[QUESTION] Some questions about PGDL2 attacks

[rikonaka]

❔ Any questions

First, why PGDL2 random_start like that? Is such a restriction necessary?

Different from PGD.

Second, how does the code limit L2 to eps? If we wanna limi L2 to eps, here is some equation.

So we only need to restrict the size of each delta value to that value and it will ensure that the final L2 is less than eps. But I don't see any similar restriction in the code.

HM-GM-AM-QM_inequalities

In the code.

I think there are some errors here, am I correct?

[Harry24k]

First, the random start of PGDL2 is followed by some previous work (but I cannot remember the source code. Sorry). To my knowledge, there is no standard method to initialize the random noise at the beginning. I think there are several works to investigate the importance of random noise.

For the L2 norm, mathematically, the $i$-th component of delta can be formalized as follows: $\delta _i \times \min (\epsilon/|\delta|_2, 1)$ Thus, the norm of normalized delta is $\sum [ \delta_i \times \min (\epsilon/|\delta|_2, 1)]^2 = \times \min (\epsilon/|\delta|_2, 1) \sum \delta_i^2 = \min (\epsilon, |\delta|_2)$.

I hope this answer solves your questions! 👍

[rikonaka]

First, the random start of PGDL2 is followed by some previous work (but I cannot remember the source code. Sorry). To my knowledge, there is no standard method to initialize the random noise at the beginning. I think there are several works to investigate the importance of random noise.

For the L2 norm, mathematically, the i-th component of delta can be formalized as follows: δi×min(ϵ/|δ|2,1) Thus, the norm of normalized delta is ∑[δi×min(ϵ/|δ|2,1)]2=×min(ϵ/|δ|2,1)∑δi2=min(ϵ,|δ|2).

I hope this answer solves your questions! +1

Thank you very much for your answer, I probably understand it now. 😜