Optimal Provable Robustness of Quantum Classification via Quantum Hypothesis Testing

Quantum machine learning models have the potential to offer speedups and better predictive accuracy compared to their classical counterparts. However, these quantum algorithms, like their classical counterparts, have been shown to also be vulnerable to input perturbations, in particular for classification problems. These can arise either from noisy implementations or, as a worst-case type of noise, adversarial attacks. In order to develop defence mechanisms and to better understand the reliability of these algorithms, it is crucial to understand their robustness properties in presence of natural noise sources or adversarial manipulation. From the observation that measurements involved in quantum classification algorithms are naturally probabilistic, we uncover and formalize a fundamental link between binary quantum hypothesis testing and provably robust quantum classification. This link leads to a tight robustness condition which puts constraints on the amount of noise a classifier can tolerate, independent of whether the noise source is natural or adversarial. Based on this result, we develop practical protocols to optimally certify robustness. Finally, since this is a robustness condition against worst-case types of noise, our result naturally extends to scenarios where the noise source is known. Thus, we also provide a framework to study the reliability of quantum classification protocols beyond the adversarial, worst-case noise scenarios.


I. INTRODUCTION
The flourishing interplay between quantum computation and machine learning has inspired a wealth of algorithmic invention in recent years [1][2][3]. Among the most promising proposals are quantum classification algorithms which aspire to leverage the exponentially large Hilbert space uniquely accessible to quantum algorithms to either drastically speed up computational bottlenecks in classical protocols [4][5][6][7], or to construct quantum-enhanced kernels that are practically prohibitive to compute classically [8][9][10]. Although these quantum classifiers are recognised as having the potential to offer quantum speedup or superior predictive accuracy, they are shown to be just as vulnerable to input perturbations as their classical counterparts [11][12][13][14]. These perturbations can occur either due to imperfect implementation which is prevalent in the noisy, intermediate-scale quantum (NISQ) era [15], or, more menacingly, due to adversarial attacks where a malicious party aims to fool a classifier by carefully crafting practically undetectable noise patterns which trick a model into misclassifying a given input.
In order to address these shortcomings in reliability and security of quantum machine learning, several protocols in the setting of adversarial quantum learning, i.e. learning under the worst-case noise scenario, have been developed [11,12,16–18]. More recently, data encoding schemes are linked to robustness properties of classifiers with respect to different noise models in Ref. [19]. The connection between provable robustness and quantum differential privacy is investigated in Ref. [17], where naturally occurring noise in quantum systems is leveraged to increase robustness against adversaries. A further step towards robustness guarantees is made in Ref. [18] where a bound is derived from elementary properties of the trace distance. These advances, though having accumulated considerable momentum toward a coherent strategy for protecting quantum machine learning algorithms against adversarial input perturbations, have not yet provided an adequate framework for deriving a tight robustness condition for any given quantum classifier. In other words, the known robustness conditions are sufficient but not, in general, necessary.
* ce.zhang@inf.ethz.ch † zhikuan.zhao@inf.ethz.ch
Thus, a major open problem remains which is significant on both the conceptual and practical levels. Conceptually, adversarial robustness, being an intrinsic property of the classification algorithms under consideration, is only accurately quantified by a tight bound, the absence of which renders the direct robustness comparison between different quantum classifiers implausible. Practically, an optimal robustness certification protocol, in the sense of being capable of faithfully reporting the noise tolerance and resilience of a quantum algorithm can only arise from a robustness condition which is both sufficient and necessary. Here we set out to confront both aspects of this open problem by generalising the state-of-the-art classical wisdom on certifiable adversarial robustness into the quantum realm.
The pressing demand for robustness against adversarial attacks is arguably even more self-evident under the classical setting in the present era of wide-spread industrial adaptation of machine learning [13,14,20]. Many heuristic defence strategies have been proposed but have subsequently been shown to fail against suitably powerful adversaries [21,22]. In response, provable defence mechanisms that provide robustness guarantees have been developed. One line of work, interval bound propagation, uses interval arithmetic [23,24] to certify neural networks. Another approach makes use of randomizing inputs and adopts techniques from differential privacy [25] and, to our particular interest, statistical hypothesis testing [26,27] which has a natural counterpart in the quantum domain. Since the pioneering works by Helstrom [28] and Holevo [29], the task of quantum hypothesis testing (QHT) has been well-studied and regarded as one of the foundational tasks in quantum information, with profound linkages with topics ranging from quantum communication [30,31], estimation theory [32], to quantum illumination [33,34].
arXiv:2009.10064v2 [quant-ph] 26 May 2021
In this work, we lay bare a fundamental connection between quantum hypothesis testing and the robustness of quantum classifiers against unknown noise sources. The methods of QHT enable us to derive a robustness condition which, in contrast to other methods, is both sufficient and necessary and puts constraints on the amount of noise that a classifier can tolerate. Due to tightness, these constraints allow for an accurate description of noise-tolerance. Absence of tightness, on the other hand, would underestimate the true degree of such noise tolerance. Based on these theoretical findings, we provide (1) an optimal robustness certification protocol to assess the degree of tolerance against input perturbations (independent of whether these occur due to natural or adversarial noise), (2) a protocol to verify whether classifying a perturbed (noisy) input has had the same outcome as classifying the clean (noiseless) input, without requiring access to the latter, and (3) tight robustness conditions on parameters for amplitude and phase damping noise. In addition, we will also consider randomizing quantum inputs, which can be seen as a quantum generalisation of randomized smoothing, a technique that has recently been applied to certify the robustness of classical machine learning models [26]. The conceptual foundation of our approach is rooted in the inherently probabilistic nature of quantum classifiers. Intuitively, while QHT is concerned with the question of how to optimally discriminate between two given states, certifying adversarial robustness aims at giving a guarantee for which two states cannot be discriminated. These two seemingly contrasting notions go hand in hand and, as we will see, give rise to optimal robustness conditions fully expressible in the language of QHT.
Furthermore, while we focus on robustness in a worst-case scenario, our results naturally cover narrower classes of known noise sources and can potentially be put in context with other areas such as error mitigation and error tolerance in the NISQ era. Finally, while we treat robustness in the context of quantum machine learning, our results in principle do not require the decision function to be learned from data. Rather, our results naturally cover a larger class of quantum algorithms whose outcomes are determined by the most likely measurement outcome. Our robustness conditions on quantum states are then simply conditions under which the given measurement outcome remains the most likely outcome.
The remainder of this paper is organized as follows: We first introduce the notations and terminologies and review results from QHT essential for our purpose. We then proceed to formally define quantum classifiers and the assumptions on the threat model. In 'Results', we present our main findings on provable robustness from quantum hypothesis testing. Additionally, these results are demonstrated and visualised with a simple toy example for which we also consider the randomized input setting and analyse specifically randomization with a depolarization channel. In 'Discussion' we conclude with a higher-level view on our findings and lay out several related open problems with an outlook for future research. Finally, in 'Methods', we give proofs for central results: the robustness condition in terms of type-II error probabilities of QHT, the tightness of this result and, finally, the method used to derive robustness conditions in terms of fidelity.

A. Preliminaries
Notation. Let $\mathcal{H}$ be a Hilbert space of finite dimension $d := \dim(\mathcal{H}) < \infty$ corresponding to the quantum system of interest. The space of linear operators acting on $\mathcal{H}$ is denoted by $\mathcal{L}(\mathcal{H})$ and the identity operator on $\mathcal{H}$ is written as $\mathbb{1}$. If not clear from context, the dimensionality is explicitly indicated through the notation $\mathbb{1}_d$. The set of density operators (i.e. positive semi-definite trace-one Hermitian matrices) acting on $\mathcal{H}$ is denoted by $\mathcal{S}(\mathcal{H})$ and elements of $\mathcal{S}(\mathcal{H})$ are written in lowercase Greek letters. The Dirac notation will be adopted whereby Hilbert space vectors are written as $|\psi\rangle$ and their dual as $\langle\psi|$. We will use the terminology density operator and quantum state interchangeably. For two Hermitian For a Hermitian operator $A \in \mathcal{L}(\mathcal{H})$ with spectral decomposition $A = \sum_i \lambda_i P_i$, we write $\{A > 0\} := \sum_{i:\,\lambda_i > 0} P_i$ (and analogously $\{A < 0\} := \sum_{i:\,\lambda_i < 0} P_i$) for the projection onto the eigenspace of $A$ associated with positive (negative) eigenvalues. The Hermitian transpose of an operator $A$ is written as $A^\dagger$ and the complex conjugate of a complex number $z \in \mathbb{C}$ as $\bar{z}$. For two density operators $\rho$ and $\sigma$, the trace distance is defined as $T(\rho, \sigma) := \frac{1}{2}\|\rho - \sigma\|_1$ where $\|\cdot\|_1$ is the Schatten 1-norm defined on $\mathcal{L}(\mathcal{H})$ and given by
Uhlmann fidelity between density operators $\rho$ and $\sigma$ is denoted by $F$ and defined as $F(\rho, \sigma) := \left(\mathrm{Tr}\left[\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}}\right]\right)^2$, which for pure states reduces to the squared overlap $F(|\psi\rangle, |\phi\rangle) = |\langle\psi|\phi\rangle|^2$. Finally, the Bures metric is denoted by $d_B$ and is closely related to the Uhlmann
In this work, we establish a fundamental connection between QHT and the robustness of quantum classification algorithms against adversarial input perturbations. This connection naturally leads to a robustness condition formulated as a semi-definite program in terms of optimal type-II error probabilities of distinguishing between benign and adversarial states (QHT condition: Theorem 1). Under certain practical assumptions about the class probabilities on benign input, we prove that the QHT condition is optimal (Theorem 2). We then show that the QHT condition implies closed form solutions in terms of explicit robustness bounds on the fidelity, Bures metric and trace distance. We numerically compare an alternative robustness bound directly implied by the definition of trace distance and application of Hölder duality (Lemma 2 & Ref. [18]) with the explicit forms of the robustness bounds arising from QHT (FIG. 2). Based on these technical findings, we provide a practical protocol to assess the resilience of a classifier against adversarial perturbations, a protocol to certify whether a given noisy input has been classified the same as the noiseless input, without requiring access to the latter, and we derive robustness bounds on noise parameters in amplitude and phase damping. Finally, we instantiate our results with a single-qubit pure state example both in the noiseless and depolarization smoothing input scenarios, which allows for numerical comparison of all the known robustness bounds, arising from Hölder duality, differential privacy [17] and QHT (FIG. 5).
[TABLE I (table body not recovered): Tight robustness conditions are indicated in bold font. Table notes: (a) Robustness condition expressed in terms of type-II error probabilities $\beta^*$ associated with an optimal quantum hypothesis test. (b) Independently discovered in Ref. [18].]
Quantum Hypothesis Testing. Typically, QHT is formulated in terms of state discrimination where several quantum states have to be discriminated through a measurement [28]. In binary quantum hypothesis testing, the aim is to decide whether a given unknown quantum system is in one of two states corresponding to the null and alternative hypothesis. Any such test is represented by an operator $0 \le M \le \mathbb{1}_d$, which corresponds to rejecting the null in favor of the alternative. The two central quantities of interest are the probabilities of making a type-I or type-II error. The former corresponds to rejecting the null when it is true, while the latter occurs if the null is accepted when the alternative is true. Specifically, for density operators $\sigma \in \mathcal{S}(\mathcal{H})$ and $\rho \in \mathcal{S}(\mathcal{H})$ describing the null and alternative hypothesis, the type-I error probability is defined as $\alpha(M)$ and the type-II error probability as $\beta(M)$, so that
In the Bayesian setting, the hypotheses $\sigma$ and $\rho$ occur with some prior probabilities $\pi_0$ and $\pi_1$ and one is concerned with finding a test which minimizes the total error probability. A Bayes optimal test $M$ is one that minimizes the posterior probability $\pi_0 \cdot \alpha(M) + \pi_1 \cdot \beta(M)$.
In this paper, we consider asymmetric hypothesis testing (Neyman-Pearson approach) [32], where the two types of errors are associated with a different cost. Given a maximal allowed probability for the type I error, the goal is to minimize the probability of the type II error. Specifically, one aims to solve the semidefinite program (SDP)
Optimal tests can be expressed in terms of projections onto the eigenspaces of the operator $\rho - t\sigma$ where $t$ is a non-negative number. More specifically, for $t \ge 0$ let $P_{t,+} := \{\rho - t\sigma > 0\}$, $P_{t,-} := \{\rho - t\sigma < 0\}$ and $P_{t,0} := \mathbb{1} - P_{t,+} - P_{t,-}$ be the projections onto the eigenspaces of $\rho - t\sigma$ associated with positive, negative and zero eigenvalues. The quantum analogue to the Neyman-Pearson Lemma [35] shows optimality of operators of the form
The choice of the scalar $t \ge 0$ and the operator $X_t$ is such that the preassigned type-I error probability $\alpha_0$ is attained. An explicit construction for these operators is based on the inequalities
where $\alpha_0 \in (0, 1)$ and $\tau(\alpha_0)$ is the smallest nonnegative number such that $\alpha(P_{\tau(\alpha_0),+}) \le \alpha_0$, i.e. $\tau(\alpha_0) := \inf\{t \ge 0 : \alpha(P_{t,+}) \le \alpha_0\}$. These inequalities can be seen from the observation that the function $t \mapsto \alpha(P_{t,+})$ is non-increasing and right-continuous while $t \mapsto \alpha(P_{t,+} + P_{t,0})$ is non-increasing and left-continuous. A detailed proof for this is given in Supplementary Note 1.
[FIG. 1: Adversarial attack. (a) A quantum classifier correctly classifies the (toxic) mushroom as "poisonous". (b) An adversary perturbs the image to fool the classifier into believing that the mushroom is "edible".]
1 and 2. We will henceforth refer to operators of the form (4) as Helstrom operators [32].
Quantum classifiers. We define a $K$-class quantum classifier of states of the quantum system $\mathcal{H}$, described by density operators, as a map $\mathcal{A} : \mathcal{S}(\mathcal{H}) \to \mathcal{C}$ which maps states $\sigma \in \mathcal{S}(\mathcal{H})$ to class labels $k \in \mathcal{C} = \{1, \ldots, K\}$. Any such classifier is described by a completely positive and trace-preserving (CPTP) map $\mathcal{E}$ and a POVM $\{\Pi_k\}_k$. Formally, a quantum state $\sigma$ is passed through the quantum channel $\mathcal{E}$ and then the measurement $\{\Pi_k\}_k$ is performed. Finally, the probability of measuring outcome $k$ is identified with the class probability $y_k(\sigma)$, i.e.
We treat the positive-operator valued measure (POVM) element $\Pi_k$ as a projector $\Pi_k = |k\rangle\langle k| \otimes \mathbb{1}_{d/K}$ which determines whether the output is classified into class $k$. This can be done without loss of generality by Naimark's dilation since $\mathcal{E}$ is kept arbitrary and potentially involves ancillary qubits and a general POVM element can be expressed as a projector on the larger Hilbert space. The final prediction is given by the most likely class
Throughout this paper, we refer to $\mathcal{A}$ as the classifier and to $y$ as the score function. In the context of quantum machine learning, the input state $\sigma$ can be an encoding of classical data by means of, for example, amplitude encoding or otherwise [19,36], or inherently quantum input data, while $\mathcal{E}$ can be realized, for example, by a trained parametrized quantum circuit potentially involving ancillary registers [37]. However, it is worth noting that the above-defined notion of quantum classifier more generally describes the procedure of a broader class of quantum algorithms whose output is obtained by repeated sampling of measurement outcomes.
Quantum adversarial robustness. Adversarial examples are attacks on classification models where an adversary aims to induce a misclassification using typically imperceptible modifications of a benign input example. Specifically, given a classifier $\mathcal{A}$ and a benign input state $\sigma$, an adversary can craft a small perturbation $\sigma \to \rho$ which results in a misclassification, i.e. $\mathcal{A}(\rho) \neq \mathcal{A}(\sigma)$. An illustration for this threat scenario is given in FIG. 1. In this paper, we seek a worst-case robustness guarantee against any possible attack: as long as $\rho$ does not differ from $\sigma$ by more than a certain amount, then it is guaranteed that $\mathcal{A}(\sigma) = \mathcal{A}(\rho)$ independently of how the adversarial state $\rho$ has been crafted. Formally, suppose the quantum classifier $\mathcal{A}$ takes as input a benign quantum state $\sigma \in \mathcal{S}(\mathcal{H})$ and produces a measurement outcome denoted by the class $k \in \mathcal{C}$ with probability $y_k(\sigma) = \mathrm{Tr}[\Pi_k \mathcal{E}(\sigma)]$. Recall that the prediction of $\mathcal{A}$ is taken to be the most likely class $k_A = \arg\max_k y_k(\sigma)$. An adversary aims to alter the output probability distribution so as to change the most likely class by applying an arbitrary quantum operation $\mathcal{E}_A : \mathcal{S}(\mathcal{H}) \to \mathcal{S}(\mathcal{H})$ to $\sigma$ resulting in the adversarial state $\rho = \mathcal{E}_A(\sigma)$. Finally, we say that the classifier $y$ is provably robust around $\sigma$ with respect to the robustness condition $R$, if for any $\rho$ which satisfies $R$, it is guaranteed that $\mathcal{A}(\rho) = \mathcal{A}(\sigma)$.
In the following, we will derive a robustness condition for quantum classifiers with the QHT formalism, which provides a provable guarantee for the outcome of a computation being unaffected by the worst-case input noise or perturbation under a given set of constraints. In the regime where the most likely class is measured with probability lower bounded by $p_A > 1/2$ and the runner up class is less likely than $p_B = 1 - p_A$, we prove tightness of the robustness bound, hence demonstrating that the QHT condition is at least partially optimal. The QHT robustness condition, in its full generality, has an SDP formulation in terms of the optimal type-II error probabilities. We then simplify this condition and derive closed form solutions in terms of Uhlmann fidelity, Bures metric and trace distance between benign and adversarial inputs. The closed form solutions in terms of fidelity and Bures metric are shown to be sufficient and necessary for general states and in the same regime where the SDP formulation is proven to be tight. In the case of trace distance, this can be claimed for pure states, while the bound for mixed states turns out to be weaker. These results stemming from QHT considerations are then contrasted and compared with an alternative approach which directly applies Hölder duality to trace distances to obtain a sufficient robustness condition. The different robustness bounds and robustness conditions are summarized in Table I.

B. Robustness condition from quantum hypothesis testing
Recall that quantum hypothesis testing is concerned with the question of finding measurements that optimally discriminate between two states. A measurement is said to be optimal if it minimizes the probabilities of identifying the quantum system to be in the state $\sigma$, corresponding to the null hypothesis, when in fact it is in the alternative state $\rho$, and vice versa. When considering provable robustness, on the other hand, one aims to find a neighbourhood around a benign state $\sigma$ where the class which is most likely to be measured is constant or, expressed differently, where the classifier cannot discriminate between states. It thus becomes clear that quantum hypothesis testing and classification robustness aim to achieve a similar goal, although viewed from different angles. Indeed, as it turns out, QHT determines the robust region around $\sigma$ to be the set of states (i.e. alternative hypotheses) for which the optimal type-II error probability $\beta^*$ is larger than 1/2.
To establish this connection more formally, we identify the benign state with the null hypothesis $\sigma$ and the adversarial state with the alternative $\rho$. We note that, in the Heisenberg picture, we can identify the score function $y$ of a classifier $\mathcal{A}$ with a POVM $\{\Pi_k\}_k$. For $k_A = \mathcal{A}(\sigma)$, the operator $\mathbb{1} - \Pi_{k_A}$ (and thus the classifier $\mathcal{A}$) can be viewed as a hypothesis test discriminating between $\sigma$ and $\rho$. Notice that, for
Thus, it is guaranteed that $k_A = \mathcal{A}(\rho)$ for any $\rho$ with $\beta^*_{1-p_A}(\sigma, \rho) > 1/2$. The following theorem makes this reasoning concise and extends to the setting where the probability of measuring the second most likely class is upper-bounded by $p_B$.
Theorem 1 (QHT robustness bound). Let $\sigma, \rho \in \mathcal{S}(\mathcal{H})$ be benign and adversarial quantum states and let $\mathcal{A}$ be a quantum classifier with score function $y$. Suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, the score function $y$ satisfies
Then, it is guaranteed that $\mathcal{A}(\rho) = \mathcal{A}(\sigma)$ for any $\rho$ with
To get some more intuition of Theorem 1, we first note that for $p_B = 1 - p_A$, the robustness condition (10) simplifies to
With this, the relation between quantum hypothesis testing and robustness becomes more evident: if the optimal hypothesis test performs poorly when discriminating the two states, then a classifier will predict both states to belong to the same class. In other words, viewing a classifier as a hypothesis test between the benign input $\sigma$ and the adversarial $\rho$, the optimality of the Helstrom operators implies that the classifier $y$ is a worse discriminator and will also not distinguish the states, or, phrased differently, it is robust. This result formalizes the intuitive connection between quantum hypothesis testing and robustness of quantum classifiers.
While the former is concerned with finding operators that are optimal for discriminating two states, the latter is concerned with finding conditions on states for which a classifier does not discriminate.
Optimality. The robustness condition (10) from QHT is provably optimal in the regime of $p_A + p_B = 1$, which covers binary classifications in full generality and multiclass classification where the most likely class is measured with probability larger than $p_A > \frac{1}{2}$. The robustness condition is tight in the sense that, whenever condition (10) is violated, then there exists a classifier $\mathcal{A}$ which is consistent with the class probabilities (9) on the benign input but which will classify the adversarial input differently from the benign input. The following theorem demonstrates this notion of tightness by explicitly constructing the worst-case classifier $\mathcal{A}$.
Theorem 2 (Tightness). Suppose that $p_A + p_B = 1$. Then, if the adversarial state $\rho$ violates condition (10), there exists a quantum classifier $\mathcal{A}$ that is consistent with the class probabilities (9) and for which $\mathcal{A}(\rho) \neq \mathcal{A}(\sigma)$.
The main idea of the proof relies on the explicit construction of a "worst-case" classifier with Helstrom operators which classifies $\rho$ differently from $\sigma$ while still being consistent with the class probabilities (9). We refer the reader to 'Methods' for a detailed proof. Whether or not the QHT robustness condition is tight for $p_A + p_B < 1$ is an interesting open question for future research. It turns out that a worst-case classifier which is consistent with $p_A$ and $p_B$ for benign input but leads to a different classification on adversarial input upon violating condition (10), if it exists, is more challenging to construct for these cases. If such a tightness result for all class probability regimes would be proven, there would be a complete characterization for the robustness of quantum classifiers.

C. Closed form robustness conditions
Although Theorem 1 provides a general condition for robustness with provable tightness, it is formulated as a semidefinite program in terms of type-II error probabilities of QHT. To get a more intuitive and operationally convenient perspective, we wish to derive a condition for robustness in terms of a meaningful notion of difference between quantum states. Specifically, based on Theorem 1, here we derive robustness conditions expressed in terms of Uhlmann's fidelity $F$, Bures distance $d_B$ and in terms of the trace distance $T$. To that end, we first concentrate on pure state inputs and will then leverage these bounds to mixed states. Finally, we show that expressing robustness in terms of fidelity or Bures distance results in a tight bound for both pure and mixed states, while for trace distance the same can only be claimed in the case of pure states.
Pure states. We first assume that both the benign and the adversarial states are pure. This assumption allows us to first write the optimal type-II error probabilities $\beta^*_\alpha(\rho, \sigma)$ as a function of $\alpha$ and the fidelity between $\rho$ and $\sigma$. This leads to a robustness bound on the fidelity and subsequently to a bound on the trace distance and on the Bures distance. Finally, since these conditions are equivalent to the QHT robustness condition (10), Theorem 2 implies tightness of these bounds.
Lemma 1. Let $|\psi_\sigma\rangle, |\psi_\rho\rangle \in \mathcal{H}$ and let $\mathcal{A}$ be a quantum classifier. Suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, we have $k_A = \mathcal{A}(\psi_\sigma)$ and suppose that the score function $y$ satisfies (9). Then, it is guaranteed that
where the function $g$ is given by
This condition is equivalent to (10) and is hence both sufficient and necessary whenever $p_A + p_B = 1$.
This result thus provides a closed form robustness bound which is equivalent to the SDP formulation in condition (10) and is hence sufficient and necessary in the regime $p_A + p_B = 1$. We remark that, under this assumption, the robustness bound (12) has the compact form
Due to its relation with the Uhlmann fidelity, it is straightforward to obtain a robustness condition in terms of Bures metric. Namely, the condition
is equivalent to (10). Furthermore, since the states are pure, we can directly link (12) to a bound in terms of the trace distance via the relation
is equivalent to (10). Due to the equivalence of these bounds to (10), Theorem 2 applies and it follows that both bounds are sufficient and necessary in the regime where $p_A + p_B = 1$. In the following, we will extend these results to mixed states and show that both the fidelity and Bures metric bounds are tight.
Mixed states. Reasoning about the robustness of a classifier if the input states are mixed, rather than just for pure states, is practically relevant for a number of reasons. Firstly, in a realistic scenario, the assumption that an adversary can only produce pure states is too restrictive and gives an incomplete picture. Secondly, if we wish to reason about the resilience of a classifier against a given noise model (e.g. amplitude damping), then the robustness condition needs to be valid for mixed states as these noise models typically produce mixed states. Finally, in the case where we wish to certify whether a classification on a noisy input has had the same outcome as on the noiseless input, a robustness condition for mixed states is also required. For these reasons, and having established closed form robustness bounds which are both sufficient and necessary for pure states, here we aim to extend these results to the mixed state setting. The following theorem extends the fidelity bound (12) for mixed states. As for pure states, it is then straightforward to obtain a bound in terms of the Bures metric.
Theorem 3. Let $\sigma, \rho \in \mathcal{S}(\mathcal{H})$ and let $\mathcal{A}$ be a quantum classifier. Suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, we have $k_A = \mathcal{A}(\sigma)$ and suppose that the score function $y$ satisfies (9). Then, it is guaranteed that
where $g$ is defined as in (13). This condition is both sufficient and necessary if $p_A + p_B = 1$.
Proof. To show sufficiency of (17), we notice that $y$ can be rewritten as
where $|\psi_\sigma\rangle$ is a purification of $\sigma$ with purifying system $E$ and $\mathrm{Tr}_E$ denotes the partial trace over $E$. We can thus view $y$ as a score function on the larger Hilbert space which admits the same class probabilities for $\sigma$ and any purification of $\sigma$ (and equally for $\rho$). It follows from Uhlmann's Theorem that there exist purifications $|\psi_\sigma\rangle$ and $|\psi_\rho\rangle$ such that $F(\rho, \sigma) = |\langle\psi_\sigma|\psi_\rho\rangle|^2$. Robustness at $\rho$ then follows from (17) by (18) and Lemma 1. To see that the bound is necessary when $p_A + p_B = 1$, suppose that there exists some $\tilde{r}_F < r_F$ such that $F(\sigma, \rho) > \tilde{r}_F$ implies that $\mathcal{A}(\rho) = \mathcal{A}(\sigma)$. Since pure states are a subset of mixed states, this bound must also hold for pure states. In particular, suppose $|\psi_\rho\rangle$ is such that $\tilde{r}_F < |\langle\psi_\rho|\psi_\sigma\rangle|^2 \le r_F$. However, this is a contradiction, since $|\langle\psi_\rho|\psi_\sigma\rangle|^2 \ge r_F$ is both sufficient and necessary in the given regime, i.e. by Theorem 2, there exists a classifier $\mathcal{A}$ whose score function satisfies (9) and for which $\mathcal{A}(\psi_\sigma) \neq \mathcal{A}(\psi_\rho)$. It follows that $\tilde{r}_F \ge r_F$ and hence the claim of the theorem.
Due to the close relation between Uhlmann fidelity and the Bures metric, we arrive at a robustness condition for mixed states in terms of $d_B$, namely
which inherits the tightness properties of the fidelity bound (17). In contrast to the pure state case, here it is less straightforward to obtain a robustness bound in terms of trace distance. However, we can still build on Lemma 1 and the trace distance bound for pure states (16) to obtain a sufficient robustness condition. Namely, when assuming that the benign state is pure, but the adversarial state is allowed to be mixed, we have the following result.

Corollary 1 (Pure Benign & Mixed Adversarial States).
Let $\sigma, \rho \in \mathcal{S}(\mathcal{H})$ and suppose that $\sigma = |\psi_\sigma\rangle\langle\psi_\sigma|$ is pure. Let $\mathcal{A}$ be a quantum classifier and suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, we have $k_A = \mathcal{A}(\sigma)$ and suppose that the score function $y$ satisfies (9). Then, it is guaranteed that $\mathcal{A}(\rho) = \mathcal{A}(\sigma)$ for any $\rho$ with
We refer the reader to supplementary note 4 for a detailed proof of this result. Intuitively, condition (21) is derived by noting that any convex mixture of robust pure states must also be robust, thus membership of the set of mixed states enclosed by the convex hull of robust pure states (certified by equation (16)) is a natural sufficient condition for robustness. As such, the corresponding robustness radius in condition (21) is obtained by lower-bounding, with triangle inequalities, the radius of the maximal sphere centered at $\sigma$ within the convex hull. However, the generalization from Lemma 1 and equation (16) to Corollary 1, mediated by the above geometrical argument, results in a sacrifice of tightness. How or to what extent such loosening of the explicit bound in the cases of mixed states may be avoided or ameliorated remains an open question. In the following, we compare the trace distance bounds from QHT with a robustness condition derived from an entirely different technique.
We note that a sufficient condition can be obtained from a somewhat straightforward application of Hölder duality for trace norms:
Lemma 2 (Hölder duality bound). Let $\sigma, \rho \in \mathcal{S}(\mathcal{H})$ be arbitrary quantum states and let $\mathcal{A}$ be a quantum classifier. Suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, we have $k_A = \mathcal{A}(\sigma)$ and the score function $y$ satisfies (9). Then, it is guaranteed that $\mathcal{A}(\rho) = \mathcal{A}(\sigma)$ for any $\rho$ with
Proof. Let $\delta := \frac{1}{2}\|\rho - \sigma\|_1 = \sup_{0 \le P \le I} \mathrm{Tr}[P(\rho - \sigma)]$, which follows from Hölder duality. We have that
[FIG. 2: Comparison between robustness bounds in terms of trace distance. (a) Difference $r_Q - r_H$ between the pure state bound derived from QHT $r_Q$, given in Eq. (16), and the Hölder duality bound $r_H$ from Lemma 2. (b) Difference $r_H - \tilde{r}_Q$ between the Hölder duality bound $r_H$ and the bound $\tilde{r}_Q$ derived from the convex hull approximation to the QHT robustness condition from Theorem 1 for mixed adversarial states. It can be seen that the pure state bound $r_Q$ is always larger than $r_H$ which in turn is always larger than the convex hull approximation bound $\tilde{r}_Q$.]
We acknowledge the above robustness bound from Hölder duality was independently discovered in Lemma 1 of Ref. [18]. For intuitive insights, it is worth remarking that the condition (22) stems from comparing the maximum probability of distinguishing σ and ρ with the optimal measurement (Hölder measurement) with the gap between the first two class probabilities on σ. Since no classifier can distinguish σ and ρ better than the Hölder measurement by definition, (22) is clearly a sufficient condition. However, the Hölder measurement on σ does not necessarily result in class probabilities consistent with equation (9). Without additional constraints on desired class probabilities on the benign input, the robustness condition (22) from Hölder duality is stronger than necessary. In contrast, the QHT bound from Theorem 1, albeit implicitly written in the language of hypothesis testing, naturally incorporates such desired constraints. Hence, as expected, this gives rise to a tighter robustness condition.
In summary, the closed form solutions in terms of fidelity and Bures metric completely inherit the tightness of Theorem 1, while for trace distance, tightness is inherited for pure states, but partially lost in Corollary 1 for mixed adversarial states. The numerical comparison between the trace distance bounds from QHT and the Hölder duality bound is shown in a contour plot in FIG. 2.

D. Toy example with single-qubit pure states
We now present a simple example to highlight the connection between quantum hypothesis testing and classification robustness. We consider a single-qubit system which is prepared either in the state $\sigma$ or $\rho$ described by with $\theta_0 \in [0, \pi)$ and $\phi_0 \in [0, 2\pi)$. The state $\sigma$ corresponds to the null hypothesis in the QHT setting and to the benign state in the classification setting. Similarly, $\rho$ corresponds to the alternative hypothesis and adversarial state. The operators which are central to both QHT and robustness are the Helstrom operators (4) which are derived from the projection operators onto the eigenspaces associated with the non-negative eigenvalues of the operator $\rho - t\sigma$. For this example, the eigenvalues are functions of $t \ge 0$ and given by where $\gamma$ is the overlap between $\sigma$ and $\rho$ and given by $\gamma = \cos(\theta_0/2)$. For $t > 0$, the Helstrom operators are then given by the projection onto the eigenspace associated with the eigenvalue $\eta_1 > 0$. The projection operator is given by $M_t = |\eta_1\rangle\langle\eta_1|$ with where $A_1$ is a normalization constant ensuring that $\langle\eta_1|\eta_1\rangle = 1$. Given a preassigned probability $\alpha_0$ for the maximal allowed type-I error probability, we determine $t$ such that $\alpha(M_t) = \alpha_0$.
Hypothesis testing view. In QHT, we are given a specific alternative hypothesis $\rho$ and error probability $\alpha_0$ and are interested in finding the minimal type-II error probability. In this example, we pick $\theta_0 = \pi/3$, $\phi_0 = \pi/6$ for the alternative state and set the type-I error probability to $\alpha_0 = 1 - p_A = 0.1$. These states are graphically represented on the Bloch sphere in FIG. 3. We note that, for this choice of states, we obtain an expression for the eigenvector $|\eta_1\rangle$ given by which yields the type-II error probability

Figure caption: Example classifier for single-qubit quantum states. The decision boundary is represented by the grey disk passing through the origin of the Bloch sphere. The robust region around $\sigma$ is indicated by the dark spherical cap. States belonging to different classes are marked with + and − and are colored red if not classified correctly. The colorbar indicates different values for the optimal type-II error probability $\beta^*_{1-p_A}(\sigma, \rho)$. We see that, for the given classifier, the state $\rho$ is not contained in the robust region around $\sigma$ since the optimal type-II error probability is less than 1/2 as indicated by the colorbar. The state $\rho$ is thus not guaranteed to be classified correctly by every classifier with the same class probabilities. In the asymmetric hypothesis testing view, an optimal discriminator which admits 0.1 type-I error probability for testing $\sigma$ against $\rho$ has type-II error probability 0.44.
We thus see that the optimal hypothesis test can discriminate $\sigma$ and $\rho$ with error probabilities less than 1/2 since on the Bloch sphere they are located far enough apart. However, since $\beta(M_t) \not> 1/2$, Theorem 1 implies that $\rho$ is not guaranteed to be classified equally as $\sigma$ by a classifier which makes a prediction on $\sigma$ with confidence at least 0.9. In other words, the two states are far enough apart to be easily discriminated by the optimal hypothesis test but too far apart to be guaranteed to be robust.
Classification robustness view. In this scenario, in contrast to the QHT view, we are not given a specific adversarial state $\rho$, but rather aim to find a condition on a generic $\rho$ such that the classifier is robust for all configurations of $\rho$ that satisfy this condition. Theorem 1 provides a necessary and sufficient condition for robustness, expressed in terms of $\beta^*$, which, for Recall that the probability and $p_A > 1/2$ is a lower bound to the probability of the most likely class and in this case we set $p_B = 1 - p_A$ to be the upper bound to the probability of the second most likely class. For example, as the QHT view shows, for $\alpha_0 = 1 - p_A = 0.1$ we have that $\beta^*_{1-p_A}(\sigma, \rho) \approx 0.44 < 1/2$ for a state $\rho$ with $\theta_0 = \pi/3$. We thus see that it is not guaranteed that every quantum classifier, which predicts $\sigma$ to be of class $k_A$ with probability at least 0.9, classifies $\rho$ to be of the same class. Now, we would like to find the maximum $\theta_0$, for which every classifier with confidence greater than $p_A$ is guaranteed to classify $\rho$ and $\sigma$ equally. Using the fidelity bound (17), we find the robustness condition on $\theta_0$ In particular, if $p_A = 0.9$, we find that angles $\theta_0 < 2 \cdot \arccos(\sqrt{0.8}) \approx 0.93 < \pi/3$ are certified. Figure 3 illustrates this scenario: the dark region around $\sigma$ contains all states $\rho$ for which it is guaranteed that $A(\rho) = A(\sigma)$ for any classifier $A$ with confidence at least 0.9.
Classifier example. We consider a binary quantum classifier $A$ which discriminates single-qubit states on the upper half of the Bloch sphere (class +) from states on the lower half (class −). Specifically, we consider the dichotomic POVM $\{\Pi_{\theta,\phi}, \mathbb{1}_2 - \Pi_{\theta,\phi}\}$ defined by the projection operator $\Pi_{\theta,\phi} = |\psi_{\theta,\phi}\rangle\langle\psi_{\theta,\phi}|$ where $|\psi_{\theta,\phi}\rangle := \cos(\theta/2)|0\rangle + \sin(\theta/2)e^{i\phi}|1\rangle$ with $\theta = 2 \cdot \arccos(\sqrt{0.9}) \approx 0.644$ and $\phi = \pi/2$. Furthermore, for the rest of this section, we assume that $p_A + p_B = 1$ so that $p_B$ is determined by $p_A$ via $p_B = 1 - p_A$. An illustration of this classification problem is given in Figure 3, where the decision boundary of $A$ is represented by the grey disk crossing the origin of the Bloch sphere. The states marked with a black + correspond to + states which have been classified correctly, states marked with a black − sign correspond to data points correctly classified as − and red states are misclassified by $A$. It can be seen that, since the state $\rho$ has been shown to violate the robustness condition (i.e. $\beta^*_{1-p_A}(\sigma, \rho) \approx 0.44 < 1/2$), it is not guaranteed that $\rho$ and $\sigma$ are classified equally. In particular, for the example classifier $A$ we have $A(\rho) = A(\sigma)$.
In summary, as $p_A \to 1/2$, the robust radius approaches 0. In the QHT view, this can be interpreted in the sense that if the type-I error probability $\alpha_0$ approaches 1/2, then all alternative states can be discriminated from $\sigma$ with type-II error probability less than 1/2. As $p_A \to 1$, the robust radius approaches $\pi/2$. In this regime, the QHT view says that if the type-I error probability $\alpha_0$ approaches 0, then the optimal type-II error probability is smaller than 1/2 only for states in the lower half of the Bloch sphere.
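The numbers of this toy example can be reproduced numerically from the Helstrom construction. The Python sketch below is an added example, not code from the paper: it builds the projector onto the positive eigenvector of ρ − tσ, tunes t until the type-I error equals α0, and then searches for the largest certified angle. It assumes a real basis in which σ = (1, 0) and ρ = (γ, √(1 − γ²)) with γ = cos(θ0/2) (the relative phase does not enter the error probabilities) and the β* > 1/2 form of the robustness condition for p_B = 1 − p_A; all function names are hypothetical.

```python
import math


def helstrom_test(gamma, t):
    """Type-I and type-II errors of the Helstrom projector M_t for rho - t*sigma.

    Assumed real basis: sigma = (1, 0), rho = (gamma, sqrt(1 - gamma^2)),
    where gamma = cos(theta_0 / 2) is the overlap used in the text.
    """
    s = math.sqrt(1.0 - gamma * gamma)
    # rho - t*sigma written as the symmetric matrix [[a, b], [b, c]]
    a, b, c = gamma * gamma - t, gamma * s, s * s
    # Direction of the eigenvector belonging to the largest eigenvalue eta_1
    angle = 0.5 * math.atan2(2.0 * b, a - c)
    alpha = math.cos(angle) ** 2                           # Tr[sigma M_t]
    beta = 1.0 - math.cos(angle - math.acos(gamma)) ** 2   # Tr[rho (1 - M_t)]
    return alpha, beta


def optimal_type2_error(gamma, alpha0, iters=200):
    """beta*_{alpha0}(sigma, rho) for two distinct pure states with overlap gamma."""
    if not 0.0 <= gamma < 1.0:
        raise ValueError("this sketch needs distinct pure states, 0 <= gamma < 1")
    if alpha0 >= gamma * gamma:
        # M = |psi_rho><psi_rho| is feasible (alpha = gamma^2) and has beta = 0
        return 0.0
    lo, hi = 0.0, 1.0
    while helstrom_test(gamma, hi)[0] > alpha0:   # alpha(M_t) decreases with t
        hi *= 2.0
    for _ in range(iters):                        # bisection on t
        mid = 0.5 * (lo + hi)
        if helstrom_test(gamma, mid)[0] > alpha0:
            lo = mid
        else:
            hi = mid
    return helstrom_test(gamma, hi)[1]


def max_certified_angle(p_a, iters=60):
    """Largest Bloch angle theta_0 for which beta*_{1 - p_A} > 1/2 still holds."""
    lo, hi = 0.0, math.pi
    for _ in range(iters):                        # beta* decreases with theta_0
        mid = 0.5 * (lo + hi)
        if optimal_type2_error(math.cos(mid / 2.0), 1.0 - p_a) > 0.5:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    beta = optimal_type2_error(math.cos(math.pi / 6.0), 0.1)  # theta_0 = pi/3
    print(f"beta* at theta_0 = pi/3, alpha_0 = 0.1: {beta:.3f}")
    print(f"largest certified theta_0 for p_A = 0.9: {max_certified_angle(0.9):.3f}")
```

The search over θ0 lands on the same threshold as the closed-form fidelity condition quoted above, which is the tightness statement of the section in numerical form.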

E. Robustness certification
The theoretical results in Section II C provide conditions under which it is guaranteed that the output of a classification remains unaffected if the adversarial (noisy) state and the benign state are close enough, measured in terms of the fidelity, Bures metric, or trace distance. Here, we show how this result can be put to work and make concrete examples of scenarios where reasoning about the robustness is relevant. Specifically, we first present a protocol to assess how resilient a quantum classifier is against input perturbations. Secondly, in a scenario where one is provided with a potentially noisy or adversarial input, we wish to obtain a statement as to whether the classification of the noisy input is guaranteed to be the same as the classification of a clean input without requiring access to the latter. Thirdly, we analyse the robustness of quantum classifiers against known noise models, namely phase and amplitude damping.
Assessing resilience against adversaries. In security critical applications, such as for example the classification of medical data or home surveillance systems, it is critical to assess the degree of resilience that machine learning systems exhibit against actions of malicious third parties. In other words, the goal is to estimate the expected classification accuracy, under perturbations of an input state within $1 - \varepsilon$ fidelity. In the classical machine learning literature, this quantity is called the certified test set accuracy at radius $r$, where distance is typically measured in terms of $\ell_p$-norms, and is defined as the fraction of samples in a test set which has been classified correctly and with a robust radius of at least $r$ (i.e. an adversary cannot change the prediction with a perturbation of magnitude less than $r$). We can adapt this notion to the quantum domain and, given a test set consisting of pairs of labelled samples, the certified test set accuracy at fidelity $1 - \varepsilon$ is given by where $r_F(\sigma)$ is the minimum robust fidelity (17) for sample $\sigma$ and $\mathbb{1}$ denotes the indicator function. To evaluate this quantity, we need to obtain the prediction and to calculate the minimum robust fidelity for each sample $\sigma \in T$ as a function of the class probabilities $y_k(\sigma)$. In practice, in the finite sampling regime, we have to estimate these quantities by sampling the quantum circuit $N$ times. To that end, we use Hoeffding's inequality so that the bounds hold with probability at least $1 - \alpha$. Specifically, we run the following steps to certify the robustness for a given sample $\sigma$:

1. Apply the quantum circuit $N$ times to $\sigma$ and perform the $|C|$-outcome measurement $\{\Pi_k\}_{k=1}^{|C|}$ each time. Store the outcomes in variables $n_k$ for every $k \in C$.
3. If $\hat{p}_A > 1/2$, set $\hat{p}_B = 1 - \hat{p}_A$ and calculate the minimum robust fidelity $r_F$ according to (17) and return $(k_A, r_F)$; otherwise abstain from certification.
Executing these steps for a given sample $\sigma$ returns the true minimum robust fidelity with probability $1 - \alpha$, which follows from Hoeffding's inequality with $\Lambda_k = E^\dagger(\Pi_k)$ and setting $\delta = \sqrt{-\ln(\alpha)/2N}$. In supplementary note 6, this algorithm is shown in detail in Protocol 1.
Certification for noisy inputs. In practice, inputs to quantum classifiers are typically noisy. This noise can occur either due to imperfect implementation of the state preparation device, or due to an adversary which interferes with state or gate preparation. Under the assumption that we know that the state has been prepared with fidelity at least $1 - \varepsilon$ to the noiseless state, we would like to know whether this noise has altered our prediction, without having access to the noiseless state. Specifically, given the classification result, which is based on the noisy input, we would like to have the guarantee that the classifier would have predicted the same class, had it been given the noiseless input state. This would allow the conclusion that the result obtained from the noisy state has not been altered by the presence of noise. To obtain this guarantee, we leverage Theorem 3 in the following protocol. Let $\rho$ be a noisy input with $F(\rho, \sigma) > 1 - \varepsilon$ where $\sigma$ is the noiseless state and let $A$ be a quantum classifier with quantum channel $E$ and POVM $\{\Pi_k\}_k$. Similar to the previous protocol, we again need to take into account that in practice we can sample the quantum circuit only a finite number of times. Thus, we again use Hoeffding's inequality to obtain estimates for the class probability $p_A$ which hold with probability at least $1 - \alpha$. The protocol then consists of the following steps:

1. Apply the quantum circuit $N$ times to the (noisy) state $\rho$ and perform the $|C|$-outcome measurement $\{\Pi_k\}_{k=1}^{|C|}$ each time. Store the outcomes in variables $n_k$ for every $k \in C$.
3. If $\hat{p}_A > 1/2$, set $\hat{p}_B = 1 - \hat{p}_A$ and calculate the minimum robust fidelity $r_F$ according to (17) using $\hat{p}_A$; otherwise, abstain from certification.
Running these steps, along with a classification, allows one to certify that the classification has not been affected by the noise, i.e. that the same classification outcome would have been obtained on the noiseless input state.
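Both protocols above (certified test set accuracy and certification for noisy inputs) reduce to the same finite-sample computation, sketched here in Python as an added example that is not the paper's Protocol 1. Assumptions: the step between 1 and 3 is taken to be a one-sided Hoeffding lower bound on the frequency of the most frequent class; the minimum robust fidelity is evaluated with the closed form 1/2 + √(p_A(1 − p_A)) for p_B = 1 − p_A, which reproduces the value 0.8 at p_A = 0.9 used in the toy example; a sample counts as certified at fidelity 1 − ε when r_F ≤ 1 − ε. Function names and measurement records are constructed for illustration.

```python
import math
from collections import Counter


def hoeffding_lower_bound(n_k, n_shots, alpha):
    """Lower bound on a class probability that holds with probability >= 1 - alpha."""
    delta = math.sqrt(-math.log(alpha) / (2.0 * n_shots))
    return max(0.0, n_k / n_shots - delta)


def min_robust_fidelity(p_a):
    """Fidelity threshold r_F for p_B = 1 - p_A (assumed closed form, see lead-in)."""
    return 0.5 + math.sqrt(p_a * (1.0 - p_a))


def certify(outcomes, alpha=0.001):
    """Return (k_A, r_F) for one sample's measurement record, or None to abstain."""
    if not outcomes:
        raise ValueError("need at least one measurement outcome")
    k_a, n_a = Counter(outcomes).most_common(1)[0]
    p_a_hat = hoeffding_lower_bound(n_a, len(outcomes), alpha)
    if p_a_hat <= 0.5:
        return None                      # confidence too low: abstain
    return k_a, min_robust_fidelity(p_a_hat)


def certified_accuracy(test_set, eps, alpha=0.001):
    """Fraction of (outcomes, label) pairs predicted correctly with r_F <= 1 - eps."""
    hits = 0
    for outcomes, label in test_set:
        cert = certify(outcomes, alpha)
        if cert is not None and cert[0] == label and cert[1] <= 1.0 - eps:
            hits += 1
    return hits / len(test_set)


def prediction_unaffected_by_noise(noisy_outcomes, eps, alpha=0.001):
    """Noisy-input protocol: the input has fidelity > 1 - eps to the clean state."""
    cert = certify(noisy_outcomes, alpha)
    return cert is not None and cert[1] <= 1.0 - eps


# Constructed measurement records (N = 1000 shots each) with their true labels.
CONSTRUCTED_TEST_SET = [
    (["+"] * 950 + ["-"] * 50, "+"),    # confident and correct
    (["-"] * 700 + ["+"] * 300, "-"),   # correct, but only robust very close by
    (["+"] * 520 + ["-"] * 480, "+"),   # lower bound below 1/2: abstain
    (["+"] * 900 + ["-"] * 100, "-"),   # confident but misclassified
]

if __name__ == "__main__":
    for eps in (0.01, 0.1):
        acc = certified_accuracy(CONSTRUCTED_TEST_SET, eps)
        print(f"certified accuracy at fidelity {1 - eps:.2f}: {acc:.2f}")
```

The abstain branch matters in practice: with few shots the Hoeffding correction can push a correct majority vote below 1/2, so the number of shots N bounds how small a margin can ever be certified.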
Robustness for known noise models. Now, we analyse the robustness of a quantum classifier against known noise models which are parametrized by a noise parameter $\gamma$. Specifically, we investigate robustness against phase damping and amplitude damping. Using Theorem 3, we calculate the fidelity between the clean input $\sigma$ and the noisy input $N_\gamma(\sigma)$ and rearrange the robustness condition (17) such that it yields a bound on the maximal noise which the classifier tolerates.
Phase damping describes the loss of quantum information without losing energy. For example, it describes how electronic states in an atom are perturbed upon interacting with distant electrical charges. The quantum channel corresponding to this noise model can be expressed in terms of Kraus operators which are given by where $\gamma$ is the noise parameter. From this description alone, we can see that a system which is in the $|0\rangle$ or $|1\rangle$ state is always robust against all noise parameters in this model as it acts trivially on $|0\rangle$ and $|1\rangle$. Any such behaviour should hence be reflected in the tight robustness condition we derive from QHT. Indeed, for a pure state $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, Theorem 3 leads to the robustness condition $\gamma \le 1$ if $\alpha = 0$ or $\beta = 0$ and, for any $\alpha, \beta \ne 0$, where $r_F = \frac{1}{2}(1 + g(p_A, p_B))$ is the fidelity bound from Theorem 3 and $p_A$, $p_B$ are the corresponding class probability bounds. This bound is illustrated in FIG. 4 as a function of $|\alpha|^2$ and $p_A$. The expected behaviour towards the boundaries can be seen in the plot, namely that when $|\alpha|^2 \to \{0, 1\}$, then the classifier is robust under all noise parameters $\gamma \le 1$.
Amplitude damping models effects due to the loss of energy from a quantum system (energy dissipation). For example, it can be used to model the dynamics of an atom which spontaneously emits a photon. The quantum channel corresponding to this noise model can be written in terms of Kraus operators where $\gamma$ is the noise parameter and can be interpreted as the probability of losing a photon. It is clear from the Kraus decomposition that the $|0\rangle$ state remains unaffected. This again needs to be reflected by a tight robustness condition. For a pure state $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, Theorem 3 leads to the robustness condition $\gamma \le 1$ if $|\alpha| = 1$ and, for any $\alpha, \beta \ne 0$, where again $r_F = \frac{1}{2}(1 + g(p_A, p_B))$ is the fidelity bound from Theorem 3. This bound is illustrated in FIG. 4 as a function of $|\alpha|^2$ and $p_A$. It can be seen again that the bound shows the expected behaviour, namely that when $|\alpha|^2 \to 1$, then the classifier is robust under all noise parameters $\gamma \le 1$.

Figure caption: Robustness against known noise models. Both plots show the maximal noise parameter $\gamma$ for which the classifier $A$ is still guaranteed to be robust, for (a) phase damping and (b) amplitude damping, when classifying a pure state input $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$. In (a), we can see that for states $|0\rangle$ and $|1\rangle$, the classifier is robust against any $\gamma \le 1$, while for (b) the same holds if the input state is $|1\rangle$.
We remark that, in contrast to the previous protocol, here we assume access to the noiseless state σ and we compute the robustness condition on the noise parameter based on the classification of this noiseless state. This can be used in a scenario where a quantum classifier is developed and tested on one device, but deployed on a different device with different noise sources.

F. Randomized inputs with depolarization smoothing
In the previous section, we looked at robustness of quantum classifiers against certain types of noise, either with respect to a known noise model, or with respect to unknown, potentially adversarial, noise. Here we take a different viewpoint, and investigate how robustness against unknown noise sources can be enhanced by harnessing depolarization noise. This is led by the intuition that noise can be exploited to increase robustness and privacy. We first provide background on randomized smoothing, a technique for provable robustness from classical machine learning. We then proceed to present provable robustness in terms of trace distance which is equivalent to the robustness condition (10) from Theorem 1 but with depolarized inputs. The bound is then compared numerically with the Hölder duality bound from Lemma 2 and with a result obtained recently from quantum differential privacy [17].

Randomized smoothing. Randomized smoothing is a technique that has recently been proposed to certify the robustness and obtain tight provable robustness guarantees in the classical setting [26]. The key idea is to randomize inputs to classifiers by perturbing them with additive Gaussian noise. This results in smoother decision boundaries which in turn leads to improved robustness to adversarial attacks. In this section, we extend this concept to the quantum setting by interpreting quantum noise channels as "smoothing" channels. The idea of harnessing actively induced input noise in quantum classifiers to increase robustness has recently been proposed in Ref. [17] where a robustness bound with techniques from quantum differential privacy has been derived. In the following, we take a similar path and consider a depolarization noise channel and analytically derive a larger robustness radius for pure single-qubit input states.
Quantum channel smoothing: depolarization. Consider depolarization noise which maps a state $\sigma$ onto a linear combination of itself and the maximally mixed state where $p \in (0, 1)$ is the depolarization parameter and $d$ is the dimensionality of the underlying Hilbert space. In single-qubit scenarios, this can geometrically be interpreted as a uniform contraction of the Bloch sphere parametrized by $p$, pushing quantum states towards the completely mixed state. Analogously to classical randomized smoothing, we apply a depolarization channel to inputs before passing them through the classifier in order to artificially randomize the states and increase robustness against adversarial attacks. We then obtain a robustness guarantee by instantiating Theorem 1 in the following way. Let $\sigma$ be a benign input state and suppose that the classifier $A$ with score function $y$ satisfies Then $A$ is robust at $E^{\mathrm{dep}}_p(\rho)$ for any adversarial input state $\rho$ which satisfies the robustness condition (10), where $\beta^*$ is the optimal type-II error probability for testing $E^{\mathrm{dep}}_p(\sigma)$ against $E^{\mathrm{dep}}_p(\rho)$. In particular, if $\sigma$ and $\rho$ are single-qubit pure states and in the case where we have $p_A + p_B = 1$, the robustness condition can be equivalently expressed in terms of the trace distance as $T(\rho, \sigma) < r_Q(p)$ with where A detailed derivation of this bound is given in supplementary note 5. The Hölder bound from Lemma 2 can also be adapted to the noisy setting. Specifically, since for two states $\sigma$ and $\rho$, the trace distance obeys $T(E^{\mathrm{dep}}_p(\rho), E^{\mathrm{dep}}_p(\sigma)) = (1 - p) \cdot T(\rho, \sigma)$, Lemma 2 implies robustness given that the trace distance is less than $T(\rho, \sigma) < r_H(p)$ where It has been shown in Ref. [17] that naturally occurring noise in a quantum circuit can be harnessed to increase the robustness of quantum classification algorithms. Specifically, using techniques from quantum differential privacy, a robustness bound expressible in terms of the class probabilities $p_A$ and the depolarization parameter $p$ has been derived. Written in our notation and for single-qubit binary classification, the bound can be written as and robustness is guaranteed for any adversarial state $\rho$ with $T(\rho, \sigma) < r_{DP}(p)$. The three bounds are compared graphically in FIG. 5 for different values of the noise parameter $p$, showing that the QHT bound gives rise to a tighter robustness condition for all values of $p$.

Figure caption (beginning missing): , Hölder duality $r_H(p)$ and quantum differential privacy $r_{DP}(p)$ [17] with different levels of depolarization noise $p$.
It is worth remarking that although the QHT robustness bounds can be, as shown here for the case of applying depolarization channel, enhanced by active input randomization, it already presents a valid, non-trivial condition with noiseless (without smoothing) quantum input (Theorems 1, 3, Corollary 1 and Lemma 2). This contrasts with the deterministic classical scenario, where the addition of classical noise sources to the input state is necessary to generate a probability distribution corresponding to the input data, from which an adversarial robustness bound can be derived [26]. This distinction between the quantum and classical settings roots in the probabilistic nature of measurements on quantum states, which of course applies to both pure and mixed state inputs.

III. DISCUSSION
We have seen how a fundamental connection between adversarial robustness of quantum classifiers and quantum hypothesis testing (QHT) can be leveraged to provide a powerful framework for deriving optimal conditions for robustness certification. The robustness condition is provably tight when expressed in the SDP formulation in terms of optimal error probabilities for binary classifications or, more generally, for multiclass classifications where the probability of the most likely class is greater than 1/2. The corresponding closed form expressions arising from the SDP formulation are proved to be tight for general states when expressed in terms of fidelity and Bures distance, whereas in terms of trace distance, tightness holds only for pure states. These bounds give rise to (1) a practical robustness protocol for assessing the resilience of a quantum classifier against adversarial and unknown noise sources; (2) a protocol to verify whether a classification given a noisy input has had the same outcome as a classification given the noiseless input state, without requiring access to the latter, and (3) conditions on noise parameters for amplitude and phase damping channels, under which the outcome of a classification is guaranteed to remain unaffected. Furthermore, we have shown how using a randomized input with depolarization channel enhances the QHT bound, consistent with previous results, in a manner akin to randomized smoothing in robustness certification of classical machine learning.
A key difference between the quantum and classical formalism is that quantum states themselves have a naturally probabilistic interpretation, even though the classical data that could be embedded in quantum states do not need to be probabilistic. We now know that both classical and quantum optimal robustness bounds for classification protocols depend on bounds provided by hypothesis testing. However, hypothesis testing involves the comparison of probability distributions, which can only be possible in the classical case with the addition of stochastic noise sources if the classical data is initially non-stochastic. This means that the optimal robustness bounds in the classical case only exist for noisy classifiers which also require training under the additional noise [26]. This is in contrast to the quantum scenario. Our quantum adversarial robustness bound can be proved independently of randomized input, even though it can be enhanced by it, like through a depolarization channel. Thus, in the quantum regime, unlike in the classical deterministic scenario, we are not forced to consider training under actively induced noise.
Our optimal provable robustness bound and the connection to quantum hypothesis testing also provide a first step towards more rigorously identifying the limitations of quantum classifiers in their power of distinguishing between quantum states. Our formalism hints at an intimate relationship between these fundamental limitations in the accuracy of distinguishing between different classes of states and robustness. This could shed light on the robustness and accuracy trade-offs observed in classification protocols [38] and is an important direction of future research. It is also of independent interest to explore possible connections between tasks that use quantum hypothesis testing, such as quantum illumination [33] and state discrimination [39], with accuracy and robustness in quantum classification.

A. Proof of Theorem 1
The proof of this theorem is based on showing that the measurement operators of the classifier can be viewed as an operator which is feasible for the SDP (3). Specifically, note that in the Heisenberg picture we can write the score function $y$ of the classifier $A$ as where $\Lambda_k := E^\dagger(\Pi_k)$. Since $E$ is a CPTP map, its dual is completely positive and unital and thus $0 \le \Lambda_k \le \mathbb{1}$ and Note that the operator $\mathbb{1} - \Lambda_{k_A}$ is feasible for the SDP $\beta^*_{1-p_A}(\sigma, \rho)$ since by assumption It follows that Similarly, let $k \ne k_A$ be arbitrary. Then, the operator $\Lambda_k$ is feasible for the SDP $\beta^*_{p_B}(\sigma, \rho)$ since and hence Since $k \ne k_A$ is arbitrary, it follows that if $\rho$ satisfies then it is guaranteed that and thus $A(\rho) = A(\sigma)$.

B. Proof of Theorem 2
Note that, since $p_B = 1 - p_A$ by assumption, the robustness condition (10) reads Let $M_A$ be an optimizer of the corresponding SDP such that $\alpha(M_A) = 1 - p_A$ and Consider the classifier $A$ with score function $y$ defined by the POVM $\{\mathbb{1} - M_A, M_A, 0\}$ where the number of 0 operators is such that $y$ has the desired number of classes. The score function $y$ is consistent with the class probabilities (9) since Furthermore, if $\rho$ violates (55), then we have and thus, in particular $A(\rho) = k_A = A(\sigma)$.

C. Fidelity robustness condition
Recall that the robustness condition in Theorem 1 is expressed in terms of the SDP from the Neyman-Pearson approach to quantum hypothesis testing. Thus, in order to use Theorem 1 to obtain robustness bounds in terms of a meaningful distance between quantum states, we need to connect the optimal type-II error with this distance. Here, we look specifically at the fidelity between pure quantum states and sketch the proof for Lemma 1. We refer the reader to supplementary note 3 for details.
Proof of Lemma 1 (sketch). The key challenge to proving this result is connecting the robustness condition (10), written in terms of type-II error probabilities, to the fidelity $F$ which, for pure states, is given by the squared overlap $|\langle\psi_\sigma|\psi_\rho\rangle|^2$. It is well known that optimizers to the SDP (3) are given by Helstrom operators $M_t$, which can be expressed in terms of the projection onto the positive and null eigenspaces of the operator $\rho - t\sigma$. The first step is thus to solve the eigenvalue problem which, for pure states, can be expressed in terms of the squared overlap $|\langle\psi_\sigma|\psi_\rho\rangle|^2$. Given these solutions, one then derives an expression for the Helstrom operators $M_A$ and $M_B$ with type-I error probabilities $1 - p_A$ and $p_B$ respectively. This leads to the robustness condition $\beta(M_A; \rho) + \beta(M_B; \rho) > 1$ being an inequality which can be rewritten as a condition on the fidelity which takes the desired form (12).
In a similar manner, one can derive the trace-distance bound for depolarized input states presented in the 'Results' section of this paper. The full proof for the robustness bound in equation (43)

AUTHOR CONTRIBUTIONS
The main idea was conceived by C.Z. in discussion with Z.Z. and M.W. Key insights to adversarial quantum learning were provided by N.L. while B.L. contributed to central insights to robustness in machine learning. The work on QHT, the resulting QHT condition and the derivation for closed form bounds for pure and depolarized states was completed by M.W. The extension of the fidelity bound to the mixed state case was completed by M.W. and Z.Z. The different trace distance bounds for mixed states were derived by Z.Z. The proof for optimality was done by M.W. and Z.Z. The noisy input scenario and the example were initiated by N.L. and completed by M.W. All authors contributed to the manuscript.

Supplementary Information for "Optimal Provable Robustness of Quantum Classification via Quantum Hypothesis Testing"

Here, we provide detailed proofs for the robustness bounds presented in the paper in terms of the fidelity and trace distance, stated in Lemma 1, Corollary 1 and the bound for depolarized inputs (Eq. (43) in the main part). To that end, we first show a collection of technical lemmas related to quantum hypothesis testing with the goal of explicitly constructing Helstrom operators which attain a preassigned level of type-I error probability. These constructions of the Helstrom operators will then be used to derive an expression for the SDP (Eq. (3) in the main part) in terms of the fidelity between the input states.

Supplementary Note 5. TECHNICAL LEMMAS
Preliminaries. We first recall the central quantities of interest. As in the main part of this paper, the null hypothesis corresponds to a benign input state and is described by a density operator $\sigma \in S(H)$ acting on a Hilbert space $H$ of finite dimension $d := \dim(H) < \infty$. The density operator for the alternative hypothesis is denoted by $\rho$ and corresponds to the adversarial state in the classification setting. A quantum hypothesis test is defined by a positive semi-definite operator $0 \le M \le \mathbb{1}_d$ and the type-I and type-II error probabilities associated with $M$ are denoted by $\alpha$ and $\beta$ and are defined by Helstrom operators are then defined as Finally, recall the SDP $\beta^*$ (Eq. (3) in the main part) in the Neyman-Pearson approach to quantum hypothesis testing which, for $\alpha_0 \in [0, 1]$, is defined as The following Lemmas lead to an explicit construction of Helstrom operators attaining a preassigned level of type-I error probability $\alpha_0$ and which are optimizers of the SDP $\beta^*$ (Eq. (3) in the main part). We first show that if a sequence of bounded Hermitian operators $A_n$ converges in operator norm to a bounded Hermitian operator $A$ from above (below), then the projection $\{A_n < 0\}$ ($\{A_n > 0\}$) converges to $\{A < 0\}$ ($\{A > 0\}$) in operator norm. This subsequently allows us to show that the function $t \mapsto \alpha(P_{t,+})$ is non-increasing and continuous from the right, and that $t \mapsto \alpha(P_{t,+} + P_{t,0})$ is non-increasing and continuous from the left. As a consequence, for $\alpha_0 \in [0, 1]$, the quantity is well defined. This implies the chain of inequalities $\alpha(P_{\tau(\alpha_0),+}) \le \alpha_0 \le \alpha(P_{\tau(\alpha_0),+} + P_{\tau(\alpha_0),0})$.
Based on this, we construct a Helstrom operator $M_{\tau(\alpha_0)}$ according to which attains the preassigned type-I error probability $\alpha_0$. We will show that these Helstrom operators are optimal for the SDP $\beta^*_{\alpha_0}(\sigma, \rho)$ in (66), so that Proof. We first show that convergence in operator norm implies that the eigenvalues of $A_n$ converge towards the eigenvalues of $A$. For a linear operator $M$ let $\lambda_k(M)$ denote its $k$-th largest eigenvalue, $\lambda_1(M) \ge \ldots \ge \lambda_q(M)$, where $q \le d$ is the number of distinct eigenvalues of $M$. By the minimax principle (e.g. [40], chapter 3), we can compute $\lambda_k$ for any Hermitian operator $M$ according to Now let $\varepsilon > 0$ and let $n \in \mathbb{N}$ be large enough such that $\|A_n - A\|_{op} < \varepsilon$. Let $|\psi\rangle \in H$ be a normalized state and note that by the Cauchy-Schwarz inequality we have and thus $\langle\psi|A|\psi\rangle - \varepsilon < \langle\psi|A_n|\psi\rangle < \langle\psi|A|\psi\rangle + \varepsilon$.
Hence, for any fixed $k \ge 1$ and any subspace $V \subset \mathcal{H}$ with $\dim(V) = k$, we have and thus, from (73), we see that and hence Alternatively, this can be seen from Weyl's Perturbation Theorem (e.g. [40], ch. 3): namely, since $A$ and $A_n$ are Hermitian, it follows immediately from We will now make use of function theory and the resolvent formalism to show the convergence of the positive and negative eigenprojections. Let $M \in \mathcal{B}(\mathcal{H})$ be Hermitian, let $\sigma(M)$ denote the spectrum of $M$ and, for $\lambda \in \mathbb{C} \setminus \sigma(M)$, let be the resolvent of the operator $M$. The sum is the Neumann series and converges for $\lambda \in \mathbb{C} \setminus \sigma(M)$. Since $M$ is Hermitian, we can write its spectral decomposition in terms of contour integrals over the resolvent where $P_k$ is the orthogonal projection onto the $k$-th eigenspace and the integration is to be understood element-wise. The symbol $(\gamma_k, -)$ indicates that the contour encircles $\lambda_k(M)$ once negatively, but does not encircle any other eigenvalue of $M$. We refer the reader to [41] for a detailed derivation.
We now show part (i) of the Lemma. For ease of notation, let $\lambda_k$ denote the $k$-th eigenvalue of $A$ and $\lambda_{k,n}$ the $k$-th eigenvalue of $A_n$. Since $A_n$ and $A$ are Hermitian operators, we can write the eigenprojections $\{A_n < 0\}$ and $\{A < 0\}$ in terms of the resolvent as where the symbols $(\gamma_k, -)$ and $(\gamma_{k,n}, -)$ indicate that the contours encircle only $\lambda_k$ and $\lambda_{k,n}$ once negatively and no other eigenvalues of $A$ and $A_n$ respectively. Since by assumption $A_n \ge A$ and $A_n$, $A$ are Hermitian, it follows from Weyl's Monotonicity Theorem that $\lambda_{k,n} \ge \lambda_k$. Let $\lambda_K$ be the largest negative eigenvalue of $A$, that is Note that if $A$ is positive semidefinite, then so is $A_n$ and the statement follows trivially from $\{A_n < 0\} = \{A < 0\} = 0$. Thus, without loss of generality, we can assume that at least one eigenvalue of $A$ is negative. Since $\lambda_{k,n} \ge \lambda_k$, and in particular $\lambda_{K-1,n} \ge \lambda_{K-1} \ge 0$, there exists $N_0 \in \mathbb{N}$ large enough such that $\lambda_{K-1,n} \ge 0 > \lambda_{K,n}$ for all $n \ge N_0$. Let $r_0$ be the smallest distance between two eigenvalues of $A$ and let $0 < \varepsilon < \frac{r_0}{2}$. Choose $N_1 \ge N_0$ large enough such that $\max_{k \ge K} |\lambda_{k,n} - \lambda_k| < \varepsilon/2$. Let $0 < \delta < \frac{r_0}{2} - \varepsilon$ and for $k \ge K$ let $B^k_{\delta+\varepsilon} := B_{\delta+\varepsilon}(\lambda_k)$ be the open ball of radius $\delta + \varepsilon$ centered at $\lambda_k$. Note that $\partial B^k_{\delta+\varepsilon}$ encircles both $\lambda_{k,n}$ and $\lambda_k$. Then, for $k \ge K$ and $n \ge N_1$, the mappings are holomorphic functions of $\lambda$ and each has an isolated (simple) singularity at $\lambda_k$ and $\lambda_{k,n}$ respectively. Let $\gamma_{k,n}$ be a contour around $\lambda_{k,n}$ encircling no other eigenvalue of $A_n$. Note that the contours $\gamma_{k,n}$ and $\partial B^k_{\delta+\varepsilon}$ are homotopic (in $B^k_{\delta+\varepsilon} \setminus \{\lambda_{k,n}\}$). Thus, for all $k \ge K$ and $n \ge N_1$, Cauchy's integral Theorem yields With this, we see that for $n \ge N_1$ and thus, by the triangle inequality Furthermore, for any $k$ and $\lambda \in \partial B^k_{\delta+\varepsilon}$, the second resolvent identity yields We now show that the supremum over $\lambda \in \partial B^k_{\delta+\varepsilon}$ in the right hand side of (91) is bounded.
Since both $A$ and $A_n$ are Hermitian, it follows that their resolvent is normal and bounded for $\lambda \in \mathbb{C} \setminus \sigma(A_n)$ and $\lambda \in \mathbb{C} \setminus \sigma(A)$ respectively. The operator norm is thus given by the spectral radius, Note that the eigenvalues of $R_\lambda(A)$ are given by $(\lambda_k(A) - \lambda)^{-1}$. To see this, let $\lambda \in \mathbb{C} \setminus \sigma(A)$ and consider Since $\det(R_\lambda(A)) \neq 0$ it follows that $\mu = 0$ cannot be an eigenvalue. Thus, eigenvalues of $R_\lambda(A)$ satisfy The same reasoning yields an expression for eigenvalues of $R_\lambda(A_n)$. Thus Note that, by the definition of $\delta$, for $\lambda \in \partial B^k_{\delta+\varepsilon}$, the eigenvalue of $A$ which is nearest to $\lambda$ is given by $\lambda_k(A)$. Since this is exactly the center of the ball $B_{\delta+\varepsilon}$, it follows that Similarly, for $\lambda \in \partial B^k_{\delta+\varepsilon}$, the eigenvalue of $A_n$ which is nearest to $\lambda$ is given by $\lambda_k(A_n)$ since $n$ was chosen large enough such that $|\lambda_k(A_n) - \lambda_k(A)| < \varepsilon$ and $\varepsilon < r_0/2$. Since $\delta < \frac{r_0}{2} - \varepsilon$, it follows that the smallest distance from $\partial B^k_{\delta+\varepsilon}$ to $\lambda_k(A_n)$ is exactly $\delta$ and thus Hence, we find that the RHS in (91) is bounded by for $\lambda \in \partial B^k_{\delta+\varepsilon}$. Finally, this yields In an analogous way we can show that where $R$ denotes the index of the smallest positive eigenvalue of $A$. This concludes the proof.
Proof. Let $t \ge 0$ and let $\{t_n\}_{n \in \mathbb{N}} \subseteq [0, \infty)$ be a sequence such that $t_n \downarrow t$ (i.e. $t_n$ converges to $t$ from above). We show that $\lim_{n \to \infty} \alpha(P_{t_n,+}) = \alpha(P_{t,+})$. Define the operators and note that Since, in addition, both $A_n$ and $A$ are Hermitian and $A - A_n = (t_n - t)\sigma \ge 0$, it follows from the second part of Lemma 3 that since operator norm convergence implies convergence in the weak operator topology. This concludes the proof.
Lemma 6. The function $t \mapsto \alpha(P_{t,+} + P_{t,0})$ is continuous from the left.
Proof. Let $\{t_n\}_{n \in \mathbb{N}} \subset [0, \infty)$ be a sequence of non-negative real numbers such that $t_n \uparrow t$ (i.e. $t_n$ converges to $t$ from below). Let $A_n$ and $A$ be the Hermitian operators defined by and note that $A - A_n = (t_n - t)\sigma \le 0$ and $\|A_n - A\|_{op} \to 0$ as $n \to \infty$. It follows from the first part of Lemma 3 that and thus, since operator norm convergence implies convergence in the weak operator topology, we have This concludes the proof.
We notice that for any $0 \le X_t \le P_{t,0}$ we have and and adding zero yields We need to show that $\beta$ and similarly where the inequalities follow from $\mathbb{1} \ge M \ge 0$. Finally, we see that where the last inequality follows from the assumption and $t \ge 0$. Part (ii) now follows directly from part (i) by noting that $0 \le M := \mathbb{1} - M \le \mathbb{1}$ and This concludes the proof.

Supplementary Note 7. PROOF OF LEMMA 1
Lemma 1 (restated). Let $|\psi_\sigma\rangle, |\psi_\rho\rangle \in \mathcal{H}$ and let $\mathcal{A}$ be a quantum classifier. Suppose that for $k_A \in \mathcal{C}$ and $p_A, p_B \in [0, 1]$, we have $k_A = \mathcal{A}(\psi_\sigma)$ and suppose that the score function $y$ satisfies (9). Then, it is guaranteed that $\mathcal{A}(\psi_\rho) = \mathcal{A}(\psi_\sigma)$ for any $\psi_\rho$ with where the function $g$ is given by This condition is equivalent to (10) and is hence both sufficient and necessary whenever $p_A + p_B = 1$.
where $\tau(\alpha_0) := \inf\{t \ge 0 : \alpha(P_{t,+}) \le \alpha_0\}$. We now proceed as follows. We first compute the spectral decomposition of the operator $\rho - t\sigma$ as a function of $t$. With this, we derive an expression for $\alpha(P_{t,+})$ and subsequently compute $\tau(\alpha_0)$. This yields an expression for the Helstrom operators with type-I error probabilities $1 - p_A$ and $p_B$ which can then be used to solve inequality (10) for the fidelity. We thus start by solving the eigenvalue problem Since $\sigma$ and $\rho$ are both pure states, the operator $\rho - t\sigma$ is of rank at most 2. It follows that there are at most two states $|\eta_0\rangle$ and $|\eta_1\rangle$ satisfying (138) with nonzero eigenvalues and, in addition, they are linear combinations of $|\psi_\sigma\rangle$ and $|\psi_\rho\rangle$: $|\eta_k\rangle = z_{k,\sigma}|\psi_\sigma\rangle + z_{k,\rho}|\psi_\rho\rangle$, $k = 0, 1$, with constants $z_{k,\sigma}$ and $z_{k,\rho}$ that are to be determined. Substituting this into (138) yields the system of equations where $\gamma := \langle\psi_\rho|\psi_\sigma\rangle$ is the overlap between states $\rho$ and $\sigma$. The two eigenvalues $\eta_k$ for which these equations possess nonzero solutions are given by with $\eta_0 > 0$ and $\eta_1 \le 0$. With the condition $\langle\eta_k|\eta_k\rangle = 1$, the coefficients $z_{k,\sigma}$ and $z_{k,\rho}$ are then determined as Recall that $P_{t,+} = \sum_{k:\, \eta_k > 0} P_k$ and hence $P_{t,+} = |\eta_0\rangle\langle\eta_0|$. We thus obtain the expression $\alpha(P_{t,+}) = \mathrm{Tr}[\sigma P_{t,+}] = |\langle\eta_0|\psi_\sigma\rangle|^2$ (143). Substituting in the expressions for $\eta_0$ and $R$ yields The next step is to compute $t_A = \tau(1 - p_A)$ and $t_B = \tau(p_B)$. By Lemma 4, the function $t \mapsto g(t) := \alpha(P_{t,+})$ is non-increasing and thus attains its maximum at $t = 0$ Furthermore, note that the only real non-negative discontinuity of $g$ is located at $t = 1$ in the case where $|\gamma|^2 = 1$. Since this corresponds to two identical states we exclude this case in the following and assume $|\gamma| \in [0, 1)$. Notice that, if $\alpha_0 \ge |\gamma|^2$, then we have that $\tau(\alpha_0) = 0$.
Otherwise, if $\alpha_0 < |\gamma|^2$, then we have that $\alpha(P_{t,+}) = \alpha_0$ if $t \ge 0$ is the non-negative root of the polynomial which is calculated as Thus, in summary, we find that $\tau(\alpha_0)$ is given by First, we notice that if $|\gamma|$ In particular, it follows that the robustness condition $\beta^*_{1-p_A}(\sigma, \rho) + \beta^*_{p_B}(\sigma, \rho) > 1$ cannot be satisfied. The same follows in the case where $t_B = 0$. Finally, if $|\gamma|^2 > \max\{p_B, 1 - p_A\}$, then we have that $t_A > 0$ and $t_B > 0$. We notice that $\alpha(P_{t_A,+}) = 1 - p_A$ and $\alpha(P_{t_B,+}) = p_B$ and thus $M_{\tau(1-p_A)} = P_{t_A,+}$ and $M_{\tau(p_B)} = P_{t_B,+}$. Computing the type-II error for $M_{\tau(1-p_A)}$ yields where $|\eta_0\rangle$ corresponds to the eigenvector associated with the eigenvalue $\eta_0$ at $t = t_A$. Similarly, computing the type-II error for $M_{\tau(p_B)}$ yields where $|\eta_0\rangle$ corresponds to the eigenvector associated with the eigenvalue $\eta_0$ at $t = t_B$. With these expressions, it follows that the robustness condition (10), i.e. $\beta(M_{\tau(1-p_A)}) + \beta(M_{\tau(p_B)}) > 1$, is equivalent to which concludes the proof.
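The pure-state procedure of this proof can be checked numerically. The Python code below is an added example, not part of the paper: it diagonalizes $\rho - t\sigma$, finds $\tau(\alpha_0)$ by bisection using the monotonicity of $t \mapsto \alpha(P_{t,+})$, and evaluates the condition $\beta^*_{1-p_A} + \beta^*_{p_B} > 1$. It assumes the type-II error is $\beta(M) = \mathrm{Tr}[\rho(\mathbb{1} - M)]$ (the defining equation is not reproduced above); all function names and the sample states are constructed for illustration.

```python
import numpy as np

def density(psi):
    """Density operator |psi><psi| of a normalized pure state."""
    return np.outer(psi, np.conj(psi))

def proj_pos(rho, sigma, t, tol=1e-12):
    """P_{t,+}: projector onto the positive eigenspace of rho - t*sigma."""
    vals, vecs = np.linalg.eigh(rho - t * sigma)
    v = vecs[:, vals > tol]
    return v @ v.conj().T

def alpha(rho, sigma, t):
    """Type-I error alpha(P_{t,+}) = Tr[sigma P_{t,+}]."""
    return float(np.real(np.trace(sigma @ proj_pos(rho, sigma, t))))

def tau(rho, sigma, alpha0, iters=80):
    """tau(alpha0) = inf{t >= 0 : alpha(P_{t,+}) <= alpha0}, found by bisection
    (valid because t -> alpha(P_{t,+}) is non-increasing)."""
    if alpha(rho, sigma, 0.0) <= alpha0:
        return 0.0
    lo, hi = 0.0, 1.0
    while alpha(rho, sigma, hi) > alpha0:
        lo, hi = hi, 2.0 * hi
        if hi > 1e12:
            raise ValueError("alpha0 is not attained for any finite t")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if alpha(rho, sigma, mid) <= alpha0:
            hi = mid
        else:
            lo = mid
    return hi

def beta_star_pure(psi_sigma, psi_rho, alpha0):
    """Type-II error of the Helstrom operator P_{tau(alpha0),+} for pure states.
    Assumption: beta(M) = Tr[rho (1 - M)]."""
    sigma, rho = density(psi_sigma), density(psi_rho)
    p = proj_pos(rho, sigma, tau(rho, sigma, alpha0))
    return float(np.real(np.trace(rho @ (np.eye(len(rho)) - p))))

def is_certified(psi_sigma, psi_rho, p_a, p_b):
    """Robustness condition beta*_{1-p_A} + beta*_{p_B} > 1."""
    return (beta_star_pure(psi_sigma, psi_rho, 1.0 - p_a)
            + beta_star_pure(psi_sigma, psi_rho, p_b)) > 1.0

def states_with_fidelity(f):
    """Constructed sample: two real qubit states with |<psi_rho|psi_sigma>|^2 = f."""
    return np.array([1.0, 0.0]), np.array([np.sqrt(f), np.sqrt(1.0 - f)])
```

With $p_A = 0.9$ and $p_B = 0.1$, the constructed pair at fidelity 0.85 satisfies the condition and the pair at fidelity 0.75 does not.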
where $\tau(\alpha_0) := \inf\{t \ge 0 : \alpha(P_{t,+}) \le \alpha_0\}$. Let $M_A := M_{\tau(1-p_A)}$ and $M_B := M_{\tau(p_B)}$ and note that by assumption $p_B = 1 - p_A$ and hence $M_A = M_B$. The SDP robustness condition then simplifies to $\beta^*_{1-p_A}(\sigma, \rho) > 1/2$. We now proceed as follows. We first compute the spectral decomposition of the operator $\rho - t\sigma$ as a function of $t$ and relate it to the fidelity between $\sigma$ and $\rho$. With this, we derive an expression for $\alpha(P_{t,+})$ and subsequently compute $\tau(\alpha_0)$.