Quantum artificial intelligence exploits the interplay between artificial intelligence and quantum physics: on the one hand, a plethora of tools and ideas from artificial intelligence can be adopted to tackle intricate quantum problems; on the other hand, quantum computing could bring unprecedented opportunities to enhance, speed up, or innovate artificial intelligence, and machine learning in particular. Yet quantum learning systems, like classical ones, are vulnerable to adversarial attacks: adding a tiny, carefully crafted perturbation to legitimate input data can cause the system to make incorrect predictions at a notably high confidence level.

In this paper, we introduce the basic concepts and ideas of classical and quantum adversarial learning, as well as some recent advances along this line. First, we introduce the basics of both classical and quantum adversarial learning. Through concrete examples involving the classification of phases of the two-dimensional classical Ising model and of three-dimensional chiral topological insulators, we reveal the vulnerability of classical machine learning when it is used to identify phases of matter. In addition, we demonstrate the vulnerability of quantum classifiers with the example of classifying hand-written digit images. We then theoretically elucidate the celebrated no free lunch theorem from the classical and quantum perspectives, and discuss the universality properties of adversarial attacks on quantum classifiers. Finally, we discuss possible defense strategies.

The study of adversarial learning in quantum artificial intelligence uncovers notable potential risks for quantum intelligence systems, as well as possible defense strategies, and would have far-reaching consequences for the future interactions between the two areas.
- quantum artificial intelligence
- quantum adversarial learning
- quantum classifiers
- topological phases of matter
Fig. 1. A schematic illustration of quantum and classical adversarial learning. The image of a panda can be encoded as classical or quantum data. A classifier, which uses either variational quantum circuits or classical artificial neural networks, can successfully identify the image as a panda with state-of-the-art accuracy. However, adding a small amount of carefully crafted noise will cause the same classifier to misclassify the slightly modified image as a gibbon with notably high confidence.
Fig. 2. Adversarial examples in machine learning phases of matter: (a) a legitimate sample of the spin configuration in the ferromagnetic phase of the two-dimensional (2D) classical Ising model; (b) an adversarial example misclassified as the paramagnetic phase, which differs from the legitimate sample shown in (a) by only a single pixel (one flipped spin); (c) a legitimate sample of the topological phase of three-dimensional (3D) chiral topological insulators; (d) an adversarial example misclassified as the other phase, which differs from the legitimate sample shown in (c) by only a tiny amount of noise that is imperceptible to human eyes.
Fig. 3. Adversarial examples in quantum learning of MNIST hand-written images: (a) after untargeted attacks, the quantum classifier misclassifies the images of digit 7 (9) as digit 9 (7) with notably high confidence, although the differences between the adversarial and legitimate images are tiny; (b) after a targeted attack, the quantum classifier misclassifies the adversarial examples into the category with the targeted label, even though the adversarial and legitimate images differ only slightly from each other.
