Saved in:
Bibliographic Details
Main Authors: Nowmi, Saeefa Rubaiyet, Lopez, Jesus, Imon, Md Mahmudul Alam, Pouryousef, Shahrooz, Rahman, Mohammad Saidur
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2511.14989
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911706016382976
author Nowmi, Saeefa Rubaiyet
Lopez, Jesus
Imon, Md Mahmudul Alam
Pouryousef, Shahrooz
Rahman, Mohammad Saidur
author_facet Nowmi, Saeefa Rubaiyet
Lopez, Jesus
Imon, Md Mahmudul Alam
Pouryousef, Shahrooz
Rahman, Mohammad Saidur
contents Quantum Machine Learning (QML) integrates quantum computational principles into learning algorithms, offering improved representational capacity and computational efficiency. However, the security and robustness of QML systems remain underexplored, particularly under adversarial conditions. We present the first comprehensive systematization of adversarial robustness in QML, combining conceptual organization with empirical evaluation across black-box, gray-box, and white-box threat models. We implement five representative attacks: a label-flipping poisoning attack under black-box; an encoder-level indiscriminate poisoning attack and a proxy-model clean-label backdoor attack under gray-box; and a circuit-level backdoor attack (QTrojan) and gradient-based evasion attacks (FGSM and PGD) under white-box. We evaluate these attacks using a Quantum Multilayer Perceptron (QMLP) trained on MNIST and AZ-Class across circuit depths of 2, 5, 10, and 50 layers with angle and amplitude encoding schemes. Our evaluations reveal a fundamental accuracy-robustness trade-off. Amplitude encoding achieves the highest clean accuracy (92.6% on MNIST and 67% on AZ-Class) but collapses under adversarial perturbations and depolarizing noise, whereas shallow angle-encoded models remain more stable. QUID is effective under noiseless conditions but weakened by noise, while the proxy-model backdoor persists unless the circuit itself is overwhelmed. Furthermore, the circuit-level backdoor fails in the multi-class setting, indicating a scalability limitation. Finally, QMLP models are more robust than Classical Multi-Layer Perceptron (CMLP) models under label-flipping attacks but substantially more vulnerable to gradient-based evasion. We conclude by proposing a threat-aware and noise-resilient framework for secure QML deployment.
format Preprint
id arxiv_https___arxiv_org_abs_2511_14989
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle SoK: Critical Evaluation of Quantum Machine Learning for Adversarial Robustness
Nowmi, Saeefa Rubaiyet
Lopez, Jesus
Imon, Md Mahmudul Alam
Pouryousef, Shahrooz
Rahman, Mohammad Saidur
Cryptography and Security
Quantum Machine Learning (QML) integrates quantum computational principles into learning algorithms, offering improved representational capacity and computational efficiency. However, the security and robustness of QML systems remain underexplored, particularly under adversarial conditions. We present the first comprehensive systematization of adversarial robustness in QML, combining conceptual organization with empirical evaluation across black-box, gray-box, and white-box threat models. We implement five representative attacks: a label-flipping poisoning attack under black-box; an encoder-level indiscriminate poisoning attack and a proxy-model clean-label backdoor attack under gray-box; and a circuit-level backdoor attack (QTrojan) and gradient-based evasion attacks (FGSM and PGD) under white-box. We evaluate these attacks using a Quantum Multilayer Perceptron (QMLP) trained on MNIST and AZ-Class across circuit depths of 2, 5, 10, and 50 layers with angle and amplitude encoding schemes. Our evaluations reveal a fundamental accuracy-robustness trade-off. Amplitude encoding achieves the highest clean accuracy (92.6% on MNIST and 67% on AZ-Class) but collapses under adversarial perturbations and depolarizing noise, whereas shallow angle-encoded models remain more stable. QUID is effective under noiseless conditions but weakened by noise, while the proxy-model backdoor persists unless the circuit itself is overwhelmed. Furthermore, the circuit-level backdoor fails in the multi-class setting, indicating a scalability limitation. Finally, QMLP models are more robust than Classical Multi-Layer Perceptron (CMLP) models under label-flipping attacks but substantially more vulnerable to gradient-based evasion. We conclude by proposing a threat-aware and noise-resilient framework for secure QML deployment.
title SoK: Critical Evaluation of Quantum Machine Learning for Adversarial Robustness
topic Cryptography and Security
url https://arxiv.org/abs/2511.14989