CERTIFIED ROBUSTNESS OF QUANTUM CLASSIFIERS AGAINST ADVERSARIAL EXAMPLES THROUGH QUANTUM NOISE

2025-09-29 2 0 319.65KB 6 页 10玖币

侵权投诉

CERTIFIED ROBUSTNESS OF QUANTUM CLASSIFIERS AGAINST ADVERSARIAL

EXAMPLES THROUGH QUANTUM NOISE

Jhih-Cing Huang1Yu-Lin Tsai2Chao-Han Huck Yang3Cheng-Fang Su2

Chia-Mu Yu2Pin-Yu Chen4Sy-Yen Kuo1

1National Taiwan University, Taiwan 2National Yang Ming Chiao Tung University, Taiwan

3Georgia Institute of Technology, GA, USA 4IBM Research, NY, USA

ABSTRACT

Recently, quantum classiﬁers have been found to be vulner-

able to adversarial attacks, in which quantum classiﬁers are

deceived by imperceptible noises, leading to misclassiﬁcation.

In this paper, we propose the

ﬁrst theoretical study

demon-

strating that

adding quantum random rotation noise can

improve robustness

in quantum classiﬁers against adversarial

attacks. We link the deﬁnition of differential privacy and show

that the quantum classiﬁer trained with the natural presence

of additive noise is differentially private. Finally, we derive a

certiﬁed robustness bound to enable quantum classiﬁers to de-

fend against adversarial examples, supported by experimental

results simulated with noises from IBM’s 7-qubits device.

1. INTRODUCTION

The joint study of quantum computing and machine learning

opens a new research area named quantum machine learning

[

]. For example, quantum classiﬁers [

] solve clas-

siﬁcation problems similar to the classical ones. Furthermore,

the data availability of quantum classiﬁers is wider since quan-

tum data, which is generated from natural or artiﬁcial quantum

systems, can also be included. In particular, quantum neural

network (QNN) is a pure quantum model [

] that

contains trainable parameters. Thus, QNN is also identiﬁed

as a parameterized quantum circuit. Aside from classical ma-

chine learning, QNNs predict labels of data by measuring the

ancilla qubits that are carried through along with the training

data. Based on the training data, QNNs utilize optimizers sim-

ilar to the classical ones to optimize parameters with speciﬁc

techniques [

] to calculate the gradient. However,

recent ﬁndings also suggest that the QNNs-based model is also

sensitive to small gradient-based perturbation with malicious

misclassiﬁcation results. To deal with the adversarial examples

on QNNs, Weber et al. [

] ﬁnd out a tight condition for the

robustness against the adversarial perturbation for QNNs. Fur-

thermore, Du et al. [

] propose that QNN can resist against

the adversarial perturbation via depolarization noise.

Contribution

In this paper, inspired by [

], we propose

one

formal theoretical analysis on robustness of QNNs

where the robustness can be improved via the added quan-

tum random rotation noise. The quantum rotation noise in our

theoretical solution additionally applied to QNNs enables us

to derive a certiﬁed robustness bound.

1.1. Related Work

Randomized Smoothing

Classical randomized smoothing

[

] protects classical classiﬁers through adding noise, such

as Gaussian Noise, and by sampling multiple times, the label

with the highest probability is assigned to the data point; i.e.,

g(x) = arg max

c∈κ

P(f(x+) = c)

, where

is the set of all

possible classes and ∼N(0, σ2I).

Differential Privacy

Differential privacy [

] is one of

the de facto standard in the realm of data privacy. Furthermore,

differential privacy quantiﬁes the amount of privacy protection.

Formally, we can deﬁne the notion



-differential privacy in

the following. Let



be a positive real number and

be a

randomized algorithm that takes a dataset as input. Let

im A

denote the image of

. The algorithm

is said to provide



differential privacy if, for all datasets

and

that differ on

a single element (i.e., the data of one person), and all subsets

im A

, we have

Pr[A(D1)∈S]≤e·Pr[A(D2)∈S]

where the probability is taken over the randomness used by

the algorithm.

Certiﬁed Robustness

For a certiﬁably robust [

] clas-

sical classiﬁer with robustness bound

, the predictions of input

data points

and

are guaranteed to be the same where

and

are neighboring data points with

distance of

and

less than threshold

. The deﬁnition of certiﬁed robustness

of quantum classiﬁers with robustness bound

τD

is similar to

classical one.

Namely, for two quantum states

and

, if

||σ−ρ|| <

τD

, where the distance is deﬁned by the trace distance(i.e.

||σ−ρ|| := T r(||σ−ρ||)

), the majority of output labels of

and ρare guaranteed to be the same.

QNN Robustness

Recently, some research efforts have

been on developing the robustness for QNNs. For example,

Weber et al. [

] formulate this adversarial robustness topic on

QNNs as semideﬁnite programs and considers higher statistical

arXiv:2211.00887v2 [quant-ph] 28 Apr 2023

moments of the observable and generalized bounds. Weber et

al. [

] establsih a link between binary quantum hypothesis

testing and provably robust QNNs, resulting in a robustness

condition for the amount of noise a classiﬁer can tolerate. Du

et al. [

] ﬁnds that the depolarization noise in QNNs helps

derive a robustness bound, where the robustness improves with

increasing noise.

2. BACKGROUND KNOWLEDGE

Quantum Classiﬁer

Parameterized quantum circuits are quan-

tum frameworks that depend on trainable parameters, and can

therefore be optimized [

]. Variational quantum classiﬁer al-

gorithm is under this framework, being the predominant basis

of quantum classiﬁers. Several optimization methods are de-

veloped and different quantum classiﬁers are proposed. In our

work, we use the optimization method called parameter-shift

rule [

]. That is, the output of a variational quantum circuit,

denoted by f(θ), is parameterized by θ=θ1, θ2, . . . .

To optimize

, we need to acquire the partial derivative of

f(θ)

which can be expressed as a linear combination of other

quantum functions, typically derived from the same circuit

with a shift of

. That is, the same variational quantum circuit

can be used to compute the partial derivatives of

f(θ)

. Besides,

we need to encode our classical data and int this aspect we

adopt the amplitude encoding method [

] . To encode

data efﬁciently, amplitude encoding is to transform classical

data into linear combination of independent quantum states

with the magnitudes of features being the weights which can

be expressed as

Sx|0i=1

|x|P2n

n=1 xi|ii

, where each

a feature (component) of data point

, and

|ii

is a basis of

-qubit space. In our work, we assume a

-class quantum

classiﬁer of which the output is the predicted label of the input

state.

Let

Πk

be a positive operator-valued measure (POVM)

and

be quantum operations of the quantum classiﬁer. Deﬁne

yk(σ)≡T r(ΠkE(σ⊗ |aiha|))

which denotes the probabil-

ity with which input state

is assigned to the label

k, k ∈

0,1,2, ...., K −1.

and

∼

yk(σ) = T r(ΠkE(Rσ ⊗ |aiha|))

which denotes the probability with which input state

assigned to the label

k, k ∈0,1,2, ...., K −1

under noise,

where

is the noise operator. Since it is impossible to derive

actual

yk(σ)

and

∼

yk(σ)

, we sample N times to estimate

and

∼

with

y(N)

k(σ)

and

∼

(N)(σ)

, respectively. In our work,

we assume

K= 2

(binary classiﬁcation) for convenience

but similar reasoning can also be applied in the multiclass

scenario.

Quantum Differential Privacy

Similar to classical



differential privacy, we adopt the quantum version of



differential privacy from [

]. Furthermore, we express a

quantum classiﬁer under

-class classiﬁcation problem to

have satisﬁed -differential privacy if the following holds.

Let



be a positive real number and

be a quantum

algorithm that takes a quantum state as input. The al-

gorithm

is said to provide quantum



-differential pri-

vacy if, for all input quantum states

and

such that

τ(σ, ρ)< τD

, and for all

Πi, i ∈0,1,2,3..., K −1

, we

have

Pr[M(σ, Πi)] ≤exp ()·Pr[M(ρ, Πi)]

, and therefore

e−≤

∼

yk(ρ)

∼

yk(σ)≤e.

3. PROPOSED METHOD

We begin with the idea of simulating randomized smoothing

in quantum machine learning. We aim to add perturbation

on qubits and consider random rotations on the Bloch sphere

as a counterpart of randomized smoothing. Then, we apply

rotation gates, as shown in Fig. 1, on each input qubit and

set up rotation angles with random variables generated from

classical computers.

Fig. 1: The rotation circuit with output density matrix (σ).

Our proposed method is summarized in Algorithm 1. Our

method does not assume details of quantum classiﬁers, and

thus is general for model agnostic. Our method guarantees the

accuracy of original quantum classiﬁers, and the corresponding

robustness bound is also applicable for all kinds of quantum

classiﬁers. Further analysis of Algorithm 1 is also proven in

subsequent section.

Algorithm 1 Quantum model under quantum noise rotation

Input σ: where σis density matrix of n-dim data.

Output f(θ∗, σ)

1. For a chosen quantum classiﬁer, add Pauli-X operators

before each input qubit.

2. Generate n random variables

θ1, θ2, ..., θn

subject to

0< h1<tan θi< h2for all i∈ {1,2, . . . , n}.

3. Set up rotation angles of additional Pauli-X operators

with θ1, θ2, ..., θn

4. Execute the quantum classiﬁer

times to get the score

vector f(θ∗, σ).

4. THEORETICAL ANALYSIS

Our goal is to demonstrate that random rotation noises can

be used to protect quantum classiﬁers against adversarial per-

turbations. This can be divided into three main steps. We

ﬁrst show the invariance of outcomes between noisy classiﬁers

and original ones. Then we demonstrate how random rotation

noises improve quantum differential privacy for the classi-

ﬁers. Ultimately, we can show the connection between the

differential privacy and the better robustness against general

adversaries of classiﬁers.

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10 玖币 0人已下载

立即下载

摘要：

CERTIFIEDROBUSTNESSOFQUANTUMCLASSIFIERSAGAINSTADVERSARIALEXAMPLESTHROUGHQUANTUMNOISEJhih-CingHuang1Yu-LinTsai2Chao-HanHuckYang3Cheng-FangSu2Chia-MuYu2Pin-YuChen4Sy-YenKuo11NationalTaiwanUniversity,Taiwan2NationalYangMingChiaoTungUniversity,Taiwan3GeorgiaInstituteofTechnology,GA,USA4IBMResearch,NY,US...

展开>> 收起<<

CERTIFIED ROBUSTNESS OF QUANTUM CLASSIFIERS AGAINST ADVERSARIAL EXAMPLES THROUGH QUANTUM NOISE.pdf

共6页,预览2页

还剩页未读，继续阅读

声明：本站为文档C2C交易模式，即用户上传的文档直接被用户下载，本站只是中间服务平台，本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私，请立即通知玖贝云文库，我们立即给予删除！

CERTIFIED ROBUSTNESS OF QUANTUM CLASSIFIERS AGAINST ADVERSARIAL EXAMPLES THROUGH QUANTUM NOISE

相关推荐

开通VIP享超值会员特权

作者详情

相关内容

热门标签

举报选择: