Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Efficient Quantum Algorithm for Robust Training

Yue Wang, Guangyi He, Liepeng Zhang, Lukas Gonon, Qi Zhao

Abstract

Adversarial training is a standard defense against malicious input perturbations in security-critical machine-learning systems. Its main burden is structural: before every parameter update, the current model must first be attacked to find a new adversarial perturbation, making training increasingly expensive and hard to sustain at large-model scale. Here we give an end-to-end quantum procedure for projected-gradient robust training under local stability and sparsity assumptions. The key step is to reformulate the coupled attacker--learner dynamics as a high-dimensional sparse linear system whose terminal block yields the final network-parameter state. In this formulation, the dominant query cost scales linearly with training time steps, up to logarithmic factors, and polylogarithmically with model size, while the full gate complexity records separate input-preparation and sparse-access overheads. This places core computational tasks for AI security on a concrete quantum footing and identifies a regime in which robust-training overhead can be reduced.

Efficient Quantum Algorithm for Robust Training

Abstract

Adversarial training is a standard defense against malicious input perturbations in security-critical machine-learning systems. Its main burden is structural: before every parameter update, the current model must first be attacked to find a new adversarial perturbation, making training increasingly expensive and hard to sustain at large-model scale. Here we give an end-to-end quantum procedure for projected-gradient robust training under local stability and sparsity assumptions. The key step is to reformulate the coupled attacker--learner dynamics as a high-dimensional sparse linear system whose terminal block yields the final network-parameter state. In this formulation, the dominant query cost scales linearly with training time steps, up to logarithmic factors, and polylogarithmically with model size, while the full gate complexity records separate input-preparation and sparse-access overheads. This places core computational tasks for AI security on a concrete quantum footing and identifies a regime in which robust-training overhead can be reduced.

Paper Structure

This paper contains 11 sections, 12 theorems, 171 equations, 3 figures, 1 algorithm.

Table of Contents

  1. Problem setup and notation
  2. Polynomial update model of one robust-training step
  3. Main finite-step theorem
  4. Sign and clip approximation
  5. Discrete-time Carleman lift for the full-step recurrence
  6. Truncation remainder and Carleman error
  7. QLSA complexity
  8. Quantum preparation of the training trajectory and final-state readout
  9. Appendix discussion
  10. Numerical implementation details for the main-text experiment
  11. Extensions

Key Result

Theorem 1

Fix a final-output accuracy budget $\varepsilon_{\mathrm{out}}>0$. For the horizon system $M Y = B_{\mathrm{rhs}}$ associated with the truncated lifted trajectory of the polynomial surrogate dynamics, choose the cutoff $N$ and internal solver tolerance $\varepsilon_{\mathrm{LS}}$ according to the lo with query complexity and gate complexity where $N_h=(T+1)\Delta_N$ and $\Delta_N=\sum_{j=1}^{N}d

Figures (3)

  • Figure 1: From robust training to a quantum-accessible linear system.(a) A visually subtle perturbation changes the prediction of a fixed image classifier. (b) In robust training, each outer update may contain $K_t$ attack substeps and $L_t$ learner substeps. (c) Our reduction approximates one robust-training outer update by a polynomial map, lifts the training window to a high dimensional sparse linear system, and uses its normalized solution as a coherent encoding of the training trajectory.
  • Figure 2: Numerical verification of the reduced robust-training algorithm on MNIST digits $0$--$4$. Rows show clean-only, robust-only and mixed training ($\alpha=0.50$); columns show robust accuracy, clean accuracy and clean loss. Robust accuracy is evaluated with a $10$-step PGD attack. Each trajectory shows a short transient followed by stable plateaus over $1.2\times 10^5$ steps. The figure illustrates the behavior of the reduced update model used in the analysis.
  • Figure A.1: Logical dependencies among the main propositions and theorems.

Theorems & Definitions (22)

  • Theorem 1: Quantum recovery of the final parameter state over a fixed training window
  • Proposition A.1: Effective degree of the polynomial update
  • proof
  • Proposition A.2: Polynomial sign/clip design and one-step perturbation approximation
  • proof
  • Proposition A.3: From one-step approximation error to the lifted error term
  • proof
  • Proposition A.4: Discrete-time Carleman lift, time-unrolled system, and conditioning
  • proof
  • Proposition A.5: Majorant-based sufficient conditions for contractivity
  • ...and 12 more