{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T04:10:31Z","timestamp":1775880631378,"version":"3.50.1"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,2,5]],"date-time":"2025-02-05T00:00:00Z","timestamp":1738713600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,2,5]],"date-time":"2025-02-05T00:00:00Z","timestamp":1738713600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100021856","name":"Ministero dell\u2019Universit\u00e0 e della Ricerca","doi-asserted-by":"publisher","award":["PRIN-2022WHZ5XH"],"award-info":[{"award-number":["PRIN-2022WHZ5XH"]}],"id":[{"id":"10.13039\/501100021856","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-AC02-07CH11359"],"award-info":[{"award-number":["DE-AC02-07CH11359"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Quantum Mach. Intell."],"published-print":{"date-parts":[[2025,6]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>We show that hybrid quantum classifiers based on quantum kernel methods and support vector machines are vulnerable against adversarial attacks, namely small engineered perturbations of the input data can deceive the classifier into predicting the wrong result. Nonetheless, we also show that simple defense strategies based on data augmentation with a few crafted perturbations can make the classifier robust against new attacks. Our results find applications in security-critical learning problems and in mitigating the effect of some forms of quantum noise, since the attacker can also be understood as part of the surrounding environment.<\/jats:p>","DOI":"10.1007\/s42484-025-00238-8","type":"journal-article","created":{"date-parts":[[2025,2,5]],"date-time":"2025-02-05T12:44:30Z","timestamp":1738759470000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Quantum adversarial learning for kernel methods"],"prefix":"10.1007","volume":"7","author":[{"given":"Giuseppe","family":"Montalbano","sequence":"first","affiliation":[]},{"given":"Leonardo","family":"Banchi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,2,5]]},"reference":[{"key":"238_CR1","doi-asserted-by":"crossref","unstructured":"Biggio B, Roli F (2018) Wild patterns: ten years after the rise of adversarial machine learning. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp 2154\u20132156","DOI":"10.1145\/3243734.3264418"},{"key":"238_CR2","unstructured":"Carlini N, Athalye A, Papernot N, et\u00a0al (2019) On evaluating adversarial robustness. arXiv:1902.06705"},{"key":"238_CR3","unstructured":"Staib M, Jegelka S (2019) Distributionally robust optimization and generalization in kernel methods. Adv Neural Inf Process Syst 32"},{"key":"238_CR4","first-page":"18116","volume":"35","author":"N Tsilivis","year":"2022","unstructured":"Tsilivis N, Kempe J (2022) What can the neural tangent kernel tell us about adversarial robustness? Adv Neural Inf Process Syst 35:18116\u201318130","journal-title":"Adv Neural Inf Process Syst"},{"key":"238_CR5","unstructured":"Szegedy C, Zaremba W, Sutskever I, et\u00a0al (2014) Intriguing properties of neural networks. In: 2nd International Conference on Learning Representations, ICLR 2014"},{"issue":"2","key":"238_CR6","doi-asserted-by":"publisher","first-page":"172","DOI":"10.1080\/00107514.2014.964942","volume":"56","author":"M Schuld","year":"2015","unstructured":"Schuld M, Sinayskiy I, Petruccione F (2015) An introduction to quantum machine learning. Contemp Phys 56(2):172\u2013185","journal-title":"Contemp Phys"},{"key":"238_CR7","unstructured":"Lloyd S, Schuld M, Ijaz A, et\u00a0al. (2020) Quantum embeddings for machine learning. arXiv:2001.03622"},{"key":"238_CR8","doi-asserted-by":"crossref","unstructured":"Lu S, Duan LM, Deng DL (2020) Quantum adversarial machine learning. Phys Rev Res 2(3):033212","DOI":"10.1103\/PhysRevResearch.2.033212"},{"key":"238_CR9","doi-asserted-by":"crossref","unstructured":"Liu N, Wittek P (2020) Vulnerability of quantum classification to adversarial perturbations. Phys Rev A 101(6):062331","DOI":"10.1103\/PhysRevA.101.062331"},{"issue":"11","key":"238_CR10","doi-asserted-by":"publisher","first-page":"711","DOI":"10.1038\/s43588-022-00351-9","volume":"2","author":"W Ren","year":"2022","unstructured":"Ren W, Li W, Xu S et al (2022) Experimental quantum adversarial learning with programmable superconducting qubits. Nat Comput Sci 2(11):711\u2013717","journal-title":"Nat Comput Sci"},{"key":"238_CR11","doi-asserted-by":"crossref","unstructured":"Gebhart V, Santagati R, Gentile AA et al (2023) Learning quantum systems. Nat Rev Phys 5(3):141\u2013156","DOI":"10.1038\/s42254-022-00552-1"},{"key":"238_CR12","doi-asserted-by":"publisher","unstructured":"Qiskit contributors (2023) Qiskit: an open-source framework for quantum computing. https:\/\/doi.org\/10.5281\/zenodo.2573505","DOI":"10.5281\/zenodo.2573505"},{"key":"238_CR13","volume-title":"Mach Learn Quant Comput","author":"M Schuld","year":"2021","unstructured":"Schuld M, Petruccione F (2021) Mach Learn Quant Comput. Springer"},{"key":"238_CR14","doi-asserted-by":"crossref","unstructured":"Cristianini N, Shawe-Taylor J (2000) An introduction to support vector machines and other kernel-based learning methods. Cambridge University Press","DOI":"10.1017\/CBO9780511801389"},{"issue":"9","key":"238_CR15","doi-asserted-by":"publisher","first-page":"1013","DOI":"10.1038\/s41567-021-01287-z","volume":"17","author":"Y Liu","year":"2021","unstructured":"Liu Y, Arunachalam S, Temme K (2021) A rigorous and robust quantum speed-up in supervised machine learning. Nat Phys 17(9):1013\u20131017","journal-title":"Nat Phys"},{"issue":"3","key":"238_CR16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1961189.1961199","volume":"2","author":"CC Chang","year":"2011","unstructured":"Chang CC, Lin CJ (2011) LIBSVM: a library for support vector machines. ACM Trans Intell Syst Technol (TIST) 2(3):1\u201327","journal-title":"ACM Trans Intell Syst Technol (TIST)"},{"issue":"7747","key":"238_CR17","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1038\/s41586-019-0980-2","volume":"567","author":"V Havl\u00ed\u010dek","year":"2019","unstructured":"Havl\u00ed\u010dek V, C\u00f3rcoles AD, Temme K et al (2019) Supervised learning with quantum-enhanced feature spaces. Nat 567(7747):209\u2013212","journal-title":"Nat"},{"issue":"4","key":"238_CR18","doi-asserted-by":"publisher","first-page":"492","DOI":"10.1016\/j.dcan.2021.12.003","volume":"8","author":"W Li","year":"2022","unstructured":"Li W, Liu X, Yan A et al (2022) Kernel-based adversarial attacks and defenses on support vector classification. Digital Commun Netw 8(4):492\u2013497","journal-title":"Digital Commun Netw"},{"key":"238_CR19","doi-asserted-by":"crossref","unstructured":"Thanasilp S, Wang S, Holmes Z (2022) Exponential concentration and untrainability in quantum kernel methods. arXiv:2208.11060","DOI":"10.21203\/rs.3.rs-2296310\/v1"},{"key":"238_CR20","doi-asserted-by":"crossref","unstructured":"Mitarai K, Negoro M, Kitagawa M et al (2018) Quant Circ Learn. Phys Rev A 98(3): 032309","DOI":"10.1103\/PhysRevA.98.032309"},{"key":"238_CR21","doi-asserted-by":"publisher","first-page":"386","DOI":"10.22331\/q-2021-01-25-386","volume":"5","author":"L Banchi","year":"2021","unstructured":"Banchi L, Crooks GE (2021) Measuring analytic gradients of general quantum evolution with the stochastic parameter shift rule. Quantum 5:386","journal-title":"Quantum"},{"key":"238_CR22","doi-asserted-by":"crossref","unstructured":"Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy, Ieee, pp 39\u201357","DOI":"10.1109\/SP.2017.49"},{"key":"238_CR23","unstructured":"Madry A, Makelov A, Schmidt L, et\u00a0al (2018) Towards deep learning models resistant to adversarial attacks. In: International Conference on Learning Representations"},{"issue":"11","key":"238_CR24","doi-asserted-by":"publisher","first-page":"699","DOI":"10.1038\/s43588-022-00359-1","volume":"2","author":"L Banchi","year":"2022","unstructured":"Banchi L (2022) Robust quantum classifiers via NISQ adversarial learning. Nat Comput Sci 2(11):699\u2013700","journal-title":"Nat Comput Sci"},{"key":"238_CR25","doi-asserted-by":"crossref","unstructured":"Banchi L, Pereira J, Pirandola S (2021) Generalization in quantum machine learning: a quantum information standpoint. PRX Quantum 2(4): 040321","DOI":"10.1103\/PRXQuantum.2.040321"},{"key":"238_CR26","doi-asserted-by":"crossref","unstructured":"Banchi L, Pereira JL, Jose ST, et\u00a0al (2023) Statistical complexity of quantum learning. Adv Quant Technol p 2300311","DOI":"10.1002\/qute.202300311"},{"issue":"1","key":"238_CR27","doi-asserted-by":"publisher","first-page":"2631","DOI":"10.1038\/s41467-021-22539-9","volume":"12","author":"HY Huang","year":"2021","unstructured":"Huang HY, Broughton M, Mohseni M et al (2021) Power of data in quantum machine learning. Nat commun 12(1):2631","journal-title":"Nat commun"},{"issue":"1","key":"238_CR28","doi-asserted-by":"publisher","first-page":"4919","DOI":"10.1038\/s41467-022-32550-3","volume":"13","author":"MC Caro","year":"2022","unstructured":"Caro MC, Huang HY, Cerezo M et al (2022) Generalization in quantum machine learning from few training data. Nat Commun 13(1):4919","journal-title":"Nat Commun"},{"key":"238_CR29","doi-asserted-by":"crossref","unstructured":"Georgiou P, Jose ST, Simeone O (2024) Adversarial quantum machine learning: an information-theoretic generalization analysis. arXiv:2402.00176","DOI":"10.1109\/ISIT57864.2024.10619403"},{"key":"238_CR30","doi-asserted-by":"crossref","unstructured":"Glick JR, Gujarati TP, Corcoles AD, et\u00a0al (2024) Covariant quantum kernels for data with group structure. Nat Phys pp 1\u20135","DOI":"10.1038\/s41567-023-02340-9"},{"key":"238_CR31","doi-asserted-by":"crossref","unstructured":"Cristianini N, Shawe-Taylor J, Elisseeff A, et\u00a0al (2001) On kernel-target alignment. Adv Neural Inf Process Syst 14","DOI":"10.7551\/mitpress\/1120.003.0052"},{"key":"238_CR32","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/s10462-012-9369-4","volume":"43","author":"T Wang","year":"2015","unstructured":"Wang T, Zhao D, Tian S (2015) An overview of kernel alignment and its applications. Art Intell Rev 43:179\u2013192","journal-title":"Art Intell Rev"},{"key":"238_CR33","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1023\/A:1012450327387","volume":"46","author":"O Chapelle","year":"2002","unstructured":"Chapelle O, Vapnik V, Bousquet O et al (2002) Choosing multiple parameters for support vector machines. Mach Learn 46:131\u2013159","journal-title":"Mach Learn"}],"container-title":["Quantum Machine Intelligence"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42484-025-00238-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42484-025-00238-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42484-025-00238-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,26]],"date-time":"2025-06-26T14:40:27Z","timestamp":1750948827000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42484-025-00238-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,5]]},"references-count":33,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,6]]}},"alternative-id":["238"],"URL":"https:\/\/doi.org\/10.1007\/s42484-025-00238-8","relation":{},"ISSN":["2524-4906","2524-4914"],"issn-type":[{"value":"2524-4906","type":"print"},{"value":"2524-4914","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,5]]},"assertion":[{"value":"2 January 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 January 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 February 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"15"}}