Decoupling the Dual Impact of NISQ Noise on Quantum Adversarial Robustness

As quantum machine learning modules become increasingly integrated into NISQ-era infrastructures, it remains unclear whether intrinsic device noise can be regarded as a passive defense against adversarial examples, or whether it in fact introduces a new attack surface. To answer this question, we propose a noise-aware four-path evaluation protocol that decouples the noise assumed at attack generation from the noise present at inference, and we systematically test it on a 4-qubit variational quantum classifier over four datasets with depolarizing probabilities in the range p∈[0,0.3], using both standard gradient attacks and expectation over transformation (EOT)-based attacks. The results show that for some datasets, higher noise does suppress attacks, whereas for others attacks remain effective even at p=0.3, and in several cases a moderate noise level even maximizes the attack success rate. Moreover, we find that adversarial examples generated under moderate noise often attack the clean model more successfully than those generated in an ideal setting, demonstrating that noise can be actively exploited by an adversary to discover more transferable adversarial directions. Therefore, ambient noise should not be treated as a built-in security guarantee, and future quantum machine learning (QML) robustness evaluations must explicitly model such noise-aware threats.