Randomized smoothing transforms an arbitrary base classifier into a smoothed classifier with certified robustness guarantees. The process adds isotropic Gaussian noise to the input and queries the base model multiple times to estimate the most likely prediction. If the top class probability is sufficiently high, the smoothed classifier is provably robust within a certified L2-radius — no adversarial perturbation smaller than this radius can change the prediction.
Glossary
Randomized Smoothing

What is Randomized Smoothing?
Randomized smoothing is a technique for constructing a certifiably robust classifier from any base model by adding random Gaussian noise to inputs and returning the most probable prediction under that noise distribution, providing a provable guarantee against adversarial perturbations.
The certified radius is computed analytically using the Neyman-Pearson lemma, which establishes the optimality of Gaussian smoothing for L2 adversaries. Unlike empirical defenses that can be broken by stronger attacks, randomized smoothing provides a mathematical guarantee of robustness that holds regardless of the attacker's knowledge or computational power, making it a cornerstone of verifiable adversarial defense.
Key Features of Randomized Smoothing
Randomized smoothing constructs a provably robust classifier by adding Gaussian noise to inputs and returning the most probable prediction under that noise distribution. These are the core mechanisms that make it a leading defense against adversarial evasion attacks.
The Smoothing Mechanism
The core process transforms a base classifier f into a smoothed classifier g. For any input x, g(x) returns the class that f is most likely to predict when x is perturbed by isotropic Gaussian noise with variance σ². This creates a statistical barrier: an adversary must overcome the noise distribution to change the prediction, not just cross a single decision boundary. The prediction is computed via Monte Carlo sampling, repeatedly querying f on noisy copies of x and taking a majority vote.
Certified Radius Guarantee
The defining property of randomized smoothing is a provable L2-radius around the input. If the smoothed classifier predicts class cA with probability pA, and the runner-up class cB has probability pB, the prediction is guaranteed to remain constant for any adversarial perturbation with an L2-norm less than:
- R = (σ/2) * [Φ⁻¹(pA) - Φ⁻¹(pB)]
where Φ⁻¹ is the inverse Gaussian CDF. This radius is a lower bound on true robustness, meaning the model is at least this robust, often more. The guarantee is probabilistic, holding with a configurable confidence level α (typically 99.9%).
Prediction & Certification Algorithm
The practical algorithm operates in two phases:
- PREDICT: Sample n noisy copies of the input, query the base classifier, and return the plurality class. If the top class count is insufficient, abstain.
- CERTIFY: Sample n₀ copies to identify the most likely class, then sample n additional copies to compute a lower confidence bound on its probability using a Clopper-Pearson binomial confidence interval. If the lower bound exceeds 0.5, compute and return the certified radius.
This decoupling allows prediction to be fast while certification uses more compute for rigorous guarantees.
Architecture-Agnostic Defense
Randomized smoothing is a wrapper method that treats the base classifier as a black box. It requires no knowledge of the model's architecture, weights, or training procedure. This provides three critical advantages:
- Model Flexibility: Works with any classifier, including deep neural networks, random forests, and support vector machines.
- No Retraining Required: Can be applied to pre-trained, off-the-shelf models without modification.
- Composability: Smoothing can be combined with other defenses like adversarial training to boost both empirical and certified robustness simultaneously.
The trade-off is that the base classifier must be robust to Gaussian noise, which may require specialized training for optimal performance.
Limitations & Attack Surfaces
Despite its formal guarantees, randomized smoothing has known limitations:
- L2-Norm Only: The standard guarantee applies only to perturbations bounded in L2-distance. Extensions exist for L1 and L∞ norms but require different noise distributions (Laplace, Uniform).
- Information Leakage: The certification procedure reveals the exact probability pA, which an adaptive attacker can exploit to craft tighter attacks than the certified radius suggests.
- Curse of Dimensionality: In high-dimensional input spaces (e.g., ImageNet-scale images), the certified radius shrinks relative to the data scale, limiting practical guarantees.
- Semantic Perturbations: Smoothing does not defend against non-norm-bounded changes like rotation, translation, or lighting shifts.
Denoised Smoothing Variant
A key extension addresses the base classifier's sensitivity to Gaussian noise. Denoised smoothing prepends a custom-trained denoiser before the base classifier:
- The denoiser is trained to reconstruct clean images from noisy inputs using a mean squared error loss.
- At inference, noisy inputs pass through the denoiser first, then the base classifier.
- This dramatically improves the base classifier's accuracy under noise, enabling larger σ values and thus larger certified radii.
- The denoiser can be a standard autoencoder, DnCNN, or a diffusion-based model.
This approach bridges the gap between standard accuracy and certified robustness, achieving state-of-the-art results on CIFAR-10 and ImageNet.
Frequently Asked Questions
Explore the core mechanisms, guarantees, and practical considerations of randomized smoothing, the leading technique for constructing classifiers with provable adversarial robustness guarantees.
Randomized smoothing is a technique for constructing a certifiably robust classifier from any arbitrary base classifier by adding random Gaussian noise to inputs and returning the most probable prediction under that noise distribution. The process works in two phases: during prediction, the smoothed classifier aggregates the base model's outputs over multiple noisy copies of the input and selects the class with the highest probability. During certification, the method computes a probabilistic lower bound on this majority class's likelihood, which mathematically guarantees that the prediction will remain constant for any adversarial perturbation within a specific L2-radius. This transforms a brittle deep network into a provably robust model without modifying its architecture or training procedure.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the core concepts and complementary techniques that form the foundation of provable adversarial defenses, from the mathematical guarantees of certified robustness to the practical training methods that enable them.
Certified Robustness
A property providing a mathematical proof that a model's prediction will remain constant for any input within a specified Lp-norm radius. Unlike empirical defenses that can be broken by stronger attacks, certified robustness offers an absolute, verifiable guarantee against adversarial perturbations. Randomized smoothing is the most scalable method for achieving this on deep networks.
Adversarial Training
A defensive technique that augments the training dataset with adversarial examples—inputs intentionally perturbed to cause misclassification. By training on these worst-case examples, the model learns more robust decision boundaries. While effective against empirical attacks, adversarial training alone does not provide formal guarantees; it is often combined with randomized smoothing for certified defenses.
Gaussian Noise Augmentation
The core mechanism of randomized smoothing where isotropic Gaussian noise is added to inputs during both training and inference. This creates a smoothed classifier that returns the most probable prediction under the noise distribution. The standard deviation of the noise directly controls the trade-off between certified radius and clean accuracy.
Neyman-Pearson Lemma
A fundamental theorem in statistical hypothesis testing that provides the theoretical foundation for randomized smoothing's guarantees. The lemma states that the likelihood ratio test is the most powerful test for simple hypotheses. In the context of smoothing, it is used to derive the optimal adversarial perturbation for a given noise distribution, establishing the certified radius.
Monte Carlo Sampling
The practical method used to estimate the prediction probability under the smoothed classifier at inference time. Instead of computing an intractable integral over the Gaussian distribution, the model is queried n times with independently sampled noise. A confidence interval (e.g., using Clopper-Pearson) is then constructed to bound the true probability and issue a certified prediction.
Denoised Smoothing
An extension of randomized smoothing that prepends a denoiser (often a pre-trained neural network) before the base classifier. The denoiser removes the added Gaussian noise, allowing the classifier to operate on cleaner inputs. This significantly improves clean accuracy while maintaining the same certified robustness guarantees, as the denoiser is treated as part of the smoothed function.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us