Randomized smoothing is sound when using infinite precision. However, we show that randomized smoothing is no longer sound for limited floating-point precision. We present a simple example where randomized smoothing certifies a radius of $1.26$ around a point, even though there is an adversarial example at distance $0.8$, and we extend this example further to provide false certificates for CIFAR10. We discuss the implicit assumptions of randomized smoothing and show that they do not apply to the generic image classification models whose smoothed versions are commonly certified. To overcome this problem, we propose a sound approach to randomized smoothing under floating-point precision that runs at essentially the same speed and, for all standard classifiers tested so far, matches the certificates of the standard (unsound) practice. Our only assumption is that we have access to a fair coin.
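An added illustration of the gap the abstract points to, not the paper's own construction or its CIFAR10 example: the standard Gaussian certificate (Cohen et al., 2019) assumes the noisy inputs $x + \epsilon$ are exact real-valued Gaussian samples, while in IEEE double precision they snap onto a grid whose spacing depends on $x$. The base points, $\sigma$ and sample count below are constructed for the demonstration.

```python
import math
import random
from statistics import NormalDist


def certified_radius(sigma, p_lower):
    """Standard Gaussian smoothing certificate (Cohen et al. 2019) in the
    two-class case p_B = 1 - p_A: R = sigma * Phi^{-1}(p_lower).
    Its proof assumes x + eps is an exact Gaussian sample around x."""
    return sigma * NormalDist().inv_cdf(p_lower)


def grid_spacing(x):
    """Distance between adjacent IEEE doubles just above |x|: 2^(e-53),
    where x = m * 2^e with 0.5 <= |m| < 1 (math.frexp convention)."""
    return 2.0 ** (math.frexp(x)[1] - 53)


def noisy_sample_set(x, sigma, n, seed=0):
    """Distinct values actually produced by x + eps, eps ~ N(0, sigma^2),
    in double precision.  With infinite precision n draws are distinct
    almost surely; in floating point they collapse onto the grid near x,
    so the classifier is queried on a discrete, x-dependent support rather
    than on the continuous Gaussian the certificate reasons about."""
    rng = random.Random(seed)
    return {x + rng.gauss(0.0, sigma) for _ in range(n)}


if __name__ == "__main__":
    sigma, n = 1.0, 1000
    for x in (1.0, 2.0 ** 54):  # constructed base points: fine vs coarse grid
        print(f"x={x:g}: grid spacing {grid_spacing(x):g}, "
              f"{len(noisy_sample_set(x, sigma, n))} distinct noisy inputs")
    # The radius is only meaningful if the sampled distribution really is
    # the Gaussian the proof assumes.
    print("radius for sigma=0.5, p_A>=0.99:", certified_radius(0.5, 0.99))
```

At $x = 1$ the thousand draws are all distinct, while at $x = 2^{54}$ the same draws land on only a handful of grid points, so the two base points are not smoothed by the same distribution.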