The existence of adversarial examples is relatively understood for random fully connected neural networks, but much less so for convolutional neural networks (CNNs). The recent work [Daniely, 2025] establishes that adversarial examples can be found in CNNs, in some non-optimal distance from the input. We extend over this work and prove that adversarial examples in random CNNs with input dimension $d$ can be found already in $\ell_2$-distance of order $\lVert x \rVert /\sqrt{d}$ from the input $x$, which is essentially the nearest possible. We also show that such adversarial small perturbations can be found using a single step of gradient descent. To derive our results we use Fourier decomposition to efficiently bound the singular values of a random linear convolutional operator, which is the main ingredient of a CNN layer. This bound might be of independent interest.

翻译：对于随机全连接神经网络，对抗样本的存在性已得到相对充分的理解，但对于卷积神经网络（CNNs）则知之甚少。近期工作 [Daniely, 2025] 证实了在CNNs中可以找到对抗样本，尽管其与输入的距离并非最优。我们在该研究基础上进一步证明，在输入维度为 $d$ 的随机CNNs中，对抗样本可以在与输入 $x$ 的 $\ell_2$ 距离为 $\lVert x \rVert /\sqrt{d}$ 量级内找到，这本质上是最接近的可能距离。我们还表明，此类微小的对抗性扰动可以通过单步梯度下降法找到。为了推导这些结果，我们利用傅里叶分解来有效界定随机线性卷积算子（CNN层的主要组成部分）的奇异值，该界可能具有独立的研究价值。