figure a

1 Introduction

In the last few years, the successful interplay between machine learning and quantum physics shed new light on both fields. On the one hand, machine learning has been dramatically developed to satisfy the need of the industry over the past two decades. At the same time, many challenging quantum physical problems have been solved by automated learning. Notably, inaccessible quantum many-body problems have been solved by neural networks, one instance of machine learning [1]. On the other hand, as the new model of computation under quantum mechanics, quantum computing has been proved that it can (exponentially) speed up classical algorithms for some important problems [2]. This motivates the development of quantum machine learning and provides the possibility of improving the existing computational power of machine learning to a new level (see the review papers [3, 4] for the details). After that, quantum machine learning was integrated into solving real world problems in quantum physics. One essential example is that quantum convolutional neural networks inspired by machine learning were proposed to implement quantum phase recognition [5]. Quantum phase recognition asks whether a given input quantum state belongs to a particular quantum phase of matter. At the same time, more provable advantages of quantum machine learning than the classical counterpart have been reported. For instance, the training complexity of quantum models has an exponential improvement on certain tasks [6]. Stepping into industries, Google recently built up a framework TensorFlow Quantum for the design and training of quantum machine learning within its famous classical machine learning platform—TensorFlow [7].

Even though quantum machine learning outperforms the classical counterpart in some way, the difficulties in the classical world are expected to be encountered in the quantum case. Classical machine learning has been found to be vulnerable to intentionally crafted adversarial examples (e.g. [8, 9]). Adversarial examples are inputs to a machine learning algorithm that an attacker has crafted to cause the algorithm to make a mistake. One essential mission of machine learning is to prove the absence of or detect adversarial examples used in the defense strategy—adversarial training [10]—appending adversarial examples to the training dataset and retraining the machine learning algorithm to be robust to these examples. However, this goal is not easily achieved [11]. The machine learning community has developed several interesting ideas on designing specific attack algorithms (e.g. [10, 12]) to generate adversarial examples, which is far from measuring the robustness against any adversary. Recently, the formal method community has taken initial steps in this direction [13,14,15,16], by verifying the robustness of classical machine learning algorithms in a provable way: either a formal guarantee that the algorithms are robust for a given input or a counter-example (adversarial example) is provided if an input is not robust. Some tools have been developed, such as VerifAI [17] and NNV [18]. This phenomenon of vulnerability is more common in the quantum world since quantum noise is inevitable in quantum computation, at least in the current NISQ (Noisy Intermediate-Scale Quantum) era, and thus led to a series of recent works on quantum machine learning robustness against specific noises. For example, Lu et al. [19] studied the robustness to various classical adversarial attacks; Du et al. [20] proved that by appending depolarization noise in quantum circuits for classifications, a robust bound against adversaries can be derived; Liu and Wittek [21] gave a robust bound for the quantum noise coming from a special unitary group. Very recently, Weber et al. [22] formalized a link between binary quantum hypothesis testing [23] and robust quantum machine learning algorithms for classification tasks.

Up to our best knowledge, the existing studies of quantum machine learning robustness only consider the situation of a known noise source. However, a fundamental difference between quantum and classical machine learning is that the quantum attacker is usually the surroundings instead of humans in the classical case, and the information of the environment is unknown. To protect against an unknown adversary, we need to derive a robust guarantee against a worst-case scenario, from which the commonly-assumed known noise sources (e.g. depolarization noise [20]) are usually far. Yet in the case of unknown noise, several basic issues are still unsolved:

  • In theory, it is unclear how to compute a tight and even the optimal bound of the robustness for any given quantum machine learning algorithm.

  • In practice, an efficient way to find an adversarial example, which can be used to retraining the algorithm to defense the noise, is lacking. Indeed, we do not even know which metric is a better choice measuring the robustness against noise, the same as the classical case against human attackers [24].

In this work, we define a formal framework for the robustness verification and analysis of quantum machine learning algorithms against noises in which the above problems can be studied in a principled way. More specifically, we choose to use fidelity as the metric measuring the robustness as it is one of the most widely used quantities to quantify the uncertainty of noise in the process of quantum computation, and commonly used in quantum engineering and experimental communities (e.g. [25, 26]). Based on this, an analytical robust bound for any quantum machine learning classification algorithm is obtained and can be applied to approximately checking the robustness of quantum machine learning algorithms. Furthermore, we show that computing the optimal robust bound can be reduced to solving a Semidefinite Programming (SDP) problem. These results lead to an algorithm to exactly and efficiently check whether or not a quantum machine learning algorithm is robust with respect to the training data. A special strength of this algorithm is that it can identify useful new training data (adversarial examples) during checking, and these data can be used to implement adversarial training as the same as classical robustness verification. The effectiveness of our robust bound and algorithms is confirmed by the case studies of quantum bits classification as the “Hello World” example of quantum machine learning algorithms, quantum phase recognition and cluster excitation detection from real world intractable physical problems, and the classification of MNIST from the classical world.

In summary, the main technical contributions of the paper are as follows.

  • Computing the optimal robust bound of quantum machine classification algorithms is reduced to an SDP (Semidefinite Programming) problem;

  • An efficient algorithm to check the robustness of quantum machine learning algorithms and detect adversarial examples is developed;

  • The implementation of the robustness verification algorithm on Google’s TensorFlow Quantum;

  • Case studies – Checking the robustness of several popular quantum machine learning algorithms for quantum bits classification, cluster excitation detection and the classification of MNIST (which are all implemented in Google’s TensorFlow Quantum), and quantum phase recognition.

2 Quantum Data and Computation Models

For the convenience of the reader, in this section, we recall some basic concepts of quantum data (states) and the quantum computation model.

The basic data of classical computers are bits, represented by two digits 0 and 1. In quantum computing, quantum bits (qubit) play the same role. A qubit is expressed by a normalized complex vector \(| \phi \rangle =\left( \begin{array}{cc}a\\ b\end{array}\right) =a| 0 \rangle +b| 1 \rangle \) with complex numbers a and b satisfying the normalization condition \(|a|^2+|b|^2=1\). Here, \(| 0 \rangle =\left( \begin{array}{cc}1\\ 0\end{array}\right) \), \(| 1 \rangle =\left( \begin{array}{cc}0\\ 1\end{array}\right) \) correspond to bits 0, 1 respectively, and \(\{| 0 \rangle \), \(| 1 \rangle \}\) is an orthonormal basis of a 2-dimensional Hilbert (linear) space. In general, for a quantum computer consisting of n qubits, a quantum datum is a normalized complex vector \(| \psi \rangle \) in a \(2^n\)-dimensional Hilbert space \(\mathcal {H}\). Such a \(| \psi \rangle \) is usually called a pure state in the literature of quantum computation.

As a model for computation, a quantum circuit consists of a sequence of, say m quantum logic gates. Each quantum gate can be mathematically represented by a unitary matrix \(U_i\) on \(\mathcal {H}\), i.e., \(U_i^\dagger U_i=U_iU_i^\dagger =I\), where \(U_i^\dagger \) is the conjugate transpose of \(U_i\) and I is the identity matrix on \(\mathcal {H}\). Then the circuit is represented by the unitary matrix \(U= U_m\cdots U_1\). If the quantum datum \(| \psi \rangle \) is inputted to the circuit, then the output is a quantum datum:

$$\begin{aligned} | \psi ' \rangle = U| \psi \rangle . \end{aligned}$$

In practice, a quantum datum may not be completely known and can be thought of as a mixed state or ensemble \(\{(p_{k},| \psi _{k} \rangle )\}_{k}\), meaning that it is at \(| \psi _{k} \rangle \) with probability \(p_{k}\). Mathematically, it can be described by a density operator \(\rho \) (Hermitian positive semidefinite matrix with unit traceFootnote 1) on \(\mathcal {H}\):

$$\begin{aligned} \rho = \sum _{k} p_{k}| \psi _{k} \rangle \langle \psi _{k} |, \end{aligned}$$

where \(\langle \psi _{k} |\) is the conjugate transpose of \(| \psi _{k} \rangle \), i.e., \(| \psi _{k} \rangle =\langle \psi _{k} |^\dagger \). In this case, the model of quantum computation is tuned to be a super-operator \(\mathcal {E}\), i.e. a mapping from matrices to matrices. It can be written as

$$\begin{aligned} \rho '=\mathcal {E}(\rho ). \end{aligned}$$

Here, \(\rho \) and \(\rho '\) are the input and output data (mixed states) of quantum computation \(\mathcal {E}\), respectively. Not every super-operator \(\mathcal {E}\) is meaningful in physics. It is required to satisfy the following conditions:

  • \(\mathcal {E}\) is trace-preserving: \(\mathrm{tr}(\mathcal {E}(\rho )) = \mathrm{tr}(\rho )\) for all mixed state \(\rho \) on \(\mathcal {H}\);

  • \(\mathcal {E}\) is completely positive: for any Hilbert space \(\mathcal {H}'\), the trivially extended operator \({{\,\mathrm{id}\,}}_{\mathcal {H}'} \otimes \mathcal {E}\) maps density operators to density operators on \(\mathcal {H}' \otimes \mathcal {H}\), where \(\otimes \) denotes the tensor product and \({{\,\mathrm{id}\,}}_{\mathcal {H}'}\) is the identity map on \(\mathcal {H}'\).

Such a super-operator \(\mathcal {E}\) admits a Kraus matrix form [2]: there exists a set of matrices \(\{E_k\}_k\) on \(\mathcal {H}\) such that

$$\mathcal {E}(\rho )=\sum _{k}E_k\rho E_k^\dagger .$$

Here \(\{E_k\}_k\) is called Kraus matrices of \(\mathcal {E}\) [2].

The behind dynamics of quantum computers is governed by quantum mechanics, which is applied at the microscopic scale (near or less than \(10^{-9}\) meters). At this level, we cannot directly readout the quantum data as the same as the classical counterpart. The only way to extract information from it is through a quantum measurement, which is mathematically modeled by a set \(\{M_{k}\}_{k=1}^m\) of matrices on its state (Hilbert) space \(\mathcal {H}\) with \(\sum _{k} M_{k}^\dagger M_{k}=I\). This observing process is probabilistic: if the system is currently in state \(\rho \), then a measurement outcome k is obtained with probability

$$\begin{aligned} p_{k}=\mathrm{tr}(M_{k}^\dagger M_{k}\rho ). \end{aligned}$$

After the measurement, the system’s state will be collapsed (changed), depending on the measurement outcome k, which is vitally different from the classical computation. If the outcome is k, the post-measurement state becomes

$$\begin{aligned} \rho '_k=\frac{M_{k}\rho M_{k}^\dagger }{\mathrm{tr}(M_{k}^\dagger M_{k}\rho )}. \end{aligned}$$

This special property makes it hard to accurately estimate the distribution \(\{p_k\}_k\) unless enough many copies of \(\rho \) are provided.

In summary, quantum data have two different forms—pure state \(| \psi \rangle \) and mixed state \(\rho \) corresponding to the computation model as a unitary matrix U or a super-operator \(\mathcal {E}\), respectively. Not surprisingly, the latter is a generalization of the former by putting:

$$\begin{aligned} \rho =| \psi \rangle \langle \psi |, \qquad \qquad \mathcal {E}(\rho )=U\rho U^\dagger . \end{aligned}$$

Because of this, the results obtained for mixed states \(\rho \) can also be applied to pure states \(| \psi \rangle \). Thus, in this paper, we mainly consider mixed states as the quantum data and super-operators as the model of quantum computation.

3 Quantum Classification Algorithms

In this section, we briefly recall quantum classification algorithms. They are designed for classification of quantum data. Essentially, they share the same basic ideas with their classical counterparts but deal with quantum data in the quantum computation model.

3.1 Basic Definitions

In this paper, we focus on a specific learning model called quantum supervised classification. Given a Hilbert space \(\mathcal {H}\), we write \(\mathcal {D(H)}\) for the set of all (mixed) quantum states on \(\mathcal {H}\) (see its definition in Eq. (2)).

Definition 1

A quantum classification algorithm \(\mathcal {A}\) is a mapping \(\mathcal {D(H)}\rightarrow \mathcal {C}\), where \(\mathcal {C}\) is the set of classes we are interested in.

Following the training strategy of classical machine learning, the classification \(\mathcal {A}\) is learned through a dataset T instead of being pre-defined. This training dataset \(T=\{(\rho _i,c_i)\}_{i=1}^N\) consists of \(N<\infty \) pairs \((\rho _i,c_i)\), meaning that quantum state \(\rho _i\) belongs to class \(c_i\). To learn \(\mathcal {A}\), we initialize a quantum learning model—a parameterized quantum circuit (including measurement control) \(\mathcal {E}_{\theta }\) and a measurement \(\{M_k\}_{k\in \mathcal {C}}\). Mathematically, the circuit can be modelled as a quantum super-operator \(\mathcal {E}_{\theta }\) (see its definition in Eq. (3)), and \(\theta \) is a set of free parameters that can be tuned. Then for each \(k\in \mathcal {C}\), we can compute the probability of the measurement outcome being k:

$$\begin{aligned} f_k(\theta , \rho ) = \mathrm{tr}(M_{k}^\dagger M_{k}\mathcal {E}_{\theta }(\rho )). \end{aligned}$$

It is worth noting that, as we mentioned before, measuring quantum state \(\rho \) is probabilistic and \(\rho \) will be changed after measuring. So, in practice, accurately estimating \(f_k(\theta , \rho )\) for all \(k\in \mathcal {C}\) requires enough many copies of \(\rho \), which is not the same as the classical case, where a single copy of classical data often meets the training process.

The quantum classification algorithm \(\mathcal {A}\) outputs the class label c for a quantum state \(\rho \) using the following condition:

$$\begin{aligned} \mathcal {A}(\theta ,\rho )=\arg \max _k\mathrm{tr}(M_{k}^\dagger M_{k}\mathcal {E}_\theta (\rho )). \end{aligned}$$

The learning is carried out as \(\theta \) is optimized to minimize the empirical risk

$$\begin{aligned} \min _{\theta }\frac{1}{N}\sum _{i=1}^N \mathcal {L}(f(\theta ,\rho _i),c_i), \end{aligned}$$

where \(\mathcal {L}\) refers to a predefined loss function, \(f(\theta ,\rho )\) is a probability vector with each \(f_k(\theta , \rho ), k\in \mathcal {C}\) as its element, and \(c_i\) is also seen as a probability vector with the entry corresponding to \(c_i\) being 1 and others being 0. The goal is to find the optimized parameters \(\theta ^*\) minimizing the risk in Eq. (8) for the given dataset T. Mean-squared error (MSE) is the most popular instance of the empirical risk, i.e., the loss function \(\mathcal {L}\) is squared error:

$$\begin{aligned} \mathcal {L}(f(\theta ,\rho _i),c_i)=\frac{1}{C}\Vert f(\theta ,\rho _i)-c_i\Vert _2^2, \end{aligned}$$

where C is the number of classes in \(\mathcal {C}\), and \(\Vert \cdot \Vert _2\) is the \(l_2\)-norm.

As one can see in the above learning process, the main differences between classical and quantum machine learning algorithms are the learning models and data.

In this paper, we focus on the well-trained quantum classification algorithm \(\mathcal {A}\), usually called a quantum classifier. Here, \(\mathcal {A}\) is said to be well-trained if training and validation accuracy are both high (\(\ge \)95%). The training (validation) accuracy is the frequency that \(\mathcal {A}\) successfully classifies the data in a training (validation) dataset. A validation dataset is mathematically equivalent to a training dataset but only for testing \(\mathcal {A}\) rather than learning \(\mathcal {A}\). In this context, \(\theta ^*\) is naturally omitted, i.e., \(\mathcal {A}(\rho )=\mathcal {A}(\theta ^*,\rho )\) and \(\mathcal {E}(\rho )=\mathcal {E}_{\theta ^*}(\rho )\). Briefly, \(\mathcal {A}\) only consists of a super-operator \(\mathcal {E}\) and a measurement \(\{M_{k}\}_k\), denoted by \(\mathcal {A}=(\mathcal {E},\{M_{k}\}_k)\).

3.2 An Illustrative Example

Let us further illustrate the above definitions by a concrete example—Quantum Convolutional Neural Networks (QCNNs) [5], one of the most popular and successful quantum learning models. QCNN extends the main features and structures of the Convolutional Neural Networks (CNNs) to quantum computing.

Fig. 1.
figure 1

Simple example of CNN and QCNN. QCNN, like CNN, consists of a convolution layer that finds a new state and a pooling layer that reduces the size of the model. Here, MCUG stands for measurement control unitary gate, i.e., unitary matrix \(V_1\) is applied on the circuit if and only if the measurement outcome is 1.

The model of QCNN applies the convolution layer and the pooling layer from CNNs to quantum systems, as shown in Fig. 1(b). The layout proceeds as follows:

  1. 1

    The convolution layer (circuit) applies multiple qubit gates \(U_i\) between adjacent qubits to find a new state;

  2. 2

    The pooling layer reduces the size of the quantum system by measuring a fraction of qubits, and the outcomes determine unitary \(V_i\) applied to nearby qubits;

  3. 3

    Repeat the convolution layer and pooling layer defined in 1–2;

  4. 4

    When the size of the system is sufficiently small, the fully connected layer is applied as a unitary matrix F on the remaining qubits.

The input of QCNNs is an unknown quantum state \(\rho _{in}\) and the output is obtained by measuring a fixed number of output qubits. As in the classical case, the learning model (defined as the number of convolution and pooling layers) is fixed, but the involved quantum gates (i.e. unitary matrices) \(U_{i}, V_{j}, F\) themselves are learned by the above learning process.

Remark 1

Quantum machine learning can also be used to do classical machine learning tasks. Image classification, for example, is one of the most successful applications of Neural Networks (NNs). To explore the possible advantage of quantum computing, Quantum Neural Networks (QNNs) have been used to classify images in [27, 28]. It is shown that by encoding images to a quantum state \(\rho _{in}\), QNNs can achieve high accuracy in image classification. We will present a quantum classifier for the classification of MNIST as an example in the evaluation section.

4 Robustness

An important issue in classical machine learning is: how robust is a classification algorithm to adversarial perturbations. A similar issue exists for quantum classifiers against quantum noise. Intuitively, the robustness of quantum classifier \(\mathcal {A}\) is the ability to make correct classification with a small perturbation to the input states. Then a quantum state \(\sigma \) is considered as an adversarial example if it is similar to a benign state \(\rho \), but \(\rho \) is correctly classified and \(\sigma \) is classified into a class different from that of \(\rho \). Formally,

Definition 2

(Adversarial Example). Suppose we are given a quantum classifier \(\mathcal {A}(\cdot )\), an input example \((\rho ,c)\), a distance metric \(D(\cdot ,\cdot )\) and a small enough threshold value \(\varepsilon >0\). Then \(\sigma \) is said to be an \(\varepsilon \)-adversarial example of \(\rho \) if the following is true

$$\begin{aligned} (\mathcal {A}(\rho )=c)\wedge (\mathcal {A}(\sigma )\not =c)\wedge (D(\rho ,\sigma )\le \varepsilon ). \end{aligned}$$

The leftmost condition \(\mathcal {A}(\rho ) = c\) asserts that \(\rho \) is correctly classified, the middle condition \(\mathcal {A}(\sigma )\not =c\) means that \(\sigma \) is incorrectly classified, and the rightmost condition \(D(\rho ,\sigma )\le \varepsilon \) indicates that \(\rho \) and \(\sigma \) are similar (i.e., their distance is small). Sometimes, without any ambiguity, \(\sigma \) is called an adversarial example of \(\rho \) if \(\varepsilon \) is preset. Notably, by the above definition, if \(\mathcal {A}\) incorrectly classifies \(\rho \), then we do not need to consider the corresponding adversarial examples. This is the correctness issue of quantum classifier \(\mathcal {A}\) rather than the robustness issue. Hence, in the following discussions, we only consider the set of all correctly recognized states.

The absence of adversarial examples leads to robustness.

Definition 3

(Adversarial Robustness). Let \(\mathcal {A}\) be a quantum classifier. Then \(\rho \) is \(\varepsilon \)-robust for \(\mathcal {A}\) if there is no adversarial example of \(\rho \).

The major problem concerning us in this paper is the following:

Problem 1

(Robustness Verification Problem). Given a quantum classifier \(\mathcal {A}(\cdot )\) and an input example \((\rho ,c)\). Check whether or not \(\mathcal {A}(\sigma )=c\) for all \(\sigma \in \mathcal {N}_{\varepsilon }(\rho )\), where \(\mathcal {N}_{\varepsilon }(\rho )\) is the \(\varepsilon \)-neighbourhood of \(\rho \) as

$$\begin{aligned} \mathcal {N}_{\varepsilon }(\rho )=\{\sigma \in \mathcal {D(H)}: D(\rho ,\sigma )\le \varepsilon )\}. \end{aligned}$$

If not, then an adversarial example (counter-example) \(\sigma \in \mathcal {N}_{\varepsilon }(\rho )\) is provided.

Obviously, if \(\delta \) is a robust bound for an input example \((\rho ,c)\) such that \(\mathcal {A}(\sigma )=c \text { for any state } \sigma \in \mathcal {N}_{\delta }(\rho ),\) then for any \(\varepsilon \le \delta \) (i.e. \(\mathcal {N}_{\varepsilon }(\rho )\subseteq \mathcal {N}_{\delta }(\rho )\)), there is no \(\varepsilon \)-adversarial example of \(\rho \). It is a challenging problem to compute the optimal robust bound \(\delta ^*=\max \delta \) so that there is no \(\varepsilon \)-adversarial example if and only if \(\varepsilon \le \delta ^*\).

The above adversarial robustness of quantum states can be generalized to a notion of robustness for quantum classifiers:

Definition 4

(Robust Accuracy). Let \(\mathcal {A}\) be a quantum classifier. The \(\varepsilon \)-robust accuracy of \(\mathcal {A}\) is the proportion of \(\varepsilon \)-robust states in the training dataset.

Remark 2

Here, the robust accuracy is defined with respect to the training dataset. In some applications, the dataset can be chosen as another set of quantum states with correct classifications, such as a validation dataset or a combination of it with the training dataset.

The reader should notice that the above definitions of robustness for quantum classifiers are similar to those for classical classifiers. But an intrinsic distinctness between them comes from the choice of distance \(D(\cdot ,\cdot )\). In the classical case, humans play the role of the adversary, and then such a distance should promise that a small perturbation is imperceptible to humans, and vice versa. Otherwise, we cannot take the advantage of machine learning over human’s distinguishability. For instance, in image recognition, the distance should reflect the perceptual similarity in the sense that humans would consider adversarial examples generated by it perceptually similar to benign image [24]. In the quantum case, it is essential to choose a distance D that is meaningful in quantum physics. In this paper, we choose to use the distance:

$$\begin{aligned} D(\rho ,\sigma )=1-F(\rho ,\sigma ) \end{aligned}$$

defined by fidelity

$$F(\rho ,\sigma )=[\mathrm{tr}(\sqrt{\sqrt{\rho }\sigma \sqrt{\rho }})]^2.$$

Here \(\sqrt{\rho }=\sum _{k}\sqrt{\lambda _{k}}| \psi _k \rangle \langle \psi _k |\) if \({\rho }\) admits the spectral decomposition \(\sum _{k}\lambda _{k}| \psi _k \rangle \langle \psi _k |.\) Fidelity is one of the most widely used quantities to quantify such uncertainty of noise by the experimental quantum physics and quantum engineering communities (see e.g. [29, 30]).

Remark 3

The trace distance has been used in recent literature (e.g. [20]) for some issues related to quantum robustness verification:

$$T(\rho ,\sigma )=\frac{1}{2}\Vert \rho -\sigma \Vert _{tr}=\frac{1}{2}\mathrm{tr}[\sqrt{(\rho -\sigma )^\dagger (\rho - \sigma )}].$$

It is a generalization of the total variation distance, which is a distance measure for probability distributions. So far, to the best of our knowledge, there is no discussion about which distance is better in the literature. Here, we argue that fidelity is better than trace distance in the context of quantum machine learning against quantum noise. As we know, state distinguishability is the basis of measuring the effect of noise on quantum computation. The main difference between trace distance \(T(\rho ,\sigma )\) and fidelity \(F(\rho ,\sigma )\) is the number of copies of states \(\rho \) and \(\sigma \) as the resource required in the experiments for distinguishing them. More precisely, trace distance quantifies the maximum probability of correctly guessing through a measurement whether \(\rho \) or \(\sigma \) was prepared, while fidelity asserts the same quantity whence infinitely many samples of \(\rho \) and \(\sigma \) can be supplied (See Appendix A of the extended version of this paper [31] for more details). In quantum machine learning, a large enough number of copies of the states are the precondition of statistics in Eq. (6) for learning and classification. Thus, fidelity is more suitable than trace distance for our purpose.

5 Robust Bound

In this section, we develop a theoretic basis for robustness verification of quantum classifiers. After setting the distance D to be the one defined by fidelity, a robust bound can be derived.

Lemma 1

(Robust Bound). Given a quantum classifier \(\mathcal {A}=(\mathcal {E},\{M_k\}_{k\in \mathcal {C}})\) and a quantum state \(\rho \). Let \(p_1\) and \(p_2\) be the first and second largest elements of \(\{\mathrm{tr}(M_{k}^\dagger M_k\mathcal {E}(\rho ))\}_k\), respectively. If \(\sqrt{p_1}-\sqrt{p_2}>\sqrt{2\varepsilon }\), then \(\rho \) is \(\varepsilon \)-robust.


See Appendix B of the extended version of this paper [31].

The above robust bound gives us a quick robustness verification by the measurement outcomes of \(\rho \) without searching any possible adversarial examples. Furthermore, it also can be used to compute an under-approximation of the robust accuracy of \(\mathcal {A}\) by one-by-one checking the robustness of quantum states in the training dataset. We will see that the robust bound and the induced robust accuracy scales well in the later experiments. However, \(\sqrt{p_1}-\sqrt{p_2}>\sqrt{2\varepsilon }\) is not a necessary condition of \(\varepsilon \)-robustness. Fortunately, when \(\sqrt{p_1}-\sqrt{p_2}\le \sqrt{2\varepsilon }\), we can compute the optimal robust bound by Semidefinite Programming (SDP). Recall that SDP is a convex optimization concerned with the optimization of a linear objective function over the intersection of the cone of positive semidefinite matrices with an affine space. It has the form

$$\begin{aligned} \min \quad&\mathrm{tr}(C X) \\ \text {subject to} \quad&\mathrm{tr}(A_k X) \le b_k, \quad \text {for } k = 1, \ldots , m \\&X \ge 0 \end{aligned}$$

where \(C, A_1, \ldots , A_m\) are all Hermitian \(n\,\times \, n\) matrices (i.e. \(A^\dagger =A\)), and X is the optimization variable \(n\times n\) matrix with \(X\ge 0\), i.e., X is positive semidefinite. Many efficient solvers have been developed for solving SDPs—not only compute the minimal value, but also output a corresponding optimal solution X. The following two theorems show that checking \(\varepsilon \)-robustness and computing optimal robust bound of quantum states can both be reduced to an SDP.

Theorem 1

(\(\varepsilon \)-robustness Verification). Let \(\mathcal {A}=(\mathcal {E},\{M_k\}_{k\in \mathcal {C}})\) be a quantum classifier and \(\rho \) be a state with \(\mathcal {A}(\rho )=l\). Then \(\rho \) is \(\varepsilon \)-robust if and only if for all \(k\in \mathcal {C}\) and \(k\not =l\), the following problem has no solution (feasibility problem):

$$\begin{aligned} \min _{\sigma \in \mathcal {D(H)}}\quad&0\\ \text {subject to} \quad&\sigma \ge 0 \\&\mathrm{tr}(\sigma )=1 \\&\mathrm{tr}[(M_{l}^\dagger M_l-M_{k}^{\dagger }M_k)\mathcal {E}(\sigma )]\le 0\\&1-F(\rho ,\sigma )\le \varepsilon \end{aligned}$$


See Appendix C of the extended version of this paper [31].

Actually, the objective function 0 in the above theorem can be chosen as any constant number.

Theorem 2 (Optimal Robust Bound)

[Optimal Robust Bound] Let \(\mathcal {A}\) and \(\rho \) be as in Theorem 1 with \(\mathcal {A}(\rho )=l\), and let \(\delta _k\) be the solution of the following problem:

$$\begin{aligned} \delta _k=\min _{\sigma \in \mathcal {D(H)}}\quad&1-F(\rho ,\sigma )\\ \text {subject to} \quad&\sigma \ge 0 \\&\mathrm{tr}(\sigma )=1 \\&\mathrm{tr}[(M_{l}^\dagger M_l-M_{k}^{\dagger }M_k)\mathcal {E}(\sigma )]\le 0 \end{aligned}$$

where if the problem is unsolved, then \(\delta _k=+\infty .\) Then \(\delta =\min _{k\not =l}\delta _k\) is the optimal robust bound of \(\rho \).


The proof is similar to Theorem 1.

Remark 4

One may wonder why checking \(\varepsilon \)-robustness and computing the optimal robust bound can always be reduced to an SDP. This is indeed implied by the basic quantum mechanics postulate of linearity; more specifically, all of the super-operators and measurements used in quantum machine learning algorithms are linear. In contrast, the functions represented by the neural networks in classical machine learning may be nonlinear as the pooling layer is not linear. As a result, the reduced optimization problem for the robustness verification is not convex (e.g. [32]). For overcoming this difficulty, many different methods have been developed to encode the nonlinear activation functions as linear constraints. Examples include NSVerify [33], MIPVerify [34], ILP [35] and ImageStar [13].

figure b

6 Robustness Verification Algorithms

In this section, we develop several algorithms for verifying the robustness of quantum classifiers based on the theoretic results presented in the last section.

First, let us consider the robustness of a given quantum state \(\rho \). In many applications (as shown in our experiments in Sect. 7), we are required to check whether \(\rho \) is \(\varepsilon \)-robust for an arbitrarily given threshold \(\varepsilon \). Note that once we computed the optimal robust bound \(\delta \), checking \(\varepsilon \)-robustness of \(\rho \) is equivalent to compare \(\varepsilon \) and \(\delta \); that is, \(\varepsilon \le \delta \) if and only if \(\rho \) is \(\varepsilon \)-robust. Combining with this simple observation with Theorem 1, we obtain Algorithm 1 for checking the \(\varepsilon \)-robustness of \(\rho \) and finding the minimum adversarial perturbation \(\delta \) caused by quantum noise. The main cost of Algorithm 1 incurs in solving SDPs in Line 2, which scales as \(O(n^{6.5})\) by interior-point methods [36], where n is the number of rows of the semidefinite matrix \(\rho \) in SDP, i.e., the dimension of Hilbert space of the quantum states in our case. As we need to apply an SDP solver for \(|\mathcal {C}|-1\) times in Line 1, the total complexity is as follows.

Theorem 3

The worst case complexity of Algorithm 1 is \(O(|\mathcal {C}|\cdot n^{6.5})\), where n is the dimension of input state \(\rho \) and \(|\mathcal {C}|\) is the number of the set \(\mathcal {C}\) of classes we are interested in.

Now we turn to consider the robustness of a quantum classifier \(\mathcal {A}\). Algorithm 2 is designed for checking robustness of \(\mathcal {A}\) by combining Algorithm 1 with Lemma 1 (see the discussion in the paragraph after Lemma 1). A major benefit of formal robustness verification for classical classifiers is perhaps that it can be used to detect a counter-example (adversarial example) for a given input (see e.g. [13,14,15,16]). This benefit is kept in Algorithm 2 for the robustness verification of quantum classifiers. In particular, we are able to extend the technique of adversarial training in classical machine learning [10] into the quantum case: an adversarial example \(\sigma \) is automatically generated once \(\varepsilon \)-robustness of \(\rho \) fails, and then by appending \((\sigma , l)\) into the training dataset, we can retrain \(\mathcal {A}\) to improve the robustness of the classifier.

figure c

To analyze the complexity of Algorithm 2, we first see by Theorem 2 that for evaluating the robustness of \(\mathcal {A}\)—computing its robust accuracy and finding its adversarial examples, one need to call Algorithm 1 for each quantum state in the training dataset, which costs \( O(|\mathcal {C}|\cdot n^{6.5})\). Thus, the total complexity of robustness verification is \(O(|T|\cdot |\mathcal {C}|\cdot n^{6.5})\), where |T| is the number of elements in the training dataset T. However, the robust bound given in Lemma 1 can help to speed up the process by quickly finding all potential non-robust states, as the complexity of finding the bound is only \(O(|\mathcal {C}|\cdot n^3)\), which is the cost of \(|\mathcal {C}|\) times of the multiplication of two \(n\times n\) matrices. In practice, this bound scales well, as confirmed by our experiments presented in Sect. 7. Therefore, a good strategy for implementing the robustness verification is that we first use robust bound to pick up all potential non-robust states from the given training dataset T and store them in a set \(T'\). Then we check all left candidates in the training dataset T one-by-one using Algorithm 1 and use a set R to record the found adversarial examples and the corresponding indexes of states. This strategy can significantly reduce the complexity to \(O(|T'|\cdot |\mathcal {C}| \cdot n^{6.5})\). Indeed, our experiments show that the robust bound given in Lemma 1 scales very well in the sense of \(|T'|\ll |T|\).

Remark 5

Thanks to the linearity of the quantum learning model determined by the basic postulate of quantum mechanics, the robustness verification of quantum classifiers can be done in an efficient way (with polynomial time complexity in the size of the input state). It is usually not the case in verifying the robustness of classical machine learning algorithms. For example, DNNs are often non-linear and non-convex, and verifying even some simple properties of them can be an NP-complete problem [37].

Surprisingly, the robustness verification problem for quantum classifiers becomes much harder if we are required to find adversarial examples in pure states. Roughly speaking, the reason is that the set of all pure states is not convex, and thus computing the optimal robust bound for pure states is not an SDP, as in Theorem 2. We can prove that it is a Quadratically Constrained Quadratic Program (QCQP), an optimization problem where both the objective function and the constraints are quadratic functions (see Appendix D of the extended version of this paper [31] for the proof), which is NP-hard. Algorithm 1 can be adapted to this pure state robustness verification by calling a QCQP solver instead of an SDP solver in Line 2. Subsequently, Algorithm 2 can use this new version of Algorithm 1 as a subroutine to compute the corresponding robust accuracy and find adversarial examples of pure states. We will evaluate the QCQP-based robustness verification in the case study of MNIST classification in which handwritten digits are encoded in pure states.

7 Evaluation

Algorithm 2 is implemented on TensorFlow Quantum—a platform of Google for designing and training quantum machine learning algorithms, by calling an SDP solver—CVXPY: Python Software for Disciplined Convex Programming [38]. This section aims to evaluate our approach with experiments on some concrete examples. This section is arranged as follows. In Subsects. 7.17.4, we present several well-trained quantum classifiers. Then the evaluation is carried out in Subsect. 7.5 by applying Algorithm 2 to check the robustness verification of these classifiers and find their adversarial examples if existing.

To demonstrate our method as sufficiently as possible, we check the robustness of four quantum classifiers. We begin with a “Hello World” example—qubits classification, and then we step in two quantum classifiers applied to real world tasks—quantum phase recognition and cluster excitation detection, which are both fundamental and hard problems in quantum physics. At last, to compare with classical robustness verification, we consider the classification of MNIST by encoding handwritten digital images into quantum data. These experiments cover all illustrated examples of TensorFlow Quantum.

Fig. 2.
figure 2

Training model of quantum bits classification: the left figure shows the samples of the quantum training dataset represented on the Bloch sphere. Samples are divided into two categories, marked by red and yellow, respectively. The vectors are the states around which the samples were taken. The first part of the right figure is a parameterized rotation gate, whose job is to remove the super-positions in the quantum data. The second part is a measurement M along the Z-axis of the Bloch sphere converting the quantum data into classes. (Color figure online)

7.1 Quantum Bits Classification

A “Hello World” example of quantum machine learning is quantum bits classification [7]. The aim is to implement a binary classification for regions on a single qubit, i.e., a perceptron for qubits. Specifically, two random normalized vectors \(| a \rangle \) and \(| b \rangle \) (pure states) in the X-Z plane of the Bloch sphere are chosen. Around these two vectors, we randomly sample two sets of quantum data points; the objective is to learn a quantum gate to distinguish the two sets. A concrete instance of this type is shown in Fig. 2. In this example, the angles with \(| 0 \rangle \) (Z-axis) of the two states \(| a \rangle \) and \(| b \rangle \) are \(\theta _a=1\) and \(\theta _b=1.23\), respectively; see the first figure in Fig. 2. Around these two vectors, we randomly sample two sets (one for category “a” and one for category “b”) of quantum data points on the sphere, forming a dataset. The dataset consists of 800 samples for the training and 200 samples for the validation. As shown in Fig. 2, we use a parameterized rotation gate \(R_y(\theta ) = e^{-i\sigma _y\theta /2}\) and a measurement \(M = \{M_a = | 0 \rangle \langle 0 |, M_b = | 1 \rangle \langle 1 |\}\) to do the classification. Targeting to minimizing the MSE form of Eq. (8), we use Adam optimizer [39] to update \(\theta \). After training, we achieve both \(100\%\) training and validation accuracy, and the final parameter \(\theta \) is 0.4835.

7.2 Quantum Phase Recognition

Quantum phase recognition (QPR) of one dimensional many-body systems has been attacked by quantum convolutional neural networks (QCNNs) proposed by Cong et al. [5]. Consider a \(Z_2\times Z_2\) symmetry-protected topological (SPT) phase \(\mathcal {P}\) and the ground states of a family of Hamiltonians on spin-1/2 chain with open boundary conditions:

$$\begin{aligned} H = -J\sum _{i=1}^{N-2}Z_iX_{i+1}Z_{i+2} - h_1\sum _{i=1}^N X_i - h_2\sum _{i=1}^{N-1} X_i X_{i+1} \end{aligned}$$

where \(X_i,Z_i\) are Pauli matrices [2] for the spin at site i, and the \(Z_2\times Z_2\) symmetry is generated by \(X_{\text {even}(\text {odd})} = \prod _{i\in \text {even}(\text {odd})}X_i.\) The goal is to identify whether the ground state \(| \psi \rangle \) of H belongs to phase \(\mathcal {P}\) when H is regarded as a function of \((h_1/J, h_2/J)\). For small N, a numerical simulation can be used to exactly solve this problem [5]; See Fig. 4a in Appendix E of the extended version of this paper [31] for the exact phase boundary points (blue and red diamonds) between SPT phase and non-SPT (paramagnetic or antiferromagnetic) phase for \(N=6\). Thus the 6-qubit instance is an excellent testbed for different new methods and techniques of QPR. Here, we train a QCNN model to implement 6-qubit QPR in this setting.

To generate the dataset for training, we sample a serials of Hamiltonian H with \(h_2/J=0\), uniformly varying \(h_1/J\) from 0 to 1.2 and compute their corresponding ground states; see the gray line of Fig. 4a in Appendix E of the extended version of this paper [31]. For the testing, we uniformly sample a set of validation data from two random regions of the 2-dimensional space \((h_1/J, h_2/J)\); see the two dashed rectangles of Fig. 4a. Finally, we obtain 1000 training data and 400 validation data. Our parameterized QCNN circuit is shown in Fig. 4b in Appendix E of the extended version of this paper [31], and the unitaries \(U_i, V_j, F\) are parameterized with generalized Gell-Mann matrix basis [40]: \(U = \exp (-i\sum _j \theta _j\Lambda _j)\), where \(\Lambda _j\) is a matrix and \(\theta _j\) is a real number; the total number of parameters \(\theta _j\), \(\Lambda _j\) is 114. For the outcome measurement of one qubit, we use measurement \(M = \{M_0 = | + \rangle \langle + |, M_1 = | - \rangle \langle - |\}\) to predict that input states belongs to \(\mathcal {P}\) with output 0, where \(| \pm \rangle =\frac{1}{\sqrt{2}}(| 0 \rangle \pm | 1 \rangle )\). Targeting to minimizing the MSE form of Eq. (8), we use Adam optimizer to update the 114 parameters. After training, 97.7% training accuracy and 95.25% validation accuracy are obtained. At the same time, our classifier conducts a phase diagram (the colorful figure in Fig. 4a), where the learned phase boundary almost perfectly matches the exact one gotten by the numerical simulation. All these results indicate that our classifier is well-trained.

7.3 Cluster Excitation Detection

The task of cluster excitation detection is to train a quantum classifier to detect if a prepared cluster state is “excited” or not [7]. Excitations are represented with a X rotation on one qubit. A large enough rotation is deemed to be an excited state and is labeled by 0, while a rotation that isn’t large enough is labeled by 1 and is not deemed to be an excited state. Here, we demonstrate this classification task with 6 qubits. We use the circuit shown in Fig. 5a of Appendix E in the extended version of this paper [31] to generate training (840) and validation (360) samples. The circuit generates a cluster state by performing a X rotation (we omit angle \(\theta \)) on one qubit. The rotation angle \(\theta \) is ranging from \(-\pi \) to \(\pi \) and if \(-\pi /2 \le \theta \le \pi /2\), the label of the output state is 1; otherwise, the label is 0. The classification circuit model (a quantum convolutional neural network) uses the same structure in TensorFlow Quantum [7], shown in Fig. 5b of Appendix E in the extended version of this paper [31]. The explicit parameterization of \(C_i,P_j\) can be found in [7]. The final measurement \(M = \{M_0 = | 0 \rangle \langle 0 |, M_1 = | 1 \rangle \langle 1 |\}\). Targeting to minimizing the MSE form of Eq. (8), we use Adam optimizer to update all \(C_i,P_j\). We achieve \(99.76\%\) training accuracy and \(99.44\%\) validation accuracy.

7.4 The Classification of MNIST

Handwritten digit recognition is one of the most popular tasks in the classical machine learning zoo. The archetypical training and validation data come from the MNIST dataset which consists of 55,000 training samples handwritten digits [41]. These digits have been labeled by humans as representing one of the ten digits from number 0 to 9, and are in the form of gray-scale images that contains \(28\times 28\) pixels. Each pixel has a grayscale value ranging from 0 to 255. Quantum machine learning has been used to distinguish a too simplified version of MNIST by downscaling the image sizes to \(8\times 8\) pixels. Subsequently, the numbers represented by this version of MNIST can not be perceptually recognized [7]. Here, we build up a quantum classifier to recognize a MNIST version of \(16\times 16\) pixels (see second column images of Fig. 3). As demonstrated in [7], we select out 700 images of number 3 and 700 images of number 6 to form our training (1000 images) and validation (400 images) datasets. Then we downscale those \(28\times 28\) images to \(2^4\times 2^4\) images (fitting the size of quantum data), and encode them into the pure states of 8 qubits via amplitude encoding. Amplitude encoding uses the amplitude of computational basis to represent vectors with normalization:

$$\begin{aligned} (x_0, x_2, \dots , x_{n-1}) \rightarrow \sum _{i=0}^{n-1}\frac{x_i}{\sqrt{\sum _{j=0}^{n-1}\vert x_j\vert ^2}}| i \rangle . \end{aligned}$$

where \(\{| i \rangle \}\) is a set of orthogonal basis of the 8 qubits state space. The normalization doesn’t change the pattern of those images. For learning a quantum classifier, we use the QCNN model in Fig. 6 of Appendix E in the extended version of this paper [31] and use measurement \(M = \{M_0 = | + \rangle \langle + |, M_1 = | - \rangle \langle - |\}\). The output of measurement M indicates the numbers: output 1 for number 3 and output 0 for number 6. The explicit parameterization of those \(C_i,P_j\) can be found in [7]. Again we use Adam optimizer to update the model parameters minimizing the MSE form of Eq. (8). We finally achieve \(98.4\%\) training accuracy and \(97.5\%\) validation accuracy.

7.5 Robustness Verification

Now, we start to check the \(\varepsilon \)-robustness for the above four well-trained classifiers presented in the previous four subsections.

In practical applications, the value of robustness \(\varepsilon \) in Definition 3 represents the ability of state preparation by quantum controls. For example, the state-of-the-art is that a single qubit can be prepared with fidelity 99.99% (e.g. [29, 30]). Here, we choose four different values of \(\varepsilon \) in each experiment.

Table 1. Verification results of quantum bits classification
Table 2. Verification results of quantum phase recognition.

To show the scalability of our robust bound given in Lemma 1, we use it to develop an algorithm (Algorithm 3 in Appendix F of the extended version of this paper [31]) to under-approximate the robust accuracy, which is computed by Algorithm 2. Algorithm 3 is a subroutine of Algorithm 2 without calling an SDP solver (whenever a potential non-robust state can be detected by the robust bound in Lemma 1). We compare the verification times by Algorithms 2 and 3.

The experiments are done on a computer with the following configurations: Intel(R) Core(TM) i7-9700 CPU @ 3.00 GHz \(\times \) 8 Processor, 15.8 GiB Memory, Ubuntu 18.04.5 LTS, with CVXPY: Python Software for Disciplined Convex Programming [38] for solving SDP, and a SciPy solver for finding the minimum of constrained nonlinear multivariable function for solving QCQP.

Table 3. Verification results of cluster excitation detection
Table 4. Verification results of the classification of MNIST

The experimental results are given in Tables 1, 2, 3 and 4. As an example, we illustrate the details of the result for the case of \(\varepsilon =0.001\) in Table 1. First, we only apply our robust bound in Lemma 1 to pick up all potential non-robust states from the 800 points in the training dataset. Then 95 points are left. Thus, the under-approximation of the robust accuracy computed by Algorithm 3 (in Appendix F of the extended version of this paper [31]) is 88.13%. Next, we check the 0.001-robustness by Algorithm 2. Indeed, only 80 of the points detected by the above robust bound are non-robust and the exact robust accuracy is 90.00%. We also compare the verification time of the two approaches to the robust accuracy. See the second column in Table 1 for the detail, and other experiment results of \(\varepsilon \)-robustness are also summarized in the same table. Tables 1, 2, 3 and 4 for the verification results show that in all of these experiments, the robust bound obtained in Lemma 1 scales very well, and the robustness verification by Algorithm 3 costs significantly less time (<2 s) than the way of computing the optimal robust bound by Algorithm 2. For example, for quantum phase recognition, for \(\varepsilon =0.0001,0.0002\) and 0.0003, the under-approximation of the robust accuracy is the same as the real value. Even for the last case of \(\varepsilon =0.0004\), only the \(0.1\%\) difference is got. Furthermore, from the tables, the verification time of Algorithm 2 is increasing with the value of \(\varepsilon \), while the running time of the method by the robust bound is almost unchanged. This is because the former algorithm uses an SDP or QCQP solver to search all possible adversarial examples for the potential non-robust states picked up by the robust bound, and the number of these states are growing up with the value of \(\varepsilon \). These counter-examples detected by the algorithm confirm that our robustness framework is effective. For instance, see Fig. 3 for two visualized adversarial examples generated by Algorithm 2 with a QCQP solver. As we can see, the benign and adversarial images are perceptually similar. This also proves that our robustness verification algorithm can detect not only quantum but also classical adversarial examples.

Fig. 3.
figure 3

Two training states and their adversarial examples generated by Algorithm 2 with a QCQP solver: the first column images are \(28\times 28\) benign data from MNIST; The second column shows the two downscaled \(16\times 16\) grayscale images; The last column images are decoded from adversarial examples founded by Algorithm 2. The third column images are the grayscale difference between benign and adversarial images.

8 Conclusion

In this work, we initiate the research of the formal robustness verification of quantum machine learning algorithms against unknown quantum noise. We found an analytical robustness bound which can be efficiently computed to under-approximate the robust accuracy in practical applications. Furthermore, we developed a robustness verification algorithm that can exactly verify the \(\varepsilon \)-robustness of quantum machine learning algorithms and provides useful counter-examples for the adversarial training.

For topics for future research, it should be useful in practical applications to find an efficient method that over-approximates the robust accuracy of quantum classifiers. Combined with the under-approximation approach developed in this work, it can help us to more accurately and fast estimate the robust accuracy. In classical machine learning, there exist some works in the literature to achieve this task. For instance, ImageStars, a new set representation, was introduced in [13] to perform efficient set-based analysis by combining operations on concrete images with linear programming, which leads to efficient over-approximative analysis of classical convolutional neural networks.

Tensor networks are one of the best-known data structures for implementing large-scale quantum classifiers (e.g. QCNNs with 45 qubits in [5]). For practical applications, we are going to incorporate tensor networks into our robustness verification algorithm so that it can scale up to achieve the demand of NISQ devices (of \(\ge \)50 qubits).

More generally, further investigations are required to better understand the role of robustness in quantum machine learning, especially through more experiments on real world applications like learning phases of quantum many-body systems.