ADVERSARIAL ROBUSTNESS BASED ON RANDOMIZED SMOOTHING IN QUANTUM MACHINE LEARNING

Abstract

We present an end-to-end Quantum Machine Learning algorithm for Quantum Adversarial Robustness (QuAdRo) that provides a certified radius for a base classifier, with robustness guarantees based on randomized smoothing, the state-of-the-art defense against adversarial attacks. Classically, the number of samples, which is also the number of queries to the base classifier, scales as $O(1/\epsilon^2)$, where $\epsilon$ is the desired error bound on the expected value of the probability measure $\rho$ defined over the randomized smoothing neighborhood around the input. Our algorithm solves the same problem for a Quantum Computing classifier. We prove that the number of queries to the base classifier is $O(1/\epsilon)$ for the same confidence and error bound. We also present the unitary circuit for QuAdRo, which includes the state preparation methods and circuits for the smoothing distributions used to defend against common adversaries, modelled using $l_0$, $l_1$, $l_2$ norms and other metrics. The results of the comparison between the classical algorithm and the simulation of the quantum algorithm are also discussed.

1. INTRODUCTION

Machine Learning (ML) models have become ubiquitous over the last decade. There has also been massive interest in Quantum Computing (QC) and Quantum Machine Learning (QML) (Aaronson, 2015), with algorithms like Shor's factoring (Shor, 1999) and the HHL algorithm (Harrow et al., 2009) for solving a linear system of equations providing an exponential speedup over their classical counterparts. There exists another class of QC algorithms with a polynomial speedup: Grover's algorithm (Grover, 1996) for unstructured database search, Quantum Amplitude Estimation (QAE) (Brassard et al., 2002) for the counting problem, the Bernstein-Vazirani algorithm (Bernstein & Vazirani, 1997) for the parity problem, etc. The weakness of classical ML algorithms against malicious actors is a widely studied sub-domain (Goodfellow et al., 2014; Madry et al., 2017) of ML. Common attack vectors include data poisoning, backdoor attacks, and adversarial attacks. Adversarial attacks can easily trick well-trained classifiers into misclassifying an input perturbed by a small, usually imperceptible, noise. QML algorithms are prone to the same problems (Weber et al., 2021; Liao et al., 2021; Guan et al., 2020; Lu et al., 2020; Ren et al., 2022). Popular methods for adversarial defense (Madry et al., 2017) find it challenging to train large, robust classifiers, which are essential to solving real-world problems at the scale of ImageNet (Deng et al., 2009) or larger. These methods do not offer certifiable guarantees of robustness, even when they work well in practice. Randomized smoothing is a state-of-the-art method that offers provable robustness against adversarial attacks without any assumptions about the underlying classifier. The defense works by aggregating a classifier's output in a region around the input, henceforth called the smoothing neighborhood, and computing the average probability $\rho_c$ of a class $c$.
It is prohibitively expensive to compute the exact value of $\rho_c$ over the smoothing neighborhood since the number of points is exponential in the input dimension. In practice, Monte Carlo sampling algorithms are used to estimate $\rho_c$. Typically, randomized smoothing for adversarial robustness (Cohen et al., 2019; Yang et al., 2020; Lee et al., 2019) requires $N_{classical} \approx 10^5$ to $10^6$ samples from the smoothing neighborhood.

Contributions. In this paper, we discuss a purely QC approach to implementing randomized smoothing, using an orthogonal representation for the input space and the existing formalism for the Quantum Counting problem (Brassard et al., 2002). We create a superposition of the smoothing neighborhood of the input image and use our quantum circuit to output the average probability of prediction $\rho_c$ for a class $c$. We also design qubit state encodings and state preparation circuits for $l_0$, $l_1$ and other $l_p$ norm adversaries, and provide results from the simulation of the algorithm in Section 6.

Theorem 1. QuAdRo encodes an input $x$ into a quantum state $|\psi\rangle$ and, for error $\epsilon$ and confidence $1 - \delta$, requires a total of $M = O(1/\epsilon)$ queries to the base classifier $QNN_c$ to return a certified radius for $x$. In comparison, any classical implementation of randomized-smoothing-based certification requires $M = O(1/\epsilon^2)$ queries for the same guarantees. Theorem 1 is proved in Sec 4, and QuAdRo is presented in Alg 1.
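The classical baseline that Theorem 1 compares against, as an added Python example that is not from the paper: Monte Carlo randomized smoothing with Gaussian ($l_2$) noise of scale $\sigma$, a one-sided Hoeffding bound standing in for the Clopper-Pearson bound used by Cohen et al. (2019), and the $\sigma \, \Phi^{-1}(p)$ certified radius. The toy linear classifier, the sample-budget function and the input point are constructed for illustration; halving $\epsilon$ quadruples the number of base-classifier queries, which is the $O(1/\epsilon^2)$ cost the quantum algorithm improves to $O(1/\epsilon)$.

```python
import math
import random
from statistics import NormalDist


def hoeffding_samples(eps, delta):
    """Classical query budget: number of base-classifier calls so that the Monte
    Carlo estimate of rho_c is within eps of the true value with probability at
    least 1 - delta (one-sided Hoeffding bound). Note the 1/eps^2 dependence."""
    return math.ceil(math.log(1.0 / delta) / (2.0 * eps * eps))


def smoothed_class_prob(base_classifier, x, sigma, c, n, rng):
    """Monte Carlo estimate of rho_c: fraction of Gaussian-perturbed copies of x
    (the l2 smoothing neighborhood with scale sigma) that the base classifier
    labels as class c. Every sample is one query to the base classifier."""
    hits = 0
    for _ in range(n):
        x_noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        if base_classifier(x_noisy) == c:
            hits += 1
    return hits / n


def certified_radius(p_lower, sigma):
    """l2 certified radius of Cohen et al. (2019): sigma * Phi^{-1}(p_lower).
    Only valid when the lower bound on the top-class probability exceeds 1/2;
    otherwise the smoothed classifier abstains and the radius is 0.0."""
    if p_lower <= 0.5:
        return 0.0
    return sigma * NormalDist().inv_cdf(p_lower)


def certify(base_classifier, x, sigma, eps, delta, rng):
    """Certify one input classically. Returns (predicted class, number of
    base-classifier queries spent, certified l2 radius)."""
    n = hoeffding_samples(eps, delta)
    c = base_classifier(x)            # candidate top class (taken from the clean input)
    p_hat = smoothed_class_prob(base_classifier, x, sigma, c, n, rng)
    p_lower = max(0.0, p_hat - eps)   # (1 - delta)-confidence lower bound on rho_c
    return c, n, certified_radius(p_lower, sigma)


def toy_classifier(x):
    """Constructed base classifier: class 1 iff x0 + x1 > 0, otherwise class 0."""
    return 1 if x[0] + x[1] > 0.0 else 0


def demo(seed=0):
    """Constructed input far from the decision boundary; eps=0.05, delta=0.01."""
    return certify(toy_classifier, [2.0, 2.0], 0.5, 0.05, 0.01, random.Random(seed))


if __name__ == "__main__":
    label, queries, radius = demo()
    print(f"class={label} queries={queries} certified l2 radius={radius:.3f}")
```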

2. RELATED WORK

2.1. RANDOMIZED SMOOTHING

The randomized smoothing method (Cohen et al., 2019; Yang et al., 2020) has achieved provable robustness against adversarial attacks. Given an input, one can define a smoothing neighborhood based on the threat model of the adversary, described by an $l_p$ norm and a scale parameter $\lambda$. Such a robust model outputs the most likely class in the smoothing neighborhood as returned by a base classifier, and this output is stable against $l_p$ perturbations. Cohen et al. (2019) first proved tight robustness guarantees for the $l_2$ norm adversary using Gaussian smoothing. Later, Yang et al. (2020) provided guarantees for a larger set of adversaries and smoothing distributions, except the $l_0$ norm, which was covered by Lee et al. (2019).

2.2. QUBIT STATE PREPARATION

Qubits are the logical units of information in Quantum Computers, equivalent to bits in classical computers. Any QC device is made up of qubits that have the following two properties: superposition and entanglement. Superposition refers to a qubit's ability to exist in multiple states at the same time, while entanglement refers to the ability of multiple qubits to exist in a shared state such that an operation on one qubit also affects the state of another qubit instantaneously, without any additional transfer of information. Generally, $n$ qubits span a $2^n$-dimensional space in which, for a bitstring $i = b_{n-1} \ldots b_1 b_0$, the state is $|i\rangle = \bigotimes_{j=0}^{n-1} |b_j\rangle$ with $b_j \in \{0, 1\}$. There are numerous methods for encoding information into qubit states, often optimized for the target problem. For example, the Novel Enhanced Quantum Representation (NEQR) (Zhang et al., 2013) and the Flexible Representation of Quantum Images (FRQI) (Le et al., 2011) used for QC image algorithms differ from variational heuristics for calculating molecular energies like the Unitary Coupled-Cluster ansatz (Romero et al., 2018). Encoding methods popular in QML applications use the amplitude of a quantum state $|i\rangle$ as the representation of the input vector element $x[i]$ to be encoded. This representation is very efficient but has the drawback that quantum search, amplitude estimation, etc., cannot be applied to such qubit states due to a lack of orthogonality. Amplitude encoding uses the same number of gates but a logarithmic number of qubits compared to basis state encoding. A number of distributions can be prepared as a superposed qubit state (Rattew & Koczor, 2022): log-concave distributions (Grover & Rudolph, 2002), the uniform distribution using the Quantum Fourier Transform (Deutsch, 1985), etc. Distribution parameters can be modified either during state preparation or mid-circuit, using circuits like QADD (Koch et al., 2022).
QFT and inverse QFT, in particular, are a common pair of pre- and post-processing circuits that concentrate information from a superposition via a Fourier transform.

Given a Boolean objective function $f$ defined over an unstructured space $S$ of size $N$ such that $\exists x \in S : f(x) = 1$, and a QC oracle operator $O$ with $O\,|x\rangle|y\rangle = |x\rangle|y \oplus f(x)\rangle$, Grover's search algorithm (Grover, 1996) allows searching for $x$ in $O(\sqrt{N})$ calls to $O$. Using state preparation subroutine U

