Randomized smoothing is a technique that transforms an arbitrary base classifier into a certifiably robust smoothed classifier. It operates by adding isotropic Gaussian noise to the input and aggregating the base model's predictions through majority vote, providing a formal L2-norm radius guarantee within which the prediction cannot be altered by any adversary.
Glossary
Randomized Smoothing

What is Randomized Smoothing?
A probabilistic defense that constructs a certifiably robust classifier from any base model by adding random Gaussian noise to inputs and returning the most probable prediction under that noise distribution.
Unlike empirical defenses that rely on defeating specific attacks, randomized smoothing provides a provable lower bound on robustness. The certified radius is derived from the Neyman-Pearson lemma and scales with the margin of the majority class probability, making it a scalable, model-agnostic approach that requires no retraining of the underlying architecture.
Key Characteristics of Randomized Smoothing
Randomized smoothing constructs a provably robust classifier by convolving any base model with Gaussian noise, providing a mathematical certificate of prediction stability within a defined radius.
The Smoothing Mechanism
The core process involves creating multiple noisy copies of the input by adding isotropic Gaussian noise and querying the base classifier on each copy. The smoothed classifier outputs the majority vote among these predictions. This transforms a brittle decision boundary into a smooth, certifiable one by averaging away adversarial perturbations that fall within the noise distribution's effective radius.
Certified Radius Guarantee
The method provides a mathematically proven lower bound on the L2 radius within which no adversarial attack can change the prediction. This certificate is derived from the Neyman-Pearson lemma and depends on the gap between the top class probability and the runner-up under noise. A larger probability margin yields a larger certified radius, offering a direct trade-off between robustness and accuracy.
Prediction & Certification Procedure
The algorithm operates in two phases:
- Prediction: Sample
nnoisy copies, count class frequencies, and return the plurality class. - Certification: Sample
n0copies to estimate the top class, then samplencopies to perform a one-sided binomial hypothesis test. If the test confirms the top class probability exceeds 0.5 with high confidence, the certified radius is calculated analytically.
Model-Agnostic Architecture
Randomized smoothing functions as a wrapper around any black-box classifier. It requires no access to model internals, gradients, or training procedures. This property makes it uniquely applicable to:
- Proprietary or third-party models
- Non-differentiable classifiers like decision trees
- Complex multimodal systems
- Legacy production models that cannot be retrained with adversarial training
Limitations and Trade-offs
Key constraints include:
- L2-only certificates: The standard method certifies only against L2-bounded attacks, not L-infinity or other norms.
- Accuracy-robustness trade-off: Adding noise reduces clean accuracy, especially on high-resolution inputs.
- Curse of dimensionality: The certified radius shrinks as input dimensionality increases.
- Probabilistic certificates: The guarantee holds with a user-specified confidence level (e.g., 99.9%), not absolute certainty.
Randomized Smoothing vs. Adversarial Training
A comparison of the two dominant paradigms for achieving adversarial robustness: empirical defense through data augmentation versus certified defense through statistical smoothing.
| Feature | Randomized Smoothing | Adversarial Training | TRADES |
|---|---|---|---|
Defense Category | Certified Robustness | Empirical Robustness | Empirical Robustness |
Core Mechanism | Gaussian noise injection and majority voting | On-the-fly adversarial example generation | Surrogate loss with stability regularization |
Provable Guarantees | |||
Requires Attack Generation During Training | |||
Standard Accuracy Impact | Moderate degradation | Significant degradation | Moderate degradation |
Computational Cost at Training | Low (standard training) | Very High (multi-step PGD) | High (KL divergence term) |
Computational Cost at Inference | High (Monte Carlo sampling) | Low (single forward pass) | Low (single forward pass) |
Certified Radius (CIFAR-10, L2) | ~0.5-1.0 | N/A (empirical only) | N/A (empirical only) |
Frequently Asked Questions
Explore the core mechanics, mathematical guarantees, and practical trade-offs of randomized smoothing, the leading technique for building provably robust classifiers against adversarial attacks.
Randomized smoothing is a technique for constructing a certifiably robust classifier from any arbitrary base model by adding random Gaussian noise to input samples. The process works by creating a smoothed classifier that, for a given input, generates multiple noisy copies, passes them through the base model, and returns the most probable prediction under the noise distribution. This transforms the base model's complex, potentially brittle decision boundary into a smooth, provably stable one. The core mechanism relies on the Neyman-Pearson lemma to prove that if the majority class probability is sufficiently high, the prediction cannot be altered by any perturbation within a mathematically certified L2 radius. This provides a formal guarantee of robustness without requiring any modification to the underlying model's architecture or training procedure.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the foundational concepts, attacks, and guarantees that surround randomized smoothing in the adversarial robustness landscape.
Certified Robustness
A formal guarantee that a model's prediction will remain constant for any input perturbation within a mathematically proven bound. Unlike empirical defenses that can be broken by stronger attacks, certified robustness provides a lower bound on adversarial resilience.
- Provides a provable safety radius around an input
- Randomized smoothing is the most scalable way to achieve this
- Guarantees hold regardless of the attack strategy used
Adversarial Perturbation
A carefully crafted, often imperceptible modification to input data designed to cause a machine learning model to make an incorrect prediction. These perturbations exploit the model's sensitivity to small changes in high-dimensional space.
- Can be targeted (forcing a specific class) or untargeted (any misclassification)
- Randomized smoothing defends by averaging predictions over many noisy copies
- The noise drowns out the adversarial signal
Gaussian Noise
The core mechanism of randomized smoothing. Isotropic Gaussian noise is added to the input, and the classifier's prediction is aggregated over many noisy samples. The resulting smoothed classifier is certifiably robust within a radius proportional to the noise level.
- Larger noise variance increases the certified radius
- Trades off standard accuracy for robustness
- The noise acts as a randomized smoothing operator on the decision boundary
Projected Gradient Descent (PGD) Attack
An iterative, multi-step white-box attack that represents the strongest first-order adversary. PGD projects adversarial examples back onto an epsilon-ball at each step. Randomized smoothing is evaluated against PGD to validate that its certified bounds hold.
- Standard benchmark for empirical robustness evaluation
- Randomized smoothing's guarantee defeats PGD within the certified radius
- Often used during training for adversarial training baselines
Neyman-Pearson Lemma
The statistical foundation of randomized smoothing's guarantees. This fundamental lemma states that for simple hypothesis testing, the likelihood ratio test is the most powerful. In smoothing, it proves that no attack can beat the certified radius.
- Provides the optimality of the smoothed classifier's robustness
- Connects adversarial defense to classical statistics
- Underpins the mathematical rigor of the entire framework
Denoised Smoothing
An extension of randomized smoothing that prepends a denoising function (often a pre-trained denoiser) before the base classifier. This allows the use of larger noise levels without destroying semantic content, significantly expanding the certified radius on high-resolution images.
- Combines denoising autoencoders with smoothing
- Enables certification on ImageNet-scale datasets
- Addresses the accuracy-robustness trade-off

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us