Inferensys

Glossary

Randomized Smoothing

A probabilistic certification technique that constructs a provably robust classifier by adding Gaussian noise to inputs and taking a majority vote over a large number of noisy samples.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
PROBABILISTIC CERTIFICATION

What is Randomized Smoothing?

Randomized smoothing is a technique for constructing provably robust classifiers by adding noise to inputs and aggregating predictions.

Randomized smoothing is a probabilistic certification technique that constructs a provably robust classifier from any base model by adding Gaussian noise to inputs and taking a majority vote over a large number of noisy samples. It provides a mathematical guarantee that a prediction will remain constant within a certified L2-radius around the input.

Unlike empirical defenses like adversarial training, randomized smoothing offers a formal robustness certification that is agnostic to the underlying architecture. The certified radius is derived from the statistical margin of the majority class, making it a scalable, model-agnostic approach to achieving provable adversarial robustness.

PROBABILISTIC CERTIFICATION

Key Features of Randomized Smoothing

The core mechanisms that make randomized smoothing a scalable, attack-agnostic, and provably robust defense against adversarial examples.

01

The Gaussian Noise Mechanism

The foundational operation of randomized smoothing involves adding isotropic Gaussian noise to the input before classification. For a base classifier f and an input x, the smoothed classifier g is defined as:

g(x) = argmax_c P(f(x + ε) = c) where ε ~ N(0, σ²I)

  • The noise level σ is a critical hyperparameter controlling the robustness-accuracy trade-off
  • Larger σ provides stronger certification radii but degrades clean accuracy
  • The noise creates a Lipschitz-continuous decision boundary, smoothing out adversarial pockets
σ ∈ [0.12, 1.00]
Typical Noise Range (CIFAR-10)
02

The Neyman-Pearson Certification Guarantee

The robustness certificate is derived from the Neyman-Pearson lemma, which provides the optimal hypothesis test between two Gaussian distributions. This yields a closed-form certified radius R:

R = σ/2 * (Φ⁻¹(p_A) - Φ⁻¹(p_B))

  • p_A is the lower confidence bound of the top class probability
  • Φ⁻¹ is the inverse standard Gaussian CDF
  • The guarantee is probabilistic: it holds with confidence 1-α, where α is the significance level
  • This is a sound certificate—if the condition holds, no adversarial example exists within the radius
ℓ₂-norm
Perturbation Type Certified
03

Monte Carlo Sampling for Prediction

At inference time, the smoothed classifier's prediction is estimated via Monte Carlo sampling rather than computed analytically:

  1. Draw n samples of Gaussian noise: ε₁, ε₂, ..., εₙ ~ N(0, σ²I)
  2. Compute the base classifier's prediction for each noisy copy: f(x + εᵢ)
  3. Take a majority vote across the n predictions
  • Typical n ranges from 10,000 to 100,000 samples for certification
  • A Binomial confidence interval (Clopper-Pearson) is used to bound the true top-class probability
  • The process is embarrassingly parallel and can be batched on GPUs
100k
Typical Sample Count for Certification
04

Prediction vs. Certification Modes

Randomized smoothing operates in two distinct modes with different computational budgets:

  • Prediction Mode: Uses a small number of samples (e.g., n=100) to make a fast, robust prediction without computing a radius. The majority class is returned immediately
  • Certification Mode: Uses a large number of samples (e.g., n=100,000) and a hypothesis test to output both a predicted class and a guaranteed ℓ₂ radius within which the prediction is provably constant

This separation allows the technique to be deployed in latency-sensitive applications while still providing formal guarantees when needed

05

Attack-Agnostic Defense

Unlike adversarial training, randomized smoothing provides a provable guarantee that does not depend on the specific attack algorithm used:

  • The certificate holds against any perturbation within the ℓ₂-ball, regardless of how it was generated
  • This includes unknown, future, or adaptive attacks that specifically target the smoothing mechanism
  • The only assumption is that the attacker is constrained to an ℓ₂-norm budget
  • Extensions exist for ℓ₁, ℓ∞, and other norms using different noise distributions (Laplace, Uniform)
  • This property makes it a gold standard for safety-critical applications where worst-case guarantees are required
06

Denoised Smoothing Extension

Standard randomized smoothing degrades significantly on high-resolution images because Gaussian noise destroys fine details. Denoised smoothing addresses this by prepending a denoiser to the base classifier:

g(x) = argmax_c P(f(denoise(x + ε)) = c)

  • The denoiser is typically a pre-trained diffusion model or a custom DnCNN
  • It removes the Gaussian noise before classification, preserving image fidelity
  • This dramatically improves clean accuracy while maintaining the same certification guarantees
  • The denoiser itself does not need to be robust—the smoothing framework handles certification independently
DEFENSE MECHANISM COMPARISON

Randomized Smoothing vs. Other Defenses

A feature-level comparison of Randomized Smoothing against Adversarial Training and Defensive Distillation for achieving certified and empirical robustness.

FeatureRandomized SmoothingAdversarial TrainingDefensive Distillation

Guarantee Type

Probabilistic certification (L2 norm)

Empirical robustness only

Empirical robustness only

Requires Model Retraining

Scalability to Large Datasets (ImageNet)

Architecture Agnostic

Natural Accuracy Impact

Minimal to moderate drop

Significant drop

Minimal drop

Defense Against Black-box Attacks

Certified Radius (L2, CIFAR-10)

~0.5 to 1.0

Not applicable

Not applicable

Inference Time Overhead

High (requires 10k+ samples)

Low (single forward pass)

Low (single forward pass)

RANDOMIZED SMOOTHING

Frequently Asked Questions

Clear, technically precise answers to the most common questions about provable adversarial robustness via randomized smoothing.

Randomized smoothing is a probabilistic certification technique that transforms any base classifier into a provably robust, smoothed classifier. It works by adding isotropic Gaussian noise to the input and taking a majority vote over a large number of noisy samples. The core mechanism relies on the Neyman-Pearson lemma to compute a certified radius within which the prediction is guaranteed to remain constant. Specifically, if the smoothed classifier predicts class cA with probability pA under noise, and the runner-up class cB has probability pB, the certified L2-radius is calculated as (σ/2) * (Φ⁻¹(pA) - Φ⁻¹(pB)), where Φ⁻¹ is the inverse Gaussian CDF and σ is the noise level. This provides a mathematical guarantee that no adversarial perturbation within that radius can change the prediction.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.