Robust in Practice: Adversarial Attacks on Quantum Machine Learning
Haoran Liao, Ian Convy, William J. Huggins, and K. Birgitta Whaley

TL;DR
This paper investigates the robustness of quantum machine learning models against adversarial attacks, showing that models classifying realistically generated states are more resilient than those classifying Haar-random states, indicating potential for practical applications.
Contribution
The study provides the first analysis of adversarial robustness of QML models on realistic data, revealing a weaker vulnerability than in Haar-random state classification.
Findings
Robustness decreases only mildly polynomially in the number of qubits for realistic states.
Haar-random state classification exhibits exponential robustness decline.
Quantum classifiers show promise for real-world applications due to increased robustness.
Abstract
State-of-the-art classical neural networks are observed to be vulnerable to small crafted adversarial perturbations. A more severe vulnerability has been noted for quantum machine learning (QML) models classifying Haar-random pure states. This stems from the concentration of measure phenomenon, a property of the metric space when sampled probabilistically, and is independent of the classification protocol. In order to provide insights into the adversarial robustness of a quantum classifier on real-world classification tasks, we focus on the adversarial robustness in classifying a subset of encoded states that are smoothly generated from a Gaussian latent space. We show that the vulnerability of this task is considerably weaker than that of classifying Haar-random pure states. In particular, we find only mildly polynomially decreasing robustness in the number of qubits, in contrast to…
