Quantum machine learning (QML) continues to be an area of tremendous interest from research and industry. While QML models have been shown to be vulnerable to adversarial attacks in much the same manner as classical machine learning models, it is still largely unknown how to compare adversarial attacks on quantum versus classical models. In this paper, we show how to systematically investigate the similarities and differences in adversarial robustness of classical and quantum models using transfer attacks, perturbation patterns and Lipschitz bounds. More specifically, we focus on classification tasks on a handcrafted dataset that allows quantitative analysis for feature attribution. This enables us to gain insight, both theoretically and experimentally, into the robustness of classification networks. We start by comparing typical QML model architectures such as amplitude and re-upload encoding circuits with variational parameters to a classical ConvNet architecture. Next, we introduce a classical approximation of QML circuits (originally obtained with Random Fourier Features sampling but adapted in this work to fit a trainable encoding) and evaluate this model, denoted Fourier network, in comparison to other architectures. Our findings show that this Fourier network can be seen as a "middle ground" on the quantum-classical boundary. While adversarial attacks successfully transfer across this boundary in both directions, we also show that regularization helps quantum networks to be more robust, which has a direct impact on Lipschitz bounds and transfer attacks.