Title: RRISE: Achieving Robust Radius Inference Through a Surrogate Estimator

Abstract: While randomized smoothing (RS) offers architecture-independent guarantees for $\ell_2$ classification robustness via smoothed classifiers, its reliance on per-input Monte Carlo (MC) sampling hinders applicability in real-time environments. We posit that this computational burden is structural, not fundamental, and can be substantially mitigated by leveraging shared information throughout the deployment pipeline. To address this, we present RRISE, an RS framework that streamlines the certification process into a single forward pass using a learned surrogate model. This surrogate is trained against precomputed MC class-count targets using a soft-label cross-entropy loss, and its outputs are transformed into provably conservative certified radii via a one-time conformal calibration procedure. The resulting certification is verifiable at deployment: if the calibrated radius is positive, the surrogate’s prediction is guaranteed to align with that of the smoothed classifier, which remains constant within a ball of that radius surrounding the input. Empirical results on image classification benchmarks demonstrate that RRISE achieves certified accuracy within 0.84 percentage points of fixed-budget MC methods. It replaces up to $10^4$ noisy base-model evaluations per query with a single surrogate pass, recovering the initial training cost after approximately $10^5$ deployment queries. Furthermore, on CIFAR-100 and Tiny ImageNet—datasets where existing offline-surrogate approaches fail—RRISE delivers 1.23 to $1.91\times$ higher certified accuracy, positioning efficient randomized smoothing as a viable route to certified robustness in repeated-deployment scenarios.

Source: arXiv Generated at: 2026-06-03 00:00:00 UTC