Robust in Practice: Adversarial Attacks on Quantum Machine Learning
Haoran Liao, Ian Convy, William J. Huggins, K. Birgitta Whaley
Adversarial Robustness of Quantum Machine Learning Models
Haoran Liao,^{1,2,*} Ian Convy,^{3,2} William J. Huggins,^{3,2} and K. Birgitta Whaley^{3,2}
^1 Department of Physics, University of California, Berkeley, CA 94720, USA
^2 Berkeley Quantum Information and Computation Center, University of California, Berkeley, CA 94720, USA
^3 Department of Chemistry, University of California, Berkeley, CA 94720, USA
(Dated: October 19, 2020)

State-of-the-art classical neural networks are observed to be vulnerable to small crafted adversarial perturbations. Quantum machine learning models classifying Haar-random pure states show similar behavior, in that they exhibit exponentially decreasing robustness in the number of qubits against adversarial perturbations. This stems from the concentration of measure phenomenon, a property of the metric space when sampled probabilistically, and is independent of the classification protocol. In this paper, we discuss these vulnerabilities in classifying Haar-random pure states, as well as in classifying a subset of encoded states smoothly generated from a Gaussian latent space. We derive the potential prediction-change adversarial robustness of any quantum classifier in this setting that results from the measure concentration in the latent space. Our analysis provides insights into the adversarial robustness of any quantum classifier in real-world classification tasks and, by contrast, shows only mildly polynomially decreasing potential robustness in the number of qubits.
I. INTRODUCTION
Quantum machine learning (QML) protocols, by exploiting quantum mechanics principles such as superposition, tunneling, and entanglement [1], have given hope of outperforming their classical counterparts, even with noisy intermediate-scale quantum (NISQ) [2] hardware in the near term [3]. For classification tasks where statistical patterns can be revealed in complex feature spaces, the high-dimensional Hilbert space of sizable quantum systems offers a naturally advantageous starting ground for QML models. However, many state-of-the-art classical machine learning models, such as deep neural networks with complicated internal feature mappings, have been shown to be vulnerable to small crafted perturbations to the input, namely adversarial examples. These are intentional worst-case perturbations to the original samples with an imperceptible difference that are nevertheless misclassified by the classifier [4, 5]. This not only raises questions as to why well-performing classifiers suffer from such instabilities but also poses security threats to machine learning applications that emphasize reliability, such as spam filtering [6]. To understand this unreliable behavior, the transferability of these attacks across different architectures and the robustness against perturbations have led to extensive investigations in the classical machine learning community in recent years [7–9]. Notably, some geometric and probabilistic arguments, based on curvatures of decision boundaries [10] and the concentration of measure [11–15], have been employed to quantify the risk of adversarial attacks in various settings.
With the concentration of measure in certain metric probability spaces, the robustness of any classifier, independent of its specifics, is shown to be suppressed by the dimension of the space on which it classifies [11]. This has raised attention in the QML community, where the models take advantage of the high dimensionality of quantum systems [16–18]. The concentration of measure is the phenomenon that points tend to gather around partitions with sufficient probability measure in certain metric probability spaces, and thus, for any reasonably smooth function evaluated on such a space, there is a high probability of obtaining values close to the average [19–23]. In our context, it means that if samples are selected from such a concentrated space, their classifier-predicted confidence, if not varying too rapidly, tends to the critical value. As such, small crafted perturbations can move the samples across the decision boundary. In particular, this phenomenon can lead to extreme vulnerabilities of any quantum classifier on high-dimensional Haar-random pure states. Nevertheless, there is no indication of whether such vulnerability exists when classifying a subset of encoded pure states.

In this paper, we regard quantum states and classifiers as geometric objects. We hope to use this perspective to study aspects of the problem that are relevant to practical applications of QML, and we leave out considerations on the number of copies of a state that are required. We derive the potential robustness of general quantum classifiers in classifying a subset of encoded pure states whose distribution can be smoothly mapped from a concentrated latent representation [15]. This resembles a real-world application of QML models, such as recognizing natural images generated from a Gaussian latent space by various commonly used generative models [24–29]. The success of these generative models for real-world data generation implies that our results shed light on QML models processing real-world data.
We demonstrate that the adversarial robustness in this setting decreases as O(1/√n) in the number of qubits n, with the scaling measured in the trace norm. This decline in the potential robustness is mild, indicating that a quantum classifier can be robust to attacks on high-dimensional quantum states. In contrast, when considering prediction-change adversarial settings where the inputs are pure states drawn Haar-randomly, we show that the robustness decreases as O(1/n) in the number of qubits, implying extreme vulnerabilities to attacks in high-dimensional quantum systems [16].

The paper is structured as follows: in Section II, we introduce the set-ups and preliminaries of both classical and quantum adversarial attacks. In Section III, we show the prediction-change adversarial robustness of any quantum classifier on Haar-randomly selected pure states and explain its practical limitations. In Section IV, we derive the main results on the adversarial robustness of any quantum classifier classifying a smoothly generated distribution from a concentrated latent representation over a subset of encoded states of interest, and propose a feasible modification to any quantum classifier to lower bound the unconstrained adversarial robustness. In Section V, a summary and discussion of the derived robustness in the two settings are presented.

II. BACKGROUND

A. Classical Adversarial Attacks
Classical adversarial attacks were introduced to analyze the instability of deep neural networks caused by a small change to the input sample. Classically, confidence is often quantified as the probability corresponding to the label class in the normalized discrete output distribution, e.g., the largest softmax value in the output vector of a multi-class logistic-regression convolutional neural network. As numerically shown in various works, such an attack results in a significant drop in the confidence in the correct class [4, 8, 30, 31], and may also bring a significant increase in the confidence in the incorrect class [5]. So far, some arguments have been proposed to explain the vulnerabilities of various classifiers to adversarial attacks and their transferability [5, 14, 32–34], yet no conclusive consensus has been established [35].

The most common type of adversarial attack is the evasion attack, where the adversary does not interfere with the training phase of a classifier and perturbs only the testing samples [7]. The adversary can devise white-box attacks if it possesses total knowledge about the classifier architecture, or otherwise it can devise black-box attacks relying on transferability [7, 8]. We shall focus on white-box evasion attacks.

We introduce some notation and definitions used in this paper. Let (X, d, µ) denote the sample set X with a metric d and a probability measure µ. The notation x ← µ denotes that a sample x is drawn with probability measure µ. L denotes the countable label set. For a subset S ⊆ X, we let d(x, S) = inf{d(x, y) | y ∈ S} and let B_ε(x) = {x′ | d(x, x′) ≤ ε} be the ε-neighborhood of x, where d is the metric on X. We also let S_ε = {x | d(x, S) ≤ ε} be the ε-expansion of S. h is a hypothesis or a trained classifier that maps each x ∈ X to a predicted label l ∈ L. c is the ground-truth function that maps each x ∈ X to a correct label l ∈ L.
h_l denotes the set of samples classified as label l, namely h_l = {x ∈ X | h(x) = l}. The error region M is the set of samples on which the hypothesis disagrees with the ground truth, namely M = {x | h(x) ≠ c(x)}. We define the risk as R(h, c) = Pr_{x←µ}[h(x) ≠ c(x)] = µ(M). The two relevant types of evasion attacks studied here are based on the error region and the prediction change. In an error-region attack, the ground-truth function c is accessible and an attack occurs when a perturbation in the sample causes h to disagree with c. In contrast, a prediction-change attack emphasizes the instability of h: an attack occurs when a perturbation results in a different prediction by h, and c is irrelevant. The precise definitions of these two types of attacks are as follows.

Definition 1.
The error-region adversarial risk under ε-perturbation is the probability of drawing a sample such that its ε-neighborhood intersects with the error region,

$$R^{\mathrm{ER}}_{\varepsilon}(h, c, \mu) = \Pr_{x \leftarrow \mu}\left[\exists\, x' \in B_{\varepsilon}(x) \,\middle|\, h(x') \neq c(x')\right].$$

Definition 2.
The prediction-change adversarial risk under ε-perturbation is the probability of drawing a sample such that its ε-neighborhood contains a sample with a different label,

$$R^{\mathrm{PC}}_{\varepsilon}(h, \mu) = \Pr_{x \leftarrow \mu}\left[\exists\, x' \in B_{\varepsilon}(x) \,\middle|\, h(x) \neq h(x')\right],$$

equivalently,

$$R^{\mathrm{PC}}_{\varepsilon}(h, \mu) = \Pr_{x \leftarrow \mu}\left[\min_{x' \in X}\{ d(x', x) \mid h(x') \neq h(x) \} \le \varepsilon\right].$$

In either type of attack, we call the nearest misclassified examples the adversarial examples. We say that h is more robust if the induced risk of either type is lower for a certain ε-perturbation. We shall refer to the minimal ε-perturbation to x resulting in an adversarial example as the adversarial perturbation, or the robustness of x with h. In contrast, we shall refer to the adversarial robustness of h as the size of ε necessary for the adversarial risk of h to be upper bounded by some constant.

B. Quantum Adversarial Attacks
For our work, a quantum classifier is a quantum channel E that assigns labels with some set of positive-operator-valued measures (POVMs) {Π_s}. The quantum classifier takes in an ensemble of identically prepared copies of a state and assigns the state a label. The confidence of a prediction is quantified as the expectation value of the POVM for the prediction, namely tr(E(ρ)Π_s) for an input density matrix ρ. To measure the perturbation size, the natural choice of metric on quantum states – the trace distance – can be shown to generate an upper bound on the difference between their quantum classification confidences (see Appendix A), which implies that no small variation can induce a large swing in the predictive confidence. This property of the trace distance is a consequence of its interpretation as the achievable upper bound on the total variation distance [36] between probability distributions arising from measurements performed on those quantum states [37]. Furthermore, we show in Appendix A that the Hilbert-Schmidt norm, the Bures distance, and the Hellinger distance between two quantum states all generate a similar upper bound. As a result, in quantum adversarial attacks, the adversary either perturbs the states near the decision boundary minimally to seek misclassification, or aims to maximize the confidence change of any state with associated perturbations that are upper bounded by some considerable size in these norms. Our work analyzes primarily the risks due to the former objective. In Appendix B, we also propose a method for the latter objective exploiting the reversibility of parametrized quantum circuits (see e.g. [38, 39]).
We note that the latter adversarial setting is justified, since in order to assess the security of a classifier under attack, it is reasonable – given a feasible space of modifications to the input data – to assume that the adversary aims to maximize the classifier's confidence in wrong predictions, rather than merely perturbing minimally [8].

There are two natural set-ups of adversarial attacks in QML that can be specified. The first is when the input data to the classifier is already quantized and any data transmitted through the quantum communication network comes from an untrusted party. The adversary can be a sender or an interceptor who either transmits density matrices that are all undesirably perturbed a little, or substitutes a small portion of the state copies (see Appendix A). In a broader context, our analysis can be extended to the instability of classifying quantum states subject to decoherence. We focus on this first set-up in the paper. The second set-up is when the input to the quantum classifier is classical. The quantum classifier encodes the classical data before classifying. Since the adversary is perturbing the classical input data, it is effectively attacking classically. Viewing such a quantum classifier as a black-boxed hypothesis function, any classifier-agnostic classical theory (see e.g., [10, 15]) can be directly applied.

C. Quantum Data Encoding
Considering a normalized positive vector u of length n, without loss of generality, we intuitively refer to it as a gray-scale image with n pixels in this paper. We focus on a particular set of encoding schemes where each pixel u_i ∈ [0, ] is featurized into a qubit-encoding state |φ_i⟩. To be classified is the product state |φ⟩ of them in the n-dimensional Hilbert space [40–43], namely

$$|\phi\rangle = \bigotimes_{i=1}^{n} |\phi_i\rangle = \bigotimes_{i=1}^{n} \Big[ \cos\!\big(\pi u_i\,\big)\,|\,\rangle + \sin\!\big(\pi u_i\,\big)\,|\,\rangle \Big]. \qquad (1)$$

The qubit-encoding states, Eq. (1), do not require a quantum random access memory (QRAM) [44] and are efficient in time to prepare. Other schemes, including amplitude encoding (see e.g., [45]), are not considered here. We note that some of our results are general and independent of the encoding scheme. We further generalize Eq. (1) to qudits where each pixel is mapped to a Hilbert space of higher dimension d ≥ , in which the j-th component of the qudit state is

$$\big(|\phi_i\rangle\big)_j = \sqrt{\binom{d-\,}{j-\,}}\;\cos^{\,d-j}\!\big(\pi u_i\,\big)\;\sin^{\,j-\,}\!\big(\pi u_i\,\big). \qquad (2)$$

These qudit states are special cases of what are known as spin-coherent states [40], and the qubit states in Eq. (1) correspond to d = 2.

D. Concentration of Measure Phenomenon
Let Σ ⊆ X be a Borel set [46]. The concentration function, defined as

$$\alpha(\varepsilon) = 1 - \inf_{\Sigma \subseteq X}\left\{ \mu(\Sigma_{\varepsilon}) \,\middle|\, \mu(\Sigma) \ge \ \right\}, \qquad (3)$$

has a smaller value when more points are aggregated in the ε-expansion of a sufficiently large Σ, for a fixed ε. Informally, a space X exhibits a concentration of measure if α(ε) decays very fast as ε grows, and we shall refer to it as a concentrated space. This is true for a simple example, the standard Gaussian distribution (R, ℓ, N(0, )). Looking at the Borel set Σ = (−∞, ) whose probability measure is / , the cumulative density outside its ε-expansion, namely R \ Σ_ε = (ε, +∞), decreases at least as fast as exp(−ε / ) by the tail bound [47]. One can invoke the isoperimetric inequality [48] to show that this clustering occurs around any Borel set with measure at least / and applies to any canonical m-dimensional Gaussian measure in the Euclidean space (see Appendix G). More formally, a family of N-dimensional spaces with corresponding concentration functions α_N(·) is called a (k₁, k₂)-normal Lévy family if α_N(ε) ≤ k₁ exp(−k₂ ε N), where k₁ and k₂ are particular constants. Consequently, the measure is more concentrated for a higher dimension. Two notable normal Lévy families are SU(N) and SO(N), both of which are equipped with the Hilbert-Schmidt norm L and the Haar probability measure ν [49, 50]. An implication of this phenomenon is that when points x are drawn from a highly concentrated space, for any function f that does not vary rapidly, we have f(x) ≈ ⟨f⟩ with high probability. Lévy's Lemma [19, 20] constitutes a specific example of this.

E. Related Work
The work in [11] considered any normal Lévy family and derived the potential robustness for error-region adversarial attacks. The results show that for a nice classification problem [51], if µ(M) = Ω(1), the size of perturbations must be O(1/√N) in order to have the error-region adversarial risk upper bounded by some constant, where N is the dimension of the concentrated space. References [12, 13] studied some specific concentrated spaces and revealed the same scaling.

Reference [16] transforms the classification of pure states |φ⟩ into that of unitaries U in |φ⟩ = U$|\vec{\,}\rangle$ for some fixed initial state $|\vec{\,}\rangle$. These quantum classifiers then classify samples drawn from SU(N) equipped with the Haar probability measure ν and the Hilbert-Schmidt norm, which is a (√ , / )-normal Lévy family. Therefore, if µ(M) > , the necessary condition on the perturbation size for the error-region adversarial risk to be bounded above by  − γ for some γ ∈ [0, ) is O(1/√N). Precisely, to have R^{ER}_ε(h, c, ν) ≤  − γ, the ε-perturbation to any unitary must be upper bounded as [52]

$$\varepsilon \le \sqrt{\frac{\,}{N}}\left[\sqrt{\ln\!\left(\frac{\sqrt{\,}}{\mu(M)}\right)} + \sqrt{\ln\!\left(\frac{\sqrt{\,}}{\gamma}\right)}\right]. \qquad (4)$$

III. PROBLEMS WITH PRACTICAL CLASSIFICATIONS
The result in Eq. (4) claims that when classifying unitaries in SU(N) with the Haar measure, given that an adversary can devise white-box attacks and µ(M) is not exponentially suppressed by N, the robustness of any quantum classifier decreases polynomially in the dimension of the input N. This is daunting since the input has a dimension N = d^n exponential in the number of qudits. To apply any result related to Eq. (4), a ground-truth function c on SU(N) is needed to obtain the risk µ(M). However, c may not be easily defined in a real-world machine learning task. For instance, it is challenging to define what constitutes a mistake for visual object recognition. After adding a perturbation to an image, it likely no longer corresponds to a photograph of a real physical scene [53]. Furthermore, it is difficult to define the labels for images undergoing gradual semantic change. All of these factors complicate the evaluation of µ(M). This motivates us to focus on prediction-change adversarial risks (see e.g., [10, 13, 53]) in order to avoid requiring access to the ground truth. The following theorem and corollary then apply.

Theorem 1.
Let SU(N) be equipped with the Haar measure ν and the Hilbert-Schmidt norm L. For any hypothesis h : SU(N) → L that is not a constant function, let η ∈ [0, / ) determine the measure of the dominated class such that ν(h_l) ≤  − η, ∀ l ∈ L. Suppose U ∈ h_l, V ∉ h_l and a perturbation U → V occurs, where ‖U − V‖ ≤ ε. If the prediction-change adversarial risk R^{PC}_ε(h, ν) ≤  − γ, then ε must satisfy

$$\varepsilon \le \sqrt{\frac{\,}{N}}\left[\sqrt{\ln\!\left(\frac{\sqrt{\,}}{\eta}\right)} + \sqrt{\ln\!\left(\frac{\sqrt{\,}}{\gamma}\right)}\right]. \qquad (5)$$

Corollary 1.
With ρ = U$|\vec{\,}\rangle\langle\vec{\,}|$U† and σ = V$|\vec{\,}\rangle\langle\vec{\,}|$V†, Eq. (5) translates to a necessary upper bound in the trace norm between the pure-state density matrices,

$$\|\rho - \sigma\| \le \frac{\,}{N}\,\lambda = \Omega(d^{-n}).$$

With the qudit encoding in Eq. (2), a naive translation of this necessary upper bound to that in the ℓ norm of the encoding vectors u and v gives

$$\|u - v\| \le \frac{\,n}{\pi}\cos^{-1}\!\left[\left(\ - \frac{\,}{N}\lambda\right)^{\frac{\,}{(d-\,)n}}\right] = \Omega\!\left(d^{-n}\sqrt{n}\right),$$

where N = d^n and λ = [ln(2√ /η)]^{ / } + [ln(2√ /γ)]^{ / } with η and γ defined in Theorem 1.

The proofs can be found in Appendices D and E. The interpretation of Theorem 1 and Corollary 1 is clear: given that no class occupies Haar measure , any quantum classifier on quantum states is more vulnerable to prediction-change adversarial attacks on higher-dimensional pure states drawn Haar-randomly, with the robustness decaying exponentially in the number of qudits.

In what follows, we apply this theorem to a practical task by presenting two perspectives on the application, in order to illustrate the limitations of the theorem. Suppose that the objective of the practical task is to classify a subset of quantum states, for example the pure product states in Section II C that encode images displaying a digit 0 or 1. On one hand, if we label unitaries not related to an actual image, together with unitaries associated with noisy images not displaying a digit 0 or 1, in a third class, this class will have measure 1, since the set of all unitaries that evolve the initial $|\vec{\,}\rangle$ to some final pure product state |φ⟩ has Haar measure 0 in SU(N) [54]. For example, when n = 1, this can be seen by recognizing that the encoded states {|φ⟩} correspond to only a fraction of the circle going through | ⟩ and | ⟩ on the Bloch sphere. This labeling renders Theorem 1 useless for any h trained in this way because η = 0.
On the other hand, if we train a binary h to classify half of SU(N), including unitaries corresponding to 0-digit images, to l = 0, and the other half, including unitaries corresponding to 1-digit images, to l = 1, then η = 1/ . Using Eq. (5) then gives O(1/√(d^n)) robustness against prediction-change adversarial attacks, again suggesting extreme vulnerabilities in high dimensions.

However, the interpretation of this result is not of practical interest, for the following reasons. We emphasize that in applying Theorem 1 or Eq. (4), the notion of adversarial risk in Definition 2 represents the probability of perturbing a Haar-randomly selected unitary by some ε to its adversarial example. It does not represent, for instance, the probability of perturbing a particular unitary associated with a real image to its adversarial example, nor does it represent the risk of attacking a unitary drawn from any other distribution over some subset. Therefore, if the task is to train and generalize a quantum classifier on a subset of quantum states with some distribution, this theorem cannot claim vulnerabilities that are exponential in the number of qudits. It is also noted that, as far as how Eq. (4) and Theorem 1 are formulated, the perturbed states cannot be mixed states, since these are mapped from $|\vec{\,}\rangle\langle\vec{\,}|$ by completely positive and trace-preserving (CPTP) maps rather than by unitaries. In Section IV, we shall see that this is an example of an in-distribution attack, which applies to scenarios where both the original and perturbed states are pure.

IV. CLASSIFICATIONS ON GENERATOR OUTPUT DISTRIBUTIONS

A. Concentration in Generated Distributions
In practice, one is interested in the performance of a classifier on a distribution over some subset of meaningful samples, such as the subset of images displaying digits, including the MNIST data set. It is this distribution on which the adversarial risk should be computed in order to infer the extent of the vulnerability. To ensure that the probability measure on the classifier-input space covers meaningful samples, we resort to approximating the distribution over meaningful samples using the image of a smooth generator function on a concentrated latent space, trained on samples of interest [15]. Following convention, we refer to the latter as a real-data manifold. Such a generator can be a Normalizing Flow model [24–26] or the generator of a Generative Adversarial Network (GAN) [27–29], both with a Gaussian latent space, trained on the same data set that the classifier will be trained on. A generative model serving this purpose is also referred to as a spanner [55]. In this way, a major fraction of the samples in the generator output S can be related to samples of interest, despite the fact that the smoothness of the generator may introduce some samples off the real-data manifold, such as those undergoing gradual semantic change during interpolations. This generative set-up can be generalized to multiple generators on the same latent space. However, each generator maps to a disjoint part of the real-data manifold, overcoming the problem of covering the region off the real-data manifold when the latent space is globally connected [56]. This generalization requires relaxing the demand that ω(0) = 0 in Eq. (6) below. As a result, no data off the real-data manifold is generated in S.

The reason that we require the latent space to be concentrated is so that we can study the concentration of samples in the generator-output space resulting from the concentration of the latent space.
This connection is made by the assumption that the generator is smooth, in the sense that it admits a modulus of continuity (i.e., it is uniformly continuous), namely there exists a monotone invertible function ω(·) such that

$$\|g(z) - g(z')\| \le \omega\big(\|z - z'\|\big), \quad \forall\, z, z' \in Z, \qquad (6)$$

where ‖·‖ is the metric equipped by the image of g. This is a weaker condition than Lipschitz continuity, which results when ω(·) is a linear function. In this paper, we assume ω(·) to yield a tight upper bound in Eq. (6), and we demand ω(τ) to be small for small τ for a smooth generator. The idea is that any tendency to concentration of measure in the latent space is preserved by such a smooth mapping to its image, and the generated samples then follow a modified concentrated distribution. We can imagine that if some pairs of latent variables from different classes are within distance b across the class boundary in the generator domain, their generator images must accordingly be within distance at most ω(b) across the boundary. This can also display a clustering. Although the tendency to cluster is preserved, the extent to which the points in the generator image gather is mediated by the modulus of continuity. A tight upper bound with ω(·) that yields distances larger than the typical distances in the output space means that generated samples can be further apart, and vice versa. As far as adversarial robustness is concerned, a larger ω(·) is then favorable, since it implies that larger perturbations are needed to definitively perturb a larger number of generated samples across decision boundaries.

In generating these to-be-classified samples, the fact that a large probability density resides near the decision boundary is not at odds with a trained classifier that predicts training samples with high confidence.
The training samples comprise only a subset of the support of the generator-output distribution. High-confidence training samples result from the classifier drawing the decision boundaries away from them. When such a decision boundary encloses a sufficiently large measure, it then inevitably encounters large probability densities – as dictated by the concentration of measure phenomenon on these distributions – that do not contribute to training. As a result, when generalizing to test samples that are similar to the training samples, some test samples may be located near the boundary and be the vulnerable targets of adversarial attacks.

B. Robustness of QML Models
We consider the quantum adversarial attack set-up where the input to the classifier is already quantized and transmitted through a quantum communication network. Let our latent space Z be, for example in this paper, R^m with the Euclidean metric ℓ and the canonical m-dimensional Gaussian measure N_m ≡ N(0, I_m), so that it is a concentrated space. Let z ← N_m in Z. Suppose that a smooth generator g : Z → S ⊆ X is trained to generate a distribution ξ of concern, such as some distribution of natural images, on a subset S of X. For a sample g(z) ∈ S, we then have ξ(g(z)) = N_m(z).

The generator is a composition g = g₂ ∘ g₁: g₁ maps the latent space to a subset of n-pixel natural images, and g₂ then encodes the natural image into a density matrix defined in Eq. (2). That is, g(z) = |φ(z)⟩⟨φ(z)| = ρ(z) ∈ S ⊆ X, where S – the image of g – is a subset of all density matrices X. The metric on density matrices is the trace norm L unless otherwise specified. The probability measure ξ, which is a distribution mapped by g from the m-dimensional Gaussian measure N_m on Z, is only supported on S over density matrices capturing the natural image distribution. Any quantum classifier h then classifies the d^n × d^n density matrices in (X, L, ξ). Let us denote the intermediate stage – the set of images with n pixels (normalized vectors of length n) – as I; then the corresponding measure on I can be denoted as ξ ∘ g₂. The metric on I is, for instance, the ℓ norm. Diagrammatically, these mappings are

$$Z \xrightarrow{\;g_1\;} I \xrightarrow{\;g_2\;} S \subseteq X \xrightarrow{\;h\;} L.$$

It is noted that smoothness is a desirable property of generative models. It hints at gradual transitions in the features of the generated samples, which imply that the generator has learned relevant factors of variation [57]. We are then justified in assuming that the real-data manifold on I can be covered by a smooth generator g₁ (see e.g., [25–29]).
In what follows, we show that the overall generator g, mapping from Z to the real-data manifold in the set of density matrices X, is also smooth.

Proposition 1.
Assuming that g₁ : Z → I is smooth with a modulus of continuity ω₁(·) and the qudit encoding scheme, Eq. (2), is applied, then the generator g = g₂ ∘ g₁ : Z → S ⊆ X is also smooth and admits a modulus of continuity ω(·) that is lower bounded as

$$\omega(\tau) \ge \sqrt{\ - \cos^{\,n(d-\,)}\!\left(\frac{\pi\,\omega_1(\tau)}{\,n}\right)}, \quad \forall\, \tau \ge\ .$$

The proof can be found in Appendix F. In terms of the scaling with respect to n and d, when ω₁(·) scales as Ω(1), for instance when g₁ is Lipschitz continuous (e.g., the generator in [58, 59]), the modulus of continuity of the overall generator g, ω(·), scales as Ω(√(d/n)). It is desirable to enforce Lipschitz continuity on some generators, for example when imposing spectral normalization [60] on the generator of a GAN to improve training [59].

A distinction can be made concerning whether the adversarial example σ must also be in the subset S. If so, the adversarial attack is called in-distribution, since the attacker only looks for an adversarial example within the data manifold S. Otherwise, we call it an unconstrained adversarial attack, since the perturbation is arbitrary in X, i.e., it is not confined to the data manifold. We state the precise definitions, based on the prediction-change adversarial risks in Definition 2, as follows.

Definition 3.
An in-distribution adversarial attack, or a data-manifold attack, attempts to find the perturbation

$$\varepsilon_{\mathrm{in}}(\rho) = \min_{r \in Z}\big\{\|g(z + r) - \rho\| \;\big|\; h(g(z + r)) \neq h(\rho)\big\} = \min_{\sigma \in S}\big\{\|\sigma - \rho\| \;\big|\; h(\sigma) \neq h(\rho)\big\},$$

which is within the data manifold (S, L, ξ). It induces an in-distribution adversarial risk,

$$R^{\mathrm{PC}}_{\varepsilon_{\mathrm{in}}}(h, \xi) = \Pr_{\rho \leftarrow \xi}\big[\varepsilon_{\mathrm{in}}(\rho) \le \varepsilon_{\mathrm{in}}\big].$$

Definition 4.
An unconstrained adversarial attack at-tempts to find ε unc ( ρ ) = min σ ∈X {(cid:107) σ − ρ (cid:107) | h ( σ ) (cid:54) = h ( ρ ) } , which is in ( X , L ) not restricted to the data manifold S .It induces an unconstrained adversarial risk, R P C(cid:15) unc ( h, ξ ) ≡ R P C(cid:15) ( h, ξ ) = Pr ρ ← ξ [ ε unc ( ρ ) ≤ (cid:15) ] . It is noted that when the generator is surjective on X , i.e., S = X , there is no distinction between the twotypes of attacks.The set-ups in Theorem 1 and Eq. (4)consider classifying on the subset of all pure-state den-sity matrices in X on which a Haar-random distribution ν is supported. Since this requires both the original andperturbed states be pure, the adversarial risks are consid-ered in-distribution, although we shall see in Section IV Bthat the same upper bound applies to the unconstrainedrobustness for a general quantum classifier. In-distribution Adversarial Robustness
The following theorem, which depends on the distribution to be classified as well as on the specific classical-data generator g through ω(·), then applies.

Theorem 2. Let h : X → L be any quantum classifier on the set of density matrices. Considering in-distribution adversarial attacks on the image of g, if ξ(h_l) ≤ 1/2, ∀ l, i.e., the classes are not too unbalanced, then for the prediction-change risk R^{PC}_{ε_in}(h, ξ) ≤ 1 − γ, the distance ε_in between two density matrices must satisfy

$$\varepsilon_{\mathrm{in}} \;\le\; \omega\!\left(\sqrt{\ln\!\left(\frac{\pi}{2\gamma}\right)}\right), \qquad (7)$$

with the modulus of continuity ω(·) in Proposition 1.

The proof can be found in Appendix G. This result is independent of the quantum data encoding scheme. It can be generalized to quantum classifiers with arbitrary decision boundaries, but in this case the necessary upper bound on the in-distribution robustness will not have a closed form (see Appendix G). This upper bound is saturated when Eq. (6) is an equality and the quantum classifier induces linearly separable regions in the latent space, namely when h ∘ g is a linear function on Z, giving rise to the maximally robust quantum classifier. The non-saturation of this upper bound when the class regions are not linearly separable in Z can be seen in the example of the standard Gaussian in Section II D above. Suppose one looks at Σ′ = (−∞, −δ) ∪ (0, δ) for some δ > 0, which has the same probability measure 1/2 as Σ = (−∞, 0) but is not linearly separable in ℝ. The measure outside the δ-expansion of Σ′, i.e., ℝ \ Σ′_δ = (3δ, +∞), is smaller than that outside the δ-expansion of Σ, namely ℝ \ Σ_δ = (δ, +∞), implying more concentration outside and near Σ′ than near Σ.

The non-saturation of this upper bound for classification regions that are not linearly separable in Z also implies that the classifier is prone to misclassification as the number of equiprobable classes increases. The proof for cases with at least 5 equiprobable classes can be found in Appendix G.
Informally, more equiprobable classes lead to more boundaries that border distinct classes and enclose classes of sufficiently large total measure. Within a fixed distance beyond more of those boundaries, there are then more samples subject to some prediction change.

We note that this upper bound is usually not saturated in practice, since a quantum classifier is usually linear, such as a parametrized quantum circuit or a unitary tensor network, while the generator g is usually non-linear, given that the classical generator g is usually non-linear and the quantum feature map g is non-linear. Classically, some highly non-linear state-of-the-art neural networks have robustness one or two orders of magnitude smaller in the ℓ_2 norm on some data sets than the corresponding upper bound derived with similar arguments [15]. It would be interesting to examine the amount of deviation from the upper bound for QML models in future work.

Theorem 2 shows that, when the quantum states to be classified encode classical data generated with a modulus of continuity that scales as Ω(1), the potential in-distribution robustness of any quantum classifier decreases polynomially in the number of qudits and increases polynomially in the qudit dimension. To be specific, as suggested in Proposition 1, when the classical generator's modulus of continuity is Ω(1), as for generators enforcing Lipschitz continuity, the overall ω(·) is lower bounded by a function that scales as Ω(√(d/n)). As such, the potential vulnerability increases slightly with a larger number of qudits n and, by contrast, decreases slightly with qudits of higher dimension d ≥ 2. When the encoded classical data manifold comes from generators for which Lipschitz continuity is not enforced, a numerical approximation of the modulus of continuity ω(·) is required to determine its scaling in the output space before the potential robustness scaling can be obtained. Compared to Theorem 1, where the samples are Haar-random pure states, the states to be classified here, which characterise the adversarial risk, are similar to those considered in practical tasks. Specifically, they are a subset of encoded states with a distribution smoothly generated from a Gaussian latent space. Theorem 2 demonstrates that, contrary to previous claims [16], there is no guarantee that quantum classifiers are exponentially more vulnerable to in-distribution attacks in a higher-dimensional Hilbert space. Moving forward, we shall see that the theorem applies to unconstrained attacks as well.

Unconstrained Adversarial Robustness
TABLE I. The potential adversarial robustness of any quantum classifier classifying encoded pure states in Eq. (2), when the prediction-change adversarial risks over the Haar-random distribution ν and over a smoothly generated distribution ξ are upper bounded by 1 − γ. Define λ = [ln(2√ /η)]^{/} + [ln(2√ /γ)]^{/} and λ = √(ln(π/(2γ))). Recall that d denotes the qudit dimension as in Eq. (2) and n denotes the number of encoded qudits or the length of the encoding vectors. In the top row, we report the potential robustness when a state ρ sampled from the Haar-random distribution ν is perturbed to a σ in the trace norm, and its translation to the robustness measured in the set of vectors in the ℓ_2 norm (from Theorem 1). Both upper bounds decrease exponentially in n. In the bottom row, we report the potential robustness when a ρ sampled from a distribution ξ smoothly generated from a Gaussian latent space is perturbed to a σ, and the potential robustness when the intermediately generated vector u is perturbed to v (from Proposition 1 and Theorem 2). When the potential robustness in adversarially perturbing a vector scales as Ω(1), that in perturbing an encoded pure state scales as Ω(√(d/n)).

    risk ≤ 1 − γ          ‖ρ − σ‖_1 ≤                                              ‖u − v‖_2 ≤
    R^{PC}_ε(h, ν)        4 d^{−n} λ = Ω(d^{−n})                                    (n/π) cos^{−1}[( − d^{−n} λ)^{d^{−n}}] = Ω(d^{−n} √n)
    R^{PC}_ε(h, ξ)        ω(λ) ≥ √( − cos^{n(d−)}(π n ω(λ)) ) = Ω(√(d/n))           ω(λ) = Ω(1)

Unconstrained adversarial attacks are arbitrary perturbations in X to a sample ρ. In the broader context in which the instability of the quantum classifier is of concern, such perturbations may also arise from density matrices subject to decoherence in a classification task. It is clear that ε_unc(ρ) ≤ ε_in(ρ), ∀ ρ ∈ X, and thus, by changing the in-distribution perturbations in Theorem 2 to unconstrained ones, the same bound in Eq. (7) applies.

We argue that there does not exist a tighter upper bound on the unconstrained robustness that holds for general quantum classifiers. Consider a particular family of quantum classifiers that project any state onto the data manifold, namely map any state to its closest in-distribution state, before classifying. These classifiers can be shown to satisfy (1/2) ε_in(ρ) ≤ ε_unc(ρ) ≤ ε_in(ρ), ∀ ρ ∈ X [61]. Even in the worst case where ε_unc(ρ) = (1/2) ε_in(ρ), ∀ ρ ∈ X, their unconstrained robustness is as large as half of the in-distribution one. We stress that, although robust, such a quantum classifier is inefficient in our setting, since there is no apparent tractable way to obtain the closest pure product state to an arbitrary state.

Inspired by this strategy, we propose that one can construct a family of efficient quantum classifiers h̃ on n-qubit density matrices X with unconstrained robustness ε_unc(ρ) lower bounded for any ρ ∈ X. To be specific, we construct h̃ from any h with the following procedure. Let the original sample ρ ∈ S be a pure product-state density matrix with n qudits as in Eq. (1). A perturbation ε_unc ≡ ε leads to a sample σ ∈ X. First, we perform single-qubit tomography on every qubit of σ to reconstruct a product-state density matrix from these single qubits. We denote this mapping as

$$P : X \to X,\qquad \sigma \mapsto \bigotimes_{i=1}^{n} \operatorname{tr}_{\{j \ne i\}}(\sigma).$$

Subsequently, we numerically fit the pixel values {s_i} to P(σ) to find its closest density matrix σ̃ within our data manifold S. We use the symbol σ̃ to represent the density matrix attained from this procedure. σ̃ then replaces σ when fed to the quantum classifier h. We have the following theorem.
Theorem 3. For every n-qubit ρ ∈ S ⊆ X, let ρ̃ be the density matrix within the data manifold attained from the above procedure. For any quantum classifier h, let h̃ : X → L be such that h̃(ρ) = h(ρ̃); then

$$-\Big(\;-\;\varepsilon_{\mathrm{in}}(\rho)\Big)^{n_e} \;\le\; \varepsilon_{\mathrm{unc}}(\rho) \;\le\; \varepsilon_{\mathrm{in}}(\rho),$$

where n_e = n for even n and n_e = n + 1 for odd n.

The proof can be found in Appendix H. We note that the procedure and the theorem are general and independent of the quantum data encoding scheme. This procedure yields an explicit lower bound on the unconstrained adversarial perturbation whenever it is possible to estimate the in-distribution adversarial perturbation by, for example, sampling in the latent space [62] or gradient-descent search in the latent space [55] before mapping to the density matrices. This h̃ constructed from h amounts to a feasible tomographic preprocessing of input states. It guarantees that the unconstrained robustness of each sample ρ is bounded from below and may be used as a defense strategy against unconstrained adversarial attacks in practice. However, we note that when n is large, this lower bound can be several orders of magnitude smaller than the upper bound.

V. DISCUSSION
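As an added illustration of the tomographic preprocessing behind h̃ (example code written for this page, not the authors' implementation), the following NumPy snippet builds the map P : σ ↦ ⊗_i tr_{j≠i}(σ) for n = 3 qubits and fits pixel values to the product it returns. It assumes the d = 2 feature map |φ(s)⟩ = cos(πs/2)|0⟩ + sin(πs/2)|1⟩, which reproduces the d = 2 fidelity Π_i cos²(|s_i − t_i|π/2) of Appendix E (Eq. (2) itself is not reproduced here), and it fits each qubit by maximizing the overlap ⟨φ(s)|r|φ(s)⟩, one concrete choice of "closest" that the text leaves open.

```python
import numpy as np

# Added example, not from the paper. Assumed qubit feature map (Eq. (2) is not
# reproduced here): a pixel s in [0, 1] is encoded as
#   |phi(s)> = cos(pi s / 2)|0> + sin(pi s / 2)|1>,
# so that <phi(s)|phi(t)> = cos(pi (s - t) / 2).


def encode_pixel(s):
    """Single-qubit pure state for pixel value s (assumed feature map)."""
    return np.array([np.cos(np.pi * s / 2), np.sin(np.pi * s / 2)], dtype=complex)


def product_state(pixels):
    """Pure product-state density matrix |phi(s)><phi(s)| of a pixel vector s."""
    psi = np.array([1.0 + 0j])
    for s in pixels:
        psi = np.kron(psi, encode_pixel(s))
    return np.outer(psi, psi.conj())


def reduced_qubit(sigma, i, n):
    """tr_{j != i}(sigma): the state that single-qubit tomography on qubit i returns."""
    t = sigma.reshape([2] * (2 * n))
    t = np.moveaxis(t, [i, n + i], [0, 1])  # row and column axes of qubit i to the front
    rest = 2 ** (n - 1)
    return np.einsum("abcc->ab", t.reshape(2, 2, rest, rest))  # trace out the other qubits


def tomographic_product(sigma, n):
    """P(sigma) = tensor_i tr_{j != i}(sigma), the product of the n reduced states."""
    out = np.array([[1.0 + 0j]])
    for i in range(n):
        out = np.kron(out, reduced_qubit(sigma, i, n))
    return out


def fit_pixel(r):
    """Pixel s in [0, 1] whose encoded state has maximal overlap with the 2x2 state r.

    <phi(s)|r|phi(s)> = (r00 + r11)/2 + a cos(pi s) + b sin(pi s) with a = (r00 - r11)/2
    and b = Re r01, so the maximum over pi s in [0, pi] is at atan2(b, a) when that angle
    lies in the interval and at an endpoint otherwise.
    """
    a = (r[0, 0].real - r[1, 1].real) / 2
    b = r[0, 1].real
    candidates = [0.0, np.pi, float(np.clip(np.arctan2(b, a), 0.0, np.pi))]
    best = max(candidates, key=lambda ang: a * np.cos(ang) + b * np.sin(ang))
    return best / np.pi


def project_to_manifold(sigma, n):
    """The preprocessing of Theorem 3: tomography on each qubit, then the fit to S.

    Returns the fitted pixel vector s~ and sigma~ = |phi(s~)><phi(s~)| in S.
    """
    p = tomographic_product(sigma, n)
    fitted = [fit_pixel(reduced_qubit(p, i, n)) for i in range(n)]
    return fitted, product_state(fitted)


def trace_norm(a):
    """||a||_1 for a Hermitian matrix: the sum of its absolute eigenvalues."""
    return float(np.sum(np.abs(np.linalg.eigvalsh(a))))


def demo():
    """Constructed sample: rho in S, an unconstrained sigma outside S, and its projection."""
    n = 3
    pixels = [0.2, 0.5, 0.9]  # constructed original sample rho in S
    other = [0.9, 0.1, 0.3]   # constructed state mixed in as the perturbation
    rho = product_state(pixels)
    sigma = 0.8 * rho + 0.2 * product_state(other)  # mixed, hence not in S
    fitted, sigma_tilde = project_to_manifold(sigma, n)
    return {
        "fitted": fitted,                              # each within 0.1 of the original pixel
        "dist_unc": trace_norm(rho - sigma),           # ||rho - sigma||_1
        "dist_proj": trace_norm(rho - sigma_tilde),    # ||rho - sigma~||_1
        "purity": float(np.trace(sigma_tilde @ sigma_tilde).real),  # 1: sigma~ is pure
    }


if __name__ == "__main__":
    print(demo())
```

On an unperturbed sample the fit recovers the pixel vector exactly, and applying the projection to σ̃ returns the same pixels again, so the preprocessing acts as an identity on S.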
A summary of the upper bounds on the perturbation size that are necessary for the different adversarial risks to be bounded is presented in Table I. We showed the prediction-change adversarial robustness on Haar-random pure states based on the concentration of measure phenomenon, and compared this with the previously demonstrated error-region robustness in [16]. However, we note that the guaranteed vulnerabilities in both cases, which are due to the exponential size of the Hilbert space in the number of qudits, are not of practical interest. Rather, in the desirable situation where the generative model is smooth with some modulus of continuity (see Eq. (6)), the same phenomenon is used to derive the robustness of any quantum classifier that classifies a subset of encoded states with a commonly used qubit encoding scheme. As such, the results present practical perspectives on the potential robustness of general quantum classifiers. In particular, they argue for only mildly polynomially decreasing robustness in the number of such encoded qubits, specifically as O(√(1/n)) in the trace norm. We also propose a feasible modification of any quantum classifier, performing single-qubit tomography before numerically fitting the closest encoded qubit state, to obtain a lower bound on the unconstrained robustness and to defend against unconstrained adversarial attacks.

We note that the polynomially decreasing robustness in n is contributed by the qudit encoding scheme. The concentration of measure due to the Gaussian isoperimetric inequality for the latent space only contributes to the argument of Eq. (7). It will be interesting to examine whether a different encoding scheme can give better scaling in the robustness, and whether quantum data that naturally comes from a distribution other than the Haar-random distribution is robust to attacks. In Appendix B, we propose a method to perform white-box adversarial attacks on classically intractable input states and QML models. It will be interesting to further explore white-box attacks assuming the adversary is capable of devising these. In practice, with current NISQ-era hardware, it will be interesting to examine how robust QML models are against adversarial attacks under noise and decoherence.

ACKNOWLEDGEMENT
H. L. was supported by the National Aeronautics and Space Administration under Grant/Contract/Agreement No. 80NSSC19K1123 issued through the Aeronautics Research Mission Directorate. I. C. was supported by the US Department of Energy, Office of Science, Office of Advanced Scientific Computing Research, Quantum Algorithm Teams Program, under contract number DE-AC02-05CH11231. W. H. was supported by a grant from the Siemens Corporation.

∗ E-mail: [email protected]

[1] Jacob Biamonte, Peter Wittek, Nicola Pancotti, Patrick Rebentrost, Nathan Wiebe, and Seth Lloyd, "Quantum machine learning," Nature, 195–202 (2017).
[2] John Preskill, "Quantum Computing in the NISQ Era and Beyond," Quantum, 79 (2018).
[3] Yi Xia, Wei Li, Quntao Zhuang, and Zheshen Zhang, "Quantum-enhanced Data Classification with a Variational Entangled Sensor Network," arXiv:2006.11962 (2020).
[4] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus, "Intriguing Properties of Neural Networks," in ICLR (2014).
[5] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy, "Explaining and Harnessing Adversarial Examples," in ICLR (2015).
[6] Nilesh Dalvi, Pedro Domingos, Mausam, Sumit Sanghai, and Deepak Verma, "Adversarial Classification," in ACM (2004) p. 99.
[7] Anirban Chakraborty, Manaar Alam, Vishal Dey, Anupam Chattopadhyay, and Debdeep Mukhopadhyay, "Adversarial Attacks and Defences: A Survey," Procedia Computer Science (2018).
[8] Battista Biggio and Fabio Roli, "Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning," Pattern Recognition, 317–331 (2018).
[9] Ling Huang, Anthony D. Joseph, Blaine Nelson, Benjamin I. P. Rubinstein, and J. D. Tygar, "Adversarial Machine Learning," in ACM (2011) pp. 43–57.
[10] Alhussein Fawzi, Seyed-Mohsen Moosavi-Dezfooli, and Pascal Frossard, "Robustness of classifiers: from adversarial to random noise," in NIPS (2016) pp. 1632–1640.
[11] Saeed Mahloujifar, Dimitrios I. Diochnos, and Mohammad Mahmoody, "The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure," in AAAI, Vol. 33 (2019) pp. 4536–4543.
[12] Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S. Schoenholz, Maithra Raghu, Martin Wattenberg, Ian Goodfellow, and Google Brain, "The Relationship Between High-Dimensional Geometry and Adversarial Examples," arXiv:1801.02774v3 (2018).
[13] Dimitrios I. Diochnos, Saeed Mahloujifar, and Mohammad Mahmoody, "Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution," in NIPS (2018) pp. 10380–10389.
[14] Alhussein Fawzi, Omar Fawzi, and Pascal Frossard, "Analysis of Classifiers' Robustness to Adversarial Perturbations," Machine Learning, 481–508 (2018).
[15] Alhussein Fawzi, Hamza Fawzi, and Omar Fawzi, "Adversarial Vulnerability for Any Classifier," in NIPS (2018) pp. 1186–1195.
[16] Nana Liu and Peter Wittek, "Vulnerability of Quantum Classification to Adversarial Perturbations," Physical Review A (2020).
[17] Sirui Lu, Lu-Ming Duan, and Dong-Ling Deng, "Quantum Adversarial Machine Learning," Physical Review Research (2020).
[18] Yuxuan Du, Min-Hsiu Hsieh, Tongliang Liu, Dacheng Tao, and Nana Liu, "Quantum Noise Protects Quantum Classifiers Against Adversaries," arXiv:2003.09416 (2020).
[19] Michel Ledoux, The Concentration of Measure Phenomenon, Mathematical Surveys and Monographs, Vol. 89 (American Mathematical Society, 2001).
[20] Vitali D. Milman and Gideon Schechtman, Asymptotic Theory of Finite Dimensional Normed Spaces: Isoperimetric Inequalities in Riemannian Manifolds, Lecture Notes in Mathematics (Springer, 2002).
[21] Jarrod R. McClean, Sergio Boixo, Vadim N. Smelyanskiy, Ryan Babbush, and Hartmut Neven, "Barren Plateaus in Quantum Neural Network Training Landscapes," Nature Communications (2018).
[22] Sandu Popescu, Anthony J. Short, and Andreas Winter, "Entanglement and the Foundations of Statistical Mechanics," Nature Physics, 754–758 (2006).
[23] Markus P. Müller, David Gross, and Jens Eisert, "Concentration of Measure for Quantum States with a Fixed Expectation Value," Communications in Mathematical Physics, 785–824 (2011).
[24] Danilo Jimenez Rezende and Shakir Mohamed, "Variational Inference with Normalizing Flows," in PMLR, Vol. 37 (2015) pp. 1530–1538.
[25] Diederik P. Kingma and Max Welling, "Auto-Encoding Variational Bayes," in ICLR (2014).
[26] Laurent Dinh, Jascha Sohl-Dickstein, and Samy Bengio, "Density Estimation Using Real NVP," in ICLR (2017).
[27] Ian J. Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio, "Generative Adversarial Nets," in NIPS (2014) pp. 2672–2680.
[28] Piotr Bojanowski, Armand Joulin, David Lopez-Paz, and Arthur Szlam, "Optimizing the Latent Space of Generative Networks," in PMLR, Vol. 80 (2018) pp. 600–609.
[29] Martin Arjovsky, Soumith Chintala, and Leon Bottou, "Wasserstein Generative Adversarial Networks," in PMLR, Vol. 70 (2017) pp. 214–223.
[30] Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio, "Adversarial Machine Learning at Scale," in ICLR (2017).
[31] Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio, "Adversarial Examples in the Physical World," in ICLR (2019).
[32] Sébastien Bubeck, Eric Price, and Ilya Razenshteyn, "Adversarial Examples from Computational Constraints," in PMLR, Vol. 97 (2019) pp. 831–840.
[33] Zachary Charles, Harrison Rosenberg, and Dimitris Papailiopoulos, "A Geometric Perspective on the Transferability of Adversarial Directions," in PMLR, Vol. 89 (2018) pp. 1960–1968.
[34] Logan Engstrom, Justin Gilmer, Gabriel Goh, Dan Hendrycks, Andrew Ilyas, Aleksander Madry, Reiichiro Nakano, Preetum Nakkiran, Shibani Santurkar, Brandon Tran, Dimitris Tsipras, and Eric Wallace, "Adversarial Examples Are Not Bugs, They Are Features," in NIPS (2019) pp. 125–136.
[35] Jan Philip Göpfert, André Artelt, Heiko Wersing, and Barbara Hammer, "Adversarial Attacks Hidden in Plain Sight," Advances in Intelligent Data Analysis (2020).
[36] Informally, the total variation distance is the largest possible difference between the probabilities that the two distributions can assign to the same event.
[37] Michael A. Nielsen and Isaac L. Chuang, Quantum Computation and Quantum Information (Cambridge University Press, 2010).
[38] William Huggins, Piyush Patil, Bradley Mitchell, K. Birgitta Whaley, and E. Miles Stoudenmire, "Towards Quantum Machine Learning with Tensor Networks," Quantum Science and Technology, 24001 (2019).
[39] Marcello Benedetti, Erika Lloyd, Stefan Sack, and Mattia Fiorentini, "Parameterized Quantum Circuits as Machine Learning Models," Quantum Science and Technology, 043001 (2019).
[40] E. Miles Stoudenmire and David J. Schwab, "Supervised Learning with Quantum-Inspired Tensor Networks," in NIPS (2016) pp. 4799–4807.
[41] Edward Grant, Marcello Benedetti, Shuxiang Cao, Andrew Hallam, Joshua Lockhart, Vid Stojevic, Andrew G. Green, and Simone Severini, "Hierarchical Quantum Classifiers," Quantum Information, 65 (2018).
[42] Shuxiang Cao, Leonard Wossnig, Brian Vlastakis, Peter Leek, and Edward Grant, "Cost-function Embedding and Dataset Encoding for Machine Learning with Parameterized Quantum Circuits," Physical Review A, 052309 (2020).
[43] John Martyn, Guifre Vidal, Chase Roberts, and Stefan Leichenauer, "Entanglement and Tensor Networks for Supervised Image Classification," arXiv:2007.06082 (2020).
[44] Vittorio Giovannetti, Seth Lloyd, and Lorenzo Maccone, "Quantum Random Access Memory," Physical Review Letters, 160501 (2008).
[45] Ryan Larose and Brian Coyle, "Robust Data Encodings for Quantum Classifiers," Physical Review A, 032420 (2020).
[46] Borel sets are sets that can be constructed from open or closed sets through countable union, countable intersection, and relative complement.
[47] Roman Vershynin, "Four lectures on probabilistic methods for data science," arXiv:1612.06661 (2017).
[48] Christer Borell, "The Brunn-Minkowski inequality in Gauss space," Inventiones Mathematicae, 207–216 (1975).
[49] M. Gromov and V. D. Milman, "A Topological Application of the Isoperimetric Inequality," American Journal of Mathematics, 843–854 (1983).
[50] Thierry Giordano and Vladimir Pestov, "Some Extremely Amenable Groups Related to Operator Algebras and Ergodic Theory," Journal of the Institute of Mathematics of Jussieu (2007).
[51] The precise definition of a nice classification problem can be found in Definition 2.3 in [11].
[52] A concise proof of Eq. (4) can be found in Appendix C.
[53] Gamaleldin F. Elsayed, Nicolas Papernot, Shreya Shankar, Alexey Kurakin, Brian Cheung, Ian Goodfellow, and Jascha Sohl-Dickstein, "Adversarial Examples That Fool Both Computer Vision and Time-limited Humans," in NIPS (2018) pp. 3910–3920.
[54] Robert Lockhart, "Low-rank Separable States Are A Set of Measure Zero Within the Set of Low-rank States," Physical Review A, 064304 (2002).
[55] Ajil Jalal, Andrew Ilyas, and Constantinos Daskalakis, "The Robust Manifold Defense: Adversarial Training using Generative Models," arXiv:1712.09196v5 (2019).
[56] Mahyar Khayatkhoei, Maneesh K. Singh, and Ahmed Elgammal, "Disconnected Manifold Learning for Generative Adversarial Networks," in NIPS (2018) pp. 7343–7353.
[57] Alec Radford, Luke Metz, and Soumith Chintala, "Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks," in ICLR (2016).
[58] Jens Behrmann, Will Grathwohl, Ricky T. Q. Chen, David Duvenaud, and Jörn-Henrik Jacobsen, "Invertible Residual Networks," in PMLR, Vol. 97 (2019) pp. 573–582.
[59] Han Zhang, Ian Goodfellow, Dimitris Metaxas, and Augustus Odena, "Self-Attention Generative Adversarial Networks," in PMLR, Vol. 97 (2019) pp. 7354–7363.
[60] Takeru Miyato, Toshiki Kataoka, Masanori Koyama, and Yuichi Yoshida, "Spectral Normalization for Generative Adversarial Networks," in ICLR (2018).
[61] It is proven in Theorem 2 in [15].
[62] Zhengli Zhao, Dheeru Dua, and Sameer Singh, "Generating Natural Adversarial Examples," in ICLR (2018).
[63] Patrick J. Coles, M. Cerezo, and Lukasz Cincio, "Strong bound between trace distance and Hilbert-Schmidt distance for low-rank states," Physical Review A, 022103 (2019).
[64] D. Spehner, F. Illuminati, M. Orszag, and W. Roga, "Geometric Measures of Quantum Correlations with Bures and Hellinger Distances," Lectures on General Quantum Correlations and their Applications (2017).
[65] Alexander S. Holevo, "On Quasiequivalence of Locally Normal States," Theoretical and Mathematical Physics, 1071–1082 (1972).
[66] Roman Orus and Rolf Tarrach, "Weakly-entangled States are Dense and Robust," Physical Review A, 050101 (2004).

APPENDICES

Appendix A: Confidence Difference and Distance between States
We show that the predictive confidence difference in any QML protocol is upper bounded by the distance between the input density matrices up to some constant factor, measured in the trace norm L_1, the Hilbert-Schmidt norm L_2, the Bures distance, and the Hellinger distance. Considering density matrices ρ and σ, the trace norm between them is defined to be ‖ρ − σ‖_1 = tr(|ρ − σ|). Consider a set of POVMs {Π_s} and a quantum channel E such that E(ρ) = Σ_i M_i ρ M_i† and Σ_i M_i† M_i = I. We have

$$\operatorname{tr}\big(\mathcal{E}(\rho)\Pi_s\big) - \operatorname{tr}\big(\mathcal{E}(\sigma)\Pi_s\big) = \operatorname{tr}\Big(\sum_i M_i(\rho-\sigma)M_i^\dagger\,\Pi_s\Big) = \operatorname{tr}\Big((\rho-\sigma)\sum_i M_i^\dagger\,\Pi_s\,M_i\Big) \equiv \operatorname{tr}\big((\rho-\sigma)\,\mathcal{E}^*(\Pi_s)\big).$$

We note that E* is the dual map of E and that {E*(Π_s)} is still a set of POVMs, since E*(Π_s) is Hermitian, non-negative because tr(ρ E*(Π_s)) = tr(E(ρ)Π_s) ≥ 0, and complete because Σ_{i,s} M_i† Π_s M_i = Σ_i M_i† M_i = I.

For each particular measurement, we can expand in its eigenbasis E*(Π_s) = Σ_k b_k |φ_k⟩⟨φ_k| ≡ Σ_k b_k P_k. Let {|ψ_i⟩} and {λ_i} be the eigenbasis and eigenvalues of (ρ − σ), so ‖ρ − σ‖_1 = Σ_i |λ_i| ∈ [0, 2]. We then expand E*(Π_s) = Σ_{i,j,k} b_k a_{ik} |ψ_i⟩ a*_{jk} ⟨ψ_j| such that Σ_i |a_{ik}|² = 1, ∀ k, and Σ_k b_k = tr(E*(Π_s)) ≥ 0 due to the non-negativity. We have

$$\begin{aligned}
\operatorname{tr}\big((\rho-\sigma)\,\mathcal{E}^*(\Pi_s)\big) &= \operatorname{tr}\Big((\rho-\sigma)\sum_{i,j,k} b_k\, a_{ik}|\psi_i\rangle\, a^*_{jk}\langle\psi_j|\Big) \\
&= \sum_k b_k \operatorname{tr}\Big(\sum_{i,j} a_{ik}\,a^*_{jk}\,\langle\psi_j|(\rho-\sigma)|\psi_i\rangle\Big) \\
&= \sum_{i,k} b_k\,|a_{ik}|^2\,\lambda_i \;\le\; \sum_k b_k\,\|\rho-\sigma\|_1 = \operatorname{tr}\big(\mathcal{E}^*(\Pi_s)\big)\,\|\rho-\sigma\|_1. \qquad (A1)
\end{aligned}$$

Therefore, for the trace norm,

$$\big|\operatorname{tr}(\mathcal{E}(\rho)\Pi_s) - \operatorname{tr}(\mathcal{E}(\sigma)\Pi_s)\big| \;\le\; \operatorname{tr}\big(\mathcal{E}^*(\Pi_s)\big)\,\|\rho-\sigma\|_1.$$

When tr(E*(Π_s)) is small, the above inequality shows that the confidence change is small whenever the trace norm between the two density matrices is small. However, tr(E*(Π_s)) can be very large in high dimensions, and in that case the upper bound becomes very weak. We resort to the physical interpretation of the trace distance as a generalization of the classical total variation distance. The trace distance between two quantum states is an achievable upper bound on the total variation distance between the probability distributions arising from measurements performed on those states [37]:

$$\tfrac{1}{2}\|\rho-\sigma\|_1 = \max_{\{\Pi_s\}} \tfrac{1}{2}\sum_s \big|\operatorname{tr}[(\rho-\sigma)\Pi_s]\big|,$$

where the maximization is over all POVMs {Π_s}. Using the contractivity of the trace norm under any CPTP map, we conclude that the trace norm upper bounds the sum of the confidence changes over all POVM elements,

$$\sum_s \big|\operatorname{tr}\big(\mathcal{E}(\rho-\sigma)\Pi_s\big)\big| \;\le\; \|\mathcal{E}(\rho)-\mathcal{E}(\sigma)\|_1 \;\le\; \|\rho-\sigma\|_1. \qquad (A2)$$

As for the Hilbert-Schmidt norm, defined as ‖ρ − σ‖_2² = tr[(ρ − σ)²], if we regard ‖ρ − σ‖_1 as the inner product of the two vectors (1, 1, ···, 1) and (|λ_0|, |λ_1|, ···, |λ_{N−1}|), then from the Cauchy–Schwarz inequality we find ‖ρ − σ‖_1 ≤ √N ‖ρ − σ‖_2. But this bound is very weak in a high-dimensional Hilbert space. A better upper bound is given in [63], ‖ρ − σ‖_1 ≤ √R ‖ρ − σ‖_2, where R = rank(ρ) rank(σ) / [rank(ρ) + rank(σ)]. This implies that, even when one state is full rank, if the other state is low rank then the Hilbert-Schmidt norm is of the same order of magnitude as the trace norm. This is the case when we consider any perturbation to an encoded pure-state density matrix ρ, whose rank is 1. Combined with Eq. (A2), we arrive at a similar upper bound,

$$\sum_s \big|\operatorname{tr}(\mathcal{E}(\rho)\Pi_s) - \operatorname{tr}(\mathcal{E}(\sigma)\Pi_s)\big| \;\le\; \sqrt{R}\,\|\rho-\sigma\|_2.$$

As for the Bures distance, defined as ‖ρ − σ‖_B = 2(1 − √F(ρ, σ)), it is an extension to mixed states of the Fubini–Study distance for pure states [64]. We have

$$\|\rho-\sigma\|_1 \;\le\; \sqrt{4 - \big(2 - \|\rho-\sigma\|_B\big)^2} \;=\; 2\sqrt{\|\rho-\sigma\|_B - \tfrac{1}{4}\|\rho-\sigma\|_B^2} \;\le\; 2\sqrt{\|\rho-\sigma\|_B},$$

where the first inequality is proven in [64, 65] and is saturated for pure states. Therefore, together with Eq. (A2), we conclude that

$$\sum_s \big|\operatorname{tr}(\mathcal{E}(\rho)\Pi_s) - \operatorname{tr}(\mathcal{E}(\sigma)\Pi_s)\big| \;\le\; 2\sqrt{\|\rho-\sigma\|_B}. \qquad (A3)$$

As for the Hellinger distance, defined as ‖ρ − σ‖_H = 2 − 2 tr(√ρ √σ), it is shown in [64] that ‖ρ − σ‖_B ≤ ‖ρ − σ‖_H, and thus the same upper bound applies after replacing ‖ρ − σ‖_B by ‖ρ − σ‖_H in Eq. (A3).

In QML, if ρ and σ are close in these norms and lie across a class boundary, say between class l = s and class l = t, then tr(E(ρ)Π_s) > tr(E(σ)Π_s) while tr(E(ρ)Π_t) < tr(E(σ)Π_t). This suggests that no small perturbation of the density matrices in these norms can significantly change the measurement outcome and thus alter the prediction, unless the original sample is near the boundary. In other words, viewing tr(E(ρ)Π_s) as the confidence of predicting l = s, it implies that no small perturbation can turn a high-confidence sample in one class into a low-confidence sample in the same class, or into a high-confidence sample in a different class.

Appendix B: Adversarial Attacks Exploiting Quantum Classifier Reversibility
We propose a method to perform adversarial attacks in our first set-up in Section II B on quantized data. This method can be carried out on quantum hardware when the computation is classically intractable. We assume a noiseless QML model for this analysis, so the quantum channel is unitary. Considering, for example, the unitary tree tensor network (TTN) in [38] among other types of parametrized unitary quantum circuits, the adversary can run it in reverse, starting from a density matrix with any designated wrong class label l = t such that tr(σ′Π_t) = 1 while tr(σ′Π_{l≠t}) = 0. Any qubit that is traced out in the forward direction is initialized to an arbitrary state and passes through the network in the reverse direction. The output of the reversed circuit is a set of density matrices {U†σ′U} ≡ {σ} such that tr(UσU†Π_t) = 1 whereas tr(UσU†Π_{l≠t}) = 0. Thus, this set of density matrices will be classified into the wrong class by the POVM element Π_t with high confidence. Suppose that the original samples are {ρ} in the class s ≠ t and tr(UρU†Π_s) = 1/2 + δ with some δ ∈ (0, 1/2]. The adversary then replaces an ε-portion of the transmitted quantum states {ρ} with the {σ} to attack the receiver. To achieve a prediction change, the adversary needs tr(U[(1 − ε)ρ + εσ]U†Π_s) < 1/2. This requires

$$\epsilon \;>\; 1 - \frac{1}{1+2\delta}, \qquad (B1)$$

which means that the portion of {ρ} to be substituted with {σ} increases with the confidence of {ρ}. We note that this effectively creates a perturbation of size

$$\begin{aligned}
\big\|\rho - [(1-\epsilon)\rho + \epsilon\sigma]\big\|_1 &\ge \epsilon\sum_l \big|\operatorname{tr}\big(U(\rho-\sigma)U^\dagger\Pi_l\big)\big| \\
&= \epsilon\Big[\sum_{l\ne t}\operatorname{tr}\big(U\rho U^\dagger\Pi_l\big) + \big(1 - \operatorname{tr}(U\rho U^\dagger\Pi_t)\big)\Big] \\
&= \epsilon\big[2 - 2\operatorname{tr}(U\rho U^\dagger\Pi_t)\big] \;\ge\; \epsilon(1+2\delta),
\end{aligned}$$

where the first inequality follows from Eq. (A2). As a result, a misclassification by this attack demands a perturbation of size ‖ρ − [(1 − ε)ρ + εσ]‖_1 ≥ 2δ, where we substituted Eq. (B1).

Appendix C: Proof of Eq. (4)
We present a condensed proof based on the proof of Theorem 3.7 in [11]. Let ε > √( /(N k) · ln(k/µ(M))) and ε > √( /(N k) · ln(k/γ)). Then the concentration function satisfies α(ε) < µ(M) and α(ε) < γ. As such, by directly applying Part 2 of Theorem 3.2 in [11], we conclude R^{ER}_ε(h, c, ν) > 1 − γ for ε = ε + ε. It can be shown that SU(N) is a (√ , / )-normal Lévy family, and so k = √ and k = 1/ [16]. The contrapositive statement on R^{ER}_ε(h, c, ν) ≤ 1 − γ then gives the necessary condition Eq. (4).

Appendix D: Proof of Theorem 1
Proof. We let ε > √( /(N k) · ln(2k/η)) and ε > √( /(N k) · ln(2k/γ)); then the concentration function satisfies α(ε) < η/2 and α(ε) < γ/2. Therefore, by applying Part 1 of Theorem A.2 in [11], we conclude that for ε = ε + ε, R^{PC}_ε(h, ν) > 1 − γ. For completeness, we present our explained version of the proof below.

Let ε = ε + ε. By the assumption that ν(h_l) ≤ 1 − η, ∀ l ∈ L, it can be easily verified by contradiction that ∃ l ∈ L s.t. ν(h_l) ∈ (η/2, 1/2]. Let h_{l,C} = X \ h_l. On one hand, we know that ν(h_l) > η/2 > α(ε), where the last inequality is given by our assumption. We prove by contradiction that ν(h_{l,ε}) > 1/2. Suppose not; then for S = X \ h_{l,ε}, ν(S) = 1 − ν(h_{l,ε}) ≥ 1/2. Then, by the definition of the concentration function in Eq. (3), ν(S_ε) ≥ 1 − α(ε). Combining this with ν(h_l) > α(ε), we have ν(S_ε) + ν(h_l) > 1. Thus, ∃ x ∈ S_ε ∩ h_l. This implies ∃ y ∈ S with d(y, x) ≤ ε. But this same y must also be in h_{l,ε}, since the same x is also in h_l. However, this raises a contradiction, since S and h_{l,ε} are disjoint by definition, i.e., ∄ y with y ∈ S and y ∈ h_{l,ε}. Now, ν(h_{l,ε}) > 1/2 means, by the definition of the concentration function in Eq. (3) together with the assumption that γ/2 > α(ε), that ν(h_{l,ε}) ≥ 1 − α(ε) > 1 − γ/2. On the other hand, knowing that ν(h_{l,C}) ≥ 1/2, we have that ν(h_{l,C,ε}) > 1 − γ/2, obtained by simply replacing the h_{l,ε} in the previous sentence with h_{l,C}, since both have measure at least 1/2. We then also have ν(h_{l,C,ε}) > 1 − γ/2.

Hence, using the inequality µ(∩_{i=1}^{n} A_i) ≥ Σ_{i=1}^{n} µ(A_i) − (n − 1), one can conclude that ν(h_{l,ε} ∩ h_{l,C,ε}) > 1 − γ, and so, by the definition of the prediction-change risk, R^{PC}_ε(h, ν) ≥ ν(h_{l,ε} ∩ h_{l,C,ε}) > 1 − γ. It can be shown that SU(N) is a (√ , / )-normal Lévy family, and so k = √ and k = 1/ [16]. The contrapositive statement on R^{PC}_ε(h, ν) ≤ 1 − γ then gives the necessary condition Eq. (5).

Appendix E: Proof of Corollary 1
Proof.
We have from Theorem 1 that the necessary condition for $R^{PC}_{\epsilon}(h, \nu) \le 1 - \gamma$ on $SU(N)$ is $\|U - V\| \le \sqrt{\frac{1}{N k_2}}\,\lambda$, where $\lambda = [\ln(2k_1/\eta)]^{1/2} + [\ln(2k_1/\gamma)]^{1/2}$ and $(k_1, k_2)$ are the Lévy constants of $SU(N)$ [16]. Let $\sigma = V|\vec{0}\rangle\langle\vec{0}|V^{\dagger} = |\psi\rangle\langle\psi|$, with $\rho = |\phi\rangle\langle\phi|$ the state prepared by $U$. From the proof of Theorem 3 in [16], we have $\|U - V\|^2 \ge 2N(1 - |\langle\phi|\psi\rangle|)$. The Fuchs–van de Graaf inequality for pure states is
\[
2\big(1 - \sqrt{F(\rho,\sigma)}\big) \le \|\rho - \sigma\|_1 = 2\sqrt{1 - F(\rho,\sigma)}, \qquad \text{(E1)}
\]
where the fidelity $F(\rho,\sigma) = |\langle\phi|\psi\rangle|^2$. Based on Eq. (E1), i.e. $T(\rho,\sigma)^2 = 1 - |\langle\phi|\psi\rangle|^2$ with $T(\rho,\sigma) = \|\rho - \sigma\|_1/2$ the trace distance, we obtain $2N(1 - |\langle\phi|\psi\rangle|) = 2N\,T(\rho,\sigma)^2/(1 + |\langle\phi|\psi\rangle|) \ge N\,T(\rho,\sigma)^2$. As such, we need
\[
\sqrt{\frac{1}{N k_2}}\,\lambda \;\ge\; \|U - V\| \;\ge\; \sqrt{N}\,T(\rho,\sigma) \;=\; \frac{\sqrt{N}}{2}\,\|\rho - \sigma\|_1,
\]
which, with the value of $k_2$ for $SU(N)$ from [16], gives $\|\rho - \sigma\|_1 \le \frac{4}{N}\lambda = 4d^{-n}\lambda$ for $N = d^n$.

We translate this upper bound on the distance between two density matrices into one between their encoding vectors $g(z)$ and $g(z')$. Altogether with the necessary condition and Eq. (E1), we have
\[
4d^{-n}\lambda \;\ge\; \|\rho - \sigma\|_1 \;\ge\; 2\big(1 - \sqrt{F(\rho,\sigma)}\big). \qquad \text{(E2)}
\]
For density matrices $\rho, \sigma \in X$ corresponding to two images, we have $\rho = |\phi\rangle\langle\phi| = \bigotimes_i|\phi_i\rangle\bigotimes_i\langle\phi_i| = \bigotimes_i|\phi_i\rangle\langle\phi_i| = \bigotimes_i\rho_i$ and $\sigma = \bigotimes_i|\psi_i\rangle\langle\psi_i| = \bigotimes_i\sigma_i$, which are mapped from the images $g(z) = \vec{s}$ and $g(z') = \vec{t}$, respectively. All $i$-indices run from $1$ to $n$, and $|\phi_i\rangle$ and $|\psi_i\rangle$ are featurized from pixels of value $s_i$ and $t_i$, respectively. It can be shown by induction that
\[
F(\rho,\sigma) = \prod_i \cos^{2(d-1)}\!\Big(\frac{|s_i - t_i|\,\pi}{2}\Big). \qquad \text{(E3)}
\]
For $d = 2$, we have $F(\rho,\sigma) = \mathrm{tr}\big(\bigotimes_i\rho_i\bigotimes_i\sigma_i\big) = \prod_i\mathrm{tr}(\rho_i\sigma_i) = \prod_i|\langle\phi_i|\psi_i\rangle|^2 = \prod_i\cos^2(|s_i - t_i|\pi/2)$.

It then suffices to show $\langle\phi_i|\psi_i\rangle = \cos^{d-1}(|s_i - t_i|\pi/2)$ for the qudit encoding with $d > 2$. We drop all $\pi/2$ factors and the subscripts $i$ in $s_i$ and $t_i$ hereafter. Suppose for $d = k$ we have
\[
\langle\phi_i|\psi_i\rangle = \sum_{j=1}^{k}\binom{k-1}{j-1}\cos^{k-j}(s)\cos^{k-j}(t)\sin^{j-1}(s)\sin^{j-1}(t) = \cos^{k-1}(s - t). \qquad \text{(E4)}
\]
Then for $d = k + 1$ we have
\begin{align*}
\langle\phi_i|\psi_i\rangle &= \sum_{j=1}^{k+1}\binom{k}{j-1}\cos^{k+1-j}(s)\cos^{k+1-j}(t)\sin^{j-1}(s)\sin^{j-1}(t) \\
&= \cos(s)\cos(t)\Big[\sum_{j=1}^{k}\beta\binom{k}{j-1}\cos^{k-j}(s)\cos^{k-j}(t)\sin^{j-1}(s)\sin^{j-1}(t)\Big] \\
&\quad + \sin(s)\sin(t)\Big[\sum_{j=2}^{k+1}(1-\beta)\binom{k}{j-1}\cos^{k+1-j}(s)\cos^{k+1-j}(t)\sin^{j-2}(s)\sin^{j-2}(t)\Big], \qquad \text{(E5)}
\end{align*}
where $\beta = (k + 1 - j)/k$, so that $\beta\binom{k}{j-1} = \binom{k-1}{j-1}$ and $(1-\beta)\binom{k}{j-1} = \binom{k-1}{j-2}$. Identifying the two expressions in the square brackets as both equal to Eq. (E4) (the second after shifting the summation index by one), we obtain the desired outcome $\langle\phi_i|\psi_i\rangle = [\cos(s)\cos(t) + \sin(s)\sin(t)]\cos^{k-1}(s - t) = \cos^{k}(s - t)$, and the induction completes.

Combining Eq. (E2) and Eq. (E3), we have
\[
2d^{-n}\lambda \;\ge\; 1 - \prod_i\cos^{d-1}\!\Big(\frac{|s_i - t_i|\,\pi}{2}\Big) \;\ge\; 1 - \cos^{(d-1)n}\!\Big(\frac{\sum_i|s_i - t_i|}{n}\,\frac{\pi}{2}\Big), \qquad \text{(E6)}
\]
where the last inequality follows from $\cos^{n}(\sum_i x_i/n) \ge \prod_i\cos(x_i)$ for $x_i \in [0, \pi/2]$, applied to $x_i = |s_i - t_i|\pi/2$ and raised to the power $d - 1$. It can be readily shown for $n \ge 2$ using the following trick. Consider any pair $x_i$ and $x_j$ and let $x_m$ be their arithmetic average, so $x_i = x_m + \delta$ and $x_j = x_m - \delta$ for some $\delta \ne 0$. Then $\cos(x_i)\cos(x_j) = \cos(x_m + \delta)\cos(x_m - \delta) = \cos^2(x_m) - \sin^2(\delta) \le \cos^2(x_m)$. Therefore one can increase the overall cosine product, while maintaining the sum of the arguments, by replacing any pair $\cos(x_i)\cos(x_j)$ with $\cos(x_m)\cos(x_m)$, and by successively replacing pairs until every factor converges to $\cos(\sum_i x_i/n)$ with the same argument. Solving for $\sum_i|s_i - t_i| = \|g(z) - g(z')\|_1$ in Eq. (E6) yields the upper bound on the perturbation size in $(I, \ell_1)$.

Appendix F: Proof of Proposition 1
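The overlap identity that the induction below establishes, the fidelity formula (E3), the cosine-product inequality used in (E6), and the pixel-space bound that Corollary 1 extracts from it can all be checked numerically. The following is an added example and not code from the paper. It assumes the qudit feature map whose amplitudes are the terms of the sum in (E4), i.e. the $j$-th amplitude for pixel value $s$ is $\sqrt{\binom{d-1}{j-1}}\cos^{d-j}(s\pi/2)\sin^{j-1}(s\pi/2)$; all function names are hypothetical, and the Lévy constant $k_1$ entering $\lambda$ is taken as an input rather than fixed to a value.

```python
"""Numerical checks for Appendix E (added example, not the paper's code).

Assumes the qudit feature map whose amplitudes are the terms of the sum in
(E4): a pixel value s in [0, 1] is mapped to the d-level state with j-th
amplitude sqrt(C(d-1, j-1)) cos^(d-j)(s pi/2) sin^(j-1)(s pi/2), j = 1..d.
All function names are hypothetical; the Levy constant k1 entering lambda is
taken as a parameter rather than fixed to a value.
"""
import math


def qudit_state(s, d):
    """Real amplitudes of the d-level feature state for pixel value s."""
    a = s * math.pi / 2
    return [math.sqrt(math.comb(d - 1, j - 1)) * math.cos(a) ** (d - j) * math.sin(a) ** (j - 1)
            for j in range(1, d + 1)]


def overlap(s, t, d):
    """<phi_i|psi_i> computed directly from the amplitudes."""
    return sum(x * y for x, y in zip(qudit_state(s, d), qudit_state(t, d)))


def overlap_closed_form(s, t, d):
    """The value proved by the induction in Appendix E: cos^(d-1)(|s-t| pi/2)."""
    return math.cos(abs(s - t) * math.pi / 2) ** (d - 1)


def fidelity(svec, tvec, d):
    """F(rho, sigma) = prod_i |<phi_i|psi_i>|^2 for the product encodings of two images."""
    f = 1.0
    for s, t in zip(svec, tvec):
        f *= overlap(s, t, d) ** 2
    return f


def cosine_product_gap(xs):
    """cos^n(mean(x)) - prod_i cos(x_i); non-negative for x_i in [0, pi/2] (used in (E6))."""
    n = len(xs)
    prod = 1.0
    for x in xs:
        prod *= math.cos(x)
    return math.cos(sum(xs) / n) ** n - prod


def lam(eta, gamma, k1):
    """lambda = [ln(2 k1/eta)]^(1/2) + [ln(2 k1/gamma)]^(1/2) of Corollary 1."""
    return math.sqrt(math.log(2 * k1 / eta)) + math.sqrt(math.log(2 * k1 / gamma))


def l1_perturbation_bound(n, d, lam_value):
    """Largest sum_i |s_i - t_i| = ||g(z) - g(z')||_1 allowed by the outer
    inequality of (E6), 2 d^-n lambda >= 1 - cos^((d-1) n)(pi l1 / (2 n)).
    If 2 d^-n lambda >= 1 the condition is vacuous, and the largest l1 distance
    between two images in [0, 1]^n, namely n, is returned."""
    base = 1.0 - 2.0 * lam_value / d ** n
    if base <= 0.0:
        return float(n)
    return min(float(n), (2.0 * n / math.pi) * math.acos(base ** (1.0 / ((d - 1) * n))))


if __name__ == "__main__":
    lv = lam(eta=0.1, gamma=0.1, k1=1.0)  # k1 = 1.0 is a placeholder value
    for n in (2, 4, 8, 16):
        print(n, l1_perturbation_bound(n, 2, lv))
```

Running the script prints how the admissible $\ell_1$ pixel perturbation shrinks with the number of qubits for a fixed $\lambda$; `l1_perturbation_bound` is exactly the inversion of the outer inequality of (E6), so feeding it back into `fidelity` for a pair of images at that distance reproduces the value $2d^{-n}\lambda$ on the left of (E6).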
Proof.
We decompose $g$ into $g_2 \circ g_1$, where $g_1: (Z, \ell_2) \to (I, \ell_1)$ is desired to be smooth in practice. The argument can be generalized to the $\ell_p$ norm on $I$, and a similar proof follows, since the $\ell_p$ norm of any given vector does not grow with $p$. We have $\|g_1(z) - g_1(z')\|_1 \le \omega_1(\|z - z'\|_2)$ for all $z, z' \in Z$. We show that it is also smooth for the qudit encoding $g_2: (I, \ell_1) \to (X, L_1)$ as in Eq. (2). Applying the qudit feature map, and similarly to Appendix E, it can be shown that
\[
\|\rho - \sigma\|_1 = 2\sqrt{1 - \prod_i\cos^{2(d-1)}\!\Big(\frac{|s_i - t_i|\,\pi}{2}\Big)}. \qquad \text{(F1)}
\]
Since $\omega(\cdot)$ is used in an upper bound in Theorem 2, we need to obtain the scaling of a lower bound on $\omega(\cdot)$. The $\omega(\cdot)$ that forms a tight upper bound in Eq. (6) must have $\omega(\|z - z'\|_2)$ upper bounding Eq. (F1) for arbitrary $z, z' \in Z$. Hence it is equivalent to find the scaling of a lower bound on Eq. (F1). That is, for all $z, z' \in Z$,
\begin{align*}
\omega(\|z - z'\|_2) &\ge 2\sqrt{1 - \prod_i\cos^{2(d-1)}\!\Big(\frac{|s_i - t_i|\,\pi}{2}\Big)} \;\ge\; 2\sqrt{1 - \cos^{2(d-1)n}\!\Big(\frac{\sum_i|s_i - t_i|}{n}\,\frac{\pi}{2}\Big)} \\
&= 2\sqrt{1 - \cos^{2(d-1)n}\!\Big(\frac{\pi}{2n}\,\|g_1(z) - g_1(z')\|_1\Big)},
\end{align*}
where the second inequality follows from $\cos^{n}(\sum_i x_i/n) \ge \prod_i\cos(x_i)$, proven for Eq. (E6). Since the above inequality holds for any $z, z'$ such that $\|z - z'\|_2 = \tau$ for any $\tau$, and since we assume the bound in Eq. (6) is tight, so that $\|g_1(z) - g_1(z')\|_1$ attains $\omega_1(\tau)$ for some pair at distance $\tau$, $g$ is smooth with
\[
\omega(\tau) \ge 2\sqrt{1 - \cos^{2(d-1)n}\!\Big(\frac{\pi}{2n}\,\omega_1(\tau)\Big)}, \qquad \forall\,\tau > 0.
\]
In terms of the scaling with respect to $n$ and $d$, if $\omega_1(\cdot) = \Omega(1)$, such as when $g_1$ is Lipschitz continuous, we have $\omega(\cdot) = \Omega(\sqrt{d/n})$.

Appendix G: Proof of Theorem 2
Proof.
If $\epsilon_{in} \ge \omega\big(\sqrt{\ln[\pi/(2\gamma^2)]}\big)$, then $\gamma \ge \sqrt{\pi/2}\,e^{-\omega^{-1}(\epsilon_{in})^2/2}$. By the definition of the generator and the latent space, we have $N_m(g^{-1}(\rho)) = \xi(\rho)$ for all $\rho \in S \subseteq X$. Let us define $h_{i\to} = \{\rho \in h_i \mid d(\rho, \cup_{j \ne i}h_j) \le \epsilon_{in}\}$, the set of density matrices of class $i$ at distance at most $\epsilon_{in}$ from $\cup_{j \ne i}h_j$. Then, following Definition 3,
\[
R^{PC}_{\epsilon_{in}}(h, \xi) = \Pr_{\rho \leftarrow \xi}\Big[\min_{\sigma \in S}\{\|\sigma - \rho\|_1 \mid h(\sigma) \ne h(\rho)\} \le \epsilon_{in}\Big] = \xi(\cup_i h_{i\to}) = N_m\big(g^{-1}(\cup_i h_{i\to})\big), \qquad \text{(G1)}
\]
since the $h_{i\to}$ are disjoint for different classes $i$. Hence it can be shown that $R^{PC}_{\epsilon_{in}}(h, \xi) \ge 1 - \gamma$ when $\xi(h_i) \le 1/2$ for all $i$, from Theorem 1 in [15]. The contrapositive yields the necessary condition Eq. (7). For completeness, we present our condensed version of the proof below.

We write the cumulative distribution function of the standard Gaussian distribution $\mathcal{N}(0, 1)$ as $\Phi(x) = \frac{1}{\sqrt{2\pi}}\int_{-\infty}^{x}\exp(-u^2/2)\,du$.

Theorem 4 (Gaussian isoperimetric inequality) [19, 48].
Let $N_m$ be the canonical Gaussian measure on $\mathbb{R}^m$. Let $\Sigma \subseteq \mathbb{R}^m$ be any Borel set and let $\Sigma_{\epsilon} = \{z \in \mathbb{R}^m \mid \exists\, z' \in \Sigma \text{ s.t. } \|z - z'\|_2 \le \epsilon\}$. If $N_m(\Sigma) = \Phi(a)$ then $N_m(\Sigma_{\epsilon}) \ge \Phi(a + \epsilon)$.

Lemma 1 [15].
Let $p \in [1/2, 1)$; then for all $\eta > 0$,
\[
\Phi(\Phi^{-1}(p) + \eta) \ge 1 - (1 - p)\sqrt{\frac{\pi}{2}}\,e^{-\eta^2/2}. \qquad \text{(G2)}
\]
If $p = 1 - 1/K$ for $K \ge 5$ and $\eta \ge 0$, we have
\[
\Phi(\Phi^{-1}(1 - 1/K) + \eta) \ge 1 - \frac{1}{K}\sqrt{\frac{\pi}{2}}\,e^{-\eta^2/2}\,e^{-\eta\sqrt{\log\left(K^2/(4\pi\log K)\right)}}. \qquad \text{(G3)}
\]

We first introduce the following sets in the latent space $(\mathbb{R}^m, \ell_2, N_m)$: $H_i = g^{-1}(h_i)$ and $H_{i\to} = \{z \in H_i \mid d(z, \cup_{j \ne i}H_j) \le \omega^{-1}(\epsilon_{in})\}$. We note that $H_{i\to} \cup \bigcup_{j \ne i}H_j$ is the set of points at distance at most $\omega^{-1}(\epsilon_{in})$ from $\cup_{j \ne i}H_j$. Then by Theorem 4 applied with $\Sigma = \cup_{j \ne i}H_j$ and $a = a_{\ne i} \equiv \Phi^{-1}(N_m(\cup_{j \ne i}H_j))$, we have $N_m(H_{i\to}) + N_m(\cup_{j \ne i}H_j) \ge \Phi(a_{\ne i} + \omega^{-1}(\epsilon_{in}))$. Rearranging, $N_m(H_{i\to}) \ge \Phi(a_{\ne i} + \omega^{-1}(\epsilon_{in})) - \Phi(a_{\ne i})$. As the $H_{i\to}$ are disjoint for different classes $i$, we have
\[
N_m(\cup_i H_{i\to}) \ge \sum_{i=1}^{K}\big[\Phi(a_{\ne i} + \omega^{-1}(\epsilon_{in})) - \Phi(a_{\ne i})\big].
\]
By the definition of $\omega(\cdot)$, we have $g(H_{i\to}) \subseteq h_{i\to}$. It leads to $N_m(g^{-1}(h_{i\to})) \ge N_m(H_{i\to})$ and $N_m(\cup_i g^{-1}(h_{i\to})) \ge N_m(\cup_i H_{i\to})$. Therefore, we obtain the result for an arbitrary decision boundary,
\[
N_m(\cup_i g^{-1}(h_{i\to})) \ge \sum_{i=1}^{K}\big[\Phi(a_{\ne i} + \omega^{-1}(\epsilon_{in})) - \Phi(a_{\ne i})\big].
\]
Equivalently, by Eq. (G1),
\[
R^{PC}_{\epsilon_{in}}(h, \xi) \ge \sum_{i=1}^{K}\big[\Phi(a_{\ne i} + \omega^{-1}(\epsilon_{in})) - \Phi(a_{\ne i})\big].
\]
Suppose $\xi(h_i) = N_m(H_i) \le 1/2$ and $N_m(\cup_{j \ne i}H_j) \ge 1/2$ for all $i$. Using Eq. (G2) of Lemma 1 in the second inequality below,
\begin{align*}
R^{PC}_{\epsilon_{in}}(h, \xi) &\ge \sum_{i=1}^{K}\Big[\Phi\big(\Phi^{-1}(N_m(\cup_{j \ne i}H_j)) + \omega^{-1}(\epsilon_{in})\big) - N_m(\cup_{j \ne i}H_j)\Big] \\
&\ge \sum_{i=1}^{K}\Big[1 - \big(1 - N_m(\cup_{j \ne i}H_j)\big)\sqrt{\tfrac{\pi}{2}}\,e^{-\omega^{-1}(\epsilon_{in})^2/2} - N_m(\cup_{j \ne i}H_j)\Big] \\
&= \Big(1 - \sqrt{\tfrac{\pi}{2}}\,e^{-\omega^{-1}(\epsilon_{in})^2/2}\Big)\sum_{i=1}^{K}\big[1 - N_m(\cup_{j \ne i}H_j)\big] \\
&= 1 - \sqrt{\tfrac{\pi}{2}}\,e^{-\omega^{-1}(\epsilon_{in})^2/2} \;>\; 1 - \gamma,
\end{align*}
where the last equality uses $\sum_i[1 - N_m(\cup_{j \ne i}H_j)] = \sum_i N_m(H_i) = 1$, and the final inequality holds for $\gamma > \sqrt{\pi/2}\,e^{-\omega^{-1}(\epsilon_{in})^2/2}$. The contrapositive yields the result in our Theorem 2 that $\epsilon_{in} \le \omega\big(\sqrt{\ln[\pi/(2\gamma^2)]}\big)$ is necessary for $R^{PC}_{\epsilon_{in}}(h, \xi) \le 1 - \gamma$.

When there are at least 5 equiprobable classes [15], substituting Eq. (G3) of Lemma 1 into the above inequality instead yields
\[
R^{PC}_{\epsilon_{in}}(h, \xi) \ge 1 - \sqrt{\frac{\pi}{2}}\,e^{-\omega^{-1}(\epsilon_{in})^2/2}\,e^{-\omega^{-1}(\epsilon_{in})\sqrt{\log\left(K^2/(4\pi\log K)\right)}}.
\]
Hence the in-distribution robustness of $h$ decreases with the number of equiprobable classes.

Alternatively, a numerically looser upper bound on $\epsilon_{in}$ can be derived from the fact that $(\mathbb{R}^m, \ell_2, N_m)$ resembles a normal Lévy family, but with a concentration function that decays independently of $N$. By Theorem 4, any Borel set $\Sigma$ there with $N_m(\Sigma) = \Phi(a)$ satisfies $N_m(\Sigma_{\epsilon}) \ge \Phi(a + \epsilon)$. In particular, for all Borel sets $A$ with measure at least $1/2$ we have $a \ge 0$ and thus $1 - N_m(A_{\epsilon}) \le 1 - \Phi(\epsilon) \le \exp(-\epsilon^2/2)$, where the last inequality follows from the Gaussian tail bound. By the definition of the concentration function in Eq. (3), $\alpha(\epsilon) = \sup_A\{1 - N_m(A_{\epsilon})\} \le \exp(-\epsilon^2/2)$. Substituting into the statement and the proof of Theorem 1 the constants implied by this bound (with $k_1 = 1$, $k_2$ set by the exponent $\epsilon^2/2$) and $N = 1$, we have the following. Let $\eta \in [0, 1/2]$ be such that $N_m(H_l) = \xi(h_l) \le 1 - \eta$ for all $l \in L$.

If $\epsilon_{in} \ge \omega\big(\sqrt{\ln(4/\gamma^2)} + \sqrt{\ln(4/\eta^2)}\big)$, then by acting with $\omega^{-1}(\cdot)$, which is a strictly increasing function, on both sides, we obtain $\omega^{-1}(\epsilon_{in}) \ge \sqrt{\ln(4/\gamma^2)} + \sqrt{\ln(4/\eta^2)}$. This implies that $R^{PC}_{\omega^{-1}(\epsilon_{in})}(h, N_m) \ge 1 - \gamma$. Since $R^{PC}_{\omega^{-1}(\epsilon_{in})}(h, N_m) \le R^{PC}_{\epsilon_{in}}(h, \xi)$ (this is equivalent to $g(H_{i\to}) \subseteq h_{i\to}$), it therefore implies $R^{PC}_{\epsilon_{in}}(h, \xi) \ge 1 - \gamma$. The contrapositive yields that, for $R^{PC}_{\epsilon_{in}}(h, \xi) \le 1 - \gamma$, it is necessary to have $\epsilon_{in} \le \omega\big(\sqrt{\ln(4/\gamma^2)} + \sqrt{\ln(4/\eta^2)}\big)$. When $\eta = 1/2$ this bound reads $\omega\big(\sqrt{\ln(4/\gamma^2)} + \sqrt{\ln 16}\big)$, which exceeds the Theorem 2 bound $\omega\big(\sqrt{\ln[\pi/(2\gamma^2)]}\big)$ for the same $\gamma$, since $\omega$ is increasing, $4 > \pi/2$ and $\sqrt{\ln 16} > 0$; the necessary upper bound is therefore looser than that in Theorem 2.

Appendix H: Proof of Theorem 3
Proof.
We have the mapping to obtain a product-state density matrix, $P: X \to X$, $\sigma \mapsto \bigotimes_{i=1}^{n}\mathrm{tr}_{\{j \ne i\}}\,\sigma$, where $n$ is the number of qubits. This is not a CPTP map on the set $X$ of $d^n \times d^n$ density matrices, since it is non-linear. Nonetheless, it can be viewed as a CPTP map $\Lambda$ on $X^{\otimes n}$, $\Lambda: X^{\otimes n} \to X$, $\sigma^{\otimes n} \mapsto \bigotimes_{i=1}^{n}\mathrm{tr}_{\{j \ne i\}}\big([\sigma^{\otimes n}]_i\big)$, where $[\sigma^{\otimes n}]_i$ denotes the $i$-th copy of $\sigma$; this involves only partial tracing. In particular, for a product state $\rho$, $\Lambda(\rho^{\otimes n}) = \rho$.

Consider $\rho \in S \subseteq X$, an $n$-qubit density matrix with $\rho = g(z)$ for some $z \in Z$, and let $\sigma \in X$. We have
\[
\|\rho - P(\sigma)\|_1 = \|\Lambda(\rho^{\otimes n}) - \Lambda(\sigma^{\otimes n})\|_1 \le \|\rho^{\otimes n} - \sigma^{\otimes n}\|_1 \le 2\sqrt{1 - F(\rho^{\otimes n}, \sigma^{\otimes n})} = 2\sqrt{1 - F(\rho, \sigma)^{n}},
\]
where the first inequality follows from the contractivity of the trace norm under any CPTP map, the second from the upper bound in Eq. (E1), which holds for general states, and the last equality from the multiplicativity of the fidelity with respect to tensor products. By the lower bound in Eq. (E1), we have $F(\rho, \sigma) \ge (1 - \|\rho - \sigma\|_1/2)^2$. Substituting in, we obtain
\[
\|\rho - P(\sigma)\|_1 \le 2\sqrt{1 - \Big(1 - \frac{\|\rho - \sigma\|_1}{2}\Big)^{2n}}.
\]
Let $\tilde{\sigma} \in S$ be the closest in-distribution sample to $P(\sigma)$, which can be found by fitting the parameters $\{s_i\}$ in Eq. (1). Since $\rho \in S$, $\|P(\sigma) - \tilde{\sigma}\|_1 \le \|P(\sigma) - \rho\|_1$. We then obtain
\[
\|\rho - \tilde{\sigma}\|_1 \le \|\rho - P(\sigma)\|_1 + \|P(\sigma) - \tilde{\sigma}\|_1 \le 4\sqrt{1 - \Big(1 - \frac{\|\rho - \sigma\|_1}{2}\Big)^{2n}}. \qquad \text{(H1)}
\]
Recall that for the quantum classifier $\tilde{h}$, $\tilde{h}(\sigma) = h(\tilde{\sigma})$. Taking the minimum over all $\sigma$ such that $\tilde{h}(\sigma) \ne \tilde{h}(\rho)$ (i.e., $h(\tilde{\sigma}) \ne h(\rho)$),
\[
\varepsilon_{in}(\rho) \le \min\{\|\rho - \tilde{\sigma}\|_1\} \le 4\sqrt{1 - \Big(1 - \frac{\min\{\|\rho - \sigma\|_1\}}{2}\Big)^{2n}}, \qquad \text{(H2)}
\]
we obtain
\[
\varepsilon_{in}(\rho) \le 4\sqrt{1 - \Big(1 - \frac{\varepsilon_{unc}(\rho)}{2}\Big)^{2n}}. \qquad \text{(H3)}
\]
Notice that to obtain an inequality between $\varepsilon_{in}(\rho)$ and $\varepsilon_{unc}(\rho)$ as in Eq. (H3), it suffices that Eq. (H2) hold after taking the minimum; it is not necessary for Eq. (H1) to hold for a generic $\sigma$. Since the $n$-qubit density matrices that are separable with respect to some equal bipartition of the system, denoted $\{\rho_b\}$, form a dense subset [66], we can effectively realize the same minimum in Eq. (H2) over $\sigma \in \{\rho_b\}$ with $\tilde{h}(\sigma) \ne \tilde{h}(\rho)$ instead. For such equal-bipartite states, the number of copies needed for a CPTP map $\Lambda'$ acting on them to produce $P(\sigma)$ reduces to $n/2$ if $n$ is even and $(n+1)/2$ if $n$ is odd. For instance, given a 4-qubit $\sigma$ in which qubit 1 is entangled only with qubit 2 and qubit 3 only with qubit 4, $\Lambda'(\sigma^{\otimes 2}) = \mathrm{tr}_{\{2,4\}}(\sigma) \otimes \mathrm{tr}_{\{1,3\}}(\sigma) = P(\sigma) = \Lambda(\sigma^{\otimes 4})$, up to reordering the subsystems. Therefore we can replace the exponent $2n$ in Eq. (H3) (equivalently $1/(2n)$ after rearranging) with $n$ for even $n$ and $n+1$ for odd $n$. Recalling $\varepsilon_{unc}(\rho) \le \varepsilon_{in}(\rho)$ for all $\rho \in X$ and rearranging,
\[
2\Big[1 - \Big(1 - \Big(\frac{\varepsilon_{in}(\rho)}{4}\Big)^2\Big)^{1/n_e}\Big] \le \varepsilon_{unc}(\rho) \le \varepsilon_{in}(\rho),
\]
where $n_e = n$ for even $n$ and $n_e = n + 1$ for odd $n$.
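The inequality between $\|\rho - P(\sigma)\|_1$ and $\|\rho - \sigma\|_1$ that drives Eq. (H1) can be checked numerically for two qubits. The following is an added example and not the paper's code: the product-of-marginals map $P$, the partial traces and the Jacobi eigenvalue routine used to compute trace norms are helpers written for this illustration with hypothetical names, and the entangled state $|\chi\rangle = (|00\rangle + \delta|11\rangle)/\sqrt{1 + \delta^2}$ is a constructed input.

```python
"""Numerical check of the chain leading to (H1) in Appendix H for two qubits
(added example, not the paper's code).

For an in-distribution product state rho and an arbitrary state sigma, the
product of marginals P(sigma) should satisfy
    ||rho - P(sigma)||_1 <= 2 sqrt(1 - (1 - ||rho - sigma||_1 / 2)^(2n)).
Only real amplitudes are used so the trace norm can be obtained from the
eigenvalues of a real symmetric matrix with a small Jacobi routine; qubit 0
is the most significant index bit.  All helper names are hypothetical.
"""
import math


def outer(v):
    """|v><v| for a real amplitude vector v."""
    return [[x * y for y in v] for x in v]


def kron(a, b):
    """Kronecker product of two matrices given as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def matsub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def marginal(rho, n, i):
    """Single-qubit reduced state tr_{j != i}(rho) of an n-qubit rho."""
    dim = 1 << n
    shift = n - 1 - i
    mask = (dim - 1) ^ (1 << shift)      # index bits of all qubits except i
    out = [[0.0, 0.0], [0.0, 0.0]]
    for r in range(dim):
        for c in range(dim):
            if (r & mask) == (c & mask):  # trace: other qubits' indices agree
                out[(r >> shift) & 1][(c >> shift) & 1] += rho[r][c]
    return out


def product_of_marginals(rho, n):
    """P(rho) = tensor_i tr_{j != i}(rho), the non-linear map of Appendix H."""
    out = marginal(rho, n, 0)
    for i in range(1, n):
        out = kron(out, marginal(rho, n, i))
    return out


def eig_sym(a, sweeps=50, tol=1e-14):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in a]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                 # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                 # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def trace_norm(a):
    """||A||_1 = sum of |eigenvalues| for a real symmetric A."""
    return sum(abs(x) for x in eig_sym(a))


def pure_trace_norm(phi, chi):
    """||rho - sigma||_1 = 2 sqrt(1 - F) for pure states, F = <phi|chi>^2 (Eq. (E1))."""
    ov = sum(x * y for x, y in zip(phi, chi))
    return 2.0 * math.sqrt(max(0.0, 1.0 - ov * ov))


def h1_bound(dist, n):
    """2 sqrt(1 - (1 - dist/2)^(2n)), the bound on ||rho - P(sigma)||_1 in Appendix H."""
    return 2.0 * math.sqrt(1.0 - (1.0 - dist / 2.0) ** (2 * n))


def eps_unc_lower_bound(eps_in, n_e):
    """Rearranged (H3): eps_unc >= 2 [1 - (1 - (eps_in/4)^2)^(1/n_e)]."""
    return 2.0 * (1.0 - (1.0 - (eps_in / 4.0) ** 2) ** (1.0 / n_e))


def check_two_qubits(delta):
    """rho = |00><00| versus the constructed entangled sigma = |chi><chi| with
    |chi> = (|00> + delta |11>) / sqrt(1 + delta^2).  Returns
    (||rho - sigma||_1, ||rho - P(sigma)||_1, bound from Appendix H with n = 2)."""
    n = 2
    phi = [1.0, 0.0, 0.0, 0.0]
    norm = math.sqrt(1.0 + delta * delta)
    chi = [1.0 / norm, 0.0, 0.0, delta / norm]
    rho, sigma = outer(phi), outer(chi)
    dist = trace_norm(matsub(rho, sigma))
    lhs = trace_norm(matsub(rho, product_of_marginals(sigma, n)))
    return dist, lhs, h1_bound(dist, n)
```

For $\delta = 1/2$ the marginals of $\sigma$ are both $\mathrm{diag}(0.8, 0.2)$, so $\|\rho - P(\sigma)\|_1 = 0.72$ while $\|\rho - \sigma\|_1 = 2\sqrt{1 - 0.8} \approx 0.894$ and the bound evaluates to about $1.90$; the gap shows how much the bound in (H1) gives away when $\sigma$ is far from the product manifold. The trace norm of the pure-state difference computed by Jacobi agrees with `pure_trace_norm`, i.e. with the equality case of (E1).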