A black-box attack method of machine learning algorithms based on quantum autoencoders
Dong Tan, Lili Yan, Jiayu Zhao, Yan Chang, Shibin Zhang,
A black-box attack method of machine learning algorithms based on quantum autoencoders,
Physica A: Statistical Mechanics and its Applications,
Volume 680,
2025,
131033,
ISSN 0378-4371,
https://doi.org/10.1016/j.physa.2025.131033.
(https://www.sciencedirect.com/science/article/pii/S0378437125006855)
Abstract: Currently, researchers have conducted extensive studies on adversarial attacks in the field of machine learning. With the development of quantum computing technology, quantum computing has provided new ideas and methods for implementing machine learning algorithms. Meanwhile, the issue of adversarial attacks in quantum machine learning has increasingly become a research hotspot. This paper proposes a new black-box attack method against quantum machine learning models based on a quantum autoencoder (QAE). The method first obtains a basic dataset through a small number of queries to the model, then expands this basic dataset to obtain a training dataset. The training dataset is used to train a surrogate model to generate adversarial examples, and then the transferability of the adversarial examples is utilized to launch attacks, ultimately achieving a black-box attack on the target model. Experiments show that the proposed method requires only 20 queries to the target model. Based on the results of these queries, the quantum autoencoder can be used to expand the basic dataset, and the accuracy of the surrogate model for attacking the target model is improved by 8% on the generated test set. Moreover, compared with the deep convolutional generative adversarial network (DCGAN) model, this method can achieve faster fitting. After training, the effectiveness of transfer-based attacks on the surrogate model decreases by less than 20% under strong perturbation conditions, and under certain conditions, the attack effect on the target model is stronger than that on the surrogate model itself. In addition, using the surrogate model to attack another quantum neural network model also achieves effects similar to those on the target model, thereby further verifying the universality of the proposed attack method.
Keywords: Adversarial samples; Quantum machine learning; Few queries; Quantum autoencoders