Randomized smoothing is a probabilistic defense that transforms any base classifier into a certifiably robust smoothed classifier. By adding isotropic Gaussian noise to the input and taking a majority vote over many noisy samples, it constructs a smooth decision boundary that comes with a provable L2-radius guarantee—no adversarial example within that radius can change the prediction.
Glossary
Randomized Smoothing

What is Randomized Smoothing?
A technique for constructing a certifiably robust classifier by adding Gaussian noise to inputs and aggregating predictions, creating a smooth model that provides formal guarantees against L2-norm adversarial attacks.
The certified radius is computed using the Neyman-Pearson lemma, which states that randomized smoothing provides the optimal robustness guarantee for L2 adversaries. Unlike empirical defenses that may suffer from gradient masking, this method yields a mathematical certificate: if the smoothed classifier's top-class probability exceeds a threshold, the prediction is provably constant within a specified L2-ball around the input.
Key Characteristics of Randomized Smoothing
Randomized smoothing constructs a certifiably robust classifier from any base model by adding Gaussian noise to inputs and aggregating predictions. This creates a smooth decision boundary with formal L2-norm robustness guarantees.
The Smoothing Mechanism
Randomized smoothing transforms a base classifier f into a smoothed classifier g by adding isotropic Gaussian noise to the input. For a given input x, the smoothed prediction is the most probable class under the noise distribution:
- g(x) = arg max P(f(x + ε) = c) where ε ~ N(0, σ²I)
- The noise level σ controls the robustness-accuracy tradeoff
- Larger σ provides stronger certificates but may degrade clean accuracy
- The smoothed model is inherently Lipschitz continuous, guaranteeing smooth decision boundaries
Certified Radius Computation
The core theorem provides a certified L2-radius R around input x where the prediction remains constant. If the top class probability pA exceeds the runner-up pB, the certificate is:
- R = σ/2 × (Φ⁻¹(pA) - Φ⁻¹(pB)) where Φ⁻¹ is the inverse Gaussian CDF
- This radius is a provable lower bound—no attack within this L2-ball can change the prediction
- The certificate is statistical, estimated via Monte Carlo sampling with confidence bounds
- Tightness depends on the base classifier's margin under noise
Prediction & Certification Procedure
At inference time, the smoothed classifier uses Monte Carlo sampling to estimate class probabilities and compute certificates:
- Prediction: Sample n₀ noise instances, take the majority vote class as the prediction
- Certification: Sample n additional instances, estimate pA with a lower confidence bound using Clopper-Pearson or Hoeffding's inequality
- If pA > 0.5, a non-trivial certificate exists; otherwise, abstain
- Typical values: n₀ = 100, n = 100,000 for tight certificates
- The procedure is model-agnostic—works with any base architecture
Robustness-Accuracy Tradeoff
Randomized smoothing introduces a fundamental tension between certified robustness and standard accuracy:
- Larger σ increases certified radii but smooths away fine decision boundaries, reducing clean accuracy
- Smaller σ preserves accuracy but yields weak or vacuous certificates
- The tradeoff is provably inherent for certain distributions—no smoothed classifier can achieve both perfect accuracy and large certificates
- Practical deployments often use input-specific σ or heteroscedastic noise to adapt the smoothing level per sample
Extensions Beyond L2 Robustness
While the classical formulation certifies L2-norm robustness, the framework extends to other threat models:
- L1 robustness: Use Laplace noise instead of Gaussian for certificates in the L1 metric
- L∞ robustness: Achieved through randomized ablation or subsampling techniques
- Semantic transformations: Smooth over rotations, translations, or color shifts for geometric robustness
- Discrete domains: Apply smoothing with randomized token substitutions for text classification certificates
- Denoised smoothing: Prepend a denoiser before the classifier to improve the accuracy-certificate tradeoff
Limitations & Practical Considerations
Despite its provable guarantees, randomized smoothing has important limitations:
- Computational cost: Certification requires tens of thousands of forward passes per input
- Statistical error: Certificates are probabilistic—there is a small α chance the bound is invalid
- L2-norm mismatch: Real-world attacks often use L∞ or non-Lp perturbations, where L2 certificates may overestimate robustness
- Information loss: Gaussian noise destroys fine-grained features, making the smoothed model blind to subtle but legitimate patterns
- Base classifier dependency: The certificate quality is bounded by how well the base model separates classes under noise
Frequently Asked Questions
Clear, technically precise answers to the most common questions about constructing provably robust classifiers using noise injection and statistical aggregation.
Randomized smoothing is a technique for constructing a provably robust classifier from any base model by adding isotropic Gaussian noise to inputs and aggregating predictions through majority voting. The core mechanism works in three stages: first, during inference, multiple copies of the input are corrupted with random noise drawn from a normal distribution N(0, σ²I). Second, the base classifier predicts on each noisy copy. Third, the smoothed classifier outputs the class that receives the majority of votes. This process creates a smooth decision boundary that is mathematically guaranteed to not change its prediction within a certified L2-radius around the original input. The certification radius depends on the margin of the majority vote and the noise level σ—a higher margin or larger σ yields a larger certified radius. Unlike empirical defenses that can be broken by adaptive attacks, randomized smoothing provides a formal robustness certificate derived from the Neyman-Pearson lemma, making it one of the few defenses with rigorous theoretical guarantees against norm-bounded adversarial perturbations.
Randomized Smoothing vs. Adversarial Training
A technical comparison of two primary strategies for hardening neural networks against adversarial examples, contrasting empirical robustness with provable certification guarantees.
| Feature | Randomized Smoothing | Adversarial Training | Defensive Distillation |
|---|---|---|---|
Core Mechanism | Adds Gaussian noise to inputs and aggregates predictions via majority vote to construct a smooth classifier | Injects adversarial examples into training data with correct labels to learn robust decision boundaries | Trains a second model on the soft probability outputs of a first model to smooth the loss surface |
Robustness Guarantee | Provable certified radius against L2-norm attacks with formal mathematical lower bounds | Empirical robustness only; no formal guarantee against future or stronger attacks | Empirical robustness only; often vulnerable to adaptive attacks that circumvent gradient masking |
Threat Model Coverage | L2-norm bounded perturbations; extensions exist for L1 and L-infinity via alternative noise distributions | Any Lp-norm bounded attack used during training; typically L-infinity for image tasks | Primarily effective against gradient-based white-box attacks; weak against black-box transfer attacks |
Computational Cost at Inference | High; requires 10,000-100,000 Monte Carlo samples per prediction for tight certification | Low; single forward pass identical to standard model inference | Low; single forward pass through distilled model, which may be smaller than the teacher |
Training Complexity | Low; trains on clean data with standard augmentations; no adversarial example generation required | High; requires generating strong adversarial examples at each training epoch, typically 3-10x slower | Moderate; requires two-stage training process with temperature scaling and soft label transfer |
Clean Accuracy Impact | Moderate reduction; noise injection inherently reduces discriminative power on unperturbed inputs | Minimal to moderate reduction; accuracy-efficiency-robustness trade-off controlled by perturbation budget | Minimal reduction; often maintains or slightly improves clean accuracy through label smoothing effect |
Scalability to Large Datasets | Scalable; training is standard, but certification cost scales linearly with number of samples to certify | Scalable but expensive; adversarial example generation cost grows with dataset size and attack strength | Scalable; distillation is a one-time cost and the student model can be smaller than the teacher |
Susceptibility to Gradient Masking |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Randomized smoothing provides a probabilistic robustness certificate against L2-norm attacks. The following concepts define the threat models, alternative certificates, and attack methodologies that contextualize this defense.
Robustness Certificate
A formal, verifiable guarantee that a model's prediction will remain constant for any perturbation within a specified Lp-norm radius. Unlike empirical defenses that can be broken by stronger attacks, a certificate provides a provable lower bound on adversarial accuracy. Randomized smoothing is the primary method for generating these certificates for large-scale models without modifying the training procedure.
Adversarial Training
A defensive technique that injects adversarial examples into the training dataset with correct labels. This forces the model to learn a smoother decision boundary. Key distinctions from randomized smoothing:
- Empirical defense: No formal guarantees, but often higher empirical accuracy
- Min-max optimization: Trains on worst-case PGD attacks
- Complementary: Often combined with randomized smoothing for state-of-the-art certified robustness
Projected Gradient Descent (PGD)
A powerful iterative white-box attack that applies multiple small gradient steps and projects the result back onto an epsilon-ball around the original input. PGD is the standard benchmark for evaluating empirical robustness. It is often used to validate whether a randomized smoothing certificate is tight by searching for adversarial examples near the certified radius.
Gradient Masking
A phenomenon where a defense causes the model's gradients to become useless or misleading to an attacker, creating a false sense of security. This is a critical failure mode to distinguish from true robustness. Randomized smoothing avoids gradient masking because the smoothed classifier's gradients remain meaningful and can be estimated via Monte Carlo sampling.
Decision Boundary Analysis
The process of visualizing and probing the geometric surface that separates classes in the input space. Randomized smoothing explicitly smooths this boundary by convolving it with Gaussian noise, eliminating the sharp, non-smooth curvature that correlates with high adversarial vulnerability. This geometric interpretation explains why the smoothed classifier is provably robust.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us