\hideLIPIcs\ccsdesc

[300]Theory of computation Mathematical optimization University of Wisconsin-Madison, Madison, WI, [email protected] University of Wisconsin-Madison, Madison, WI, [email protected] Wayne State University, Detroit, MI, [email protected] University of Wisconsin-Madison, Madison, WI, [email protected] \CopyrightChangyu Gao, Andrew Lowy, Xingyu Zhou, and Stephen J. Wright

Optimal Rates for Robust Stochastic Convex Optimization

Changyu Gao Andrew Lowy Xingyu Zhou Stephen J. Wright

Abstract

Machine learning algorithms in high-dimensional settings are highly susceptible to the influence of even a small fraction of structured outliers, making robust optimization techniques essential. In particular, within the $\epsilon$ -contamination model, where an adversary can inspect and replace up to an $\epsilon$ -fraction of the samples, a fundamental open problem is determining the optimal rates for robust stochastic convex optimization (SCO) under such contamination. We develop novel algorithms that achieve minimax-optimal excess risk (up to logarithmic factors) under the $\epsilon$ -contamination model. Our approach improves over existing algorithms, which are not only suboptimal but also require stringent assumptions, including Lipschitz continuity and smoothness of individual sample functions. By contrast, our optimal algorithms do not require these restrictive assumptions, and can handle nonsmooth but Lipschitz population loss functions. We complement our algorithmic developments with a tight lower bound for robust SCO.

keywords:

Optimization Algorithm, Robust Optimization, Stochastic Convex Optimization

category:

\relatedversion

1 Introduction

Machine learning models are increasingly deployed in security-critical applications, yet they remain vulnerable to data manipulation. A particular threat is data poisoning, where adversaries deliberately insert malicious points into training data to degrade model performance (biggio2012poisoning, ). Even in non-adversarial settings, naturally occurring outliers can significantly impact learning algorithms, especially in high-dimensional settings. These challenges motivate our study of optimization algorithms for training machine learning models in the presence of outliers, both natural and adversarial.

Motivation for our work traces to Tukey’s pioneering research on robust estimation (tukey1960survey, ). Recent breakthroughs have produced efficient algorithms for high-dimensional robust estimation under the $\epsilon$ -contamination model, where an adversary can arbitrarily replace up to $\epsilon$ fraction of the samples. Notable advances include polynomial-time algorithms for robust mean estimation in high dimensions (diakonikolas2017being, ; diakonikolas2019robust, ). See diakonikolas2019recent for a comprehensive survey of recent developments in high-dimensional robust estimation.

These developments in robust estimation naturally lead to a fundamental question: Can we solve stochastic optimization problems, under the $\epsilon$ -contamination model? Stochastic optimization is a fundamental problem in machine learning, where we aim to find the parameter that minimizes the population risk using training samples. We focus specifically on robust stochastic optimization with convex objective functions whose gradients exhibit bounded covariance, a standard assumption in robust mean estimation (diakonikolas2020outlier, ). While our goal aligns with classical stochastic convex optimization in minimizing population risk, the presence of adversarial contamination introduces significant new challenges.

Prior research in robust optimization has primarily concentrated on narrow domains. A line of work focuses on robust linear regression (klivans2018efficient, ; diakonikolas2019efficient, ; cherapanamjeri2020optimal, ). While (jambulapati2021robust, ; prasad2020robust, ) have explored general problems, they focus on robust regression. To our best knowledge, SEVER (diakonikolas2019sever, ) is the only work that considers general stochastic optimization problems. However, their approach has several limitations. First, it focuses only on achieving dimension-independent error due to corruption, with a suboptimal sample complexity. Second, the results for SEVER depend on several stringent assumptions, including Lipschitzness and smoothness conditions on sample functions. These constraints restrict the applicability of SEVER. Consequently, optimal excess risk bounds for robust stochastic convex optimization, and under what conditions they can be achieved, remain unknown.

Our work addresses these limitations by developing efficient algorithms for robust stochastic convex optimization that achieve optimal excess risk bounds (up to logarithmic factors) under the $\epsilon$ -contamination model. Notably, Algorithm 1 handles even non-smooth population risks. Moreover, we prove a matching lower bound to show the minimax-optimality of our algorithms.

1.1 Problem Setup and Motivation

Notations. Throughout the paper, we use the following notation for vectors and matrices. For a vector $v\in\mathbb{R}^{d}$ , let $\|v\|$ denote the $\ell_{2}$ norm of $v$ . For a matrix $A\in\mathbb{R}^{d\times d}$ , let $\|A\|$ denote the spectral norm of $A$ . For symmetric matrices $A$ and $B$ , we write $A\preceq B$ if $B-A$ is positive semidefinite (PSD). We use $\tilde{O}$ and $\tilde{\Omega}$ to hide logarithmic factors in our bounds.

Let $\mathcal{W}\subset\mathbb{R}^{d}$ be a closed convex set. Consider a distribution $p^{\ast}$ over functions $f:\mathcal{W}\to\mathbb{R}$ . Stochastic optimization aims to find a parameter vector $w^{\ast}\in\mathcal{W}$ minimizing the population risk $\overline{f}(w):=\mathbb{E}_{f\sim p^{\ast}}[f(w)]$ . For example, function $f$ can take the form of a loss function $f_{x}(w)$ dependent on the data point $x$ , and the data distribution on $x$ induces the function distribution $p^{\ast}$ . In robust stochastic optimization, some data samples may be corrupted. We adopt the strong $\epsilon$ -contamination model, following (diakonikolas2019sever, ).

Definition 1.1 ( $\epsilon$ -contamination model).

Given $\epsilon>0$ and a distribution $p^{\ast}$ over functions $f:\mathcal{W}\to\mathbb{R}$ , data is generated as follows: first, $n$ clean samples $f_{1},\ldots,f_{n}$ are drawn from $p^{\ast}$ . An adversary is then permitted to examine the samples and replace up to $\epsilon n$ of them with arbitrary samples. The algorithm is subsequently provided with this modified set of functions, which we refer to as $\epsilon$ -corrupted samples (with respect to $p^{\ast}$ ).

The $\epsilon$ -contamination model allows the adversary to replace up to $\epsilon$ fraction of samples. This model is strictly stronger than the Huber contamination model (huber1964robust, ), in which the samples are drawn from a mixture of the clean and adversarial distributions of the form $p^{\ast}=(1-\epsilon)p+\epsilon q$ , where $p$ is the clean distribution and $q$ is the adversarial distribution.

Our objective is to develop an efficient algorithm that minimizes the population risk $\overline{f}(w)$ , even when the data is $\epsilon$ -corrupted. The following is assumed throughout the paper.

Assumption 1.2.

$\mathcal{W}\subset\mathbb{R}^{d}$ is a compact convex set with diameter bounded by $D$ , that is, $\sup_{w,w^{\prime}\in\mathcal{W}}\|w-w^{\prime}\|\leq D$ . The population risk $\overline{f}(w)$ is a convex function.

We also assume that the gradients of the functions have bounded covariance as in diakonikolas2019sever , which is a typical assumption used in robust mean estimation.

Assumption 1.3.

For all $w\in\mathcal{W}$ , the covariance matrix of the gradients, defined by $\Sigma_{w}:=\mathbb{E}_{f\sim p^{*}}[(\nabla f(w)-\nabla\overline{f}(w))(\nabla f(w)-\nabla\overline{f}(w))^{T}]$ satisfies $\Sigma_{w}\preceq\sigma^{2}I$ for some $\sigma>0$ .

We will additionally assume that the population risk $\overline{f}(w)$ satisfies certain properties, or that certain properties are satisfied almost surely for functions $f$ from distribution $p^{*}$ , as needed.

To our best knowledge, SEVER (diakonikolas2019sever, ) is the only work that studies robust stochastic optimization for general convex losses. While SEVER focuses on finding approximate critical points, our work focuses on minimizing the population risk $\overline{f}(w)$ , and we measure the performance of our algorithm in terms of the excess risk $\overline{f}(\hat{w})-\min_{w}\overline{f}(w)$ , where $\hat{w}$ is the output of the algorithm.

We remark that SEVER also derives excess risk bounds. To contrast with SEVER, we decompose the excess risk of a stochastic optimization algorithm as follows¹¹1 We omit the term due to optimization error that depends on the number of iterations of the algorithm, since it will be dominated by the other terms when we run the optimization algorithm for a sufficient number of iterations. :

\text{Excess risk}=\text{Error due to corruption}+\text{Statistical error},

where “error due to corruption” refers to the error due to the presence of corruption in the data, whereas “statistical error” denotes the error that accrues even when no corruption is present. SEVER (diakonikolas2019sever, ) focuses only on the error due to corruption The statistical error term is implicit in their requirement on the sample complexity $n$ , that is,

\text{Excess risk}=\text{Error due to corruption},\;\text{if }n\geq\,\text{[sample complexity]}.

Specifically, they design a polynomial-time algorithm that achieves the error due to corruption term $O(D\sigma\sqrt{\epsilon})$ for $n=\tilde{\Omega}\left(\frac{dL^{2}}{\epsilon\sigma^{2}}+\frac{dL^{4}}{\sigma^{4}}\right)$ , provided that $f-\overline{f}$ is $L$ -Lipschitz and $\beta$ -smooth almost surely for $f\in p^{*}$ , and that $f$ is smooth almost surely. (We fixed their wrong sample complexity result. See Appendix A for details.) This sample complexity can be huge, or even infinite, as some functions in the distribution may have a very large, possibly unbounded, Lipschitz constant. Moreover, SEVER implicitly requires that $f$ is smooth almost surely.

Consider functions of the form $f_{x}(w)=-\tfrac{1}{2}x\cdot\|w\|^{2}$ for $w$ such that $\|w\|\leq D$ , where $x\sim P$ for a probability distribution $P$ with bounded mean and variance but takes unbounded values, e.g. normal distribution. We have $\nabla f_{x}(w)=-2x\cdot w$ . Since $x$ is unbounded, the worst case Lipschitz parameter and smoothness of $f$ are both infinite. However, the population risk $\overline{f}(w)=-\tfrac{1}{2}\|w\|^{2}\cdot\mathbf{E}[x]$ is smooth and Lipschitz. This motivating example demonstrates that the assumptions in SEVER that assume properties uniformly for individual functions $f\sim p^{*}$ can be too stringent. In this paper, we aim to answer the following question:

Can we design computationally efficient algorithms that achieve the optimal excess risk for robust SCO, under much milder conditions?

We give positive answers to this question and summarize our contributions below.

1.2 Our Contributions

1. Optimal Rates for Robust SCO (Section 3): We develop algorithms that achieve the following minimax-optimal (up to logarithmic factors) excess risk:

\overline{f}(\hat{w}_{T})-\min_{w\in\mathcal{W}}\overline{f}(w)=\tilde{O}\left(D\left(\sigma\sqrt{\epsilon}+\sigma\sqrt{\frac{d\log(1/\tau)}{n}}\right)\right).

Compared with SEVER, we achieve the same error due to corruption $O(D\sigma\sqrt{\epsilon})$ provided $n=\tilde{\Omega}(d/\epsilon)$ , a significant improvement in sample complexity.²²2 We remark that in excess risk bounds, $\tilde{O}$ always hides logarithmic factors only in the statistical error term, and the robust term is always $O(D\sigma\sqrt{\epsilon})$ .
2. Much Weaker Assumptions for Robust SCO: Algorithm 1 achieves the optimal rates while only assuming the smoothness of the population risk, which is significantly weaker than the assumptions used in SEVER. By contrast, SEVER requires $f-\overline{f}$ to have bounded worst-case Lipschitz and smoothness parameter, and that individual functions $f$ is smooth almost surely. Algorithm 1 can also handle nonsmooth but Lipschitz population risks using Moreau smoothing. Additionally, the algorithm can be adapted to the case when the covariance parameter $\sigma$ is unknown.
3. A Matching Lower Bound for Robust SCO: We prove a matching lower bound (see Appendix B), demonstrating that our excess risk bound is minimax-optimal (up to logarithmic factors). Consequently, our sample complexity for achieving the error due to corruption $O(D\sigma\sqrt{\epsilon})$ is also minimax-optimal.
4. A Straightforward Algorithm for Robust SCO (Section 4): We provide a simple projected gradient descent algorithm (Algorithm 2) that achieves the same optimal excess risk, under slightly weaker assumptions compared to SEVER. Our approach builds on the “many-good-sets” assumption, which SEVER briefly introduced without providing a concrete analysis.

Our results might be surprising, as cover-based approaches (e.g., uniform convergence) typically suffers from suboptimal error. Our results, however, imply that the cover-based approach can indeed achieve the optimal excess risk for the corruption case. See Section G.2 for discussions. A high-level summary of our results is outlined in the table below.

Algorithm

Assumptions

Excess Risk

Sample Complexity

SEVER (diakonikolas2019sever, )

f-\overline{f}

has bounded worst-case Lipschitz

and smoothness param 2.

f

is smooth a.s.

suboptimal

\tilde{\Omega}\left(\frac{dL^{2}}{\epsilon\sigma^{2}}+\frac{dL^{4}}{\sigma^{4}}\right)

Algorithm 1

\overline{f}

is smooth or Lipschitz

optimal

\tilde{\Omega}\left(d/\epsilon\right)

Algorithm 2

f-\overline{f}

has bounded worst-case Lipschitz

and smoothness param 2.

\overline{f}

is smooth or Lipschitz

optimal

\tilde{\Omega}\left(d/\epsilon\right)

Table 1: Comparison of assumptions, rates, and sample complexity of SEVER and our two algorithms. All algorithms assume 1.2, and bounded covariance of the gradients, that is, the covariance matrix

\Sigma_{w}

satisfies

\Sigma_{w}\preceq\sigma^{2}I

for all

w

. Optimality is up to logarithmic factors.

2 Revisiting SEVER

In this section, we revisit SEVER (diakonikolas2019sever, ) to motivate our work. Below we fix the corruption parameter $\epsilon$ and the covariance boundedness parameter $\sigma>0$ . Given $\epsilon$ -corrupted function samples $f_{1},\ldots,f_{n}$ , we say a subset of functions is “good” with respect to $w$ if their sample mean and covariance at $w$ are close to those of the true distribution, as defined below.

Definition 2.1 (“Good” set).

We say a set $S_{\text{good}}\subseteq[n]$ with $|S_{\text{good}}|\geq(1-\epsilon)n$ is “good” with respect to (w.r.t) $w$ if the functions $\{f_{i}\}_{i\in S_{\text{good}}}$ satisfy the following,

	$\displaystyle\left\\|\frac{1}{\|S_{\text{good}}\|}\sum_{i\in S_{\text{good}}}\big{(}\nabla f_{i}(w)-\nabla\bar{f}(w)\big{)}\big{(}\nabla f_{i}(w)-\nabla\bar{f}(w)\big{)}^{T}\right\\|$	$\displaystyle\leq\sigma^{2},$		(1)
	$\displaystyle\left\\|\frac{1}{\|S_{\text{good}}\|}\sum_{i\in S_{\text{good}}}(\nabla f_{i}(w)-\nabla\bar{f}(w))\right\\|$	$\displaystyle\leq\sigma\sqrt{\epsilon}.$		(1)

A “good” set w.r.t. $w$ allows us to robustly estimate the gradient at $w$ . SEVER requires the existence of a set that is uniformly good for all $w$ , which we refer to as the “uniform-good-set” assumption.

Assumption 2.2 (“Uniform good set”, Assumption B.1 diakonikolas2019sever ).

There exists a set $S_{\text{good}}\subseteq[n]$ with $|S_{\text{good}}|\geq(1-\epsilon)n$ such that $S_{\text{good}}$ is “good” with respect to $w$ , for all $w\in\mathcal{W}$ .

SEVER operates through an iterative filtering framework built around a black-box learner. Its core algorithm consists of three main steps: (1) The black-box learner processes the current set of functions to find approximate critical points. (2) A filtering mechanism identifies and removes outlier functions. (3) The algorithm updates its working set with the remaining functions. This process repeats until convergence. Crucially, SEVER’s theoretical guarantees rely on its “uniform-good-set” assumption. Without this assumption (as opposed to “many-good-sets” assumption introduced later), the set of “good” functions can change at each iteration, potentially preventing the iterative filtering process from converging.

We argue that the “uniform-good-set” assumption can be too strong. Recall that SEVER requires a sample complexity of $n=\tilde{\Omega}\left(\frac{dL^{2}}{\epsilon\sigma^{2}}+\frac{dL^{4}}{\sigma^{4}}\right)$ . When $n=\tilde{\Omega}(d/\epsilon)$ , the “uniform-good-set” assumption can no longer be guaranteed to hold. In contrast, the “many-good-sets” assumption, which we will introduce later, is weaker and aligns with the general framework of robustly estimating gradients in each iteration.

Besides the “uniform-good-set” assumption, SEVER additionally assumes the existence of a black box approximate learner.

Definition 2.3 ( $\gamma$ -approximate learner).

A learning algorithm $\mathcal{L}$ is called $\gamma$ -approximate if, for any functions $f_{1},\ldots,f_{m}:\mathcal{W}\to\mathbb{R}$ each bounded below on a closed domain $\mathcal{H}$ , the output $w$ of $\mathcal{L}$ is a $\gamma$ -approximate critical point of $\hat{f}(x):=\frac{1}{m}\sum_{i=1}^{m}f_{i}(x)$ , that is, there exists $\delta>0$ such that for all unit vectors $v$ where $w+\delta v\in\mathcal{W}$ , we have that $v\cdot\nabla\hat{f}(w)\geq-\gamma$ .

Remark 2.4.

We remark that the existence of a $\gamma$ -approximate learner implies that the learner can find a $\gamma$ -approximate critical point of any function $f$ by choosing $f_{1}=\ldots=f_{m}=f$ . To our best knowledge, any polynomial-time algorithm that finds approximate critical points requires smoothness of the objective. Therefore, SEVER does not apply to problems where some functions in the distribution are nonsmooth. For example, consider a distribution $p^{*}$ consisted of two functions with equal probability, $h+g$ and $h-g$ , where $h$ is smooth but $g$ is nonsmooth. The population risk is smooth, but the individual functions are not.

In the appendix of diakonikolas2019sever , the authors consider the “many-good-sets” assumption, an alternative weaker assumption that allows the good set to be dependent on the point $w$ .

Assumption 2.5 (“Many good sets”, Assumption D.1 in diakonikolas2019sever ).

For each $w$ , there exists a set $S_{\text{good}}=S_{\text{good}}(w)\subseteq[n]$ with $|S_{\text{good}}|\geq(1-\epsilon)n$ such that $S_{\text{good}}$ is “good” with respect to $w$ .

We remark that the “many-good-sets” assumption allows us to do robust gradient estimation in each iteration. The SEVER paper mentions without going into detail that, under “many-good-sets” assumption, projected gradient descent can be used to find a $(O(\sigma\sqrt{\epsilon}))$ -approximate critical point. It is unclear that under what conditions “many-good-sets” assumption can be satisfied, and hence no excess risk bound or sample complexity is provided.

In this paper, we utilize a further relaxed assumption stated below, which only requires the existence of good sets at points in a dense covering of the domain.

Assumption 2.6 (“Dense good sets”).

There exists a covering $\mathcal{C}$ of the domain $\mathcal{W}$ such that for each $w\in\mathcal{C}$ , there exists a set $S_{\text{good}}=S_{\text{good}}(w)\subseteq[n]$ with $|S_{\text{good}}|\geq(1-\epsilon)n$ such that $S_{\text{good}}$ is “good” with respect to $w$ , where a $\xi$ -covering $\mathcal{C}$ of $\mathcal{W}$ is such that for any $w\in\mathcal{W}$ , there exists $w^{\prime}\in\mathcal{C}$ such that $\|w-w^{\prime}\|\leq\xi$ for some small $\xi>0$ .

Throughout our paper, we will refer to $\mathcal{C}$ as a cover of $\mathcal{W}$ for simplicity³³3Technically, the cover consists of the family of open balls $\{B(w,\xi)\}_{w\in\mathcal{C}}$ , where $B(w,\xi)$ is the open ball centered at $w$ with radius $\xi$ .. The idea of “dense good sets” is that, if we can estimate the gradient robustly at each point in the cover, then we can estimate the gradient robustly at any point in the domain $\mathcal{W}$ by the smoothness of the population risk, provided that the cover is fine enough (parameter $\xi$ will depend on $\sigma$ , as we will see in Algorithm 1). This relaxed assumption allows us to circumvent the technical difficulties of dealing with infinite many $w$ with a net argument, and thus remove the requirement of uniform Lipschitzness and smoothness of $f-\overline{f}$ for all $f$ as used in SEVER. As a consequence, we are able to achieve the same corruption error as SEVER with a significantly reduced sample complexity. The next section presents our algorithm that achieves this result.

3 Optimal Rates for Robust SCO under Weak Distributional Assumptions

We now present a cover-based algorithm that achieves the minimax-optimal excess risk under the weak assumption that the population risk $\overline{f}$ is smooth or Lipschitz.

Assumption 3.1.

Let $p^{*}$ be a distribution over functions $f:\mathcal{W}\rightarrow\mathbb{R}$ with $\overline{f}=\mathbf{E}_{f\sim p^{*}}[f]$ so that:

1.

For each $w\in\mathcal{W}$ and unit vector $v$ , $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ .
2.

$\overline{f}$ is $\bar{\beta}$ -smooth or $\bar{L}$ -Lipschitz.

Individual functions $f$ can be allowed to nonsmooth and non-Lipschitz, as long as their average, the population risk is smooth or Lipschitz. We remark that the first condition is equivalent to the assumption that the covariance matrix $\Sigma_{w}$ of the gradients $\nabla f(w)$ satisfies $\Sigma_{w}\preceq\sigma^{2}I$ . See Appendix G for a proof. Below, due to space limit, we only consider smooth population risks. The case of (non-smooth) Lipschitz population risks can be reduced to the smooth case via Moreau smoothing. See Section 3.2 for details.

We outline our algorithm below, see Algorithm 1. The algorithm is based on projected gradient descent with a robust estimator. Here, we treat the robust gradient estimator RobustEstimator as a black box, which can be any deterministic stability-based algorithm (e.g. iterative filtering, see Appendix I).

The key innovation lies in its gradient estimation strategy: rather than computing gradients at arbitrary points, it leverages a cover of the domain $\mathcal{W}$ . In each iteration, the gradient is estimated at the nearest point $w^{\prime}$ in the cover to the current iterate $w$ . The smoothness of the population risk ensures this approximation remains accurate. As mentioned at the end of Section 2, this strategy helps us avoid the technical challenges of handling infinitely many $w$ with a net argument, thereby achieving optimal rates under significantly weaker distributional assumptions compared to SEVER.

Algorithm 1 Cover-based Projected Gradient Descent with Robust Gradient Estimator

1:Input:

\epsilon

-corrupted set of functions

f_{1},\ldots,f_{n}

, stepsize parameters

\{\eta_{t}\}_{t\in[T]}

, robust gradient estimator

\texttt{RobustEstimator}(w)

(\sigma\sqrt{\epsilon}/\bar{\beta})

-cover of

\mathcal{W}

denoted

\mathcal{C}

2:Initialize

w_{0}\in\mathcal{W}

and

t=1

3:for

t\in[T]

4: Let

w_{t-1}^{\prime}:=\operatornamewithlimits{arg\,min}_{w\in\mathcal{C}}\|w-w_{t-1}\|

denote the closest point to

w_{t-1}

in the cover.

5: Robustly estimate gradient at

w_{t-1}^{\prime}

, denoted

\tilde{g}_{t}:=\texttt{RobustEstimator}(w_{t-1}^{\prime})

w_{t}\leftarrow\text{Proj}_{\mathcal{W}}(w_{t-1}-\eta_{t}\tilde{g}_{t})

7:end for

8:Output:

\hat{w}_{T}=\frac{1}{T}\sum_{t=1}^{T}w_{t}

Efficient Implementation. For implementation efficiency, we propose a grid-based cover construction. Let $\xi=\sigma\sqrt{\epsilon}/\bar{\beta}$ . We can use grid points spaced $\xi/\sqrt{d}$ apart in each dimension, i.e.,

\left\{\frac{\xi}{\sqrt{d}}\cdot z=\left(\frac{\xi}{\sqrt{d}}\cdot z_{1},\frac{\xi}{\sqrt{d}}\cdot z_{2},\ldots,\frac{\xi}{\sqrt{d}}\cdot z_{d}\right):z=(z_{1},z_{2},\ldots,z_{d})\in\mathbb{Z}^{d},\left\|\frac{\xi}{\sqrt{d}}\cdot z\right\|_{2}\leq D\right\}

to construct a $\xi$ -cover.⁴⁴4Technically, we can choose a grid spaced $2\xi/\sqrt{d}$ apart in each dimension, and add additional points to cover the boundary of the feasible set. This would reduce the size of grid points by almost a factor of $2^{d}$ . Given a point $w$ , we can find a cover point within $\xi$ distance in $O(d)$ time through: (1) Scaling: Divide $w$ by $\xi/\sqrt{d}$ . (2) Rounding: Convert to the nearest integral vector in $\mathbb{Z}^{d}$ . (3) Rescaling: Multiply by $\xi/\sqrt{d}$ .

This construction yields a cover of size $|\mathcal{C}|=O\left(D\sqrt{d}/\xi\right)^{d}$ , which is larger than the optimal covering number $O((D/\xi)^{d})$ . While this introduces an extra $\log d$ factor in the excess risk bound (due to union bound over cover points), it offers two significant practical advantages: (1) Implicit cover: No need to explicitly construct and store the cover. (2) Efficient computation: $O(d)$ time for finding the nearest cover point. An exponential-time algorithm that achieves the excess risk without the $\log d$ factor is described in Appendix H.

Algorithm 1 has the following guarantees.

Theorem 3.2.

Grant 3.1. There are choices of stepsizes $\{\eta_{t}\}_{t=1}^{T}$ and $T$ such that, with probability at least $1-\tau$ , we have

\overline{f}(\hat{w}_{T})-\min_{w\in\mathcal{W}}\overline{f}(w)=\tilde{O}\left(\sigma D\sqrt{\epsilon}+\sigma D\sqrt{\frac{d\log(1/\tau)}{n}}\,\right).

As a consequence, the algorithm achieves excess risk of $O(D\sigma\sqrt{\epsilon})$ with high probability whenever $n=\tilde{\Omega}(d/\epsilon)$ . The expected excess risk is bounded by $\tilde{O}\left(\sigma D\sqrt{\epsilon}+\sigma D\sqrt{d/n}\right)$ .

Remark 3.3.

Theorem 3.2 is minimax-optimal (up to logarithmic factors) For comparison, our sample complexity $n=\tilde{\Omega}(d/\epsilon)$ , significant improves over the sample complexity of SEVER $n=\tilde{\Omega}\left(\frac{dL^{2}}{\epsilon\sigma^{2}}+\frac{dL^{4}}{\sigma^{4}}\right)$ .

Lower Bound for Robust SCO: In Appendix B, we derive the following matching lower bound, showing the minimax-optimality of Algorithm 1.

Theorem 3.4.

There exist a closed bounded set $\mathcal{W}\subset\mathbb{R}^{d}$ with diameter at most $2D$ , and a distribution $p^{*}$ over functions $f:\mathcal{W}\rightarrow\mathbb{R}$ that satisfy the following: Let $\overline{f}=\mathbf{E}_{f\sim p^{*}}[f]$ . We have that for each $w\in\mathcal{W}$ and unit vector $v$ that $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ . There exist parameters $L,\beta>0$ such that $f$ are convex, $L$ -Lipschitz and $\beta$ -smooth almost surely. The output $\hat{w}$ of any algorithm with access to an $\epsilon$ -corrupted set of functions $f_{1},\dots,f_{n}$ sampled from $p^{*}$ satisfies the following,

\mathbb{E}\overline{f}(\hat{w})-\overline{f}^{*}=\Omega\left(D\sigma\sqrt{\epsilon}+D\sigma\sqrt{\frac{d}{n}}\right).

(2)

3.1 Analysis of Algorithm 1 for Smooth Population Risks

To prove Theorem 3.2 for smooth population risks, we will use the following robust estimation results.

Lemma 3.5 (diakonikolas2020outlier ).

Let $S$ be an $\epsilon$ -corrupted set of $n$ samples from a distribution in $\mathbb{R}^{d}$ with mean $\mu$ and covariance $\Sigma$ such that $\Sigma\preceq\sigma^{2}I$ . Let $\epsilon^{\prime}=\Theta(\log(1/\tau)/n+\epsilon)\leq c$ be given, for a constant $c>0$ . Then any stability-based algorithm on input $S$ and $\epsilon^{\prime}$ , efficiently computes $\widehat{\mu}$ such that with probability at least $1-\tau$ , we have

\|\widehat{\mu}-\mu\|=O(\sigma\cdot\delta(\tau)),\;\text{where}\;\delta(\tau)=\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{\log(1/\tau)/n}.

(3)

Recall that in each iteration, given current $w$ , we estimate the gradient at $w^{\prime}=\operatornamewithlimits{arg\,min}_{z\in\mathcal{C}}\|z-w\|$ , the nearest point in the cover to $w$ . The above lemma allows us to bound the robust estimation error.

We defer the full proof to Appendix C and sketch the high level ideas below.

1.

We use robust mean estimation results to establish an upper bound on the gradient estimator error at $w^{\prime}$ , specifically $\|\tilde{g}(w^{\prime})-\nabla\overline{f}(w^{\prime})\|$ . Subsequently, we leverage the smoothness property of the population risk to bound the error resulting from estimating the gradient at $w^{\prime}$ instead of $w$ , i.e., $\|\nabla\overline{f}(w)-\nabla\overline{f}(w^{\prime})\|$ . By combining these two bounds, we obtain a bound on the bias of our gradient estimator at $w$ , that is, $\|\tilde{g}(w^{\prime})-\nabla\overline{f}(w)\|$ .
2.

The robust gradient estimator has a failure probability $\tau$ at fixed $w$ . Since we apply the robust gradient estimator exclusively at grid points, it suffices to employ the union bound across all grid points to account for the total failure probability.
3.

We utilize the projected biased gradient descent analysis framework to establish an upper bound on the excess risk.

3.2 Handling Nonsmooth but Lipschitz Population Risks

For $\bar{L}$ -Lipschitzness but nonsmooth population risk $\overline{f}$ , we use Nesterov’s smoothing (nesterov2005smooth, ) and run Algorithm 1 on the smoothed objective. Nesetrov’s smoothing has following properties.

Lemma 3.6 ((nesterov2005smooth, )).

Given a convex and $L$ -Lipschitz loss function $f(w)$ , $\beta$ -Moreau envelope of $f$ is defined as $f_{\beta}(w)=\min_{u}\left\{f(u)+\frac{1}{2\beta}\|u-w\|_{2}^{2}\right\}$ . The following properties hold:

1.

$f_{\beta}$ is convex, $\beta$ -smooth and $2L$ -Lipschitz.
2.

For any $w$ , $f_{\beta}(w)\leq f(w)\leq f_{\beta}(w)+\frac{L^{2}}{2\beta}$ .
3.

We have $\min f(w)=\min f_{\beta}(w)$ .

Therefore, running Algorithm 1 on the smoothed objective $f_{\beta}$ (smooth function samples $f_{1},f_{2},\ldots,f_{n}$ accordingly), with $\hat{w}$ as the output, we have that

\overline{f}(w)-\min_{w\in\mathcal{W}}f(w)\leq\overline{f}_{\beta}(\hat{w})-\min_{w\in\mathcal{W}}\overline{f}_{\beta}(w)+\frac{\bar{L}^{2}}{2\beta},

and $\overline{f}_{\beta}(\hat{w})-\min_{w\in\mathcal{W}}\overline{f}_{\beta}(w)$ is bounded by the same bound as in Theorem 3.2. It suffices to choose $\beta=O\left(\frac{\bar{L}^{2}}{\sigma D}\min\left(1/\sqrt{\epsilon},\sqrt{n/(d\log(1/\tau))}\right)\right)$ to achieve the same optimal excess risk bound. Note that while the size of the cover depends on $\beta$ , the excess risk bound only depends on $\beta$ through logarithmic terms.

3.3 Handling Unknown Covariance Parameter $\sigma$

Algorithm 1 can be adapted to handle the case where the covariance parameter $\sigma$ is unknown. In particular, we can first use robust estimation at any point to obtain a lower bound on $\sigma$ , and then run the algorithm with this lower bound. This gives the same optimal excess risk up to logarithmic factors, with high probability. Details can be found in Appendix J.

4 Projected Gradient Descent with Robust Gradient Estimator

Algorithm 1 uses a cover-based strategy to estimate gradients robustly. A more straightforward approach is to estimate gradients at arbitrary points using a robust gradient estimator. We will show that the simple projected gradient descent algorithm can achieve the same optimal rate as Algorithm 1 under stronger assumptions. Even so, our new assumptions are still slightly weaker than those used in SEVER diakonikolas2019sever . Concretely, following assumptions on the distribution over functions are assumed.

Assumption 4.1.

Let $p^{*}$ be a distribution over functions $f:\mathcal{W}\rightarrow\mathbb{R}$ with $\overline{f}=\mathbf{E}_{f\sim p^{*}}[f]$ so that:

1.

For each $w\in\mathcal{W}$ and unit vector $v$ , $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ .
2.

$f-\overline{f}$ is $L$ -Lipschitz and $\beta$ -smooth almost surely, where⁵⁵5 Without loss of generality, see Appendix G. $L\geq\sigma$ .
3.

$\overline{f}$ is $\bar{\beta}$ -smooth or $\bar{L}$ -Lipschitz. Note that we put an overline to reflect properties of $\overline{f}$ .

Remark 4.2.

Compared to the assumptions used in SEVER, our algorithm additionally covers the case where each individual function is Lipschitz and possibly nonsmooth.

Algorithm 2 follows the “many-good-sets” assumption. We are able to robustly estimate the gradient of the population risk $\overline{f}$ at any point $w$ with high probability, at the cost of requiring additional almost-sure assumptions on $f-\overline{f}$ compared to Algorithm 1.

Algorithm 2 Projected Gradient Descent with Robust Gradient Estimator

1:Input:

\epsilon

-corrupted set of functions

f_{1},\ldots,f_{n}

, stepsize parameters

\{\eta_{t}\}_{t\in[T]}

, robust gradient estimator

\texttt{RobustEstimator}(w)

2:Initialize

w_{0}\in\mathcal{W}

and

t=1

3:for

t\in[T]

4: Apply robust gradient estimator to get

\tilde{g}_{t}=\texttt{RobustEstimator}(w_{t-1})

w_{t}\leftarrow\text{Proj}_{\mathcal{W}}(w_{t-1}-\eta_{t}\tilde{g}_{t})

6:end for

7:Output:

\hat{w}_{T}=\frac{1}{T}\sum_{t=1}^{T}w_{t}

Algorithm 2 achieves the same optimal excess risk bounds as in Theorem 3.2.

Theorem 4.3.

Grant 4.1. There are choices of stepsizes $\{\eta_{t}\}_{t=1}^{T}$ and $T$ such that, with probability at least $1-\tau$ , we have

\overline{f}(\hat{w}_{T})-\min_{w\in\mathcal{W}}\overline{f}(w)=\tilde{O}\left(\sigma D\sqrt{\epsilon}+\sigma D\sqrt{\frac{d\log(1/\tau)}{n}}\,\right).

The proof of our results is similar to the one used in li2024robust . The high level idea is as follows. For simplicity, we say $w$ is “good” if there exists a good set of functions at $w$ . We need to show that with high probability, there exists a good set for all $w$ , so that we can robustly estimate the gradient at all $w$ . To do this, we use a net argument. We will show that if $w$ is “good”, then all points in a small neighborhood of $w$ are also “good”. After choosing a proper cover of $\mathcal{W}$ , it suffices to apply the union bound to show that with high probability, all points in the cover are “good”. The full proof can be found in Appendix D.

5 Conclusion and Future Work

In this work, we have advanced robust stochastic convex optimization under the $\epsilon$ -contamination model. While previous the state of the art SEVER (diakonikolas2019sever, ) focused on finding approximate critical points under stringent assumptions, we have developed algorithms that directly tackle population risk minimization, obtaining the optimal excess risk under more practical assumptions. Our first algorithm (Algorithm 1) achieves the minimax-optimal excess risk by leveraging our relaxed “dense-good-sets” assumption and estimating gradients only at points in a cover of the domain, removing the stringent requirements used in SEVER. Our second algorithm (Algorithm 2) provides a simple projected gradient descent approach that achieves the same optimal excess risk, concretely addressing the “many-good-sets” assumption briefly noted in their paper. Both of our algorithms significantly reduce the sample complexity compared to the state-of-the-art SEVER algorithm.

For future work, it would be interesting to explore following directions: (1) For our grid-based implementation of Algorithm 1, there is a $\log d$ factor in the excess risk bound. Under the same assumptions, can we design a polynomial-time algorithm that achieves the same optimal rate without the $\log d$ factor? (2) Robustness has been shown to be closely related to differential privacy (hopkins2023robustness, ). Can we design optimization algorithms that are both robust and differentially private?

References

(1) Battista Biggio, Blaine Nelson, and Pavel Laskov. Poisoning attacks against support vector machines. arXiv preprint arXiv:1206.6389, 2012.
(2) Yeshwanth Cherapanamjeri, Efe Aras, Nilesh Tripuraneni, Michael I Jordan, Nicolas Flammarion, and Peter L Bartlett. Optimal robust linear regression in nearly linear time. arXiv preprint arXiv:2007.08137, 2020.
(3) Ilias Diakonikolas, Gautam Kamath, Daniel Kane, Jerry Li, Ankur Moitra, and Alistair Stewart. Robust estimators in high-dimensions without the computational intractability. SIAM Journal on Computing, 48(2):742–864, 2019.
(4) Ilias Diakonikolas, Gautam Kamath, Daniel Kane, Jerry Li, Jacob Steinhardt, and Alistair Stewart. SEVER: A robust meta-algorithm for stochastic optimization. In International Conference on Machine Learning, pages 1596–1606. PMLR, 2019.
(5) Ilias Diakonikolas, Gautam Kamath, Daniel M Kane, Jerry Li, Ankur Moitra, and Alistair Stewart. Being robust (in high dimensions) can be practical. In International Conference on Machine Learning, pages 999–1008. PMLR, 2017.
(6) Ilias Diakonikolas and Daniel M Kane. Recent advances in algorithmic high-dimensional robust statistics. arXiv preprint arXiv:1911.05911, 2019.
(7) Ilias Diakonikolas and Daniel M Kane. Algorithmic high-dimensional robust statistics. Cambridge university press, 2023.
(8) Ilias Diakonikolas, Daniel M Kane, and Ankit Pensia. Outlier robust mean estimation with subgaussian rates via stability. Advances in Neural Information Processing Systems, 33:1830–1840, 2020.
(9) Ilias Diakonikolas, Weihao Kong, and Alistair Stewart. Efficient algorithms and lower bounds for robust linear regression. In Proceedings of the Thirtieth Annual ACM-SIAM Symposium on Discrete Algorithms, pages 2745–2754. SIAM, 2019.
(10) Vitaly Feldman. Generalization of erm in stochastic convex optimization: The dimension strikes back. Advances in Neural Information Processing Systems, 29, 2016.
(11) Samuel B Hopkins, Gautam Kamath, Mahbod Majid, and Shyam Narayanan. Robustness implies privacy in statistical estimation. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, pages 497–506, 2023.
(12) Peter J Huber. Robust estimation of a location parameter. In Breakthroughs in statistics: Methodology and distribution, pages 492–518. Springer, 1992.
(13) Arun Jambulapati, Jerry Li, Tselil Schramm, and Kevin Tian. Robust regression revisited: Acceleration and improved estimation rates. Advances in Neural Information Processing Systems, 34:4475–4488, 2021.
(14) Adam Klivans, Pravesh K Kothari, and Raghu Meka. Efficient algorithms for outlier-robust regression. In Conference On Learning Theory, pages 1420–1430. PMLR, 2018.
(15) Shuyao Li, Yu Cheng, Ilias Diakonikolas, Jelena Diakonikolas, Rong Ge, and Stephen Wright. Robust second-order nonconvex optimization and its application to low rank matrix sensing. Advances in Neural Information Processing Systems, 36, 2024.
(16) Andrew Lowy and Meisam Razaviyayn. Private stochastic optimization with large worst-case lipschitz parameter: Optimal rates for (non-smooth) convex losses and extension to non-convex losses. In International Conference on Algorithmic Learning Theory, pages 986–1054. PMLR, 2023.
(17) Yu Nesterov. Smooth minimization of non-smooth functions. Mathematical programming, 103:127–152, 2005.
(18) Adarsh Prasad, Arun Sai Suggala, Sivaraman Balakrishnan, and Pradeep Ravikumar. Robust estimation via robust gradient estimation. Journal of the Royal Statistical Society Series B: Statistical Methodology, 82(3):601–627, 2020.
(19) John Wilder Tukey. A survey of sampling from contaminated distributions. Contributions to probability and statistics, pages 448–485, 1960.

Appendix A Fixing SEVER’s Sample Complexity Result

In this section, we fix SEVER’s sample complexity result in their Proposition B.5. Their proof is incorrect due to the error in the application of Hoeffding’s inequality, resulting in a wrong sample complexity bound ( $n=\tilde{\Omega}(dL^{2}/(\epsilon\sigma^{2}))$ ).

We will provide a correct, more rigorous proof for their result. The correct bound is worse than the one claimed in their paper, as we show below.

Lemma A.1 (Fixed from Proposition B.5 in diakonikolas2019sever ).

Let $p^{*}$ be a distribution over functions $f:\mathcal{W}\rightarrow\mathbb{R}$ with $\overline{f}=\mathbf{E}_{f\sim p^{*}}[f]$ so that $f-\overline{f}$ is $L$ -Lipschitz and $\beta$ -smooth almost surely. Assume further that for each $w\in\mathcal{W}$ and unit vector $v$ that $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ . If $n=\tilde{\Omega}\left(\frac{dL^{2}}{\epsilon\sigma^{2}}+\frac{dL^{4}}{\sigma^{4}}\right),$ then with high probability, any an $\epsilon$ -corrupted set of functions $f_{1},\dots,f_{n}$ (with respect to $p^{\ast}$ ) satisfy 2.2.

Proof A.2.

For any set of functions $A=\{f_{i}\}_{i\in A}$ and functional $g$ , we denote $\mathbb{E}_{i\in A}[g(f_{i})]$ as the empirical average of $g(f_{i})$ over $A$ , i.e., $\frac{1}{|A|}\sum_{i\in A}g(f_{i})$ . Let $T$ denote the original uncontaminated samples, and let $S$ denote the $\epsilon$ -contaminated samples of $T$ . Let $S_{\text{good}}\subset S$ be the set of uncorrupted functions $f_{i}$ . It is then the case that $S_{\text{good}}\subset T$ and that $|S_{\text{good}}|\geq(1-\epsilon)n$ .

Let $|\mathcal{C}|$ be the size of the cover $\mathcal{C}$ , where $\mathcal{C}$ is a cover of $\mathcal{W}$ and will be determined later. We have $\log|\mathcal{C}|=\tilde{O}(d)$ . By the bounded covariance assumption,

\mathbb{E}_{p^{\ast}}[(v\cdot(\nabla f(w)-\overline{f}(w)))^{2}]\leq\sigma^{2}.

Observe that the term inside the expectation is bounded by $L^{2}$ . By Hoeffding’s Inequality, with probability at least $1-\exp(-2n(L^{4}\log(2|\mathcal{C}|/n)\tau)/L^{4})$ , that is, $1-\tau/(2|\mathcal{C}|)$ , we have

\mathbb{E}_{i\in T}[(v\cdot(\nabla f(w)-\overline{f}(w)))^{2}]\leq\sigma^{2}+L^{2}\sqrt{\frac{1}{n}\log(|\mathcal{C}|/\tau)}=O(\sigma^{2}).

(4)

Now, since $S_{\text{good}}\subset T$ and they differ by at most $\epsilon n$ samples, we know that we have

\mathbb{E}_{i\in S_{\text{good}}}[(v\cdot(\nabla f_{i}(w)-\overline{f}(w)))^{2}]\leq O(\sigma^{2}).

(5)

For the other part, we start by observing that,

\mathbb{E}_{p^{\ast}}[(v\cdot(\nabla f(w)-\overline{f}(w)))]=0.

By Chernoff (Hoeffding) bound, with probability at least $1-\tau/(2|\mathcal{C}|)$ , we have that

\mathbb{E}_{i\in T}[(v\cdot(\nabla f_{i}(w)-\overline{f}(w)))]\leq O(L\sqrt{\frac{1}{n}\log(|\mathcal{C}|/\tau)})=O(\sigma\sqrt{\epsilon}).

(6)

For any subset $S_{1}\subset T$ with $\sqrt{|S_{1}|}\leq\epsilon n$ , by Cauchy-Schwarz inequality, we have

	$\displaystyle\frac{1}{n}\sum_{i\in S_{1}}v\cdot(\nabla f_{i}(w)-\overline{f})$	$\displaystyle\leq\frac{1}{n}\|S_{1}\|\left(\sum_{i\in T}(v\cdot(\nabla f_{i}(w)-\overline{f}))^{2}\right)^{1/2}$		(7)
		$\displaystyle\leq\frac{1}{n}\sqrt{\epsilon n}\sqrt{O(\sigma^{2}n)}=O(\sigma\sqrt{\epsilon}),$		(7)

where we used (4). Therefore, removing $\epsilon$ -fraction of these samples cannot change this value by more than $\sigma\sqrt{\epsilon}$ . Since $S_{\text{good}}\subset T$ and they differ by at most $\epsilon n$ samples, we know that the above bound holds for $S_{\text{good}}$ as well, that is

\mathbb{E}_{i\in S_{\text{good}}}[(v\cdot(\nabla f_{i}(w)-\overline{f}(w)))]\leq O(\sigma\sqrt{\epsilon}).

(8)

We now proceed with a net argument and show (5) and (8) hold for all $w$ with high probability. Suppose they hold for some $w$ , then by $L$ -Lipschitzness and $\beta$ -smoothness of $f(w)-\overline{f}(w)$ , we have that (8) holds for all $w^{\prime}$ within distance $\sigma\sqrt{\epsilon}/\beta$ from $w$ , and (5) holds for all $w^{\prime}$ within distance $\sigma^{2}/(2L\beta)$ from $w$ , where the first statement follows directly from the Lipschitzness and the second statement is due to the following calculation:

		$\displaystyle\left\|\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)\right\}^{2}-\left\{v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}^{2}\right\|$
		$\displaystyle\phantom{\qquad}=\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)+v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}\cdot\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)-v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}$
		$\displaystyle\phantom{\qquad}\leq 2L\cdot\beta\\|w-w^{\prime}\|,$

for any unit vector $v$ . Tt suffices to choose a cover $\mathcal{C}$ such that for any $w$ , there exists a point in the cover within distance $\min(\sigma\sqrt{\epsilon}/\beta,\sigma^{2}/(2L\beta))$ from $w$ .

Applying a union bound over cover $\mathcal{C}$ , we have that (5) and (8) hold for all $w$ with probability at least $1-\tau$ .

Appendix B Lower Bound for Robust Stochastic Optimization

In this section, we demonstrate a matching lower bound for robust stochastic optimization under $\epsilon$ -strong contamination with bounded covariance, showing that our algorithm achieves the minimax-optimal excess risk rate (up to logarithmic factors). Formally we will show the following,

Theorem B.1.

There exist a closed bounded set $\mathcal{W}\subset\mathbb{R}^{d}$ with diameter at most $2D$ , and a distribution $p^{*}$ over functions $f:\mathcal{W}\rightarrow\mathbb{R}$ that satisfy the following: Let $\overline{f}=\mathbf{E}_{f\sim p^{*}}[f]$ . We have that for each $w\in\mathcal{W}$ and unit vector $v$ that $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ . Both $f$ and $\overline{f}$ are convex, Lipschitz and smooth. The output $\hat{w}$ of any algorithm with access to an $\epsilon$ -corrupted set of functions $f_{1},\dots,f_{n}$ sampled from $p^{*}$ satisfies the following,

\mathbb{E}\overline{f}(\hat{w})-\overline{f}^{*}=\Omega\left(D\sigma\sqrt{\epsilon}+D\sigma\sqrt{\frac{d}{n}}\right).

(9)

Remark B.2.

Our construction of hard instances meets the superset of the assumptions of our algorithms and SEVER, i.e., Lipschitzness and smoothness of the individual functions (consequently the same holds for the population risk), and bounded covariance of the gradients. The lower bound consists of two terms. The first term is due to corruption and the second term is necessary even without corruption. We will prove these two terms separately.

B.1 Lower Bound: Term due to Corruption

We will leverage the following proposition that characterizes the information-theoretic limit of robust estimation.

Proposition B.3 (diakonikolas2023algorithmic ).

Let $X$ and $Y$ be distributions with $d_{\text{TV}}(X,Y)\leq 2\epsilon$ for some $0<\epsilon<1$ . A distribution $\mathcal{D}$ is taken to be either $X$ or $Y$ . Then an algorithm, given any number of samples from $\mathcal{D}$ under $\epsilon$ -contamination, cannot reliably distinguish between the cases $\mathcal{D}=X$ and $\mathcal{D}=Y$ .

Consider a random variable $X_{1}$ that takes value 0 with probability $1-\epsilon$ and takes value $\pm\sigma/\sqrt{\epsilon}$ with probability $\epsilon/2$ each. That is,

X_{1}=\begin{cases}0&\text{with probability }1-\epsilon\\ \sigma/\sqrt{\epsilon}&\text{with probability }\epsilon/2\\ -\sigma/\sqrt{\epsilon}&\text{with probability }\epsilon/2\end{cases}.

(10)

The variance of $X_{1}$ is $\sigma^{2}$ . Now, consider $X_{1}^{\prime}$ that takes value 0 with probability $1-\epsilon$ and takes value $\sigma/\sqrt{\epsilon}$ with probability $\epsilon$ . The mean of $X_{1}^{\prime}$ is $\sigma\sqrt{\epsilon}$ , and the variance of $X_{1}^{\prime}$ is

$\displaystyle\text{Var}(X_{1}^{\prime})$	$\displaystyle=\mathbb{E}[X_{1}^{\prime 2}]-\left(\mathbb{E}[X_{1}^{\prime}]\right)^{2}$	(11)
	$\displaystyle=\epsilon\cdot\frac{\sigma^{2}}{\epsilon}+0-(\sigma\sqrt{\epsilon})^{2}$
	$\displaystyle=\sigma^{2}-\sigma^{2}\epsilon<\sigma^{2}.$

Let $\mathcal{D}_{1}$ and $\mathcal{D}_{1}^{\prime}$ denote the probability distributions of $X_{1}$ and $X_{1}^{\prime}$ respectively.

Consider the following robust optimization instance. Let $\{w\mid|w|\leq D\}$ denote the feasible set. Define the loss function as $f_{x}(w)=-w\cdot x$ . We know that $\nabla f_{x}(w)=-x$ , so that both $f$ and $\overline{f}$ are Lipschitz and smooth. Let $\overline{f}(w,\mathcal{D})=\mathbb{E}_{X\sim\mathcal{D}}[f_{X}(w)]$ denote the population risk for a given distribution $\mathcal{D}$ .

Expanding the expectation, we have that

	$\displaystyle-\overline{f}(w,\mathcal{D}_{1})$	$\displaystyle=(1-\epsilon)w\cdot 0+\frac{\epsilon}{2}w\cdot\frac{\sigma}{\sqrt{\epsilon}}+\frac{\epsilon}{2}w\cdot-\frac{\sigma}{\sqrt{\epsilon}}=0,$		(12)
	$\displaystyle-\overline{f}(w,\mathcal{D}_{1}^{\prime})$	$\displaystyle=(1-\epsilon)w\cdot 0+\epsilon w\cdot\frac{\sigma}{\sqrt{\epsilon}}=w\cdot\sigma\sqrt{\epsilon}.$		(12)

So we have

\min_{w}\overline{f}(w,\mathcal{D}_{1})=0\quad\text{and}\quad\min_{w}\overline{f}(w,\mathcal{D}_{1}^{\prime})=-D\sigma\sqrt{\epsilon}.

(13)

Therefore,

\min_{w}\overline{f}(w,\mathcal{D}_{1})-\min_{w}\overline{f}(w,\mathcal{D}_{1}^{\prime})=D\cdot\sigma\sqrt{\epsilon}.

(14)

The total variation distance between $\mathcal{D}_{1}$ and $\mathcal{D}_{1}^{\prime}$ is $\epsilon$ . Therefore, by Proposition B.3, given $\epsilon$ -corrupted samples, no algorithm can reliably distinguish when these samples are generated from $\mathcal{D}_{1}$ or $\mathcal{D}_{1}^{\prime}$ . If an algorithm could optimize the population risk within $D\cdot\sigma\sqrt{\epsilon}$ , then it could use the output to distinguish between $\mathcal{D}_{1}$ and $\mathcal{D}_{1}^{\prime}$ , which is a contradiction.

B.2 Lower Bound: Term due to Stochastic Optimization

lowy2023private proves the lower bound for stochastic optimization for heavy-tailed distribution. (Note that their result is for private optimization; we only use the nonprivate part of the lower bound.) We state the hard instance and the result below.

Lemma B.4 (lowy2023private [Theorem 36, part 3 for $k=2$ and $\gamma=\sigma^{2}$ ]).

There exists a product distribution (the distribution of product of independent random variables) $Q_{\nu}$ that is supported on $\{\pm\sigma\}^{d}$ . Let the feasible set be $\mathcal{W}=B_{2}^{d}(0,D)$ . Define the loss $f_{x}(w)=-\langle w,x\rangle$ , $\overline{f}(w):=\mathbb{E}_{x\sim Q_{\nu}}f_{x}(w)$ . We have that $\sup_{w\in\mathcal{W}}\mathbb{E}_{x\sim Q_{\nu}}|\langle\nabla f_{x}(w)-\overline{f}(w),e_{j}\rangle|^{2}\leq\sigma^{2}$ , for all $j\in[d]$ , where $e_{j}$ denotes the $j$ -th standard basis vector in $\mathbb{R}^{d}$ .

Let $X\sim Q_{\nu}^{n}$ . Any algorithm $\mathcal{A}$ has the following excess risk lower bound:

\mathbb{E}\overline{f}(\mathcal{A}(X))-\overline{f}^{*}=\Omega\left(D\sigma\sqrt{\frac{d}{n}}\right).

(15)

We now verify that this hard instance satisfies the assumptions used in our algorithms. We know that $\nabla_{w}f_{x}(w)=-x$ , so that both $f$ and $\overline{f}$ are Lipschitz and smooth. It remains to show that this hard instance satisfies the bounded covariance assumption. For any unit vector $u\in\mathbb{R}^{d}$ , write $u=\sum_{j=1}^{d}u_{j}e_{j}$ . Then

$\displaystyle\mathbb{E}[(\langle u,\nabla f(w)-\nabla\overline{f}(w)\rangle)^{2}]$	$\displaystyle=\mathbb{E}\left(\sum_{j=1}^{d}u_{j}\langle e_{j},\nabla f(w)-\nabla\overline{f}(w)\rangle\right)^{2}$	(16)
	$\displaystyle\stackrel{{\scriptstyle(*)}}{{=}}\mathbb{E}\left[\sum_{j=1}^{d}u_{j}^{2}(\langle e_{j},\nabla f(w)-\nabla\overline{f}(w)\rangle)^{2}\right]$
	$\displaystyle=\sum_{j=1}^{d}u_{j}^{2}\mathbb{E}[(\langle e_{j},\nabla f(w)-\nabla\overline{f}(w)\rangle)^{2}]$
	$\displaystyle\leq\sum_{j=1}^{d}u_{j}^{2}\sigma^{2}=\sigma^{2},$

where in $(*)$ we use the fact that $Q_{\nu}$ is a product distribution and thus cross terms vanish in the expectation. Therefore, the lower bound in (15) is also a lower bound for our problem. Combining this with the lower bound term due to corruption, we have the lower bound in (2).

Appendix C Analysis of Algorithm 1 for Smooth Population Risks

First, recall the robust estimation result. See 3.5

Proof C.1.

1. Bound the bias of the gradient estimator at $w$ . By Lemma 3.5, for given $w$ , we have that with probability at least $1-\tau^{\prime}$ , the robust gradient estimator at $w^{\prime}=\operatornamewithlimits{arg\,min}_{z\in\mathcal{C}}\|z-w\|$ satisfies

\|\tilde{g}(w^{\prime})-\nabla\overline{f}(w^{\prime})\|=\sigma\cdot\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{\log(1/\tau^{\prime})/n}\right).

(17)

We have $\|w-w^{\prime}\|\leq\sigma\sqrt{\epsilon}/\bar{\beta}$ by definition of the cover. By $\bar{\beta}$ -smoothness of the population risk $\overline{f}$ , we have

\|\nabla\overline{f}(w)-\nabla\overline{f}(w^{\prime})\|\leq\bar{\beta}\|w-w^{\prime}\|\leq\sigma\sqrt{\epsilon}.

(18)

Combining the two bounds, we have

\|\tilde{g}(w^{\prime})-\nabla\overline{f}(w)\|=\sigma\cdot\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{\log(1/\tau^{\prime})/n}\right).

2. Apply the union bound over all grid points. By union bound, setting $\tau^{\prime}=\tau/|\mathcal{C}|$ , we have that with probability at least $1-\tau$ , (17) holds for all $w^{\prime}\in\mathcal{C}$ . Recall $|\mathcal{C}|=O\left(D\sqrt{d}/\xi\right)^{d}$ . We have $\log|\mathcal{C}|=\tilde{O}(d)$ . It follows that, with probability at least $1-\tau$ , simultaneously for all $w\in\mathcal{W}$ , let $w^{\prime}=\operatornamewithlimits{arg\,min}_{z\in\mathcal{C}}\|z-w\|$ , we have

\|\tilde{g}(w^{\prime})-\nabla\overline{f}(w)\|=\sigma\cdot\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{d\log(1/\tau)/n}\right).

(19)

Therefore, with probability at least $1-\tau$ , the bias of the gradient estimator at $w$ is bounded by the above expression, simultaneously for all $w\in\mathcal{W}$ .

3. Apply the projected biased gradient descent analysis. By Lemma E.2, choosing a constant step size $\eta=1/\bar{\beta}$ , the excess risk of the algorithm is bounded by

\overline{f}(\hat{w}_{T})-\min_{w\in\mathcal{W}}\overline{f}(w)=\tilde{O}\left(\frac{\bar{\beta}D^{2}}{T}+D\cdot\left(\sigma\sqrt{\epsilon}+\sigma\sqrt{\frac{d\log(1/\tau)}{n}}\right)\right).

(20)

Choosing $T=\tilde{\Omega}\left(\frac{\bar{\beta}D}{\sigma\sqrt{\epsilon}+\sigma\sqrt{\frac{d\log(1/\tau)}{n}}}\right)$ gives the optimal rate. To convert the high probability bound to an in-expectation bound, we apply Lemma F.1.

Appendix D Analysis of Algorithm 2

Before proving Theorem 4.3, we need some results from robust estimation literature.

D.1 Results from Robust Mean Estimation

Recall Definition 2.1. The “good” set property is a special case of stability, defined as follows.

Definition D.1 (Stability diakonikolas2019robust ).

Fix $0<\epsilon<1/2$ and $\delta\geq\epsilon$ . A finite set $S\subset\mathbb{R}^{d}$ is $(\epsilon,\delta)$ -stable with respect to mean $\mu\in\mathbb{R}^{d}$ and $\sigma^{2}$ if for every $S^{\prime}\subseteq S$ with $|S^{\prime}|\geq(1-\epsilon)|S|$ , the following conditions hold: (i) $\|\mu_{S^{\prime}}-\mu\|\leq\sigma\delta$ , and (ii) $\|\overline{\Sigma}_{S^{\prime}}-\sigma^{2}I\|\leq\sigma^{2}\delta^{2}/\epsilon$ .

With the stability condition, we can robustly estimate the mean of a distribution with bounded covariance.

Lemma D.2 (Robust Mean Estimation Under Stability diakonikolas2019robust ).

Let $T\subset\mathbb{R}^{d}$ be an $\epsilon$ -corrupted version of a set $S$ with the following properties: $S$ contains a subset $S^{\prime}\subseteq S$ such that $\left|S^{\prime}\right|\geq(1-\epsilon)|S|$ and $S^{\prime}$ is $(C\epsilon,\delta)$ stable with respect to $\mu\in\mathbb{R}^{d}$ and $\sigma^{2}$ , for a sufficiently large constant $C>0$ . Then there is a polynomial-time algorithm, that on input $\epsilon,T$ , computes $\widehat{\mu}$ such that $\|\widehat{\mu}-\mu\|=O(\sigma\delta)$ .

Remark D.3.

In Algorithm 2, we use the robust gradient estimator $\texttt{RobustEstimator}(w)$ as a black box, and assume that it satisfies the property in this lemma. See Appendix I for a specific instantiation of the robust gradient estimator.

The following results due to diakonikolas2020outlier achieve subgaussian rates for robust mean estimation for bounded covariance distributions.

Lemma D.4 (diakonikolas2020outlier ).

Fix any $0<\tau^{\prime}<1$ . Let $S$ be a multiset of $n$ i.i.d. samples from a distribution on $\mathbb{R}^{d}$ with mean $\mu$ and covariance $\Sigma$ such that $\Sigma\preceq\sigma^{2}I$ . Let $\epsilon^{\prime}=\Theta(\log(1/\tau^{\prime})/n+\epsilon)\leq c$ , for a sufficiently small constant $c>0$ . Then, with probability at least $1-\tau^{\prime}$ , there exists a subset $S^{\prime}\subseteq S$ such that $|S^{\prime}|\geq(1-\epsilon^{\prime})n$ and $S^{\prime}$ is $(2\epsilon^{\prime},\delta^{\prime})$ -stable with respect to $\mu$ and $\sigma^{2}$ , where $\delta^{\prime}=\delta(\tau^{\prime})$ depends on $\tau^{\prime}$ as $\delta(\tau^{\prime})=O(\sqrt{(d\log d)/n}+\sqrt{\epsilon}+\sqrt{\log(1/\tau^{\prime})/n})$ .

D.2 Proof of Theorem 4.3

As long as the stability condition holds, we can use deterministic stability-based algorithms (e.g. deterministic filtering) to robustly estimate the mean. Using union bound over the covering, it suffices to argue that at a given point $w$ , given the existence of a stable subset of the form $\{\nabla f_{i}(w)\}_{i\in\mathcal{I}}$ , where $\mathcal{I}$ denotes the index set of the stable subset at $w$ , such subset is also stable within a small neighborhood of $w$ , that is, $\{\nabla f_{i}(w^{\prime})\}_{i\in\mathcal{I}}$ is stable for all $w^{\prime}$ in a small neighborhood of $w$ . We have the following stability result, which corresponds to “many-good-sets” 2.5.

Lemma D.5.

Under 4.1, let $f_{1},\ldots,f_{n}$ denote an $\epsilon$ -corrupted set of functions sampled from $p^{*}$ . Let $\epsilon^{\prime}=\Theta(\log(1/\tau)/n+\epsilon)\leq c$ be given, for a constant $c>0$ . With probability at least $1-\tau$ , for all $w\in\mathcal{W}$ , there exists index set $\mathcal{I}\subseteq[n]$ (here $\mathcal{I}$ depends on the choice of $w$ ) such that $|\mathcal{I}|\geq(1-\epsilon^{\prime})n$ and $\{\nabla f_{i}(w)\}_{i\in\mathcal{I}}$ is $(2\epsilon^{\prime},\delta(\tau^{\prime}))$ -stable with respect to $\nabla\overline{f}(w)$ and $\sigma^{2}$ , where $\tau^{\prime}=\tau/\exp(\tilde{O}(d))$ and $\delta(\tau^{\prime})=\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d\log(1/\tau)/n}\right)$ .

Proof D.6.

We use a net argument to show that the stability condition holds for all $w$ , following similar proof techniques used in li2024robust . For fixed $w$ , by Lemma D.4, with probability at least $1-\tau^{\prime}$ , there exists a subset $\mathcal{I}\subseteq[n]$ such that $|\mathcal{I}|\geq(1-\epsilon^{\prime})n$ and $\{\nabla f_{i}(w)\}_{i\in\mathcal{I}}$ is $(2\epsilon^{\prime},\delta^{\prime})$ -stable where $\delta^{\prime}=\delta(\tau^{\prime})$ , with respect to $\nabla\overline{f}(w)$ and $\sigma^{2}$ , that is

	$\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}\nabla f_{i}(w)-\nabla\overline{f}(w)\right\\|\leq O(\sigma\delta^{\prime}),$		(21a)
	$\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}(\nabla f_{i}(w)-\nabla\overline{f}(w))(\nabla f_{i}(w)-\nabla\overline{f}(w))^{\top}-\sigma^{2}I\right\\|\leq O(\sigma^{2}\delta^{\prime 2}/\epsilon^{\prime}).$		(21b)

By $\beta$ -smoothness of $f_{i}-\overline{f}$ , we have

	$\displaystyle\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}\nabla f_{i}(w^{\prime})-\nabla\overline{f}(w^{\prime})\right\\|$	$\displaystyle\leq\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}\left(\nabla f_{i}(w^{\prime})-\nabla f_{i}(w)\right)\right\\|+\left\\|\nabla f_{i}(w)-\nabla\overline{f}(w)\right\\|$		(22)
		$\displaystyle\leq\beta\\|w^{\prime}-w\\|+O(\sigma\delta^{\prime}).$		(22)

Therefore, (21a) holds for all $w^{\prime}$ such that $\|w-w^{\prime}\|\leq\sigma\delta^{\prime}/\beta$ . We note that Equation 21b is equivalent to the following condition: for any unit vector $v$ , we have that

\left|\frac{1}{|\mathcal{I}|}\sum_{i\in\mathcal{I}}(v\cdot(\nabla f_{i}(w)-\nabla\overline{f}(w)))^{2}-\sigma^{2}\right|\leq O(\sigma^{2}\delta^{\prime 2}/\epsilon^{\prime}).

By $L$ -Lipschitzness and $\beta$ -smoothness of $f_{i}-\overline{f}$ , for any unit vector $v$ , we have the following

		$\displaystyle\left\|\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)\right\}^{2}-\left\{v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}^{2}\right\|$		(23)
		$\displaystyle\phantom{\qquad}=\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)+v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}\cdot\left\{v\cdot\left(\nabla f_{i}(w)-\overline{f}(w)\right)-v\cdot\left(\nabla f_{i}(w^{\prime})-\overline{f}(w^{\prime})\right)\right\}$
		$\displaystyle\phantom{\qquad}\leq 2L\cdot\beta\\|w-w^{\prime}\|,$

It follows that (21b) holds for $w^{\prime}$ such that $\|w-w^{\prime}\|\leq\sigma^{2}\delta^{\prime 2}/(\epsilon^{\prime}L\beta)$ .

Let $\xi=\min\left(\sigma\delta^{\prime}/\beta,\sigma^{2}\delta^{\prime 2}/(\epsilon^{\prime}L\beta)\right)$ . Then, for all $w^{\prime}$ such that $\|w-w^{\prime}\|\leq\xi$ , $\{\nabla f_{i}(w^{\prime})\}_{i\in\mathcal{I}}$ is $(2\epsilon^{\prime},\delta^{\prime})$ -stable with respect to $\nabla\overline{f}(w^{\prime})$ and $\sigma^{2}$ . It suffices to choose a $\xi$ -cover $\mathcal{C}$ of $\mathcal{W}$ , where the optimal size of the cover is $|\mathcal{C}|=O((D/\xi)^{d})$ , and choose $\tau^{\prime}=\tau/|\mathcal{C}|$ . By union bound, with probability at least $1-|\mathcal{C}|\tau^{\prime}$ , the stable subset exists for all $w\in\mathcal{C}$ simultaneously. Since we have argued that for fixed $w$ , the same stable subset applies for all $w^{\prime}$ within distance $\xi$ from $w$ , the subset stability holds simultaneously for all $w$ with probability at least $1-\tau$ , as claimed.

Proof D.7 (Proof of Theorem 4.3).

Combining Lemma D.5 and Lemma D.2, in each iteration, we can estimate the gradient up to a bias as follows:

\|\tilde{g}(w_{t})-\overline{f}(w_{t})\|=O(\sigma\cdot\delta(\tau^{\prime}))=\sigma\cdot\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d\log(1/\tau)/n}\right).

The excess risk bound then follows by applying Lemma E.2 for smoothness loss, or Lemma E.4 for Lipschitz loss with corresponding choices of stepsizes and large enough $T$ . When $\sigma$ is unknown, we can use the approach in Appendix J to get a lower bound $\hat{\sigma}$ of $\sigma$ and choose large enough $T$ so that optimization error term that depends on $T$ is dominated by $\hat{\sigma}\cdot\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d\log(d)/n}+\sqrt{d\log(1/\tau)/n}\right)$ .

Appendix E Projected Biased Gradient Descent

In this section, we analyze the convergence of the projected gradient descent algorithm with a biased gradient estimator. We assume the loss function is convex throughout this section. The general form is stated below.

Algorithm 3 Projected Gradient Descent with Biased Gradient Estimator

1:Input: Convex function

F

, stepsize parameters

\{\eta_{t}\}_{t\in[T]}

, biased gradient estimator

\texttt{BiasedEstimator}(w)

, feasible set

\mathcal{W}

2:Initialize

w_{0}\in\mathcal{W}

and

t=1

3:for

t\in[T]

4: Let

\tilde{g}_{t}=\texttt{BiasedEstimator}(w_{t})

w_{t}\leftarrow\Pi_{\mathcal{W}}(w_{t-1}-\eta_{t}\tilde{g}_{t})

6:end for

7:Output:

\hat{w}_{T}=\frac{1}{T}\sum_{t=1}^{T}w_{t}

Here, $\Pi_{\mathcal{W}}(\cdot)$ denotes the projection operator onto the feasible set $\mathcal{W}$ , that is,

\Pi_{\mathcal{W}}(y)=\arg\min_{w\in\mathcal{W}}\|w-y\|^{2}.

The projection operation ensures that the iterates $w_{t}$ remain within the feasible set $\mathcal{W}$ throughout the optimization process. The projection step is crucial when the optimization problem is constrained, as it guarantees that the updates do not violate the constraints defined by $\mathcal{W}$ .

We analyze the convergence of the algorithm for (1) smooth loss, (2) Lipschitz loss. For convenience, we always write $\tilde{g}_{t}=g_{t}+b_{t}$ , where $g_{t}$ is the true gradient and $b_{t}$ is the bias for the BiasedEstimator. We assume that the bias term is bounded, i.e., $\|b_{t}\|\leq B$ , for all iterations $t$ .

We will use the following property of the projection operator.

Lemma E.1.

Let $w\in\mathcal{W}$ and $y\in\mathbb{R}^{d}$ . We have

\left(\Pi_{\mathcal{W}}(y)-y\right)^{\top}\left(w-\Pi_{\mathcal{W}}(y)\right)\geq 0.

E.1 Smooth Loss

Lemma E.2.

Suppose $F$ is $\beta$ -smooth. Running Algorithm 3 with constant step size $\eta=\frac{1}{\beta}$ , we have

F\left(\frac{1}{T}\sum_{t=1}^{T}w_{t}\right)-F(w^{*})\leq\frac{\beta}{2T}\left(\|w_{0}-w^{*}\|^{2}-\|w_{T}-w^{*}\|^{2}\right)+BD.

(24)

Proof E.3.

By convexity, we have

F(w_{t})\leq F(w^{*})+g_{t}^{\top}(w_{t}-w^{*}).

(25)

By $L$ -smoothness, we have

F(w_{t+1})\leq F(w_{t})+g_{t}^{\top}(w_{t+1}-w_{t})+\frac{\beta}{2}\|w_{t}-w_{t+1}\|^{2}.

(26)

Using Lemma E.1, we have

(w_{t+1}-w_{t}+\eta_{t}\tilde{g}_{t})^{\top}(w^{*}-w_{t+1})\geq 0.

(27)

We break the left hand into two terms $(w_{t+1}-w_{t})^{\top}(w^{*}-w_{t+1})$ and $\eta_{t}\tilde{g}_{t}^{\top}(w^{*}-w_{t+1})$ . We can write the first term as

(w_{t+1}-w_{t})^{\top}(w^{*}-w_{t+1})=\tfrac{1}{2}\left(\|w_{t}-w^{*}\|^{2}-\|w_{t+1}-w_{t}\|^{2}-\|w_{t+1}-w^{*}\|^{2}\right)

(28)

For the second term, we have

\eta_{t}\tilde{g}_{t}^{\top}(w^{*}-w_{t+1})=\eta_{t}g_{t}^{\top}(w^{*}-w_{t})+\eta_{t}g_{t}^{\top}(w_{t}-w_{t+1})+\eta_{t}b_{t}^{\top}(w^{*}-w_{t+1})

(29)

Using (25), (26), and Cauchy-Schwarz inequality to bound the three terms respectively, we have

\eta_{t}\tilde{g}_{t}^{\top}(w^{*}-w_{t+1})\leq\eta_{t}(F(w^{*})-F(w_{t}))+\eta_{t}(F(w_{t})-F(w_{t+1}))+\tfrac{L\eta_{t}}{2}\|w_{t}-w_{t+1}\|^{2}+\eta_{t}BD.

(30)

Now going back to (27), we can combine the above inequalities and choose $\eta_{t}=1/\beta$ to get

F(w_{t+1})-F(w^{*})\leq\tfrac{\beta}{2}\|w_{t}-w^{*}\|^{2}-\tfrac{\beta}{2}\|w_{t+1}-w^{*}\|^{2}+BD

(31)

Summing over $t=0,\ldots,T-1$ and divided by $T$ , we have

	$\displaystyle\frac{1}{T}\sum_{t=1}^{T}\left(F(w_{t})-F(w^{*})\right)$	$\displaystyle\leq\frac{\beta}{2T}\left(\\|w_{0}-w^{}\\|^{2}-\\|w_{T}-w^{}\\|^{2}\right)+BD$		(32)
		$\displaystyle\leq\frac{\beta D^{2}}{2T}+BD.$		(32)

The result then follows by convexity.

E.2 Lipschitz Loss

Alternatively, we can consider the case where the loss function $F(w)$ is convex and $L$ -Lipschitz. The following lemma holds.

Lemma E.4.

Suppose $F$ is $L$ -Lipschitz. Running Algorithm 3 with constant step size $\eta=\frac{1}{\beta}$ , we have

F\left(\frac{1}{T}\sum_{t=1}^{T}w_{t}\right)-F(w^{*})\leq\frac{DL}{\sqrt{T}}+\left(\frac{1}{\sqrt{T}}+1\right)BD.

(33)

Proof E.5.

Let us denote $y_{t+1}=w_{t}-\eta_{t}\tilde{g}_{t}$ . Using Lemma E.1, we have

\|w_{t}-w^{*}\|\leq\|y_{t}-w^{*}\|.

By the update rule, we have

$\displaystyle\tilde{g}_{t}(w_{t}-w^{*})$	$\displaystyle=\frac{1}{\eta}(w_{t}-y_{t+1})^{\top}(w_{t}-w^{*})$	(34)
	$\displaystyle\leq\frac{1}{2\eta}\left(\\|w_{t}-w^{}\\|^{2}-\\|w_{t}-y_{t+1}\\|^{2}-\\|y_{t+1}-w^{}\\|^{2}\right)$
	$\displaystyle\leq\frac{1}{2\eta}\left(\\|w_{t}-w^{}\\|^{2}-\\|w_{t}-y_{t+1}\\|^{2}-\\|w_{t+1}-w^{}\\|^{2}\right)$
	$\displaystyle=\frac{1}{2\eta}\left(\\|w_{t}-w^{}\\|^{2}-\\|w_{t+1}-w^{}\\|^{2}\right)+\frac{\eta}{2}\\|\tilde{g}_{t}\\|^{2}.$

Now by convexity, we have

F(w_{t})-F(w^{*})\leq g_{t}^{\top}(w_{t}-w^{*})=\tilde{g}_{t}^{\top}(w_{t}-w^{*})-b_{t}^{\top}(w_{t}-w^{*}).

(35)

Recall our assumptions on $g_{t}$ and $b_{t}$ . We have $\|\tilde{g}_{t}\|^{2}=\|g_{t}+b_{t}\|^{2}\leq(L+B)^{2}$ . Summing over $t=0,\ldots,T-1$ and divided by $T$ gives

	$\displaystyle\frac{1}{T}\sum_{t=0}^{T-1}\left(F(w_{t})-F(w^{*})\right)$	$\displaystyle\leq\frac{1}{2\eta T}\left(\\|w_{0}-w^{}\\|^{2}-\\|w_{T+1}-w^{}\\|^{2}\right)+\frac{\eta}{2}(L+B)^{2}+BD$		(36)
		$\displaystyle\leq\frac{D^{2}}{2\eta T}+\frac{\eta}{2}(L+B)^{2}+BD.$		(36)

Choosing $\eta=\frac{D}{(L+B)\sqrt{T}}$ and using convexity of $F$ gives the desired result.

Appendix F A Lemma for Converting High Probability Bounds to Expectation Bounds

Lemma F.1.

Let $X$ be a nonnegative random variable such that for all $\tau\in(0,1)$ ,

P(X\leq a+b\sqrt{\log(1/\tau)})\geq 1-\tau,

where $a$ and $b$ are positive constants. Then the expectation of $X$ satisfies

\mathbb{E}[X]\leq a+b\cdot\frac{\sqrt{\pi}}{2}.

Proof F.2.

The expectation of $X$ can be expressed as:

\mathbb{E}[X]=\int_{0}^{\infty}P(X>t)\,dt.

From the given condition, we have $P(X>a+b\sqrt{\log(1/\tau)})\leq\tau$ . Set $t=a+b\sqrt{\log(1/\tau)}$ , then solving for $\tau$ gives $\tau=e^{-\left(\frac{t-a}{b}\right)^{2}}$ , so that for $t\geq a$ , we have

P(X>t)\leq e^{-\left(\frac{t-a}{b}\right)^{2}}.

Thus, the expectation can be bounded by:

\mathbb{E}[X]\leq\int_{0}^{a}1\,dt+\int_{a}^{\infty}e^{-\left(\frac{t-a}{b}\right)^{2}}\,dt=a+b\int_{0}^{\infty}e^{-u^{2}}\,du.

The Gaussian integral evaluates to $\int_{0}^{\infty}e^{-u^{2}}\,du=\frac{\sqrt{\pi}}{2}$ , giving the final bound:

\mathbb{E}[X]\leq a+b\cdot\frac{\sqrt{\pi}}{2}.

Appendix G Discussions on the Assumptions

G.1 On the bounded covariance assumption

The reason for the assumption $\sigma\leq L$ is as follows. Due to Lipschitzness, we have $\|\nabla f(w)-\nabla\overline{f}(w)\|\leq L$ almost surely. It follows from Cauchy-Schwarz Inequality that $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq L^{2}$ holds for any unit vector $v$ . For the other direction, $L$ can be much larger than $\sigma$ since the Lipschitzness needs to hold almost surely.

The assumption $\mathbf{E}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ is equivalent to the assumption that the covariance matrix of the gradients $\nabla f(w)$ satisfies $\Sigma\preceq\sigma^{2}I$ .

Proposition G.1.

Let $\Sigma_{w}$ denote the covariance matrix of the gradients $\nabla f(w)$ . For given $w$ , the following two assumptions are equivalent:

1.

For every unit vector $v$ , we have $\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]\leq\sigma^{2}$ .
2.

The covariance matrix satisfies $\Sigma_{w}$ $\preceq\sigma^{2}I$ .

Furthermore, since $\Sigma_{w}$ is positive semidefinite, by definition of the spectral norm, the latter assumption can be equivalently written as $\|\Sigma_{w}\|\leq\sigma^{2}$ .

Proof G.2.

By definition,

\Sigma_{w}=\mathbf{E}_{f\sim p^{*}}[(\nabla f(w)-\nabla\overline{f}(w))(\nabla f(w)-\nabla\overline{f}(w))^{\top}].

(37)

We have

	$\displaystyle\mathbf{E}_{f\sim p^{*}}[(v\cdot(\nabla f(w)-\nabla\overline{f}(w)))^{2}]$	$\displaystyle=\mathbf{E}_{f\sim p^{*}}[v\cdot(\nabla f(w)-\nabla\overline{f}(w))(\nabla f(w)-\nabla\overline{f}(w))^{\top}\cdot v]$		(38)
		$\displaystyle=v^{\top}\cdot\mathbf{E}_{f\sim p^{*}}[(\nabla f(w)-\nabla\overline{f}(w))(\nabla f(w)-\nabla\overline{f}(w))^{\top}]\cdot v=v^{\top}\Sigma_{w}v.$		(38)

Therefore, the two assumptions are equivalent.

G.2 Compare bounded covariance assumption with bounded variance assumption

Cover-based approaches (e.g. uniform convergence) often suffer from suboptimal error (feldman2016generalization, ). However, Algorithm 1 indeed achieves the optimal rate. We believe the reason is due to the bounded covariance assumption $\Sigma\preceq\sigma^{2}I$ . Below, we provide a discussion on the bounded covariance assumption and compare it with the bounded variance assumption.

The bounded covariance assumption $\Sigma\preceq\sigma^{2}I$ is different from the bounded variance assumption $\mathbf{E}\left\|\nabla f(w)-\nabla\overline{f}(w)\right\|^{2}\leq\Phi^{2}$ as commonly used in optimization literature without corruption. Using the property $\operatorname{tr}{(AB)}=\operatorname{tr}{(BA)}$ , this is equivalent to $\operatorname{tr}{(\Sigma)}\leq\Phi^{2}$ .

We comment that neither assumption implies the other. For isotropic Gaussian distribution, where the covariance matrix is $\Sigma=\sigma^{2}I$ , we have $\operatorname{tr}{(\Sigma)}=d\sigma^{2}$ . On the other hand, consider the distribution where the variance is concentrated in one direction, i.e., $\Sigma=\Phi^{2}\cdot vv^{\top}$ for some unit vector $v$ . We have $\operatorname{tr}{(\Sigma)}=\Phi^{2}$ and $\|\Sigma\|=\Phi^{2}$ . In general, we only know that $\|\Sigma\|\leq\operatorname{tr}{(\Sigma)}\leq d\|\Sigma\|$ .

Recall Lemma D.4. The complete version of the lemma is as follows.

Lemma G.3 (diakonikolas2020outlier ).

Fix any $0<\tau<1$ . Let $S$ be a multiset of $n$ i.i.d. samples from a distribution on $\mathbb{R}^{d}$ with mean $\mu$ and covariance $\Sigma$ . Let $\epsilon^{\prime}=\Theta(\log(1/\tau)/n+\epsilon)\leq c$ , for a sufficiently small constant $c>0$ . Then, with probability at least $1-\tau$ , there exists a subset $S^{\prime}\subseteq S$ such that $|S^{\prime}|\geq(1-\epsilon^{\prime})n$ and $S^{\prime}$ is $(2\epsilon^{\prime},\tau(\tau))$ -stable with respect to $\mu$ and $\|\Sigma\|$ , where $\tau(\tau)=O(\sqrt{(\operatorname{r}(\Sigma)\log\operatorname{r}(\Sigma))/n}+\sqrt{\epsilon}+\sqrt{\log(1/\tau)/n})$ . Here we use $\operatorname{r}(M)$ to denote the stable rank (or intrinsic dimension) of a positive semidefinite matrix, i.e., $\operatorname{r}(M):=\operatorname{tr}(M)/\|M\|$ .

Following identical proof steps (recall proofs for our algorithms), we can express our excess risk bound in terms of the covariance matrix $\Sigma$ as follows:

D\cdot\tilde{O}\left(\sqrt{\|\Sigma\|\epsilon}+\sqrt{\operatorname{tr}{(\Sigma)}/n}+\sqrt{d\|\Sigma\|\log(1/\tau)/n}\right).

(39)

In our paper, we consider the bounded covariance assumption $\Sigma\preceq\sigma^{2}I$ , which is a standard assumption in robust optimization literature. Otherwise, we cannot control the error term $\sqrt{\|\Sigma\|\epsilon}$ due to corruption. In the worse case (e.g. isotropic Gaussian), we have $\|\Sigma\|=\sigma^{2}$ and $\operatorname{tr}{(\Sigma)}=d\sigma^{2}$ , so the bound reduces to

\sigma\cdot O\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{d\log(1/\tau)/n}\right).

(40)

We see that the second term already contains the dependence on $d$ . Therefore, the $d$ factor in the last term due to our cover-based approach, specifically the use of the union bound over the cover points, does not affect the rate.

Appendix H An exponential time algorithm that achieves the minimax-optimal excess risk bound without $\log d$ factor

Our two algorithms achieve the minimax-optimal excess risk bound up to logarithmic factors. In this section, we show that the minimax-optimal excess risk bound can be achieved without the $\log d$ factor, but at the cost of exponential time complexity.

Based on Lemma D.4, we can remove the $\log d$ factor when estimating the gradients, by using the following framework, as shown in diakonikolas2020outlier .

1.

Set $k=\lfloor\epsilon^{\prime}n\rfloor$ . Randomly partition $S$ into $k$ buckets of size $\lfloor n/k\rfloor$ (remove the last bucket if $n$ is not divisible by $k$ ).
2.

Compute the empirical mean within each bucket and denote the means as $z_{1},\ldots,z_{k}$ .
3.

Run stability-based robust mean estimation on the set $\{z_{1},\ldots,z_{k}\}$ .

Here, the first two steps serve as preprocessing before feeding the data into the robust mean estimation algorithm. We now restate the robust estimation result without $\log d$ factor below.

Lemma H.1.

Let $S$ be an $\epsilon$ -corrupted set of $n$ samples from a distribution in $\mathbb{R}^{d}$ with mean $\mu$ and covariance $\Sigma\preceq\sigma^{2}I$ . Let $\epsilon^{\prime}=\Theta(\log(1/\tau)/n+\epsilon)\leq c$ be given, for a constant $c>0$ . Then any stability-based algorithm on input $S$ and $\epsilon^{\prime}$ , efficiently computes $\widehat{\mu}$ such that with probability at least $1-\tau$ , we have $\|\widehat{\mu}-\mu\|=\sigma\cdot O\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{\log(1/\tau)/n}\right)$ .

We recall that our efficient implementation using grid points cost a $\log d$ factor due to the suboptimal cover size. Using a cover with size matching the cover number $O((D/\xi)^{d})$ will remove the $\log d$ factor, but at the cost of exponential time complexity for constructing the cover and finding a point within $O(\xi)$ distance for a given point.

Following the same proof steps, as in Section 3.1, we can derive the excess risk bound without the $\log d$ factor, at the cost of exponential time complexity.

Appendix I Iterative Filtering Algorithm for Robust Mean Estimation

In our algorithms, we treat the robust mean estimation as a black box. In this section, we provide an instantiation of such algorithms due to diakonikolas2020outlier . Recall the robust mean estimation result. See D.2 The following algorithm achieves the robust mean estimation result.

Algorithm 4 Iterative Filtering diakonikolas2020outlier

1:Input:

\epsilon

-corrupted set

A\subset\mathbb{R}^{d}

n

samples that satisfies the properties in Lemma D.2.

2:Initialize weight function

h:A\to\mathbb{R}_{\geq 0}

with

h(x)=1/|A|

for all

x\in A

3:while

\|h\|_{1}<1-2\epsilon

4: Compute

\mu(h)=\frac{1}{\|h\|_{1}}\sum_{x\in A}h(x)x

5: Compute

\Sigma(h)=\frac{1}{\|h\|_{1}}\sum_{x\in A}h(x)(x-\mu(h))(x-\mu(h))^{A}

6: Compute approximate largest eigenvector

v

\Sigma(h)

7: Define

g(x)=|v\cdot(x-\mu(h))|^{2}

for all

x\in A

8: Find largest

t

such that

\sum_{x\in A:g(x)\geq t}h(x)\geq\epsilon

9: Define

f(x)=\begin{cases}g(x)&\text{if }g(x)\geq t\\ 0&\text{otherwise}\end{cases}

10: Let

m=\max\{f(x):x\in A,h(x)\neq 0\}

11: Update

h(x)\leftarrow h(x)(1-f(x)/m)

for all

x\in A

12:end while

13:Output:

\mu(h)

In each iteration, we iteratively filter out points that are “far” from the sample mean in a large variance direction. Note that this algorithm is deterministic and runs in polynomial time. Notably, this algorithm modifies the terminal condition of the algorithm described in diakonikolas2019recent so that it works even when $\sigma$ is unknown.

Appendix J Dealing with Unknown $\sigma$

We can adapt Algorithm 1 to work without knowing $\sigma$ by first getting a lower bound on $\sigma$ using the filtering algorithm in Appendix I.

In Algorithm 1, we use $\sigma$ only to determine the fineness of the covering via $\xi=\sigma\sqrt{\epsilon}/\bar{\beta}$ . A smaller $\xi$ results in a finer covering and consequently reduces the error when evaluating gradients at the cover point $w^{\prime}$ instead of $w$ , that is, (18) still holds with a smaller $\xi$ . Since the excess risk depends on $\xi$ only through logarithmic terms, the same analysis (see Appendix C) holds with a smaller $\xi$ . It then suffices to choose $xi=\hat{\sigma}\delta/\bar{\beta}$ , where $\hat{\sigma}$ is a lower bound on $\sigma$ . We also need to choose $T=\tilde{\Omega}\left(\frac{\beta D}{\hat{\sigma}\sqrt{\epsilon}+\hat{\sigma}\sqrt{\frac{d\log(1/\tau)}{n}}}\right)$ where we use $\hat{\sigma}$ in place of $\sigma$ . When using smoothing to handle nonsmooth losses, we can choose $\beta$ similarly by replacing $\sigma$ with $\hat{\sigma}$ .

Recall that Algorithm 4 works even when $\sigma$ is unknown. Moreover, the output $h$ satisfies $\|\Sigma(h)\|\leq\sigma^{2}(1+O(\delta^{2}/\epsilon))$ (see diakonikolas2020outlier ). It follows that we can use $\|\Sigma(h)\|$ to obtain a lower bound on $\sigma$ . Using Lemma D.4, at any fixed $w$ , we can run Algorithm 4 with input $A=\{\nabla f_{i}(w)\}_{i=1}^{n}$ to obtain a lower bound $\hat{\sigma}$ on $\sigma$ . We have that (plugging in $\delta(\tau^{\prime})$ in Lemma D.4), with probability at least $1-\tau^{\prime}$ ,

\|\Sigma(h)\|\leq\sigma^{2}(1+O(\delta^{2}/\epsilon)),

(41)

where $\delta=\tilde{O}\left(\sqrt{\epsilon}+\sqrt{d/n}+\sqrt{\log(1/\tau^{\prime})/n}\right)$ . Therefore, $\hat{\sigma}:=\sqrt{\|\Sigma(h)\|}/\sqrt{1+O(\delta^{2}/\epsilon)}$ is a lower bound on $\sigma$ with probability at least $1-\tau^{\prime}$ .

Our modified algorithm is as follows. (1) Estimate $\sigma$ : Choose a point $w$ and run Algorithm 4 with input $A=\{\nabla f_{i}(w)\}_{i=1}^{n}$ to obtain an lower bound $\hat{\sigma}$ . (2) Then run Algorithm 1 with $\xi=\hat{\sigma}\delta/\bar{\beta}$ .

To compensate the failure probability for estimation of $\hat{\sigma}$ , we can set $\tau^{\prime}=\tau/(1+\|\mathcal{C}\|)$ , so that the overall failure probability is at most $\tau$ .

	$\displaystyle\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}\nabla f_{i}(w^{\prime})-\nabla\overline{f}(w^{\prime})\right\\|$	$\displaystyle\leq\left\\|\frac{1}{\|\mathcal{I}\|}\sum_{i\in\mathcal{I}}\left(\nabla f_{i}(w^{\prime})-\nabla f_{i}(w)\right)\right\\|+\left\\|\nabla f_{i}(w)-\nabla\overline{f}(w)\right\\|$		(22)
		$\displaystyle\leq\beta\\|w^{\prime}-w\\|+O(\sigma\delta^{\prime}).$		(22)

Optimal Rates for Robust Stochastic Convex Optimization

Abstract

keywords:

category:

1 Introduction

1.1 Problem Setup and Motivation

Definition 1.1 (ϵ\epsilon-contamination model).

Assumption 1.2.

Assumption 1.3.

1.2 Our Contributions

2 Revisiting SEVER

Definition 2.1 (“Good” set).

Assumption 2.2 (“Uniform good set”, Assumption B.1 diakonikolas2019sever ).

Definition 2.3 (γ\gamma-approximate learner).

Remark 2.4.

Assumption 2.5 (“Many good sets”, Assumption D.1 in diakonikolas2019sever ).

Assumption 2.6 (“Dense good sets”).

3 Optimal Rates for Robust SCO under Weak Distributional Assumptions

Assumption 3.1.

Theorem 3.2.

Remark 3.3.

Theorem 3.4.

3.1 Analysis of Algorithm 1 for Smooth Population Risks

Lemma 3.5 (diakonikolas2020outlier ).

3.2 Handling Nonsmooth but Lipschitz Population Risks

Lemma 3.6 ((nesterov2005smooth, )).

3.3 Handling Unknown Covariance Parameter σ\sigma

4 Projected Gradient Descent with Robust Gradient Estimator

Assumption 4.1.

Remark 4.2.

Theorem 4.3.

5 Conclusion and Future Work

References

Appendix A Fixing SEVER’s Sample Complexity Result

Lemma A.1 (Fixed from Proposition B.5 in diakonikolas2019sever ).

Proof A.2.

Appendix B Lower Bound for Robust Stochastic Optimization

Theorem B.1.

Remark B.2.

B.1 Lower Bound: Term due to Corruption

Proposition B.3 (diakonikolas2023algorithmic ).

B.2 Lower Bound: Term due to Stochastic Optimization

Lemma B.4 (lowy2023private [Theorem 36, part 3 for k=2k=2 and γ=σ2\gamma=\sigma^{2}]).

Appendix C Analysis of Algorithm 1 for Smooth Population Risks

Proof C.1.

Appendix D Analysis of Algorithm 2

D.1 Results from Robust Mean Estimation

Definition D.1 (Stability diakonikolas2019robust ).

Lemma D.2 (Robust Mean Estimation Under Stability diakonikolas2019robust ).

Remark D.3.

Lemma D.4 (diakonikolas2020outlier ).

D.2 Proof of Theorem 4.3

Lemma D.5.

Proof D.6.

Proof D.7 (Proof of Theorem 4.3).

Appendix E Projected Biased Gradient Descent

Lemma E.1.

E.1 Smooth Loss

Lemma E.2.

Proof E.3.

E.2 Lipschitz Loss

Lemma E.4.

Proof E.5.

Appendix F A Lemma for Converting High Probability Bounds to Expectation Bounds

Lemma F.1.

Proof F.2.

Appendix G Discussions on the Assumptions

G.1 On the bounded covariance assumption

Proposition G.1.

Proof G.2.

G.2 Compare bounded covariance assumption with bounded variance assumption

Lemma G.3 (diakonikolas2020outlier ).

Appendix H An exponential time algorithm that achieves the minimax-optimal excess risk bound without log⁡d\log d factor

Lemma H.1.

Appendix I Iterative Filtering Algorithm for Robust Mean Estimation

Appendix J Dealing with Unknown σ\sigma

Definition 1.1 ( $\epsilon$ -contamination model).

Definition 2.3 ( $\gamma$ -approximate learner).

3.3 Handling Unknown Covariance Parameter $\sigma$

Lemma B.4 (lowy2023private [Theorem 36, part 3 for $k=2$ and $\gamma=\sigma^{2}$ ]).

Appendix H An exponential time algorithm that achieves the minimax-optimal excess risk bound without $\log d$ factor

Appendix J Dealing with Unknown $\sigma$