Intriguing Properties of Input-dependent Randomized Smoothing

TL;DR

This paper critically examines input-dependent randomized smoothing, revealing its limitations due to the curse of dimensionality, and proposes a theoretically justified framework and a concrete design to improve robustness certification.

Contribution

It demonstrates the lack of guarantees in existing input-dependent smoothing methods, introduces a formal framework to address these issues, and presents a practical variance function design tested on CIFAR10 and MNIST.

Findings

Input-dependent smoothing faces the curse of dimensionality.

The proposed framework enables its use under strict restrictions.

The concrete variance function design improves classical smoothing issues.

Abstract

Randomized smoothing is currently considered the state-of-the-art method to obtain certifiably robust classifiers. Despite its remarkable performance, the method is associated with various serious problems such as "certified accuracy waterfalls", certification vs.\ accuracy trade-off, or even fairness issues. Input-dependent smoothing approaches have been proposed with intention of overcoming these flaws. However, we demonstrate that these methods lack formal guarantees and so the resulting certificates are not justified. We show that in general, the input-dependent smoothing suffers from the curse of dimensionality, forcing the variance function to have low semi-elasticity. On the other hand, we provide a theoretical and practical framework that enables the usage of input-dependent smoothing even in the presence of the curse of dimensionality, under strict restrictions. We present one concrete design of the smoothing variance function and test it on CIFAR10 and MNIST. Our design mitigates some of the problems of classical smoothing and is formally underlined, yet further improvement of the design is still necessary.