Adversarial Quantum Machine Learning: An Information-Theoretic Generalization Analysis
Abstract
In a manner analogous to their classical counterparts, quantum classifiers are vulnerable to adversarial attacks that perturb their inputs. A promising countermeasure is to train the quantum classifier by adopting an attack-aware, or adversarial, loss function. This paper studies the generalization properties of quantum classifiers that are adversarially trained against bounded-norm white-box attacks. Specifically, a quantum adversary maximizes the classifier’s loss by transforming an input state into a state that is -close to the original state in -Schatten distance. Under suitable assumptions on the quantum embedding , we derive novel information-theoretic upper bounds on the generalization error of adversarially trained quantum classifiers for and . The derived upper bounds consist of two terms: the first is an exponential function of the 2-Rényi mutual information between classical data and quantum embedding, while the second term scales linearly with the adversarial perturbation size . Both terms are shown to decrease as over the training set size . An extension is also considered in which the adversary assumed during training has different parameters and as compared to the adversary affecting the test inputs. Finally, we validate our theoretical findings with numerical experiments for a synthetic setting.
I Introduction
Motivation: Quantum machine learning (QML) has emerged as a design paradigm for current noisy intermediate scale quantum (NISQ) computers [1, 2]. Among the main projected applications of QML is data analytics, of which classification is a prototypical example. As shown in Fig. 1(a), in a typical quantum classification problem, a classical input – such as an image, a text, or a vector of tunable parameters for a physical experiment – is mapped to a quantum state , which is known as a quantum embedding. The quantum embedding map may be implemented by a quantum circuit or by some physical mechanism, possibly encompassing also quantum sensing [3]. The design goal is to find a classifier, consisting of a positive operator valued measure (POVM), that can predict the true class associated with input with reasonable accuracy.
Despite quantum classifiers having shown promising results [4], recent works [5, 6, 7] have highlighted their vulnerability to adversarial attacks. A quantum adversary can perturb the input quantum state via the application of a quantum channel, producing a state for which the classifier is less likely to identify the true class .
Adversarial training was found to be a promising defense strategy [5, 7]. In adversarial training, the classifier replaces the conventional classification loss with an adversarial loss that accounts for the worst-case effect of an adversarial perturbation of the quantum embedding. This approach results in a min-max optimization problem with outer minimization over POVMs and inner maximization over adversarial perturbations. Our aim is to understand how well an adversarially trained classifier generalizes to new, previously unseen quantum states subjected to a possibly different adversarial attack.
Related Work: While the theory of adversarial generalization has recently garnered attention in classical adversarial machine learning [8, 9, 10], related efforts have not been reported for QML. Indeed, existing works on the generalization analysis of QML models focus on the conventional non-adversarial setting [11, 12, 13]. Our work is particularly inspired by [11], which presented an information-theoretic analysis of generalization for quantum classifiers in the absence of quantum adversaries. Our generalization bounds extend those derived in [11] by accounting for the impact of adversarial training and for the presence of a quantum attacker at test time.
Main Contributions: In this work, we study quantum adversarial attacks which perturb the input quantum state to a state that is -close to in -Schatten distance. Our main contributions are as follows:
- We derive new information-theoretic upper bounds on the adversarial generalization error for and . The resulting upper bounds consist of two terms: The first, which coincides with the bound in [11], captures the non-adversarial generalization error via the exponentiated 2-Rényi-mutual information between the classical input and the quantum embedding; while the second term accounts for the impact of adversarial perturbations. Specifically, the second term scales as under attack, and as under attack, where is the dimension of Hilbert space and is the number of training samples. Accordingly, our results bound the increase in sample complexity caused by the presence of an attacker, and they account for the power of the adversary via parameters and .
- We study a setting in which the classifier is adversarially trained against a -adversarial attack with -perturbation budget, but it is tested against a -attack with -perturbation budget. We show that in the presence of this training-test mismatch, training with a strong adversary is the preferred strategy, as weak training adversaries may incur a positive non-vanishing term that scales as
- Finally, we validate our main theoretical findings with numerical experiments.
II Problem Formulation
In this section, we first introduce the quantum classification problem in the absence of a quantum adversary, and define the conventional generalization error of a quantum classifier. We then formulate the adversarial setting, and define the generalization error of an adversarially-trained classifier.
II-A Generalization Error of Quantum Classifiers
As illustrated in Fig. 1(a), a classical input is embedded into a quantum state by a fixed and known quantum embedding map . The state is a density matrix, i.e., a positive semi-definite, unit-trace matrix, defined in a finite-dimensional Hilbert space . Let denote the correct label assigned to input that takes values in one of the classes. The classical tuple is generated from an unknown data distribution . We assume to be discrete-valued to avoid some technicalities, but the analysis can be extended to continuous-valued inputs .
The quantum classifier consists of a POVM applied to the quantum embedding . The POVM is defined by positive semi-definite matrices , for , that satisfy the equality , where denotes the identity matrix. We use to denote the set of all POVMs. By Born’s rule, a POVM applied to a quantum state yields the output class with probability .
Accordingly, we consider as loss function the probability of error
(1) |
which is the probability of misclassifying state given its true label . The goal of the quantum classification problem is to find the POVM that minimizes the population risk,
(2) |
which is the expected loss with respect to the distribution .
However, the population risk cannot be evaluated by the classifier, since the data distribution is unknown. Instead, the optimization of POVM is done with respect to the empirical training risk,
(3) |
which is evaluated using a training set consisting of tuples generated i.i.d. from distribution . The difference between the population risk and the training risk is defined as the generalization error
(4) |
obtained by the POVM .
II-B Adversarial Attacks on Quantum Classifiers
In an adversarial setting, as illustrated in Fig. 1(b), a quantum adversary can perturb the input quantum state via the application of a completely positive trace preserving (CPTP) map, i.e., a quantum channel, with the aim of maximizing the classifier’s loss (1) [5]. Targeting a worst-case scenario, the adversary is assumed to know the quantum classifier , the loss function (1), as well as the quantum embedding map , resulting in white-box attacks.
To define the power of the adversary, we constrain the distance between the density matrices before and after the perturbation. To this end, we adopt the -Schatten norm. For two density matrices and and , the -Schatten distance is defined as
(5) |
where and . In the limiting case of , the distance is defined as where is the set of eigenvalues of .
A -adversarial attack with a perturbation budget can produce any quantum state satisfying . Assuming that the adversary maximizes the loss incurred by the quantum classifier under this perturbation budget, the resulting adversarial loss of the classifier on data tuple is given as
(6) |
where is defined as in (1). In this paper, we will focus on the extreme cases with and adversarial attacks.
In the presence of a -adversarial attack with perturbation budget , the performance of the quantum classifier is measured by the adversarial population risk
(7) |
which is the expected adversarial loss with respect to the unknown distribution .
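A numerical illustration of the error-probability loss (1), the Schatten distance and the adversarial loss (6) for a single qubit, added here as an example and not taken from the paper's code. The embedding angle, the noise strength 0.4, the projective POVM and all function names are assumptions made for the example. The closed-form worst case is exact only for a qubit with a rank-one projective POVM and an eigenvalue shift no larger than the minimum eigenvalue of the state.

```python
import numpy as np

def schatten_norm(a, p):
    """p-Schatten norm of a Hermitian matrix: the l_p norm of its eigenvalues."""
    ev = np.abs(np.linalg.eigvalsh(a))
    return float(ev.max()) if np.isinf(p) else float((ev ** p).sum() ** (1.0 / p))

def schatten_distance(rho, sigma, p):
    return schatten_norm(rho - sigma, p)

def is_density_matrix(rho, tol=1e-9):
    """Hermitian, unit trace, positive semi-definite."""
    hermitian = np.allclose(rho, rho.conj().T, atol=tol)
    unit_trace = abs(np.trace(rho).real - 1.0) < tol
    return bool(hermitian and unit_trace and np.linalg.eigvalsh(rho).min() > -tol)

def depolarized_embedding(theta, lam):
    """Constructed embedding: (1-lam)|psi><psi| + lam*I/2, minimum eigenvalue lam/2."""
    psi = np.array([np.cos(theta / 2), np.sin(theta / 2)], dtype=complex)
    return (1 - lam) * np.outer(psi, psi.conj()) + lam * np.eye(2) / 2

def loss(povm, rho, c):
    """Probability of error under Born's rule: 1 - Tr(Pi_c rho)."""
    return float(1.0 - np.trace(povm[c] @ rho).real)

def eigen_shift(eps, p):
    """A traceless 2x2 Hermitian matrix with eigenvalues +s, -s has p-norm
    2**(1/p) * s (and s for p = inf); return the s that spends the whole budget."""
    return eps if np.isinf(p) else eps / 2 ** (1.0 / p)

def worst_case_state(povm, rho, c, eps, p):
    """Perturbation diagonal in the eigenbasis of Pi_c: remove weight s from the
    true-class direction and add it to the orthogonal one."""
    s = eigen_shift(eps, p)
    if s > np.linalg.eigvalsh(rho).min():
        raise ValueError("shift exceeds the minimum eigenvalue: state not guaranteed physical")
    _, u = np.linalg.eigh(povm[c])  # columns ordered by ascending eigenvalue (0, then 1)
    return rho + u @ np.diag([s, -s]) @ u.conj().T

def adversarial_loss(povm, rho, c, eps, p):
    return loss(povm, worst_case_state(povm, rho, c, eps, p), c)

def random_search(povm, rho, c, eps, p, trials=2000, seed=0):
    """Sanity check: best loss over random perturbations on the budget boundary."""
    rng = np.random.default_rng(seed)
    best = loss(povm, rho, c)
    for _ in range(trials):
        a = rng.normal(size=(2, 2)) + 1j * rng.normal(size=(2, 2))
        h = a + a.conj().T                     # random Hermitian direction
        h -= np.trace(h) / 2 * np.eye(2)       # make it traceless
        h *= eps / schatten_norm(h, p)         # scale onto the eps-sphere
        cand = rho + h
        if is_density_matrix(cand):
            best = max(best, loss(povm, cand, c))
    return best

# Constructed sample: computational-basis POVM and one embedded input.
POVM = [np.diag([1.0, 0.0]).astype(complex), np.diag([0.0, 1.0]).astype(complex)]
RHO = depolarized_embedding(np.pi / 3, 0.4)

if __name__ == "__main__":
    print("clean loss:", round(loss(POVM, RHO, 0), 6))
    for p in (1, np.inf):
        adv = adversarial_loss(POVM, RHO, 0, 0.1, p)
        found = random_search(POVM, RHO, 0, 0.1, p)
        print(f"p={p}: adversarial loss {adv:.6f}, random search best {found:.6f}")
```

For the same budget the p = ∞ attack raises the loss twice as much as the p = 1 attack here, which matches the factor equal to the Hilbert-space dimension (2 for a qubit) between the two perturbation terms.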
II-C Generalization Error of Adversarially Trained Classifiers
Suppose that the quantum classifier is aware of the presence of a -adversarial attack with perturbation budget . While the adversarial population risk cannot be directly evaluated, the quantum classifier can be trained by optimizing the adversarial training risk
(8) |
which is the empirical average of the adversarial loss (6) over the training set . This results in a min-max optimization problem with the outer minimization over POVMs and the inner maximization over perturbations of quantum states [5].
In this work, we are interested in characterizing the adversarial generalization error. The adversarial generalization error of a POVM is the difference between adversarial population risk (7) and adversarial training loss (8), i.e.,
(9) |
Note that in the limit as , the adversarial generalization error coincides with the standard generalization error in (4).
III Preliminaries
In this section, we first present the main result of [11], which gives a high-probability, information-theoretic, upper bound on the generalization error (4) for conventional quantum learning. We then outline the key steps in the derivation of the upper bound, which will be useful in the next section to derive the proposed upper bounds on the adversarial generalization error.
Theorem 1 (Banchi et al. [11]).
For any POVM , the following upper bound on the generalization error holds with probability at least , for , with respect to random draws of the training set ,
(10) |
where denotes the 2-Rényi mutual information between the quantum state space and the classical feature space under state , which is given by
(11) |
The derivation of the upper bound in (10) follows two main steps. In the first step, the generalization error of a POVM is upper bounded as
(12) |
where denotes the uniform deviation bound that depends on the training set and the set of POVMs. In the second step, the uniform deviation bound is upper bounded by leveraging a classical result from statistical learning theory. This result, stated next, hinges on the fact that the loss function in (1) satisfies the inequality .
Lemma 1 (Shalev-Shwartz and Ben-David [14]).
With probability at least , for , with respect to random draws of the training set , the following inequality holds
(13) |
where
(14) |
is the Rademacher complexity of the set of POVMs. In (14), denotes a vector of i.i.d. Rademacher variables that take value with equal probability.
IV Generalization Bounds for Adversarially Trained Quantum Classifiers
In this section, we present our main results, which provide information-theoretic upper bounds on the adversarial generalization error defined in (9).
IV-A Key Technical Challenge
To derive upper bounds on the adversarial generalization error , one can follow similar steps as discussed in Sec. III, targeting the adversarial uniform deviation bound
(15) |
on the adversarial generalization error . The uniform deviation bound can be further upper bounded, as in Lemma 1, as a function of the adversarial Rademacher complexity
(16) |
Specifically, as in Lemma 1, with probability at least , for , the following inequality holds
(17) |
However, evaluating the adversarial Rademacher complexity is challenging. The function in (16) is defined using the adversarial loss , which entails a maximization problem over the set of density matrices that satisfy the perturbation constraint. In the corresponding problem studied in [8] for classical adversarial learning, the relevant constraint imposes a bound on the -norm based perturbation of the classical input, and the resulting adversarial loss can be easily evaluated in closed form. In contrast, the constrained optimization underlying the quantum adversarial loss appears not to admit a closed-form solution in general.
IV-B Main Results
To state the main results, we make the following assumption.
Assumption 1.
The quantum embedding map from classical input to density matrix is such that the minimum eigenvalue of the density matrix satisfies the inequality for some , where is the dimension of the Hilbert space.
Assumption 1 imposes a constraint on the entropy of the quantum embedding, requiring all quantum states to have all non-zero eigenvalues, and hence maximum Rényi entropy of order zero [15]. In practice, the quantum embedding may be noisy, which is modelled by a CPTP map , whereby the input classical data is mapped to a noisy state as . The minimal eigenvalue of the resulting noisy state is greater than or equal to that of the clean state, i.e., Thus, noisy quantum states can satisfy Assumption 1 even when corresponding clean states don’t.
The following theorem gives an upper bound on the adversarial generalization error defined in (9) with .
Theorem 2.
The bound in (18) shows that the adversarial generalization error can be upper bounded in terms of the non-adversarial generalization bound (10) with an additional term that is directly proportional to the perturbation budget . This term quantifies the impact of the adversarial perturbation on generalization, and it recovers the bound (10) for . Furthermore, by the upper bound in (18), in the limit of a large number of observations , the adversarial generalization error vanishes. These results hold under the constraint on the power of the adversary, which is more restrictive for less noisy quantum embeddings with a smaller minimum eigenvalue .
We now present an upper bound on the adversarial generalization error under -Schatten norm attacks.
Theorem 3.
For any given perturbation level , -adversarial attacks with are stronger than with , since they allow for perturbations in a larger volume of the Hilbert space. In a manner consistent with this observation, the additional term in the bound (19) is larger than in (18), with the relative increase factor equal to the dimension of the Hilbert space. The result holds under the more restrictive assumption .
The generalization bounds derived in the previous two theorems vanish in the limit of a large number of samples, . These results hold under Assumption 1, which requires the quantum embeddings to be sufficiently noisy, and on the stated upper bounds for the perturbation . As we show next, even when removing these assumptions, it is possible to show that the adversarial generalization error is given by the adversarial generalization bound (10) with the addition of a term proportional to the perturbation level . However, these additional terms do not vanish as increases. We leave it as an open problem to establish tighter bounds in this regime.
Theorem 4.
Assume that the classes are equi-probable and that we have a -adversarial attack with any perturbation budget . For any POVM , the following upper bound on the adversarial generalization error holds with probability at least , for ,
(20) |
V Generalization Bounds Under Adversarial Mismatch
In the previous sections, we have considered the setting in which the quantum classifier is trained by assuming the same type of attacks encountered during testing. This is seldom true in practice: a quantum classifier adversarially trained against -adversarial attacks with an -perturbation budget can encounter a generally different -adversarial attack with -budget during testing. In this section, we quantify the adversarial generalization error under adversarial mismatch.
We define the mismatched adversarial generalization error,
of a POVM as the difference between the adversarial population risk , evaluated under -adversarial attack with -perturbation budget, and the adversarial training risk , evaluated under -adversarial attack with -perturbation budget. To characterize the mismatched adversarial generalization error as a function of the generalization error , we first define the following notion of relative strength of the adversaries.
Definition 1.
A -adversarial attack with perturbation budget is said to be stronger than a -adversarial attack with perturbation budget if the following inclusion condition
(21) |
holds for all density matrices . In this case, we also say that the second attack is weaker than the first.
The definition above is justified by the fact that a stronger attack, satisfying condition (21), would be able to further increase the adversarial loss (6) as compared to a weaker attack. The following lemma provides sufficient conditions that guarantee an adversary to be stronger than another.
Lemma 2.
A -adversarial attack with budget is stronger than a -adversarial attack with budget if
With these definitions, we have the following result.
Theorem 5.
Assume that the quantum classifier is adversarially trained assuming a -adversarial attack with perturbation budget , while a -adversarial attack with perturbation budget affects the quantum embeddings during testing. If the training adversarial attack is stronger than the testing adversarial attack, the following relation holds,
(22) |
where
is a function of the parameters . If the training adversary is weaker than the testing adversary, we have
(23) |
Theorem 5 gives insights on how best to adversarially train the classifier so that it generalizes well when tested against a possibly different adversary. In particular, the upper bound (22) guarantees that if the training adversary is stronger than the testing adversary, the mismatched generalization error is no larger than the generalization error obtained when the stronger attacker is also present at test time. From Lemma 2, a way to ensure a stronger attacker at training time is to train assuming and a sufficiently large . Conversely, by (23), assuming a weaker adversary during training yields a mismatched generalization error that can exceed the generalization error with the weaker test-time attacker by a non-vanishing (with ) term
VI Examples and Final Remarks
We consider a quantum binary classification problem with equi-probable class labels . For each class , we obtain the discrete-valued input by finely quantizing a continuous-valued feature input so that the discrete sum in (11) can be evaluated via numerical integration [11]. The input is sampled from the conditional Gaussian distribution with mean . We consider a depolarized quantum embedding, with noise strength , that maps to the quantum state , where the pure state is obtained as
(24) |
with Here, and are single qubit rotation gates, where denotes the vector of the Pauli matrices. In our experiments, we fix and , which results in .
In Fig. 2, we plot the true non-adversarial and adversarial generalization errors, i.e., and (for ) respectively, for the POVM when (left) and (right) as a function of the training set size . To validate our analysis, we also evaluate numerically the Rademacher complexity based uniform deviation bounds (13) and (17) for non-adversarial and adversarial errors with ; and we plot the derived adversarial upper bounds (18) (left) and (20) (right), along with the non-adversarial bound in (10).
The true generalization bounds follow a similar trend in both plots, with the adversarial generalization error being larger than the non-adversarial counterpart, and with both errors tending to for large values of the data set size . Furthermore, when the adversary’s perturbation is limited as , this behaviour is reproduced by the derived upper bound in Theorem 2. From the uniform deviation bounds it can be seen that the adversarial Rademacher complexity exceeds the non-adversarial Rademacher complexity. For the case when , i.e., when Assumption 1 is not satisfied, while capturing the general decrease with of the generalization error, our bound (20) is loose. We leave it as an open problem to derive tighter bounds in this regime. This observation also suggests that Assumption 1 is only instrumental in facilitating the derivation of the bound, which requires the optimization over the attacker’s channel, rather than indicating a “phase transition” in the generalization behavior.
Acknowledgments
The work of OS was supported by an Open Fellowship of the EPSRC with reference EP/W024101/1, by the EPSRC project EP/X011852/1, and by the European Union’s Horizon Europe Project CENTRIC under Grant 101096379. PG wishes to thank Mr. Charalampos Perdikis for the many useful discussions about code optimization and the use of multiprocessing and multithreading in accelerating his code.
References
- [1] M. Schuld and F. Petruccione, Machine learning with quantum computers. Springer, 2021.
- [2] O. Simeone et al., “An introduction to quantum machine learning for engineers,” Foundations and Trends® in Signal Processing, vol. 16, no. 1-2, pp. 1–223, 2022.
- [3] L. Davidovich, “Quantum sensing: Beyond the classical limits of precision,” 2024.
- [4] V. Havlíček, A. D. Córcoles, K. Temme, A. W. Harrow, A. Kandala, J. M. Chow, and J. M. Gambetta, “Supervised learning with quantum-enhanced feature spaces,” Nature, vol. 567, no. 7747, pp. 209–212, 2019.
- [5] S. Lu, L.-M. Duan, and D.-L. Deng, “Quantum adversarial machine learning,” Physical Review Research, vol. 2, no. 3, aug 2020. [Online]. Available: https://doi.org/10.1103/physrevresearch.2.033212
- [6] M. T. West, S. M. Erfani, C. Leckie, M. Sevior, L. C. Hollenberg, and M. Usman, “Benchmarking adversarially robust quantum machine learning at scale,” Physical Review Research, vol. 5, no. 2, p. 023186, 2023.
- [7] W. Ren, W. Li, S. Xu, K. Wang, W. Jiang, F. Jin, X. Zhu, J. Chen, Z. Song, P. Zhang et al., “Experimental quantum adversarial learning with programmable superconducting qubits,” Nature Computational Science, vol. 2, no. 11, pp. 711–717, 2022.
- [8] D. Yin, R. Kannan, and P. Bartlett, “Rademacher complexity for adversarially robust generalization,” in International conference on machine learning. PMLR, 2019, pp. 7085–7094.
- [9] P. Awasthi, N. Frank, and M. Mohri, “Adversarial learning guarantees for linear hypotheses and neural networks,” in International Conference on Machine Learning. PMLR, 2020, pp. 431–441.
- [10] J. Xiao, Y. Fan, R. Sun, and Z.-Q. Luo, “Adversarial rademacher complexity of deep neural networks,” arXiv preprint arXiv:2211.14966, 2022.
- [11] L. Banchi, J. Pereira, and S. Pirandola, “Generalization in quantum machine learning: A quantum information standpoint,” PRX Quantum, vol. 2, no. 4, p. 040321, 2021.
- [12] M. C. Caro, H.-Y. Huang, M. Cerezo, K. Sharma, A. Sornborger, L. Cincio, and P. J. Coles, “Generalization in quantum machine learning from few training data,” Nature communications, vol. 13, no. 1, p. 4919, 2022.
- [13] M. C. Caro, H.-Y. Huang, N. Ezzell, J. Gibbs, A. T. Sornborger, L. Cincio, P. J. Coles, and Z. Holmes, “Out-of-distribution generalization for learning quantum dynamics,” Nature Communications, vol. 14, no. 1, p. 3751, 2023.
- [14] S. Shalev-Shwartz and S. Ben-David, Understanding machine learning: From theory to algorithms. Cambridge university press, 2014.
- [15] M. Müller-Lennert, F. Dupuis, O. Szehr, S. Fehr, and M. Tomamichel, “On quantum rényi entropies: A new generalization and some properties,” Journal of Mathematical Physics, vol. 54, no. 12, 2013.
- [16] U. Haagerup, “The best constants in the khintchine inequality,” Studia Mathematica, vol. 70, no. 3, pp. 231–283, 1981.
- [17] E. H. L. Keith Ball, Eric A. Karlsen, “Sharp uniform convexity and smoothness inequalities for trace norms.” Inventiones Mathematicae, vol. 115, p. 463–482, 1994.
Appendix A Proof of Theorem 2 and Theorem 3
The key idea of the proofs is to upper bound the adversarial Rademacher complexity (16) via the non-adversarial Rademacher complexity (14) and an additional term that accounts for the impact of perturbation. To this end, we equivalently write the adversarial Rademacher complexity (16) as
(25) |
Using the inequality in the upper bound (25), we obtain
(26) |
where is as defined in (14), and
may be defined as the perturbation Rademacher complexity.
We continue by writing the POVM elements in terms of their eigendecomposition as , where denotes the diagonal matrix of eigenvalues. Using the cyclic property of the trace, can be equivalently written as
(27) |
where we have defined .
We now proceed to upper bound for the case of , which gives the required upper bound in Theorem 2.
A-A perturbation Rademacher complexity
For fixed , the inner maximization in (27) is achieved when is diagonal with entries
(28) |
where and respectively denote the maximum and minimum eigenvalues of ‘’. It can be verified that this choice of yields a physical density matrix . In particular, the condition guarantees that the minimal eigenvalue of is positive (for 2 linear operators , , we have ).
Now, defining we can re-write (27) as
Applying Hölder’s inequality, we get the relation since . Subsequently, we have
Since is diagonal, the trace norm evaluates as the sum of the absolute values of its diagonal elements. We thus have
(29) |
Let denote the number of examples in the training set that belongs to class . Then, for equiprobable classes, the upper bound (29) evaluates as
Using Khintchine’s inequality (see, e.g., [16]), we have . This results in
where the last inequality is due to Jensen’s inequality. Finally, noting that the classes are equi-probable, the expected value of evaluates as , yielding
Using this in (26), together with the upper bound in (10) returns the upper bound of (18).
We now upper bound for , which gives the required upper bound in Theorem 3.
A-B perturbation Rademacher complexity
To upper bound in (27), we start by arranging the set of eigenvalues of in increasing order in . Then, define the median eigenvalue as
For fixed , the inner maximization in (27) is achieved when is diagonal with entries
It can be verified that this choice of yields a physical density matrix . As before, the condition ensures that the minimum eigenvalue of is positive.
We now proceed with the same steps as in the previous proof for the attack. We define and use it to re-write . Applying Hölder’s inequality and evaluating the trace norm as the sum of the absolute values of its diagonal elements, we arrive at an inequality analogous to (29), namely
(30) |
Again, following the same steps as before, we get
Using this in (26), together with the upper bound in (10) returns the upper bound of (19).
Appendix B Proof of Theorem 4
To obtain the required bound, we proceed as in the proof of Theorem 2 in Appendix A. An upper bound on the adversarial Rademacher complexity can be obtained as in (26), in terms of the standard Rademacher complexity and the perturbation Rademacher complexity. The latter then evaluates as in (27). Let denote the perturbation matrix that achieves the inner maximization in (27). Subsequently, defining we re-write as
Employing Hölder’s inequality yields that , where the last inequality follows since . This results in the following upper bound
(31) |
We now evaluate the 2-norm , which can be written as
(32) |
In the following subsections, we consider the two cases and , and obtain respective upper bounds on (32).
Furthermore, using the shorthand notation , we note that
(33) |
which will be used to obtain a worst case upper bound on .
B-A perturbation Rademacher complexity
Using Hölder’s inequality, we get that , where . We now consider . We write in its diagonal basis via a unitary transform as a matrix of positive (P) and a matrix of negative (N) eigenvalues . The trace condition implies that . The -Schatten norm gives the eigenvalue of with maximal absolute value, which according to the norm bounds on and cannot exceed . Thus which together with yields . Using this in (33) yields
Using this in (32), we get the following worst case upper bound:
Plugging this in (31) for , and assuming equiprobable classes, we can now upper bound as
Finally, taking the expectation over the training set inside the square root by application of Jensen’s inequality yields the following upper bound
Plugging this in (26) and using the upper bound in (10) yields the required bound.
B-B perturbation Rademacher complexity
Under the distance we have that , which implies that . Using Hölder’s inequality, we have which together with (33) yields:
Using this, we get the following worst case upper bound on
Appendix C Proof of Lemma 2
To derive the required relation, we start by noting that -Schatten distance between the states and is defined as Thus, defining the matrix , the distance condition can be written as
Furthermore, we remind ourselves of the generalized version of Hölder’s inequality [17] for matrices
Firstly we prove the inequality for the case . Assume that for some . Then the following set of relations hold,
where in the first line we inserted the identity operator and in the second applied Hölder’s inequality. This in turn implies that
(34) |
The inequality (34) implies that a -adversary with perturbation budget can access all states within the set
Thus, if we have a -adversary with perturbation budget at training, and a -adversary with perturbation budget during testing, the training adversary is stronger than the testing adversary if
(35) |
We now proceed to the case of . Consider the set . With the definitions above, this can be equivalently written as . Hölder’s inequality implies that . Furthermore, as shown in Appendix B, . Thus
To lower bound we again use Hölder’s inequality; . Thus
Therefore a sufficient condition to enforce the inclusion condition is that the lower bound on the -Schatten norm of the -adversarial attack is greater than the upper bound on the -Schatten norm of the -adversarial attack
(36) |
This concludes the proof.
Appendix D Proof of Theorem 5
To obtain bounds on the mismatched adversarial generalization error, we first decompose it as
(37) |
where is the difference in adversarial population risks due to adversarial mismatch and , defined as in (9), is the adversarial generalization error with no adversarial mismatch.
We now derive the bounds stated in Theorem 5. To this end we consider the following two cases:
- •
- The training adversary is weaker than the testing adversary i.e. . Then we have
This in turn implies that Combining this with (37) gives the following lower bound on the mismatched adversarial generalization error in the case of a weak training adversary
To obtain a lower bound in the case of a strong training adversary, and an upper bound in the case of a weak adversary, we need to bound the term . To this end, we start by expressing the mismatch as
where is the optimal adversarial example for a -adversarial attack with perturbation budget , and likewise for . The matrix is a trace zero matrix thus may take both positive and negative values. Using this, we write
(38) |
We now proceed to upper bound the term .
(39) |
where the first inequality follows from Jensen’s inequality, and the second inequality follows from Hölder’s using . The trace norm can be further upper bounded as
(40) |
where the first inequality follows by adding and subtracting the term and then applying the triangle inequality. The second inequality is an application of Hölder’s inequality with . The last inequality follows since is the optimal perturbed quantum state satisfying the constraint,
Thus we can bound the mismatch as follows:
Using this again in (37) gives the following lower bound for when the training adversary is stronger,
and the following upper bound for when the training adversary is weaker,
This concludes the proof.
Appendix E Noisy Quantum Embedding Satisfies Assumption 1
In this section, we show that the minimum eigenvalue of the quantum state resulting from a noisy quantum embedding is at least the minimum eigenvalue of the noiseless state . To this end, we note that the CPTP map can be equivalently written as where is the set of Kraus operators satisfying the completeness relation, .
To compute the minimal eigenvalue of the noisy state , we use the variational principle as
(41) |
In (41), the first term is an upper bound on the minimal eigenvalue of . Using this, we have
Furthermore, equality holds only if there exists a state such that
This is because in equation (41) if does not exist, then
is not attainable for all simultaneously, hence cannot be achieved.