pith. machine review for the scientific record.

arxiv: 2605.10954 · v1 · submitted 2026-04-30 · 🪐 quant-ph · cs.AI

Recognition: 2 theorem links · Lean Theorem

Controlled Steering-Based State Preparation for Adversarial-Robust Quantum Machine Learning

Authors on Pith: no claims yet

Pith reviewed 2026-05-13 06:19 UTC · model grok-4.3

classification 🪐 quant-ph cs.AI
keywords: quantum machine learning · adversarial robustness · state preparation · steering mechanism · quantum defense · gradient attacks · quantum encoding

The pith

A passive steering step during quantum encoding defends QML models against adversarial attacks, improving adversarial accuracy by up to 40.19 percent.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes replacing the standard quantum encoding step in machine learning models with a controlled state preparation process that uses passive steering. By repeatedly guiding the prepared quantum state toward an intermediate target, with tunable steering strength and iteration count, the method reduces the degree to which small input changes distort the quantum representation. This yields higher accuracy on adversarially perturbed inputs while leaving performance on clean inputs largely unchanged. A sympathetic reader would care because quantum machine learning systems are otherwise fragile to tiny classical perturbations that propagate through the encoding stage, limiting their reliable use.
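The paper's steering operator is not reproduced here, so as a purely hypothetical illustration of the contraction intuition: if each steering iteration pulls the state a fraction `strength` toward a fixed target, the distance between the clean and the perturbed encoding shrinks with every iteration. The toy map below is an assumption for illustration, not the paper's quantum circuit.

```python
import numpy as np

def toy_steer(state, target, strength, iterations):
    """Toy contraction map: each iteration pulls `state` a fraction
    `strength` toward `target`, then renormalizes. This is NOT the
    paper's steering operator; it only illustrates why repeated
    steering attenuates input-induced differences in the encoding."""
    for _ in range(iterations):
        state = (1 - strength) * state + strength * target
        state = state / np.linalg.norm(state)
    return state

# Clean vs. adversarially perturbed encodings of the same input
# (angle-encoded on a single qubit, real amplitudes for simplicity).
target = np.array([1.0, 0.0])
clean = np.array([np.cos(0.30), np.sin(0.30)])
pert  = np.array([np.cos(0.35), np.sin(0.35)])   # small input shift

before = np.linalg.norm(clean - pert)
after = np.linalg.norm(
    toy_steer(clean, target, 0.5, 4) - toy_steer(pert, target, 0.5, 4)
)
print(before, after)  # the steered pair ends up closer than the raw pair
```

The trade-off the paper tunes is visible here: stronger or longer steering collapses both states toward the target, suppressing the perturbation but also erasing the clean signal the classifier needs.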

Core claim

Replacing conventional quantum encoding with passive steering-based controlled state preparation guides the encoded state toward a controlled intermediate state. Tuning the steering strength and the number of iterations suppresses the effect of adversarial perturbations on the resulting quantum state. Experiments across multiple QML models and datasets show consistent gains in adversarial accuracy under gradient-based attacks, with peak improvements reaching 40.19 percent and no notable drop in clean accuracy.

What carries the argument

Passive steering-based controlled state preparation, which iteratively adjusts the quantum state toward a chosen intermediate target by varying steering strength and iteration count.

If this is right

  • The same steering step can be inserted into existing QML pipelines without changing the downstream variational circuit.
  • Parameter tuning offers a single knob that trades off clean versus adversarial performance without attack-specific retraining.
  • The defense applies uniformly to different model sizes and data types as long as the encoding stage is accessible.
  • Gradient-based attacks lose effectiveness because the steered state moves away from the directions those attacks exploit.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same steering logic might stabilize other quantum algorithms that begin with data encoding, such as quantum generative models.
  • Combining steering with classical input preprocessing could produce layered defenses whose total robustness exceeds either alone.
  • Hardware implementations would need to verify that the extra steering operations do not introduce new noise sources that offset the robustness gain.

Load-bearing premise

That tuning steering strength and iteration count can reliably limit unknown adversarial perturbations without lowering clean accuracy or needing knowledge of the specific attack.

What would settle it

An experiment on a previously untested dataset or attack method where adversarial accuracy fails to rise or clean accuracy falls by more than a few percent when the steering parameters are applied.

Figures

Figures reproduced from arXiv: 2605.10954 by Emma Andrews, Hari Krishna Parvatham, Prabhat Mishra, Sahan Sanjaya.

Figure 1. Controlled measurement-induced passive steering [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2. Quanvolution Neural Network (QNN) [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 3. Quantum Convolutional Neural Network (QCNN) [PITH_FULL_IMAGE:figures/full_fig_p002_3.png] view at source ↗
Figure 4. Variational Quantum Classifier (VQC) view at source ↗
Figure 5. Controlled passive steering–based state preparation at the encoding stage as a defense mechanism against adversarial attacks. [PITH_FULL_IMAGE:figures/full_fig_p003_5.png] view at source ↗
Figure 6. Passive steering circuit [PITH_FULL_IMAGE:figures/full_fig_p004_6.png] view at source ↗
Figure 7. State-preparation fidelity using passive steering [PITH_FULL_IMAGE:figures/full_fig_p005_7.png] view at source ↗
Figure 8. Quantum kernel circuits used in the QNN. (a) Conventional angle-encoding circuit with single-qubit rotation gates. [PITH_FULL_IMAGE:figures/full_fig_p006_8.png] view at source ↗
Figure 9. Visual comparison of the outputs produced by standard [PITH_FULL_IMAGE:figures/full_fig_p006_9.png] view at source ↗
Figure 10. Clean test accuracy of the QNN with single-qubit controlled passive steering-based encoding for different steering [PITH_FULL_IMAGE:figures/full_fig_p007_10.png] view at source ↗
Figure 11. Adversarial accuracy under the FGSM attack with perturbation strength [PITH_FULL_IMAGE:figures/full_fig_p007_11.png] view at source ↗
Figure 12. Model test accuracies under FGSM and PGD attacks across different models and datasets for different perturbation [PITH_FULL_IMAGE:figures/full_fig_p009_12.png] view at source ↗
read the original abstract

Quantum machine learning (QML) provides a promising framework for leveraging quantum-mechanical effects in learning tasks. However, its vulnerability to adversarial perturbations remains a major challenge for practical deployment. In QML systems, small perturbations applied to classical inputs can propagate through the quantum encoding stage and distort the resulting quantum state, thereby degrading model performance. In this work, we propose a defense mechanism that replaces the conventional quantum encoding stage of a QML model with passive steering-based controlled state preparation, which guides the encoded state toward a controlled intermediate state. By tuning the steering strength and the number of steering iterations, the proposed method suppresses the influence of adversarial perturbations while maintaining high clean accuracy and improving adversarial accuracy. Experimental results demonstrate that the passive steering-based defense consistently improves adversarial accuracy across different QML models and datasets under gradient-based adversarial attacks, achieving adversarial accuracy improvements of up to 40.19%.
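The gradient-based attacks the abstract refers to are the standard FGSM [20] and PGD [21] constructions. As context (this is the textbook form against a generic differentiable loss, not the paper's QML pipeline), a minimal sketch with a hypothetical toy logistic model standing in for the classifier:

```python
import numpy as np

def fgsm(x, y, loss_grad, eps):
    """Fast Gradient Sign Method (Goodfellow et al. [20]): one step
    of size eps along the sign of the input gradient of the loss."""
    return x + eps * np.sign(loss_grad(x, y))

def pgd(x, y, loss_grad, eps, alpha, steps):
    """Projected Gradient Descent (Madry et al. [21]): iterated
    sign steps of size alpha, projected back into the eps-ball."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(loss_grad(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)
    return x_adv

# Hypothetical stand-in model: logistic regression, with the
# cross-entropy gradient taken with respect to the *input* x.
w = np.array([0.8, -0.4])
def loss_grad(x, y):
    p = 1.0 / (1.0 + np.exp(-x @ w))
    return (p - y) * w          # dL/dx for cross-entropy loss

x = np.array([0.2, 0.7])
x_adv = pgd(x, y=1.0, loss_grad=loss_grad, eps=0.1, alpha=0.03, steps=10)
print(np.max(np.abs(x_adv - x)))  # stays inside the eps-ball around x
```

In the QML setting these perturbations are applied to the classical input before encoding, which is exactly where the paper's steering-based defense intervenes.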

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript proposes replacing the standard quantum encoding stage in QML models with a passive steering-based controlled state preparation procedure. By iteratively steering the encoded state toward an intermediate target state and tuning the steering strength together with the number of iterations, the method is claimed to suppress the effect of gradient-based adversarial perturbations on classical inputs while preserving clean accuracy. Experimental results are reported to show consistent adversarial-accuracy gains of up to 40.19 % across multiple QML architectures and datasets.

Significance. If the empirical gains can be reproduced with attack-agnostic, fixed parameter schedules and shown to generalize beyond the tested models and perturbation regimes, the approach would supply a lightweight, training-free defense layer that exploits quantum state control to improve robustness without requiring attack-specific retraining or architectural changes.

major comments (3)
  1. [Experimental Results] Experimental Results section: the claimed adversarial-accuracy improvements of up to 40.19 % are stated without accompanying details on the number of independent trials, error bars, statistical significance tests, exact baseline implementations, or the precise protocol used to select steering strength and iteration count for each model/dataset combination.
  2. [Method] Method section: no analytic bound or scaling relation is derived that relates steering distance or suppression effectiveness to the magnitude of input perturbations; the central claim that a single choice of parameters reliably suppresses unknown gradient-based attacks therefore rests entirely on post-hoc empirical tuning rather than a parameter-free or provably robust construction.
  3. [Experimental Setup] Experimental Setup: if steering parameters are chosen after observing attack performance (as the skeptic notes), the reported gains may encode attack-specific knowledge; the manuscript must demonstrate that the same fixed parameter pair works for held-out attack strengths and architectures, or provide a validation-based selection procedure independent of the test attacks.
minor comments (2)
  1. [Abstract] Abstract: the term 'passive steering-based controlled state preparation' is introduced without a concise definition or pointer to the underlying quantum operation (e.g., the explicit form of the steering operator).
  2. [Notation] Notation: the mathematical definition of the intermediate target state and the steering operator should be stated explicitly in the main text rather than left at a descriptive level.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments, which help clarify the presentation and strengthen the empirical support for our method. We address each major point below and will incorporate the suggested clarifications and additional experiments in the revised manuscript.

read point-by-point responses
  1. Referee: [Experimental Results] Experimental Results section: the claimed adversarial-accuracy improvements of up to 40.19 % are stated without accompanying details on the number of independent trials, error bars, statistical significance tests, exact baseline implementations, or the precise protocol used to select steering strength and iteration count for each model/dataset combination.

    Authors: We agree that these statistical and procedural details are essential for reproducibility. In the revised manuscript we will report results averaged over 10 independent trials with different random seeds, include error bars as standard deviations, and add paired t-test p-values comparing the defended model against the baseline. We will explicitly state that the baseline is standard angle encoding without steering, and describe the parameter-selection protocol as a grid search performed on a held-out validation split (20% of training data) that maximizes adversarial accuracy subject to clean accuracy remaining above 85%. revision: yes

  2. Referee: [Method] Method section: no analytic bound or scaling relation is derived that relates steering distance or suppression effectiveness to the magnitude of input perturbations; the central claim that a single choice of parameters reliably suppresses unknown gradient-based attacks therefore rests entirely on post-hoc empirical tuning rather than a parameter-free or provably robust construction.

    Authors: We acknowledge that the present work is empirical and does not derive an analytic bound relating steering distance to perturbation magnitude. Such a bound would require a detailed perturbative analysis of the controlled steering operator acting on the encoded state, which lies outside the scope of this initial study. In the revision we will add a dedicated paragraph in the Discussion section that explains the observed robustness in terms of the contraction property of the steering map toward the intermediate target state and why small classical perturbations are attenuated before they reach the variational circuit. revision: partial

  3. Referee: [Experimental Setup] Experimental Setup: if steering parameters are chosen after observing attack performance (as the skeptic notes), the reported gains may encode attack-specific knowledge; the manuscript must demonstrate that the same fixed parameter pair works for held-out attack strengths and architectures, or provide a validation-based selection procedure independent of the test attacks.

    Authors: We will clarify that parameter selection was performed exclusively on a validation set generated from training data using a fixed attack strength (ε=0.1) and was never tuned on the test attacks. In the revised version we will add new experiments showing that the same fixed (strength, iteration) pairs, chosen via the validation procedure, maintain adversarial-accuracy gains on held-out attack strengths (ε=0.05 and ε=0.2) and on an additional QML architecture (quantum convolutional network) not used during tuning. These results will be presented in a new subsection titled “Generalization of Steering Parameters.” revision: yes
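The validation-based selection protocol described in the rebuttal amounts to a constrained grid search. The sketch below is an editorial illustration of that protocol; the accuracy surfaces are hypothetical placeholders, not the authors' code or results.

```python
import itertools

def select_steering_params(strengths, iteration_counts,
                           clean_acc, adv_acc, clean_floor=0.85):
    """Grid search on a validation split: maximize adversarial
    accuracy subject to clean accuracy staying above `clean_floor`,
    as in the rebuttal's protocol. `clean_acc` and `adv_acc` are
    placeholder callables (strength, iters) -> accuracy, evaluated
    on validation data only -- never on the test attacks."""
    best, best_adv = None, -1.0
    for s, k in itertools.product(strengths, iteration_counts):
        if clean_acc(s, k) < clean_floor:
            continue                      # violates clean-accuracy floor
        a = adv_acc(s, k)
        if a > best_adv:
            best, best_adv = (s, k), a
    return best, best_adv

# Hypothetical accuracy surfaces, for illustration only.
clean = lambda s, k: 0.95 - 0.005 * s * k
adv   = lambda s, k: 0.50 + 0.04 * s * k
params, score = select_steering_params(
    [0.25, 0.5, 0.75, 1.0], [1, 2, 4, 8], clean, adv)
print(params, score)
```

Keeping this selection loop blind to the test attacks is what the referee's third major comment demands; any leak of test-attack performance into the search re-introduces attack-specific tuning.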

Circularity Check

0 steps flagged

No significant circularity; results presented as experimental outcomes

full rationale

The paper proposes a passive steering-based state preparation defense for QML and reports empirical improvements (up to 40.19% adversarial accuracy) across models and datasets under gradient attacks. No derivation chain, equations, or self-citations are shown that reduce the claimed gains to fitted parameters by construction or to prior author work. The tuning of steering strength and iterations is described as a method choice whose effectiveness is validated experimentally rather than derived analytically from the inputs themselves. The central claim therefore remains self-contained against external benchmarks and does not exhibit any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axiom · 0 invented entities

The central claim rests on standard quantum state evolution under controlled operations plus two tunable parameters whose values are chosen to achieve the reported accuracy gains.

free parameters (2)
  • steering strength
    Tuned parameter that controls how strongly the state is guided toward the intermediate target; directly affects suppression of perturbations.
  • number of steering iterations
    Tuned parameter controlling how many times the steering operation is applied; balances robustness against clean accuracy.
axioms (1)
  • domain assumption Quantum states can be prepared and steered using sequences of controlled unitary operations without collapsing the state.
    Invoked as the physical basis for replacing conventional encoding with the proposed steering process.

pith-pipeline@v0.9.0 · 5454 in / 1213 out tokens · 38816 ms · 2026-05-13T06:19:13.552072+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

30 extracted references · 30 canonical work pages · 4 internal anchors

  1. [1]

    Quanvolutional neural networks: powering image recognition with quantum circuits,

    M. Henderson, S. Shakya, S. Pradhan, and T. Cook, “Quanvolutional neural networks: powering image recognition with quantum circuits,” Quantum Machine Intelligence, vol. 2, no. 1, p. 2, 2020

  2. [2]

    Quantum convolutional neural networks,

I. Cong, S. Choi, and M. D. Lukin, “Quantum convolutional neural networks,” Nature Physics, vol. 15, no. 12, pp. 1273–1278, 2019

  3. [3]

    An introduction to quantum machine learning,

M. Schuld, I. Sinayskiy, and F. Petruccione, “An introduction to quantum machine learning,” Contemporary Physics, vol. 56, no. 2, pp. 172–185, Apr. 2015

  4. [4]

    Beyond bits: A review of quantum embedding techniques for efficient information processing,

M. A. Khan, M. N. Aman, and B. Sikdar, “Beyond bits: A review of quantum embedding techniques for efficient information processing,” IEEE Access, vol. 12, pp. 46118–46137, 2024

  5. [5]

    Robust in practice: Adversarial attacks on quantum machine learning,

H. Liao, I. Convy, W. J. Huggins, and K. B. Whaley, “Robust in practice: Adversarial attacks on quantum machine learning,” Physical Review A, vol. 103, no. 4, p. 042427, 2021

  6. [6]

    Generating universal adversarial perturbations for quantum classifiers,

G. Anil, V. Vinod, and A. Narayan, “Generating universal adversarial perturbations for quantum classifiers,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 38, no. 10, 2024, pp. 10891–10899

  7. [7]

Quantum adversarial attacks: Developing quantum FGSM algorithm,

M. S. Akter, H. Shahriar, A. Cuzzocrea, and F. Wu, “Quantum adversarial attacks: Developing quantum FGSM algorithm,” in 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC). IEEE, 2024, pp. 1073–1079

  8. [8]

    Quantum adversarial machine learning,

S. Lu, L.-M. Duan, and D.-L. Deng, “Quantum adversarial machine learning,” Physical Review Research, vol. 2, no. 3, p. 033212, 2020

  9. [9]

Experimental quantum adversarial learning with programmable superconducting qubits,

W. Ren et al., “Experimental quantum adversarial learning with programmable superconducting qubits,” Nature Computational Science, vol. 2, no. 11, pp. 711–717, 2022

  10. [10]

    A Comparative Analysis of Adversarial Robustness for Quantum and Classical Machine Learning Models,

M. Wendlinger, K. Tscharke, and P. Debus, “A Comparative Analysis of Adversarial Robustness for Quantum and Classical Machine Learning Models,” in 2024 IEEE International Conference on Quantum Computing and Engineering (QCE), vol. 01, Sep. 2024, pp. 1447–1457

  11. [11]

    Training robust and generalizable quantum models,

J. Berberich, D. Fink, D. Pranjić, C. Tutschku, and C. Holm, “Training robust and generalizable quantum models,” Physical Review Research, vol. 6, no. 4, p. 043326, 2024

  12. [12]

    Dual-regularized nonlinear quantum encoding for adversarial robustness in quantum machine learning,

Y. Li, X. Deng, R. Xu, W. Xu, and R.-G. Zhou, “Dual-regularized nonlinear quantum encoding for adversarial robustness in quantum machine learning,” New Journal of Physics, vol. 28, no. 1, p. 014511, 2026

  13. [13]

    Enhancing adversarial robustness of quantum neural networks by adding noise layers,

C. Huang and S. Zhang, “Enhancing adversarial robustness of quantum neural networks by adding noise layers,” New Journal of Physics, vol. 25, no. 8, p. 083019, 2023

  14. [14]

    Quantum noise protects quantum classifiers against adversaries,

Y. Du, M.-H. Hsieh, T. Liu, D. Tao, and N. Liu, “Quantum noise protects quantum classifiers against adversaries,” Physical Review Research, vol. 3, no. 2, p. 023153, 2021

  15. [15]

Enhancing quantum adversarial robustness by randomized encodings,

W. Gong, D. Yuan, W. Li, and D.-L. Deng, “Enhancing quantum adversarial robustness by randomized encodings,” Physical Review Research, vol. 6, no. 2, p. 023020, 2024

  16. [16]

    Adversarial robustness of partitioned quantum classifiers,

P. Kananian and H.-A. Jacobsen, “Adversarial robustness of partitioned quantum classifiers,” arXiv preprint arXiv:2502.20403, 2025

  17. [17]

    Adversarial robustness in distributed quantum machine learning,

    ——, “Adversarial robustness in distributed quantum machine learning,” arXiv preprint arXiv:2508.11848, 2025

  18. [18]

    Robqunns: A methodology for robust quanvolutional neural networks against adversarial attacks,

W. El Maouaki, A. Marchisio, T. Said, M. Shafique, and M. Bennai, “Robqunns: A methodology for robust quanvolutional neural networks against adversarial attacks,” in 2024 IEEE International Conference on Image Processing Challenges and Workshops (ICIPCW). IEEE, 2024, pp. 4090–4095

  19. [19]

    Classical autoencoder distillation of quantum adversarial manipulations,

A. Khatun and M. Usman, “Classical autoencoder distillation of quantum adversarial manipulations,” Physical Review Research, vol. 7, no. 4, p. L042054, Dec. 2025

  20. [20]

    Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and Harnessing Adversarial Examples,” arXiv:1412.6572, Mar. 2015

  21. [21]

    Towards Deep Learning Models Resistant to Adversarial Attacks

A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards Deep Learning Models Resistant to Adversarial Attacks,” arXiv:1706.06083, Sep. 2019

  22. [22]

    The MNIST database of handwritten digits,

Y. LeCun, “The MNIST database of handwritten digits,” 1998

  23. [23]

    Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms

H. Xiao, K. Rasul, and R. Vollgraf, “Fashion-MNIST: A Novel Image Dataset for Benchmarking Machine Learning Algorithms,” arXiv:1708.07747, Sep. 2017

  24. [24]

    Deep Learning for Classical Japanese Literature

    T. Clanuwat, M. Bober-Irizar, A. Kitamoto, A. Lamb, K. Yamamoto, and D. Ha, “Deep Learning for Classical Japanese Literature,” arXiv:1812.01718, Nov. 2018

  25. [25]

    Circuit-centric quantum classifiers,

M. Schuld, A. Bocharov, K. M. Svore, and N. Wiebe, “Circuit-centric quantum classifiers,” Physical Review A, vol. 101, no. 3, p. 032308, 2020

  26. [26]

    State preparation on quantum computers via quantum steering,

D. Volya and P. Mishra, “State preparation on quantum computers via quantum steering,” IEEE Transactions on Quantum Engineering, 2024

  27. [27]

Feedback-based steering for quantum state preparation,

D. Volya, Z. Pan, and P. Mishra, “Feedback-based steering for quantum state preparation,” in IEEE International Conference on Quantum Computing and Engineering (QCE), 2023, pp. 1308–1318

  28. [28]

    Variational quantum algorithms via measurement-induced passive steering,

S. Sanjaya, D. Volya, and P. Mishra, “Variational quantum algorithms via measurement-induced passive steering,” in 2024 IEEE International Conference on Quantum Computing and Engineering (QCE), vol. 1. IEEE, 2024, pp. 481–487

  29. [29]

    PennyLane: Automatic differentiation of hybrid quantum-classical computations

V. Bergholm et al., “PennyLane: Automatic differentiation of hybrid quantum-classical computations,” arXiv:1811.04968, Jul. 2022

  30. [30]

    PyTorch 2: Faster Machine Learning Through Dynamic Python Bytecode Transformation and Graph Compilation,

J. Ansel et al., “PyTorch 2: Faster Machine Learning Through Dynamic Python Bytecode Transformation and Graph Compilation,” in Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, ser. ASPLOS ’24, vol. 2. New York, NY, USA: Association for Computing Machinery, Apr. 2024, ...