Jul 14, 2022

Sound Randomized Smoothing in Floating-Point Arithmetics

arXiv:2207.07209v2 | 5 citations | h-index: 65

This addresses a critical flaw in randomized smoothing for practitioners in adversarial machine learning, ensuring reliable robustness certifications in real-world floating-point systems.

The paper identifies that randomized smoothing, a method for certifying robustness against adversarial attacks, becomes unsound when implemented with limited floating-point precision, as it can produce false certificates (e.g., certifying a radius of 1.26 when an adversarial example exists at distance 0.8). It proposes a sound approach for floating-point precision that maintains similar speed and matches certificates of the standard unsound practice for tested classifiers.

Randomized smoothing is sound when using infinite precision. However, we show that randomized smoothing is no longer sound under limited floating-point precision. We present a simple example in which randomized smoothing certifies a radius of $1.26$ around a point even though an adversarial example exists at distance $0.8$, and we extend this example to produce false certificates for CIFAR10. We discuss the implicit assumptions of randomized smoothing and show that they do not hold for the generic image classification models whose smoothed versions are commonly certified. To overcome this problem, we propose a sound approach to randomized smoothing under floating-point precision that runs at essentially the same speed and matches the certificates of the standard, unsound practice on all standard classifiers tested so far. Our only assumption is that we have access to a fair coin.
