How Do Diffusion Models Improve Adversarial Robustness?

TL;DR

This paper investigates how diffusion models enhance adversarial robustness, revealing that their robustness benefits are linked to input space compression rather than denoising, and are influenced by internal randomness.

Contribution

The study systematically analyzes the mechanisms of diffusion models' robustness, highlighting the role of input compression and randomness in their effectiveness.

Findings

Diffusion models increase the $\, ext{l}_p$ distance to clean samples.

Robustness improvement drops to ~24% under fixed randomness.

Input space compression correlates with robustness gains.

Abstract

Recent findings suggest that diffusion models significantly enhance empirical adversarial robustness. While some intuitive explanations have been proposed, the precise mechanisms underlying these improvements remain unclear. In this work, we systematically investigate how and how well diffusion models improve adversarial robustness. First, we observe that diffusion models intriguingly increase, rather than decrease, the $\ell_p$ distance to clean samples--challenging the intuition that purification denoises inputs closer to the original data. Second, we find that the purified images are heavily influenced by the internal randomness of diffusion models, where a compression effect arises within each randomness configuration. Motivated by this observation, we evaluate robustness under fixed randomness and find that the improvement drops to approximately 24% on CIFAR-10--substantially lower than prior reports approaching 70%. Importantly, we show that this remaining robustness gain strongly correlates with the model's ability to compress the input space, revealing the compression rate as a reliable robustness indicator without requiring gradient-based analysis. Our findings provide novel insights into the mechanisms underlying diffusion-based purification, and offer guidance for developing more effective and principled adversarial purification systems.