
A Comparative Analysis of Adversarial Robustness for Quantum and Classical Machine Learning Models

Maximilian Wendlinger, Kilian Tscharke, Pascal Debus

TL;DR

This work addresses the robustness gap between quantum and classical machine learning by systematically comparing adversarial attacks across parameterized quantum circuits (PQCs) and classical models on a handcrafted four-class dataset. It introduces a classical Fourier-network surrogate as a middle ground between quantum and classical representations and analyzes the role of data encoding and regularization in adversarial susceptibility through transfer attacks and Lipschitz-bound estimation. The study demonstrates that regularization can reduce Lipschitz constants and improve robustness in quantum models, while transfer patterns reveal that the quantum-classical boundary is nuanced and highly architecture-dependent. Overall, the findings offer practical guidance for designing more robust QML systems and clarify when quantum models may or may not exhibit robustness advantages in realistic adversarial settings.

Abstract

Quantum machine learning (QML) continues to be an area of tremendous interest from research and industry. While QML models have been shown to be vulnerable to adversarial attacks much in the same manner as classical machine learning models, it is still largely unknown how to compare adversarial attacks on quantum versus classical models. In this paper, we show how to systematically investigate the similarities and differences in adversarial robustness of classical and quantum models using transfer attacks, perturbation patterns and Lipschitz bounds. More specifically, we focus on classification tasks on a handcrafted dataset that allows quantitative analysis for feature attribution. This enables us to get insight, both theoretically and experimentally, on the robustness of classification networks. We start by comparing typical QML model architectures such as amplitude and re-upload encoding circuits with variational parameters to a classical ConvNet architecture. Next, we introduce a classical approximation of QML circuits (originally obtained with Random Fourier Features sampling but adapted in this work to fit a trainable encoding) and evaluate this model, denoted Fourier network, in comparison to other architectures. Our findings show that this Fourier network can be seen as a "middle ground" on the quantum-classical boundary. While adversarial attacks successfully transfer across this boundary in both directions, we also show that regularization helps quantum networks to be more robust, which has direct impact on Lipschitz bounds and transfer attacks.
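The abstract's three ingredients, PGD(ε) attacks, source-to-target transfer accuracy and a Lipschitz bound, in the form of an added, self-contained example that is not the paper's code, data or models. Two numpy softmax classifiers (one with L2 weight decay, one without) stand in for the architectures compared in the paper; the dataset, the model family, ε, step counts and seeds are all assumptions. The transfer matrix follows the row-is-source, column-is-target layout of Figure 4, and for a linear model the spectral norm of W is the exact input-to-logit L2 Lipschitz constant, which is the quantity regularization is shown to shrink.

```python
# Added example (not code or data from the paper): PGD(eps) attacks, a source-to-target
# transfer matrix in the row/column layout of Figure 4, and a Lipschitz bound, on two
# small numpy softmax classifiers. Dataset, model, eps, steps and seeds are assumptions.
import numpy as np

NUM_CLASSES = 4
DIM = 16


def make_dataset(n=400, d=DIM, seed=0):
    """Constructed four-class data: Gaussian blobs around random class prototypes."""
    rng = np.random.default_rng(seed)
    protos = rng.normal(size=(NUM_CLASSES, d))
    y = rng.integers(0, NUM_CLASSES, size=n)
    x = protos[y] + 0.7 * rng.normal(size=(n, d))
    return x, y


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


class LinearSoftmax:
    """Multinomial logistic regression, full-batch gradient descent, optional L2 weight decay."""

    def __init__(self, d, k, l2=0.0, seed=0):
        rng = np.random.default_rng(seed)
        self.W = 0.01 * rng.normal(size=(d, k))
        self.b = np.zeros(k)
        self.l2 = l2

    def logits(self, x):
        return x @ self.W + self.b

    def fit(self, x, y, epochs=300, lr=0.1):
        onehot = np.eye(self.W.shape[1])[y]
        for _ in range(epochs):
            g = softmax(self.logits(x)) - onehot  # dL/dlogits for cross-entropy
            self.W -= lr * (x.T @ g / len(y) + self.l2 * self.W)
            self.b -= lr * g.mean(axis=0)
        return self

    def grad_input(self, x, y):
        """Per-sample gradient of the cross-entropy loss w.r.t. the input."""
        p = softmax(self.logits(x))
        idx = np.arange(len(y))
        others = p.copy()
        others[idx, y] = 0.0
        coef = p.copy()
        # p_y - 1 equals -(sum of the other class probabilities). Computing it this way
        # avoids the float cancellation that zeroes the gradient on saturated, very confident
        # inputs; that would look like robustness but is just gradient masking.
        coef[idx, y] = -others.sum(axis=1)
        return coef @ self.W.T

    def accuracy(self, x, y):
        return float((self.logits(x).argmax(axis=1) == y).mean())

    def lipschitz_bound(self):
        """||logits(x) - logits(x')||_2 <= ||W||_2 * ||x - x'||_2, so the spectral norm is the bound."""
        return float(np.linalg.norm(self.W, 2))


def pgd_linf(model, x, y, eps, steps=10, seed=1):
    """Untargeted L-inf PGD with random start: signed-gradient steps projected onto the eps-ball."""
    alpha = 2.5 * eps / steps
    x_adv = x + np.random.default_rng(seed).uniform(-eps, eps, size=x.shape)
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(model.grad_input(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)
    return x_adv


def transfer_matrix(models, x, y, eps):
    """Entry [i][j]: accuracy of target model j on examples crafted against source model i."""
    adv = [pgd_linf(src, x, y, eps) for src in models]
    return [[tgt.accuracy(adv[i], y) for tgt in models] for i in range(len(models))]


def run_experiment(eps=0.8):
    x, y = make_dataset()
    xtr, ytr, xte, yte = x[:300], y[:300], x[300:], y[300:]
    models = {
        "unreg": LinearSoftmax(DIM, NUM_CLASSES, l2=0.0, seed=1).fit(xtr, ytr),
        "l2reg": LinearSoftmax(DIM, NUM_CLASSES, l2=0.05, seed=2).fit(xtr, ytr),
    }
    names = list(models)
    clean = {n: models[n].accuracy(xte, yte) for n in names}
    lip = {n: models[n].lipschitz_bound() for n in names}
    mat = transfer_matrix([models[n] for n in names], xte, yte, eps)
    return names, clean, lip, mat


if __name__ == "__main__":
    names, clean, lip, mat = run_experiment()
    print("clean accuracy:", clean)
    print("Lipschitz bound ||W||_2:", lip)
    for i, src in enumerate(names):
        print(f"PGD crafted on {src:>5}:", {tgt: round(mat[i][j], 2) for j, tgt in enumerate(names)})
```

The diagonal of the matrix is the white-box PGD(ε) accuracy of each model (the quantity plotted per model in Figure 2); the off-diagonal entries are the transfer results. Note that a linear model's decision rule is invariant to the scale of W, so weight decay lowers the Lipschitz bound without necessarily changing which inputs flip; in the paper's nonlinear PQCs the two effects are coupled, which is why the bound is informative there.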

Paper Structure (30 sections, 11 equations, 11 figures, 1 table)

Figures (11)

  • Figure 1: Examples of images in the corresponding classes of the synthetic dataset used for image classification.
  • Figure 2: Accuracy under PGD($\varepsilon$) attack for each investigated model. While all models are susceptible to attacks, the number of training epochs of the re-upload encoding model makes a difference in robustness.
  • Figure 3: Perturbed images resulting from PGD($0.1$) attacks for each model. The attacks clearly add a bar ($\pm 10$ degrees) to the left of each image, however differences in areas that do not bear semantic meaning are visible, e.g. in the amplitude encoding model we observe perturbations scattered across all parts of the image.
  • Figure 4: Accuracies under PGD($0.1$) transfer attacks from source model (row) to target model (column) for each pair of models in question. Attacks transfer notably better between ConvNet, Fourier net and re-upload encoding models than from/to amplitude encoding models.
  • Figure 5: Accuracies for transfer attacks from the classical Fourier net to regularized re-upload encoding PQC architectures.
  • ...and 6 more figures