Adversarial Robustness of Partitioned Quantum Classifiers

Pouya Kananian, Hans-Arno Jacobsen

TL;DR

The paper addresses the adversarial robustness of partitioned quantum classifiers implemented via circuit cutting in the NISQ era. It derives theoretical bounds on how inserting adversarial gates in intermediate layers can shift predictive confidence, and connects these effects to perturbations in wire-cut state preparation. Complementary experiments with parametrized quantum circuits on MNIST and FMNIST (downsampled to 16×16) compare single versus multiple adversarial layers and global versus local perturbations to assess vulnerability across depths. The results highlight security risks in distributed quantum computation and offer guidance for designing more robust quantum classifiers that leverage circuit-distribution techniques.

Abstract

Adversarial robustness in quantum classifiers is a critical area of study, providing insights into their performance compared to classical models and uncovering potential advantages inherent to quantum machine learning. In the NISQ era of quantum computing, circuit cutting is a notable technique for simulating circuits that exceed the qubit limitations of current devices, enabling the distribution of a quantum circuit's execution across multiple quantum processing units through classical communication. We examine how partitioning quantum classifiers through circuit cutting increases their susceptibility to adversarial attacks, establishing a link between attacking the state preparation channels in wire cutting and implementing adversarial gates within intermediate layers of a quantum classifier. We then proceed to study the latter problem from both a theoretical and experimental perspective.

Paper Structure

This paper contains 26 sections, 5 theorems, 58 equations, 28 figures, 1 table.

Key Result

Theorem 5.1

Consider a quantum classifier attacked by inserting adversarial gates within the intermediate layers of its circuit, where the classifier assigns label $k$ to the input state $\sigma$ with probabilities (equ-prob-k) and (equ-prob-k-attacked) before and after the attack, respectively. Then where $I^{\otimes d}$ and $I^{\otimes d_+}$ represent the $d$-qubit and $d_{+}$-qubit identity operators, res
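The setting of this result can be made concrete with a small robustness check. The following is an added example, not code or a bound from the paper: it simulates a hypothetical two-qubit, two-layer classifier, inserts a local gate RX(eps) on qubit 1 between the layers, and compares the change in the label probability with the standard operator-norm bound $|p' - p| \le \lVert \hat{U} - I \rVert_{op}$. The circuit, angles and function names are assumptions chosen for illustration.

```python
import math

# Constructed toy model (not the paper's architecture): qubit 1 carries the
# input state, qubit 2 is the ancilla/readout qubit. Basis index = 2*q1 + q2.
I2 = [[1, 0], [0, 1]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # control q1, target q2

def ry(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -s], [s, c]]

def rx(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -1j * s], [-1j * s, c]]

def kron(a, b):
    """Tensor product a (x) b, with a acting on qubit 1 and b on qubit 2."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def apply(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]

def layer(t1, t2):
    """One variational layer: RY on each qubit followed by a CNOT."""
    rot = kron(ry(t1), ry(t2))
    return lambda v: apply(CNOT, apply(rot, v))

def prob_label(state, k):
    """Probability that measuring the readout qubit (qubit 2) gives k."""
    return sum(abs(a) ** 2 for i, a in enumerate(state) if i % 2 == k)

def confidence_shift(eps, psi_angle=0.7, thetas=((0.4, 1.1), (0.9, 0.3))):
    """Return (p_clean, p_attacked, bound) for label 0 when RX(eps) on
    qubit 1 is inserted between layer 1 and layer 2 (angles are made up)."""
    psi = apply(kron(ry(psi_angle), I2), [1, 0, 0, 0])  # input on q1, ancilla |0>
    u1, u2 = layer(*thetas[0]), layer(*thetas[1])
    mid = u1(psi)                                       # state at the insertion point
    p_clean = prob_label(u2(mid), 0)
    p_attacked = prob_label(u2(apply(kron(rx(eps), I2), mid)), 0)
    # RX(eps) has eigenvalues exp(-/+ i*eps/2), so ||RX(eps) (x) I - I||_op
    # equals |exp(i*eps/2) - 1| = 2*|sin(eps/4)|.
    bound = 2 * abs(math.sin(eps / 4))
    return p_clean, p_attacked, bound

if __name__ == "__main__":
    for eps in (0.1, 0.5, 1.0, 2.0):
        p, q, b = confidence_shift(eps)
        print(f"eps={eps:.1f} clean={p:.4f} attacked={q:.4f} shift={abs(p - q):.4f} bound={b:.4f}")
```

The same harness can sweep the insertion depth or gate placement to see how far the observed shift falls below the bound for a given trained model.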

Figures (28)

  • Figure 1: A quantum classifier (a) without exposure to adversarial perturbations, (b) with an adversarial unitary gate impacting the input state, and (c) under the influence of multiple adversarial gates, highlighted in red. Here, $\sigma= \ket{\psi}\bra{\psi}$ and $\ket{a}\bra{a}$ denote the input and ancilla states, respectively. $U= U_n \cdots U_2 U_1$ depends on the parameter $\theta^*$ and each $\hat{U}_i \in S_{adv}$ denotes an adversarial perturbation operator. The adversarial gates may target a few local qubits or all qubits.
  • Figure 2: Quantum circuit partitioned using wire cutting. The original circuit in (a) could be simulated by running the subcircuits in (b) and combining the results through classical post-processing.
  • Figure 3: Using the decomposition in (\ref{equ-cut-perturbed-similar-unitaries}) rather than (\ref{equ-orig-wire-cut}) to implement wire cutting would result in a simulated quantum circuit with an additional adversarial gate $\tilde{U}$ compared to the original circuit in Fig. \ref{fig:quantum_circuit_partitioned}(a).
  • Figure 4: Architecture of the quantum classifier employed in our experiments. The top $d$-qubits correspond to the input state, while the $d_a$-qubits at the bottom represent the ancilla bits. The measurements at the output are performed on the bottom $\lceil \log_2{K} \rceil$ qubits. Depending on the experimental setup, a number of adversarial layers are added either within the classifier's architecture or before its first layer to perturb the input state. These adversarial layers can target all qubits or act locally on a subset of qubits. Throughout the rest of the paper, the qubit at the topmost wire will be referred to as qubit $1$, the qubit on the next wire below as qubit $2$, and so on, with the qubit at the bottommost wire labeled as qubit $d_+$.
  • Figure 5: These plots depict misclassification rate (y-axis) against attack strength (x-axis) for a binary classifier, where an adversarial block consisting of 10 layers is incorporated into a model with 10 existing layers. The plots on the left show the results for the MNIST dataset, with the plots on the right displaying the results for the FMNIST dataset. The performance of these adversarial blocks is compared with two cases where multiple adversarial blocks are inserted at different depths within the architecture. In the first case, the total number of adversarial layers is 10, whereas in the second case, there are 30 adversarial layers, organized into three blocks with 10 layers each. The attack strength is determined by the sum of Hilbert-Schmidt distances between the unitary operators the adversarial blocks induce and the identity operator. In the legend, each plot labeled '$q$-th layer' corresponds to an adversarial block located between the $q$-th and $(q+1)$-th layers of the classifier. In contrast, plots labeled '$[q_1, r_1], [q_2, r_2], [q_3, r_3]$' represent three adversarial blocks inserted between the $q_1$-th and $(q_1+1)$-th layers, the $q_2$-th and $(q_2+1)$-th layers, and the $q_3$-th and $(q_3+1)$-th layers, where the first, second, and third block consist of $r_1, r_2$, and $r_3$ adversarial layers, respectively. Note that the maximum Hilbert-Schmidt distance between two unitary operators is $\sqrt{2}$. Consequently, the sum of the distances between three unitary perturbation operators and the identity operator is at most $3\sqrt{2}$.
  • ...and 23 more figures

Theorems & Definitions (7)

  • Theorem 5.1
  • Corollary 5.2
  • Theorem 5.3
  • Lemma A.1: Subadditivity of diamond distance; Proposition 3.48 in watrous2018theory
  • Lemma A.2: Diamond and operator distance of unitaries; Proposition I.6 in haah2023query
  • proof
  • proof