
Computable Model-Independent Bounds for Adversarial Quantum Machine Learning

Bacui Li, Tansu Alpcan, Chandra Thapa, Udaya Parampalli

TL;DR

This work introduces the first computation of an approximate lower bound for adversarial error when evaluating model resilience against sophisticated quantum-based adversarial attacks, and provides a precise reference bound for the future development of robust QML algorithms.

Abstract

By leveraging the principles of quantum mechanics, QML opens doors to novel approaches in machine learning and offers potential speedup. However, machine learning models are well-documented to be vulnerable to malicious manipulations, and this susceptibility extends to the models of QML. This situation necessitates a thorough understanding of QML's resilience against adversarial attacks, particularly in an era where quantum computing capabilities are expanding. In this regard, this paper examines model-independent bounds on adversarial performance for QML. To the best of our knowledge, we introduce the first computation of an approximate lower bound for adversarial error when evaluating model resilience against sophisticated quantum-based adversarial attacks. Experimental results are compared to the computed bound, demonstrating the potential of QML models to achieve high robustness. In the best case, the experimental error is only 10% above the estimated bound, offering evidence of the inherent robustness of quantum models. This work not only advances our theoretical understanding of quantum model resilience but also provides a precise reference bound for the future development of robust QML algorithms.

Paper Structure

This paper contains 35 sections, 2 theorems, 41 equations, 9 figures, 3 tables.

Key Result

Theorem 1

In the metric space $(\mathcal{P}(\mathcal{H}), ||\cdot||_{\textrm{TD}})$ of pure states and trace distance, where $Sphere_{c,r}^\epsilon$ is the expansion of the set defined by the surface and interior of a sphere, i.e., $Sphere_{c,r} = \{x\;|\;|x-c|\leq r\}$. $Sphere_{c, r'}$ is the sphere with the same centre $c$ but a larger radius $r'$, where

Figures (9)

  • Figure 1: Illustration of classical and quantum input perturbation attack for QML when considering classical data as input.
  • Figure 2: An illustration of non-adversarial error and adversarial error. The machine learning problem here is classifying the two-moon dataset with SVM. The solid line represents the decision boundary (chosen to be linear for simplicity). Samples within the green circles cause non-adversarial errors. Samples within the purple circles contribute to adversarial errors. With a gradient-based attack of strength $\epsilon$, these additional adversarial samples will be perturbed across the boundary, as shown by the purple arrow.
  • Figure 3: Schematic diagram of the encoding and quantum-circuit step. From left to right, the quantum circuit consists of an input layer, the ansatz, and measurement gates. The input layer is the amplitude-encoding procedure. The ansatz consists of a pattern of parameterized quantum gates; two such layers are shown here. The single-qubit gates denoted by "R" are general $u_3$ gates with 3 parameters. In the $j$th layer, the qubit pairs $(i,\; i+j \bmod M)$ are entangled by CZ gates. We use 200 layers of these gates for all the models in the result section. At the end of the circuit, we measure and output the expectation $\langle \sigma_z^{(i)} \rangle$ for each of the 10 qubits corresponding to the 10 classes.
  • Figure 4: An illustration of the TD-PGD attack for amplitude encoding. For visual clarity, instead of a spherical surface, we draw the normalized vector space of the real quantum amplitudes as a flat surface. Step ① projects the gradient (blue arrow) onto the normalized vector space and assigns it an amplitude equal to the step-wise attack strength (blue circle). Step ② clips and projects the step-wise perturbation to the overall attack strength (green circle) if necessary, and updates the attack (green arrow).
  • Figure 5: The evolution of non-adversarial and adversarial error rates under classical perturbation attacks. The results show the error-rate evolution during the training of 3 different instances of QVC models on the MNIST and FMNIST datasets. The attack is an $l$-PGD attack of strength $\epsilon=100/255$. (a) and (b) show the estimates of the non-adversarial error rate; each data point is generated from the 10000 samples in the testing sets of MNIST and FMNIST. (c) and (d) show the estimates of the adversarial error rate; each data point is generated from 2500 samples (250 per class), which ensures that the standard deviation of the adversarial error rate is smaller than 0.04. For the aforementioned 4 diagrams, we also least-squares fitted power functions with negative exponent to the estimated error. These results are used to construct Fig. \ref{fig:trajectoryC}.
  • ...and 4 more figures

Theorems & Definitions (7)

  • Definition 1: Adversarial Error Rate
  • Definition 2: Adversarial Risk
  • Definition 3: Non-adversarial Risk (Error Rate)
  • Definition 4: Minimizing Adv. Risk via Error Region
  • Theorem 1
  • proof
  • Theorem 2: triangle inequality for Bures angles