Quantum noise protects quantum classifiers against adversaries

Noise in quantum information processing is often viewed as a disruptive and difficult-to-avoid feature, especially in near-term quantum technologies. However, noise has often played beneficial roles, from enhancing weak signals in stochastic resonance to protecting the privacy of data in differential privacy. It is then natural to ask: can we harness quantum noise in ways that are beneficial to quantum computing? An important current direction for quantum computing is its application to machine learning, such as classification problems. One outstanding problem in machine learning for classification is its sensitivity to adversarial examples. These are small, undetectable perturbations of the original data for which the perturbed data is completely misclassified by otherwise extremely accurate classifiers. They can also be considered as 'worst-case' perturbations from unknown noise sources. We show that by taking advantage of depolarisation noise in quantum circuits for classification, a robustness bound against adversaries can be derived in which the robustness improves with increasing noise. This robustness property is intimately connected with an important security concept called differential privacy, which can be extended to quantum differential privacy. For the protection of quantum data, this is the first quantum protocol that can be used against the most general adversaries. Furthermore, we show how the robustness in the classical case can be sensitive to the details of the classification model, whereas in the quantum case the details of the classification model are absent, thus also providing a potential quantum advantage for classical data that is independent of quantum speedups. This opens the opportunity to explore other ways in which quantum noise can be used in our favour, as well as to identify other ways in which quantum algorithms can be helpful independently of quantum speedups.


I. INTRODUCTION
Noise in quantum information processing has long been viewed as a feature to avoid and remove, notably in quantum computation. However, in the Noisy Intermediate-Scale Quantum (NISQ) era of near-term quantum computing [33], the presence of noise is inevitable. The focus is both on reducing the effects of quantum noise, for example using error mitigation [9,40], and on finding protocols whose integrity can nevertheless withstand this noise. However, a parallel approach can be taken to instead study noise under a positive lens. In classical information processing, noise is actively leveraged in many applications, including strengthening security and privacy using differential privacy [8], enhancing weak signals using stochastic resonance [12], improving signal resolution after truncating data with dithering [34] and speeding up convergence rates in neural networks [20]. Can we look at quantum noise in this same positive light and use it to our advantage?
One important proposed application of these quantum devices is performing machine-learning tasks like classification [5,16], and classification algorithms can be less vulnerable to noise. An intuitive reason behind this is that classification has only a few possible outputs, and machine learning can still provide accurate classification in the classical world despite the 'messiness' of real-life data like images and sound recordings. Indeed, a recent work [22] showed how quantum binary classifiers can be made robust against common sources of quantum noise by choosing the right encoding of classical data into quantum states.

* Electronic address: Nana.Liu@quantumlah.org
However, despite being tolerant to small amounts of noise with known sources, classification algorithms are generally not protected against unknown 'worst-case' noise sources, such as adversarial attacks. In fact, classification algorithms in machine learning are often very sensitive to adversarial attacks, and this presents a key obstacle for the future development of classical machine learning [39]. These adversaries perturb the original data point by only a small, undetectable amount, yet the new data point, known as an adversarial example, is completely misclassified by otherwise extremely accurate classifiers. This observation provides the impetus for the vibrant field called adversarial machine learning [18,21], which has recently been extended to the quantum domain as adversarial quantum learning [24,26,41]. While many important methods focus on finding new and more robust versions of existing algorithms [14], including on quantum devices [26,41], this approach is generally vulnerable to counterattacks and does not provide theoretical guarantees against all possible adversaries [43].
We take a different approach that does not require inventing new algorithms to improve robustness, yet can provide a robustness guarantee against any unknown perturbation, such as one from an adversary. We begin from the intuition that noise is a kind of scrambling mechanism. It can 'scramble' the effects of disturbances made to one's original data, for instance by adversaries, thus diminishing the effect adversarial attacks can have. Therefore we ask whether noise, instead of hindering the computation, can in fact assist in the presence of adversarial attacks.
More specifically, noise in the classical realm has been associated with improving the privacy of algorithms, providing a property called differential privacy [8]. Differential privacy is the property of an algorithm whose output cannot distinguish small changes in the initial dataset, like the presence or absence of one party's datapoint, hence in this way preserving privacy of that party. This is in fact the very property we want in making our algorithm robust against adversarial examples, which are small changes to the initial dataset that induce misclassification.
We demonstrate that by including depolarisation in one's quantum circuit for classification, we can achieve quantum differential privacy and in turn, be able to provide robustness bounds in the presence of adversaries which were not possible before. This is the most natural mechanism to exploit noise to protect quantum data, which appear in condensed matter systems, quantum communication networks, quantum simulation, quantum metrology and quantum control. In addition, we show how the robustness bound in the classical case can be sensitive to the details of the classification model but in the quantum case this bound is dependent only on the number of possible class categories and no other feature of the classification model. This therefore demonstrates an important example of a security advantage in performing a classification algorithm on a quantum device versus a purely classical device, for both quantum and classical data.
We begin by defining classification, adversarial examples and differential privacy. Then we demonstrate how adding depolarisation noise in quantum classifiers can induce quantum differential privacy which can in turn provide protection against adversarial examples.

II. BACKGROUND
We briefly review the classification problem in both the classical and quantum domains before introducing the concept of adversarial examples. We then define classical and quantum differential privacy, which we later employ as a key tool to achieve robustness of our classifier against adversarial examples.

A. Classification task
A classification task is a mapping from a set of classical or quantum input states to a label chosen from a finite set. If the size of this finite set is K ≥ 2, we have a K-multiclass classification problem [13]. K = 2 is the special case of binary classification, e.g., given images of only ants or cicadas, to decide which picture belongs to which insect.
Definition 1 (K-multiclass classification). The algorithm A : Σ → C is called a K-multiclass classification algorithm if it maps the set of input states Σ onto the set C = {0, ..., K − 1}.
Let the state σ ∈ Σ and C ∈ C. If A(σ) = C, then C is the predicted class label assigned to σ.
In machine learning, the algorithm A does not need to be pre-defined and can instead be learned through a training dataset D.
The dataset D consists of M pairs of input states σ_i and their corresponding class labels, represented by the K-dimensional vector Y(σ_i). Its k-th entry Y_k(σ_i) = 1 if the class label of σ_i is k, and every other entry of Y(σ_i) is zero. To learn A, we first define a parameterised function f(θ, σ_i) ∈ R^K where θ are free parameters that can be tuned. The learning happens as θ is optimised to minimise the empirical risk, where L refers to a predefined loss function. The goal in learning is to minimise this empirical risk, Eq. (1), for one's given training dataset D, where the optimised parameters are denoted θ*. Given a test state σ, we can define y(σ) = f(θ*, σ)/‖f(θ*, σ)‖_1 as the score vector among the K labels, where ‖·‖_1 denotes the l_1-norm and y(σ) ∈ R^K is the normalised vector of f(θ*, σ). Then the k-th entry y_k(σ) ∈ [0, 1] of y(σ) can be interpreted as the probability that σ is assigned the label k. The learned classification algorithm A then outputs the class label C for an input state σ using the condition of Eq. (2), where the final class label C is decided by identifying the class label with the highest corresponding probability. For the quantum K-multiclass classification task with quantum test state σ we can employ a quantum circuit, see Fig. 1(a), to compute y(σ) instead of using a classical circuit. We identify y_k(σ) with the probability that the final measurement outcome of the quantum circuit is k, where Π_k is a POVM element, E is a quantum operation that contains information about the trained parameters θ* [4] and |a⟩⟨a| is an ancilla. However, precise values of the probabilities y_k(σ) can only be obtained in the infinite sampling regime. This means that if only N measurements are allowed at the output of the circuit, we can only obtain an estimate y_k^{(N)}(σ) of the output probabilities.

B. Adversarial examples
Adversarial examples are attacks on input examples to classification problems that lead to misclassification. In particular, these include worst-case attacks where the adversary can craft small, imperceptible perturbations σ → ρ about a given correctly classified input σ that result in misclassification [15]. This means that while the true labels of σ and ρ are identical, if ρ is an adversarial example, A will classify them differently. We can define adversarial examples more formally as follows [38].

Definition 2 (Adversarial example). Suppose we are given a well-trained classification function A(·) as defined in Eq. (2), an input example (σ, C), a distance metric h(·, ·) and a small enough threshold value L. Then ρ is said to be an adversarial example if the following is true. If σ, ρ are classical states, suitable distance metrics are the l_p-norms, so h(σ, ρ) = ‖σ − ρ‖_p. If σ, ρ are quantum states, we will use the trace distance h(σ, ρ) = τ(σ, ρ) = Tr(|ρ − σ|)/2.

FIG. 1: (a) A generic quantum circuit to estimate y_k(σ), which is the probability that test state σ is assigned a class label k in a K-multiclass classification problem. |a⟩ is an ancilla state where σ ⊗ |a⟩⟨a| is D-dimensional and Π_k is D_meas-dimensional, where D_meas ≥ K. With finite N measurements at the output, one obtains an estimate y_k^{(N)}(σ) for y_k(σ). (b) Adding depolarisation noise channels N_{p_i} along the circuit, where i = 1, ..., l, the output in the N → ∞ sampling limit becomes ỹ_k(σ). With finite N measurements at the output, one obtains the estimate ỹ_k^{(N)}(σ) for ỹ_k(σ).
In the rest of this paper, we will use Greek letters to refer to quantum states and bold Roman letters to refer to classical states unless otherwise specified.

C. Differential privacy
Differential privacy is an important concept in computer science that quantifies the sensitivity of the outputs of algorithms to changes in their input data. The less sensitive it is, the better the algorithm can preserve the privacy of the input data. Here we can formulate the definition of classical differential privacy as follows [8].
Definition 3 (Classical differential privacy). Suppose M is a classical algorithm that takes as input entries x ∈ X of some classical database X and outputs values belonging to the set S. Then M is said to satisfy classical (ε, δ)-differential privacy if, for all x, x' ∈ X which are separated by a small distance, e.g., Hamming distance h(x, x') ≤ 1, and all measurable sets S ⊆ Range(M), the differential-privacy inequality holds, where Pr(·) denotes the probability of (·) and ε, δ > 0. We call (ε, δ) the privacy budget for the algorithm.
Informally, this definition says that for two input data points separated by a small distance, a small privacy budget means that the output of the algorithm differs very little, hence the input information is partially kept private. The choice of this distance h(·, ·) varies depending on the task, e.g., Hamming distance or l_p distance [8]. A natural distance h(·, ·) for quantum data is the trace distance, which we can employ in a definition of quantum differential privacy [44] that we will use throughout this paper. An alternative definition of quantum differential privacy [1] does not require the quantum data σ and ρ to be close in trace distance, but rather that ρ is obtainable by applying a quantum operation to only a single register of σ. See also [2] for a related definition applied to PAC learning. However, for our purposes of working directly with quantum states σ and ρ, the use of trace distance is the most appropriate.
Suppose M(σ, Π_S) is a quantum algorithm that takes an input state σ, applies a quantum operation E and then applies the POVM {Π_k}, where the set of final measurement results is k ∈ S. This set of outcomes is then observed with probability Pr(M(σ, Π_S) ∈ S) = Σ_{k∈S} Tr(Π_k E(σ)). By analogy with Definition 3, we can write a definition of quantum differential privacy following Zhou and Ying [44].
Definition 4 (Quantum differential privacy). The quantum algorithm M satisfies (ε, δ)-quantum differential privacy if for all input quantum states σ and ρ with τ(σ, ρ) < τ_D and for all measurable sets S ⊆ Range(M) (equivalently, for every

For the rest of the paper, we focus on the case δ = 0, which is referred to as ε-quantum differential privacy. To illustrate with a simple example, suppose we have a binary classification problem where we choose the POVM {Π_0, Π_1 = 1 − Π_0}. The probability that σ is assigned class label k = 0 or k = 1 by a quantum binary classifier is ỹ_0(σ) ≡ Tr(Π_0 E(σ)) and ỹ_1(σ) = 1 − ỹ_0(σ) respectively. Then if M satisfies ε-quantum differential privacy, Definition 4 requires that we must satisfy

III. IMPROVING ROBUSTNESS OF QUANTUM CLASSIFIERS AGAINST ADVERSARIES BY ADDING NOISE
In this section, we show how the presence of depolarisation noise in quantum circuits for classification improves robustness against adversarial examples. We begin with our definition of adversarial robustness.
Definition 5 (Adversarial robustness). Let the test state σ have the class label A(σ) under a classification algorithm A. Then A is said to possess adversarial robustness of size τ D if for all σ that is perturbed σ → ρ by an unknown source where τ (σ, ρ) ≤ τ D , the class label of ρ does not change, i.e., A(ρ) = A(σ).
We must emphasise here the difference between robustness bounds against a known noise source versus an unknown adversary. Protection against an unknown adversary is a robustness guarantee against a worst-case scenario, whereas commonly-appearing known noise sources are usually far from the worst-case scenario.
Our goal is to demonstrate how a naturally-occurring known noise source can be used to protect a quantum classifier against worst-case adversarial perturbations. This can be done in three main steps. We first show the robustness of quantum classifiers to this known noise source, then demonstrate how this gives rise to quantum differential privacy for the classifier. Finally we prove how quantum differential privacy can be used to derive a theoretical bound against general adversaries.
One such naturally-occurring quantum noise source is the depolarisation noise channel N_p, which acts on a D-dimensional state ρ as N_p(ρ) = (1 − p)ρ + p I_D/D, where I_D is the D × D identity matrix and p ∈ [0, 1]. Before the final measurement, we can represent our quantum classifier as a unitary gate U acting on an input state σ ⊗ |a⟩⟨a|, as represented in Fig. 1(a). We can then add N_{p_i} after each unitary U_i, where U = U_1 ⋯ U_l and i = 1, ..., l. Here l is the total number of depolarisation channels, with noise parameters p_i > 0. This noisy circuit is depicted in Fig. 1(b). The output of this noisy K-multiclass classification circuit given test state σ can be written as in Eq. (10), where it can be shown [45] that the noisy state depends on the p_i only through the product ∏_{i=1}^{l}(1 − p_i). This leads to the interesting observation that the noisy test score ỹ_k(σ) is independent of where the depolarisation channels are placed in the circuit. Furthermore, the effect of all depolarisation channels with parameters p_i can be replaced by a single depolarisation channel with parameter p = 1 − ∏_{i=1}^{l}(1 − p_i). In the trivial case p_i = 0 for all i, p = 0. For the rest of this paper, we will for simplicity replace the effect of all noise parameters p_i with p unless stated otherwise.
Before achieving our goal, we first need Eq. (10) to prove the following lemma, which shows that the K-multiclass classification algorithm performed by the noisy circuit is robust against depolarisation noise for any 0 ≤ p_i < 1. This is a generalisation of a recent result from LaRose and Coyle [46] to the case of K-multiclass classification. Lemma 1. Let y_k(σ) denote the output for the noiseless circuit in Fig. 1(a), i.e., p_i = 0 for all i. Then if the class label C is assigned to σ by the noiseless circuit, i.e., C = arg max_k y_k(σ), the same label is also assigned by the noisy circuit, which has p_i > 0 for at least one i. This means arg max_k ỹ_k(σ) = C for any σ and 0 ≤ p_i < 1. Furthermore, if arg max_k ỹ_k(σ) = C then C = arg max_k y_k(σ).
Proof of Lemma 1. For details please see Appendix A.
The above result demonstrates robustness of quantum classifiers against depolarisation noise if one has access to the exact probabilities ỹ_k(σ). However, this is only possible in the limit of infinite sampling. If one is only able to sample the circuit N times, one instead obtains only the estimates ỹ_k^{(N)}(σ). Then, to guarantee robustness against depolarisation noise with high probability, we find that the required sampling complexity N increases only with increasing depolarisation noise p, and is not dependent on the dimensionality of σ.
Proposition 1. Let the predicted classification label of σ using the noiseless K-multiclass classification circuit be C.
In the corresponding circuit with depolarisation noise parameters p_1, ..., p_l, one samples the circuit N times for each k to obtain the estimates ỹ

Proof of Proposition 1. A basic sketch of the proof is the following. It can be shown that η ≡ ỹ_C(σ) − max_{k≠C} ỹ_k(σ) = pξ. Thus one requires sufficient N to resolve the estimates ỹ_k^{(N)}(σ) to within 2η. We then employ Hoeffding's inequality [29] to bound the sample complexity. Please see Appendix B for details.

Now we show how adding depolarisation noise gives rise to quantum differential privacy for our algorithm. This is an application of a result from Zhou and Ying [44] to our quantum classifier.
Lemma 2. Let the algorithm M correspond to the K-multiclass classification circuit defined in Fig. 1(b) with depolarisation noise parameters p_1, ..., p_l. Then for two quantum test states σ and ρ obeying τ(σ, ρ) ≤ τ_D with 0 ≤ τ_D ≤ 1, M satisfies ε-quantum differential privacy where ε = ln(1 + D_meas(1 − p)τ_D/p), p ≡ 1 − ∏_{i=1}^{l}(1 − p_i), and D_meas ≥ K is the dimension of the operators {Π_k}_{k=1}^{K}.
Proof of Lemma 2. This is equivalent to Theorem 3 from [44] applied to our quantum classifier, but we extend to the case where we can apply multiple depolarisation channels N pi . For details please see Appendix C.
Lemma 2 states that the privacy budget in the presence of depolarisation noise decreases with increasing p ≡ 1 − ∏_{i=1}^{l}(1 − p_i), hence higher depolarisation noise parameters give greater differential privacy. Furthermore, this privacy is independent of where one inserts the depolarisation noise, because the product ∏_{i=1}^{l}(1 − p_i) is invariant under permutation of its factors. It is also independent of any details of the classifier except D_meas, which serves as an upper bound on the number of class labels in our classifier. We will return to these points later.
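The two facts above, that the l channels collapse into one channel with p = 1 − ∏_i (1 − p_i) regardless of placement (Eq. (10), Lemma 1) and that the resulting outcome probabilities obey the ε-quantum differential privacy bound of Lemma 2, can be checked directly on a small circuit. The following numpy simulation is an added example and is not code from the paper. It assumes a two-qubit system (D = 4, one data qubit plus one ancilla), random unitaries U_i standing in for trained layers, the standard depolarisation channel N_p(ρ) = (1 − p)ρ + p I_D/D, and a projective readout on the first qubit so that Tr(Π_k)/D = 1/D_meas with D_meas = 2. Its `check_dp_bound` also reports what fraction of the budget ε the observed log-ratios actually use, which shows how loose the Lemma 2 bound is on random nearby states.

```python
"""Added example (not the paper's code): depolarisation-channel merging, label
preservation (Lemma 1) and the quantum-DP bound (Lemma 2) on a 2-qubit circuit."""
import numpy as np

D = 4        # two qubits: data qubit (x) ancilla qubit, as in Fig. 1
D_MEAS = 2   # binary readout on the first qubit


def depolarize(rho, p):
    """Depolarisation channel N_p(rho) = (1 - p) rho + p I_D / D, p in [0, 1]."""
    d = rho.shape[0]
    return (1.0 - p) * rho + p * np.eye(d) / d


def random_unitary(d, rng):
    """Random unitary (stand-in for a trained layer U_i) from a QR decomposition."""
    z = rng.normal(size=(d, d)) + 1j * rng.normal(size=(d, d))
    q, r = np.linalg.qr(z)
    return q * (np.diag(r) / np.abs(np.diag(r)))   # fix column phases


def random_pure_state(d, rng):
    psi = rng.normal(size=d) + 1j * rng.normal(size=d)
    psi /= np.linalg.norm(psi)
    return np.outer(psi, psi.conj())


def trace_distance(rho, sigma):
    """tau(rho, sigma) = Tr|rho - sigma| / 2 for Hermitian rho, sigma."""
    return 0.5 * float(np.sum(np.abs(np.linalg.eigvalsh(rho - sigma))))


def scores(sigma, layers, povm):
    """Fig. 1(b): apply U_i then N_{p_i} for every (U_i, p_i); return y~_k = Tr(Pi_k rho)."""
    rho = sigma
    for U, p in layers:
        rho = depolarize(U @ rho @ U.conj().T, p)
    return np.array([np.trace(Pi @ rho).real for Pi in povm])


def effective_p(ps):
    """Single channel equivalent to p_1, ..., p_l: p = 1 - prod_i (1 - p_i)."""
    return 1.0 - float(np.prod([1.0 - p for p in ps]))


# Pi_0 = |0><0| (x) I on the first qubit, Pi_1 = I - Pi_0; Tr(Pi_k)/D = 1/2 = 1/D_MEAS.
POVM = [np.diag([1, 1, 0, 0]).astype(complex)]
POVM.append(np.eye(D) - POVM[0])


def check_merge_and_label(seed=7, ps=(0.1, 0.25, 0.4)):
    """True if (i) permuting the p_i among layers, (ii) merging them into one channel
    and (iii) the closed form (1-p) y_k + p/D_meas all give the same y~_k, and the
    noisy argmax equals the noiseless argmax (Lemma 1)."""
    rng = np.random.default_rng(seed)
    Us = [random_unitary(D, rng) for _ in ps]
    sigma = random_pure_state(D, rng)
    noisy = scores(sigma, list(zip(Us, ps)), POVM)
    permuted = scores(sigma, list(zip(Us, ps[::-1])), POVM)
    p = effective_p(ps)
    merged = scores(sigma, [(U, 0.0) for U in Us[:-1]] + [(Us[-1], p)], POVM)
    clean = scores(sigma, [(U, 0.0) for U in Us], POVM)
    closed_form = (1.0 - p) * clean + p / D_MEAS
    same_outputs = (np.allclose(noisy, permuted) and np.allclose(noisy, merged)
                    and np.allclose(noisy, closed_form))
    same_label = int(np.argmax(noisy)) == int(np.argmax(clean))
    return bool(same_outputs and same_label)


def check_dp_bound(seed=7, p=0.2, trials=300):
    """Lemma 2: for tau(sigma, rho) <= tau_D, every outcome probability satisfies
    |ln y~_k(rho) - ln y~_k(sigma)| <= eps with eps = ln(1 + D_meas (1-p) tau_D / p).
    Returns (bound held in every trial, largest fraction of eps actually used)."""
    rng = np.random.default_rng(seed)
    U = random_unitary(D, rng)
    used = 0.0
    for _ in range(trials):
        sigma = random_pure_state(D, rng)
        rho = 0.8 * sigma + 0.2 * random_pure_state(D, rng)   # a nearby mixed state
        tau = trace_distance(sigma, rho)
        eps = np.log(1.0 + D_MEAS * (1.0 - p) * tau / p)
        ys = scores(sigma, [(U, p)], POVM)
        yr = scores(rho, [(U, p)], POVM)
        gap = float(np.max(np.abs(np.log(yr) - np.log(ys))))
        if gap > eps + 1e-12:
            return False, gap / eps
        used = max(used, gap / eps)
    return True, float(used)


if __name__ == "__main__":
    print("merge / Lemma 1 check:", check_merge_and_label())
    print("Lemma 2 bound held, fraction of eps used:", check_dp_bound())
```

The DP check passes because ỹ_k(σ) ≥ p/D_meas for every k (the maximally mixed component floors every outcome probability) while |ỹ_k(ρ) − ỹ_k(σ)| ≤ (1 − p)τ(σ, ρ); the ratio of these two quantities is exactly the e^ε of Lemma 2, and for p → 0 the floor vanishes and ε diverges, so no privacy is certified for the noiseless circuit.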
Using the results of Lemmas 1 and 2, the following theorem demonstrates that by increasing the strength of depolarisation noise in our circuit, this also increases our K-multiclass classifier's robustness against adversarial examples.
Theorem 1 (Infinite sampling case). We begin with our K-multiclass classification circuit with depolarisation noise parameters p_1, ..., p_l. Let infinite sampling of the output be allowed, so we can find ỹ_k(ρ) for k = 0, ..., K − 1 for any given test state ρ. Suppose σ is assigned the class label C and satisfies ỹ_C(σ) > e^{2ε} max_{j≠C} ỹ_j(σ), where ε is the privacy budget of Lemma 2 for the given τ_D. Then ρ is also labelled as C, i.e., C = arg max_k ỹ_k(ρ) = arg max_k y_k(ρ) for any ρ with τ(σ, ρ) ≤ τ_D.
Proof of Theorem 1. Please refer to Appendix D for the proof.
This means that if a test state σ undergoes an arbitrary adversarial perturbation σ → ρ, the classification of ρ will remain identical to that of σ for a larger range of τ(σ, ρ) as p increases. Furthermore, if τ_D remains constant, then the extra condition required of the input state, ỹ_C(σ) > e^{2ε} max_{j≠C} ỹ_j(σ), also becomes easier to satisfy as p increases. A similar result holds for the finite sampling case.
Theorem 2 (Finite sampling case). Suppose one samples the output of the circuit N times for the estimation of each ỹ_k(σ). Let ỹ

which implies σ has the class label C. Then the class label of ρ is also C, i.e., C = arg max_k y_k(ρ) = arg max_k ỹ_k(ρ), with probability at

Proof of Theorem 2. We employ Hoeffding's inequality [29] to bound the deviation of the finitely sampled estimates ỹ_k^{(N)} from ỹ_k. Then we can apply the results of Theorem 1 for infinite sampling to prove our results. Please see Appendix E for details of the proof.
As special examples, we now explore the robustness property of two discriminative learning models for binary classification: quantum neural network and quantum kernel classifiers.

A. Quantum neural network
The quantum neural network (QNN), proposed by [10], is a building block for various quantum learning models [3,6,10,17,19,35]. The basic scheme of QNN is illustrated in Figure 2 (a), which is a special case of the circuit in Fig. 1(a). The D-dimensional quantum input state is σ ⊗ |a a|, where σ refers to either the training or test states and |a is an ancilla. The trainable unitary U (θ) ∈ C D×D is then applied, which consists of trainable single-qubit gates and fixed two-qubit gates. Our protocol for QNN, as shown in Figure 2 (b), employs the depolarisation channels N pi that can appear within the QNN circuit before final measurements with POVM {Π k }.
The typical application of QNN is for binary classification, broadly used in [3,6,10,19], where one makes single-qubit measurements using {Π_0, Π_1 = 1 − Π_0} and D_meas = 2. We can apply Theorem 1 directly to our scenario and we have the following corollary. Corollary 1. Let the given input σ be given the classification label '0' and define ỹ_0(σ)/ỹ_1(σ) ≡ B. In binary classification, QNN, with depolarisation channels N_{p_i} and

Since D_meas = 2 for binary classification, we note that the privacy budget is now independent of the dimension of the problem. Therefore, even as the feature dimension of the input σ grows, it does not affect the robustness of the classifier against adversarial examples so long as some depolarisation noise with 0 < p < 1 has been added to the circuit. This independence is an interesting contrast to the result in [24], which states that robustness should decrease as the dimensionality of σ grows. This contradiction is resolved by observing that, unlike in [24], which places no constraints on the distribution from which the input states σ are selected, here we have Eq. (12), which imposes a constraint.
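Worked derivation, added here and not part of the original paper, of the certified radius τ_D that Corollary 1 yields for a binary QNN. It assumes the Lemma 2 budget with D_meas = 2, ε = ln(1 + 2(1 − p)τ_D/p) (the D_meas = D form of the same expression appears below for the kernel classifier), the robustness condition B > e^{2ε} used in Sec. IV, and the merged-channel form ỹ_k(σ) = (1 − p) y_k(σ) + p/2 of the noisy scores. The condition of Theorem 1 is

$$
B \equiv \frac{\tilde y_0(\sigma)}{\tilde y_1(\sigma)} > e^{2\varepsilon}
  = \Bigl(1 + \frac{2(1-p)\,\tau_D}{p}\Bigr)^{2}
\quad\Longleftrightarrow\quad
\tau_D < \tau_D^{\max}(p) \equiv \frac{p}{2(1-p)}\bigl(\sqrt{B}-1\bigr),
$$

so the classifier is certified against every perturbation with trace distance below τ_D^{max}(p). Writing q = 1 − p and substituting the noisy scores,

$$
B = \frac{q\,y_0(\sigma) + p/2}{q\,y_1(\sigma) + p/2}
  = 1 + \frac{q\,\bigl(y_0(\sigma)-y_1(\sigma)\bigr)}{q\,y_1(\sigma) + p/2}
  \;\xrightarrow{\;q\to 0\;}\; 1 + 2q\,\bigl(y_0(\sigma)-y_1(\sigma)\bigr),
$$

$$
\lim_{p\to 1}\tau_D^{\max}(p)
  = \lim_{q\to 0}\frac{1-q}{2q}\Bigl(\sqrt{1+2q\,(y_0-y_1)}-1\Bigr)
  = \frac{y_0(\sigma)-y_1(\sigma)}{2}.
$$

Two things follow. First, τ_D^{max}(0) = 0: without noise the argument certifies nothing. Second, the certified radius grows with p but saturates at (y_0 − y_1)/2, which is exactly the trace-distance margin that a noiseless binary decision can tolerate by the elementary bound |Tr(Π_0(ρ − σ))| ≤ τ(σ, ρ); the noise does not enlarge the true worst-case margin, it makes the margin certifiable, and the price is the sample complexity of Proposition 1. As a constructed numerical check with y_0(σ) = 0.9, y_1(σ) = 0.1: for p = 0.3 one gets B = 0.78/0.22 ≈ 3.545 and τ_D^{max} ≈ 0.189; for p = 0.6, B ≈ 1.941 and τ_D^{max} ≈ 0.295; for p = 0.9, B ≈ 1.174 and τ_D^{max} ≈ 0.376, approaching the limit 0.4.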
In the finite sampling limit, we can employ Theorem 2 to apply to our binary classifier and we have the following corollary.
Corollary 2. Let the input σ be given the classification label '0' and define (ỹ

FIG. 3: (a) The trainable unitary W(θ) (yellow region) is composed of trainable single-qubit gates and fixed two-qubit gates, with the same architecture as in the QNN. For example, at the end we can measure in the basis |0⟩^{⊗n}, and this circuit can be used to compute the kernel K(θ, x) ≡ ⟨0|^{⊗n} W(θ) V(x) |0⟩^{⊗n}. (b) For our protocol, we can include depolarisation noise channels N_{p_i} (pink region) anywhere along the quantum kernel classifier.

B. Quantum kernel classifier
The main idea of kernel methods is to map complex input data x to a higher-dimensional feature space in which it can then be efficiently separated [13]. The generic form of a quantum kernel classifier [17,28,37] is shown in Figure 3. The output of the kernel classifier can be written as K(θ, x) ≡ ⟨0|^{⊗n} W(θ) V(x) |0⟩^{⊗n}, where K(θ, x) is identified with a classical kernel between the test state x and a weight vector captured by the trained θ values. Here W(θ) contains the trainable parameters, with the aim of minimising the predefined loss function, where the optimum occurs at θ*, and V(x)|0⟩^{⊗n} refers to the kernel state that maps the input data into the higher-dimensional feature space. Thus the probability of obtaining the measurement values all '0' after applying Π_0 ≡ (|0⟩⟨0|)^{⊗n} in the noiseless circuit is given by y_0(x) = |K(θ, x)|². For a binary classification problem, the class label of x is 0 if y_0(x) > y_1(x) ≡ 1 − y_0(x). In this case, D_meas = D, thus the privacy budget becomes ε = ln(1 + D(1 − p)τ_D/p), which grows with increasing dimensionality D of the input state. Corollaries 1 and 2 then hold for the quantum kernel classifier with this modified ε.

IV. NUMERICAL SIMULATIONS
We now conduct numerical simulations to illustrate our protocol for a binary QNN classifier. In particular, by leveraging the depolarisation channel, we show how a trained QNN binary classifier has the ability to achieve certified robustness under bounded-norm adversarial attacks at testing time. In this section, we first introduce our training dataset and the preprocessing step. We then explain the attack method that is used to evaluate the performance of our protocol. Lastly we analyse the performance of our proposed protocol.

A. Preprocessing and training procedure
We choose to conduct our numerical simulations on the Iris dataset [11], which has been broadly used in classical machine learning. The Iris dataset

Afterwards, we apply l_2 normalisation to each example, i.e., ‖σ_i‖_2 = 1 for any σ_i ∈ D. We then need to efficiently encode this classical data into quantum states [36], which we do with the amplitude encoding method [30], encoding each normalised σ_i into a quantum state.
Given the preprocessed dataset D, we randomly split it into a training dataset D_Tr and a test dataset D_Te with n ≡ |D_Tr| = 60, |D_Te| = 40, and D = D_Tr ∪ D_Te. In the training procedure, we randomly sample an example (σ_i, c*_i) from D_Tr and forward σ_i to a binary QNN classifier. For details of the circuit see Appendix H. We employ the squared loss function to train this QNN, i.e., Eq. (14), where c̃_i = max_k y_k(σ_i) ∈ [0, 1] is the score of the QNN as formulated in Subsection II A and y_k(σ) denotes the ideal output of the QNN. We use the zeroth-order gradient method [28] to optimise the trainable parameters θ of the QNN so as to minimise the loss function L. We set the number of training epochs to 50. The learning rate is set to 0.01 and the total number of trainable parameters is 24. Figure 4

B. Evaluation metrics and adversarial attack methods
To evaluate the performance of our protocol, we adopt an adversarial attack method that is widely employed in classical machine learning. It is known as the iterative fast gradient sign method (I-FGSM) with l_2-bounded norm [7,25,27], and it aims to attack the test dataset D_Te so that the trained classifier makes incorrect predictions. If we denote the original input by x and the adversarial example at the t-th update step of the I-FGSM by x'(t), then the update is given in Eqs. (15) and (16), where α = L/T is the learning rate with ‖x − x'‖_2 ≤ L, and L is the loss function formulated in Eq. (14).

C. Adversarial attack at test time
Here we employ our trained classifier and the adversarial attack method formulated above to quantify the performance of our protocol. Recall that Corollaries 1 and 2 are the special cases of Theorems 1 and 2 when applied to binary QNN classifiers and work in the regime of using infinite and finite sampling of the output probabilities respectively. Here we explore how our protocol protects the binary QNN classifier against adversarial attacks under these two settings.
The infinite sampling case. At testing time, we randomly sample an example (ρ = |x⟩⟨x|, ỹ) from D_Te to investigate its robustness τ_D with respect to different levels of depolarisation noise p. Without loss of generality, the original test example has label ỹ = 0. We set three different values of p and τ_D: To validate the correctness of our theoretical results, we employ I-FGSM to attack our trained classifier, where we identify the l_2-norm bound with its corresponding τ_D value. The left panel of Figure 6 demonstrates the simulation results and Table I

The finite sampling case. Let n_samp denote the number of measurement samples. Following the results of Theorem 2 and Corollary 2, with probability at least 1 − 2 exp(−2 n_samp ζ²), the trained classifier with added depolarisation noise is robust to adversarial attacks if B > e^{2ε}. By setting ζ = 0.95, a simple inspection shows that n_samp = 5000 guarantees robustness. Analogous to the infinite sampling case, we employ a bounded-norm adversary to confirm the correctness of our theoretical result; the simulation results are shown in the right panel of Figure 6.
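The experiment described in this section (certify a trained binary QNN at noise level p with the τ_D of Corollary 1, identify the l_2 budget with that τ_D, then attack the amplitude-encoded input with an iterative gradient method and check that the label never changes inside the budget) can be reproduced in miniature. The code below is an added example and is not the paper's simulation code. It assumes a hypothetical 'trained' two-qubit circuit made of two RY rotations with fixed angles and a CNOT, the closed-form noisy scores ỹ_k = (1 − p)y_k + p/2 of the merged channel, the Corollary 1 radius τ_D = p(√B − 1)/(2(1 − p)) derived from ε = ln(1 + 2(1 − p)τ_D/p), and, for real unit vectors, the identity τ(|x⟩⟨x|, |x'⟩⟨x'|) = √(1 − ⟨x|x'⟩²) to translate an l_2 budget into a trace-distance budget. The attack is an l_2-style variant of I-FGSM with a finite-difference gradient and a geodesic projection back into the trace-distance ball; the paper's exact update rule is not reproduced.

```python
"""Added example (not the paper's code): Corollary 1 certificate for a constructed
2-qubit binary classifier, checked against an l2-bounded iterative gradient attack."""
import numpy as np

D_MEAS = 2


def ry(theta):
    c, s = np.cos(theta / 2), np.sin(theta / 2)
    return np.array([[c, -s], [s, c]])


CNOT = np.array([[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]], dtype=float)
# Hypothetical trained parameters theta*: one RY layer followed by a CNOT (control = qubit 0).
U_TRAINED = CNOT @ np.kron(ry(0.3), ry(1.2))
P0 = np.diag([1.0, 1.0, 0.0, 0.0])   # Pi_0 = |0><0| (x) I on the measured qubit


def noisy_scores(x, p):
    """y~_k for amplitude-encoded |x><x| after U and the merged depolarisation channel:
    y~_k = (1 - p) y_k + p / D_meas, with y_0 = ||Pi_0 U x||^2."""
    psi = U_TRAINED @ x
    y0 = float(psi @ P0 @ psi)
    return np.array([(1 - p) * y0 + p / D_MEAS, (1 - p) * (1 - y0) + p / D_MEAS])


def certified_tau(x, p):
    """Corollary 1 (assumed form): B = y~_C / y~_other must exceed e^{2 eps} with
    eps = ln(1 + 2 (1-p) tau_D / p), i.e. tau_D = p (sqrt(B) - 1) / (2 (1-p))."""
    y = noisy_scores(x, p)
    C = int(np.argmax(y))
    B = y[C] / y[1 - C]
    return C, float(p * (np.sqrt(B) - 1.0) / (2.0 * (1.0 - p)))


def trace_distance_pure(x, x2):
    """tau(|x><x|, |x'><x'|) = sqrt(1 - <x|x'>^2) for real unit vectors."""
    return float(np.sqrt(max(0.0, 1.0 - float(x @ x2) ** 2)))


def project_overlap(x0, x, tau_max):
    """Pull the unit vector x back onto the cap tau(x0, x) <= tau_max along the geodesic."""
    c_min = np.sqrt(1.0 - tau_max ** 2)
    c = float(x0 @ x)
    if c >= c_min:
        return x
    w = x - c * x0
    w /= np.linalg.norm(w)
    return c_min * x0 + np.sqrt(1.0 - c_min ** 2) * w


def l2_attack(x0, p, tau_max, steps=40, h=1e-5):
    """Normalised-gradient descent on y~_C(x), the score of the true label, with every
    iterate renormalised (amplitude encoding) and projected to tau(x0, x) <= tau_max.
    The step size is the l2 radius matching tau_max divided by the number of steps.
    Returns (label changed inside the budget, smallest y~_C seen inside the budget)."""
    C = int(np.argmax(noisy_scores(x0, p)))
    alpha = np.sqrt(2.0 - 2.0 * np.sqrt(1.0 - tau_max ** 2)) / steps
    x, worst = x0.copy(), 1.0
    for _ in range(steps):
        grad = np.zeros_like(x)
        for i in range(len(x)):            # central finite differences on the sphere
            e = np.zeros_like(x)
            e[i] = h
            plus = (x + e) / np.linalg.norm(x + e)
            minus = (x - e) / np.linalg.norm(x - e)
            grad[i] = (noisy_scores(plus, p)[C] - noisy_scores(minus, p)[C]) / (2 * h)
        x = x - alpha * grad / (np.linalg.norm(grad) + 1e-12)
        x = project_overlap(x0, x / np.linalg.norm(x), tau_max)
        y = noisy_scores(x, p)
        worst = min(worst, float(y[C]))
        if int(np.argmax(y)) != C:
            return True, worst
    return False, worst


def demo(p=0.3):
    x0 = np.array([1.0, 0.0, 0.0, 0.0])   # constructed test example; its label is 0
    C, tau_d = certified_tau(x0, p)
    flipped_inside, worst_inside = l2_attack(x0, p, tau_d)
    flipped_outside, _ = l2_attack(x0, p, min(3.0 * tau_d, 0.99))  # beyond the certificate
    return {"label": C, "tau_D": tau_d, "flipped_inside": flipped_inside,
            "worst_score_inside": worst_inside, "flipped_at_3x": flipped_outside}


if __name__ == "__main__":
    print(demo())
```

Inside the certified budget the attack cannot flip the label no matter how many steps it takes, because Theorem 1 bounds the worst case over all states in the trace-distance ball, not only the ones a gradient method finds; the `flipped_at_3x` field is reported only to show what the same attacker does once the budget exceeds the certificate, where no guarantee applies.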
For more details on the implementation of the classifier and the performance analysis of our protocol please see Appendix H.

V. ADVANTAGES OF PROTOCOL
Adversarial settings naturally occur when data needs to be delegated to different parties, for instance in a client-server setting and in multiparty computing. When this data is in the form of quantum states before processing by a quantum classifier, our protocol currently provides the only existing method to protect a general quantum classifier against arbitrary adversarial examples, and it comes with a theoretically provable bound. Furthermore, it can take advantage of existing quantum noise in a quantum classifier, like depolarisation noise, to provide protection against adversarial examples, thus obviating the need for error correction or error mitigation if no other noise sources are present. Moreover, even if the test score is diminished in the presence of depolarisation noise, its original value in the absence of any quantum noise can be retrieved by simply increasing the number of times one samples from the classifier. This sample complexity increases with the amount of existing depolarisation noise and is independent of the dimension of the state itself.
Utilizing quantum noise like depolarisation noise also has certain advantages over classical methods for classical data in improving robustness against adversarial examples. We discuss this below.

A. Comparison to the best known classical protocol
While in the quantum case the theoretical bound on robustness is independent of the details of the classification model and is simple to compute, this is not true in the best known classical protocol. Before elaborating on this quantum advantage, we briefly review the classical results.
Following the results of [23], classical ε-differential privacy of a classification algorithm is obtained by adding noise sampled from the Laplacian distribution N_L(z, κ) to the trained classifier. This is commonly known as the Laplace mechanism. For numerical functions [47], the only other common method to attain differential privacy is the Gaussian mechanism, which adds noise sampled from the Gaussian distribution. However, this leads to classical (ε, δ)-differential privacy with δ ≠ 0, so it cannot be directly compared to our quantum scenario where δ = 0. The Laplacian distribution used in the Laplace mechanism can be written as in Eq. (17), where κ refers to the variance of the Laplacian distribution and L is the upper bound on the l_2 norm between the original input x and the attacked input x' such that classical ε-differential privacy is preserved. The sensitivity ∆f of the function f(·) applied at a layer of the neural network classifier just before the Laplacian noise is injected is defined in Eq. (18). The classical protocol runs in the following way. In the testing phase, the adversarial example x', where ‖x − x'‖_2 ≤ L and x is the original test example, is fed into the trained classifier y(·). The predicted label for x' is obtained by invoking y(x') a total of N times. For every run of y(x'), the noise z_{i,j} with i = 1, ..., N is independently sampled from N_L(z, κ) and applied to the input of some layer j of the neural network realising the classifier. Let N_k denote the number of times that the predicted label is k, so the probability of the predicted label being k is given by N_k/N. Then, similarly to Theorem 2, we can write the following condition for robustness of the K-class classifier under the Laplace mechanism.
Lemma 3 (modified from [23]). Let $x$ be the input to the $K$-multiclass classifier, which is endowed with classical $\varepsilon$-differential privacy under the Laplace mechanism, with $\varepsilon = \Delta f\, L/\kappa$, as formulated in Eq. (18). Let $C$ be the label of $x$. Then with probability at least $1 - \zeta$, the classifier is robust to

This means that this best available classical theoretical bound on $L$ depends on $\Delta f$, which in general depends on both the details of the classification model used and the layer of the neural network in which the Laplacian noise is injected. However, in the quantum scenario with depolarisation noise, the robustness bound is independent of both $U$, the circuit realising the quantum classifier, and the location or locations of noise injection. This means that the adversarial robustness bound is universal for all quantum classifiers.
We can see this from the fact that the final state of the quantum circuit after applying depolarisation noise in layers $1$ to $l$ depends only on the product $\prod_{i=1}^{l}(1 - p_i)$, which is independent of $U$ and invariant under any re-ordering of the layers. This simplicity in the quantum case results from two facts: the 'noisy' part of depolarisation noise lies in injecting a maximally-mixed channel with a certain probability, and the unitary operations $U$ realising any quantum classifier are unital (i.e., the identity operator $\mathbb{1}$ remains invariant under $U$). On the other hand, there is no known classical equivalent of this property that also gives rise to differential privacy.
The dependence of ∆f on the details of the classifier in the most general cases also leads to a difficulty in the computation of ∆f and is often intractable except in the simplest cases [23]. This means that, unlike in the quantum case, the corresponding classical bound on robustness L cannot be derived in closed form from Eq. (20) in the most general case.
However, in special simple cases we can provide quantitative examples of this quantum advantage. As a simple illustration, we can look at the binary classifier for the kernel perceptron, which can be written as

where are trained parameters of the classifier. We can consider the polynomial kernel

where $n$ is the kernel degree and $n = 1$ is the special case of the linear kernel. We now have the following theorem.
Theorem 3. We have a binary classifier $y(x) = (y_0(x),\, 1 -$

Let $x$ denote all correctly labelled test examples. We now implement the Laplace mechanism in this classifier, where the sensitivity is $\Delta f \equiv \|y(x) - y(x')\|_2 / \|x - x'\|_2$ and the privacy budget is $\varepsilon = \Delta f\, L/\kappa$. Let us choose $\tilde y_0(x) > \exp(2\varepsilon)\,\tilde y_1(x)$ and define $B \equiv y_0(x)/y_1(x)$. We can define the function $g(\cdot)$ for our noisy classifier where $g(B) = \tilde y_0(x)/\tilde y_1(x)$. Then the classifier is robust under any adversarial example $x'$ where $\|x - x'\|_2 \le L$ and

Proof of Theorem 3. We compute an upper bound for $\Delta f$ in terms of the classification model parameters in $y(x)$ and use $L = \kappa\varepsilon/\Delta f < \kappa \ln g(B)/(2\Delta f)$. Please see Appendix C for details.
From this we see that we can guarantee only a smaller robustness bound for a more nonlinear kernel (i.e., higher $n$). We can also use the quantum classifier below to realise the same polynomial kernel and find a robustness bound that is independent of the degree of nonlinearity of the kernel.
Proof of Theorem 4. We use the expression for $\varepsilon$-quantum differential privacy with depolarisation noise that relates $\tau_D$ with $\varepsilon$, and relate $\varepsilon$ to the fraction $B$. Please see Appendix G for details.
The trace distance $\tau_D$ can be turned into a corresponding $l_2$ norm distance $L$ if an encoding of the classical data $x$ into a quantum state $\sigma_x$ is chosen. For instance, we can choose the most widely used amplitude encoding $x \to \sum_{i=1}^{D} x_i |i\rangle$, where $x_i$ is the $i$th element of $x$ and we assume for simplicity the normalisation $\|x\|_2 = 1$. Then the trace distance is $\tau(\sigma_x, \sigma_{x'}) = \sqrt{1 - \mathrm{Tr}(\sigma_x \sigma_{x'})} = \sqrt{1 - (x \cdot x')^2}$ and $l_2 \equiv \|x - x'\|_2 = \sqrt{2 - 2(x \cdot x')}$. Therefore we can write $\tau(\sigma_x, \sigma_{x'}) = l_2 \sqrt{1 - l_2^2/2} \ge l_2$. This means Theorem 4 still holds if we replace $\tau_D$ with $L$, and we can compare results directly with Theorem 3 for the same chosen constant $B$. Then we see how the robustness bound in the classical case depends on details of the kernel function like the nonlinearity $n$, whereas in the quantum case the robustness bound can be completely independent of the kernel function.
While in Theorems 3 and 4 we have provided only sufficient, though not necessary, conditions for robustness, this was only for the purpose of giving a clearer interpretation of robustness in terms of a model parameter like the degree of nonlinearity $n$. Necessary conditions can also be found, since we already have the exact expressions for $L$ and $\tau_D$. We know that the former depends on the details of the classification model through $\Delta f$ in the most general case, whereas the latter depends only on $p$, $D_{\rm meas}$ and $\varepsilon$, which can be chosen to be constants independent of the details of the kernel or any other classifier. This latter property of $\tau_D$, as we have already seen, is not shared by any known classical mechanism for differential privacy.
Another advantage of the quantum mechanism is that depolarisation noise can occur naturally in quantum systems, especially in NISQ devices, whereas the Laplace mechanism needs to be artificially injected into the classifier. From [44] it is known that other quantum noise, like amplitude and phase damping and generalised amplitude damping, also has the quantum differential privacy property in the single-qubit case. It remains exciting work for future investigation to see whether, in the general multiqubit case, other natural sources of quantum noise can be harnessed for adversarial protection.

VI. DISCUSSION
We demonstrated how depolarisation noise placed anywhere in a quantum circuit used for classification can be exploited to protect the classification algorithm against arbitrary 'worst-case' attacks like adversarial examples. A theoretical bound for robustness can be proved without any assumptions on the type of adversary or the classification model and applies to both quantum and classical data. This bound relies on a new relationship we introduced between quantum differential privacy and adversarial robustness in the quantum setting. In particular, depolarisation noise allows the theoretical robustness bound to be dependent only on the number of classes in the classification model and no other feature of the classifier. However, all known classical noise that can give rise to differential privacy results in robustness bounds that would generally depend on more details of the classification model, for instance the degree of nonlinearity of the classification boundary.
This result raises many intriguing possibilities for exploring other naturally occurring quantum noise sources that could offer similar advantages against adversarial attacks, which become pertinent concerns as quantum data are shared in a future quantum internet. We see that the fruitful merging of concepts in security and quantum machine learning potentially leads to quantum advantages that are independent of quantum speedups. This also highlights how noise in the NISQ era of quantum computation can be used as a positive feature and can be employed in parallel with other methods to demonstrate quantum advantage.
From Lemma 1, we know that if $\sigma$ is labelled as $C$ in the noiseless circuit then in the infinite sampling limit this label is maintained in the corresponding circuit with depolarisation noise, so $\tilde y_C(\sigma) > \max_{k \neq C} \tilde y_k(\sigma)$. However, in the finite sampling limit with sample complexity $N$, we only have access to the estimate $\tilde y^{(N)}_k(\sigma)$. So we want to find the smallest $N$ so that

From the results in Lemma 1, we see that since $\tilde y_k(\sigma) = (1 - p)/K + p\, y_k(\sigma)$ and $\xi \equiv y_C(\sigma) - \max_{k \neq C} y_k(\sigma)$, then $\eta \equiv \tilde y_C(\sigma) - \max_{k \neq C} \tilde y_k(\sigma) = p\xi$. Thus we need large enough sampling to resolve the difference in $\tilde y^{(N)}_k(\sigma)$ to at least $2\eta = 2p\xi$. It is then sufficient to find $N$ that estimates $\tilde y^{(N)}_k(\sigma)$ to precision $2\eta$. To find $N$, we can employ Hoeffding's inequality in the following.

Lemma A (Hoeffding's inequality [29]). Let $Z_1, \ldots, Z_N$ be independent bounded random variables with $Z_i \in [a, b]$ for all $i \in [N]$, where $-\infty < a \le b < \infty$. Then the probability

In our case, we can use $b - a = 1$, $\zeta = 2\eta$, $(1/N)\sum_i Z_i = \tilde y^{(N)}_k(\sigma)$ and $E(Z_i) = \tilde y_k(\sigma)$. Thus if we require the probability $\Pr(|\tilde y$

Appendix C: Proof of Lemma 2

This proof follows Zhou and Ying [44], applied to the case where the dimension of the final projector is $D_{\rm meas}$ and we can apply multiple depolarisation channels $\mathcal{N}_{p_i}$ for $i = 1, \ldots, l$. To show $\varepsilon$-differential privacy, we must show that when $\tau(\sigma, \rho) \le \tau_D$ the following relation holds, i.e.,

where from Eq. (9)

By employing the definition of depolarisation noise with noise parameter $p$ acting on an arbitrary quantum state $\sigma$, from Eq. (8) we can derive

and similarly for $\tilde y_k(\sigma)$. From this we can write

where $F \equiv (1 - p)\,\mathrm{Tr}(I_{D - D_{\rm meas}} \otimes \Pi_k\, U(\sigma)U^\dagger) > 0$. In the first inequality we used the relation $\mathrm{Tr}(U(\rho - \sigma)U^\dagger \Lambda_k) \le \tau_D\, \mathrm{Tr}(\Lambda_k)$ and the inequality $\tau(U(\sigma)U^\dagger, U(\rho)U^\dagger) \le \tau(\sigma, \rho) \le \tau_D$ [31,44].
To satisfy Eq. (C2), we upper-bound this final term by $e^{\varepsilon} - 1$ and find the privacy budget

Here we prove that if $\tilde y_C(\sigma) > e^{2\varepsilon} \max_{k \neq C} \tilde y_k(\sigma)$, where $\varepsilon = \ln(1 + D_{\rm meas}(1 - p)\tau_D/p)$, then $\tilde y_C(\rho) > \max_{k \neq C} \tilde y_k(\rho)$ for all $\rho$ where $\tau(\sigma, \rho) \le \tau_D$. First we employ Lemma 2, which states that given depolarisation noise with parameter $p$, the algorithm implemented by the noisy circuit has $\varepsilon$-quantum differential privacy. Then from Eq. (7), following Definition 4, we see that in our case it states

which holds for $\varepsilon = \ln(1 + D_{\rm meas}(1 - p)\tau_D/p)$ and all $\rho$ where $\tau(\sigma, \rho) \le \tau_D$. Then, if we insert $\tilde y_C(\sigma) > e^{2\varepsilon} \max_{k \neq C} \tilde y_k(\sigma)$ into the above, we can write

Then, from the left-hand side inequality in Eq. (D1), we find

From Lemma 1, we see that this is also equivalent to the claim $y_C(\rho) \ge \max_{k \neq C} y_k(\rho)$.
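The following Python is an added example, not code from the paper: it puts the certificate proved just above ($\tilde y_C > e^{2\varepsilon}\max_{k\neq C}\tilde y_k$ with $\varepsilon = \ln(1 + D_{\rm meas}(1-p)\tau_D/p)$) together with the finite-sampling argument of the preceding appendix. It assumes the appendix convention for $p$ (noisy probabilities $\tilde y_k = (1-p)/K + p\,y_k$) and the standard two-sided form of Hoeffding's inequality, since the page's own displayed equations are not reproduced here; the class probabilities are constructed inputs.

```python
# Added example (not the paper's code): depolarisation-noise robustness
# certificate and Hoeffding shot count, using the formulas quoted above.
# Assumed convention: p enters as in the appendix, i.e. the noisy label
# probabilities are y~_k = (1-p)/K + p*y_k and eps = ln(1 + D_meas (1-p) tau_D / p).
import math


def noisy_probs(y, p):
    """Label probabilities of the noisy circuit, y~_k = (1-p)/K + p*y_k (Lemma 1)."""
    K = len(y)
    return [(1.0 - p) / K + p * yk for yk in y]


def privacy_budget(p, d_meas, tau_d):
    """eps-quantum differential privacy budget, eps = ln(1 + D_meas (1-p) tau_D / p)."""
    if not 0.0 < p <= 1.0:
        raise ValueError("p must lie in (0, 1]")
    return math.log(1.0 + d_meas * (1.0 - p) * tau_d / p)


def certified(y, p, d_meas, tau_d):
    """Robustness certificate: the noisy label C is guaranteed for every input
    within trace distance tau_D of sigma when y~_C > exp(2 eps) * max_{k != C} y~_k."""
    yt = noisy_probs(y, p)
    c = max(range(len(yt)), key=yt.__getitem__)
    runner_up = max(v for k, v in enumerate(yt) if k != c)
    return yt[c] > math.exp(2.0 * privacy_budget(p, d_meas, tau_d)) * runner_up


def hoeffding_shots(y, p, delta):
    """Shots N so that, with probability >= 1 - delta, the estimate y~_k^(N)
    deviates from y~_k by less than zeta = 2*eta with eta = p*xi, where xi is the
    noiseless gap between the top label and the runner-up. Uses the standard
    two-sided Hoeffding form 2*exp(-2 N zeta^2) <= delta with b - a = 1 (assumption)."""
    ys = sorted(y, reverse=True)
    xi = ys[0] - ys[1]
    zeta = 2.0 * p * xi
    if zeta <= 0:
        raise ValueError("noiseless label is not unique")
    return math.ceil(math.log(2.0 / delta) / (2.0 * zeta ** 2))


if __name__ == "__main__":
    # Constructed three-class example with a confident noiseless prediction.
    y = [0.7, 0.2, 0.1]
    print(certified(y, p=0.8, d_meas=2, tau_d=0.015))        # True
    print(hoeffding_shots([0.55, 0.45], p=0.5, delta=0.05))  # 185
```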

Evaluation
An evaluation metric broadly used in classical adversarial learning is the conventional accuracy, which measures the prediction accuracy on the test dataset under adversarial attacks with respect to different bounded norms [23,42]. The mathematical expression for the conventional accuracy $\mathrm{Acc}_c$ is

where $|D_{\rm Te}|$ is the size of the test dataset, and $c_i$ and $c^*_i$ are the predicted and real labels of the $i$th test example. Here $\mathbb{1}_{c_i = c^*_i}$ is the indicator function, which takes the value '1' when $c_i = c^*_i$ and '0' otherwise. Using the depolarisation noise $p = 0.5, 0.8$ and $\tau_D = 0.015$, we explore the tradeoff between adversarial robustness and the conventional accuracy for our classifier. Let $L \in (0, 0.7]$ and $n_{\rm samp} = 300$. The number of iterations used to generate adversarial attacks is set to 50 without early stopping. Figure 8 illustrates the simulation results under $p = 0, 0.5, 0.8$. We can see how our protocol increases the robustness against $l_2$ norm attacks with increasing $p$. For instance, the conventional accuracy of our baseline ($p = 0$) drops to zero when $L = 0.4$, while the conventional accuracy remains non-zero for both $p = 0.5$ and $p = 0.8$. In addition, a larger depolarisation noise $p$ promises better robustness against large $L$. Specifically, when $L = 0.1$, the conventional accuracy for $p = 0.8$ is slightly less than for $p = 0.5$. However, with increased $L$, the conventional accuracy for $p = 0.8$ outperforms the case $p = 0.5$. Also, when $L = 0.5$, both the baseline and the $p = 0.5$ case have zero conventional accuracy, while the setting $p = 0.8$ gives non-zero conventional accuracy.

Figure 8 (caption): We denote $L$ as the maximum $l_2$ bounded norm used in the adversarial attack. The conventional accuracy corresponding to $p = 0.5, 0.8$ with respect to $L$ is in red and blue respectively. The label 'baseline' refers to the conventional accuracy when $p = 0$.