
On the Generalization of Adversarially Trained Quantum Classifiers

Petros Georgiou, Aaron Mark Thomas, Sharu Theresa Jose, Osvaldo Simeone

TL;DR

This work develops a learning-theoretic framework for adversarially trained quantum classifiers, deriving PAC-style bounds via adversarial Rademacher complexity (ARC). It shows the excess generalization cost due to adversarial training scales as $\mathcal{O}(\mathcal{S}_{r,p,\epsilon}^{Q/C}/\sqrt{m})$, with the scale and sign determined by the embedding type (rotation vs amplitude) and the attack (classical vs quantum). Rotation embeddings can preserve adversarial generalization in high dimensions, while amplitude embeddings incur dimension-dependent penalties, and quantum attacks make the bounds depend on the Hilbert-space dimension $d_H$ (with tighter results under noise constraints). The paper extends to multi-class settings, provides numerical validation, and outlines future directions including device noise, stability, and non-uniform convergence analyses.

Abstract

Quantum classifiers are vulnerable to adversarial attacks that manipulate their input classical or quantum data. A promising countermeasure is adversarial training, where quantum classifiers are trained by using an attack-aware, adversarial loss function. This work establishes novel bounds on the generalization error of adversarially trained quantum classifiers when tested in the presence of perturbation-constrained adversaries. The bounds quantify the excess generalization error incurred to ensure robustness to adversarial attacks as scaling with the training sample size $m$ as $1/\sqrt{m}$, while yielding insights into the impact of the quantum embedding. For quantum binary classifiers employing rotation embedding, we find that, in the presence of adversarial attacks on classical inputs $\mathbf{x}$, the increase in sample complexity due to adversarial training over conventional training vanishes in the limit of high dimensional inputs $\mathbf{x}$. In contrast, when the adversary can directly attack the quantum state $\rho(\mathbf{x})$ encoding the input $\mathbf{x}$, the excess generalization error depends on the choice of embedding only through its Hilbert space dimension. The results are also extended to multi-class classifiers. We validate our theoretical findings with numerical experiments.

Paper Structure

This paper contains 33 sections, 9 theorems, 121 equations, 6 figures, 1 table, 1 algorithm.

Key Result

Theorem 1

shalev2014understanding Assume that the loss function $\ell(g,\rho(\mathbf{x}),y)$ is $[0,B]$-bounded. Then, with probability at least $1-\delta$, for $\delta \in (0,1)$, with respect to the random draws of dataset $\mathcal{D}$, the generalization error $G(g)$ of any classifier $g \in \mathcal{G}_r is the empirical RC of class $\mathcal{G}_r$ evaluated on dataset $\mathcal{D}$, with $\boldsymbol{

Figures (6)

  • Figure 1: (Adversarial) Generalization error (Test error $-$ Train error) plotted against number of training samples for an adversarially trained angle embedding based classifier. Despite adversarial training, the adversarial generalization error remains significant. Details about the dataset and quantum classifier used can be found in section \ref{sec:embeddings}.
  • Figure 2: The embedding $\rho(\mathbf{x})$ plays a key role in determining the performance of a quantum classifier [schuld2021machine, simeone2022introduction]. This paper studies the learning requirements for two main classes of embeddings in the presence of adversarial attacks. (Top) Rotation embedding schemes, including angle rotation embedding, dense rotation embedding, and their repeated variants, require a number of qubits that scales linearly with the dimension $d$ of the input vector $\mathbf{x}$. (Bottom) Amplitude embedding, which can encode a vector $\mathbf{x}$ of dimension $d$ into a quantum state whose number of qubits scales logarithmically with $d$. In this particular case we embed a $3$-dimensional input $\mathbf{x}$ into a $2$-qubit quantum state.
  • Figure 3: Illustration of a quantum classifier being subject to classical (top) and quantum (bottom) adversarial attacks.
  • Figure 4: Conventional and adversarial generalization errors (Top) and their respective upper bounds (Bottom) as a function of data dimension $d$. The angle embedding-based classifier was adversarially trained on $m=20$ samples against a classical $p=\infty, \epsilon=0.3$ adversary. The conventional and adversarial generalization errors converge in the limit of high dimensional data.
  • Figure 5: Conventional and adversarial generalization errors (Top) and their respective upper bounds (Bottom) as a function of data dimension $d$. The amplitude embedding-based classifier was adversarially trained on $m=20$ samples against a classical $p=\infty, \epsilon=0.3$ adversary. The conventional and adversarial generalization errors diverge in the limit of high dimensional data.
  • ...and 1 more figures

Theorems & Definitions (18)

  • Theorem 1
  • Theorem 2
  • proof
  • Theorem 3
  • proof
  • Proposition 1
  • Theorem 4
  • proof
  • Lemma 1
  • proof
  • ...and 8 more