In attacks.AttackCarliniWagnerL2._optimize there's:
if input_orig is None:
dist = l2_dist(input_adv, input_var, keepdim=False)
The problem is that input_var has already been mapped to tanh-space, so it's in fact not the original input. However, the adversarial example input_adv is the one to be used. Therefore, without mapping input_var back to its original space, the dist calculated won't be the true L2 distance between the adversarial example and the original image. In Carlini's code he performed the exact operation. Thanks for checking!
In
attacks.AttackCarliniWagnerL2._optimizethere's:The problem is that
input_varhas already been mapped to tanh-space, so it's in fact not the original input. However, the adversarial exampleinput_advis the one to be used. Therefore, without mappinginput_varback to its original space, thedistcalculated won't be the true L2 distance between the adversarial example and the original image. In Carlini's code he performed the exact operation. Thanks for checking!