Sound Randomized Smoothing in Floating-Point Arithmetics

TL;DR

This paper demonstrates that randomized smoothing, a technique for certifying robustness in machine learning, is unsound under floating-point limitations and proposes a new sound method that accounts for finite precision.

Contribution

The paper reveals the unsoundness of randomized smoothing with floating-point arithmetic and introduces a sound approach that maintains certification accuracy.

Findings

Randomized smoothing can certify false robustness radii under floating-point limitations.

The proposed method achieves sound certifications with similar efficiency to standard practices.

The approach requires only access to a fair coin, making it practical for real-world applications.

Abstract

Randomized smoothing is sound when using infinite precision. However, we show that randomized smoothing is no longer sound for limited floating-point precision. We present a simple example where randomized smoothing certifies a radius of $1.26$ around a point, even though there is an adversarial example in the distance $0.8$ and extend this example further to provide false certificates for CIFAR10. We discuss the implicit assumptions of randomized smoothing and show that they do not apply to generic image classification models whose smoothed versions are commonly certified. In order to overcome this problem, we propose a sound approach to randomized smoothing when using floating-point precision with essentially equal speed and matching the certificates of the standard, unsound practice for standard classifiers tested so far. Our only assumption is that we have access to a fair coin.