
arxiv: 2606.02876 · v1 · pith:ZFAZ7Z3Tnew · submitted 2026-06-01 · 💻 cs.LG

RRISE: Robust Radius Inference via a Surrogate Estimator

Pith reviewed 2026-06-28 15:22 UTC · model grok-4.3

classification 💻 cs.LG
keywords: randomized smoothing, certified robustness, surrogate model, Monte Carlo sampling, conformal calibration, image classification, l2 robustness, efficient certification

The pith

RRISE compresses randomized smoothing certification into one surrogate forward pass while preserving provably conservative radii.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that the per-query Monte Carlo sampling cost in randomized smoothing can be replaced by a learned surrogate that is trained once on precomputed class-count targets. The surrogate is calibrated with a one-time conformal step so that its positive radii guarantee the smoothed classifier stays constant inside the ball. This matches standard Monte Carlo certified accuracy within 0.84 percentage points on image benchmarks while cutting the number of base-model evaluations from thousands to one per query. The training overhead is recovered after roughly 100,000 deployment queries, and the method outperforms the only prior offline surrogate approach on CIFAR-100 and Tiny ImageNet. A reader would care because it turns an expensive per-input procedure into an amortized one suitable for repeated real-time use.

Core claim

RRISE trains a surrogate against precomputed Monte Carlo class-count targets via soft-label cross-entropy loss, then applies one-time conformal calibration to turn the surrogate outputs into provably conservative certified radii. Whenever the calibrated radius is positive, the surrogate prediction matches the smoothed classifier and the smoothed classifier is constant on a ball of that radius around the input.
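To make the two stages concrete, here is an added stand-alone sketch (illustration only, not the authors' code) of the pipeline the claim describes: Monte Carlo class counts give a conservative lower bound on p_A and a Cohen-style l2 radius, and a surrogate's one-pass estimate of p_A is shrunk by a one-time split-conformal quantile before it is turned into a radius. It substitutes a one-sided Hoeffding bound for the usual Clopper-Pearson interval, uses constructed calibration data, and ends with the audit the "What would settle it" section asks for.

```python
"""Added illustration of a RRISE-style pipeline: Monte Carlo class counts give a
conservative lower bound on p_A and a Cohen-style l2 radius; a surrogate's single-pass
estimate of p_A is then made conservative with one-time split conformal calibration.
Constructed example, not the authors' code. Substitutes a one-sided Hoeffding bound for
the Clopper-Pearson interval (which needs scipy); both are valid conservative bounds."""
import math
from statistics import NormalDist

PHI_INV = NormalDist().inv_cdf  # standard normal quantile function


def mc_lower_bound(count_a, n, alpha=0.001):
    """One-sided (1 - alpha) lower confidence bound on p_A from n noisy base-model
    votes, count_a of which went to the top class. Hoeffding: P(p_A < mean - t) <= alpha."""
    t = math.sqrt(math.log(1.0 / alpha) / (2.0 * n))
    return max(0.0, count_a / n - t)


def certified_radius(p_a_lower, sigma):
    """Randomized-smoothing l2 radius sigma * Phi^-1(p_A_lower); 0.0 means abstain."""
    if p_a_lower <= 0.5:
        return 0.0
    return sigma * PHI_INV(p_a_lower)


def conformal_quantile(surrogate_p, mc_lower, alpha=0.05):
    """One-time split conformal calibration on a held-out set.
    Nonconformity score = how optimistic the surrogate was relative to the MC lower
    bound. Returns the finite-sample-corrected (1 - alpha) quantile q: for an
    exchangeable new input, surrogate_p - q <= MC lower bound with prob >= 1 - alpha."""
    scores = sorted(s - m for s, m in zip(surrogate_p, mc_lower))
    n = len(scores)
    k = math.ceil((n + 1) * (1.0 - alpha))
    if k > n:
        # Calibration set too small for this alpha: no finite q is valid, so every
        # deployment certificate must abstain rather than silently over-certify.
        return math.inf
    return scores[k - 1]


def surrogate_certificate(p_hat, q, sigma):
    """Deployment: one surrogate forward pass gives p_hat; shrink it by q, then
    convert to a radius. Any positive radius is meant to be conservative."""
    return certified_radius(p_hat - q, sigma)


def audit(surrogate_radii, mc_radii, tol=1e-9):
    """The falsifier from the page: indices where the surrogate certifies a positive
    radius larger than what the MC bound supports on the same input."""
    return [i for i, (rs, rm) in enumerate(zip(surrogate_radii, mc_radii))
            if rs > 0.0 and rs > rm + tol]


# Constructed calibration data: surrogate estimates of p_A and the matching MC lower
# bounds for ten held-out inputs (not real measurements).
CAL_SURROGATE = [0.95, 0.80, 0.70, 0.99, 0.60, 0.85, 0.90, 0.75, 0.65, 0.55]
CAL_MC_LOWER = [0.93, 0.81, 0.66, 0.97, 0.58, 0.80, 0.91, 0.70, 0.64, 0.50]


def demo(sigma=0.5):
    """Calibrate once, then certify two constructed deployment inputs."""
    q = conformal_quantile(CAL_SURROGATE, CAL_MC_LOWER, alpha=0.2)
    confident = surrogate_certificate(0.96, q, sigma)   # positive radius
    borderline = surrogate_certificate(0.54, q, sigma)  # shrinks below 1/2: abstain
    return q, confident, borderline


if __name__ == "__main__":
    print(demo())
```

With ten calibration points the smallest usable miscoverage is alpha = 1/11, which is why `demo` uses 0.2; a real calibration set would be far larger so that alpha can be made small.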

What carries the argument

Surrogate estimator trained on Monte Carlo class-count targets, followed by conformal calibration to produce deployment-verifiable conservative radii.

If this is right

  • Matches fixed-budget Monte Carlo certified accuracy within 0.84 percentage points across image classification benchmarks.
  • Replaces up to 10,000 noisy base-model evaluations per query with a single surrogate forward pass.
  • Recoups the Monte Carlo training cost after approximately 100,000 deployment queries.
  • Achieves 1.23 to 1.91 times higher certified accuracy than the prior offline-surrogate method on CIFAR-100 and Tiny ImageNet.
  • Produces certificates that are deployment-verifiable whenever the radius is positive.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The amortized cost reduction could allow certified robustness to be applied in high-query-volume settings such as online services without dominating latency.
  • Similar surrogate training on sampling-based certificates might be tested in non-vision domains where Monte Carlo costs are also high.
  • The one-time calibration step could be revisited periodically if the base model is fine-tuned after deployment.
  • Combining the surrogate with adaptive sampling budgets might further reduce the initial training data collection cost.

Load-bearing premise

The surrogate trained on precomputed class-count targets and then conformally calibrated produces radii that remain conservative and match the smoothed classifier's behavior on the ball.

What would settle it

Finding an input where the surrogate outputs a positive calibrated radius but the actual smoothed classifier changes its label inside that radius.

Figures

Figures reproduced from arXiv: 2606.02876 by Carlee Joe-Wong, Jong-Ik Park, José M. F. Moura, Shreyas Chaudhari.

Figure 1: Certified accuracy and boundary behavior. The four panels report: top-left, full-test CertAcc@0; top-right, ordinary classification accuracy on the boundary-confidence subset 0.5 < p̂_A(x) < 0.75; bottom-left, boundary mass; and bottom-right, average certified radius within the boundary subset. RRISE closely tracks Baseline 1 in CertAcc@0 and average boundary radius across all four datasets. On CIFAR-100 an…

Figure 2: Boundary-confidence radius distributions. Each curve plots the fraction of test inputs satisfying 0.5 < p̂_A(x) < 0.75 and R̂(x) > t. Higher curves mean that more borderline inputs are certified at radius at least t. RRISE tracks the MC baselines on FashionMNIST and CIFAR-10 and remains well-defined on CIFAR-100 and Tiny ImageNet; Baseline 4 collapses on the harder datasets. B than Baseline 1: 24.16% vs. 19…

Figure 3: Computational cost and break-even. Top: average online forward-pass equivalents per input. Bottom: cumulative savings of RRISE over Baselines 1–3; the zero line marks break-even. Break-even against full-budget MC occurs at 5–10 × 10⁴ queries and against partial-sampling accelerators at 1.8–2.1 × 10⁵ queries. Baselines 2 and 3 because they already reduce average online sampling: on CIFAR-10 they use 5883 an…

Original abstract

Randomized smoothing (RS) uses a smoothed classifier to provide architecture-agnostic certificates of $\ell_2$ classification robustness, but its dependence on per-input Monte Carlo (MC) sampling undermines its use in real-time systems. We argue that this cost is structural rather than fundamental, such that it can be significantly reduced by sharing information across the deployment stream. We introduce RRISE, an RS framework that compresses certification into a single forward pass through a learned surrogate. RRISE trains the surrogate against precomputed MC class-count targets via a soft-label cross-entropy loss and converts surrogate predictions into provably conservative certified radii through a one-time conformal calibration step. The resulting certificate is deployment-verifiable: whenever the calibrated radius is positive, the surrogate's prediction provably matches the smoothed classifier's and the smoothed classifier is constant on a ball of that radius around the input. Across image classification benchmarks, RRISE matches fixed-budget MC certified accuracy within $0.84$ percentage points while replacing up to $10^4$ noisy base-model evaluations per query with a single surrogate forward pass, recouping MC training cost after $\approx 10^5$ deployment queries. On CIFAR-100 and Tiny ImageNet, where the only prior offline-surrogate method collapses, RRISE achieves $1.23$ to $1.91\times$ higher certified accuracy, establishing efficient randomized smoothing as a practical path to certified robustness in repeated-deployment settings.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The paper introduces RRISE, a randomized smoothing framework that trains a surrogate model on precomputed Monte Carlo class-count targets using soft-label cross-entropy loss. A one-time conformal calibration step then converts surrogate outputs into provably conservative certified ℓ₂ radii. The resulting certificates are deployment-verifiable: a positive radius guarantees that the surrogate prediction matches the smoothed classifier and that the smoothed classifier is constant on the corresponding ball. Empirically, RRISE matches fixed-budget MC certified accuracy within 0.84 percentage points while replacing up to 10⁴ base-model evaluations per query with one surrogate forward pass, with 1.23–1.91× higher certified accuracy than the prior offline-surrogate method on CIFAR-100 and Tiny ImageNet.

Significance. If the central claims hold, RRISE demonstrates that the per-query Monte Carlo cost of randomized smoothing is amortizable rather than fundamental, making certified robustness practical for repeated-deployment settings after roughly 10⁵ queries. The use of precomputed MC targets plus standard conformal calibration, together with the explicit deployment-verifiable guarantee, provides a clean separation between training and certification that prior surrogate approaches lacked. The reported gains on datasets where the only competing offline method collapses are a concrete strength.

minor comments (3)
  1. [§3.2] §3.2: the precise form of the soft-label cross-entropy loss (including temperature or label-smoothing parameters) is not stated explicitly; adding the equation would remove ambiguity about how the surrogate is optimized against the MC targets.
  2. [§4.3] §4.3, Table 2: the conformal calibration quantile is reported only as a single value per dataset; stating the exact α used and confirming it was chosen on a held-out calibration set (rather than tuned on test data) would strengthen the reproducibility claim.
  3. [Figure 3] Figure 3: the y-axis label 'Certified Accuracy' should specify whether it is measured against the base classifier or the smoothed classifier, and the error bars should be described in the caption.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary, significance assessment, and recommendation of minor revision. The report contains no major comments requiring point-by-point rebuttal.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The derivation trains a surrogate on precomputed Monte Carlo class-count targets using standard soft-label cross-entropy, then applies one-time conformal calibration to obtain conservative radii. Both the training targets and the calibration step are external to the final radius output and do not reduce the certified-radius claim to a fitted quantity by construction. No self-definitional equations, fitted-input-as-prediction, or load-bearing self-citations appear in the provided abstract or high-level argument. The deployment-verifiable guarantee follows from standard conformal properties rather than an internal redefinition.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axiom · 0 invented entities

The approach rests on the standard randomized smoothing assumption that class-count estimates can be turned into radius certificates, plus the new assumption that a learned surrogate plus conformal calibration preserves the guarantee. No invented entities are introduced.

free parameters (2)
  • surrogate model parameters
    Learned via soft-label cross-entropy on precomputed MC targets; exact architecture and regularization choices are free parameters.
  • conformal calibration quantile
    Determined from a held-out set to enforce conservatism; this is a fitted threshold.
axioms (1)
  • domain assumption: The smoothed classifier is constant on a ball of the certified radius around the input when the surrogate prediction matches the MC estimate after calibration.
    Invoked in the description of the deployment-verifiable certificate.

pith-pipeline@v0.9.1-grok · 5811 in / 1379 out tokens · 25882 ms · 2026-06-28T15:22:02.378565+00:00 · methodology


Reference graph

Works this paper leans on

60 extracted references · 1 canonical work pages