo, we benchmark six existing attacks across fourteen LLMs, four datasets, and diverse RAG systems. Our study reveals that (1) query generation and adversarial instructions contribute independently to leakage, with overall leakage well approximated by their product; (2) stronger instruction-following capability correlates with higher leakage risk; and (3) improvements in RAG faithfulness can introduce increased leakage risk. These findings provide actionable insights for understanding and mitigating RAG leakage in practice. Our codebase is available at https://github.com/yeasen-z/LeakDojo.
Test Vector Leakage Assessment (TVLA) based on Welch's $t$-test has become a standard tool for detecting side-channel leakage. However, its mean-based nature can limit sensitivity when leakage manifests primarily through higher-order distributional differences. As our experiments show, this property becomes especially crucial when it comes to evaluating neural network implementations. In this work, we propose Anderson--Darling Leakage Assessment (ADLA), a leakage detection framework that applies the two-sample Anderson--Darling test for leakage detection. Unlike TVLA, ADLA tests equality of the full cumulative distribution functions and does not rely on a purely mean-shift model. We evaluate ADLA on a multilayer perceptron (MLP) trained on MNIST and implemented on a ChipWhisperer-Husky evaluation platform. We consider protected implementations employing shuffling and random jitter countermeasures. Our results show that ADLA can provide improved leakage-detection sensitivity in protected implementations for a low number of traces compared to TVLA.
Concept-based Models aim to improve interpretability by predicting high-level intermediate concepts, representing a promising approach for deployment in high-risk scenarios. However, they are known to suffer from information leakage, whereby models exploit unintended information encoded within the learned concepts. We introduce an information-theoretic framework to rigorously characterise and quantify leakage, and define two complementary measures: the concepts-task leakage (CTL) and interconcept leakage (ICL) scores. We show that these measures are strongly predictive of model behaviour under interventions and outperform existing alternatives. Using this framework, we identify the primary causes of leakage and, as a case study, analyse how it manifests in Concept Embedding Models, revealing interconcept and alignment leakage in addition to the concepts-task leakage present by design. Finally, we present a set of practical guidelines for designing concept-based models to reduce leakage and ensure interpretability.
Concept-based models (CMs), deep neural networks that ground their predictions on representations aligned with human-understandable concepts (e.g., "round", "stripes", etc.), have been shown to learn representations that leak concept-irrelevant information. As the traditional narrative goes, this leakage is undesirable and should be eradicated as it leads to uninterpretable models. In this paper, we posit that this conventional view of leakage in CMs is not only ill-posed, as the evidence of how leakage makes a model less interpretable is often inconclusive, but also bound to lead to impractical CMs under common real-world constraints. Specifically, we argue that in real-world settings where concept incompleteness is the norm, some leakage is often necessary for constructing accurate and intervenable CMs. To this end, we propose that there is such a thing as benign leakage and show that, by optimizing a reframing of the typical CM training objective, CMs can encourage and exploit this form of leakage without sacrificing accuracy or intervenability.
Maximal leakage quantifies the leakage of information from data $X \in \mathcal{X}$ due to an observation $Y$. While fundamental properties of maximal leakage, such as data processing, sub-additivity, and its connection to mutual information, are well-established, its behavior over Bayesian networks is not well-understood and existing bounds are primarily limited to binary $\mathcal{X}$. In this paper, we investigate the behavior of maximal leakage over Bayesian networks with finite alphabets. Our bounds on maximal leakage are established by utilizing coupling-based characterizations which exist for channels satisfying certain conditions. Furthermore, we provide more general conditions under which such coupling characterizations hold for $|\mathcal{X}| = 4$. In the course of our analysis, we also present a new simultaneous coupling result on maximal leakage exponents. Finally, we illustrate the effectiveness of the proposed bounds with some examples.
Leakage is a particularly damaging error that occurs when a qubit leaves the defined computational subspace. Leakage errors limit the effectiveness of quantum error correcting codes by spreading additional errors to other qubits and corrupting syndrome measurements. The effects of leakage errors on the surface code have been studied in various contexts. However, the effects of a leaked data qubit versus a leaked ancilla qubit can be quite different. Here, we study the effects of data leakage and ancilla leakage separately. We show that data leakage is much less damaging. We show that the surface code maintains its distance in the presence of leakage by either confining leakage to data qubits or eliminating ancilla qubit leakage at the critical fault location. We also introduce new techniques for handling leakage by using gates with one-sided leakage and by mixing two types of leakage reducing circuits: one to handle data leakage and one to handle ancilla leakage.
We study the design of mechanisms -- e.g., auctions -- when the designer does not control information flows between mechanism participants. A mechanism equilibrium is leakage-proof if no player conditions their actions on leaked information; a property distinct from ex-post incentive compatibility. Only leakage-proof mechanisms can implement social choice functions in environments with leakage. Efficient auctions need to be leakage-proof, while revenue-maximizing ones not necessarily so. Second-price and ascending auctions are leakage-proof; first-price auctions are not; while whether descending auctions are leakage-proof depends on tie-breaking.
Barycentric and pairwise quantum Renyi leakages are proposed as two measures of information leakage for privacy and security analysis in quantum computing and communication systems. These quantities both require minimal assumptions on the eavesdropper, i.e., they do not make any assumptions on the eavesdropper's attack strategy or the statistical prior on the secret or private classical data encoded in the quantum system. They also satisfy important properties of positivity, independence, post-processing inequality, and unitary invariance. The barycentric quantum Renyi leakage can be computed by solving a semi-definite program and the pairwise quantum Renyi leakage possesses an explicit formula. The barycentric and pairwise quantum Renyi leakages form upper bounds on the maximal quantum leakage, the sandwiched quantum $α$-mutual information, the accessible information, and the Holevo's information. Furthermore, differentially-private quantum channels are shown to bound these measures of information leakage. Global and local depolarizing channels, that are common models of noise in quantum computing and communication, restrict private or secure information leakage. Finally, a privac
Leakage from the computational subspace is a damaging source of noise that degrades the performance of most qubit types. Unlike other types of noise, leakage cannot be overcome by standard quantum error correction techniques and requires dedicated leakage reduction units. In this work, we study the effects of leakage mobility between superconducting qubits on the performance of a quantum stability experiment, which is a benchmark for fault-tolerant logical computation. Using the Fujitsu Quantum Simulator, we perform full density-matrix simulations of stability experiments implemented on the surface code. We observe improved performance with increased mobility, suggesting leakage mobility can itself act as a leakage reduction unit by naturally moving leakage from data to auxiliary qubits, where it is removed upon reset. We compare the performance of standard error-correction circuits with "patch wiggling", a specific leakage reduction technique where data and auxiliary qubits alternate their roles in each round of error correction. We observe that patch wiggling becomes inefficient with increased leakage mobility, in contrast to the improved performance of standard circuits. These o
We introduce the study of information leakage through guesswork, the minimum expected number of guesses required to guess a random variable. In particular, we define maximal guesswork leakage as the multiplicative decrease, upon observing $Y$, of the guesswork of a randomized function of $X$, maximized over all such randomized functions. We also study a pointwise form of the leakage which captures the leakage due to the release of a single realization of $Y$. We also study these two notions of leakage with oblivious (or memoryless) guessing. We obtain closed-form expressions for all these leakage measures, with the exception of one. Specifically, we are able to obtain a closed-form expression for maximal guesswork leakage for the binary erasure source only; deriving expressions for arbitrary sources appears challenging. Some of the consequences of our results are a connection between guesswork and differential privacy and a new operational interpretation of maximal $α$-leakage in terms of guesswork.
The ability to perform fast and accurate rotations between the computational basis states of quantum bits is one of the most fundamental requirements for building a quantum computer. Because physical qubits generally contain more than two levels, faster gates often result in a higher leakage rate outside of the computational space. In this letter, we enhance the state-of-the-art single qubit gate by introducing active leakage cancellation. This is accomplished via a second drive tone near the leakage transition such that we cancel the leakage caused by the main drive. Furthermore, we describe a measurement sequence that can be used to calibrate the parameters of this leakage cancellation drive. Finally, we apply the technique to superconducting transmon qubits, suppressing the leakage below the $10^{-5}$ level, and achieving coherence-limited gate infidelity of $7.5\times 10^{-5}$, for a 10 ns $π/2$ gate and 196 MHz qubit anharmonicity.
We introduce a privacy measure called statistic maximal leakage that quantifies how much a privacy mechanism leaks about a specific secret, relative to the adversary's prior information about that secret. Statistic maximal leakage is an extension of the well-known maximal leakage. Unlike maximal leakage, which protects an arbitrary, unknown secret, statistic maximal leakage protects a single, known secret. We show that statistic maximal leakage satisfies composition and post-processing properties. Additionally, we show how to efficiently compute it in the special case of deterministic data release mechanisms. We analyze two important mechanisms under statistic maximal leakage: the quantization mechanism and randomized response. We show theoretically and empirically that the quantization mechanism achieves better privacy-utility tradeoffs in the settings we study.
We introduce a gain function viewpoint of information leakage by proposing maximal $g$-leakage, a rich class of operationally meaningful leakage measures that subsumes recently introduced leakage measures -- maximal leakage and maximal $α$-leakage. In maximal $g$-leakage, the gain of an adversary in guessing an unknown random variable is measured using a gain function applied to the probability of correctly guessing. In particular, maximal $g$-leakage captures the multiplicative increase, upon observing $Y$, in the expected gain of an adversary in guessing a randomized function of $X$, maximized over all such randomized functions. We also consider the scenario where an adversary can make multiple attempts to guess the randomized function of interest. We show that maximal leakage is an upper bound on maximal $g$-leakage under multiple guesses, for any non-negative gain function $g$. We obtain a closed-form expression for maximal $g$-leakage under multiple guesses for a class of concave gain functions. We also study maximal $g$-leakage measure for a specific class of gain functions related to the $α$-loss. In particular, we first completely characterize the minima
Recent studies have discovered that large language models (LLMs) may be "fooled" into outputting private information, including training data, system prompts, and personally identifiable information, under carefully crafted adversarial prompts. Existing red-teaming approaches for privacy leakage either rely on manual efforts or focus solely on system prompt extraction, making them ineffective for severe risks of training data leakage. We propose LeakAgent, a novel black-box red-teaming framework for LLM privacy leakage. Our framework trains an open-source LLM through reinforcement learning as the attack agent to generate adversarial prompts for both training data extraction and system prompt extraction. To achieve this, we propose a novel reward function to provide effective and fine-grained rewards and design novel mechanisms to balance exploration and exploitation during learning and enhance the diversity of adversarial prompts. Through extensive evaluations, we first show that LeakAgent significantly outperforms existing rule-based approaches in training data extraction and automated methods in system prompt leakage. We also demonstrate the effectiveness of LeakAgent in extracting sy
Gentle quantum leakage is proposed as a measure of information leakage to arbitrary eavesdroppers that aim to avoid detection. Gentle (also sometimes referred to as weak or non-demolition) measurements are used to encode the desire of the eavesdropper to evade detection. The gentle quantum leakage meets important axioms proposed for measures of information leakage including positivity, independence, and unitary invariance. Global depolarizing noise, an important family of physical noise in quantum devices, is shown to reduce gentle quantum leakage (and hence can be used as a mechanism to ensure privacy or security). A lower bound for the gentle quantum leakage based on asymmetric approximate cloning is presented. This lower bound relates information leakage to mutual incompatibility of quantum states. A numerical example, based on the encoding in the celebrated BB84 quantum key distribution algorithm, is used to demonstrate the results.
We analyze data leakage in visual datasets. Data leakage refers to images in evaluation benchmarks that have been seen during training, compromising fair model evaluation. Given that large-scale datasets are often sourced from the internet, where many computer vision benchmarks are publicly available, our efforts are focused on identifying and studying this phenomenon. We characterize visual leakage into different types according to its modality, coverage, and degree. By applying image retrieval techniques, we unequivocally show that all the analyzed datasets present some form of leakage, and that all types of leakage, from severe instances to more subtle cases, compromise the reliability of model evaluation in downstream tasks.
This paper proposes a novel solution to address the leakage from the transmitter (TX) to the receiver (RX) in frequency-modulated continuous-wave (FMCW) radars. The proposed scheme replicates the leakage using an in-phase and quadrature mixer (IQ-mixer) and performs leakage cancellation in the radio-frequency (RF) domain. This approach utilizes a Wilkinson power combiner after the RX antenna to subtract the replicated leakage signal from the received signal, ensuring that only the true target signal reaches the low-noise amplifier (LNA). This scheme enhances the dynamic range and the receiver's ability to discern proximate targets from previously indistinguishable low beat-frequency clutter. In addition, the proposed technique incorporates a second IQ-mixer based complex modulator in the transmitter to tune the leakage beat frequency. This allows for accurate estimation of the leakage amplitude and phase without additional hardware. Simulation results show more than 20 dB of leakage cancellation.
The increasing complexity of large language models (LLMs) raises concerns about their ability to "cheat" on standard Question Answering (QA) benchmarks by memorizing task-specific data. This undermines the validity of benchmark evaluations, as they no longer reflect genuine model capabilities but instead the effects of data leakage. While prior work has focused on detecting such leakage, little attention has been given to mitigating its impact and preserving the long-term utility of benchmarks. In this paper, we introduce LastingBench, a novel framework designed to continuously reinforce and safeguard existing benchmarks against knowledge leakage. LastingBench identifies leakage points in the context through perturbation, then rewrites the leakage points to counterfactual ones, disrupting memorization while preserving the benchmark's original evaluative intent. Evaluations of state-of-the-art QA benchmarks show significant performance gaps, highlighting the efficacy of LastingBench in reducing memorization effects. LastingBench offers a practical and scalable solution to ensure benchmark robustness over time, promoting fairer and more interpretable evaluations of LLMs.