Adversarial Examples from Cryptographic Pseudo-Random Generators
This addresses the problem of adversarial examples in machine learning by showing inherent computational hardness, which is foundational for understanding security limitations.
The paper constructs a binary classification task where a maximally robust classifier exists, but learning it is computationally hard under a standard cryptographic assumption, strengthening previous results on adversarial examples.
In our recent work (Bubeck, Price, Razenshteyn, arXiv:1805.10204) we argued that adversarial examples in machine learning might be due to an inherent computational hardness of the problem. More precisely, we constructed a binary classification task for which (i) a robust classifier exists; yet no non-trivial accuracy can be obtained with an efficient algorithm in (ii) the statistical query model. In the present paper we significantly strengthen both (i) and (ii): we now construct a task which admits (i') a maximally robust classifier (that is it can tolerate perturbations of size comparable to the size of the examples themselves); and moreover we prove computational hardness of learning this task under (ii') a standard cryptographic assumption.