Enhancing Quantum Adversarial Robustness via Randomized Encodings
ORAL
Abstract
The interplay between quantum physics and machine learning gives rise to an emergent frontier of quantum machine learning, where advanced quantum learning models may outperform their classical counterparts in solving certain challenging problems. However, quantum learning systems are vulnerable to adversarial attacks: adding tiny, carefully crafted perturbations to legitimate input samples can cause misclassifications. Here, we propose a general scheme to protect quantum learning systems from adversarial attacks by randomly encoding legitimate data samples and analytically study the effectiveness of our approaches. We first rigorously prove that both global and local random unitary encoders on any input data lead to exponentially vanishing gradients (i.e., barren plateaus) for adversary variational quantum circuits that add perturbations, regardless of the inner structures of adversarial circuits and classifiers. We apply this random encoding technique to the classification of topological phases of matter and numerically demonstrate the robustness improvement through exponentially vanishing adversarial gradients. Based on the observation that experimental noise is mostly local, we provide an analytical bound on the vulnerability of quantum classifiers under local unitary adversarial attacks. We additionally show that random black-box quantum error correction encoders can protect quantum classifiers against local adversarial noise and the robustness increases as we concatenate error correction codes in fault-tolerant quantum computation. To quantify the robustness, we adapt the concept of quantum differential privacy to measure the stability of the prediction given by a quantum classifier. Our work sparks new connections among concepts and techniques for evaluating and improving the security of quantum learning systems, which will provide valuable guidance for both near-term and future quantum machine learning technologies.
Presenters
- Weiyuan Gong (Tsinghua University)
Authors
- Weiyuan Gong (Tsinghua University)
- Dong Yuan (Tsinghua University, Center for Quantum Information, IIIS, Tsinghua University)
- Weikang Li (Tsinghua University)
- Dong-Ling Deng (Tsinghua University)