
Towards Assessment of Randomized Smoothing Mechanisms for Certifying Adversarial Robustness

Tianhang Zheng,1  Di Wang,2,3 Baochun Li,1 Jinhui Xu2
1 University of Toronto
2 State University of New York at Buffalo
3 King Abdullah University of Science and Technology
The first two authors contributed equally to this work.
Abstract

As a certified defensive technique, randomized smoothing has received considerable attention due to its scalability to large datasets and neural networks. However, several important questions remain unanswered, such as (i) whether the Gaussian mechanism is an appropriate option for certifying \ell_{2}-norm robustness, and (ii) whether there is an appropriate randomized (smoothing) mechanism to certify \ell_{\infty}-norm robustness. To shed light on these questions, we argue that the main difficulty is how to assess the appropriateness of each randomized mechanism. In this paper, we propose a generic framework that connects the existing frameworks in [1, 2], to assess randomized mechanisms. Under our framework, for a randomized mechanism that can certify a certain extent of robustness, we define the magnitude of its required additive noise as the metric for assessing its appropriateness. We also prove lower bounds on this metric for the \ell_{2}-norm and \ell_{\infty}-norm cases as the criteria for assessment. Based on our framework, we assess the Gaussian and Exponential mechanisms by comparing the magnitude of additive noise required by these mechanisms and the lower bounds (criteria). We first conclude that the Gaussian mechanism is indeed an appropriate option to certify \ell_{2}-norm robustness. Surprisingly, we show that the Gaussian mechanism is also an appropriate option for certifying \ell_{\infty}-norm robustness, instead of the Exponential mechanism. Finally, we generalize our framework to the \ell_{p}-norm for any p\geq 2. Our theoretical findings are verified by evaluations on CIFAR10 and ImageNet.

1 Introduction

The past decade has witnessed tremendous success of deep learning in handling various learning tasks like image classification [3], natural language processing [4], and game playing [5]. Nevertheless, a major unresolved issue of deep learning is its vulnerability to adversarial samples, which are almost indistinguishable from natural samples to humans but can mislead deep neural networks (DNNs) to make wrong predictions with high confidence [6, 7]. This phenomenon, referred to as adversarial attack, is considered to be one of the most significant threats to the deployment of many deep learning systems. Thus, a substantial amount of effort has been devoted to developing defensive techniques against it. However, a majority of existing defenses are of heuristic nature (i.e., without any theoretical guarantees), implying that they may be ineffective against stronger attacks. Recent work [8, 9, 10] has confirmed this concern by showing that most of those heuristic defenses actually fail to defend against strong adaptive attacks. This forces us to shift our attention to certifiable defenses as they can classify all the samples in a predefined neighborhood of the natural samples with a theoretically-guaranteed error bound. Among all the existing certifiable defensive techniques, randomized smoothing is becoming increasingly popular due to its scalability to large datasets and arbitrary networks. [1] first relates adversarial robustness to differential privacy, and proves that adding noise is a certifiable defense against adversarial examples. [2] connects adversarial robustness with the concept of Rényi divergence, and improves the estimate on the lower bounds of the robust radii. Recently, [11] successfully certifies 49\% accuracy on the original ImageNet dataset under adversarial perturbations with \ell_{2} norm less than 0.5.

Despite these successes, there are still several unanswered questions regarding randomized (smoothing) mechanisms (in this paper, “randomized mechanism” is an abbreviation for “randomized smoothing mechanism”). One such question is: why should we use the Gaussian mechanism for randomized smoothing to certify \ell_{2}-norm robustness, and is there a more appropriate mechanism than the Gaussian mechanism? Another important question concerns the ability of this method to certify \ell_{\infty}-norm robustness: if randomized smoothing can certify \ell_{\infty}-norm robustness, which mechanism is an appropriate choice? All these questions motivate us to develop a framework to assess the appropriateness of a randomized mechanism for certifying \ell_{p}-norm robustness.

In this paper, we take a promising step towards answering the above questions by proposing a generic and self-contained framework, which applies to different norms and connects the existing frameworks in [1, 2], for assessing randomized mechanisms. Our framework employs the Maximal Relative Rényi (MR) divergence as the probability distance measurement, and thus, the definition of robustness under this measurement is referred to as D_{MR} robustness. Under our framework, we define the magnitude (i.e., the expected \ell_{\infty}-norm) of the noise required by a mechanism to certify a certain extent of robustness as the metric for assessing the appropriateness of this mechanism. To be specific, a more “appropriate” randomized mechanism under this definition refers to a mechanism that can certify a certain extent of robustness with “less” additive noise. Given this definition, it is natural to define the assessment criteria as the lower bounds on the magnitude of the noise required to certify \ell_{p}-norm (D_{MR}) robustness, in that we can judge whether a mechanism is an appropriate option based on the gap between the magnitude of noise needed by the mechanism and the lower bounds.

Inspired by the theory regarding the lower bounds on the sample complexity to estimate one-way marginals in differential privacy, we prove lower bounds on the magnitude of additive noise required by any randomized smoothing mechanism to certify \ell_{2}-norm and \ell_{\infty}-norm D_{MR} robustness. We demonstrate that the gap between the magnitude of Gaussian noise required by the Gaussian mechanism and the lower bounds is only O(\sqrt{\log d}) for both the \ell_{2}-norm and \ell_{\infty}-norm, where d is the dimensionality of the data. Note that this gap is small for datasets like CIFAR-10 and ImageNet, which indicates that the Gaussian mechanism is an appropriate option for certifying \ell_{2}-norm or \ell_{\infty}-norm robustness. Moreover, we also show that the Exponential mechanism is not an appropriate option for certifying \ell_{\infty}-norm robustness, since the gap scales as O(\sqrt{d}). To summarize, our contribution is four-fold:

  • We propose a generic and self-contained framework for assessing randomized mechanisms, which applies to different norms and connects the existing frameworks such as [1] and [2].

  • We define a metric for assessing randomized mechanisms, i.e., the magnitude of the additive noise required to certify adversarial robustness, and we derive the lower bounds on the magnitude of the additive noise required to certify \ell_{2}-norm and \ell_{\infty}-norm robustness as the criteria for the assessment. We also extend this assessment framework to the \ell_{p}-norm for any p\geq 2 in the Appendix, which indicates the curse of dimensionality of randomized smoothing for certifying \ell_{p}-norm (p>2) robustness.

  • We assess the Gaussian mechanism and the Exponential mechanism based on the metric and the lower bounds (i.e., the criteria). We conclude that the Gaussian mechanism is an appropriate option to certify \ell_{2}-norm and \ell_{\infty}-norm robustness, whereas the Exponential mechanism is not an appropriate option for certifying \ell_{\infty}-norm robustness.

  • We conduct extensive evaluations to verify our theoretical findings on our framework (with the same certified robust radii as in [2]) and Cohen et al.’s framework [11].

Due to the space limit, all the omitted proofs and some experimental results are included in Appendix (in the supplementary material).

2 Related Work

To our knowledge, three main approaches to certifying adversarial robustness stand out. The first approach formulates the task of adversarial verification as an optimization problem and solves it with tools like convex relaxations and duality [12, 13, 14]. Given a convex set (usually an \ell_{p} ball) as input, the second approach maintains an outer approximation of all the possible outputs at each layer by various techniques, such as interval bound propagation, hybrid zonotope, and abstract interpretations [15, 16, 17, 18, 19]. The third approach uses randomized smoothing to certify robustness, which is the main focus of this paper. Randomized smoothing for certifying robustness has become increasingly popular due to its strong scalability to large datasets and arbitrary networks [1, 20, 11, 12, 21]. For this approach, [1] first proves that randomized smoothing can certify \ell_{2}- and \ell_{1}-norm robustness using differential privacy theory. [20] derives a tighter lower bound on the \ell_{2}-norm robust radius based on a lemma on Rényi divergence. [11] further obtains a tight guarantee on the \ell_{2}-norm robustness using the Neyman-Pearson lemma. [22] proposes a new framework based on f-divergences that applies to different measures. [21] combines [11] with adversarial training, and [23] extends the method in [11] to the top-k classification setting. We note that, compared with [11], the frameworks proposed in [1, 2] are more general. In the following, we briefly review the basic definitions and theorems in the frameworks of [1, 2], which helps us demonstrate the inherent connections between our framework and those two frameworks [1, 2].

3 Preliminaries

In this section, we first introduce several basic definitions and notations. In general, we denote any randomized mechanism by \mathcal{M}(\cdot), which outputs a random variable depending on the input. We represent any deterministic classifier that outputs a prediction label by f(\cdot). A commonly-used randomized classifier can be constructed by g(\cdot)=f(\mathcal{M}(\cdot)). We denote a data sample and its label by \mathbf{x} and y, respectively. An \ell_{p}-norm ball centered at \mathbf{x} with radius r is represented by \mathbb{B}_{p}(\mathbf{x},r). We say a data sample \mathbf{x}^{\prime} is in \mathbb{B}_{p}(\mathbf{x},r) iff \|\mathbf{x}^{\prime}-\mathbf{x}\|_{p}\leq r. Next, we detail the frameworks in [1] and [2], i.e., PixelDP and the Rényi Divergence-based Bound.

PixelDP

To the best of our knowledge, PixelDP [1] is the first framework to prove that randomized smoothing is a certified defense by connecting the concepts of adversarial robustness and differential privacy. The definition of adversarial robustness in the framework of PixelDP can be stated as follows:

Definition 1 (PixelDP [1])

For any \mathbf{x}\in\mathbb{R}^{d} and \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r), if a randomized mechanism \mathcal{M}(\cdot) satisfies

\forall S\subseteq\mathcal{O},\quad P(\mathcal{M}(\mathbf{x})\in S)\leq e^{\epsilon}P(\mathcal{M}(\mathbf{x}^{\prime})\in S)+\delta,    (1)

where \mathcal{O} denotes the output space of \mathcal{M}(\cdot). Then we can say \mathcal{M}(\cdot) is (\epsilon,\delta)-PixelDP (in \mathbb{B}_{p}(\mathbf{x},r)).

[1] connects PixelDP with adversarial robustness by the following lemma.

Lemma 1 (Robustness Condition [1])

Suppose \mathbf{G}(\cdot) is a randomized K-class classifier defined by \mathbf{G}(\mathbf{x})=(\mathbf{G}_{1}(\mathbf{x}),\ldots,\mathbf{G}_{K}(\mathbf{x})) that satisfies (\epsilon,\delta)-PixelDP (in \mathbb{B}_{p}(\mathbf{x},r)). For class k, if

\mathbb{E}[\mathbf{G}_{k}(\mathbf{x})]>e^{2\epsilon}\max_{i:i\neq k}\mathbb{E}[\mathbf{G}_{i}(\mathbf{x})]+(1+e^{\epsilon})\delta,    (2)

then the classification result (\mathbb{E}[\mathbf{G}_{1}(\mathbf{x})],\ldots,\mathbb{E}[\mathbf{G}_{K}(\mathbf{x})]) is robust in \mathbb{B}_{p}(\mathbf{x},r), i.e., \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r), \mathrm{argmax}_{i}\mathbb{E}[\mathbf{G}_{i}(\mathbf{x}^{\prime})]=k.

Note that the definition of the randomized classifier \mathbf{G}(\cdot) is different from the definition of g(\cdot), since the output of g(\cdot) is a scalar (a prediction label) rather than a vector. g(\cdot) is more popular in follow-up works such as [2, 11]. [1] mainly utilizes two mechanisms, i.e., the Laplace mechanism and the Gaussian mechanism, to guarantee PixelDP. Specifically, adding Laplace noise (i.e., p(z)=\frac{1}{2b}\exp{(-\frac{|z|}{b})}) to the data samples can certify (\epsilon,0)-PixelDP in \mathbb{B}_{1}(\mathbf{x},b\epsilon) for any \mathbf{x}, and adding Gaussian noise (i.e., p(z)=\frac{1}{\sqrt{2\pi}\sigma}\exp{(-\frac{z^{2}}{2\sigma^{2}})}) can certify (\epsilon,\delta)-PixelDP in \mathbb{B}_{2}(\mathbf{x},\frac{\sigma\epsilon}{\sqrt{2\log{(1.25/\delta)}}}) for any \mathbf{x}.
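As a minimal illustration of how such a smoothed classifier is used in practice, the sketch below builds g(\mathbf{x})=f(\mathbf{x}+\mathbf{z}) with Gaussian noise and estimates the per-class expectations \mathbb{E}[\mathbf{G}_{k}(\mathbf{x})] by Monte Carlo sampling. This is a hedged sketch: the base classifier f, the noise level sigma, and the sample count n_samples are placeholder assumptions, not values from the paper.

```python
import numpy as np

def smoothed_scores(f, x, sigma=0.25, n_samples=1000, n_classes=10, rng=None):
    """Monte Carlo estimate of the per-class expectations E[G_k(x)] for the
    Gaussian mechanism M(x) = x + z.  f is any deterministic classifier that
    maps a d-dimensional input to an integer label; the smoothed prediction
    is argmax_k of the returned score vector."""
    rng = np.random.default_rng() if rng is None else rng
    counts = np.zeros(n_classes)
    for _ in range(n_samples):
        z = rng.normal(scale=sigma, size=x.shape)   # z ~ N(0, sigma^2 I_d)
        counts[f(x + z)] += 1
    return counts / n_samples                        # empirical class probabilities
```

For the Laplace mechanism, only the sampling line would change (e.g., rng.laplace(scale=b, size=x.shape)); the Monte Carlo estimation step is the same.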

Rényi Divergence-based Bound

[2] proves a tighter estimate (compared with [1]) on the robust radii based on the following lemma.

Lemma 2 (Rényi Divergence Lemma [2])

Let P=(p_{1},p_{2},\ldots,p_{k}) and Q=(q_{1},q_{2},\ldots,q_{k}) be two multinomial distributions. If the indices of the largest probabilities do not match on P and Q, then the Rényi divergence between P and Q, i.e., D_{\alpha}(P\|Q) (for \alpha\in(1,\infty), D_{\alpha}(P\|Q) is defined as D_{\alpha}(P\|Q)=\frac{1}{\alpha-1}\log\mathbb{E}_{x\sim Q}(\frac{P(x)}{Q(x)})^{\alpha}), satisfies

D_{\alpha}(P\|Q)\geq-\log(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}}),

where p_{(1)} and p_{(2)} refer to the largest and the second largest probabilities in \{p_{i}\}, respectively.

If the Gaussian mechanism is applied to certify \ell_{2}-norm robustness, then we have the following bound on the robust radius.

Lemma 3 ([2])

Let f be any deterministic classifier and g(\mathbf{x})=f(\mathbf{x}+\mathbf{z}) be its corresponding randomized classifier for sample \mathbf{x}\in\mathbb{R}^{d}, where \mathbf{z}\sim\mathcal{N}(0,\sigma^{2}I_{d}). Then \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r), \mathrm{argmax}_{y}P(g(\mathbf{x})=y)=\mathrm{argmax}_{y^{\prime}}P(g(\mathbf{x}^{\prime})=y^{\prime}), i.e., g(\cdot) is robust in \mathbb{B}_{p}(\mathbf{x},r), and the \ell_{2} robust radius r that can be certified is given by

r^{2}\leq\sup_{\alpha>1}-\frac{2\sigma^{2}}{\alpha}\log(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}}).    (3)

p_{(1)} and p_{(2)} refer to the largest and the second largest probabilities in \{p_{i}\}, where p_{i} is the probability that g(\mathbf{x}) returns the i-th class, i.e., p_{i}=P(g(\mathbf{x})=i).
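The supremum over \alpha in Eq. (3) has no closed form, but it can be evaluated numerically. The sketch below maximizes the right-hand side over a grid of \alpha values given estimates of p_{(1)}, p_{(2)}, and the noise level \sigma; the grid, the function name, and the default values are our own illustrative choices, not the authors' released implementation.

```python
import numpy as np

def certified_l2_radius(p1, p2, sigma, alphas=None):
    """Numerically evaluate the bound in Eq. (3): maximize over alpha > 1 and
    return the certified l2 radius of the Gaussian mechanism with std sigma.
    p1, p2 are the largest and second largest class probabilities of g(x),
    both assumed to lie in (0, 1)."""
    if alphas is None:
        alphas = np.linspace(1.001, 200.0, 20000)
    t = 1.0 - alphas                                            # exponent 1 - alpha
    inner = 1.0 - p1 - p2 + 2.0 * (0.5 * (p1**t + p2**t))**(1.0 / t)
    mask = inner > 0                                            # keep feasible alphas
    vals = -(2.0 * sigma**2 / alphas[mask]) * np.log(inner[mask])
    return float(np.sqrt(vals.max())) if vals.size else 0.0

# e.g. certified_l2_radius(0.8, 0.1, 0.25) gives the radius certified at sigma = 0.25
```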

4 Framework Overview

In this section, we present a generic framework, based on Definitions 2, 3, and 4, for assessing randomized mechanisms. According to Definition 3, our framework applies to different norms. Moreover, we show that our proposed framework connects the existing general frameworks in [1, 2] via Theorems 4.1 and 4.2. Also, we note that it is difficult to incorporate the framework in [11], since [11] restricts the additive noise of the randomized mechanism to be isotropic (e.g., Gaussian noise), while in our framework, we do not need to specify the type of additive noise.

4.1 Main Definitions

Under our framework, the definition of adversarial robustness is induced by the maximal relative Rényi divergence (MR divergence), namely D_{MR} robustness, so we start by introducing the definition of the MR divergence.

Definition 2 (Maximal Relative Rényi Divergence)

The Maximal Relative Rényi Divergence D_{MR}(P\|Q) of distributions P and Q is defined as

D_{MR}(P\|Q)=\max_{\alpha\in(1,\infty)}\frac{D_{\alpha}(P\|Q)}{\alpha},    (4)

where D_{\alpha}(P\|Q) is the Rényi divergence between P and Q. Using D_{MR} as the probability distance measure, we can define adversarial robustness as follows:

Definition 3 (D_{MR} Robustness)

We say a randomized (smoothing) mechanism \mathcal{M}(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust if for any \mathbf{x}\in\mathbb{R}^{d} and \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r),

D_{MR}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime}))\leq\epsilon.    (5)

If a randomized smoothing classifier g(\cdot) satisfies the above condition, we can say it is an (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust classifier or that it certifies (r,D_{MR},\|\cdot\|_{p},\epsilon)-robustness.

A property of D_{MR} robustness we use throughout this paper is its postprocessing property, which can be stated as follows:

Corollary 1 (Postprocessing Property)

Let g(\mathbf{x})=f(\mathcal{M}(\mathbf{x})) be a randomized classifier, where f(\cdot) is any deterministic function (classifier). g(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust if \mathcal{M}(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust.

This postprocessing property can be easily proved by D_{\alpha}(f(\mathcal{M}(\mathbf{x}))\|f(\mathcal{M}(\mathbf{x}^{\prime})))\leq D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime})) for any \alpha\in(1,\infty) [24]. This property allows us to only concentrate on the randomized mechanism \mathcal{M}(\cdot) without considering the specific form of the deterministic classifier f(\cdot), and therefore makes the framework applicable to an arbitrary neural network.

4.2 Connections between D_{MR} robustness and the existing frameworks

The framework defined by Definitions 2 and 3 is generic since it is closely connected with the existing ones [1, 2]. Here we demonstrate the connections by the following two theorems.

Theorem 4.1 (D_{MR} Robustness & PixelDP)

If \mathcal{M}(\cdot):\mathbb{R}^{d}\mapsto\mathbb{R}^{d} is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust, then \mathcal{M}(\cdot) is also (\epsilon+2\sqrt{\log{(1/\delta)}\epsilon},\delta)-PixelDP in \mathbb{B}_{p}(\mathbf{x},r) for any \mathbf{x}\in\mathbb{R}^{d}.

We note that the converse of Theorem 4.1 holds only when \delta=0, which indicates that our framework is a relaxed version of the PixelDP framework. But this should not be a surprise, since most of the follow-up frameworks [2, 11, 22] can somehow be considered more relaxed than the PixelDP framework and thus yield tighter certified bounds. Similarly, our framework can provide the same bound on the robust radius as in [2], which is tighter than the bound in [1] (Theorem 4.2).

Theorem 4.2 (D_{MR} Robustness & Rényi Divergence-based Bound)

If a randomized classifier g(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust, then we have \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r), \mathrm{argmax}_{y}P(g(\mathbf{x})=y)=\mathrm{argmax}_{y^{\prime}}P(g(\mathbf{x}^{\prime})=y^{\prime}) as long as

\epsilon\leq\sup_{\alpha>1}-\frac{1}{\alpha}\log(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}}),    (6)

where p_{(1)} and p_{(2)} also refer to the largest and the second largest probabilities in \{p_{i}\}, and p_{i} is the probability that g(\mathbf{x}) returns the i-th class, i.e., p_{i}=P(g(\mathbf{x})=i). Based on the above theorem, we can derive the same \ell_{2} robust radius as in Lemma 3 [2]. We will detail how to derive the \ell_{2} robust radius after Theorem 5.1 in Section 5.

An interpretation of Theorems 4.1 and 4.2 is that, as long as we can use a randomized mechanism with a certain amount of noise to certify D_{MR} robustness, we can use the same mechanism with the same amount of noise to certify PixelDP and the Rényi Divergence-based bound. Thus, Theorems 4.1 and 4.2 indicate that the assessment results based on the metric defined in Section 4.3 are very likely to generalize to the other frameworks.

4.3 Assessment of Randomized Mechanisms

Since there are infinitely many randomized mechanisms, a natural problem is to determine whether a certain randomized mechanism is an appropriate option to certify adversarial robustness. However, we note that all the previous work [2, 11, 21] overlooks this problem and assumes the Gaussian mechanism to be an appropriate mechanism for certifying \ell_{2}-norm robustness without sufficient assessment. In this paper, we attempt to provide a solution to this problem under our proposed framework. Specifically, we define a metric to assess randomized mechanisms as follows:

Definition 4

Given an \ell_{p}-norm, a robust radius r, and an \epsilon, the magnitude (expected \ell_{\infty}-norm) of the additive noise required by a randomized mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} to certify (r,D_{MR},\|\cdot\|_{p},\epsilon)-robustness is defined as the metric to assess the appropriateness of \mathcal{M}(\cdot).

We define this metric for assessing randomized mechanisms because the accuracy of neural networks tends to decrease as the magnitude of the noise added to the inputs increases. Note that if the magnitude of the noise required by a randomized classifier is too large, the accuracy of its predictions on clean samples will be very low, and the certified robustness will then be useless (certified robustness only guarantees that the predictions on the perturbed samples and the predictions on their clean samples are the same). Given the above metric, we also need criteria to assess the (relative) appropriateness of a randomized mechanism. In this paper, we employ the lower bounds on the magnitude of the noise required by any randomized mechanism to certify (r,D_{MR},\|\cdot\|_{p},\epsilon)-robustness as the criteria. We consider a randomized mechanism as an appropriate option if the gap between the magnitude of the additive noise required by this mechanism and the corresponding lower bound is small. In the following, we provide the lower bounds for the \ell_{2}-norm and \ell_{\infty}-norm, i.e., the two most popular norms, and assess the appropriateness of the Gaussian and Exponential mechanisms for certifying \ell_{2}-norm and \ell_{\infty}-norm robustness. In the Appendix, we generalize our framework to the \ell_{p}-norm for any p\geq 2.

5 Assessing Mechanisms for Certifying \ell_{2}-norm Robustness

In this section, we first elaborate on how the Gaussian mechanism certifies D_{MR} robustness, and then provide the lower bound on the magnitude of the additive noise required by any randomized mechanism (\mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}) to certify \ell_{2}-norm robustness. By comparing the magnitude of the additive noise required by the Gaussian mechanism with the lower bound, we conclude that the Gaussian mechanism is an appropriate option to certify \ell_{2}-norm robustness.

Theorem 5.1 (Gaussian Mechanism for Certifying \ell_{2}-norm Robustness)

Let f be any deterministic classifier and g(\mathbf{x})=f(\mathcal{M}(\mathbf{x})) be its corresponding randomized classifier for sample \mathbf{x}\in\mathbb{R}^{d}, where \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} with \mathbf{z}\sim\mathcal{N}(0,\sigma^{2}I_{d}). Then, g(\cdot) is (r,D_{MR},\|\cdot\|_{2},\frac{r^{2}}{2\sigma^{2}})-robust.

According to Theorem 4.2, if we substitute \epsilon with \frac{r^{2}}{2\sigma^{2}}, r can be given by r^{2}\leq\sup_{\alpha>1}-\frac{2\sigma^{2}}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}, which is the same as the bound on the robust radius in [2] (Lemma 3). To provide a criterion for the assessment of randomized mechanisms in the \ell_{2}-norm case, we prove a lower bound on the magnitude of the additive noise \mathbf{z} required by any randomized mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} to ensure that \mathcal{M}(\mathbf{x}) (as well as f(\mathcal{M}(\mathbf{x}))) is (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust. As mentioned in Section 4.3, if the magnitude of the additive Gaussian noise is close to the lower bound, then the Gaussian mechanism is considered as an appropriate option. The lower bound is given by the following theorem.

Theorem 5.2 (\ell_{2}-norm Criterion for Assessment)

For any \epsilon\leq O(1), if there is an (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\mathbb{R}^{d}\mapsto\mathbb{R}^{d} that satisfies

\mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\alpha    (7)

for some \alpha\leq O(1), then it must be true that \alpha\geq\Omega(\frac{r}{\sqrt{\epsilon}}). In other words, \Omega(\frac{r}{\sqrt{\epsilon}}) is the lower bound on the (expected) magnitude of the additive random noise.

Note that proving this theorem on \mathbb{R}^{d} is non-trivial; the proof is detailed in the Appendix. Theorem 5.2 indicates that the magnitude (expected \ell_{\infty}-norm) of the additive noise should be at least \Omega(\frac{r}{\sqrt{\epsilon}}) to certify (r,D_{MR},\|\cdot\|_{2},\epsilon)-robustness. For the Gaussian mechanism, the expected \ell_{\infty}-norm of the additive noise is O(\sigma\sqrt{\log d}) according to [25], which is O(\frac{r}{\sqrt{\epsilon}}\sqrt{\log d}) to guarantee (r,D_{MR},\|\cdot\|_{2},\epsilon)-robustness, according to Theorem 5.1. This means the gap between the magnitude of the noise required by the Gaussian mechanism and the lower bound is bounded by O(\sqrt{\log d}).

Remark 1

We say the Gaussian mechanism is an appropriate option because the gap O(\sqrt{\log d}) is small for most commonly-used datasets. For instance, for CIFAR-10 (d=3072), \sqrt{\log_{e}d}\approx 2.83, and for ImageNet (d=150528), \sqrt{\log_{e}d}\approx 3.45.

Equivalently, if we fix the expected \ell_{\infty}-norm of the additive noise as \alpha, the radius r that can be certified by any (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized mechanism is upper bounded by O(\alpha\sqrt{\epsilon}), according to Theorem 5.2. For the Gaussian mechanism, since \alpha=O(\sigma\sqrt{\log d}), the certified robust radius r is O(\frac{\alpha\sqrt{\epsilon}}{\sqrt{\log d}}) (the theoretical scales of the robust radii are verified by experiments), according to Theorem 5.1. This means the gap between the upper bound of the robust radius and the radius certified by the Gaussian mechanism is also O(\sqrt{\log d}).
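A quick numerical sanity check of the scales used above (our own illustration, not from the paper): the expected \ell_{\infty}-norm of d-dimensional Gaussian noise grows roughly like \sigma\sqrt{2\log d}, which is the O(\sqrt{\log d}) gap discussed in Remark 1. The sketch below estimates this expectation by sampling; the dimensionalities match CIFAR-10 and ImageNet inputs, and the sample count is an arbitrary choice.

```python
import numpy as np

def expected_linf_gaussian(d, sigma=1.0, n_samples=200, seed=0):
    """Monte Carlo estimate of E[||z||_inf] for z ~ N(0, sigma^2 I_d)."""
    rng = np.random.default_rng(seed)
    return float(np.mean([np.abs(rng.normal(scale=sigma, size=d)).max()
                          for _ in range(n_samples)]))

for d in (3072, 150528):            # CIFAR-10 and ImageNet input dimensionalities
    print(d, expected_linf_gaussian(d), np.sqrt(2 * np.log(d)))
```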

6 Assessing Mechanisms for Certifying \ell_{\infty}-norm Robustness

In this section, we first discuss the possibility of using the Exponential mechanism, an analogue of the Gaussian mechanism in the \ell_{\infty}-norm case, to certify \ell_{\infty}-norm robustness. Then, we prove the lower bound on the magnitude of the additive noise required by any randomized mechanism to certify \ell_{\infty}-norm robustness. By comparing the magnitude of the noise required by the Exponential mechanism with the lower bound, we conclude that the Exponential mechanism is not an appropriate option to certify \ell_{\infty}-norm robustness. Surprisingly, we find that the Gaussian mechanism is a more appropriate option than the Exponential mechanism to certify \ell_{\infty}-norm robustness.

We first recall the form of the density function of Gaussian noise: p(\mathbf{z})\propto\exp(-\frac{\|\mathbf{z}\|_{2}^{2}}{2\sigma^{2}}). Based on this, we conjecture that, to certify \ell_{\infty}-norm robustness, we can sample the noise using the Exponential mechanism, an analogue of the Gaussian mechanism in the \ell_{\infty}-norm case:

p(\mathbf{z})\propto\exp{(-\frac{\|\mathbf{z}\|_{\infty}}{\sigma})}.    (8)

We show in the following theorem that randomized smoothing using the Exponential mechanism can certify (r,D_{MR},\|\cdot\|_{\infty},\frac{r^{2}}{2\sigma^{2}})-robustness, which is seemingly an extension of the \ell_{2}-norm case. However, its required magnitude of noise is O(d), which implies that it is unscalable to high-dimensional data, i.e., the Exponential mechanism should not be an appropriate mechanism for certifying \ell_{\infty}-norm robustness. This conclusion is further verified by our assessment method, which will be detailed later.

Theorem 6.1 (Exponential Mechanism for Certifying \ell_{\infty}-norm Robustness)

Let f be any deterministic classifier and g(\mathbf{x})=f(\mathcal{M}(\mathbf{x})) be its corresponding randomized classifier for sample \mathbf{x}\in\mathbb{R}^{d}, where \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} with \mathbf{z} sampled from the Exponential mechanism. Then, g(\cdot) is (r,D_{MR},\|\cdot\|_{\infty},\frac{r}{\sigma})-robust and also (r,D_{MR},\|\cdot\|_{\infty},\frac{r^{2}}{2\sigma^{2}})-robust.

According to Theorem 4.2, if we substitute \epsilon with \frac{r}{\sigma} or \frac{r^{2}}{2\sigma^{2}}, then r can be given by r\leq\sup_{\alpha>1}-\frac{\sigma}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}, or r^{2}\leq\sup_{\alpha>1}-\frac{2\sigma^{2}}{\alpha}\log(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}}). Comparing this result with Theorem 5.1, we can see that randomized smoothing via the Exponential mechanism certifies a similar form of the radius as that certified by the Gaussian mechanism in the \ell_{2}-norm case, indicating similarity in their robustness guarantees. However, the following corollary shows that the magnitude of the noise required by the Exponential mechanism is much larger than that of the Gaussian mechanism in the \ell_{2}-norm case.

Corollary 2

For the Exponential mechanism that can guarantee Theorem 6.1, \mathbb{E}[\|\mathbf{z}\|_{\infty}]=d\sigma.
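One way to draw noise from the density in Eq. (8), and to see why Corollary 2 holds, is the standard radial decomposition: the \ell_{\infty}-radius R=\|\mathbf{z}\|_{\infty} follows a Gamma(d,\sigma) distribution (so \mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[R]=d\sigma), and conditioned on R the noise is uniform on the boundary of the cube [-R,R]^{d}. The sketch below implements this decomposition; it is our own illustration, not code from the paper.

```python
import numpy as np

def exponential_mechanism_noise(d, sigma, rng=None):
    """Sample z in R^d with density p(z) proportional to exp(-||z||_inf / sigma).

    Radial part: R = ||z||_inf ~ Gamma(shape=d, scale=sigma), since the surface
    area of the l_inf ball grows like R^(d-1).  Angular part: given R, z is
    uniform on the cube boundary, i.e. one coordinate sits on a face (= +-R)
    and the remaining coordinates are uniform in [-R, R]."""
    rng = np.random.default_rng() if rng is None else rng
    R = rng.gamma(shape=d, scale=sigma)          # E[R] = d * sigma
    z = rng.uniform(-R, R, size=d)
    i = rng.integers(d)                          # pick the face uniformly
    z[i] = R if rng.random() < 0.5 else -R
    return z
```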

Equivalently, if we fix the expected \ell_{\infty}-norm of the additive noise as \alpha, according to Theorem 6.1 and Corollary 2, the robust radius r certified by the Exponential mechanism is \max\{O(\frac{\alpha\epsilon}{d}),O(\frac{\alpha\sqrt{\epsilon}}{d})\}. The following theorem shows that there is a huge gap between the additive noise required by the Exponential mechanism and the lower bound, indicating that the Exponential mechanism is indeed not an appropriate option for certifying \ell_{\infty}-norm robustness.

Theorem 6.2 (\ell_{\infty}-norm Criterion for Assessment)

For any \epsilon\leq O(1), if there is an (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\mathbb{R}^{d}\mapsto\mathbb{R}^{d} that satisfies

\mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\alpha    (9)

for some \alpha\leq O(1), then it must be true that \alpha\geq\Omega(\frac{r\sqrt{d}}{\sqrt{\epsilon}}). In other words, \Omega(\frac{r\sqrt{d}}{\sqrt{\epsilon}}) is the lower bound on the (expected) magnitude of the additive random noise.

According to Corollary 2 and Theorem 6.1, for the Exponential mechanism, the required magnitude of noise is O(\frac{rd}{\sqrt{\epsilon}}) or O(\frac{rd}{\epsilon}) to certify (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robustness. Compared with Theorem 6.2, we can see that the gap between the magnitude of the noise required by the Exponential mechanism and the lower bound is O(\sqrt{d}), which can be very large for high-dimensional datasets. Therefore, we can conclude that the Exponential mechanism is probably not an appropriate mechanism for certifying \ell_{\infty}-norm robustness. Surprisingly, the following theorem shows that the Gaussian mechanism is an appropriate choice for certifying (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robustness.

Theorem 6.3 (Gaussian Mechanism for Certifying \ell_{\infty}-norm robustness)

Let r,\epsilon>0 be fixed numbers and \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} with \mathbf{z}\sim\mathcal{N}(0,\frac{dr^{2}}{2\epsilon}I_{d}). Then, \mathcal{M}(\cdot) is (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust, and \mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}] is upper bounded by O(\frac{r\sqrt{d\log d}}{\sqrt{\epsilon}}).

From Theorems 6.2 and 6.3, we can see that the gap between the magnitude of the noise required by the Gaussian mechanism and the lower bound is also O(\sqrt{\log d}). Thus, we can say the Gaussian mechanism is an appropriate option to certify \ell_{\infty}-norm robustness (see Remark 1). Equivalently, if we fix the expected \ell_{\infty}-norm of the additive noise as \alpha, the certified robust radius is O(\frac{\alpha\sqrt{\epsilon}}{\sqrt{d\log d}}).
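In practice, the \ell_{\infty} guarantee of the Gaussian mechanism can be read off from the \ell_{2} analysis: since \|\mathbf{x}^{\prime}-\mathbf{x}\|_{2}\leq\sqrt{d}\,\|\mathbf{x}^{\prime}-\mathbf{x}\|_{\infty} on the \ell_{\infty} ball, any certified \ell_{2} radius yields an \ell_{\infty} radius smaller by a factor of \sqrt{d}. A minimal sketch of this conversion, taking an already-computed \ell_{2} radius (e.g., from the certified_l2_radius sketch above) as input:

```python
import numpy as np

def certified_linf_radius_gaussian(l2_radius, d):
    """l_inf radius certified by the Gaussian mechanism for d-dimensional inputs:
    the certified l2 radius shrinks by sqrt(d), because ||x' - x||_2 <= sqrt(d) *
    ||x' - x||_inf for every x' in the l_inf ball of the same radius."""
    return l2_radius / np.sqrt(d)

# e.g. an l2 radius of 0.5 on ImageNet (d = 150528) gives an l_inf radius of about 1.3e-3
```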

Remark 2

Note that in the previous sections, we only consider the \ell_{2}-norm and \ell_{\infty}-norm and the corresponding mechanisms because they are the two most important norms. However, we can extend our framework to the \ell_{p}-norm for any p\geq 2; see Section D in the Appendix.

7 Experiments

Datasets and Models

Our theories are verified on two widely-used datasets, i.e., CIFAR10 and ImageNet (pixel value range [0.0, 1.0]). We follow [11, 21] and use a 110-layer residual network and a ResNet-50 as the base models for CIFAR10 and ImageNet, respectively. The certified accuracy at radius R is defined as the fraction of the test set whose certified radii are larger than R and whose predictions are correct. We note that the lower bounds (criteria) are not verifiable by experiments, since we are still not sure whether there exists any randomized mechanism that can achieve those lower bounds. So in the following, we mainly verify the theoretical results regarding the Gaussian mechanism and the Exponential mechanism. We provide more details about the numerical method (to compute the robust radii) and more experimental results comparing with the other frameworks in the Appendix in the supplementary material.
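As a concrete reading of this definition, the snippet below computes the certified accuracy at a given radius R; the inputs (per-sample certified radii and prediction correctness) and the function name are hypothetical, chosen only for illustration.

```python
import numpy as np

def certified_accuracy(radii, correct, R):
    """Fraction of the test set whose certified radius exceeds R and whose
    smoothed prediction is correct.  radii: array of certified radii (0 where
    the certification abstains); correct: boolean array of prediction correctness."""
    radii = np.asarray(radii)
    correct = np.asarray(correct, dtype=bool)
    return float(np.mean((radii > R) & correct))
```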

Empirical Results

In the following, we verify our framework by comparing our theoretical results on the \ell_{2}/\ell_{\infty} robust radii with the \ell_{2}/\ell_{\infty} radii at which the Gaussian/Exponential mechanism can certify 40\sim 60\% accuracy in the experiments. Note that in the previous literature, 40\sim 60\% robust accuracy is considered a reasonably good performance [26, 11]. Besides, selecting another reasonable accuracy does not affect the verification results much, because what our theories characterize are the asymptotic behaviors rather than the exact values of the robust radii.

In Fig. 1, we demonstrate the results of the Gaussian mechanism for certifying \ell_{2}-norm robustness. The red dashed lines show that the Gaussian mechanism can certify 40\sim 60\% accuracy at \ell_{2} radius =0.34 (CIFAR-10, d=3072) and \ell_{2} radius =0.29 (ImageNet, d=150528), i.e., approximately 1/\sqrt{\log d}. These results verify that the \ell_{2} radius certified by the Gaussian mechanism is O(\frac{\alpha\sqrt{\epsilon}}{\sqrt{\log d}}) (with \alpha\leq O(1) and \epsilon\leq O(1); equality can hold). We also argue that O(\frac{\alpha\sqrt{\epsilon}}{\sqrt{\log d}}) is the scale of the largest certified \ell_{2} radius (i.e., \frac{\sigma}{2}(\Phi^{-1}(p_{(1)})-\Phi^{-1}(p_{(2)})) [11]) in the previous literature, since the \ell_{\infty}-norm of the Gaussian noise \alpha is O(\sigma\sqrt{\log d}). This argument is verified by Fig. 3 & 4 in the Appendix.

Fig. 2 (first and third subfigures) shows that the Gaussian mechanism certifies 40\sim 60\% accuracy at \ell_{\infty} radius =6e-3 on CIFAR-10 (d=3072) and \ell_{\infty} radius =1.1e-3 on ImageNet (d=150528), i.e., approximately O(1/\sqrt{d\log d}). These results verify that the \ell_{\infty} radius certified by the Gaussian mechanism is O(\frac{\alpha\sqrt{\epsilon}}{\sqrt{d\log d}}). Fig. 2 (second and fourth subfigures) also shows that the Exponential mechanism certifies approximately 40\sim 60\% accuracy at \ell_{\infty} radius =1.5e-4 on CIFAR-10 and \ell_{\infty} radius =7e-6 on ImageNet, i.e., approximately O(1/d). These results verify that the \ell_{\infty} robust radius certified by the Exponential mechanism scales as O(\frac{\alpha\epsilon}{d}) or O(\frac{\alpha\sqrt{\epsilon}}{d}). If we compare the performance of the Gaussian mechanism and the Exponential mechanism in Fig. 2, we can see that the Gaussian mechanism is a much more appropriate option for certifying \ell_{\infty}-norm robustness. It is worth noting that the performance of the Gaussian mechanism can be further improved with the bound proved in [11], which is comparable to the other state-of-the-art approaches introduced in Section 2. We detail some results regarding this comparison in the Appendix.

Figure 1: Certify \ell_{2}-norm robustness by the Gaussian mechanism: certified accuracy for CIFAR-10 (left two) and ImageNet (right two). Models: noisy training [11] & smooth-adv training [21].
Figure 2: Certify \ell_{\infty}-norm robustness by the Gaussian/Exponential mechanism: certified accuracy for CIFAR-10 (left two) and ImageNet (right two). Model: smooth-adv training [21].

8 Conclusion

In this paper, we present a generic and self-contained framework, which applies to different norms and connects the existing frameworks such as [1, 2], for assessing randomized mechanisms. Under our framework, we define the magnitude of the noise added by a randomized mechanism to certify a certain extent of robustness as the metric for assessing this mechanism. We also provide general lower bounds on the magnitude of the additive noise as the assessment criteria. Comparing the noise required by the Gaussian and Exponential mechanisms with the lower bounds, we conclude that (i) the Gaussian mechanism is an appropriate option to certify \ell_{2}-norm and \ell_{\infty}-norm robustness, and (ii) the Exponential mechanism is not an appropriate mechanism to certify \ell_{\infty}-norm robustness. Moreover, we extend our assessment framework to the \ell_{p}-norm for any p\geq 2.

References

  • [1] Mathias Lecuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, and Suman Jana. Certified robustness to adversarial examples with differential privacy. arXiv preprint arXiv:1802.03471, 2018.
  • [2] Bai Li, Changyou Chen, Wenlin Wang, and Lawrence Carin. Certified adversarial robustness with additive noise. In Advances in Neural Information Processing Systems, pages 9459–9469, 2019.
  • [3] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. ImageNet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, pages 1097–1105, 2012.
  • [4] Kyunghyun Cho, Bart Van Merriënboer, Caglar Gulcehre, Dzmitry Bahdanau, Fethi Bougares, Holger Schwenk, and Yoshua Bengio. Learning phrase representations using RNN encoder-decoder for statistical machine translation. arXiv preprint arXiv:1406.1078, 2014.
  • [5] David Silver, Aja Huang, Chris J Maddison, Arthur Guez, Laurent Sifre, George Van Den Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershelvam, Marc Lanctot, et al. Mastering the game of go with deep neural networks and tree search. Nature, 529(7587):484–489, 2016.
  • [6] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
  • [7] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
  • [8] Warren He, James Wei, Xinyun Chen, Nicholas Carlini, and Dawn Song. Adversarial example defense: Ensembles of weak defenses are not strong. In 11th USENIX Workshop on Offensive Technologies (WOOT 17), 2017.
  • [9] Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
  • [10] Jonathan Uesato, Brendan O’Donoghue, Pushmeet Kohli, and Aaron Oord. Adversarial risk and the dangers of evaluating against weak attacks. In International Conference on Machine Learning, pages 5032–5041, 2018.
  • [11] Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning, pages 1310–1320, 2019.
  • [12] Krishnamurthy Dvijotham, Robert Stanforth, Sven Gowal, Timothy A Mann, and Pushmeet Kohli. A dual approach to scalable verification of deep networks. In UAI, pages 550–559, 2018.
  • [13] Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. Certified defenses against adversarial examples. arXiv preprint arXiv:1801.09344, 2018.
  • [14] Eric Wong and Zico Kolter. Provable defenses against adversarial examples via the convex outer adversarial polytope. In International Conference on Machine Learning, pages 5283–5292, 2018.
  • [15] Matthew Mirman, Timon Gehr, and Martin Vechev. Differentiable abstract interpretation for provably robust neural networks. In International Conference on Machine Learning, pages 3575–3583, 2018.
  • [16] Shiqi Wang, Kexin Pei, Justin Whitehouse, Junfeng Yang, and Suman Jana. Efficient formal safety analysis of neural networks. In Advances in Neural Information Processing Systems, pages 6367–6377, 2018.
  • [17] Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Timothy Mann, and Pushmeet Kohli. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715, 2018.
  • [18] Huan Zhang, Hongge Chen, Chaowei Xiao, Bo Li, Duane Boning, and Cho-Jui Hsieh. Towards stable and efficient training of verifiably robust neural networks. arXiv preprint arXiv:1906.06316, 2019.
  • [19] Mislav Balunovic and Martin Vechev. Adversarial training and provable defenses: Bridging the gap. In International Conference on Learning Representations, 2020.
  • [20] Bai Li, Changyou Chen, Wenlin Wang, and Lawrence Carin. Second-order adversarial attack and certifiable robustness. arXiv preprint arXiv:1809.03113, 2018.
  • [21] Hadi Salman, Jerry Li, Ilya Razenshteyn, Pengchuan Zhang, Huan Zhang, Sebastien Bubeck, and Greg Yang. Provably robust deep learning via adversarially trained smoothed classifiers. In Advances in Neural Information Processing Systems, pages 11289–11300, 2019.
  • [22] KD Dvijotham, J Hayes, B Balle, Z Kolter, C Qin, A Gyorgy, K Xiao, S Gowal, and P Kohli. A framework for robustness certification of smoothed classifiers using f-divergences. In International Conference on Learning Representations, 2020.
  • [23] Jinyuan Jia, Xiaoyu Cao, Binghui Wang, and Neil Zhenqiang Gong. Certified robustness for top-k predictions against adversarial perturbations via randomized smoothing. arXiv preprint arXiv:1912.09899, 2019.
  • [24] Tim Van Erven and Peter Harremos. Rényi divergence and Kullback-Leibler divergence. IEEE Transactions on Information Theory, 60(7):3797–3820, 2014.
  • [25] Francesco Orabona and Dávid Pál. Optimal non-asymptotic lower bound on the minimax regret of learning with expert advice. arXiv preprint arXiv:1511.02176, 2015.
  • [26] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
  • [27] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In Theory of cryptography conference, pages 265–284. Springer, 2006.
  • [28] Ilya Mironov. Rényi differential privacy. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF), pages 263–275. IEEE, 2017.
  • [29] Thomas Steinke and Jonathan Ullman. Between pure and approximate differential privacy. Journal of Privacy and Confidentiality, 7(2), 2016.
  • [30] Mark Bun and Thomas Steinke. Concentrated differential privacy: Simplifications, extensions, and lower bounds. In Theory of Cryptography Conference, pages 635–658. Springer, 2016.
  • [31] Thomas Steinke and Jonathan Ullman. Between pure and approximate differential privacy. arXiv preprint arXiv:1501.06095, 2015.

To make the paper more readable, we first review some definitions about differential privacy [27].

Definition 5

Given a data universe X, we say that two datasets D,D^{\prime}\subset X are neighbors if they differ by only one entry, which is denoted by D\sim D^{\prime}. A randomized algorithm \mathcal{M} is (\epsilon,\delta)-differentially private (DP) if for all neighboring datasets D,D^{\prime} and all events S the following holds:

P(\mathcal{M}(D)\in S)\leq e^{\epsilon}P(\mathcal{M}(D^{\prime})\in S)+\delta.
Definition 6

A randomized algorithm \mathcal{M} is (\alpha,\epsilon)-Rényi differentially private (Rényi DP) if for all neighboring datasets D,D^{\prime} the following holds:

D_{\alpha}(\mathcal{M}(D)\|\mathcal{M}(D^{\prime}))\leq\epsilon.

Appendix A Omitted Proofs in Section 4

Proof [Proof of Theorem 4.1] According to Definition 2, for a fixed \mathbf{x}, we have \forall\mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r) and any \alpha\in(1,\infty),

D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime}))<\alpha\epsilon.

Therefore, \mathcal{M}(\cdot) satisfies (\alpha,\alpha\epsilon)-Rényi DP (\mathbf{x}\in D, \mathbf{x}^{\prime}\in D^{\prime}, and \|\mathbf{x}^{\prime}-\mathbf{x}\|_{p}\leq r). According to the following lemma, i.e.,

Lemma 4 ([28])

If a randomized mechanism is (\alpha,\alpha\epsilon)-Rényi DP, then it is (\alpha\epsilon+\frac{\log(1/\delta)}{\alpha-1},\delta)-DP for any \delta>0 (we substitute \epsilon with \alpha\epsilon),

we have that \mathcal{M}(\cdot) is (\alpha\epsilon+\frac{\log(1/\delta)}{\alpha-1},\delta)-DP for all \alpha\in(1,+\infty). Since

\min_{\alpha\in(1,+\infty)}\{\alpha\epsilon+\log(1/\delta)/(\alpha-1)\}\stackrel{\beta=\alpha-1}{=}\min_{\beta\in(0,\infty)}\{\epsilon(1+\beta+\frac{\log(1/\delta)}{\epsilon\beta})\}=\epsilon+2\sqrt{\log{(1/\delta)}\epsilon}.

Thus, by the definition of Approximate Differential Privacy (Definition 5), in total we have for any \mathbf{x}, \mathbf{x}^{\prime}\in\mathbb{B}_{p}(\mathbf{x},r), and any event S,

P(\mathcal{M}(\mathbf{x}^{\prime})\in S)\leq e^{\epsilon+2\sqrt{\log{(1/\delta)}\epsilon}}P(\mathcal{M}(\mathbf{x})\in S)+\delta.

Thus, by Definition 1, \mathcal{M}(\cdot) is (\epsilon+2\sqrt{\log{(1/\delta)}\epsilon},\delta)-PixelDP.
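The minimization step above can also be checked symbolically; the snippet below is only an illustration (not part of the proof), with L standing in for \log(1/\delta).

```python
import sympy as sp

beta, eps, L = sp.symbols('beta epsilon L', positive=True)   # L denotes log(1/delta)
expr = eps * (1 + beta) + L / beta                            # epsilon(1 + beta) + log(1/delta)/beta
beta_star = sp.solve(sp.Eq(sp.diff(expr, beta), 0), beta)[0]  # minimizer beta* = sqrt(L/eps)
print(sp.simplify(expr.subs(beta, beta_star)))                # epsilon + 2*sqrt(epsilon*L)
```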

Proof [Proof of Theorem 4.2] Recall that Lemma 2 indicates that we have \mathrm{argmax}_{y}P(g(\mathbf{x})=y)=\mathrm{argmax}_{y^{\prime}}P(g(\mathbf{x}^{\prime})=y^{\prime}) as long as

D_{\alpha}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))<\sup_{\alpha>1}-\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}.

Thus we just need to prove that the above condition holds. Since g(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust, for any \mathbf{x} and \|\mathbf{x}^{\prime}-\mathbf{x}\|_{p}\leq r we have

D_{\alpha}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))<\alpha\epsilon.

If we also have the additional condition:

\epsilon\leq\sup_{\alpha>1}-\frac{1}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})},

then D_{\alpha}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))<\sup_{\alpha>1}-\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}. Thus, the additional condition to guarantee \mathrm{argmax}_{y}P(g(\mathbf{x})=y)=\mathrm{argmax}_{y^{\prime}}P(g(\mathbf{x}^{\prime})=y^{\prime}) can be stated as \epsilon\leq\sup_{\alpha>1}-\frac{1}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}.

Appendix B Omitted Proofs in Section 5

Proof [Proof of Theorem 5.1] By the postprocessing property, we just need to show that \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} is (r,D_{MR},\|\cdot\|_{2},\frac{r^{2}}{2\sigma^{2}})-robust.

Fix any \mathbf{x}. We have, for any \mathbf{x}^{\prime}\in\mathbb{B}_{2}(\mathbf{x},r) and \alpha\in(1,\infty),

D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime}))=D_{\alpha}(\mathcal{N}(\mathbf{x},\sigma^{2}I_{d})\|\mathcal{N}(\mathbf{x}^{\prime},\sigma^{2}I_{d}))=\frac{\alpha\|\mathbf{x}^{\prime}-\mathbf{x}\|_{2}^{2}}{2\sigma^{2}}\leq\frac{\alpha r^{2}}{2\sigma^{2}},

so D_{MR}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime}))=\max_{\alpha\in(1,\infty)}\frac{D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime}))}{\alpha}\leq\frac{r^{2}}{2\sigma^{2}}.

 

Proof [Proof of Theorem 5.2] We first show that, in order to prove Theorem 5.2, we only need to prove Theorem B.1. Then we show that, to prove Theorem B.1, we only need to prove Theorem B.2. Finally, we give a formal proof of Theorem B.2.

Theorem B.1

For any \epsilon\leq O(1), if there is an (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized (smoothing) mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto\mathbb{R}^{d} such that for any \mathbf{x}\in\{0,\frac{r}{2\sqrt{d}}\}^{d},

\mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\alpha

for some \alpha\leq O(1), then it must be true that \alpha\geq\Omega(\frac{r}{\sqrt{\epsilon}}).

For any \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\mathbb{R}^{d}\mapsto\mathbb{R}^{d}, in Theorem B.1, we only consider the expected \ell_{\infty}-norm of the noise added by \mathcal{M}(\mathbf{x}) on \mathbf{x}\in\{0,\frac{r}{2\sqrt{d}}\}^{d}. Thus, the \alpha in Theorem B.1 should be less than or equal to the \alpha in Theorem 5.2 (on \mathbf{x}\in\mathbb{R}^{d}). Therefore, the lower bound for the \alpha in Theorem B.1 (i.e., \Omega(\frac{r}{\sqrt{\epsilon}})) is also a lower bound for the \alpha in Theorem 5.2. That is to say, if Theorem B.1 holds, then Theorem 5.2 also holds true.

Next, we show that if Theorem B.2 holds, then Theorem B.1 also holds.

Theorem B.2

For any \epsilon\leq O(1), if there is an (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized (smoothing) mechanism \mathcal{M}(\mathbf{x}):\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt{d}}]^{d} (this mechanism might not be simply \mathbf{x}+\mathbf{z}, since it must involve operations to clip the output into [0,\frac{r}{2\sqrt{d}}]^{d}) such that for any \mathbf{x}\in\{0,\frac{r}{2\sqrt{d}}\}^{d},

\mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\alpha

for some \alpha\leq O(1), then it must be true that \alpha\geq\Omega(\frac{r}{\sqrt{\epsilon}}).

For any \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto\mathbb{R}^{d} considered in Theorem B.1, there exists an (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized mechanism \mathcal{M}^{\prime\prime}(\mathbf{x}):\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt{d}}]^{d} considered in Theorem B.2 such that for all \mathbf{x}\in\{0,\frac{r}{2\sqrt{d}}\}^{d},

\mathbb{E}[\|\mathcal{M}^{\prime\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}].

To prove the above statement, we first let a=\frac{r}{2\sqrt{d}} and \mathcal{M}^{\prime}(\mathbf{x})=\min\{\mathcal{M}(\mathbf{x}),a\}, where \min is applied coordinate-wise. Now we fix the randomness of \mathcal{M}(\mathbf{x}) (so that \mathcal{M}(\mathbf{x}) is deterministic), and let i be a coordinate attaining \|\mathcal{M}^{\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}=|\mathcal{M}_{i}^{\prime}(\mathbf{x})-x_{i}|. If \mathcal{M}_{i}(\mathbf{x})<a, then by definition \|\mathcal{M}^{\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}=|\mathcal{M}_{i}^{\prime}(\mathbf{x})-x_{i}|=|\mathcal{M}_{i}(\mathbf{x})-x_{i}|\leq\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}. If \mathcal{M}_{i}(\mathbf{x})\geq a, then |\mathcal{M}_{i}^{\prime}(\mathbf{x})-x_{i}|=|a-x_{i}|; since x_{i}\in\{0,a\} and \mathcal{M}_{i}(\mathbf{x})\geq a, we have |\mathcal{M}_{i}(\mathbf{x})-x_{i}|\geq|a-x_{i}|, and thus \|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}\geq|\mathcal{M}_{i}(\mathbf{x})-x_{i}|\geq|a-x_{i}|=\|\mathcal{M}^{\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}. Taking expectation over the randomness of \mathcal{M}, we obtain \mathbb{E}[\|\mathcal{M}^{\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}].

Then, we let \mathcal{M}^{\prime\prime}(\mathbf{x})=\max\{\mathcal{M}^{\prime}(\mathbf{x}),0\}, where \max is also applied coordinate-wise. By a similar argument, \mathbb{E}[\|\mathcal{M}^{\prime\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\mathbb{E}[\|\mathcal{M}^{\prime}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]. Moreover, \mathcal{M}^{\prime\prime}(\mathbf{x})=\max\{0,\min\{\mathcal{M}(\mathbf{x}),a\}\}, which means \mathcal{M}^{\prime\prime} is also a (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized mechanism by the post-processing property.

Since 𝔼[′′(𝐱)𝐱]𝔼[(𝐱)𝐱]\mathbb{E}[\|\mathcal{M}^{\prime\prime}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}], and ′′(𝐱)\mathcal{M}^{\prime\prime}(\operatorname{\mathbf{x}}) is a randomized mechanism satisfying the conditions in Theorem B.2, the α\alpha in Theorem B.2 should be less than or equal to the α\alpha in Theorem B.1. Therefore, the lower bound for the α\alpha in Theorem B.2 (i.e., Ω(rϵ)\Omega(\frac{r}{\sqrt{\epsilon}})) is also a lower bound for the α\alpha in Theorem B.1. That is to say, if Theorem B.2 holds, then Theorem B.1 also holds.

Finally, we give a proof of Theorem B.2.

Since \mathcal{M} is (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust on \{0,\frac{r}{2\sqrt{d}}\}^{d}, and for any \mathbf{x}_{i},\mathbf{x}_{j}\in\{0,\frac{r}{2\sqrt{d}}\}^{d} we have \|\mathbf{x}_{i}-\mathbf{x}_{j}\|_{2}\leq r (i.e., \mathbf{x}_{j}\in\mathbb{B}_{2}(\mathbf{x}_{i},r)), \mathcal{M} is (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-PixelDP on \{0,\frac{r}{2\sqrt{d}}\}^{d} by Theorem 4.1. Thus, \mathcal{M} is also (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-DP on the dataset \{0,\frac{r}{2\sqrt{d}}\}^{d}.

Next, we make use of the above condition by connecting the lower bound on the sample complexity of estimating one-way marginals (i.e., mean estimation) under DP with the lower bound studied in Theorem B.2. Suppose D=X\in\mathbb{R}^{n\times d} is a dataset with n rows; the one-way marginal is h(D)=\frac{1}{n}\sum_{i=1}^{n}X_{i}, where X_{i} is the i-th row of X. In particular, when n=1, the one-way marginal is just the data point itself, and thus the condition in Theorem B.2 can be rewritten as

𝔼[(D)h(D)]α.\mathbb{E}[\|\mathcal{M}(D)-h(D)\|_{\infty}]\leq\alpha. (10)

Based on this connection, we first prove the case where r=2\sqrt{d}, and then generalize it to any r. For r=2\sqrt{d}, the conclusion reduces to \alpha\geq\Omega(\sqrt{\frac{d}{\epsilon}}). To prove this, we employ the following lemma, which gives a sample-complexity lower bound for one-way marginal estimation under any DP mechanism.

Lemma 5 (Theorem 1.1 in [29])

For any ϵO(1)\epsilon\leq O(1), every 2Ω(n)δ1n1+Ω(1)2^{-\Omega(n)}\leq\delta\leq\frac{1}{n^{1+\Omega(1)}} and every α110\alpha\leq\frac{1}{10}, if :({0,1}d)n[0,1]d\mathcal{M}:(\{0,1\}^{d})^{n}\mapsto[0,1]^{d} is (ϵ,δ)(\epsilon,\delta)-DP and 𝔼[(D)h(D)]α\mathbb{E}[\|\mathcal{M}(D)-h(D)\|_{\infty}]\leq\alpha, then we have nΩ(dlog1δϵα).n\geq\Omega(\frac{\sqrt{d\log\frac{1}{\delta}}}{\epsilon\alpha}).

Setting n=1,ϵ=ϵ+2ϵlog1δn=1,\epsilon=\epsilon+2\sqrt{\epsilon\log\frac{1}{\delta}} in Lemma 5, we can see that if 𝔼[(𝐱)𝐱]α\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha, then we must have

1Ω(dlog1δ(ϵ+2ϵlog1δ)α)Ω(dα2ϵ),1\geq\Omega(\frac{\sqrt{d\log\frac{1}{\delta}}}{(\epsilon+2\sqrt{\epsilon\log\frac{1}{\delta}})\alpha})\geq\Omega(\frac{\sqrt{d}}{\sqrt{\alpha^{2}\epsilon}}),

where the last inequality is due to the fact that \frac{\sqrt{\log\frac{1}{\delta}}}{\epsilon+2\sqrt{\epsilon\log\frac{1}{\delta}}}\geq\Omega(\frac{1}{\sqrt{\epsilon}}), since \epsilon\leq O(1). Therefore, we have the following theorem:

Theorem B.3

For any \epsilon\leq O(1), if there is a (2\sqrt{d},D_{MR},\|\cdot\|_{2},\epsilon)-robust randomized mechanism \mathcal{M}:\{0,1\}^{d}\mapsto[0,1]^{d} such that for all \mathbf{x}\in\{0,1\}^{d}

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha, (11)

for some αO(1)\alpha\leq O(1). Then 1Ω(dϵα2)1\geq\Omega(\sqrt{\frac{d}{\epsilon\alpha^{2}}}), i.e., αΩ(dϵ)\alpha\geq\Omega(\sqrt{\frac{d}{\epsilon}}).

Apparently, Theorem B.3 is a special case of Theorem B.2 with r=2\sqrt{d}. Now we return to the proof for general r. For any (r,D_{MR},\|\cdot\|_{2},\epsilon)-robust \mathcal{M}(\mathbf{x}):\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt{d}}]^{d}, we write \tilde{\mathbf{x}}=\frac{2\sqrt{d}}{r}\mathbf{x}\in\{0,1\}^{d} and construct \tilde{\mathcal{M}} as \tilde{\mathcal{M}}(\tilde{\mathbf{x}})=\frac{2\sqrt{d}}{r}\mathcal{M}(\mathbf{x})\in[0,1]^{d}. Since \mathcal{M}(\mathbf{x}) satisfies

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha,

then we have

𝔼[~(𝐱~)𝐱~]=𝔼[2dr(𝐱)2dr𝐱]2drα.\mathbb{E}[\|\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})-\tilde{\operatorname{\mathbf{x}}}\|_{\infty}]=\mathbb{E}[\|\frac{2\sqrt{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}})-\frac{2\sqrt{d}}{r}\operatorname{\mathbf{x}}\|_{\infty}]\leq\frac{2\sqrt{d}}{r}\alpha.

We claim that ~:{0,1}d[0,1]d\tilde{\mathcal{M}}:\{0,1\}^{d}\mapsto[0,1]^{d} is (2d,DMR,2,ϵ)(2\sqrt{d},D_{MR},\|\cdot\|_{2},\epsilon)-robust since :{0,r2d}d[0,r2d]d\mathcal{M}:\{0,\frac{r}{2\sqrt{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt{d}}]^{d} is (r,DMR,2,ϵ)(r,D_{MR},\|\cdot\|_{2},\epsilon)-robust. This is because DMR(~(𝐱~)~(𝐱~))=DMR(2dr(𝐱)2dr(𝐱))D_{MR}(\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})\|\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}}^{\prime}))=D_{MR}(\frac{2\sqrt{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}})\|\frac{2\sqrt{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}}^{\prime})), and DMR(2dr(𝐱)2dr(𝐱))DMR((𝐱)(𝐱))D_{MR}(\frac{2\sqrt{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}})\|\frac{2\sqrt{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}}^{\prime}))\leq D_{MR}(\mathcal{M}(\operatorname{\mathbf{x}})\|\mathcal{M}(\operatorname{\mathbf{x}}^{\prime})) since Dα(f((𝐱))f((𝐱)))Dα((𝐱)(𝐱))D_{\alpha}(f(\mathcal{M}(\operatorname{\mathbf{x}}))\|f(\mathcal{M}(\operatorname{\mathbf{x}}^{\prime})))\leq D_{\alpha}(\mathcal{M}(\operatorname{\mathbf{x}})\|\mathcal{M}(\operatorname{\mathbf{x}}^{\prime})) for any f()f(\cdot).

Applying Theorem B.3 to \tilde{\mathcal{M}}:\{0,1\}^{d}\mapsto[0,1]^{d} with \tilde{\alpha}=\frac{2\sqrt{d}}{r}\alpha\leq O(1) (because \mathbb{E}[\|\tilde{\mathcal{M}}(\tilde{\mathbf{x}})-\tilde{\mathbf{x}}\|_{\infty}]\leq\frac{2\sqrt{d}}{r}\alpha), we have

1Ω(rϵα2),i.e., αΩ(rϵ).1\geq\Omega(\frac{r}{\sqrt{\epsilon\alpha^{2}}}),~{}~{}~{}\mbox{i.e., }\alpha\geq\Omega(\frac{r}{\sqrt{\epsilon}}). (12)

Therefore, Theorem B.2 holds true, thus, Theorem B.1 also holds true, and Theorem 5.2 is proved.  

Appendix C Omitted Proofs in Section 6

Proof [Proof of Theorem 6.1] We first prove that D(g(𝐱)g(𝐱))rσD_{\infty}(g(\operatorname{\mathbf{x}})\|g(\operatorname{\mathbf{x}}^{\prime}))\leq\frac{r}{\sigma} for all 𝐱𝔹(𝐱,r)\operatorname{\mathbf{x}}^{\prime}\in\mathbb{B}_{\infty}(\operatorname{\mathbf{x}},r). Since 𝐱𝐱r\|\operatorname{\mathbf{x}}^{\prime}-\operatorname{\mathbf{x}}\|_{\infty}\leq r, for any 𝐲\operatorname{\mathbf{y}},

\frac{p(\mathbf{y}-\mathbf{x})}{p(\mathbf{y}-\mathbf{x}^{\prime})}=\frac{\exp(-\|\mathbf{y}-\mathbf{x}\|_{\infty}/\sigma)}{\exp(-\|\mathbf{y}-\mathbf{x}^{\prime}\|_{\infty}/\sigma)}=\exp\Big(\frac{\|\mathbf{y}-\mathbf{x}^{\prime}\|_{\infty}-\|\mathbf{y}-\mathbf{x}\|_{\infty}}{\sigma}\Big)\leq\exp\Big(\frac{\|\mathbf{x}^{\prime}-\mathbf{x}\|_{\infty}}{\sigma}\Big)\leq\exp\Big(\frac{r}{\sigma}\Big).

Since

D_{\alpha}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))\leq D_{\infty}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))=\sup_{\mathbf{y}}\log\frac{p(\mathbf{y}-\mathbf{x})}{p(\mathbf{y}-\mathbf{x}^{\prime})}\leq\frac{r}{\sigma}\leq\frac{r}{\sigma}\alpha,

α(1,+)\forall\alpha\in(1,+\infty), g()g(\cdot) is (r,DMR,,rσ)(r,D_{MR},\|\cdot\|_{\infty},\frac{r}{\sigma})-robust. Also, based on the following lemma,

Lemma 6 ([30])

Let PP and QQ be two probability distributions satisfying D(PQ)ϵD_{\infty}(P\|Q)\leq\epsilon and D(QP)ϵD_{\infty}(Q\|P)\leq\epsilon. Then, Dα(PQ)12ϵ2αD_{\alpha}(P\|Q)\leq\frac{1}{2}\epsilon^{2}\alpha,

we have D_{\alpha}(g(\mathbf{x})\|g(\mathbf{x}^{\prime}))\leq\frac{1}{2}(\frac{r}{\sigma})^{2}\alpha (note that D_{\infty}(g(\mathbf{x}^{\prime})\|g(\mathbf{x}))\leq\frac{r}{\sigma} holds as well, by the same argument with \mathbf{x} and \mathbf{x}^{\prime} exchanged), i.e., g(\cdot) is (r,D_{MR},\|\cdot\|_{\infty},\frac{r^{2}}{2\sigma^{2}})-robust.

Proof [Proof of Corollary 2] Let D be the distribution on [0,\infty) of Z=\|\mathbf{z}\|_{\infty}, where \mathbf{z}\sim p(\mathbf{z}) and p(\mathbf{z}) is defined in Eq. (8). The probability density function of D is given by

pD(Z)Zd1exp(Zσ),p_{D}(Z)\propto Z^{d-1}\exp(-\frac{Z}{\sigma}),

which is obtained by integrating the probability density function in Eq. (8) over the boundary of the \ell_{\infty}-ball of radius Z, whose surface area is d2^{d}Z^{d-1}\propto Z^{d-1}. Hence p_{D} is the Gamma distribution with shape d and scale \sigma, and thus \mathbb{E}[Z]=d\sigma.

Proof [Proof of Theorem 6.2] Similar to the proof of Theorem 5.2, in order to prove Theorem 6.2, we only need to prove the following theorem:

Theorem C.1

For any \epsilon\leq O(1), if there is a (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust randomized (smoothing) mechanism \mathcal{M}(\mathbf{x}):\{0,\frac{r}{2}\}^{d}\mapsto[0,\frac{r}{2}]^{d} such that for any \mathbf{x}\in\{0,\frac{r}{2}\}^{d}, the following holds

\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}]\leq\alpha

for some αO(1)\alpha\leq O(1). Then it must be true that αΩ(rdϵ)\alpha\geq\Omega(\frac{r\sqrt{d}}{\sqrt{\epsilon}}).

Since \mathcal{M} is (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust on \{0,\frac{r}{2}\}^{d}, and for any \mathbf{x}_{i},\mathbf{x}_{j}\in\{0,\frac{r}{2}\}^{d} we have \|\mathbf{x}_{i}-\mathbf{x}_{j}\|_{\infty}\leq r (i.e., \mathbf{x}_{j}\in\mathbb{B}_{\infty}(\mathbf{x}_{i},r)), \mathcal{M} is (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-PixelDP on \{0,\frac{r}{2}\}^{d} by Theorem 4.1. Thus, \mathcal{M} is also (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-DP on the dataset \{0,\frac{r}{2}\}^{d}.

We first consider the case where r=2r=2. By setting n=1n=1 and ϵ=ϵ+2ϵlog1/δ\epsilon=\epsilon+2\sqrt{\epsilon\log 1/\delta} in Lemma 5, we have a similar result as in Theorem B.3:

Theorem C.2

For any \epsilon\leq O(1), if there is a (2,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust randomized mechanism \mathcal{M}:\{0,1\}^{d}\mapsto[0,1]^{d} such that for all \mathbf{x}\in\{0,1\}^{d}

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha, (13)

for some αO(1)\alpha\leq O(1). Then 1Ω(dϵα2)1\geq\Omega(\sqrt{\frac{d}{\epsilon\alpha^{2}}}).

For general rr, similar to the proof of Theorem B.2, we substitute 2r𝐱\frac{2}{r}\operatorname{\mathbf{x}} with 𝐱~{0,1}d\tilde{\operatorname{\mathbf{x}}}\in\{0,1\}^{d} and construct ~\tilde{\mathcal{M}} as ~(𝐱~)=2r(𝐱)[0,1]d\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})=\frac{2}{r}\mathcal{M}(\operatorname{\mathbf{x}})\in[0,1]^{d}. Since (𝐱)\mathcal{M}(\operatorname{\mathbf{x}}) satisfies

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha,

then we have

𝔼[~(𝐱~)𝐱~]=𝔼[2r(𝐱)2r𝐱]2rα.\mathbb{E}[\|\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})-\tilde{\operatorname{\mathbf{x}}}\|_{\infty}]=\mathbb{E}[\|\frac{2}{r}\mathcal{M}(\operatorname{\mathbf{x}})-\frac{2}{r}\operatorname{\mathbf{x}}\|_{\infty}]\leq\frac{2}{r}\alpha.

Also, \tilde{\mathcal{M}}:\{0,1\}^{d}\mapsto[0,1]^{d} is (2,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust since \mathcal{M}:\{0,\frac{r}{2}\}^{d}\mapsto[0,\frac{r}{2}]^{d} is (r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust. This is because D_{MR}(\tilde{\mathcal{M}}(\tilde{\mathbf{x}})\|\tilde{\mathcal{M}}(\tilde{\mathbf{x}}^{\prime}))=D_{MR}(\frac{2}{r}\mathcal{M}(\mathbf{x})\|\frac{2}{r}\mathcal{M}(\mathbf{x}^{\prime}))\leq D_{MR}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime})), which follows from D_{\alpha}(f(\mathcal{M}(\mathbf{x}))\|f(\mathcal{M}(\mathbf{x}^{\prime})))\leq D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime})) for any f(\cdot). Thus, applying Theorem C.2 with \tilde{\alpha}=\frac{2}{r}\alpha, we have

1\geq\Omega\Big(\sqrt{\frac{d}{\epsilon(2\alpha/r)^{2}}}\Big)=\Omega\Big(\frac{r\sqrt{d}}{\sqrt{\epsilon\alpha^{2}}}\Big),

i.e., \alpha\geq\Omega(\frac{r\sqrt{d}}{\sqrt{\epsilon}}), which proves Theorem C.1.

Proof [Proof of Theorem 6.3] By simple calculation we have

Dα(𝒩(𝐱,dr22ϵId)𝒩(𝐱,dr22ϵId))=αϵ𝐱𝐱22dr2αdϵ𝐱𝐱2dr2αϵ.D_{\alpha}(\mathcal{N}(\operatorname{\mathbf{x}},\frac{dr^{2}}{2\epsilon}I_{d})\|\mathcal{N}(\operatorname{\mathbf{x}}^{\prime},\frac{dr^{2}}{2\epsilon}I_{d}))=\frac{\alpha\epsilon\|\operatorname{\mathbf{x}}-\operatorname{\mathbf{x}}^{\prime}\|_{2}^{2}}{dr^{2}}\leq\frac{\alpha d\epsilon\|\operatorname{\mathbf{x}}-\operatorname{\mathbf{x}}^{\prime}\|_{\infty}^{2}}{dr^{2}}\leq\alpha\epsilon.

Therefore, (𝐱)=𝐱+𝐳\mathcal{M}(\operatorname{\mathbf{x}})=\operatorname{\mathbf{x}}+\operatorname{\mathbf{z}} with 𝐳𝒩(0,dr22ϵId)\operatorname{\mathbf{z}}\sim\mathcal{N}(0,\frac{dr^{2}}{2\epsilon}I_{d}) is (r,DMR,,ϵ)(r,D_{MR},\|\cdot\|_{\infty},\epsilon)-robust. The bound of 𝔼[𝐳]\mathbb{E}[\|\operatorname{\mathbf{z}}\|_{\infty}] can be easily proved by substituting σ\sigma in O(σlogd)O(\sigma\sqrt{\log d}) [25] with σ=dr22ϵ\sigma=\sqrt{\frac{dr^{2}}{2\epsilon}}.  
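To give a feel for the O(\sigma\sqrt{\log d}) bound on \mathbb{E}[\|\mathbf{z}\|_{\infty}] invoked above, the following Monte Carlo sketch (our own illustration, assuming numpy is available; the dimensions 3072 and 150528 correspond to CIFAR-10 and 224x224x3 ImageNet inputs) compares the empirical mean of \|\mathbf{z}\|_{\infty} for \mathbf{z}\sim\mathcal{N}(0,\sigma^{2}I_{d}) with \sigma\sqrt{2\log d}.

import numpy as np

rng = np.random.default_rng(0)
sigma = 1.0
for d in [3072, 150528]:
    # empirical E[||z||_inf] for z ~ N(0, sigma^2 I_d), estimated from 100 draws
    empirical = np.mean([np.abs(rng.normal(0.0, sigma, size=d)).max() for _ in range(100)])
    reference = sigma * np.sqrt(2.0 * np.log(d))
    print(d, round(empirical, 3), round(reference, 3))  # the two values are of the same scale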

Appendix D Extension to p\ell_{p}-norm robustness for Any 𝐩[2,)\mathbf{p}\in[2,\infty)

In the previous sections, we studied \ell_{2}-norm and \ell_{\infty}-norm robustness. As mentioned earlier, our framework can be applied to general norms. In this section, we study general \ell_{p}-norm robustness with p\geq 2. As in the previous sections, we first establish the \ell_{p}-norm criteria for assessment.

Theorem D.1

Given p\geq 2, for any \epsilon\leq O(1), if there is a (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust randomized (smoothing) mechanism \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z}:\mathbb{R}^{d}\mapsto\mathbb{R}^{d} such that

𝔼[𝐳]=𝔼[(𝐱)𝐱]α\mathbb{E}[\|\operatorname{\mathbf{z}}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha

for some \alpha\leq O(1). Then it must be true that \alpha\geq\Omega(\frac{rd^{\frac{1}{2}-\frac{1}{p}}}{\sqrt{\epsilon}}). Note that as p\rightarrow\infty, this recovers the bound \alpha\geq\Omega(\frac{rd^{\frac{1}{2}}}{\sqrt{\epsilon}}) in Theorem 6.2.

Proof [Proof of Theorem D.1] The proof is almost the same as that of Theorem 5.2. Following that proof, we can restrict attention to the case where \mathcal{M}(\mathbf{x}):\{0,\frac{r}{2\sqrt[p]{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt[p]{d}}]^{d}.

Since \mathcal{M} is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust on \{0,\frac{r}{2\sqrt[p]{d}}\}^{d}, and for any \mathbf{x}_{i},\mathbf{x}_{j}\in\{0,\frac{r}{2\sqrt[p]{d}}\}^{d} we have \|\mathbf{x}_{i}-\mathbf{x}_{j}\|_{p}\leq r (i.e., \mathbf{x}_{j}\in\mathbb{B}_{p}(\mathbf{x}_{i},r)), \mathcal{M} is (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-PixelDP on \{0,\frac{r}{2\sqrt[p]{d}}\}^{d} by Theorem 4.1. Thus, \mathcal{M} is also (\epsilon+2\sqrt{\epsilon\log(1/\delta)},\delta)-DP on the dataset \{0,\frac{r}{2\sqrt[p]{d}}\}^{d}.

We first consider the case where r=2dpr=2\sqrt[p]{d}, then we extend to the general case. When r=2dpr=2\sqrt[p]{d}, by setting n=1n=1 and ϵ=ϵ+2ϵlog1/δ\epsilon=\epsilon+2\sqrt{\epsilon\log 1/\delta} in Lemma 5, we have the following theorem, similar to Theorem B.3.

Theorem D.2

For any \epsilon\leq O(1), if there is a (2\sqrt[p]{d},D_{MR},\|\cdot\|_{p},\epsilon)-robust randomized mechanism \mathcal{M}:\{0,1\}^{d}\mapsto[0,1]^{d} such that for all \mathbf{x}\in\{0,1\}^{d}

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha, (14)

for some αO(1)\alpha\leq O(1). Then 1Ω(dϵα2)1\geq\Omega(\sqrt{\frac{d}{\epsilon\alpha^{2}}}).

 

For general rr, similar to the proof of Theorem B.2, we substitute 2dpr𝐱\frac{2\sqrt[p]{d}}{r}\operatorname{\mathbf{x}} with 𝐱~{0,1}d\tilde{\operatorname{\mathbf{x}}}\in\{0,1\}^{d} and construct ~\tilde{\mathcal{M}} as ~(𝐱~)=2dpr(𝐱)[0,1]d\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})=\frac{2\sqrt[p]{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}})\in[0,1]^{d}. Since (𝐱)\mathcal{M}(\operatorname{\mathbf{x}}) satisfies

𝔼[(𝐱)𝐱]α,\mathbb{E}[\|\mathcal{M}(\operatorname{\mathbf{x}})-\operatorname{\mathbf{x}}\|_{\infty}]\leq\alpha,

then we have

𝔼[~(𝐱~)𝐱~]=𝔼[2dpr(𝐱)2dpr𝐱]2dprα.\mathbb{E}[\|\tilde{\mathcal{M}}(\tilde{\operatorname{\mathbf{x}}})-\tilde{\operatorname{\mathbf{x}}}\|_{\infty}]=\mathbb{E}[\|\frac{2\sqrt[p]{d}}{r}\mathcal{M}(\operatorname{\mathbf{x}})-\frac{2\sqrt[p]{d}}{r}\operatorname{\mathbf{x}}\|_{\infty}]\leq\frac{2\sqrt[p]{d}}{r}\alpha.

Also, \tilde{\mathcal{M}}:\{0,1\}^{d}\mapsto[0,1]^{d} is (2\sqrt[p]{d},D_{MR},\|\cdot\|_{p},\epsilon)-robust since \mathcal{M}:\{0,\frac{r}{2\sqrt[p]{d}}\}^{d}\mapsto[0,\frac{r}{2\sqrt[p]{d}}]^{d} is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust. This is because D_{MR}(\tilde{\mathcal{M}}(\tilde{\mathbf{x}})\|\tilde{\mathcal{M}}(\tilde{\mathbf{x}}^{\prime}))=D_{MR}(\frac{2\sqrt[p]{d}}{r}\mathcal{M}(\mathbf{x})\|\frac{2\sqrt[p]{d}}{r}\mathcal{M}(\mathbf{x}^{\prime}))\leq D_{MR}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime})), which follows from D_{\alpha}(f(\mathcal{M}(\mathbf{x}))\|f(\mathcal{M}(\mathbf{x}^{\prime})))\leq D_{\alpha}(\mathcal{M}(\mathbf{x})\|\mathcal{M}(\mathbf{x}^{\prime})) for any f(\cdot). Applying Theorem D.2 to \tilde{\mathcal{M}} with \tilde{\alpha}=\frac{2\sqrt[p]{d}}{r}\alpha\leq O(1), we have

1\geq\Omega\Big(\sqrt{\frac{d}{\epsilon(2\sqrt[p]{d}\alpha/r)^{2}}}\Big)=\Omega\Big(\frac{rd^{\frac{1}{2}-\frac{1}{p}}}{\sqrt{\epsilon\alpha^{2}}}\Big).

Thus we have αΩ(rd121pϵ)\alpha\geq\Omega(\frac{rd^{\frac{1}{2}-\frac{1}{p}}}{\sqrt{\epsilon}}).

Remark 3

First, when p=2, Theorem D.1 coincides with Theorem 5.2, so it can be viewed as a generalization of the previous theorems. Second, Theorem D.1 indicates that, to certify a certain extent of robustness, the magnitude of the added noise should be at least \Omega(d^{\frac{1}{2}-\frac{1}{p}}), which can be quite large for high-dimensional datasets. This means that, for \ell_{p}-norm robustness with p>2, randomized smoothing as a defensive method does not scale well to high-dimensional data; we may call this the curse of dimensionality of randomized smoothing for certifying \ell_{p} (p\geq 2) robustness. Note that if p<2, then \Omega(d^{\frac{1}{2}-\frac{1}{p}})\rightarrow 0 as d\rightarrow\infty; therefore, the lower bound is informative only when p\geq 2.
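To make the scale of this lower bound concrete, a tiny sketch (ours, assuming numpy; d=3072 and d=150528 are the CIFAR-10 and ImageNet input dimensions used in our experiments) evaluates the factor d^{\frac{1}{2}-\frac{1}{p}} for a few values of p.

import numpy as np

for d in [3072, 150528]:
    for p in [2.0, 4.0, 8.0, np.inf]:
        exponent = 0.5 - (0.0 if np.isinf(p) else 1.0 / p)
        # the factor grows from 1 (p = 2) to sqrt(d) (p = infinity)
        print(f"d={d}, p={p}: d^(1/2 - 1/p) = {d ** exponent:.1f}")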

In the following theorem, based on the above criteria for the \ell_{p}-norm, we show that the Gaussian mechanism is an appropriate option for certifying \ell_{p}-norm robustness, because the gap between the criteria and the magnitude of the additive noise required by the Gaussian mechanism is only a factor of O(\sqrt{\log d}).

Theorem D.3 (Gaussian Mechanism for Certifying p\ell_{p}-norm robustness)

Let r,\epsilon>0 be fixed numbers and \mathcal{M}(\mathbf{x})=\mathbf{x}+\mathbf{z} with \mathbf{z}\sim\mathcal{N}(0,\frac{d^{1-\frac{2}{p}}r^{2}}{2\epsilon}I_{d}). Then \mathcal{M}(\cdot) is (r,D_{MR},\|\cdot\|_{p},\epsilon)-robust, and \mathbb{E}[\|\mathbf{z}\|_{\infty}]=\mathbb{E}[\|\mathcal{M}(\mathbf{x})-\mathbf{x}\|_{\infty}] is upper bounded by O(\frac{rd^{\frac{1}{2}-\frac{1}{p}}\sqrt{\log d}}{\sqrt{\epsilon}}).

Proof [Proof of Theorem D.3] By simple calculation we have

Dα(𝒩(𝐱,d12pr22ϵId)𝒩(𝐱,d12pr22ϵId))=αϵ𝐱𝐱22d12pr2αd12pϵ𝐱𝐱p2d12pr2αϵ.D_{\alpha}(\mathcal{N}(\operatorname{\mathbf{x}},\frac{d^{1-\frac{2}{p}}r^{2}}{2\epsilon}I_{d})\|\mathcal{N}(\operatorname{\mathbf{x}}^{\prime},\frac{d^{1-\frac{2}{p}}r^{2}}{2\epsilon}I_{d}))=\frac{\alpha\epsilon\|\operatorname{\mathbf{x}}-\operatorname{\mathbf{x}}^{\prime}\|_{2}^{2}}{d^{1-\frac{2}{p}}r^{2}}\leq\frac{\alpha d^{1-\frac{2}{p}}\epsilon\|\operatorname{\mathbf{x}}-\operatorname{\mathbf{x}}^{\prime}\|_{p}^{2}}{d^{1-\frac{2}{p}}r^{2}}\leq\alpha\epsilon.

Therefore, (𝐱)=𝐱+𝐳\mathcal{M}(\operatorname{\mathbf{x}})=\operatorname{\mathbf{x}}+\operatorname{\mathbf{z}} with 𝐳𝒩(0,d12pr22ϵId)\operatorname{\mathbf{z}}\sim\mathcal{N}(0,\frac{d^{1-\frac{2}{p}}r^{2}}{2\epsilon}I_{d}) is (r,DMR,p,ϵ)(r,D_{MR},\|\cdot\|_{p},\epsilon)-robust. The bound of 𝔼[𝐳]\mathbb{E}[\|\operatorname{\mathbf{z}}\|_{\infty}] can be easily proved by substituting σ\sigma in O(σlogd)O(\sigma\sqrt{\log d}) [25] with σ=d12pr22ϵ\sigma=\sqrt{\frac{d^{1-\frac{2}{p}}r^{2}}{2\epsilon}}.  

Appendix E Additional Details & Results

E.1 Numerical Method

We first describe the numerical method used in our experiments. The core algorithm is detailed in Alg. 1. Following [11], we conduct evaluations on 500 test samples from CIFAR-10 and ImageNet, and we set n=1000 for CIFAR-10 and n=10000 for ImageNet in Alg. 1. We refer interested readers to our code for further technical details.

Algorithm 1 Certifying 2\ell_{2}/\ell_{\infty}-norm Robustness
0:  Input 𝐱\operatorname{\mathbf{x}}, a classifier f()f(\cdot), parameter σ>0\sigma>0, number of samples for estimating confidence interval nn.
  Sample nn samples from the Gaussian/Exponential mechanism {𝐳i}i=1n\{\operatorname{\mathbf{z}}_{i}\}_{i=1...n}
  Compute ci=f(𝐱+𝐳i)c_{i}=f(\operatorname{\mathbf{x}}+\operatorname{\mathbf{z}}_{i}), and estimate the distribution of cic_{i}, i.e., pj#{ci=j}i=1nnp_{j}\approx\frac{\#\{c_{i}=j\}_{i=1...n}}{n}
Note that we compute multinomial confidence intervals for \{p_{j}\}. p_{(1)} is set as the lower confidence bound of the largest probability in \{p_{j}\}, and p_{(2)} is set as the upper confidence bound of the second largest one.
  if Choose the Gaussian mechanism then
     Compute the robust radius by r2=supα>1(2σ2αlog(1p(1)p(2)+2(12(p(1)1α+p(2)1α))11α))12r_{2}=sup_{\alpha>1}(-\frac{2\sigma^{2}}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})})^{\frac{1}{2}}
  else if Choose the Exponential mechanism then
     ra=supα>1σαlog(1p(1)p(2)+2(12(p(1)1α+p(2)1α))11α)r_{a}=sup_{\alpha>1}-\frac{\sigma}{\alpha}\log{(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}})}
     rb=(supα>12σ2αlog(1p(1)p(2)+2(12(p(1)1α+p(2)1α))11α))12r_{b}=(sup_{\alpha>1}-\frac{2\sigma^{2}}{\alpha}\log(1-p_{(1)}-p_{(2)}+2(\frac{1}{2}(p_{(1)}^{1-\alpha}+p_{(2)}^{1-\alpha}))^{\frac{1}{1-\alpha}}))^{\frac{1}{2}}
     r=max{ra,rb}r_{\infty}=\max\{r_{a},r_{b}\}
  end if
  Output: For the Gaussian mechanism, 2\ell_{2} robust radius is r2r_{2}, and \ell_{\infty} robust radius is r22/d\sqrt{r_{2}^{2}/d}. For the Exponential mechanism, \ell_{\infty} robust radius is rr_{\infty}.
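For concreteness, the following Python sketch implements the radius computations of Alg. 1 (this is our own illustration and is not taken from the released code; it assumes numpy, approximates the supremum over \alpha>1 by a grid search, and uses example inputs p_{(1)}=0.8, p_{(2)}=0.1 and \sigma=0.25).

import numpy as np

def _log_arg(p1, p2, alpha):
    # 1 - p1 - p2 + 2*((p1^(1-a) + p2^(1-a))/2)^(1/(1-a))
    inner = (0.5 * (p1 ** (1.0 - alpha) + p2 ** (1.0 - alpha))) ** (1.0 / (1.0 - alpha))
    return 1.0 - p1 - p2 + 2.0 * inner

def gaussian_l2_radius(p1, p2, sigma, alphas=np.linspace(1.001, 50.0, 2000)):
    # sup over alpha of (-(2 sigma^2 / alpha) * log(...))^(1/2), approximated on a grid
    best = max(-(2.0 * sigma ** 2 / a) * np.log(_log_arg(p1, p2, a)) for a in alphas)
    return float(np.sqrt(best)) if best > 0 else 0.0

def exponential_linf_radius(p1, p2, sigma, alphas=np.linspace(1.001, 50.0, 2000)):
    r_a = max(-(sigma / a) * np.log(_log_arg(p1, p2, a)) for a in alphas)
    r_b = gaussian_l2_radius(p1, p2, sigma, alphas)  # same expression as r_2, followed by a square root
    return max(r_a, r_b)

r2 = gaussian_l2_radius(0.8, 0.1, sigma=0.25)
print(r2, np.sqrt(r2 ** 2 / 3072))           # l2 radius and the induced l_inf radius for d = 3072
print(exponential_linf_radius(0.8, 0.1, sigma=0.25))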

Here we highlight the sampling method for the Exponential mechanism, which is not detailed in [2, 11]. Due to the high dimensionality of samples in real-world applications, directly sampling \mathbf{z}\sim p(\mathbf{z}) as in Eq. (8) with a Markov Chain Monte Carlo (MCMC) algorithm requires a large number of random-walk steps and thus incurs high computational cost. To alleviate this issue, we adopt an efficient sampling method from [31] that first samples R from Gamma(d+1,\sigma) and then samples \mathbf{z} uniformly from [-R,R]^{d}. The complexity of this sampling algorithm is only O(d).
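A minimal sketch of this sampler (assuming numpy; the function name is ours) is given below; as a by-product, it also empirically checks Corollary 2, i.e., \mathbb{E}[\|\mathbf{z}\|_{\infty}]\approx d\sigma.

import numpy as np

def sample_linf_exponential(d, sigma, rng):
    # one sample z with density p(z) proportional to exp(-||z||_inf / sigma)
    R = rng.gamma(shape=d + 1, scale=sigma)
    return rng.uniform(-R, R, size=d)

rng = np.random.default_rng(0)
d, sigma = 3072, 0.01
norms = [np.abs(sample_linf_exponential(d, sigma, rng)).max() for _ in range(200)]
print(np.mean(norms), d * sigma)  # the empirical mean should be close to d * sigma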

E.2 Additional Experiment Results

2\ell_{2}-norm Case

In Fig. 3, we can see that, although [11] proves a tighter bound than ours, it also certifies approximately 40\sim 60\% accuracy at \ell_{2} radius 0.34 (CIFAR-10, d=3072) and \ell_{2} radius 0.29 (ImageNet, d=150528), i.e., on the order of O(1/\sqrt{\log d}). Even with the advanced training method in [21], the scale of the robust radii is still O(1/\sqrt{\log d}), as shown in Fig. 4.
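A quick back-of-the-envelope computation (assuming numpy) shows that the reported radii are indeed close to 1/\sqrt{\log d} for both input dimensions.

import numpy as np

for d in [3072, 150528]:
    print(d, 1.0 / np.sqrt(np.log(d)))  # ~0.35 for CIFAR-10, ~0.29 for ImageNet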

Figure 3: Certify \ell_{2}-norm robustness by the Gaussian mechanism [11]: CIFAR-10 (left) and ImageNet (right)
Figure 4: Certify \ell_{2}-norm robustness by the Gaussian mechanism and the adversarial training method in [21]: CIFAR-10 (left) and ImageNet (right)
Model | CIFAR-10 (Original): \ell_{\infty} Acc at 2/255 | CIFAR-10 (Original): Standard Acc | ImageNet: \ell_{\infty} Acc at 1/255 | ImageNet: Standard Acc
Cohen et al. [11] (Gaussian) | 47.0% | 74.8% (\sigma=0.25) | 27.4% | 57.2% (\sigma=0.5)
D_{MR} Framework (Gaussian) | 42.4% | 69.6% (\sigma=0.5) | 24.6% | 45.2% (\sigma=1.0)
Wong et al. [14] (Single model) | 53.9% | 68.3% | - | -
IBP [17] | 50.0% | 70.2% | - | -
Table 1: Comparing the performance of the Gaussian mechanism with the other works in the \ell_{\infty} case

\ell_{\infty}-norm Case

Note that it may seem obvious that the Gaussian mechanism is an appropriate mechanism for certifying \ell_{2}-norm robustness, since [11, 2, 21] have achieved state-of-the-art certification results in the \ell_{2}-norm case. However, in the \ell_{\infty}-norm case, it is somewhat counterintuitive that the Gaussian mechanism is also an appropriate choice, performing much better than the Exponential mechanism. In Table 1, we compare the \ell_{\infty}-norm certification results of the Gaussian mechanism with two other representative approaches. Although [11] and the D_{MR} framework perform slightly worse than [14] or [17] on CIFAR-10, they are more scalable to high-dimensional datasets such as ImageNet, so their \ell_{\infty}-norm certification results can be considered comparable. Besides, in Fig. 5 & 6, we show that the Gaussian mechanism certifies approximately 40\sim 60\% accuracy at \ell_{\infty} radius 6\times 10^{-3} on CIFAR-10 and \ell_{\infty} radius 1.1\times 10^{-3} on ImageNet, which are approximately O(1/\sqrt{d\log d}) for both datasets.
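The analogous back-of-the-envelope computation (assuming numpy) for the \ell_{\infty} case shows that the certified radii above are within a small constant factor of 1/\sqrt{d\log d}.

import numpy as np

for d in [3072, 150528]:
    print(d, 1.0 / np.sqrt(d * np.log(d)))  # ~6.4e-3 for CIFAR-10, ~7.5e-4 for ImageNet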

All in all, the empirical results indicate that the theorems proved under our framework hold in practice and are likely to generalize to other frameworks.

Figure 5: Certify \ell_{\infty}-norm robustness by the Gaussian mechanism [11]: CIFAR-10 (left) and ImageNet (right)
Figure 6: Certify \ell_{\infty}-norm robustness by the Gaussian mechanism and the adversarial training method in [21]: CIFAR-10 (left) and ImageNet (right)