Discrete Randomized Smoothing Meets Quantum Computing

Tom Wollschläger, Aman Saxena, Nicola Franco, Jeanette Miriam Lorenz, Stephan Günnemann

TL;DR

The paper targets certifiable robustness for ML models operating on discrete data by marrying discrete randomized smoothing with quantum amplitude estimation, achieving a quadratic reduction in the number of model evaluations required for certification. It formulates a discrete smoothing framework, encodes all perturbations in quantum superposition, and uses Quantum Amplitude Estimation to estimate the smooth classifier $g(\boldsymbol{x})$ more efficiently; the smooth classifier can also be interpreted as a phase via a Grover-like operator and extracted with phase estimation. The authors extend the framework to continuous data under discrete attacks, introducing a data-mapping strategy that preserves robustness guarantees, and validate the approach across Binary-MNIST, graph classification, and sentiment analysis. Collectively, the work demonstrates a practical quantum route to faster certifiable robustness for discrete data representations, with a clear path toward scalable robust QML and broader application across NLP, vision, and graph domains.

Abstract

Breakthroughs in machine learning (ML) and advances in quantum computing (QC) drive the interdisciplinary field of quantum machine learning to new levels. However, due to the susceptibility of ML models to adversarial attacks, practical use raises safety-critical concerns. Existing Randomized Smoothing (RS) certification methods for classical machine learning models are computationally intensive. In this paper, we propose the combination of QC and the concept of discrete randomized smoothing to speed up the stochastic certification of ML models for discrete data. We show how to encode all the perturbations of the input binary data in superposition and use Quantum Amplitude Estimation (QAE) to obtain a quadratic reduction in the number of calls to the model that are required compared to traditional randomized smoothing techniques. In addition, we propose a new binary threat model to allow for an extensive evaluation of our approach on images, graphs, and text.
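
An added example (not code from the paper): the smooth classifier $g(\boldsymbol{x})$ for binary data, computed exactly over all $2^n$ perturbations and by classical sampling, with the Hoeffding sample count set against the canonical amplitude-estimation error bound. The names `p_add`, `p_del`, `toy_classifier` and the input are assumptions, as is the independent per-bit flip model used for the noise.

```python
import itertools
import math
import random

def flip_prob(bit, p_add, p_del):
    # Assumption: a 0 is flipped to 1 with p_add, a 1 is flipped to 0 with p_del.
    return p_add if bit == 0 else p_del

def perturb_prob(x, z, p_add, p_del):
    """Probability that independent per-bit flips turn x into z."""
    p = 1.0
    for xi, zi in zip(x, z):
        q = flip_prob(xi, p_add, p_del)
        p *= q if xi != zi else 1.0 - q
    return p

def exact_smooth(f, x, p_add, p_del):
    """g(x) = P[f(x') = 1], summed over all 2^n perturbations x' of x."""
    return sum(perturb_prob(x, z, p_add, p_del) * f(z)
               for z in itertools.product((0, 1), repeat=len(x)))

def mc_smooth(f, x, p_add, p_del, n_samples, rng):
    """Classical randomized smoothing: one base-classifier call per sample."""
    hits = 0
    for _ in range(n_samples):
        z = tuple(xi ^ int(rng.random() < flip_prob(xi, p_add, p_del)) for xi in x)
        hits += f(z)
    return hits / n_samples

def classical_calls(eps, delta):
    """Hoeffding bound: samples for |estimate - g| <= eps w.p. >= 1 - delta."""
    return math.ceil(math.log(2 / delta) / (2 * eps ** 2))

def qae_error_bound(a, m):
    """Canonical QAE bound (Brassard et al.), M = 2^m for m counting qubits:
    |estimate - a| <= 2*pi*sqrt(a*(1-a))/M + (pi/M)^2 w.p. >= 8/pi^2."""
    M = 2 ** m
    return 2 * math.pi * math.sqrt(a * (1 - a)) / M + (math.pi / M) ** 2

def toy_classifier(z):
    # Constructed base classifier: 1 if at least three bits are set.
    return int(sum(z) >= 3)

if __name__ == "__main__":
    x = (1, 1, 0, 1, 0)                       # constructed binary input
    g = exact_smooth(toy_classifier, x, 0.3, 0.3)
    est = mc_smooth(toy_classifier, x, 0.3, 0.3, 2902, random.Random(0))
    print(f"exact g(x)={g:.4f}  Monte Carlo={est:.4f}")
    for m in (5, 6, 7):
        eps = qae_error_bound(g, m)
        print(m, f"{eps:.4f}", classical_calls(eps, 1 - 8 / math.pi ** 2))
```

Each extra counting qubit roughly halves the amplitude-estimation error bound, while the classical sample count must quadruple to halve its error; that gap is the quadratic reduction the abstract refers to.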

Paper Structure

This paper contains 28 sections, 3 theorems, 32 equations, 11 figures, 1 algorithm.

Key Result

Lemma 4.1

Let $\mathbf{x} \in \{0,1\}^n$ represent our binary data, $f: \mathbf{x}\mapsto \{0,1\}$ be the base classifier, and $p_{-}, p_{+} \in [0,1]$ be the probability of addition and deletion, respectively, as used in eq:drs_dist. Define, Then the following holds

This is only true up to a global phase but as we discuss in the proof, it will still lead to the desired Grover's operator and therefore for a

Figures (11)

  • Figure 1: Example of the worst-case classifier in one dimension; $c^* = 1$ and $c_{\text{other}} = 0$. In this figure $h(.)$ implies $h^*(.)$.
  • Figure 2: (a) Randomly selected validation image; (b) Window of perturbation, only the highlighted pixels are allowed to be perturbed and the subsequent robustness guarantees are only against attacks within that window; (c) Validation image randomly perturbed within the window.
  • Figure 3: Heatmaps showing the percentage of the 50 validation images under consideration that are robust against the indicated set of perturbations in the grid, for the quantum smooth classifier ($p_- = 0.3, p_+ = 0.3$) with (a) $5$, (b) $6$, (c) $7$ counting qubits and (d) for the actual smooth classifier.
  • Figure 4: Certified ratio, exact classifier vs quantum classifiers ($p_- = 0.3, p_+=0.3$) using $4$, $5$, $6$ and $7$ counting qubits evaluated for randomly selected $50$ images.
  • Figure 5: Convergence of error with number of calls to the oracle. Comparison of the classical vs quantum algorithm, with errors averaged over $50$ images from the MNIST test set.
  • ...and 6 more figures

Theorems & Definitions (6)

  • Lemma 4.1
  • Lemma 4.2
  • Theorem 4.3
  • Proof of Lemma (label: lemma:dist_load)
  • Proof of Lemma (label: lemma:convergence_quantum)
  • Proof of Theorem (label: thm:main)