Next Article in Journal
Distilling Vision Foundation Models into LiDAR Networks via Manifold-Aware Topological Alignment
Previous Article in Journal
Autoencoders in Natural Language Processing: A Comprehensive Review
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Adversarial Robustness in Quantum Machine Learning: A Scoping Review

by
Yanche Ari Kustiawan
and
Khairil Imran Ghauth
*
Faculty of Computing and Informatics, Multimedia University, Cyberjaya 63000, Malaysia
*
Author to whom correspondence should be addressed.
Computers 2026, 15(4), 233; https://doi.org/10.3390/computers15040233
Submission received: 2 March 2026 / Revised: 27 March 2026 / Accepted: 7 April 2026 / Published: 9 April 2026

Abstract

Quantum machine learning (QML) is emerging as a promising paradigm at the intersection of quantum computing and artificial intelligence, yet its security under adversarial conditions remains insufficiently understood. This scoping review aims to systematically map empirical research on adversarial robustness in QML and to identify dominant threat models, defense strategies, evaluation approaches, practical constraints, and future research directions. Following PRISMA-ScR guidelines, four major databases were searched, resulting in 53 eligible empirical studies published between 2020 and 2026. The findings show that most research concentrates on input-level evasion attacks, particularly adversarial examples, and primarily evaluates robustness in classification-oriented models such as variational quantum circuits and quantum neural networks. Defense strategies are largely adapted from classical adversarial training and noise-based mitigation, with limited deployment on real quantum hardware. Robustness assessment is predominantly empirical, relying on accuracy degradation and attack success rate, while formal certification methods remain less common. The literature also highlights substantial constraints related to hardware limitations, NISQ noise, computational cost, and dataset scale. Overall, the evidence indicates that adversarial robustness research in QML is expanding but remains methodologically concentrated, underscoring the need for standardized benchmarking, scalable defenses, and hardware-validated robustness evaluation frameworks.

1. Introduction

Quantum machine learning (QML) stands at the intersection of quantum computing and artificial intelligence [1]. It aims to improve how machines learn from data by using quantum principles, such as superposition and entanglement [2], to achieve greater computational power and more efficient learning. As quantum hardware continues to mature and move closer to real-world use, QML is expected to play an important role in areas such as cybersecurity, healthcare, and autonomous systems [3,4,5]. In these fields, the accuracy, reliability, and security of machine learning models are especially critical.
In the past few years, researchers have shown that classical machine learning models can be easily fooled by adversarial attacks. These attacks involve small, carefully designed changes to the input or feature that causes the model to make incorrect predictions [6,7]. As a result, adversarial machine learning has become an important area of study. Several defense methods have been developed, including adversarial training [8,9] adding noise to inputs or features [10], and using ensemble models [11] to reduce these risks. However, each of these approaches has its own strengths and limitations.
As QML continues to develop, similar security concerns are beginning to surface. Recent studies indicate that quantum classifiers, despite their fundamentally different computational foundations, are also susceptible to adversarial attacks originating from both classical and quantum sources [12]. This growing overlap of threats highlights the need for a deeper understanding of adversarial robustness in QML, including clear classifications of attack types and a careful evaluation of available defense strategies.
Despite recent progress, current approaches to adversarial robustness in QML remain limited. Many proposed defenses are adapted directly from classical machine learning and do not fully exploit quantum-specific properties [1,13]. Other methods are evaluated only under narrow experimental conditions, making it difficult to assess their effectiveness across diverse attack scenarios [14]. Furthermore, the lack of standardized benchmarks, comprehensive threat models, and consistent evaluation metrics [15], makes it difficult to compare methods and build truly robust QML models. If these issues are not addressed, using QML in safety-critical and high-risk applications could be risky, reducing confidence in the technology and slowing its broader adoption.
A key research gap lies in the limited exploration of quantum-specific adversarial threat vectors and the absence of systematic, QML-focused frameworks for evaluating defense strategies. While classical adversarial machine learning has established mature taxonomies and evaluation protocols, the quantum setting introduces additional challenges, including quantum data encoding, entanglement, and hardware noise, which are not adequately addressed by existing models.
Previous work has shown that quantum classifiers can be vulnerable to both white-box and black-box attacks [16], and that universal adversarial perturbations may generalize across multiple quantum models. However, the available evidence remains fragmented. Most studies focus on isolated attack scenarios or individual defense techniques, often lacking rigorous comparative analysis or consideration of scalability to real-world quantum hardware.
The objective of this scoping review is to systematically map and synthesize the current body of research on adversarial robustness in quantum machine learning, with a focus on understanding how security challenges are addressed in QML systems. This review aims to provide a structured overview of the threat landscape, model vulnerabilities, defense mechanisms, evaluation practices, and research limitations reported in the literature. Specifically, this study seeks to identify and classify the types of adversarial threat vectors that have been investigated in QML models, and to map the QML model families that have been examined under adversarial conditions. It further aims to describe and categorize the defense strategies proposed to improve adversarial robustness, and to examine how robustness is defined and evaluated across existing studies. In addition, this review intends to identify the practical and technological constraints that influence adversarial robustness research in QML. Finally, it aims to synthesize the future research directions and open challenges reported in the literature in order to guide the development of more robust, secure, and scalable QML systems.
To achieve these objectives, this paper presents a structured synthesis of existing research on adversarial robustness in QML. This study aims to serve as a useful reference for researchers and practitioners seeking to improve the security and reliability of quantum machine learning systems by reviewing known threat vectors and defense strategies and highlighting unresolved challenges and research gaps.
The remainder of this paper is organized as follows. Section 2 describes the SLR methodology, including the search strategy, screening, and selection process. Section 3 presents and categorizes the results. Section 4 discusses and interprets the findings. Section 5 outlines the study’s limitations. Section 6 concludes the paper and highlights broader directions for future research.

2. Methodology

We conducted a scoping review in line with the PRISMA-ScR guidelines [17]. We selected a scoping review because QML is a relatively new research area. Scoping reviews are exploratory and designed to rapidly map key concepts and evidence within a field [18]. They also help summarize and share existing findings, identify gaps in the literature, and describe the scope and nature of research activity [18].
We adapted the framework proposed by Arksey and O’Malley [18], which includes: Identifying the research question; identifying relevant studies; study selection; charting the data; and collating, summarizing, and reporting the results. Figure 1 presents the PRISMA flow diagram of the study selection process. The review protocol was registered on OSF (DOI: 10.17605/OSF.IO/CN8MT) and the Supplementary Material can be downloaded at https://www.prisma-statement.org/s/PRISMA-ScR-Fillable-Checklist_10Sept2019.docx.

2.1. Related Studies Search Method

We formulated a set of research questions (RQs) to achieve this study’s objectives and Table 1 lists each question along with a brief description.
Our analysis begins by mapping the types of adversarial threat vectors investigated in QML and the models examined under adversarial settings. It then focuses on the defense strategies proposed to improve adversarial robustness and the evaluation approaches used to assess robustness in existing studies. This scoping review is limited to empirical research that reports experimental implementation and evaluation, regardless of whether robustness outcomes are favorable or unfavorable. Based on this evidence, we synthesize the practical and technological constraints influencing adversarial robustness research, as well as the research directions identified for advancing robust quantum machine learning.

2.2. Identification of Studies

We searched three major bibliographic databases to identify relevant studies, namely ACM, IEEE Xplore, and Scopus, complemented by a targeted search of the MDPI publisher platform to capture relevant open-access studies. The search was performed using the predefined search strings and the inclusion and exclusion criteria outlined in Table 2.
Figure 1 summarizes the number of records retrieved from each database. The search targeted the title, abstract, and keywords fields, combining core terms related to adversarial attack and QML using the Boolean operators AND and OR. In particular, we used phrases such as “adversarial attacks” together with “quantum machine learning” and closely related technique terms, to capture studies that explicitly frame their methods within QML. We avoided relying only on abbreviations (for example, “QML”) because many papers index the full term, and abbreviation-only queries can miss relevant records. The literature search was conducted up to end of December 2025. Although no explicit publication year restriction was applied, the retrieved records were predominantly published between 2020 and 2026. Studies labeled as 2026 correspond to peer-reviewed articles available as early access or in-press publications at the time of the search. We collected 250 records using this procedure.

2.3. Screening

All retrieved records (n = 250) were exported in Research Information Systems (RIS) format and imported into Rayyan [19,20] which is a software specialized to support the screening workflow in systematic and scoping reviews. We first performed deduplication, removing duplicate entries (n = 36) and retaining (n = 214) unique records. Next, we conducted title and abstract screening of the remaining records against the predefined inclusion and exclusion criteria. Records that were clearly out of scope were excluded at this stage (n = 127), including studies not focused on quantum machine learning, not addressing adversarial threats or robustness, not proposing defenses, or not primary research.
Then, we sought the full texts of potentially eligible articles (n = 87). Some records could not be retrieved due to limitations in the access, or unavailable full text (n = 8). The retrieved full texts (n = 79) were assessed for eligibility, and additional studies were excluded with documented reasons (n = 26), such as lacking an explicit adversarial threat vector, not evaluating robustness under attack, presenting methods without a quantum machine learning, providing no substantive discussion of defense strategies or not written in English. Finally, the screening process resulted in (n = 53) selected studies and any disagreements between the reviewers at each stage of the screening process were resolved through discussion until a mutual agreement was reached.

2.4. Included Studies

As shown in the lower part of Figure 1, a total of 53 studies met the inclusion criteria and addressed the research question. A reviewer independently cross checked the final set, and any discrepancies were discussed and resolved. Table 3 provides an overview of the included studies, grouped by year of publication, and digital library.

2.5. Quality Appraisal

As scoping reviews are not focused on the quality of retrieved articles, a formal quality appraisal was not undertaken [74].

2.6. Data Extraction

Data extraction was divided between two reviewers. Each reviewer extracted data from half of the included studies and then cross checked the extracted data to ensure consistency and accuracy. For each included study, the extracted information covers specific details on the six research questions: adversarial threat vectors investigated (RQ1), QML models examined (RQ2), defense strategies proposed (RQ3), adversarial robustness evaluation methods (RQ4), practical and technological constraints influencing robustness research (RQ5), and future research directions reported by the authors (RQ6).

3. Results

3.1. RQ1-What Types of Adversarial Threat Vectors Have Been Investigated?

Table 4 presents the summary of adversarial threat vectors identified across the included studies. For clarity, adversarial threats are grouped into three levels: (i) classical input-level attacks applied before quantum encoding, (ii) quantum state-level attacks affecting encoded states or circuit evolution, and (iii) hardware-level or physical attacks exploiting device characteristics.
The findings indicate a strong concentration on input-level evasion mechanisms, with adversarial examples emerging as the dominant category, accounting for 38 occurrences (40.4%) [21,22,23,24,26,27,28,30,31,33,35,36,37,38,39,40,41,42,43,44,46,50,51,54,57,58,59,60,61,62,63,64,65,66,69,71,73]. This confirms that most existing research prioritizes perturbation-based attacks designed to induce misclassification at inference time, reflecting a clear focus on input manipulation in QML robustness studies. However, this dominance also indicates an overwhelming concentration on input-level evasion, while other adversarial surfaces across the QML lifecycle remain comparatively underexplored. Existing literature tends to prioritize gradient-based adversarial examples, often within white-box settings, leaving broader threat models insufficiently validated in rigorous experimental frameworks.
The second place of investigated threats includes poisoning attacks [26,37,47,55,61,62,70,72], and transfer attacks [22,23,28,31,33,41,50,59] each reported eight times (8.5%). Poisoning attacks primarily target the training phase through label flipping or data manipulation, whereas transfer attacks rely on surrogate models to craft adversarial examples that generalize to target quantum or hybrid models. Their comparable frequencies suggest balanced attention between training-time vulnerabilities and cross-model generalization risks. Nevertheless, the literature highlights a methodological gap between conceptual discussions of diverse threat settings, such as black-box and targeted attacks, and their systematic empirical evaluation, which often remains confined to white-box scenarios.
Another representation is observed for noise/corruption attacks (7 occurrences, 7.4%) [24,29,38,39,50,53,71], and functional/physical attacks (6 occurrences, 6.4%) [22,27,55,56,60,68]. These categories reflect concerns specific to quantum environments, where hardware noise, decoherence, and physical constraints influence attack feasibility. Yet, despite acknowledging hardware-level vulnerabilities, there remains a lack of QML-native threat models that explicitly exploit quantum phenomena and NISQ-era hardware characteristics. Current approaches frequently adapt classical gradient-based paradigms rather than formulating attacks grounded in quantum-specific properties. This indicates a structural gap in modeling functional, physical, and hardware-induced adversarial behaviors within realistic deployment settings.
Additionally, fault injection/crosstalk attacks appear four times (4.3%) [26,37,55,60], indicating emerging attention to hardware-level exploitations in noisy intermediate-scale quantum devices. However, broader ecosystem-level threats, including unreliable cloud or device assignment environments, compilation-oriented attacks such as circuit tampering or IP theft, and encoding vulnerabilities, remain insufficiently investigated, suggesting limited exploration beyond direct input manipulation.
Several categories show moderate but consistent presence, each contributing three occurrences (3.2%). These include universal adversarial perturbations [23,30,34], model stealing/extraction attacks [49,55,67], side-channel attacks [48,55,67], backdoor/trojan attacks [37,55,56], data obfuscation/evasion [48,53,66], and quantum state poisoning attacks [25,56,70]. Although individually limited in frequency, collectively they demonstrate the growing diversification of adversarial surfaces beyond conventional perturbation-based strategies. Nevertheless, the security of the broader QML pipeline, including model extraction, side-channel leakage, and cross-layer exploitation from encoding to deployment, remains underexplored and requires more comprehensive investigation.
Less frequently examined threats include inference/membership attacks [48,55] and denial of service/availability attacks [48,72], each reported twice (2.1%). These threats directly impact data privacy and system reliability, yet they remain significantly under-researched within QML security studies. Finally, adversarial metric learning attacks represent the least explored area [27], with only one recorded occurrence (1.1%), suggesting that attacks targeting objective functions or representation learning mechanisms remain largely overlooked. This further emphasizes that adversarial investigations remain predominantly classification-boundary centric, while deeper structural, functional, and lifecycle-level vulnerabilities across the QML ecosystem remain insufficiently addressed.

3.2. RQ2-Which QML Models Have Been Studied in Adversarial Robustness Research

Figure 2 presents the proportional distribution of QML model types examined in adversarial robustness research. It is important to note that several model categories in the literature, particularly Variational Quantum Circuits (VQCs), Parameterized Quantum Circuits (PQCs), and Quantum Neural Networks (QNNs), are conceptually overlapping. In many cases, these terms refer to parameterized quantum circuit frameworks with different naming conventions rather than fundamentally distinct architectures. For clarity, these models are interpreted as part of a broader parameterized quantum circuit family, while retaining their original labels to remain consistent with the terminology used in the primary studies.
VQCs represented the largest category, accounting for 23% of the total. VQCs are parameterized quantum circuits used for data encoding and classification, typically employing various ansatz structures and encoding strategies such as angle or amplitude encoding [22,23,26,27,28,30,31,34,35,36,38,40,41,42,44,45,46,47,48,58]. Their dominance reflects the central role of trainable quantum circuits in contemporary QML research. At the same time, this concentration suggests that adversarial robustness investigations remain heavily centered on classification-oriented VQC frameworks, while other advanced quantum paradigms receive comparatively limited attention.
QNNs followed at 18%. These models are quantum circuits structured explicitly as neural networks, often overlapping conceptually with VQCs but framed within neural network terminology. Many implementations are hybrid, combining classical preprocessing layers with quantum trainable circuits [26,28,29,33,37,38,39,40,41,43,48,49,50,52,55]. However, similar to VQCs, robustness evaluations largely focus on shallow NISQ-compatible circuits and small-scale experimental settings, indicating limited scalability assessments beyond toy datasets and restricted qubit ranges.
PQCs accounted for 14%. PQCs function as general trainable circuit architectures used primarily for classification tasks [25,41,45,46,48,49,55,59,64,67,69,70]. Although closely related to VQCs and QNNs, they are frequently treated as broader parameterized models without strict architectural categorization. This further reinforces the structural imbalance in the literature, where classification-driven PQC frameworks dominate, while optimization-oriented or task-diverse quantum models remain insufficiently examined under adversarial conditions.
Kernel-based approaches are also prominent. Quantum Support Vector Machines (QSVMs) and Quantum Convolutional Neural Networks (QCNNs) each contribute 11%. QSVMs utilize quantum feature maps and quantum kernels, such as ZZ-feature or Pauli feature maps, to enhance separability in Hilbert space [21,25,35,48,53,60,63,65,66]. QCNNs adapt convolution and pooling operations into quantum circuits, enabling hierarchical feature extraction in quantum-native frameworks [23,28,30,35,37,43,48,57,60]. Despite their architectural diversity, robustness studies often treat encoding strategies as default components rather than systematically evaluating the comparative resilience of amplitude, angle, or other encoding schemes across diverse attack types. The lack of standardized and comprehensive evaluation of encoding robustness represents a clear methodological gap.
Hybrid approaches show moderate representation. Hybrid Classical–Quantum Neural Networks (HCQNN/HQNN) comprise 7%, integrating classical front-end components, such as autoencoders or classical neural layers, with quantum circuits to enhance robustness and feature extraction [26,29,33,39,44,56]. Quanvolutional Neural Networks (QuNNs) contribute 5%, employing quantum convolutional layers within hybrid architectures using various ansatz configurations [41,44,52,57]. Although hybridization is often proposed as a robustness enhancement strategy, many defenses remain empirically demonstrated and attack-specific, lacking unified frameworks or provable robustness guarantees tailored to quantum settings.
Less frequently investigated architectures include Quantum Generative Adversarial Networks (QGANs) at 4%, which are used for adversarial example generation or defense mechanisms, either fully quantum or hybrid [48,53,63]. While QGANs appear in several studies, deeper investigation into the robustness of their generative processes under poisoning or evasion attacks, particularly in complex data synthesis contexts, remains limited.
Quantum Annealing-based Models [24,32], and Quantum Federated Learning (QFL) [64,72], each account for 2%, reflecting emerging exploration into hardware-specific and distributed quantum learning settings. Notably, advanced quantum optimization algorithms such as Quantum Approximate Optimization Algorithm (QAOA) and Variational Quantum Eigensolver (VQE), as well as Quantum Reinforcement Learning (QRL), are largely absent from dedicated adversarial robustness evaluations, often appearing only as benchmarks or conceptual references rather than as primary objects of security analysis. This highlights limited extension of adversarial investigations beyond supervised classification toward optimization, reinforcement, and distributed quantum paradigms.
Finally, several specialized architectures appear minimally at 1% each, including Quantum Autoencoders (QAE) [54], Quantum Transfer Learning (QTL) [51], and Quantum Hybrid One-Class SVM (kernel-based) models [62]. These models are typically applied to anomaly detection, transfer learning scenarios, or representation learning tasks. Their limited representation suggests that adversarial robustness research in QML remains narrowly concentrated on mainstream classification architectures, with insufficient exploration of diverse learning paradigms, large-scale deployment settings, standardized benchmarking practices, and reproducibility frameworks.

3.3. RQ3-What Defense Strategies Have Been Proposed to Improve Adversarial Robustness?

Figure 3 shows the distribution of defense strategies proposed to enhance adversarial robustness in quantum machine learning models. The results indicate a clear dominance of training-based and noise-based mitigation techniques, with comparatively fewer studies focusing on certification, sampling, or game-theoretic defenses.
Adversarial Training (AT) emerges as the most frequently reported strategy, with 17 occurrences. This approach involves training QML models using adversarially perturbed samples to improve robustness against evasion attacks. Its prominence reflects the strong influence of classical adversarial machine learning paradigms on QML research [22,27,28,31,38,39,42,51,52,55,57,59,60,61,63,65,69]. However, the adaptation and rigorous implementation of advanced classical adversarial training techniques into quantum settings remains limited. Many implementations remain basic or empirically demonstrated, with limited exploration of stronger adversaries, advanced loss formulations, or the robustness–accuracy trade-off under NISQ constraints. Moreover, the challenges of limited circuit depth, quantum noise, and cloud-based data pipelines complicate the direct transfer of classical adversarial training paradigms into practical quantum workflows.
The second most common category is quantum randomized smoothing/noise injection, with eight occurrences. This strategy adds controlled quantum noise, such as depolarizing or phase-damping channels, to smooth decision boundaries and reduce sensitivity to perturbations [25,28,35,38,45,61,64,69]. Unlike classical smoothing, this method leverages quantum-native noise models to enhance stability. Nevertheless, most smoothing-based defenses remain heuristic in nature, and there is a lack of scalable, theoretically grounded certification guarantees that can be consistently integrated into larger and more complex QML systems.
Two structural defense categories follow, each reported four times. Circuit architecture optimization focuses on designing ansatz structures that maximize expressibility, entanglement, or inherent robustness [41,44,55,57]. Hardware-level defenses and obfuscation include hardware identity verification, circuit obfuscation, insertion of dummy gates, and compilation splitting across vendors to reduce exposure to attacks and reverse engineering [26,37,67,68]. While these approaches demonstrate growing awareness of hardware-layer vulnerabilities, the literature highlights a gap in systematic, end-to-end frameworks that jointly evaluate hardware-centric defenses and algorithmic mitigation strategies across diverse quantum platforms. Many proposals remain conceptual or partially implemented, rather than comprehensively benchmarked under realistic adversarial conditions.
Several mid-frequency categories appear with three occurrences each. Hybrid classical–quantum architectures combine classical front-end components, such as spiking networks or autoencoders, with quantum circuits to improve noise tolerance [29,39,50]. Adversarial sample detection/purification employs detection mechanisms or purification pipelines, including fuzzy logic networks and autoencoder frameworks, to filter adversarial inputs [36,50,71]. Differential privacy and noise for privacy integrates differential privacy mechanisms with quantum noise to protect against data leakage and poisoning [55,64,72]. Preprocessing and data augmentation uses denoising autoencoders or GAN-based augmentation to strengthen training data [21,50,73]. Randomized encoding/cloaking introduces random rotations or cloaking layers to mask encoding fingerprints and create barren plateaus [35,55,68]. Quantum noise exploitation leverages intrinsic hardware noise, such as crosstalk or shot noise, as a natural defensive mechanism [43,64,66]. Despite this diversity, translation of advanced classical defenses, such as defensive distillation and GAN-based purification, into fully realized quantum-native counterparts remains limited. Many of these strategies are discussed as future directions or conceptual extensions rather than thoroughly validated, standardized defenses within quantum pipelines. In addition, the limited scalability of purification and distillation mechanisms under NISQ noise constraints restricts their practical deployment.
Lower-frequency strategies, each appearing twice, include sampling-based defenses [21,24], regularization techniques [46,55], ensemble and game-theoretic approaches [32,65], robustness certification and verification [25,52], advanced aggregation and federated learning [57,72], and gradient masking or defensive distillation [22,60]. Although robustness certification methods and hypothesis-testing frameworks have begun to emerge, they remain insufficiently widespread and are rarely integrated into standard QML development workflows. Most defenses continue to rely on empirical improvements without providing tight, provable robustness bounds or model-independent guarantees.

3.4. RQ4-How Is Adversarial Robustness Evaluated in Existing Studies?

Table 5 summarizes the evaluation methods employed to assess adversarial robustness in quantum machine learning studies. The findings reveal that robustness assessment is predominantly empirical, with limited but notable use of theoretical guarantees and formal statistical validation. Across the included studies, the majority of evaluations are conducted in classical simulation environments, with only a limited subset validated on real quantum hardware. This distinction is explicitly noted to differentiate simulation-based robustness evidence from hardware-backed results.
The most widely adopted approach is empirical performance metrics under attack, where studies measure classification or regression performance, including accuracy, F1-score, precision, recall, mean squared error (MSE), and R2, on perturbed inputs. This category accounts for the largest number of references, indicating that most research evaluates robustness through observable performance degradation under adversarial conditions. However, this empirical dominance also reflects the absence of a universally adopted, standardized benchmarking framework for QML robustness across diverse models, datasets, and attack configurations. Studies frequently rely on specific datasets such as MNIST and selected attack parameters, making cross-study comparison and reproducibility challenging.
Closely related is robust accuracy or adversarial accuracy, which quantifies model accuracy specifically on adversarial test sets. Rather than reporting general performance, this metric directly reflects robustness under attack scenarios, making it a central benchmark in QML robustness studies. Nonetheless, evaluations often remain limited to accuracy degradation without systematically comparing adversarial perturbations to random noise baselines, which restricts deeper interpretation of whether performance drops stem from structured adversarial manipulation or general noise sensitivity.
A smaller but significant portion of studies employs theoretical or provable robustness guarantees. These methods rely on mathematical bounds or certification techniques derived from fidelity measures, trace distance, Uhlmann fidelity, semidefinite programming formulations, Lipschitz constants, or quantum hypothesis testing. Although less frequent than empirical metrics, these approaches provide stronger formal assurances of robustness. Yet, a clear theoretical–empirical gap persists, as many formal guarantees are not consistently validated under realistic noise conditions or diverse attack settings, limiting their practical applicability in NISQ environments. The scalability and integration of certification protocols into standard QML development workflows remain open challenges.
Several studies evaluate robustness using similarity and fidelity metrics, measuring closeness between clean and adversarial quantum states to quantify perturbation impact at the state level. This quantum-native evaluation method reflects the physical properties of quantum systems rather than purely classical output metrics. However, deeper interpretability of how specific quantum state perturbations, entanglement variations, or decoherence mechanisms translate into robustness degradation is still insufficiently explored. More granular analysis of how different quantum noise models interact with adversarial strategies would strengthen the robustness assessment framework.
Another recurring category is robustness under different attack types, where models are evaluated across multiple adversarial settings, including fast gradient sign method (FGSM), basic iterative method (BIM), projected gradient descent (PGD), momentum iterative method (MIM), universal attacks, and both white-box and black-box configurations. This approach assesses robustness consistency rather than performance under a single threat model. Nevertheless, only a limited number of studies systematically examine transferability across architectures or conduct comprehensive cross-model evaluations, indicating a need for broader comparative robustness testing.
Transferability and generalizability evaluations examine whether adversarial examples transfer between models or whether defenses generalize across attack types. These analyses provide insight into cross-model vulnerabilities and defense stability. Still, transfer-based benchmarking remains relatively sparse and lacks standardized protocol.
In addition, Attack Success Rate (ASR) and accuracy drop are used to measure how frequently adversarial attacks succeed and the magnitude of performance degradation. These metrics complement robust accuracy by emphasizing attack effectiveness. However, evaluation remains largely model-centric, with limited integration of broader system-level or operational metrics such as latency, throughput, or deployment-level impacts, which are essential for real-world QML applications.
Security-oriented assessments are reflected in privacy and security related metrics, where robustness is evaluated within broader security frameworks such as total variation distance, privacy budget analysis, and CIA (confidentiality, integrity, and availability) triad considerations. While this indicates emerging alignment between adversarial robustness and system-level security evaluation, the ethical and societal implications of QML failures remain largely unexplored in robustness assessment frameworks.
Other specialized methods include adversarial risk or error rates, measuring differences between training and population risk under attack; noise injection or randomized encoding analyses, studying the effect of noise layers on robustness; visualizations and geometric proxies, such as Hilbert space separability and t-SNE analysis; and statistical testing and hypothesis tests, including paired significance tests to validate improvements. Despite this methodological diversity, robustness evaluation of specific QML sub-components, such as encoding schemes, data poisoning pipelines, and model stealing resilience, remains underdeveloped and requires more dedicated, component-level assessment strategies.

3.5. RQ5-What Practical and Technological Constraints Influence Adversarial Robustness Research?

Table 6 presents the main practical and technological constraints influencing adversarial robustness research in quantum machine learning. The findings indicate that hardware-related limitations and noise remain the most frequently reported barriers.
Hardware Limitations are the most commonly cited constraint, mentioned in 28 studies. These include a limited number of qubits, restricted qubit connectivity, and architectural constraints that limit circuit depth and model size. Such limitations directly restrict the complexity of QML models and reduce the feasibility of large-scale adversarial robustness experiments. This concentration reflects persistent challenges in scaling and hardware efficiency as current models are often confined to low-dimensional data representations and shallow circuits due to qubit scarcity. There is a pressing need for more hardware-efficient architectures and encoding schemes capable of utilizing limited qubit resources without aggressive dimensionality reduction that may sacrifice critical information.
Closely following are NISQ (Noisy Intermediate-Scale Quantum) noise and errors, reported in 22 studies. Gate errors, decoherence, measurement noise, and crosstalk reduce state fidelity and increase vulnerability to adversarial perturbations. Noise not only affects performance but also complicates the interpretation of robustness results, as it becomes difficult to separate adversarial effects from intrinsic hardware noise. The literature highlights a gap in developing comprehensive, noise-aware robustness guarantees and integrated error mitigation strategies that do not introduce excessive computational overhead. Moreover, the interaction between intrinsic quantum noise and adversarial perturbations remains insufficiently understood, limiting the reliability of empirical robustness claims. A deeper and often overlooked issue is that quantum noise in physical learning systems is not simply an engineering flaw to be reduced, but a fundamental part of how learning occurs. A study by Milburn [75] shows that any physical quantum learning machine operates as an open, dissipative system far from thermal equilibrium, where quantum noise, such as spontaneous emission in a quantum optical perceptron, actively drives the switching processes that enable learning. Importantly, the energy dissipated in each trial decreases as the learning error declines. This means that as a QML model converges, it naturally shifts into a lower-dissipation, lower-noise regime. This behavior has important implications for adversarial robustness that are not reflected in classical threat models. When adversarial perturbations push the model away from its learned configuration, they do more than reduce accuracy, they force the system back into a higher-dissipation, higher-noise state, effectively undoing the thermodynamic progress achieved during training. This creates a fundamentally different failure mode from classical neural networks, where noise and learning are typically treated as separate and independent factors. This issue becomes severe in architectures that depend on non-classical quantum properties as their core computational resource. For instance, kernel machines based on Kerr nonlinearity rely on the negativity of the Wigner function to form decision boundaries that enable data separation [76]. However, photon loss rapidly suppresses the off-diagonal coherence terms that generate this negativity, with a decay rate of γ|α0|2, which is significantly faster than the standard amplitude decay rate γ. As a result, noise in such systems does not simply reduce model performance but fundamentally destroys the underlying mechanism that enables learning, representing a distinct and more critical failure mode compared to those observed in qubit-based circuit models. Overall, insights from both the thermodynamic perspective of quantum learning systems and specific models such as Kerr nonlinearity-based kernels indicate the need for a broader theoretical framework. This framework should explain how adversarial perturbations interact with the dissipative dynamics of quantum learning, moving beyond the current emphasis on gate-level noise analysis and empirical fidelity measures.
Simulation and computational resource limits are mentioned in 21 studies. High computational cost for classical simulation of quantum systems, restricted data dimensions due to qubit limits, and slow training processes constrain experimental scalability. These factors often force researchers to rely on small-scale benchmarks. This dependency reflects a methodological gap in designing scalable experimental protocols and efficient simulation techniques that can better approximate real-world deployment scenarios.
Model training challenges, cited in 18 studies, include barren plateaus characterized by vanishing gradients, high computational cost of adversarial training, gradient estimation overhead, and limited backpropagation support. These challenges make robust training particularly demanding in quantum settings. The barren plateau phenomenon and expensive parameter-shift gradient estimation rules highlight the need for more efficient optimization algorithms tailored to robust QML training. Current optimization pipelines often lack scalability and practicality when adversarial training or multi-attack evaluation is introduced.
Data dimensionality and encoding issues, reported in 17 studies, reflect the need for dimensionality reduction techniques such as principal component analysis and the difficulty of encoding classical data into quantum states with limited qubits. Encoding constraints directly affect the realism and complexity of adversarial evaluation. The literature emphasizes a gap in developing encoding mechanisms that preserve high-dimensional structure without excessive compression, as dimensionality reduction may obscure adversarial vulnerabilities or distort robustness evaluation.
Defense and robustness trade-offs, mentioned in 11 studies, highlight tensions between accuracy and robustness. Oversmoothing due to noise injection may degrade accuracy, and defenses often show limited generalization across attack types. This trade-off is not simply a byproduct of specific defense techniques but reflects a deeper physical limitation. In dissipative learning systems, both classical and quantum, there is an optimal noise level where learning is most efficient, and the free energy change per trial is minimized when learning is complete [77]. When defenses push the system away from this optimal point, either by reducing noise through error mitigation or increasing it through randomized smoothing, they introduce a physical cost that appears as reduced predictive performance. This suggests that the observed tension between accuracy and robustness cannot be fully addressed through defense design alone, without considering the fundamental relationship between noise and learning dynamics in the underlying hardware. This reflects the absence of unified frameworks capable of balancing robustness, efficiency, and predictive performance within realistic hardware constraints.
Both algorithmic and theoretical constraints and practical dataset constraints are cited in 10 studies each. The former includes lack of closed-form solutions and difficulty in providing robustness guarantees for multi-class or high-dimensional tasks. The latter involves small or downscaled datasets, such as reduced versions of MNIST, limited training samples, and task-specific benchmarks that restrict generalizability. These limitations expose a broader gap in theoretical foundations and standardized certification tools for QML robustness, particularly model-independent bounds and scalable verification protocols.
Less frequently mentioned constraints include security and trust issues (7 studies), such as cloud opacity, untrusted compilers, multi-tenant risks, intellectual property leakage, and adversarial access, as well as measurement and testing constraints (5 studies), which involve the need for large numbers of shots, statistical estimation challenges, and verification difficulties due to continuous quantum states. These findings indicate that beyond algorithmic and hardware issues, ecosystem-level vulnerabilities and verification bottlenecks remain underdeveloped research areas requiring more systematic investigation.

3.6. RQ6-What Future Research Directions Are Proposed for Advancing Adversarial Robustness?

Table 7 presents the main future research directions proposed in the literature to advance adversarial robustness in quantum machine learning. The results show a strong emphasis on practical deployment, robustness certification, and architectural innovation.
The most frequently proposed direction, mentioned in eight studies, is developing experiment-feasible and scalable adversarial defense mechanisms on real quantum hardware. This highlights the need to move beyond simulation-based evaluations toward implementation and validation on physical quantum devices. The literature explicitly indicates limited empirical validation, as many robustness claims remain confined to simulated environments without accounting for real hardware noise, device variability, and deployment-level constraints. Bridging this simulation-to-hardware gap is essential for translating theoretical robustness into practical security guarantees.
The second most common direction, cited in seven studies, is improving robustness certification and verification tools, including tighter generalization bounds and stronger robustness guarantees. This reflects recognition of the current lack of formal, provable security assurances in QML robustness research. The literature emphasizes the need for principled certification frameworks, model-independent robustness bounds, and mathematically grounded robustness formulations that can be integrated into real development workflows. The absence of unified benchmarking and verification standards further reinforces this methodological gap.
Several directions are mentioned six times each. These include extending adversarial robustness studies beyond supervised learning to unsupervised, reinforcement learning, and continual learning settings, indicating a call to broaden robustness evaluation across learning paradigms. The literature highlights a gap in evaluating robustness in diverse tasks such as reinforcement learning environments, entanglement classification, Hamiltonian learning, and fully quantum data processing. This suggests that current robustness research remains heavily concentrated on supervised classification scenarios. Extending adversarial analysis to reinforcement learning settings is increasingly important, especially with the rise in deep reinforcement learning-based quantum control systems that function through closed measurement–feedback loops [78]. In these architectures, adversarial perturbations targeting the measurement signals, reward functions, or environmental dynamics can systematically distort the agent’s learned policy. Such vulnerabilities are not adequately addressed by current adversarial QML frameworks, which remain limited in their ability to detect or defend against these forms of attack.
Another key theme is studying specific quantum architectures or ansatz designs to inherently improve robustness, suggesting that robustness should be embedded at the circuit design level. Researchers call for hardware-efficient architectures, automated quantum architecture search, and circuit optimization techniques that address barren plateaus and connectivity constraints. This reflects a gap in architectural-level robustness engineering, where robustness is not merely an add-on defense but an intrinsic property of model design.
Additionally, developing robustness against advanced and universal adversarial attacks, including transfer attacks and poisoning, reflects growing awareness of more sophisticated threat models. The literature points to the need for deeper characterization of universal perturbations, transferability from classical to quantum models, and robustness under adaptive adversaries. This indicates that existing defenses may not yet be sufficiently resilient against evolving and cross-model attack strategies.
Moderately cited directions include integrating quantum noise or randomized encodings as defense mechanisms and benchmarking robustness across various QML architectures, data types, and attack settings, each mentioned in five studies. These directions emphasize systematic evaluation and leveraging quantum-native properties for defense. However, the literature identifies a gap in standardized benchmarking frameworks capable of comparing QML robustness across hardware platforms, model families, and adversarial configurations.
Less frequently proposed but still notable directions include optimizing model architectures and training strategies to balance robustness and accuracy (4 studies) and combining classical and quantum methods for hybrid defense frameworks (3 studies). These themes suggest ongoing interest in hybrid approaches and trade-off optimization. Nevertheless, researchers highlight the need for reducing the computational overhead of robust training, improving data loading assumptions such as qRAM feasibility, and enhancing scalability beyond small benchmark datasets.

4. Discussion

This scoping review set out to map the evidence on adversarial robustness in QML, specifically, the threat vectors studied, the QML model families examined, the defense strategies proposed, how robustness is evaluated, the practical and technological constraints shaping the field, and the future directions recommended by the literature. Overall, the mapped evidence suggests a research area that is expanding but still methodologically concentrated, with many studies adapting classical adversarial machine learning assumptions and tooling to QML, while fewer studies evaluate quantum native threat models, end to end deployment risks, or scalable defenses on real hardware.
Table 8 synthesizes the extent to which current adversarial robustness research in QML is driven by elements directly inherited from classical adversarial machine learning versus those that are genuinely quantum-specific to further clarify this structural concentration. This comparison highlights the underlying imbalance shaping the current evidence base.
The evidence base is strongly concentrated on input level evasion, with adversarial examples representing the dominant threat category (40.4%). While this has established a baseline understanding of perturbation-driven misclassification in QML, the mapping also highlights a clear gap, namely the comparatively limited attention to other adversarial surfaces across the QML lifecycle, beyond mostly white box, gradient-based settings. The mapped taxonomy shows that training time poisoning and transfer attacks appear, but at much lower frequency (8 occurrences each, 8.5%), with additional categories such as noise or corruption attacks (7, 7.4%), functional or physical attacks (6, 6.4%), and hardware level fault injection or crosstalk (4, 4.3%). Collectively, the distribution indicates that the field is still developing breadth with privacy, availability, extraction, and side channel-oriented threats present but not yet systematically evaluated at scale.
The mapped evidence is similarly concentrated at the model level. Variational Quantum Circuits (VQC) account for the largest proportion of studied models (23%), followed by QNNs (18%), PQCs (14%), QSVMs (11%), and QCNNs (11%). Hybrid classical quantum models appear with moderate representation (for example, HCQNN or HQNN at 7%, QuNNs at 5%), while architectures such as QGANs (4%), quantum annealing based models (2%), QFL (2%), and several specialized paradigms (QAE, QTL, one class SVM variants, each around 1%) remain marginal in adversarial robustness studies. The mapping also notes an absence of robustness evaluations for optimization, reinforcement, and distributed quantum paradigms, where methods like QAOA, VQE, or QRL are largely missing as primary objects of security analysis. This suggests that current evidence is strongest for supervised, classification centric settings, and weaker for the broader range of QML tasks that are likely to matter for real world deployments.
Defense research is dominated by training-based and noise-based mitigation. Adversarial training is the most frequently reported strategy (17 occurrences), reflecting a strong transfer of classical adversarial training thinking into QML. Quantum randomized smoothing or noise injection follows (8 occurrences), using controlled quantum noise channels to reduce sensitivity to perturbations, although many proposals remain heuristic and lack scalable certification guarantees. Circuit architecture optimization and hardware level defenses or obfuscation are present (4 occurrences each), indicating growing awareness that robustness may depend on ansatz design and hardware layer vulnerabilities, but the mapping highlights limited end to end evaluation across platforms and threat models. Beyond these, a long tail of mid and low frequency strategies exists (purification, detection, differential privacy, preprocessing, cloaking, certification), but many are discussed as conceptual extensions or are insufficiently validated under realistic adversarial conditions and NISQ constraints.
The comparative analysis in Table 9 shows a clear cost–robustness trade-off across different defense strategies. At one end, Adversarial Training and Robustness Certification provide the strongest robustness guarantees. Adversarial training achieves high empirical resilience, with detection accuracy reaching up to 96.3% under attack, while certification methods offer formal guarantees through techniques such as quantum hypothesis testing and SDP formulations. However, both come with substantial computational costs, with adversarial training increasing training time by 3×–30× and certification methods requiring expensive mixed-integer linear programming and semidefinite programming computations. In contrast, most other approaches, including Gradient Masking and Defensive Distillation, Adversarial Sample Detection and Purification, Preprocessing and Data Augmentation, and hardware-level Obfuscation, deliver strong or competitive robustness at much lower computational cost.
This suggests that lightweight defenses can be practically effective, especially under NISQ constraints. The most significant accuracy trade-offs appear in Differential Privacy, where stronger privacy budgets reduce clean accuracy, and in Adversarial Training, which can also degrade performance beyond certain robustness levels. Most other methods either maintain or improve clean accuracy, indicating that the accuracy–robustness tension is not universal but mainly associated with training-based and privacy-focused strategies. Overall, no single defense performs best across robustness, cost, and accuracy simultaneously. This highlights the need for hybrid or layered approaches that combine the formal guarantees of certification methods with the efficiency of quantum-native techniques such as randomized encoding and noise-based defenses.
Robustness evaluation is predominantly empirical, focused on performance degradation under attack (accuracy and related metrics), and robust accuracy on adversarial test sets. A key implication of the mapping is that there is no universally adopted benchmarking framework across models, datasets, and attack configurations, with frequent reliance on common datasets like MNIST and selected attack parameter settings, limiting cross study comparability and reproducibility. The evidence base includes a smaller but important set of theoretical or provable robustness approaches (for example, bounds and certification using fidelity, trace distance, SDP formulations, Lipschitz constants, or quantum hypothesis testing), yet these guarantees are not consistently validated under realistic noise and diverse attack settings, creating a persistent theory practice gap. The mapping also shows that fidelity and similarity metrics are used as quantum native evaluation signals, but the interpretability of how state level perturbations translate to downstream robustness degradation remains under explored.
The mapped evidence indicates that robustness research is strongly shaped by tradeoffs, compute limits, and hardware realities. Defense and robustness tradeoffs are explicitly mentioned across 11 studies, including oversmoothing effects and limited generalization of defenses across attack types. Algorithmic and theoretical constraints (10 studies) and practical dataset constraints (10 studies) further limit progress, including difficulty in scaling guarantees, the use of downscaled datasets, and restricted generalizability. Security and trust issues such as cloud opacity, untrusted compilers, and multi-tenant risks appear (7 studies), and measurement and testing constraints, including shot costs and verification difficulty for continuous quantum states, appear as additional bottlenecks (5 studies). At a more operational level, constraints noted in the mapped primary studies include the high cost of QPU access, queue times, and gradient estimation burdens linked to quantum training mechanics, which collectively slow iterative experimentation and robust training at scale.
Future directions concentrate on translating robustness from simulation to practice, strengthening certification, and expanding the scope of tasks and threats. The most frequently proposed direction is scalable, experiment feasible defenses validated on real quantum hardware (8 studies), followed by improved robustness certification and verification tools with tighter bounds (7 studies). The literature also prioritizes extending robustness beyond supervised learning to settings like unsupervised, reinforcement, and continual learning (6 studies), studying architectures and ansatz designs that inherently improve robustness (6 studies), and improving robustness against advanced and universal attacks including transfer and poisoning (6 studies). Additional mapped directions include integrating quantum noise or randomized encodings as defenses (5 studies) and benchmarking robustness across architectures, data types, and attacks (5 studies). At the individual study level, the future agenda also includes deeper integration of quantum error correction, hardware efficient architectures, and automated architecture search, reinforcing that robustness is expected to co-evolve with quantum hardware maturity.
The evidence suggests the field is still in a “first wave” phase: transferring classical adversarial ML assumptions into QML and validating on limited benchmarks. The next wave should broaden the threat model and the task model space, and align evaluation with quantum realities (noise, sampling, and deployment constraints). The lack of standardized protocols and the limited validation of formal guarantees under realistic noise conditions indicate that robustness claims can be fragile when moved across devices, encodings, and attack settings.
For practitioners deploying QML systems, the current evidence points to several practical steps. Threat modeling should move beyond input-level evasion and include pipeline-level risks such as data poisoning, model extraction, side-channel leakage, and vulnerabilities in multi-tenant QPU environments, as highlighted in studies addressing security and trust constraints under RQ5. Defense strategies must also align with hardware limitations. Although adversarial training is the most commonly reported approach, it often introduces a training cost increase of 3×–30× and is rarely feasible in NISQ settings. Lighter alternatives, including quantum randomized smoothing, noise injection, and robustness-aware architectural design, offer more practical starting points. Importantly, robustness results obtained from classical simulations should not be interpreted as deployment guarantees. Physical factors such as gate errors, decoherence, and crosstalk interact with adversarial perturbations in ways that simulations cannot fully capture. As a result, validation on real quantum hardware, even at a small scale, is essential before making credible robustness claims. Prior to deployment, evaluation should include at least two attack types beyond FGSM, report both clean and robust accuracy to clarify trade-offs, and, where APIs are exposed, assess adversarial transferability using surrogate models.
For researchers developing robust quantum architectures, the review highlights five key priorities that remain underexplored. First, robustness should be treated as a design objective from the outset, with ansatz depth, qubit connectivity, and encoding schemes considered as tunable variables rather than fixed choices. Evidence suggests that entanglement topology alone can yield robustness improvements of up to 60%. Second, simulation-based findings should be complemented by at least one hardware-based experiment to establish a physically grounded baseline, a direction widely recommended in RQ6 but still rarely implemented. Third, standardized reporting practices should be adopted, including full disclosure of attack configurations, evaluation on datasets beyond simplified benchmarks such as reduced MNIST, and public release of code. The lack of such standards remains a major barrier to reproducibility and cross-study comparison, as identified in RQ4. Fourth, robustness studies should expand beyond supervised classification to include areas such as quantum reinforcement learning, federated learning, and optimization frameworks like QAOA and VQE, where robustness analysis is largely absent despite known vulnerabilities in measurement-feedback systems. Finally, new defense methods should, where possible, incorporate partial theoretical guarantees, such as Lipschitz bounds, fidelity-based perturbation limits, or quantum hypothesis testing assurances. These provide a stronger foundation than relying solely on empirical accuracy under limited attack scenarios, which the evidence suggests is insufficient for safety-critical deployment.
The mapped gaps argue for the early development of shared robustness and security standards for QML systems. The absence of universal benchmarking and the limited uptake of certification methods make it difficult to compare systems or set minimum assurance thresholds. The prominence of future directions focused on certification and verification tools further supports the need for governance mechanisms that promote reproducible testing, reporting checklists, and procurement requirements for transparent threat models and evaluation protocols.
A key strength of the mapping exercise is the structured consolidation of fragmented literature into coherent taxonomies across threats, model families, defenses, evaluation methods, constraints, and future directions, enabling readers to see where evidence is concentrated and where it is sparse. The quantitative mapping of frequencies and proportions supports the transparent identification of dominant themes (for example, the predominance of adversarial examples, VQC centric studies, and adversarial training) and makes research gaps visible in a way that narrative summaries often do not.
As an evidence-mapping exercise, the synthesis is best interpreted as describing the landscape of what has been studied, rather than establishing definitive effect sizes or ranking defenses by effectiveness. The frequency-based summaries reflect what the literature reports and how it is distributed, but they do not, by themselves, resolve differences in experimental rigor, reproducibility, or external validity across studies.
Based on the observed concentrations and gaps, the following areas appear most in need of targeted primary studies:
  • QML native and lifecycle threat models, including attacks grounded in quantum specific properties and pipeline level vulnerabilities beyond input perturbations, such as cloud, compiler, scheduling, and side channel risks.
  • Benchmarking and reporting standards, including shared datasets, attack parameter reporting, hardware condition reporting, and reproducibility protocols to address the lack of standardized benchmarking.
  • Scalable defenses validated on real hardware, explicitly addressing device variability, noise, and deployment constraints, since this is the top future direction and a major current gap.
  • Robustness certification integrated with practice, focusing on methods that provide tight bounds and remain meaningful under NISQ noise, closing the theory practice gap highlighted in evaluation methods.
  • Broadening model and task coverage, especially robustness for non-classification QML (optimization, reinforcement, continual learning) and underrepresented model families, addressing both RQ2 gaps and RQ6 priorities.
  • Robustness under realistic constraints and tradeoffs, including the systematic study of accuracy robustness tradeoffs, defense transferability across attacks, and measurement cost aware evaluation, since these constraints repeatedly shape what is feasible.

5. Limitations

This scoping review has several limitations that should be considered when interpreting the findings. First, as a scoping review, the objective was to map and categorize the existing evidence rather than to critically appraise study quality or quantify effect sizes. Consequently, the synthesis reflects the distribution and focus of published studies, but it does not evaluate the methodological rigor, reproducibility, or comparative effectiveness of the reported defense strategies.
Second, the review was restricted to four major bibliographic databases and to studies published in English. Although these sources capture a substantial portion of the peer-reviewed literature, relevant studies indexed elsewhere or published in other languages may have been missed. In addition, preprints and non–peer-reviewed manuscripts were excluded, which may omit emerging findings in this rapidly evolving field.
Third, the inclusion criteria focused exclusively on empirical studies with experimental evaluation. While this strengthens the practical orientation of the mapping, it excludes purely theoretical or conceptual contributions that may provide important foundational insights into robustness certification and quantum-specific threat modeling.
Finally, frequency-based mapping does not necessarily reflect importance or effectiveness. Categories with higher occurrence indicate research attention rather than proven superiority, while less frequently reported areas may represent underexplored but potentially critical research directions. Therefore, the findings should be interpreted as a structured overview of the current landscape rather than as definitive guidance on optimal robustness strategies.

6. Conclusions

This scoping review mapped 53 empirical studies, with the retrieved records published predominantly from 2020 to 2026. Overall, the literature is concentrated on input-level evasion attacks and a limited set of commonly used QML architectures, with robustness evidence still largely shaped by ideas and experimental templates inherited from classical adversarial machine learning.
The mapped evidence indicates that most defenses remain empirical and are not yet consistently validated under deployment-realistic conditions, particularly when hardware noise, limited resources, and execution constraints are taken into account. Evaluation practices are also fragmented, with variability in datasets, attack configurations, and reporting choices limiting comparability and making it difficult to draw robust cross-study conclusions.
Implications for future research and practice are clear. Future work should expand beyond perturbation-based threat models to include broader lifecycle risks, strengthen evaluation through standardized benchmarks and reproducible reporting, and prioritize defenses that remain effective under realistic NISQ conditions and real-hardware execution. At the same time, the literature points to the need for more rigorous robustness assurance, including verification and certification approaches that better bridge the gap between theoretical guarantees and practical performance.
A key strength of this review is the structured mapping of an emerging and rapidly evolving field, which makes concentrations and gaps visible and supports research prioritization. However, as a scoping review, the synthesis is limited to what studies report and does not estimate pooled effects or rank defenses, while the available evidence itself is constrained by heterogeneous designs and current hardware limitations.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/computers15040233/s1, The full PRISMA checklist and flow diagram.

Author Contributions

Conceptualization, Y.A.K. and K.I.G.; methodology, Y.A.K. and K.I.G.; software, Y.A.K.; validation, Y.A.K. and K.I.G.; formal analysis, Y.A.K.; writing—original draft preparation, Y.A.K. and K.I.G.; writing—review and editing, Y.A.K. and K.I.G.; visualization, Y.A.K.; supervision, K.I.G.; project administration, K.I.G.; funding acquisition, K.I.G. All authors have read and agreed to the published version of the manuscript.

Funding

The APC was funded by Multimedia University.

Data Availability Statement

The original contributions presented in this study are included in the article/Supplementary Materials. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ASRAttack Success Rate
ATAdversarial Training
BIMBasic Iterative Method
CIAConfidentiality, Integrity, and Availability
FGSMFast Gradient Sign Method
HCQNNHybrid Classical–Quantum Neural Network
HQNNHybrid Quantum Neural Network
MIMMomentum Iterative Method
MNISTModified National Institute of Standards and Technology dataset
MSEMean Squared Error
NISQNoisy Intermediate-Scale Quantum
PCAPrincipal Component Analysis
PGDProjected Gradient Descent
PQCParameterized Quantum Circuit
PRISMA-ScRPreferred Reporting Items for Systematic Reviews and Meta-Analyses Extension for Scoping Reviews
QAEQuantum Autoencoder
QAOAQuantum Approximate Optimization Algorithm
QCNNQuantum Convolutional Neural Network
QFLQuantum Federated Learning
QGANQuantum Generative Adversarial Network
QMLQuantum Machine Learning
QNNQuantum Neural Network
QPUQuantum Processing Unit
QRLQuantum Reinforcement Learning
QSVMQuantum Support Vector Machine
QTLQuantum Transfer Learning
RISResearch Information Systems
SDPSemidefinite Programming
t-SNEt-Distributed Stochastic Neighbor Embedding
VQCVariational Quantum Circuit
VQEVariational Quantum Eigensolver

References

  1. Klusch, M.; Lässig, J.; Müssig, D.; Macaluso, A.; Wilhelm, F.K. Quantum Artificial Intelligence: A Brief Survey. Künstl. Intell. 2024, 38, 257–276. [Google Scholar] [CrossRef]
  2. Lamichhane, P.; Rawat, D.B. Quantum Machine Learning: Recent Advances, Challenges, and Perspectives. IEEE Access 2025, 13, 94057–94105. [Google Scholar] [CrossRef]
  3. Kalinin, M.; Krundyshev, V. Security Intrusion Detection Using Quantum Machine Learning Techniques. J. Comput. Virol. Hacking Technol. 2022, 19, 125–136. [Google Scholar] [CrossRef]
  4. Ullah, U.; Garcia-Zapirain, B. Quantum Machine Learning Revolution in Healthcare: A Systematic Review of Emerging Perspectives and Applications. IEEE Access 2024, 12, 11423–11450. [Google Scholar] [CrossRef]
  5. Rattan, A.; Rudra Pal, A.; Gurusamy, M. Quantum Computing for Advanced Driver Assistance Systems and Autonomous Vehicles: A Review. IEEE Access 2025, 13, 17554–17582. [Google Scholar] [CrossRef]
  6. Liu, N.; Du, M.; Guo, R.; Liu, H.; Hu, X. Adversarial Attacks and Defenses: An Interpretation Perspective. SIGKDD Explor. Newsl. 2021, 23, 86–99. [Google Scholar] [CrossRef]
  7. Kariya, M. Paper Discussion: Explaining and Harnessing Adversarial Examples. Medium. 2018. Available online: https://medium.com/@mahendrakariya/paper-discussion-explaining-and-harnessing-adversarial-examples-908a1b7123b5 (accessed on 11 November 2025).
  8. Zhao, W.; Alwidian, S.; Mahmoud, Q.H.; Zhao, W.; Alwidian, S.; Mahmoud, Q.H. Adversarial Training Methods for Deep Learning: A Systematic Review. Algorithms 2022, 15, 283. [Google Scholar] [CrossRef]
  9. Tian, J.; Wang, B.; Li, J.; Konstantinou, C. Adversarial Attack and Defense Methods for Neural Network Based State Estimation in Smart Grid. IET Renew. Power Gener. 2022, 16, 3507–3518. [Google Scholar] [CrossRef]
  10. Vyas, D.; Kapadia, V.V. Designing Defensive Techniques to Handle Adversarial Attack on Deep Learning Based Model. PeerJ Comput. Sci. 2024, 10, e1868. [Google Scholar] [CrossRef]
  11. Nowroozi, E.; Mohammadi, M.; Savaş, E.; Mekdad, Y.; Conti, M. Employing Deep Ensemble Learning for Improving the Security of Computer Networks Against Adversarial Attacks. IEEE Trans. Netw. Serv. Manag. 2023, 20, 2096–2105. [Google Scholar] [CrossRef]
  12. West, M.T.; Tsang, S.-L.; Low, J.S.; Hill, C.D.; Leckie, C.; Hollenberg, L.C.L.; Erfani, S.M.; Usman, M. Towards quantum enhanced adversarial robustness in machine learning. arXiv 2023, arXiv:2306.12688. [Google Scholar] [CrossRef]
  13. Montalbano, G.; Banchi, L. Quantum Adversarial Learning for Kernel Methods. Quantum Mach. Intell. 2025, 7, 15. [Google Scholar] [CrossRef]
  14. Nowmi, S.R.; Lopez, J.; Imon, M.M.A.; Pouryousef, S.; Rahman, M.S. Critical evaluation of quantum machine learning for adversarial robustness. arXiv 2025, arXiv:2511.14989. [Google Scholar] [CrossRef]
  15. Suryotrisongko, H.; Musashi, Y.; Tsuneda, A.; Sugitani, K. Adversarial Robustness in Hybrid Quantum-Classical Deep Learning for Botnet DGA Detection. J. Inf. Process. 2022, 30, 636–644. [Google Scholar] [CrossRef]
  16. Afane, M.; Ebbrecht, G.; Wang, Y.; Chen, J.; Farooq, J. ATP: Adaptive Threshold Pruning for Efficient Data Encoding in Quantum Neural Networks. arXiv 2025, arXiv:2503.21815. [Google Scholar] [CrossRef]
  17. Tricco, A.C.; Lillie, E.; Zarin, W.; O’Brien, K.K.; Colquhoun, H.; Levac, D.; Moher, D.; Peters, M.D.J.; Horsley, T.; Weeks, L.; et al. PRISMA Extension for Scoping Reviews (PRISMA-ScR): Checklist and Explanation. Ann. Intern. Med. 2018, 169, 467–473. [Google Scholar] [CrossRef]
  18. Arksey, H.; O’Malley, L. Scoping Studies: Towards a Methodological Framework. Int. J. Soc. Res. Methodol. 2005, 8, 19–32. [Google Scholar] [CrossRef]
  19. Rayyan: AI-Powered Systematic Review Management Platform. Available online: https://www.rayyan.ai/ (accessed on 30 January 2026).
  20. Johnson, N.; Phillips, M. Rayyan for Systematic Reviews. J. Electron. Resour. Librariansh. 2018, 30, 46–48. [Google Scholar] [CrossRef]
  21. Casares, P.A.M.; Martin-Delgado, M.A. A Quantum Active Learning Algorithm for Sampling against Adversarial Attacks. New J. Phys. 2020, 22, 073026. [Google Scholar] [CrossRef]
  22. Lu, S.; Duan, L.-M.; Deng, D.-L. Quantum Adversarial Machine Learning. Phys. Rev. Res. 2020, 2, 033212. [Google Scholar] [CrossRef]
  23. Gong, W.; Deng, D.-L. Universal Adversarial Examples and Perturbations for Quantum Classifiers. Natl. Sci. Rev. 2021, 9, nwab130. [Google Scholar] [CrossRef]
  24. Kehoe, A.; Wittek, P.; Xue, Y.; Pozas-Kerstjens, A. Defence against Adversarial Attacks Using Classical and Quantum-Enhanced Boltzmann Machines. Mach. Learn. Sci. Technol. 2021, 2, 045006. [Google Scholar] [CrossRef]
  25. Weber, M.; Liu, N.; Li, B.; Zhang, C.; Zhao, Z. Optimal Provable Robustness of Quantum Classification via Quantum Hypothesis Testing. npj Quantum Inf. 2021, 7, 76. [Google Scholar] [CrossRef]
  26. Kundu, S.; Ghosh, S. Security Aspects of Quantum Machine Learning: Opportunities, Threats and Defenses. In Proceedings of the Great Lakes Symposium on VLSI 2022; Association for Computing Machinery: New York, NY, USA, 2022; pp. 463–468. [Google Scholar]
  27. Hou, Y.-Y.; Li, J.; Chen, X.-B.; Ye, C.-Q. Quantum Adversarial Metric Learning Model Based on Triplet Loss Function. EPJ Quantum Technol. 2023, 10, 24. [Google Scholar] [CrossRef]
  28. Huang, C.; Zhang, S. Enhancing Adversarial Robustness of Quantum Neural Networks by Adding Noise Layers. New J. Phys. 2023, 25, 083019. [Google Scholar] [CrossRef]
  29. Konar, D.; Sarma, A.D.; Bhandary, S.; Bhattacharyya, S.; Cangi, A.; Aggarwal, V. A Shallow Hybrid Classical–Quantum Spiking Feedforward Neural Network for Noise-Robust Image Classification. Appl. Soft Comput. 2023, 136, 110099. [Google Scholar] [CrossRef]
  30. Qiu, Y.-Z. Universal Adversarial Perturbations for Multiple Classification Tasks with Quantum Classifiers. Mach. Learn. Sci. Technol. 2023, 4, 045009. [Google Scholar] [CrossRef]
  31. West, M.T.; Erfani, S.M.; Leckie, C.; Sevior, M.; Hollenberg, L.C.L.; Usman, M. Benchmarking Adversarially Robust Quantum Machine Learning at Scale. Phys. Rev. Res. 2023, 5, 023186. [Google Scholar] [CrossRef]
  32. Akash, A.R.; Khot, A.; Kim, T. Quantum Annealing-Based Machine Learning for Battery Health Monitoring Robust to Adversarial Attacks. In Proceedings of the 2023 IEEE Energy Conversion Congress and Exposition (ECCE), Nashville, TN, USA, 29 October–2 November 2023; pp. 6307–6311. [Google Scholar]
  33. Akter, M.S.; Shahriar, H.; Iqbal, I.; Hossain, M.; Karim, M.A.; Clincy, V.; Voicu, R. Exploring the Vulnerabilities of Machine Learning and Quantum Machine Learning to Adversarial Attacks Using a Malware Dataset: A Comparative Analysis. In Proceedings of the 2023 IEEE International Conference on Software Services Engineering (SSE), Chicago, IL, USA, 2–8 July 2023; pp. 222–231. [Google Scholar]
  34. Anil, G.; Vinod, V.; Narayan, A. Generating Universal Adversarial Perturbations for Quantum Classifiers. In Proceedings of the AAAI Conference on Artificial Intelligence; Association for the Advancement of Artificial Intelligence: Washington, DC, USA, 2024; Volume 38, pp. 10891–10899. [Google Scholar] [CrossRef]
  35. Gong, W.; Yuan, D.; Li, W.; Deng, D.-L. Enhancing Quantum Adversarial Robustness by Randomized Encodings. Phys. Rev. Res. 2024, 6, 023020. [Google Scholar] [CrossRef]
  36. Huang, C.; Zhang, S. Adversarial Examples Detection Based on Quantum Fuzzy Convolution Neural Network. Quantum Inf. Process. 2024, 23, 143. [Google Scholar] [CrossRef]
  37. Reers, V.; Maußner, M. Comparative Analysis of Vulnerabilities in Classical and Quantum Machine Learning. In Proceedings of the Jahrestagung der Gesellschaft für Informatik (INFORMATIK 2024), Wiesbaden, Germany, 24–26 September 2024. [Google Scholar] [CrossRef]
  38. Winderl, D.; Franco, N.; Lorenz, J.M. Quantum Neural Networks under Depolarization Noise: Exploring White-Box Attacks and Defenses. Quantum Mach. Intell. 2024, 6, 83. [Google Scholar] [CrossRef]
  39. Yang, Y.; Zhang, S.; Yan, L.; Chang, Y. Hybrid Classical Quantum Neural Network with High Adversarial Robustness. In Proceedings of the 2024 International Conference on Machine Learning and Intelligent Computing, Wuhan, China, 26–28 April 2024. [Google Scholar]
  40. Akter, M.S.; Shahriar, H.; Cuzzocrea, A.; Wu, F. Quantum Adversarial Attacks: Developing Quantum FGSM Algorithm. In Proceedings of the 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC), Osaka, Japan, 2–4 July 2024; pp. 1073–1079. [Google Scholar]
  41. El Maouaki, W.; Marchisio, A.; Said, T.; Shafique, M.; Bennai, M. RobQuNNs: A Methodology for Robust Quanvolutional Neural Networks against Adversarial Attacks. In Proceedings of the 2024 IEEE International Conference on Image Processing Challenges and Workshops (ICIPCW), Abu Dhabi, United Arab Emirates, 27–30 October 2024; pp. 4090–4095. [Google Scholar]
  42. Georgiou, P.; Jose, S.T.; Simeone, O. Adversarial Quantum Machine Learning: An Information-Theoretic Generalization Analysis. In Proceedings of the 2024 IEEE International Symposium on Information Theory (ISIT), Athens, Greece, 7–12 July 2024; pp. 789–794. [Google Scholar]
  43. Kundu, S.; Choudhury, N.; Das, S.; Raha, A.; Basu, K. QNAD: Quantum Noise Injection for Adversarial Defense in Deep Neural Networks. In Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Tysons Corner, VA, USA, 6–9 May 2024; pp. 1–11. [Google Scholar]
  44. Maouaki, W.E.; Marchisio, A.; Said, T.; Bennai, M.; Shafique, M. AdvQuNN: A Methodology for Analyzing the Adversarial Robustness of Quanvolutional Neural Networks. In Proceedings of the 2024 IEEE International Conference on Quantum Software (QSW), Shenzhen, China, 7–13 July 2024; pp. 175–181. [Google Scholar]
  45. Saxena, A.; Wollschläger, T.; Franco, N.; Lorenz, J.M.; Günnemann, S. Certifiably Robust Encoding Schemes. In Proceedings of the 2024 IEEE International Conference on Quantum Computing and Engineering (QCE), Montreal, QC, Canada, 15–20 September 2024; Volume 1, pp. 1571–1582. [Google Scholar]
  46. Wendlinger, M.; Tscharke, K.; Debus, P. A Comparative Analysis of Adversarial Robustness for Quantum and Classical Machine Learning Models. In Proceedings of the 2024 IEEE International Conference on Quantum Computing and Engineering (QCE), Montreal, QC, Canada, 15–20 September 2024; Volume 1, pp. 1447–1457. [Google Scholar]
  47. Yu, S.; Zhou, Y. Quantum Adversarial Machine Learning for Robust Power System Stability Assessment. In Proceedings of the 2024 IEEE Power & Energy Society General Meeting (PESGM), Seattle, WA, USA, 21–25 July 2024; pp. 1–5. [Google Scholar]
  48. Kundu, S.; Ghosh, S. SoK Paper: Security Concerns in Quantum Machine Learning as a Service. In Proceedings of the International Workshop on Hardware and Architectural Support for Security and Privacy 2024; Association for Computing Machinery: New York, NY, USA, 2024; pp. 28–36. [Google Scholar]
  49. Kundu, S.; Kundu, D.; Ghosh, S. Evaluating Efficacy of Model Stealing Attacks and Defenses on Quantum Neural Networks. In Proceedings of the Great Lakes Symposium on VLSI 2024; Association for Computing Machinery: New York, NY, USA, 2024; pp. 556–559. [Google Scholar]
  50. Khatun, A.; Usman, M. Classical Autoencoder Distillation of Quantum Adversarial Manipulations. Phys. Rev. Res. 2025, 7, L042054. [Google Scholar] [CrossRef]
  51. Khatun, A.; Usman, M. Quantum Transfer Learning with Adversarial Robustness for Classification of High-Resolution Image Datasets. Adv. Quantum Technol. 2025, 8, 2400268. [Google Scholar] [CrossRef]
  52. Lin, Y.; Guan, J.; Fang, W.; Ying, M.; Su, Z. VeriQR: A Robustness Verification Tool for Quantum Machine Learning Models. In Proceedings of the Formal Methods; Platzer, A., Rozier, K.Y., Pradella, M., Rossi, M., Eds.; Springer Nature: Cham, Switzerland, 2025; pp. 403–421. [Google Scholar]
  53. Sihare, S.R. Decoherence and Quantum Threats in Voice Biometric Authentication with Post-Quantum Countermeasures. Quantum Inf. Process. 2025, 24, 370. [Google Scholar] [CrossRef]
  54. Tan, D.; Yan, L.; Zhao, J.; Chang, Y.; Zhang, S. A Black-Box Attack Method of Machine Learning Algorithms Based on Quantum Autoencoders. Phys. A Stat. Mech. Its Appl. 2025, 680, 131033. [Google Scholar] [CrossRef]
  55. Debus, P.; Wendlinger, M.; Tscharke, K.; Herr, D.; Brügmann, C.; De Mello, D.O.; Ulmanis, J.; Erhard, A.; Schmidt, A.; Petsch, F. Entangled Threats: A Unified Kill Chain Model for Quantum Machine Learning Security. In Proceedings of the 2025 IEEE International Conference on Quantum Computing and Engineering (QCE), Albuquerque, NM, USA, 31 August–5 September 2025; Volume 1, pp. 1653–1664. [Google Scholar]
  56. Ergu, Y.A.; Nguyen, V.-L.; Lin, P.-C.; Hwang, R.-H. Q-Poison: Quantum Adversarial Attacks against QML-Driven Interference Classification in O-RAN. In Proceedings of the 2025 IEEE International Conference on Machine Learning for Communication and Networking (ICMLCN), Barcelona, Spain, 26–29 May 2025; pp. 1–6. [Google Scholar]
  57. Innan, N.; Kashif, M.; Marchisio, A.; Bennai, M.; Shafique, M. Next-Generation Quantum Neural Networks: Enhancing Efficiency, Security, and Privacy. In Proceedings of the 2025 IEEE 31st International Symposium on On-Line Testing and Robust System Design (IOLTS), Ischia, Italy, 7–9 July 2025; pp. 1–4. [Google Scholar]
  58. Li, B.; Alpcan, T.; Thapa, C.; Parampalli, U. Computable Model-Independent Bounds for Adversarial Quantum Machine Learning. IEEE Trans. Quantum Eng. 2025, 6, 3102322. [Google Scholar] [CrossRef]
  59. Marchiori, F.; Conti, M. ATTAQ: Adversarial Robustness of Quantum Machine Learning. In Proceedings of the 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Naples, Italy, 23–26 June 2025; pp. 200–207. [Google Scholar]
  60. Nguyen, V.-L.; Nguyen, L.-H.; Hwang, R.-H.; Canberk, B.; Duong, T.Q. Quantum Machine Learning for 6G Network Intelligence and Adversarial Threats. IEEE Commun. Stand. Mag. 2025, 9, 40–48. [Google Scholar] [CrossRef]
  61. Nowmi, S.R.; Lopez, J.; Imon, M.M.A.; Cadena, V.; Pouryousef, S.; Rahman, M.S. Towards Robust Quantum Machine Learning. In Proceedings of the 2025 IEEE International Conference on Quantum Computing and Engineering (QCE), Albuquerque, NM, USA, 31 August–5 September 2025; Volume 2, pp. 632–633. [Google Scholar]
  62. Onim, M.S.H.; Thapliyal, H. Detection of Physiological Data Tampering Attacks with Quantum Machine Learning. In Proceedings of the 2025 IEEE International Symposium on Circuits and Systems (ISCAS), London, UK, 25–28 May 2025; pp. 1–5. [Google Scholar]
  63. Pathak, I.P.; Yilmazer, N.; Pankajkumar Patel, D. Quantum GAN-Based Adversarial Attack Generation for Network Intrusion Detection System. In Proceedings of the 2025 IEEE International Carnahan Conference on Security Technology (ICCST), San Antonio, TX, USA, 13–17 October 2025; pp. 1–6. [Google Scholar]
  64. Pokharel, A.; Rahman, R.; Shaon, S.; Morris, T.; Nguyen, D.C. Differentially Private Federated Quantum Learning via Quantum Noise. In Proceedings of the 2025 IEEE International Conference on Quantum Computing and Engineering (QCE), Albuquerque, NM, USA, 31 August–5 September 2025; Volume 1, pp. 1559–1565. [Google Scholar]
  65. Quadri, H.; Wang, H.; Islam, S.; Li, B.; Li, X. Quantum SVM Algorithms for Efficient Defense Against Gradient-Based Adversarial Attacks. In Proceedings of the 2025 International Conference on Networking and Network Applications (NaNA), Tashkent City, Uzbekistan, 8–11 August 2025; pp. 458–464. [Google Scholar]
  66. Bhaskar, S.V.; Spoorthi, K.R.; Harshith, C.M.; Santhosh Krishna, B.V.; Ramani, D.R.; Vijayasekaran, G. Quantum-Driven Machine Learning Framework for Enhanced Detection of Malicious URLs in Cybersecurity. In Proceedings of the 2025 3rd International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India, 6–8 August 2025; pp. 360–367. [Google Scholar]
  67. Upadhyay, S.; Ghosh, S. Quantum Data Breach: Reusing Training Dataset by Untrusted Quantum Clouds. In Proceedings of the 2025 26th International Symposium on Quality Electronic Design (ISQED), San Francisco, CA, USA, 23–25 April 2025; pp. 1–7. [Google Scholar]
  68. Upadhyay, S.; Ghosh, S. Quantum Quandaries: Unraveling Encoding Vulnerabilities in Quantum Neural Networks. In Proceedings of the 2025 26th International Symposium on Quality Electronic Design (ISQED), San Francisco, CA, USA, 23–25 April 2025; pp. 1–7. [Google Scholar]
  69. Winderl, D.; Franco, N.; Lorenz, J.M. Constructing Optimal Noise Channels for Enhanced Robustness in Quantum Machine Learning. In Proceedings of the 2025 IEEE International Conference on Quantum Computing and Engineering (QCE), Albuquerque, NM, USA, 31 August–5 September 2025; Volume 1, pp. 1566–1577. [Google Scholar]
  70. Kundu, S.; Ghosh, S. Adversarial Data Poisoning Attack on Quantum Machine Learning in the NISQ Era. In Proceedings of the Great Lakes Symposium on VLSI 2025; Association for Computing Machinery: New York, NY, USA, 2025; pp. 976–981. [Google Scholar]
  71. Shi, J.; Xiao, Z.; Shi, H.; Jiang, Y.; Li, X. QuanTest: Entanglement-Guided Testing of Quantum Neural Network Systems. ACM Trans. Softw. Eng. Methodol. 2025, 34, 32. [Google Scholar] [CrossRef]
  72. Addo, K.; Kabeya, M.; Ojo, E.E. Federated Quantum Machine Learning for Distributed Cybersecurity in Multi-Agent Energy Systems. Energies 2025, 18, 5418. [Google Scholar] [CrossRef]
  73. Li, Y.; Ma, C.; Li, Y.; Li, S.; Chen, Y.; Dong, Z. QSTAformer: A Quantum-Enhanced Transformer for Robust Short-Term Voltage Stability Assessment against Adversarial Attacks. Appl. Energy 2026, 405, 127196. [Google Scholar] [CrossRef]
  74. Peters, M.D.J.; Marnie, C.; Tricco, A.C.; Pollock, D.; Munn, Z.; Alexander, L.; McInerney, P.; Godfrey, C.M.; Khalil, H. Updated Methodological Guidance for the Conduct of Scoping Reviews. JBI Evid. Synth. 2020, 18, 2119–2126. [Google Scholar] [CrossRef] [PubMed]
  75. Milburn, G.J. Quantum Learning Machines. arXiv 2023, arXiv:2305.07801. [Google Scholar] [CrossRef]
  76. Wood, C.; Shrapnel, S.; Milburn, G.J. A Kerr Kernel Quantum Learning Machine. arXiv 2024, arXiv:2404.01787. [Google Scholar] [CrossRef]
  77. Milburn, G.J.; Basiri-Esfahani, S. The Physics of Learning Machines. Contemp. Phys. 2022, 63, 34–60. [Google Scholar] [CrossRef]
  78. Borah, S.; Sarma, B.; Kewming, M.; Milburn, G.J.; Twamley, J. Measurement-Based Feedback Quantum Control with Deep Reinforcement Learning for a Double-Well Nonlinear Potential. Phys. Rev. Lett. 2021, 127, 190403. [Google Scholar] [CrossRef]
Figure 1. PRISMA-ScR flow diagram tailored for the study.
Figure 1. PRISMA-ScR flow diagram tailored for the study.
Computers 15 00233 g001
Figure 2. Percentage distribution of QML model types investigated.
Figure 2. Percentage distribution of QML model types investigated.
Computers 15 00233 g002
Figure 3. Frequency distribution of defense strategy categories proposed for adversarial robustness in QML.
Figure 3. Frequency distribution of defense strategy categories proposed for adversarial robustness in QML.
Computers 15 00233 g003
Table 1. Description and purpose of the RQs in the scoping review.
Table 1. Description and purpose of the RQs in the scoping review.
Research Question (RQ)Description and Purpose
RQ1. What types of adversarial threat vectors have been investigated?Identify and classify the adversarial threat surfaces studied in QML.
RQ2. Which QML models have been studied in adversarial robustness research?Map the QML model families examined under adversarial conditions.
RQ3. What defense strategies have been proposed to improve adversarial robustness?Describe and categorize defense mechanisms proposed in the literature.
RQ4. How is adversarial robustness evaluated in existing studies?Examine how studies define and measure robustness.
RQ5. What practical and technological constraints influence adversarial robustness research?Identify constraints shaping study design and outcomes.
RQ6. What future research directions are proposed for advancing adversarial robustness?Synthesize prospective research directions and open challenges reported across studies
Table 2. Description of searching criteria for the scoping review.
Table 2. Description of searching criteria for the scoping review.
AspectDescription
DatabasesScopus, ACM, and IEEE Xplore; MDPI (supplementary source)
Search Strings• ACM: “quantum machine learning” AND adversarial attacks
• IEEE Xplore: (“All Metadata”: “quantum machine learning”) AND (“All Metadata”: adversarial attacks)
• MDPI: “quantum machine learning” AND adversarial attacks
• Scopus: TITLE-ABS-KEY ((“quantum machine learning”) AND (adversarial attacks))
Inclusion Criteria• Empirical studies examining adversarial robustness in QML, including the design, analysis, or evaluation of threat vectors and defense strategies.
• Language: English.
• Type of study: Primary research (original experiments, benchmarks, or formal analyses conducted by the authors, including robustness evaluation under attack or defense conditions).
Exclusion CriteriaStudies outside the scope of adversarial robustness in QML, classical only adversarial ML without a quantum component, QML articles with no adversarial or robustness focus, not in English, not primary research, preprints and non-peer reviewed manuscripts.
Total Record ObtainedScopus (77), ACM (132), MDPI (2), IEEE Xplore (39).
Total Records: 250
Table 3. Summary of included studies.
Table 3. Summary of included studies.
Published YearDatabaseRefs.
2020Scopus[21,22]
2021Scopus[23,24,25]
2022ACM[26]
2023Scopus[27,28,29,30,31]
IEEE Xplore[32,33]
2024Scopus[34,35,36,37,38,39]
IEEE Xplore[40,41,42,43,44,45,46,47]
ACM[48,49]
2025Scopus[50,51,52,53,54]
IEEE Xplore[55,56,57,58,59,60,61,62,63,64,65,66,67,68,69]
ACM[70,71]
MDPI[72]
2026Scopus[73]
Table 4. Summary of investigated adversarial threat vectors.
Table 4. Summary of investigated adversarial threat vectors.
Threat CategoryDescriptionOccurrencePercentage
Adversarial ExamplesEvasion attacks using perturbations on input data to cause misclassification.3840.4%
Poisoning AttacksTraining-time manipulations such as label flips, data poisoning, or removal of training data.88.5%
Transfer AttacksCrafting adversarial examples on surrogate models and transferring to target quantum/classical models.88.5%
Noise/Corruption AttacksRandom noise perturbations or naturally occurring/engineered noise manipulation.77.4%
Functional/Physical AttacksPerturbations constrained by physical realizability.66.4%
Fault Injection/Crosstalk AttacksAttacks exploiting hardware effects to degrade or manipulate performance.44.3%
Universal Adversarial PerturbationsSpecific class of adversarial inputs that generalize across inputs or models.33.2%
Model Stealing/Extraction AttacksAttacker queries to clone or extract the model.33.2%
Side-Channel AttacksUsing power, timing, crosstalk to infer or leak model information.33.2%
Backdoor/Trojan AttacksMalicious circuit insertions or embedded triggers causing targeted misclassification.33.2%
Data Obfuscation/EvasionObfuscation of circuit or input data to evade detection or degrade performance.33.2%
Quantum State Poisoning AttacksManipulating quantum states directly in training or inference.33.2%
Inference/Membership AttacksAttacks revealing sensitive information from models and data.22.1%
Denial of Service/Availability AttacksAttacks aimed at disrupting service availability.22.1%
Adversarial Metric Learning AttacksAttacks targeting metric learning objectives.11.1%
Table 5. Summary of evaluation method.
Table 5. Summary of evaluation method.
Evaluation Method CategoryDescriptionEvaluation EnvironmentRefs.
Empirical Performance Metrics under AttackMeasuring classification or regression performance (accuracy, F1, precision, recall, MSE, R2, etc.) on perturbed inputs.Classical Simulators[22,24,27,28,29,30,31,32,33,34,36,39,40,41,43,44,46,47,50,51,52,54,56,57,59,61,62,64,65,66,67,68,69,71,72,73]
Robust Accuracy or Adversarial AccuracyQuantifying robustness as classification accuracy specifically on adversarial test sets or robust accuracy metrics. Classical Simulators[22,23,24,26,27,28,30,31,32,34,38,39,41,43,44,45,46,50,51,52,57,59,64,65,69,73]
Theoretical/Provable Robustness GuaranteesUsing mathematical guarantees, bounds, or certification methods based on fidelity, distance metrics (Uhlmann, trace), SDP formulations, Lipschitz constants, or quantum hypothesis testing.Mathematical Modeling and Formal Analysis[21,23,25,35,38,42,45,52,55,58,69]
Similarity and Fidelity MetricsEmploying fidelity or closeness metrics between clean and adversarial quantum states to quantify perturbation impact. Classical Simulators[22,23,30,34,37,40,50,54,56,57,60,63,69]
Robustness under Different Attack TypesEvaluation across varying adversarial methods (FGSM, BIM, PGD, MIM, universal, white-box, black-box, targeted, untargeted)Classical Simulators[22,23,28,30,31,33,34,38,40,41,43,44,54,59,64,65]
Transferability and GeneralizabilityEvaluating if adversarial examples transfer between models or how defense generalizes across attacks.Classical Simulators[23,26,34,36,40,44,54,59]
Attack Success Rate (ASR) and Accuracy DropMeasuring how often adversarial attacks successfully mislead models and corresponding drops in accuracy. Classical Simulators[22,33,37,40,54,59,64]
Privacy and Security Related MetricsRobustness evaluated within broader security frameworks including Total Variation Distance, Privacy budget analysis, CIA triad.Hybrid (Classical simulators combined with formal security analysis)[26,48,55,60,67,72]
Adversarial Risk/Error RatesMeasuring difference in population risk and training risk under adversarial conditions, or adversarial error rates.Theoretical/
Statistical Analysis
[42,52,58,59]
Noise Injection or Randomized EncodingsStudy how noise layers or randomized encodings improve robustness under attack.Classical Simulators[28,35,43,69]
Visualizations and Geometric ProxiesVisualization of data separations, Hilbert space separability, t-SNE, or other geometry-based proxies for robustness. Simulation-based visual analytics[27,62,63]
Statistical Testing and Hypothesis TestsUsing paired significance tests (e.g., Wilcoxon signed-rank test) to validate improvements in robustness.Simulation-based statistical validation[29]
Table 6. Practical and technological constraints influencing adversarial robustness research in QML.
Table 6. Practical and technological constraints influencing adversarial robustness research in QML.
Constraint CategoryDescriptionNo of Studies MentionedRefs.
Hardware LimitationsSmall number of qubits, limited qubit connectivity, device architecture constraints. Limits model size and circuit depth.28[21,24,26,27,31,32,33,34,35,37,38,39,40,42,44,46,47,48,49,55,56,57,58,59,61,69,70,72,73]
NISQ Noise and ErrorsGate errors, decoherence, measurement noise, crosstalk, limiting fidelity and increasing vulnerability.22[22,24,25,26,27,31,36,37,38,42,43,46,47,48,49,52,55,57,58,59,60,70]
Simulation and Computational Resource LimitsHigh cost and limits on classical simulation of quantum systems; constrained data dimension due to qubit limits; slow training.21[21,23,26,27,28,29,31,33,34,36,37,42,44,46,48,49,52,58,61,64,71]
Model Training ChallengesBarren plateaus (vanishing gradients), expensive adversarial training, gradient estimation overhead, lack of backpropagation.18[22,26,27,28,38,39,42,48,49,53,54,57,58,59,60,61,70,73]
Data Dimensionality/Encoding IssuesNecessity of dimension reduction (e.g., PCA), difficulty encoding classical data into quantum states due to limited qubits.17[21,27,30,33,34,39,40,46,47,51,54,57,65,66,68,69]
Defense and Robustness Trade-offsTrade-off between accuracy and robustness; oversmoothing noise can degrade accuracy; limited generalization across attacks.11[22,24,25,35,44,45,46,57,59,60,61]
Algorithmic and Theoretical ConstraintsLack of closed-form solutions, difficulty in guaranteeing robustness for multi-class or large spaces, limited theoretical tools.10[22,25,30,38,42,44,45,46,54,58]
Practical Dataset ConstraintsSmall or downscaled datasets (e.g., MNIST 7 × 7, 16 × 16), limited number of training samples, task-specific benchmarks.10[24,29,33,34,36,44,50,54,61,66]
Security and Trust IssuesCloud opacity, untrusted compilers, multi-tenant cloud risks, reusing datasets, data leakage, leak of IP, adversarial access.7[26,37,52,55,67,68,73]
Measurement and Testing ConstraintsNeed for large number of shots/samples, statistical estimation, verification challenges due to continuous quantum states.5[25,48,52,58,71]
Table 7. Proposed Future Research Directions for Advancing Adversarial Robustness in QML.
Table 7. Proposed Future Research Directions for Advancing Adversarial Robustness in QML.
Proposed Research DirectionNo of MentionedRefs.
Developing experiment-feasible and scalable adversarial defense mechanisms on real quantum hardware8[21,23,24,28,31,34,39,73]
Improving robustness certification and verification tools including tight generalization and robustness bounds7[25,42,45,52,58,61,69]
Extending adversarial robustness studies beyond current supervised learning to unsupervised, reinforcement learning, and continual learning settings6[22,23,30,35,37,61]
Studying specific quantum architectures or ansatz designs to inherently improve robustness6[24,38,41,44,57,68]
Developing robustness against advanced and universal adversarial attacks, including transfer attacks and poisoning6[23,26,30,40,55,70]
Integrating quantum noise or randomized encodings as a defense mechanism5[28,35,43,59,69]
Benchmarking robustness across various QML architectures, data types, and attacks5[31,37,46,55,71]
Optimizing model architectures and training strategies to balance robustness and accuracy4[27,44,46,51]
Combining classical and quantum methods for hybrid defense frameworks3[24,41,59]
Table 8. Classical Inheritance vs. Quantum-Specific Innovation in QML Robustness.
Table 8. Classical Inheritance vs. Quantum-Specific Innovation in QML Robustness.
AspectDirectly Inherited from Classical Adversarial MLGenuinely Quantum-Specific Elements
Adversarial Threat Vectors (RQ1)Input-level evasion attacks using gradient-based perturbations such as FGSM, PGD, and BIM; training-time poisoning (e.g., label flipping); model stealing and extraction attacks.Quantum state-level attacks (e.g., quantum state poisoning); functional or physical perturbations targeting unitary operations; hardware-level attacks such as fault injection and crosstalk exploitation.
Defense Strategies (RQ3)Adversarial Training (dominant approach); defensive distillation; gradient masking; classical data augmentation and differential privacy mechanisms.Quantum randomized smoothing using native noise channels (e.g., depolarizing, phase damping); randomized encoding or cloaking to induce barren plateaus; ansatz and circuit architecture optimization for inherent robustness.
Evaluation Methods (RQ4)Empirical performance metrics under attack (accuracy, F1-score, precision, recall); attack success rate (ASR); evaluation on perturbed classical datasets.Quantum state-level metrics such as fidelity (e.g., Uhlmann fidelity) and trace distance; robustness certification via quantum hypothesis testing and semidefinite programming formulations.
Practical and Technological Constraints (RQ5)Accuracy–robustness trade-offs; computational resource limitations; reliance on simplified or downscaled datasets (e.g., MNIST).NISQ-era constraints including decoherence, gate errors, and measurement noise; barren plateaus (vanishing gradients); limited qubit connectivity; no-cloning theorem affecting gradient estimation and data reuse.
Research Methodology (RQ2 and RQ6)Focus on supervised classification tasks; reliance on white-box and black-box attack paradigms adapted from classical deep learning.Exploration of quantum-native tasks (e.g., entanglement classification, Hamiltonian learning); consideration of thermodynamic and dissipative learning dynamics in quantum systems.
Table 9. Comparison of Adversarial Defense Strategies in QML.
Table 9. Comparison of Adversarial Defense Strategies in QML.
Defense StrategyRobustness GainAccuracy ImpactComputational Cost
Adversarial Training (AT)HighModerateVery High
Sampling-Based DefensesHighLowLow
Regularization TechniquesModerateLowLow
Ensemble and Game-Theoretic ApproachesModerate-Moderate
Robustness Certification and VerificationHigh-High
Advanced Aggregation and Federated LearningHighLowLow
Gradient Masking and Defensive DistillationHighLowLow
Hybrid Classical-Quantum ArchitecturesModerateLowModerate
Adversarial Sample Detection/PurificationHighLowLow
Differential Privacy (DP) and Noise for PrivacyModerateHighModerate
Preprocessing and Data AugmentationHighLowLow
Randomized Encoding/CloakingModerateLowLow
Quantum Noise ExploitationHighModerateLow
Circuit Architecture OptimizationHighLow-
Hardware-level Defenses and ObfuscationLowLowLow
Quantum Randomized Smoothing/Noise InjectionModerateModerateHigh
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kustiawan, Y.A.; Ghauth, K.I. Adversarial Robustness in Quantum Machine Learning: A Scoping Review. Computers 2026, 15, 233. https://doi.org/10.3390/computers15040233

AMA Style

Kustiawan YA, Ghauth KI. Adversarial Robustness in Quantum Machine Learning: A Scoping Review. Computers. 2026; 15(4):233. https://doi.org/10.3390/computers15040233

Chicago/Turabian Style

Kustiawan, Yanche Ari, and Khairil Imran Ghauth. 2026. "Adversarial Robustness in Quantum Machine Learning: A Scoping Review" Computers 15, no. 4: 233. https://doi.org/10.3390/computers15040233

APA Style

Kustiawan, Y. A., & Ghauth, K. I. (2026). Adversarial Robustness in Quantum Machine Learning: A Scoping Review. Computers, 15(4), 233. https://doi.org/10.3390/computers15040233

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop