Differentiable Architecture Search for Adversarially Robust Quantum Computer Vision
Mohamed Afane 1, Quanjiang Long 1, Haoting Shen 2, Ying Mao 1, Junaid Farooq 3, Ying Wang 4, Juntao Chen 1
Published on arXiv: 2601.18058
OWASP ML Top 10 — ML01: Input Manipulation Attack
Key Finding
The DQAS-CNL framework achieves consistently higher clean and adversarial accuracy than existing quantum architecture search baselines across FGSM, PGD, BIM, and MIM attacks at ε=0.3 on MNIST, FashionMNIST, and CIFAR.
Novel technique introduced: DQAS-CNL (Differentiable Quantum Architecture Search with Classical Noise Layer)
Current quantum neural networks suffer from extreme sensitivity to both adversarial perturbations and hardware noise, creating a significant barrier to real-world deployment. Existing robustness techniques typically sacrifice clean accuracy or require prohibitive computational resources. We propose a hybrid quantum-classical Differentiable Quantum Architecture Search (DQAS) framework that addresses these limitations by jointly optimizing circuit structure and robustness through gradient-based methods. Our approach enhances traditional DQAS with a lightweight Classical Noise Layer applied before quantum processing, enabling simultaneous optimization of gate selection and noise parameters. This design preserves the quantum circuit's integrity while introducing trainable perturbations that enhance robustness without compromising standard performance. Experimental validation on MNIST, FashionMNIST, and CIFAR datasets shows consistent improvements in both clean and adversarial accuracy compared to existing quantum architecture search methods. Under various attack scenarios, including Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), Basic Iterative Method (BIM), and Momentum Iterative Method (MIM), and under realistic quantum noise conditions, our hybrid framework maintains superior performance. Testing on actual quantum hardware confirms the practical viability of discovered architectures. These results demonstrate that strategic classical preprocessing combined with differentiable quantum architecture optimization can significantly enhance quantum neural network robustness while maintaining computational efficiency.
Key Contributions
- Hybrid DQAS framework augmented with a Classical Noise Layer (CNL) that jointly optimizes quantum circuit structure and adversarial robustness via gradient-based methods
- Lightweight classical preprocessing that injects trainable perturbations before quantum processing, improving robustness without degrading clean accuracy or quantum circuit integrity
- Empirical validation on MNIST, FashionMNIST, and CIFAR under FGSM, PGD, BIM, and MIM attacks, plus verification on real quantum hardware
🛡️ Threat Analysis
The paper proposes a defense (Classical Noise Layer + DQAS) against standard inference-time adversarial perturbations (FGSM, PGD, BIM, MIM) that cause misclassification in quantum neural networks — directly addressing the input manipulation attack threat.