ADVERSARIAL ROBUSTNESS BASED ON RANDOMIZED SMOOTHING IN QUANTUM MACHINE LEARNING

Abstract

We present an end-to-end Quantum Machine Learning algorithm for Quantum Adversarial Robustness (QuAdRo) that provides a certified radius for a base classifier, with robustness guarantees based on randomized smoothing, the state-of-the-art defense against adversarial attacks. Classically, the number of samples, and hence the number of queries to the base classifier, scales as O(1/ϵ²), where ϵ is the desired error bound on the expected value of the probability measure ρ defined over the randomized-smoothing neighborhood around the input. Our algorithm solves the same problem for a Quantum Computing classifier. We prove that the number of queries to the base classifier is O(1/ϵ) for the same confidence and error bound. We also present the unitary circuit for QuAdRo, including the state-preparation methods and circuits for the smoothing distributions used to defend against common adversaries, modelled using l0, l1, and l2 norms as well as other metrics. We conclude by comparing the classical algorithm with a simulation of the quantum algorithm.

1. INTRODUCTION

Machine Learning (ML) models have become ubiquitous over the last decade. There has also been massive interest in Quantum Computing (QC) and Quantum Machine Learning (QML) (Aaronson, 2015), with algorithms like Shor's factoring (Shor, 1999) and the HHL algorithm (Harrow et al., 2009) for solving linear systems of equations providing an exponential speedup over their classical counterparts. There exists another class of QC algorithms with a polynomial speedup: Grover's algorithm (Grover, 1996) for unstructured database search, Quantum Amplitude Estimation (QAE) (Brassard et al., 2002) for the counting problem, the Bernstein-Vazirani algorithm (Bernstein & Vazirani, 1997) for the parity problem, and others. The vulnerability of classical ML algorithms to malicious actors is a widely studied sub-domain (Goodfellow et al., 2014; Madry et al., 2017) of ML. Common attack vectors include data poisoning, backdoor attacks, and adversarial attacks. Adversarial attacks can easily trick well-trained classifiers into misclassifying an input perturbed by small, usually imperceptible, noise. QML algorithms are prone to the same problems (Weber et al., 2021; Liao et al., 2021; Guan et al., 2020; Lu et al., 2020; Ren et al., 2022). Popular methods for adversarial defense (Madry et al., 2017) find it challenging to train large, robust classifiers, which are essential for solving real-world problems at the scale of ImageNet (Deng et al., 2009) or larger. Moreover, these methods do not offer certifiable guarantees of robustness, even when they work well in practice. Randomized smoothing is a state-of-the-art method that offers provable robustness against adversarial attacks without any assumptions about the underlying classifier. The defense works by aggregating a classifier's output in a region around the input, henceforth called the smoothing neighborhood, and computing the average probability ρ_c of a class c.
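To make the aggregation concrete, the following sketch implements a classically smoothed prediction under an isotropic Gaussian smoothing distribution (the setting of Cohen et al., 2019). The function names, the choice of σ, and the sample count are illustrative assumptions, not part of the QuAdRo construction itself.

```python
import numpy as np

def smoothed_predict(base_classifier, x, sigma=0.25, n_samples=1000, rng=None):
    """Estimate the smoothed class probabilities rho_c by averaging the base
    classifier's votes over Gaussian noise drawn around the input x, then
    return the class with the highest estimated probability."""
    rng = np.random.default_rng() if rng is None else rng
    votes = {}
    for _ in range(n_samples):
        # Draw one point from the smoothing neighborhood around x.
        noisy = x + rng.normal(0.0, sigma, size=x.shape)
        c = base_classifier(noisy)
        votes[c] = votes.get(c, 0) + 1
    # rho[c]: empirical probability of class c under the smoothing distribution.
    rho = {c: v / n_samples for c, v in votes.items()}
    return max(rho, key=rho.get), rho
```

The same estimate of ρ_c is what both the classical Monte Carlo procedure and the quantum algorithm must produce; they differ only in how many base-classifier queries are needed for a given error bound ϵ.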
It is prohibitively expensive to compute the exact value of ρ_c over the smoothing neighborhood since the number of points is exponential in the input dimension. In practice, Monte Carlo sampling algorithms are used to estimate ρ_c. Typically, randomized smoothing for adversarial robustness (Cohen et al., 2019; Yang et al., 2020; Lee et al., 2019) requires N_classical ≈ 10^5 to 10^6 samples from the smoothing neighborhood.
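As a rough illustration of where the O(1/ϵ²) classical scaling and the 10^5-10^6 sample counts come from, the snippet below computes the sample size required by a standard two-sided Hoeffding bound. This is a simplification for intuition only: the cited works use tighter procedures (e.g. Clopper-Pearson intervals), and the ϵ and δ values here are assumed, not taken from the paper.

```python
import math

def hoeffding_samples(eps, delta):
    """Number of Monte Carlo samples sufficient for the empirical estimate of
    rho_c to lie within eps of its true value with probability >= 1 - delta,
    by the two-sided Hoeffding bound: N >= ln(2/delta) / (2 * eps^2).
    Note the O(1/eps^2) dependence on the error bound."""
    return math.ceil(math.log(2.0 / delta) / (2.0 * eps ** 2))

# For example, eps = 0.005 and delta = 0.001 give on the order of 1.5e5
# samples, consistent with the N_classical ~ 1e5-1e6 range quoted above.
```

Halving ϵ quadruples the classical sample count, whereas a quantum procedure with O(1/ϵ) query complexity would only double it.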

