The Cost of Compression: Tight Quadratic Black-Box Attacks on Sketches for $\ell_2$ Norm Estimation

TL;DR

This paper demonstrates a universal black-box attack on linear sketches used for $\, ext{l}_2$-norm estimation, showing that with roughly quadratic queries, an adversary can cause failures or find adversarial inputs, revealing fundamental vulnerabilities.

Contribution

The authors develop a universal, nonadaptive attack applicable to any linear sketch and estimator, establishing tight lower bounds and exposing inherent vulnerabilities in sketch-based norm estimation.

Findings

The attack uses approximately $\tilde{O}(k^2)$ queries to succeed.

It applies to any linear sketch and estimator, including randomized and adaptive ones.

The results match known upper bounds, confirming optimal attack complexity.

Abstract

Dimensionality reduction via linear sketching is a powerful and widely used technique, but it is known to be vulnerable to adversarial inputs. We study the black-box adversarial setting, where a fixed, hidden sketching matrix $A \in R^{k \times n}$ maps high-dimensional vectors $v \in R^n$ to lower-dimensional sketches $A v \in R^k$, and an adversary can query the system to obtain approximate $\ell_2$-norm estimates that are computed from the sketch. We present a universal, nonadaptive attack that, using $\tilde{O}(k^2)$ queries, either causes a failure in norm estimation or constructs an adversarial input on which the optimal estimator for the query distribution (used by the attack) fails. The attack is completely agnostic to the sketching matrix and to the estimator: it applies to any linear sketch and any query responder, including those that are randomized, adaptive, or tailored to the query distribution. Our lower bound construction tightly matches the known upper bounds of $\tilde{\Omega}(k^2)$, achieved by specialized estimators for Johnson Lindenstrauss transforms and AMS sketches. Beyond sketching, our results uncover structural parallels to adversarial attacks in image classification, highlighting fundamental vulnerabilities of compressed representations.