Randomized smoothing is a certified defense that transforms any base classifier into a smoothed version with provable adversarial robustness. By adding isotropic Gaussian noise to the input and taking a majority vote over many noisy samples, it constructs a decision boundary with a mathematically guaranteed safety region. This provides a certified L2 radius within which no adversarial perturbation can alter the prediction.
Glossary
Randomized Smoothing

What is Randomized Smoothing?
A technique for constructing a provably robust classifier by adding Gaussian noise to inputs and aggregating predictions, yielding a certified L2 radius guarantee.
Unlike empirical defenses vulnerable to adaptive attacks, randomized smoothing offers a formal, architecture-agnostic guarantee derived from the Neyman-Pearson lemma. The certified radius scales with the margin between the top class probability and the runner-up under the noise distribution. This makes it a foundational technique for safety-critical agentic systems requiring verifiable resilience against evasion attacks.
Key Features of Randomized Smoothing
Randomized smoothing constructs a provably robust classifier by adding Gaussian noise to inputs and aggregating predictions through majority vote, providing a certified L2 radius guarantee against adversarial perturbations.
Provable L2 Robustness Guarantee
Randomized smoothing provides a certified radius within which no adversarial perturbation can change the prediction. Unlike empirical defenses that can be broken by adaptive attacks, this guarantee is mathematically provable and holds for any attack strategy.
- The certified radius scales with the margin between top class probabilities
- Larger Gaussian noise increases the radius but reduces clean accuracy
- Guarantee is attack-agnostic—no assumptions about adversary capabilities
- Formal verification derived from the Neyman-Pearson lemma
Gaussian Noise Mechanism
The core mechanism adds isotropic Gaussian noise with variance σ² to each input before classification. The smoothed classifier g(x) returns the most probable prediction when inputs are sampled from the Gaussian distribution centered at x.
- Noise level σ is a hyperparameter trading off robustness vs. accuracy
- Sampling typically uses 10,000 to 100,000 Monte Carlo samples for certification
- The smoothed classifier is Lipschitz continuous with respect to L2 distance
- Works with any base classifier architecture without modification
Prediction Under Noise
During inference, the smoothed classifier aggregates predictions across multiple noise-perturbed copies of the input. The majority vote determines the final class, and the margin of victory determines the certified radius.
- Prediction phase: Sample n noisy copies, take majority class
- Certification phase: Estimate lower bound on top class probability using Clopper-Pearson confidence intervals
- Higher sample counts yield tighter probability bounds and larger certified radii
- Procedure is embarrassingly parallel and amenable to batch GPU processing
Scalability to Large Models
Randomized smoothing wraps any base classifier as a black box, requiring no architectural changes, gradient access, or retraining. This makes it directly applicable to large-scale vision models and even foundation models.
- Compatible with ResNet, Vision Transformers, and CLIP architectures
- No need for adversarial training or modified loss functions
- Certification cost scales with inference cost × number of samples
- Denoised smoothing variants combine denoisers with smoothing for improved accuracy
Limitations and Trade-offs
Despite its provable guarantees, randomized smoothing faces practical challenges. The certified radii are often smaller than empirical robustness from adversarial training, and the L2 threat model does not capture all real-world attacks.
- Computational cost: Thousands of forward passes per input for certification
- L2-only guarantee: Does not certify against L∞, L1, or non-Lp attacks
- Accuracy-robustness trade-off: Higher noise σ degrades clean accuracy
- Semantic transformations like rotation or lighting changes are not covered
Extensions and Variants
Research has extended randomized smoothing beyond L2 certification to other threat models and improved its efficiency. Key variants address the original method's limitations while preserving provable guarantees.
- SmoothAdv: Combines smoothing with adversarial training for tighter bounds
- MACER: Maximizes certified radius during training via robust optimization
- Consistency regularization: Enforces prediction consistency under noise
- De-randomized smoothing: Uses ablative defenses for L0 and L1 certification
- Dual normalization: Extends guarantees to semantic transformations
Frequently Asked Questions
Explore the mechanics, guarantees, and practical trade-offs of randomized smoothing, a leading technique for providing provable robustness against adversarial perturbations.
Randomized smoothing is a certified defense technique that constructs a provably robust classifier from any base classifier by adding isotropic Gaussian noise to input samples. The core mechanism involves creating a 'smoothed' classifier that, for a given input x, returns the class that the base classifier is most likely to predict when x is perturbed by random noise from a normal distribution N(0, σ²I). At inference, the algorithm estimates this most probable class by running the base classifier on multiple noisy copies of the input and taking a majority vote. This process provides a formal L2 robustness radius guarantee: the smoothed classifier's prediction is certified to remain constant for any adversarial perturbation whose L2 norm is less than a calculated radius R. The radius depends on the noise level σ and the margin of the majority vote, with larger margins and higher noise yielding stronger guarantees.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Randomized smoothing is a foundational technique for provable robustness. These related concepts form the broader landscape of adversarial defense, attack evaluation, and formal verification.
Certified Robustness
A formal, provable guarantee that a model's prediction will not change for any input perturbation within a specified Lp-norm bound. Unlike empirical defenses that can be broken by stronger attacks, certified methods provide a mathematical lower bound on the adversarial radius around each input. Randomized smoothing is the most scalable approach to achieve this for large neural networks, producing a certificate that holds with high probability.
Adversarial Training
A defensive technique that augments the training dataset with adversarially perturbed examples labeled with the ground-truth class. By training on worst-case inputs generated via attacks like Projected Gradient Descent (PGD), the model learns robust decision boundaries. While adversarial training improves empirical robustness, it does not provide formal guarantees—models can still be broken by adaptive attacks specifically designed to circumvent the defense.
Gradient Masking
A phenomenon where a defense gives a false sense of security by producing non-useful or zero gradients, preventing gradient-based attacks from optimizing. This often occurs through shattered gradients (non-differentiable operations) or stochastic gradients (randomized defenses). Critically, gradient masking does not indicate true robustness—models remain vulnerable to black-box attacks and transfer attacks. Randomized smoothing avoids this pitfall by providing verifiable guarantees rather than obscuring gradients.
Adaptive Attack
An attack methodology that assumes full knowledge of a defense mechanism and is specifically designed to circumvent it. When evaluating randomized smoothing, adaptive attacks may target the sampling procedure itself or exploit the gap between the empirical and certified accuracy. This represents the most rigorous evaluation standard—any defense not tested against adaptive attacks cannot be considered reliable. Key techniques include:
- Expectation Over Transformation (EOT) for stochastic defenses
- Attacking the smoothed classifier directly rather than the base model
Denoised Smoothing
An extension of randomized smoothing that prepends a custom-trained denoiser before the base classifier, rather than relying solely on Gaussian noise augmentation. The denoiser attempts to remove adversarial perturbations, allowing the smoothed classifier to achieve higher certified accuracy on non-adversarial inputs while maintaining provable guarantees. This addresses a key limitation of standard randomized smoothing: the accuracy-robustness trade-off where clean accuracy degrades as the certification radius increases.
Projected Gradient Descent (PGD)
A powerful iterative white-box adversarial attack that repeatedly takes a small step in the direction of the loss gradient and projects the result back onto an epsilon-ball around the original input. PGD is the standard benchmark for evaluating empirical adversarial robustness and is often used as the inner maximization step during adversarial training. While randomized smoothing provides certified defense against all attacks within the radius, PGD serves as a complementary empirical evaluation tool for measuring worst-case accuracy.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us