Adversarial Robustness Guarantees for Quantum Classifiers

TL;DR

This paper demonstrates that quantum classifiers can inherently resist certain adversarial attacks due to their quantum properties, providing a theoretical foundation for quantum advantages in adversarial robustness.

Contribution

It offers a theoretical analysis showing how quantum features confer robustness against specific adversarial attacks in quantum machine learning.

Findings

Quantum classifiers are protected against weak perturbations.

Protection against local attacks if classifiers are insufficiently scrambling.

Evidence of robustness against universal attacks if classifiers are sufficiently chaotic.

Abstract

Despite their ever more widespread deployment throughout society, machine learning algorithms remain critically vulnerable to being spoofed by subtle adversarial tampering with their input data. The prospect of near-term quantum computers being capable of running {quantum machine learning} (QML) algorithms has therefore generated intense interest in their adversarial vulnerability. Here we show that quantum properties of QML algorithms can confer fundamental protections against such attacks, in certain scenarios guaranteeing robustness against classically-armed adversaries. We leverage tools from many-body physics to identify the quantum sources of this protection. Our results offer a theoretical underpinning of recent evidence which suggest quantum advantages in the search for adversarial robustness. In particular, we prove that quantum classifiers are: (i) protected against weak perturbations of data drawn from the trained distribution, (ii) protected against local attacks if they are insufficiently scrambling, and (iii) show evidence that they are protected against universal adversarial attacks if they are sufficiently chaotic. Our analytic results are supported by numerical evidence demonstrating the applicability of our theorems and the resulting robustness of a quantum classifier in practice. This line of inquiry constitutes a concrete pathway to advantage in QML, orthogonal to the usually sought improvements in model speed or accuracy.